

Revert "introducing match strings constant for formats"
This reverts commit 530e28c.
Pratham Chauhan authored and Pratham Chauhan committed Mar 29, 2023
1 parent 9e12c56 commit b49fb7f
Showing 1 changed file with 9 additions and 13 deletions.
22 changes: 9 additions & 13 deletions capa/features/extractors/common.py
Expand Up @@ -16,10 +16,6 @@

logger = logging.getLogger(__name__)

#match strings for formats
MATCH_PE = b"MZ"
MATCH_ELF = b"\x7fELF"
MATCH_RESULT = b"{\"meta\":"

def extract_file_strings(buf, **kwargs) -> Iterator[Tuple[String, Address]]:
"""
Expand All @@ -33,13 +29,13 @@ def extract_file_strings(buf, **kwargs) -> Iterator[Tuple[String, Address]]:


def extract_format(buf) -> Iterator[Tuple[Feature, Address]]:
if buf.startswith(MATCH_PE):
if buf.startswith(b"MZ"):
yield Format(FORMAT_PE), NO_ADDRESS
elif buf.startswith(MATCH_ELF):
elif buf.startswith(b"\x7fELF"):
yield Format(FORMAT_ELF), NO_ADDRESS
elif is_freeze(buf):
yield Format(FORMAT_FREEZE), NO_ADDRESS
elif buf.startswith(MATCH_RESULT):
elif buf.startswith(b"{\"meta\":"):
yield Format(FORMAT_RESULT), NO_ADDRESS
else:
# we likely end up here:
Expand All @@ -51,14 +47,14 @@ def extract_format(buf) -> Iterator[Tuple[Feature, Address]]:


def extract_arch(buf) -> Iterator[Tuple[Feature, Address]]:
if buf.startswith(MATCH_PE):
if buf.startswith(b"MZ"):
yield from capa.features.extractors.pefile.extract_file_arch(pe=pefile.PE(data=buf))

elif buf.startswith(MATCH_ELF):
elif buf.startswith(b"\x7fELF"):
with contextlib.closing(io.BytesIO(buf)) as f:
arch = capa.features.extractors.elf.detect_elf_arch(f)

elif buf.startswith(MATCH_RESULT):
elif buf.startswith(b"{\"meta\":"):
arch = ARCH_ANY

if arch not in capa.features.common.VALID_ARCH:
Expand All @@ -83,11 +79,11 @@ def extract_arch(buf) -> Iterator[Tuple[Feature, Address]]:


def extract_os(buf) -> Iterator[Tuple[Feature, Address]]:
if buf.startswith(MATCH_PE):
if buf.startswith(b"MZ"):
yield OS(OS_WINDOWS), NO_ADDRESS
elif buf.startswith(MATCH_RESULT):
elif buf.startswith(b"{\"meta\":"):
yield OS(OS_ANY), NO_ADDRESS
elif buf.startswith(MATCH_ELF):
elif buf.startswith(b"\x7fELF"):
with contextlib.closing(io.BytesIO(buf)) as f:
os = capa.features.extractors.elf.detect_elf_os(f)


