support wildcards and skips for bytes feature #233
Comments
we can support this by translating the bytes literal into a regular expression (python supports byte literals in regexes). how would you use this feature?
I was looking for this feature to write rules for direct syscall invocations - commonly generated by tooling like SysWhispers.
should be a pretty straightforward byte sequence for a capa rule, but I'm not sure how I would implement without byte wildcards. edit: I kept working on this and I think I should be able to do it with mnemonics after reading the Heaven's Gate rule. probably a similar situation for a lot of these
right, in capa we could match on a basic block containing something like:
Do you have a file/hash you can share for this specific example?
I was using WdToggle, a Beacon Object File using the InlineWhispers library, to test - https://github.com/outflanknl/WdToggle. BOFs are a bit odd to run against capa, since they're more structured than shellcode but not PEs, but running them as shellcode seems to work just fine. WdToggle was an arbitrary choice on my end - mostly because it was linked in the InlineWhispers repository.
Add support for wildcards and skips for bytes feature similar to Yara hexadecimal strings.
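As an added example (not capa's code and not posted by anyone in this thread), here is the translation the first comment sketches: a YARA-style hex string with "??" wildcards and "[n-m]" skips compiled into a Python bytes regex and run over a buffer. The token syntax, the function names and the sample byte buffer are assumptions constructed for the demo.

```python
import re

# Token grammar, assumed here and modelled on YARA hexadecimal strings:
#   "4C"    one literal byte        "??"    any single byte
#   "[n]"   skip exactly n bytes    "[n-m]" skip between n and m bytes
_TOKEN = re.compile(r"\s*(?:(\?\?)|([0-9A-Fa-f]{2})|\[(\d+)(?:-(\d+))?\])")


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a hex pattern with wildcards/skips into a compiled bytes regex."""
    pattern = pattern.strip()
    parts, pos = [], 0
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if m is None:
            raise ValueError(f"bad token at offset {pos}: {pattern[pos:]!r}")
        wild, lit, lo, hi = m.groups()
        if wild:
            parts.append(b".")                               # one arbitrary byte
        elif lit:
            parts.append(re.escape(bytes.fromhex(lit)))      # escape regex metabytes
        else:
            hi = lo if hi is None else hi
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))  # variable-length skip
        pos = m.end()
    # DOTALL is essential: without it "." refuses to match 0x0A in binary data.
    return re.compile(b"".join(parts), re.DOTALL)


def find_pattern(buf: bytes, pattern: str) -> list:
    """Return (start, end) offsets of every non-overlapping match in buf."""
    return [(m.start(), m.end()) for m in hex_pattern_to_regex(pattern).finditer(buf)]


# Constructed sample: two x64 direct-syscall stubs of the shape
# mov r10, rcx / mov eax, <number> / ... / syscall / ret. The second one has
# extra instructions between the immediate and the syscall, which a plain
# wildcard rule cannot bridge but a skip can.
SAMPLE = (
    b"\x90\x90"
    + b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\x0f\x05\xc3"
    + b"\xcc\xcc\xcc"
    + b"\x4c\x8b\xd1\xb8\x3f\x00\x00\x00"
    + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01\x75\x03"
    + b"\x0f\x05\xc3"
)

if __name__ == "__main__":
    print(find_pattern(SAMPLE, "4C 8B D1 B8 ?? ?? ?? ?? 0F 05 C3"))         # [(2, 13)]
    print(find_pattern(SAMPLE, "4C 8B D1 B8 ?? ?? ?? ?? [0-10] 0F 05 C3"))  # [(2, 13), (16, 37)]
```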