Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

smda: extracting negative Number features #430

Closed
mike-hunhoff opened this issue Feb 17, 2021 · 1 comment · Fixed by #851
Closed

smda: extracting negative Number features #430

mike-hunhoff opened this issue Feb 17, 2021 · 1 comment · Fixed by #851
Labels
bug Something isn't working

Comments

@mike-hunhoff
Copy link
Collaborator

The smda backend appears to be extracting negative numbers e.g. -1 versus 0xFFFFFFFF as expected. This is causing rule matches to fail.

Sample feature extraction:

$ python scripts\show-features.py tests\data\493167e85e45363d09495d0841c30648.sys_ --function 0x404b00

smda:

...
insn: 0x00404bb6: number(0x-1)
insn: 0x00404bb6: number/x32(0x-1)
insn: 0x00404bb6: mnemonic(push)
...

viv:

...
insn: 0x00404bb6: number(0xFFFFFFFF)
insn: 0x00404bb6: number/x32(0xFFFFFFFF)
insn: 0x00404bb6: mnemonic(push)
...
@mike-hunhoff mike-hunhoff added the bug Something isn't working label Feb 17, 2021
@mr-tz
Copy link
Collaborator

mr-tz commented Feb 18, 2021

Good catch.

ida:

insn: 0x00404bb6: number(0xFFFFFFFF)
insn: 0x00404bb6: number/x32(0xFFFFFFFF)
insn: 0x00404bb6: mnemonic(push)

Note that capa treats all numbers as unsigned values. A negative number is not a valid feature value. To match a negative number you may specify its two's complement representation. For example, 0xFFFFFFF0 (-2) in a 32-bit file.
https://github.com/fireeye/capa-rules/blob/master/doc/format.md#number

We need to add test fixtures that account for this.

@williballenthin williballenthin mentioned this issue Dec 6, 2021
Merged
3 tasks
@kn0wl3dge kn0wl3dge mentioned this issue Dec 31, 2021
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

smda: fix negative number extraction kn0wl3dge/capa
2 participants
@mr-tz @mike-hunhoff