include reference to function that contains a given bb in json doc #130

Closed
mr-tz opened this issue Jul 11, 2020 · 4 comments · Fixed by #813
Labels
enhancement New feature or request

Comments

mr-tz (Collaborator) commented Jul 11, 2020

For basic block matches, we could tweak the output to include the function in which the BB is found.

$ capa -t "anti-VM i" ./tests/data/testbed/PMA/Chapter_17L/Lab17-03.exe_ -vv
execute anti-VM instructions
namespace  anti-analysis/anti-vm/vm-detection
author     moritz.raabe@fireeye.com
scope      basic block
att&ck     Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc        Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing
examples   Practical Malware Analysis Lab 17-03.exe_:0x401A80
basic block @ 0x401A80  <---------- add reference to function here.
  or:
    mnemonic: in @ 0x401AC8

@mr-tz mr-tz added the enhancement New feature or request label Jul 11, 2020
@mr-tz mr-tz added this to the 1.0 milestone Jul 11, 2020
williballenthin (Collaborator) commented:

interesting point - when we have a BB match, should we report the address of the BB or the function? currently, we report the address of the BB.

the BB address is more specific, and better corresponds to how capa is doing the matching.
the function address is more likely what a human will inspect and/or correlate with another tool.

if nothing else, we should probably update the json document to include both.

mr-tz (Collaborator, Author) commented Jul 13, 2020

Nevermind, the output is correct (I thought BB address and offset are wrong). Including the function association in the JSON and potentially the output here makes sense to me though!

@williballenthin williballenthin changed the title Output for basic block scope misleading include reference to function that contains a given bb in json doc Jul 13, 2020
@williballenthin williballenthin removed this from the 1.0 milestone Jul 13, 2020
williballenthin (Collaborator) commented:

not sure if we can hit this by 1.0/thursday, but it's a non-breaking change to the JSON doc, so we can do this as we have time.

williballenthin (Collaborator) commented Jul 14, 2020

this isn't super trivial, because we need to find a way to thread the association between bb and func all around. could maybe stuff it into the Match instance. probably would do that here: https://github.com/fireeye/capa/blob/b0092a784bb3e7ad07d9750f2593bded2e7bc088/capa/main.py#L67-L70

res.function = oint(f)
res.basic_block = oint(bb)
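
The BB-to-function association discussed in this thread, as an added illustration that is not capa's own code: a hypothetical BBMatch record carrying both addresses, a helper that resolves the containing function from a constructed function-to-blocks map, and a JSON emitter that reports both, writing null when a block belongs to no known function.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: function start address -> addresses of the basic blocks it contains.
# Block addresses echo the issue's example output; the function address is made up.
FUNCTION_BLOCKS: Dict[int, List[int]] = {
    0x401A00: [0x401A00, 0x401A80, 0x401AC8],
    0x402000: [0x402000, 0x402010],
}


@dataclass
class BBMatch:
    """A basic-block-scope rule match, extended with its containing function (hypothetical)."""
    rule: str
    basic_block: int
    function: Optional[int] = None


def build_bb_index(function_blocks: Dict[int, List[int]]) -> Dict[int, int]:
    """Invert function -> blocks into block -> function so each lookup is a dict hit."""
    index: Dict[int, int] = {}
    for func, blocks in function_blocks.items():
        for bb in blocks:
            index[bb] = func
    return index


def associate_functions(matches: List[BBMatch], function_blocks: Dict[int, List[int]]) -> List[BBMatch]:
    """Fill in the containing function for every BB match; None if the BB is in no known function."""
    index = build_bb_index(function_blocks)
    for m in matches:
        m.function = index.get(m.basic_block)
    return matches


def to_json_doc(matches: List[BBMatch]) -> str:
    """Emit both addresses, hex-formatted the way the -vv output prints them."""
    return json.dumps([
        {
            "rule": m.rule,
            "scope": "basic block",
            "basic_block": hex(m.basic_block),
            "function": hex(m.function) if m.function is not None else None,
        }
        for m in matches
    ], indent=2)
```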

williballenthin added a commit that referenced this issue Oct 26, 2021
so bb can be associated with function in output.
only captures BBs that have a rule match,
otherwise, there might be too much data captured.
closes #130.
@williballenthin williballenthin mentioned this issue Oct 26, 2021