From 13745702cd7e59d3982551f21c67d872a9aec900 Mon Sep 17 00:00:00 2001
From: Mike Hunhoff
Date: Fri, 1 Dec 2023 15:05:09 -0700
Subject: [PATCH] focus on data references only

---
 capa/features/extractors/ghidra/helpers.py | 8 ++++----
 capa/features/extractors/ghidra/insn.py | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/capa/features/extractors/ghidra/helpers.py b/capa/features/extractors/ghidra/helpers.py
index 2d58ce98c..b1785f30c 100644
--- a/capa/features/extractors/ghidra/helpers.py
+++ b/capa/features/extractors/ghidra/helpers.py
@@ -277,11 +277,11 @@ def dereference_ptr(insn: ghidra.program.database.code.InstructionDB):
     return to_deref
 
 
-def find_memory_references_from_insn(insn, max_depth: int = 10):
-    """yield memory references from given instruction"""
+def find_data_references_from_insn(insn, max_depth: int = 10):
+    """yield data references from given instruction"""
     for reference in insn.getReferencesFrom():
-        if not reference.isMemoryReference():
-            # only care about memory references
+        if not reference.getReferenceType().isData():
+            # only care about data references
             continue
 
         to_addr = reference.getToAddress()
diff --git a/capa/features/extractors/ghidra/insn.py b/capa/features/extractors/ghidra/insn.py
index aeb44fd25..2ff87b61c 100644
--- a/capa/features/extractors/ghidra/insn.py
+++ b/capa/features/extractors/ghidra/insn.py
@@ -221,7 +221,7 @@ def extract_insn_bytes_features(fh: FunctionHandle, bb: BBHandle, ih: InsnHandle
     example:
         push offset iid_004118d4_IShellLinkA ; riid
     """
-    for addr in capa.features.extractors.ghidra.helpers.find_memory_references_from_insn(ih.inner):
+    for addr in capa.features.extractors.ghidra.helpers.find_data_references_from_insn(ih.inner):
         data = getDataAt(addr)  # type: ignore [name-defined] # noqa: F821
         if data and not data.hasStringValue():
             extracted_bytes = capa.features.extractors.ghidra.helpers.get_bytes(addr, MAX_BYTES_FEATURE_SIZE)
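Review bot: Replacing `isMemoryReference()` with `getReferenceType().isData()` in find_data_references_from_insn drops the memory-space check, so stack and external references (which also carry a data RefType in Ghidra) now pass the filter and their non-memory to-address reaches the two callers in insn.py, whereas the old predicate excluded them. Unless that widening is intended, combine both checks: `if not (reference.isMemoryReference() and reference.getReferenceType().isData()):` with the comment `# only care about data references into memory`. The rest of the function body, including whatever consumes `max_depth`, continues past the end of the hunk. The new docstring could also say what is yielded, e.g. `"""yield the target addresses of data references from the given instruction"""`.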
@@ -236,7 +236,7 @@ def extract_insn_string_features(fh: FunctionHandle, bb: BBHandle, ih: InsnHandl
     example:
         push offset aAcr ; "ACR > "
     """
-    for addr in capa.features.extractors.ghidra.helpers.find_memory_references_from_insn(ih.inner):
+    for addr in capa.features.extractors.ghidra.helpers.find_data_references_from_insn(ih.inner):
         data = getDataAt(addr)  # type: ignore [name-defined] # noqa: F821
         if data and data.hasStringValue():
             yield String(data.getValue()), ih.address