Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error when running capa with Binary Ninja backend on shellcode #2489

Closed
as0ni opened this issue Nov 11, 2024 · 5 comments
Closed

Error when running capa with Binary Ninja backend on shellcode #2489

as0ni opened this issue Nov 11, 2024 · 5 comments
Labels
binary-ninja
Milestone
v8.0

Comments

@as0ni
Copy link

as0ni commented Nov 11, 2024

Description

When running capa against shellcode using the Binary Ninja backend, I encountered an error related to an unexpected file format. The analysis fails, preventing capa from assessing shellcode capabilities as expected.

Steps to Reproduce

Run capa on shellcode using Binary Ninja as a backend with the following command:
capa.exe -r C:\Tools\capa-rules -f sc64 sc.bin -b binja -d

Expected behavior:
capa should analyze the shellcode file and report any detected capabilities based on the specified rules.

Actual behavior:
The above command produces the following error:

File "C:\Users\<USER>\AppData\Local\Programs\Python\Python311\Lib\site-packages\capa\features\extractors\binja\file.py", line 174, in extract_file_format
    raise NotImplementedError(f"unexpected file format: {view_type}")
NotImplementedError: unexpected file format: Mapped

Versions

capa version: 7.3.0
Installed as: Python library
Backend: Binary Ninja 4.1.5902

Potential solution:

To work around this issue, I modified the file file.py in the Binary Ninja extractor by changing the line:

elif view_type == "Raw":
to
elif view_type == "Mapped":

within the extract_file_format function. After this change, capa ran successfully and produced the expected results.
@mr-tz
Copy link
Collaborator

mr-tz commented Nov 11, 2024

Good find, there's no proper support for shellcode in Binary Ninja.
@xusheng6, is using Mapped a proper way to handle/identify shellcode?

@xusheng6
Copy link
Contributor

Good find, there's no proper support for shellcode in Binary Ninja. @xusheng6, is using Mapped a proper way to handle/identify shellcode?

Yes! I think you can change the line at https://github.com/mandiant/capa/blob/2987eeb0acc03e187bdd90bb1644377774a2045a/capa/features/extractors/binja/file.py#L136 from

elif view_type == "Raw": to elif view_type in ["Raw", "Mapped"]:

@xusheng6 xusheng6 mentioned this issue Nov 19, 2024
Closed
@mr-tz
Copy link
Collaborator

mr-tz commented Nov 19, 2024

Great, thanks for the input. @as0ni do you want to make the PR?

@mr-tz mr-tz added this to the v8.0 milestone Nov 20, 2024
@as0ni
Copy link
Author

as0ni commented Nov 20, 2024

@mr-tz will do!

@xusheng6 xusheng6 mentioned this issue Nov 21, 2024
Closed
@xusheng6
Copy link
Contributor

@as0ni @mr-tz let me fix this one. I need to verify it actually works after the proposed change

xusheng6 added a commit to xusheng6/capa that referenced this issue Nov 21, 2024
@xusheng6
binja: support analyzing x86/x86_64 shellcode with binja backend (man…
a27083d 
…diant#2489)
@xusheng6 xusheng6 mentioned this issue Nov 21, 2024
Merged
3 tasks
williballenthin pushed a commit that referenced this issue Nov 25, 2024
@xusheng6 @williballenthin
binja: support analyzing x86/x86_64 shellcode with binja backend (#2489)
2a6ba62
@mr-tz mr-tz closed this as completed Nov 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
binary-ninja
Projects
None yet
Milestone
v8.0
Development

No branches or pull requests
3 participants
@as0ni @mr-tz @xusheng6