binexport: number: skipped mapped numbers

mandiant · Jan 30, 2024 · afbff1b · afbff1b
1 parent f318129
commit afbff1b
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/capa/features/extractors/binexport2/insn.py b/capa/features/extractors/binexport2/insn.py
@@ -53,6 +53,14 @@ def extract_insn_api_features(fh: FunctionHandle, _bbh: BBHandle, ih: InsnHandle
             yield API(f"{library_name}.{vertex.mangled_name}"), ih.address
 
 
+def probe_memory(be2: BinExport2, address: int) -> bool:
+    """return True if the given address is mapped"""
+    for section in be2.section:
+        if section.address <= address < section.address + section.size:
+            return True
+    return False
+
+
 def extract_insn_number_features(
     fh: FunctionHandle, _bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[Tuple[Feature, Address]]:
@@ -88,7 +96,10 @@ def extract_insn_number_features(
 
         value = expression1.immediate
         # TODO: skip small numbers
-        # TODO: skip mapped pointers
+
+        if probe_memory(be2, value):
+            continue
+
         yield Number(value), ih.address