Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dotnet: format(dotnet) does not match correctly #1187

Closed
mike-hunhoff opened this issue Oct 11, 2022 · 4 comments · Fixed by #1256
Closed

dotnet: format(dotnet) does not match correctly #1187

mike-hunhoff opened this issue Oct 11, 2022 · 4 comments · Fixed by #1256
Assignees
@mr-tz
Labels
bug Something isn't working dotnet question Further information is requested
Milestone
5.0.0

Comments

@mike-hunhoff
Copy link
Collaborator

format(dotnet) does not match at function/bb scope but matches at global scope. Additionally, capa metadata lists .NET file format as pe instead of dotnet.

Should we extract both pe and dotnet formats for .NET files? Otherwise, when analyzing .NET files we miss out on native capabilities bound by format(pe).
@mike-hunhoff mike-hunhoff added bug Something isn't working question Further information is requested labels Oct 11, 2022
@mike-hunhoff mike-hunhoff added this to the 5.0.0 milestone Nov 1, 2022
@mr-tz
Copy link
Collaborator

mr-tz commented Dec 19, 2022

format should be a global feature so match at all scopes. Is this a bug currently?

I'd say it'd be fair to emit pe and dotnet for PEs.

The metadata discrepancy should be an easy fix.

@mr-tz
Copy link
Collaborator

mr-tz commented Dec 19, 2022

related: #938

@mr-tz mr-tz self-assigned this Dec 21, 2022
@mr-tz mr-tz mentioned this issue Jan 3, 2023
Merged
3 tasks
@mr-tz
Copy link
Collaborator

mr-tz commented Jan 6, 2023

While looking at #1258 I noticed that we may want to improve capa.features.extractors.common.extract_format() or at least discuss and document our decision.

I think extract_format() would ideally also detect dotnet and we could simplify the code a bit (including parts of #1256).

Right now the dotnet detection depends on capa.features.extractors.dnfile_.DnfileFeatureExtractor.is_dotnet_file() and then some manual format setting subsequently.

@mr-tz mr-tz reopened this Jan 6, 2023
@mr-tz mr-tz mentioned this issue Jan 12, 2023
Merged
3 tasks
@mr-tz
Copy link
Collaborator

mr-tz commented Jan 30, 2023

We've refactored the code and addressed this.

@mr-tz mr-tz closed this as completed Jan 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mr-tz mr-tz

Labels
bug Something isn't working dotnet question Further information is requested
Projects
None yet
Milestone
5.0.0
Development

Successfully merging a pull request may close this issue.

fix dotnet and pe format handling mandiant/capa
3 participants
@williballenthin @mr-tz @mike-hunhoff