gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-12 15:49:46 -08:00
Code Issues Packages Projects Releases Wiki Activity

adjusted identification of thunks via SMDA.

Browse Source
This commit is contained in:
pnx@pyrite
2020-11-05 12:58:07 +01:00
parent 6bcdf64f67
commit 3a43ffa641
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
capa/features/extractors/smda/insn.py
View File

@@ -58,16 +58,16 @@ def extract_insn_api_features(f, bb, insn):
dll_name = dll_name.lower()
for name in capa.features.extractors.helpers.generate_symbols(dll_name, api_name):
yield API(name), insn.offset
# TODO SMDA: we want to check this recursively!
elif insn.offset in f.outrefs:
current_function = f
current_instruction = insn
for _ in range(THUNK_CHAIN_DEPTH_DELTA):
if len(current_function.outrefs[current_instruction.offset]) == 1:
for index in range(THUNK_CHAIN_DEPTH_DELTA):
if current_function and len(current_function.outrefs[current_instruction.offset]) == 1:
target = current_function.outrefs[current_instruction.offset][0]
referenced_function = current_function.smda_report.getFunction(target)
if referenced_function:
if referenced_function.isThunkCall():
# TODO SMDA: implement this function for both jmp and call, checking if function has 1 instruction which refs an API
if referenced_function.isApiThunk():
api_entry = (
referenced_function.apirefs[target] if target in referenced_function.apirefs else None
)