increase stack cookie byte delta

Moritz Raabe
2020-07-06 19:24:35 +02:00
parent 758c5dde3c
commit 55de5061ea


@@ -8,6 +8,11 @@ from capa.features.insn import Number, Offset, Mnemonic
from capa.features.extractors.viv.indirect_calls import NotFoundError, resolve_indirect_call
# security cookie checks may perform non-zeroing XORs, these are expected within a certain
# byte range within the first and returning basic blocks, this helps to reduce FP features
SECURITY_COOKIE_BYTES_DELTA = 0x40
def interface_extract_instruction_XXX(f, bb, insn):
"""
parse features from the given instruction.
@@ -257,11 +262,12 @@ def is_security_cookie(f, bb, insn):
# expect security cookie init in first basic block within first bytes (instructions)
bb0 = f.basic_blocks[0]
if bb == bb0 and insn.va < bb.va + 30:
if bb == bb0 and insn.va < (bb.va + SECURITY_COOKIE_BYTES_DELTA):
return True
# ... or within last bytes (instructions) before a return
elif bb.instructions[-1].isReturn() and insn.va > bb.va + bb.size - 30:
elif bb.instructions[-1].isReturn() and insn.va > (bb.va + bb.size - SECURITY_COOKIE_BYTES_DELTA):
return True
return False
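Review bot: With the window widened to `SECURITY_COOKIE_BYTES_DELTA = 0x40`, the two position checks in is_security_cookie match every instruction of a first or returning basic block shorter than 64 bytes, so a genuine non-zeroing XOR in a small routine is classified as a cookie check and, presumably, its feature is suppressed by the caller. The function begins outside this hunk, so an operand check (for example, that the XOR involves the stack or frame pointer) may already narrow this; if it does not, position alone is a weak signal for a feature that analysts rely on to spot encoding. I would record the trade-off next to the constant, e.g. `# NOTE: blocks smaller than this delta match in full; raising it trades false positives for missed nzxor features`. A regression sample of a short function containing a real XOR loop would show whether it is still reported after this change.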