
OOM on certain files when using Python module #1945

Closed

jwahsnakupaku opened this issue Jan 24, 2024 · 4 comments · Fixed by #1948

Comments

@jwahsnakupaku

jwahsnakupaku commented Jan 24, 2024

Description

When using capa as a library against certain files the process ends up just OOMing.

Steps to Reproduce

Find a file that triggers it; I can provide a few samples if that helps.
https://www.virustotal.com/gui/file/f88e1f280af5b7ea78a8f0f59fba910e54e2eaeb2f34611a7e36f33b505d2784
https://www.virustotal.com/gui/file/f0fa2602f5b65dd91ec0eb7626556f6e9d07ed39065a574e05974a0bc3651017

  1. Run the bulk-process.py script against the files, e.g.:
python3 bulk-process.py -r capa-rules-6.1.0/ -s sigs/ -n1 --no-mp /tmp/samples
INFO:capa:successfully loaded 1061 rules
INFO:capa:computing capa results for: /tmp/samples/f88e1f280af5b7ea78a8f0f59fba910e54e2eaeb2f34611a7e36f33b505d2784.exe
Killed

Expected behavior:
Runs successfully against the file.

Actual behavior:
Process is killed by the oom killer.

Versions

./capa --version
capa 6.1.0

pip list installed | grep -i flare
flare-capa 6.1.0

python3 --version
Python 3.8.10

Using Ubuntu 20.04

Additional Information

Interestingly, running the capa binary against the file works without any dramas.

@mr-tz
Collaborator

mr-tz commented Jan 26, 2024

Thanks for the detailed report. You mention that the capa binary works.
Do you mean the standalone binary or the Python script invocation?

@mr-tz
Collaborator

mr-tz commented Jan 26, 2024

I see what's going on. The bulk-processor script only analyzes samples as native PEs. These samples are .NET, and analyzing them in vivisect causes the issues. So there are two issues:

  • the bulk analyze script is not up-to-date (which we should change or at least document)
  • vivisect has issues processing the files
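The mis-routing described in the comment above, as an added example (not capa's code and not posted by anyone in this thread): before handing a sample to the native-code path, check the PE header for a CLR runtime header (data directory 14) and send .NET assemblies to a .NET-aware backend instead. Only headers are parsed with the standard library; the sample headers are constructed inline, and the backend names returned by `choose_backend` are illustrative assumptions rather than capa's API.

```python
import struct

# PE constants (from the PE/COFF specification)
IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header (.NET)


def classify_pe(data: bytes) -> str:
    """Classify raw file bytes as 'dotnet', 'pe' (native) or 'unknown'.

    A PE is a .NET assembly when data directory 14 (the CLR runtime header)
    has a non-zero RVA and size. Only headers are parsed; nothing is loaded.
    """
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # need the 4-byte PE signature plus the 20-byte COFF header
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return "unknown"
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if size_of_optional < 2 or opt + size_of_optional > len(data):
        return "unknown"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_dirs_off = opt + 92    # NumberOfRvaAndSizes; directories follow at +96
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off = opt + 108   # NumberOfRvaAndSizes; directories follow at +112
    else:
        return "unknown"
    if num_dirs_off + 4 > opt + size_of_optional:
        return "pe"
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    entry = num_dirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    # the directory may have fewer than 15 entries, or be cut short by SizeOfOptionalHeader
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR or entry + 8 > opt + size_of_optional:
        return "pe"
    rva, size = struct.unpack_from("<II", data, entry)
    return "dotnet" if rva and size else "pe"


def choose_backend(data: bytes) -> str:
    """Pick the analysis backend a bulk driver should use (names are illustrative assumptions)."""
    kind = classify_pe(data)
    if kind == "dotnet":
        return "dnfile"     # .NET-aware extractor; never the native vivisect path
    if kind == "pe":
        return "vivisect"   # native code analysis
    return "skip"


def _build_header(magic: int, clr_rva: int, clr_size: int) -> bytes:
    """Constructed test input: a header-only PE image (not loadable) with 16 data directories."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    num_dirs = 16
    fixed = 96 if magic == PE32_MAGIC else 112          # size of the optional header before the directories
    opt_size = fixed + 8 * num_dirs
    machine = 0x14C if magic == PE32_MAGIC else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, fixed - 4, num_dirs)
    struct.pack_into("<II", opt, fixed + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr_rva, clr_size)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt)


# Constructed samples (not the VirusTotal files from the report)
NATIVE_PE = _build_header(PE32_MAGIC, 0, 0)
DOTNET_PE32 = _build_header(PE32_MAGIC, 0x2008, 0x48)
DOTNET_PE32PLUS = _build_header(PE32PLUS_MAGIC, 0x2008, 0x48)
NOT_A_PE = b"\x7fELF" + b"\0" * 60

if __name__ == "__main__":
    for name, blob in [("native", NATIVE_PE), ("dotnet32", DOTNET_PE32),
                       ("dotnet64", DOTNET_PE32PLUS), ("elf", NOT_A_PE)]:
        print(f"{name}: {classify_pe(blob)} -> {choose_backend(blob)}")
```

The check is deliberately header-only so it costs nothing per file in a bulk run; the bounds checks against SizeOfOptionalHeader and NumberOfRvaAndSizes matter because malformed samples are exactly what a bulk driver sees, and a driver that trusts the directory count blindly would read past the header.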

@jwahsnakupaku
Author

jwahsnakupaku commented Jan 27, 2024

> Thanks for the detailed report. You mention that the capa binary works. Do you mean the standalone binary or the Python script invocation?

Standalone binary.

> I see what's going on. The bulk-processor script only analyzes samples as native PEs. These samples are .NET, and analyzing them in vivisect causes the issues. So there are two issues:
>
> * the bulk analyze script is not up-to-date (which we should change or at least document)
> * vivisect has issues processing the files

Oh cool. I ran into this when using AssemblyLine; it looks like they based the CAPA service on that bulk-analyze script: https://github.com/CybercentreCanada/assemblyline-service-capa
They'll probably be keen to update the service to fix it.

@williballenthin
Collaborator

The bulk-export bug should be fixed in #1948.
