Showing 35 changed files with 32,642 additions and 363 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -2,6 +2,29 @@ | |
|
||
## master (unreleased) | ||
|
||
### New Features | ||
|
||
### Breaking Changes | ||
|
||
### New Rules (0) | ||
|
||
- | ||
|
||
### Bug Fixes | ||
|
||
### capa explorer IDA Pro plugin | ||
|
||
### Development | ||
|
||
### Raw diffs | ||
- [capa v7.0.0-beta...master](https://github.com/mandiant/capa/compare/v7.0.0-beta...master) | ||
- [capa-rules v7.0.0-beta...master](https://github.com/mandiant/capa-rules/compare/v7.0.0-beta...master) | ||
|
||
## v7.0.0-beta | ||
This is the beta release of capa v7.0 which was mainly worked on during the Google Summer of Code (GSoC) 2023. A huge | ||
shoutout to @colton-gabertan and @yelhamer for their amazing work. | ||
|
||
Also a big thanks to the other contributors: @aaronatp, @Aayush-Goel-04, @bkojusner, @doomedraven, @ruppde, and @xusheng6. | ||
### New Features | ||
- add Ghidra backend #1770 #1767 @colton-gabertan @mike-hunhoff | ||
- add dynamic analysis via CAPE sandbox reports #48 #1535 @yelhamer | ||
|
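Review bot: the new `### New Rules (0)` section under `## master (unreleased)` carries a bare `- ` bullet with no rule name, which renders as an empty list item; drop the placeholder and leave the heading on its own until the first rule lands, as the sibling `### New Features` and `### Bug Fixes` headings in the same template already do. The `### Raw diffs` links for the unreleased section correctly compare `v7.0.0-beta...master` for both capa and capa-rules.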
@@ -13,6 +36,7 @@ | |
- binja: add support for forwarded exports #1646 @xusheng6 | ||
- binja: add support for symtab names #1504 @xusheng6 | ||
- add com class/interface features #322 @Aayush-goel-04 | ||
- dotnet: emit enclosing class information for nested classes #1780 #1913 @bkojusner @mike-hunhoff | ||
|
||
### Breaking Changes | ||
|
||
|
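Review bot: the existing `add com class/interface features #322 @Aayush-goel-04` line spells the handle differently from `@Aayush-Goel-04` in the contributor thanks added to the v7.0.0-beta intro; GitHub resolves handles case-insensitively, but the changelog should use one spelling. The added `dotnet: emit enclosing class information for nested classes #1780 #1913` entry follows the existing `area: description #PR @author` convention and needs no change.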
@@ -22,7 +46,7 @@ | |
- update freeze format to v3, adding support for dynamic analysis @williballenthin | ||
- extractor: ignore DLL name for api features #1815 @mr-tz | ||
|
||
### New Rules (34) | ||
### New Rules (41) | ||
|
||
- nursery/get-ntoskrnl-base-address @mr-tz | ||
- host-interaction/network/connectivity/set-tcp-connection-state @johnk3r | ||
|
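Review bot: the bump from `### New Rules (34)` to `### New Rules (41)` is consistent with the later hunk, which replaces one empty `- ` bullet with seven rule entries (six `nursery/...` rules plus `host-interaction/process/inject/process-ghostly-hollowing`). The count is maintained by hand, so re-check it against the list before tagging the final v7.0.0 release.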
@@ -57,21 +81,43 @@ | |
- data-manipulation/compression/create-cabinet-on-windows [email protected] [email protected] | ||
- data-manipulation/compression/extract-cabinet-on-windows [email protected] | ||
- lib/create-file-decompression-interface-context-on-windows [email protected] | ||
- | ||
- nursery/enumerate-files-in-dotnet [email protected] [email protected] | ||
- nursery/get-mac-address-in-dotnet [email protected] [email protected] [email protected] | ||
- nursery/get-current-process-command-line [email protected] | ||
- nursery/get-current-process-file-path [email protected] | ||
- nursery/hook-routines-via-dlsym-rtld_next [email protected] | ||
- nursery/linked-against-hp-socket [email protected] | ||
- host-interaction/process/inject/process-ghostly-hollowing [email protected] | ||
|
||
### Bug Fixes | ||
- ghidra: fix `ints_to_bytes` performance #1761 @mike-hunhoff | ||
- binja: improve function call site detection @xusheng6 | ||
- binja: use `binaryninja.load` to open files @xusheng6 | ||
- binja: bump binja version to 3.5 #1789 @xusheng6 | ||
- elf: better detect ELF OS via GCC .ident directives #1928 @williballenthin | ||
- elf: better detect ELF OS via Android dependencies #1947 @williballenthin | ||
- fix setuptools package discovery #1886 @gmacon @mr-tz | ||
|
||
### capa explorer IDA Pro plugin | ||
|
||
### Development | ||
- update ATT&CK/MBC data for linting #1932 @mr-tz | ||
|
||
#### Developer Notes | ||
With this new release, many classes and concepts have been split up into static (mostly identical to the | ||
prior implementations) and dynamic ones. For example, the legacy FeatureExtractor class has been renamed to | ||
StaticFeatureExtractor and the DynamicFeatureExtractor has been added. | ||
|
||
Starting from version 7.0, we have moved the component responsible for feature extractor from main to a new | ||
capabilities' module. Now, users wishing to utilize capa’s feature extraction abilities should use that module instead | ||
of importing the relevant logic from the main file. | ||
|
||
For sandbox-based feature extractors, we are using Pydantic models. Contributions of more models for other sandboxes | ||
are very welcome! | ||
|
||
### Raw diffs | ||
- [capa v6.1.0...master](https://github.com/mandiant/capa/compare/v6.1.0...master) | ||
- [capa-rules v6.1.0...master](https://github.com/mandiant/capa-rules/compare/v6.1.0...master) | ||
- [capa v6.1.0...v7.0.0-beta](https://github.com/mandiant/capa/compare/v6.1.0...v7.0.0-beta) | ||
- [capa-rules v6.1.0...v7.0.0-beta](https://github.com/mandiant/capa-rules/compare/v6.1.0...v7.0.0-beta) | ||
|
||
## v6.1.0 | ||
|
||
|
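Review bot: the `### Raw diffs` list closing the `## v7.0.0-beta` section keeps the `v6.1.0...master` links for capa and capa-rules next to the new `v6.1.0...v7.0.0-beta` links; for a tagged release the `...master` pair duplicates the unreleased section above and will drift as master moves, so drop those two lines here. In `#### Developer Notes`, `a new capabilities' module` has a stray apostrophe (`a new capabilities module`) and `the component responsible for feature extractor` reads better as `feature extraction`. As rendered here, the author fields on the added `nursery/...` rule entries read `[email protected]`, which is not a usable attribution; confirm the committed text carries the real handles or addresses.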
@@ -1626,4 +1672,4 @@ Download a standalone binary below and checkout the readme [here on GitHub](http | |
### Raw diffs | ||
|
||
- [capa v1.0.0...v1.1.0](https://github.com/mandiant/capa/compare/v1.0.0...v1.1.0) | ||
- [capa-rules v1.0.0...v1.1.0](https://github.com/mandiant/capa-rules/compare/v1.0.0...v1.1.0) | ||
- [capa-rules v1.0.0...v1.1.0](https://github.com/mandiant/capa-rules/compare/v1.0.0...v1.1.0) |
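Review bot: the only change in this hunk is the final `capa-rules v1.0.0...v1.1.0` line removed and re-added with identical text, which is the pattern of a trailing-newline fix at end of file; harmless, but a one-word mention in the commit message would stop reviewers from looking for a content change here.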
@@ -0,0 +1,36 @@ | ||
# Copyright (C) 2023 Mandiant, Inc. All Rights Reserved. | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at: [package root]/LICENSE.txt | ||
# Unless required by applicable law or agreed to in writing, software distributed under the License | ||
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and limitations under the License. | ||
from enum import Enum | ||
from typing import Dict, List | ||
|
||
from capa.helpers import assert_never | ||
|
||
|
||
class ComType(Enum): | ||
CLASS = "class" | ||
INTERFACE = "interface" | ||
|
||
|
||
COM_PREFIXES = { | ||
ComType.CLASS: "CLSID_", | ||
ComType.INTERFACE: "IID_", | ||
} | ||
|
||
|
||
def load_com_database(com_type: ComType) -> Dict[str, List[str]]: | ||
# lazy load these python files since they are so large. | ||
# that is, don't load them unless a COM feature is being handled. | ||
import capa.features.com.classes | ||
import capa.features.com.interfaces | ||
|
||
if com_type == ComType.CLASS: | ||
return capa.features.com.classes.COM_CLASSES | ||
elif com_type == ComType.INTERFACE: | ||
return capa.features.com.interfaces.COM_INTERFACES | ||
else: | ||
assert_never(com_type) |
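Review bot: `load_com_database` has no docstring, so a caller cannot tell from the signature what the keys and the list values of the returned `Dict[str, List[str]]` are; add one line stating what the mapping holds for `COM_CLASSES` and `COM_INTERFACES`. The lazy-import comment is good; it is worth adding that Python caches the modules in `sys.modules`, so only the first call pays the load cost and the function can be called per feature without a guard. `COM_PREFIXES` is defined but unused in this file; a short comment naming where the `CLSID_`/`IID_` prefixes are consumed would help readers. The `if`/`elif`/`else: assert_never(com_type)` shape is the right way to keep the branch exhaustive under type checking as new `ComType` members are added.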