Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

capa explorer: unit test fails #1243

Closed
mike-hunhoff opened this issue Dec 20, 2022 · 4 comments · Fixed by #1250
Closed

capa explorer: unit test fails #1243

mike-hunhoff opened this issue Dec 20, 2022 · 4 comments · Fixed by #1250
Labels
bug Something isn't working ida-explorer Related to IDA Pro plugin
Milestone
5.0.0

Comments

@mike-hunhoff
Copy link
Collaborator

capa v4.0.1

FAIL mimikatz-function=0x4011FB-offset(-0x1)-True
Traceback (most recent call last):
  File "C:/Exclusions/capa-4.0.1/tests/test_ida_features.py", line 61, in test_ida_features
    fixtures.do_test_feature_presence(get_ida_extractor, sample, scope, feature, expected)
  File "C:\Exclusions/capa-4.0.1/tests\fixtures.py", line 792, in do_test_feature_presence
    assert feature.evaluate(features) == expected, msg
AssertionError: offset(-0x1) should be found in function=0x4011FB
FAIL mimikatz-function=0x4011FB-offset(-0x2)-True
Traceback (most recent call last):
  File "C:/Exclusions/capa-4.0.1/tests/test_ida_features.py", line 61, in test_ida_features
    fixtures.do_test_feature_presence(get_ida_extractor, sample, scope, feature, expected)
  File "C:\Exclusions/capa-4.0.1/tests\fixtures.py", line 792, in do_test_feature_presence
    assert feature.evaluate(features) == expected, msg
AssertionError: offset(-0x2) should be found in function=0x4011FB
@mike-hunhoff mike-hunhoff added bug Something isn't working ida-explorer Related to IDA Pro plugin labels Dec 20, 2022
@mike-hunhoff mike-hunhoff added this to the 5.0.0 milestone Dec 20, 2022
@mike-hunhoff
Copy link
Collaborator Author

mike-hunhoff commented Dec 28, 2022
edited
Loading

We appear to be emitting 64-bit displacement e.g.

movsx   eax, word ptr [edi-4]

emits

0xfffffffffffffffc

We then assume 32-bit displacement and fail to generate the correct negative.

I am unsure if this is a bug in the way we emit displacement or a bug in IDA. The IDA disassembly UI appears to use 32-bit displacement.

movsx   eax, word ptr [edi+0FFFFFFFCh]

tested 64-bit IDA >= 8.0

@mike-hunhoff
Copy link
Collaborator Author

we grab the displacement from idaapi.op_t.addr here:

capa/capa/features/extractors/ida/helpers.py

Line 224 in e6585ee

offset = op.addr

idaapi.op_t.addr docs: https://www.hex-rays.com/products/ida/support/sdkdoc/classop__t.html#acaaeff517df0b7156b4b8521a3900cdc

@mike-hunhoff
Copy link
Collaborator Author

mike-hunhoff commented Dec 28, 2022
edited
Loading

Displacement is 32-bit in 32-bit IDA. I'm guessing ea_t is 32-bit in 32-bit IDA and 64-bit in 64-bit IDA and because ea_t is used for displacement the displacement is 64-bit (even though we assume 32-bit displacement).

Screen Shot 2022-12-27 at 5 26 50 PM

Screen Shot 2022-12-27 at 5 26 43 PM

@mike-hunhoff
Copy link
Collaborator Author

IDA >= 8.2 is 64-bit only so we can expect this issue to persist. We assume 32-bit displacement based on discussions here so we can simply mask the offset.

@mike-hunhoff mike-hunhoff mentioned this issue Dec 28, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working ida-explorer Related to IDA Pro plugin
Projects
None yet
Milestone
5.0.0
Development

Successfully merging a pull request may close this issue.

explorer: assume 32-bit displacement for offsets mandiant/capa
1 participant
@mike-hunhoff