IDA plugin: ELF file format error

[mr-tz]

CC: @mike-hunhoff

Are ELF files properly enabled in the IDA plugin?

ERROR:capa.ida.plugin.form:Failed to extract capabilities from database (error: ('file format: %s', 'ELF for Intel 386 (Executable)'))
INFO:capa.ida.plugin.form:Analysis failed.

[mr-tz]

related: #910

[mike-hunhoff]

@mr-tz looks like a bug introduced here:

capa/capa/features/extractors/ida/file.py

Lines 157 to 167 in b4a2395

	def extract_file_format():
	format_name = ida_loader.get_file_type_name()
	if "PE" in format_name:
	yield Format(FORMAT_PE), 0x0
	elif "ELF64" in format_name:
	yield Format(FORMAT_ELF), 0x0
	elif "ELF32" in format_name:
	yield Format(FORMAT_ELF), 0x0
	else:
	raise NotImplementedError("file format: %s", format_name)

I'll take a closer look and push out a fix. Thanks for reporting!

[williballenthin]

im not quite sure how to enumerate all of the formats, though I think this is the source of the format above:

so maybe we can get away with checking for format_name.startswith("ELF for")

[mike-hunhoff]

we use the following for other file format checks:

capa/capa/ida/helpers.py

Lines 24 to 30 in 1b2f0fc

	# file type as returned by idainfo.file_type
	SUPPORTED_FILE_TYPES = (
	idaapi.f_PE,
	idaapi.f_ELF,
	idaapi.f_BIN,
	# idaapi.f_MACHO,
	)

capa/capa/ida/helpers.py

Lines 50 to 62 in 1b2f0fc

	def is_supported_file_type():
	file_info = idaapi.get_inf_structure()
	if file_info.filetype not in SUPPORTED_FILE_TYPES:
	logger.error("-" * 80)
	logger.error(" Input file does not appear to be a supported file type.")
	logger.error(" ")
	logger.error(
	" capa currently only supports analyzing PE, ELF, or binary files containing x86 (32- and 64-bit) shellcode."
	)
	logger.error(" If you don't know the input file type, you can try using the `file` utility to guess it.")
	logger.error("-" * 80)
	return False
	return True

I believe the above works for all cases

[mike-hunhoff]

let me see if I can grab the MD5 from @mr-tz to double-check.