Merge pull request #919 from mandiant/fix/917

fixes #917
2025-12-12 15:49:46 -08:00 · 2022-03-22 07:15:40 -06:00
parent 1cd5e89f85 768050f36c
commit 4c4e633395
2 changed files with 10 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@

 ### capa explorer IDA Pro plugin
 - improve file format extraction #918 @mike-hunhoff
+- remove decorators added by IDA to ELF imports #919 @mike-hunhoff

 ### Development

--- a/capa/features/extractors/ida/helpers.py
+++ b/capa/features/extractors/ida/helpers.py
@@ -85,10 +85,18 @@ def get_file_imports():
        if not library:
            continue

+        # IDA uses section names for the library of ELF imports, like ".dynsym"
+        library = library.lstrip(".")
+
        def inspect_import(ea, function, ordinal):
            if function and function.startswith("__imp_"):
-                # handle mangled names starting
+                # handle mangled PE imports
                function = function[len("__imp_") :]
+
+            if function and "@@" in function:
+                # handle mangled ELF imports, like "fopen@@glibc_2.2.5"
+                function, _, _ = function.partition("@@")
+
            imports[ea] = (library.lower(), function, ordinal)
            return True