smda: fix negative number extraction #851
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add fixtures to validate the following number features: - number(0x0): to check feature extraction for null number - number(0xFFFFFFFF): to check feature extraction for -1 number - number(0xFFFFFFF0): to check feature extraction for negative number (-0x10 in this case)
SmdaInstruction operands are python `str` objects. SMDA number operands are signed integers. This commit adds a converter to the SMDA number extractor. The goal is to convert any signed number to the two’s complement representation with the correct bitness.
| @@ -86,7 +86,7 @@ def main(argv=None): | |||
| argv = sys.argv[1:] | |||
|
|
|||
| parser = argparse.ArgumentParser(description="Show the features that capa extracts from the given sample") | |||
| capa.main.install_common_args(parser, wanted={"format", "sample", "signatures"}) | |||
| capa.main.install_common_args(parser, wanted={"format", "sample", "signatures", "backend"}) | |||
There was a problem hiding this comment.
nice catch, thanks
Comment on lines
+416
to
+426
| ("mimikatz", "function=0x401000", capa.features.insn.Number(0x0), True), | ||
| # insn/number: stack adjustments | ||
| ("mimikatz", "function=0x40105D", capa.features.insn.Number(0xC), False), | ||
| ("mimikatz", "function=0x40105D", capa.features.insn.Number(0x10), False), | ||
| # insn/number: bitness flavors | ||
| ("mimikatz", "function=0x40105D", capa.features.insn.Number(0xFF), True), | ||
| ("mimikatz", "function=0x40105D", capa.features.insn.Number(0xFF, bitness=BITNESS_X32), True), | ||
| ("mimikatz", "function=0x40105D", capa.features.insn.Number(0xFF, bitness=BITNESS_X64), False), | ||
| # insn/number: negative | ||
| ("mimikatz", "function=0x401553", capa.features.insn.Number(0xFFFFFFFF), True), | ||
| ("mimikatz", "function=0x43e543", capa.features.insn.Number(0xFFFFFFF0), True), |
There was a problem hiding this comment.
thanks for adding tests! this makes me confident that the fixes work as intended
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SMDA extractor is extracting negative Number features as described in #430.
This is not compliant with the rule format described in capa documentation:
This PR adds the following fixtures:
The function
extract_insn_number_featuresnow converts the parsed smda number operands in its two's complement representation.I also edited the
show-features.pyscript to be able to compare the feature extraction of smda and vivisect. I think that it could be useful and it does not seem to cause any issue.The documentation is not updated since I am just fixing a simple issue.
closes #430
Checklist