From afbff1b5acdea6ad107ed83ff182bcdc1e0c3927 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Tue, 30 Jan 2024 20:19:48 +0000
Subject: [PATCH] binexport: number: skipped mapped numbers
---
 capa/features/extractors/binexport2/insn.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/capa/features/extractors/binexport2/insn.py b/capa/features/extractors/binexport2/insn.py
index 97406f25d..e1f62c014 100644
--- a/capa/features/extractors/binexport2/insn.py
+++ b/capa/features/extractors/binexport2/insn.py
@@ -53,6 +53,14 @@ def extract_insn_api_features(fh: FunctionHandle, _bbh: BBHandle, ih: InsnHandle
 yield API(f"{library_name}.{vertex.mangled_name}"), ih.address
+def probe_memory(be2: BinExport2, address: int) -> bool:
+ """return True if the given address is mapped"""
+ for section in be2.section:
+ if section.address <= address < section.address + section.size:
+ return True
+ return False
+
+
 def extract_insn_number_features(
 fh: FunctionHandle, _bbh: BBHandle, ih: InsnHandle
 ) -> Iterator[Tuple[Feature, Address]]:
@@ -88,7 +96,10 @@ def extract_insn_number_features(
 value = expression1.immediate
 # TODO: skip small numbers
- # TODO: skip mapped pointers
+
+ if probe_memory(be2, value):
+ continue
+
 yield Number(value), ih.address
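Review bot: `probe_memory` accepts any address that falls inside any `be2.section` entry, so the "mapped" answer is only as reliable as the section table carried in the BinExport2 file, and for a sample under analysis that table is derived from attacker-influenced input. An entry with a very large `size`, or one that starts at a very low address, would make most immediates look mapped, and the second hunk would then silently suppress the corresponding `Number` features. The docstring should state that limit, for example `"""return True if address lies within a section listed in the BinExport2 file (bounds are taken as-is, not validated)"""`. The helper also rescans every section for each operand; whether that matters depends on the call frequency, which is not visible in this hunk.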
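Review bot: The new `if probe_memory(be2, value): continue` drops every immediate whose value happens to fall inside a mapped range, not only operands that are actually used as pointers, and the `# TODO: skip small numbers` just above it is still open. On images mapped at a low base, ordinary constants (sizes, flags, magic values) can coincide with section addresses and would stop producing `Number` features, so rules keyed on those constants may miss without any indication. A comment recording the trade-off would help, for example `# heuristic: a value inside a mapped section is assumed to be a pointer; may hide real constants on low-base images`. `be2` is not bound in the visible lines and the function body starts and ends outside the hunk, so confirm it is assigned before this point.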