From 89ebfe6b0cfdb1530e8fa5d7ccfea4b222287e56 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin <willi.ballenthin@gmail.com>
Date: Thu, 25 Jan 2024 11:50:24 +0000
Subject: [PATCH 1/2] features: add BinExport2 declarations

---
 capa/features/common.py |  5 ++++-
 capa/helpers.py         | 23 +++++++++++++----------
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/capa/features/common.py b/capa/features/common.py
index c4b7df8e6..2a048a8a3 100644
--- a/capa/features/common.py
+++ b/capa/features/common.py
@@ -409,9 +409,10 @@ def get_value_str(self):
 # other candidates here: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types
 ARCH_I386 = "i386"
 ARCH_AMD64 = "amd64"
+ARCH_AARCH64 = "aarch64"
 # dotnet
 ARCH_ANY = "any"
-VALID_ARCH = (ARCH_I386, ARCH_AMD64, ARCH_ANY)
+VALID_ARCH = (ARCH_I386, ARCH_AMD64, ARCH_ANY, ARCH_AARCH64)
 
 
 class Arch(Feature):
@@ -459,6 +460,7 @@ def evaluate(self, features: "capa.engine.FeatureSet", short_circuit=True):
 FORMAT_AUTO = "auto"
 FORMAT_SC32 = "sc32"
 FORMAT_SC64 = "sc64"
+FORMAT_BINEXPORT2 = "binexport2"
 FORMAT_CAPE = "cape"
 FORMAT_FREEZE = "freeze"
 FORMAT_RESULT = "result"
@@ -470,6 +472,7 @@ def evaluate(self, features: "capa.engine.FeatureSet", short_circuit=True):
     FORMAT_DOTNET,
     FORMAT_FREEZE,
     FORMAT_RESULT,
+    FORMAT_BINEXPORT2,
 }
 DYNAMIC_FORMATS = {
     FORMAT_CAPE,
diff --git a/capa/helpers.py b/capa/helpers.py
index 77380c7ed..e274b501b 100644
--- a/capa/helpers.py
+++ b/capa/helpers.py
@@ -27,10 +27,11 @@
     FORMAT_FREEZE,
     FORMAT_UNKNOWN,
     Format,
-)
+), FORMAT_BINEXPORT2
 
 EXTENSIONS_SHELLCODE_32 = ("sc32", "raw32")
 EXTENSIONS_SHELLCODE_64 = ("sc64", "raw64")
+EXTENSIONS_BINEXPORT2 = ("BinExport", "BinExport2")
 EXTENSIONS_DYNAMIC = ("json", "json_", "json.gz")
 EXTENSIONS_ELF = "elf_"
 EXTENSIONS_FREEZE = "frz"
@@ -105,15 +106,8 @@ def get_format_from_extension(sample: Path) -> str:
         format_ = get_format_from_report(sample)
     elif sample.name.endswith(EXTENSIONS_FREEZE):
         format_ = FORMAT_FREEZE
-    return format_
-
-
-def get_auto_format(path: Path) -> str:
-    format_ = get_format(path)
-    if format_ == FORMAT_UNKNOWN:
-        format_ = get_format_from_extension(path)
-    if format_ == FORMAT_UNKNOWN:
-        raise UnsupportedFormatError()
+    elif sample.name.endswith(EXTENSIONS_BINEXPORT2):
+        format_ = FORMAT_BINEXPORT2
     return format_
 
 
@@ -136,6 +130,15 @@ def get_format(sample: Path) -> str:
     return FORMAT_UNKNOWN
 
 
+def get_auto_format(path: Path) -> str:
+    format_ = get_format(path)
+    if format_ == FORMAT_UNKNOWN:
+        format_ = get_format_from_extension(path)
+    if format_ == FORMAT_UNKNOWN:
+        raise UnsupportedFormatError()
+    return format_
+
+
 @contextlib.contextmanager
 def redirecting_print_to_tqdm(disable_progress):
     """

From fb72e5e8fddec5f0b763f384e9e126d866bf6fce Mon Sep 17 00:00:00 2001
From: Mike Hunhoff <mike.hunhoff@gmail.com>
Date: Mon, 10 Jun 2024 14:49:03 -0600
Subject: [PATCH 2/2] fix lints

---
 capa/helpers.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/capa/helpers.py b/capa/helpers.py
index e274b501b..5a466cfd9 100644
--- a/capa/helpers.py
+++ b/capa/helpers.py
@@ -26,8 +26,9 @@
     FORMAT_DOTNET,
     FORMAT_FREEZE,
     FORMAT_UNKNOWN,
+    FORMAT_BINEXPORT2,
     Format,
-), FORMAT_BINEXPORT2
+)
 
 EXTENSIONS_SHELLCODE_32 = ("sc32", "raw32")
 EXTENSIONS_SHELLCODE_64 = ("sc64", "raw64")