-
Notifications
You must be signed in to change notification settings - Fork 567
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle API versions sandboxes vs. rules #1815
Comments
CAPE sandbox output
See here for traced APIs: https://github.com/kevoreilly/CAPEv2/blob/3ac733c6d32fa0cdbe45f74920b21fa4c28203a3/lib/cuckoo/common/logtbl.py capa rules
So to make this work for dynamic analysis we'll have to:
|
Question on "remove DLL names from rule apis (during rule loading)":
For the second option we could even reduce the overall extracted features. We loose some exactness but I see little practical impact. |
agree that there's probably not a practical impact here. in theory there could be colliding API names, but i dont think i've ever seen this. i like having the DLL names in the rules because it provides a hint to humans about where to find the routine. but i think we can very reasonably update the documentation to indicate that the DLL name is just used for documentation and not used during matching. |
closed via #1824 |
I've noticed we run into issues since CAPE reports only list the api (like
CreateFileA
), however:CreateFile
[not A/W])This is one way/part of handling this, maybe we can come up with a more generic way.
Originally posted by @mr-tz in #1809 (comment)
Statically, we always have all data. For dynamic we need to handle this differently.
The text was updated successfully, but these errors were encountered: