gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-12 15:49:46 -08:00
Code Issues Packages Projects Releases Wiki Activity

dotnet: emit features from newobj instruction (#1186)

Browse Source
This commit is contained in:
Mike Hunhoff
2022-10-13 08:35:29 -06:00
committed by GitHub
parent 7cc6773bf8
commit 20c7949be3
4 changed files with 10 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -5,6 +5,7 @@
### New Features
- verify rule metadata format on load #1160 @mr-tz
- extract property features from .NET PE files #1168 @anushkavirgaonkar
- emit features for .NET newobj instruction #1186 @mike-hunhoff
### Breaking Changes

4
capa/features/extractors/dnfile/helpers.py
View File

@@ -50,6 +50,10 @@ class DnType(object):
self.access = access
self.namespace = namespace
self.class_ = class_
if member == ".ctor":
member = "ctor"
if member == ".cctor":
member = "cctor"
self.member = member
def __hash__(self):

4
capa/features/extractors/dnfile/insn.py
View File

@@ -94,7 +94,7 @@ def extract_insn_api_features(fh: FunctionHandle, bh, ih: InsnHandle) -> Iterato
"""parse instruction API features"""
insn: Instruction = ih.inner
if insn.opcode not in (OpCodes.Call, OpCodes.Callvirt, OpCodes.Jmp, OpCodes.Calli):
if insn.opcode not in (OpCodes.Call, OpCodes.Callvirt, OpCodes.Jmp, OpCodes.Calli, OpCodes.Newobj):
return
callee: Union[DnType, DnUnmanagedMethod, None] = get_callee(fh.ctx, insn.operand.value)
@@ -188,6 +188,7 @@ def extract_insn_class_features(fh: FunctionHandle, bh, ih: InsnHandle) -> Itera
OpCodes.Ldsflda,
OpCodes.Stfld,
OpCodes.Stsfld,
OpCodes.Newobj,
):
return
@@ -220,6 +221,7 @@ def extract_insn_namespace_features(fh: FunctionHandle, bh, ih: InsnHandle) -> I
OpCodes.Ldsflda,
OpCodes.Stfld,
OpCodes.Stsfld,
OpCodes.Newobj,
):
return

4
tests/fixtures.py
View File

@@ -725,8 +725,8 @@ FEATURE_PRESENCE_TESTS_DOTNET = sorted(
("b9f5b", "file", OS(OS_ANY), True),
("b9f5b", "file", Format(FORMAT_DOTNET), True),
("hello-world", "file", capa.features.file.FunctionName("HelloWorld::Main"), True),
("hello-world", "file", capa.features.file.FunctionName("HelloWorld::.ctor"), True),
("hello-world", "file", capa.features.file.FunctionName("HelloWorld::.cctor"), False),
("hello-world", "file", capa.features.file.FunctionName("HelloWorld::ctor"), True),
("hello-world", "file", capa.features.file.FunctionName("HelloWorld::cctor"), False),
("hello-world", "file", capa.features.common.String("Hello World!"), True),
("hello-world", "file", capa.features.common.Class("HelloWorld"), True),
("hello-world", "file", capa.features.common.Class("System.Console"), True),