improve handling _ prefix added to library functions as compile/link …

…artifact (#924)
mandiant · Mar 25, 2022 · fb34b16 · fb34b16
1 parent eaf978d
commit fb34b16
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@
 -
 
 ### Bug Fixes
+- improve handling _ prefix compile/link artifact #924 @mike-hunhoff
 
 ### capa explorer IDA Pro plugin
 - improve file format extraction #918 @mike-hunhoff

diff --git a/capa/features/extractors/ida/file.py b/capa/features/extractors/ida/file.py
@@ -152,6 +152,12 @@ def extract_file_function_names():
         if idaapi.get_func(ea).flags & idaapi.FUNC_LIB:
             name = idaapi.get_name(ea)
             yield FunctionName(name), ea
+            if name.startswith("_"):
+                # some linkers may prefix linked routines with a `_` to avoid name collisions.
+                # extract features for both the mangled and un-mangled representations.
+                # e.g. `_fwrite` -> `fwrite`
+                # see: https://stackoverflow.com/a/2628384/87207
+                yield FunctionName(name[1:]), ea
 
 
 def extract_file_format():

diff --git a/capa/features/extractors/ida/insn.py b/capa/features/extractors/ida/insn.py
@@ -114,6 +114,12 @@ def extract_insn_api_features(f, bb, insn):
     if target_func.flags & idaapi.FUNC_LIB:
         name = idaapi.get_name(target_func.start_ea)
         yield API(name), insn.ea
+        if name.startswith("_"):
+            # some linkers may prefix linked routines with a `_` to avoid name collisions.
+            # extract features for both the mangled and un-mangled representations.
+            # e.g. `_fwrite` -> `fwrite`
+            # see: https://stackoverflow.com/a/2628384/87207
+            yield API(name[1:]), insn.ea
 
 
 def extract_insn_number_features(f, bb, insn):

diff --git a/capa/features/extractors/viv/file.py b/capa/features/extractors/viv/file.py
@@ -79,6 +79,12 @@ def extract_file_function_names(vw, **kwargs):
         if viv_utils.flirt.is_library_function(vw, va):
             name = viv_utils.get_function_name(vw, va)
             yield FunctionName(name), va
+            if name.startswith("_"):
+                # some linkers may prefix linked routines with a `_` to avoid name collisions.
+                # extract features for both the mangled and un-mangled representations.
+                # e.g. `_fwrite` -> `fwrite`
+                # see: https://stackoverflow.com/a/2628384/87207
+                yield FunctionName(name[1:]), va
 
 
 def extract_file_format(buf, **kwargs):

diff --git a/capa/features/extractors/viv/insn.py b/capa/features/extractors/viv/insn.py
@@ -119,6 +119,12 @@ def extract_insn_api_features(f, bb, insn):
         if viv_utils.flirt.is_library_function(f.vw, target):
             name = viv_utils.get_function_name(f.vw, target)
             yield API(name), insn.va
+            if name.startswith("_"):
+                # some linkers may prefix linked routines with a `_` to avoid name collisions.
+                # extract features for both the mangled and un-mangled representations.
+                # e.g. `_fwrite` -> `fwrite`
+                # see: https://stackoverflow.com/a/2628384/87207
+                yield API(name[1:]), insn.va
             return
 
         for _ in range(THUNK_CHAIN_DEPTH_DELTA):