lancelot: insn: fs/gs

2025-12-12 15:49:46 -08:00 · 2020-08-10 18:15:10 -06:00
parent e7bf5bfceb
commit 5929c0652c
2 changed files with 27 additions and 12 deletions
--- a/capa/features/extractors/lancelot/insn.py
+++ b/capa/features/extractors/lancelot/insn.py
@@ -15,6 +15,7 @@ from lancelot import (
    MEMORY_OPERAND_DISP,
    OPERAND_TYPE_MEMORY,
    OPERAND_TYPE_REGISTER,
+    MEMORY_OPERAND_SEGMENT,
    OPERAND_TYPE_IMMEDIATE,
    IMMEDIATE_OPERAND_VALUE,
    REGISTER_OPERAND_REGISTER,
@@ -384,12 +385,30 @@ def extract_insn_peb_access_characteristic_features(xtor, f, bb, insn):
    """
    parse peb access from the given function. fs:[0x30] on x86, gs:[0x60] on x64
    """
-    raise NotImplementedError()
+    for operand in insn.operands:
+        if (
+            operand[OPERAND_TYPE] == OPERAND_TYPE_MEMORY
+            and operand[MEMORY_OPERAND_SEGMENT] == "gs"
+            and operand[MEMORY_OPERAND_DISP] == 0x60
+        ):
+            yield Characteristic("peb access"), insn.address
+
+        if (
+            operand[OPERAND_TYPE] == OPERAND_TYPE_MEMORY
+            and operand[MEMORY_OPERAND_SEGMENT] == "fs"
+            and operand[MEMORY_OPERAND_DISP] == 0x30
+        ):
+            yield Characteristic("peb access"), insn.address


 def extract_insn_segment_access_features(xtor, f, bb, insn):
    """ parse the instruction for access to fs or gs """
-    raise NotImplementedError()
+    for operand in insn.operands:
+        if operand[OPERAND_TYPE] == OPERAND_TYPE_MEMORY and operand[MEMORY_OPERAND_SEGMENT] == "gs":
+            yield Characteristic("gs access"), insn.address
+
+        if operand[OPERAND_TYPE] == OPERAND_TYPE_MEMORY and operand[MEMORY_OPERAND_SEGMENT] == "fs":
+            yield Characteristic("fs access"), insn.address


 def extract_insn_cross_section_cflow(xtor, f, bb, insn):
--- a/tests/test_lancelot_features.py
+++ b/tests/test_lancelot_features.py
@@ -285,6 +285,12 @@ def parametrize(params, values, **kwargs):
        ("mimikatz", "function=0x40105D", capa.features.Characteristic("nzxor"), False),
        # insn/characteristic(nzxor): no security cookies
        ("mimikatz", "function=0x46B67A", capa.features.Characteristic("nzxor"), False),
+        # insn/characteristic(peb access)
+        ("kernel32-64", "function=0x180001068", capa.features.Characteristic("peb access"), True),
+        ("mimikatz", "function=0x46B67A", capa.features.Characteristic("peb access"), False),
+        # insn/characteristic(gs access)
+        ("kernel32-64", "function=0x180001068", capa.features.Characteristic("gs access"), True),
+        ("mimikatz", "function=0x46B67A", capa.features.Characteristic("gs access"), False),
    ],
    indirect=["sample", "scope"],
 )
@@ -299,16 +305,6 @@ def test_lancelot_features(sample, scope, feature, expected):


 """
-
-def test_nzxor_features(mimikatz):
-    features = extract_function_features(lancelot_utils.Function(mimikatz.ws, 0x410DFC))
-    assert capa.features.Characteristic("nzxor") in features  # 0x0410F0B
-
-def test_peb_access_features(sample_a933a1a402775cfa94b6bee0963f4b46):
-    features = extract_function_features(lancelot_utils.Function(sample_a933a1a402775cfa94b6bee0963f4b46.ws, 0xABA6FEC))
-    assert capa.features.Characteristic("peb access") in features
-
-
 def test_tight_loop_features(mimikatz):
    f = lancelot_utils.Function(mimikatz.ws, 0x402EC4)
    for bb in f.basic_blocks: