gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-12 23:59:48 -08:00
Code Issues Packages Projects Releases Wiki Activity

lancelot: insn: fs/gs

Browse Source
This commit is contained in:
William Ballenthin
2020-08-10 18:15:10 -06:00
parent e7bf5bfceb
commit 5929c0652c
2 changed files with 27 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
capa/features/extractors/lancelot/insn.py
View File

@@ -15,6 +15,7 @@ from lancelot import (
MEMORY_OPERAND_DISP,
OPERAND_TYPE_MEMORY,
OPERAND_TYPE_REGISTER,
MEMORY_OPERAND_SEGMENT,
OPERAND_TYPE_IMMEDIATE,
IMMEDIATE_OPERAND_VALUE,
REGISTER_OPERAND_REGISTER,
@@ -384,12 +385,30 @@ def extract_insn_peb_access_characteristic_features(xtor, f, bb, insn):
"""
parse peb access from the given function. fs:[0x30] on x86, gs:[0x60] on x64
"""
raise NotImplementedError()
for operand in insn.operands:
if (
operand[OPERAND_TYPE] == OPERAND_TYPE_MEMORY
and operand[MEMORY_OPERAND_SEGMENT] == "gs"
and operand[MEMORY_OPERAND_DISP] == 0x60
):
yield Characteristic("peb access"), insn.address
if (
operand[OPERAND_TYPE] == OPERAND_TYPE_MEMORY
and operand[MEMORY_OPERAND_SEGMENT] == "fs"
and operand[MEMORY_OPERAND_DISP] == 0x30
):
yield Characteristic("peb access"), insn.address
def extract_insn_segment_access_features(xtor, f, bb, insn):
""" parse the instruction for access to fs or gs """
raise NotImplementedError()
for operand in insn.operands:
if operand[OPERAND_TYPE] == OPERAND_TYPE_MEMORY and operand[MEMORY_OPERAND_SEGMENT] == "gs":
yield Characteristic("gs access"), insn.address
if operand[OPERAND_TYPE] == OPERAND_TYPE_MEMORY and operand[MEMORY_OPERAND_SEGMENT] == "fs":
yield Characteristic("fs access"), insn.address
def extract_insn_cross_section_cflow(xtor, f, bb, insn):

16
tests/test_lancelot_features.py
View File

@@ -285,6 +285,12 @@ def parametrize(params, values, **kwargs):
("mimikatz", "function=0x40105D", capa.features.Characteristic("nzxor"), False),
# insn/characteristic(nzxor): no security cookies
("mimikatz", "function=0x46B67A", capa.features.Characteristic("nzxor"), False),
# insn/characteristic(peb access)
("kernel32-64", "function=0x180001068", capa.features.Characteristic("peb access"), True),
("mimikatz", "function=0x46B67A", capa.features.Characteristic("peb access"), False),
# insn/characteristic(gs access)
("kernel32-64", "function=0x180001068", capa.features.Characteristic("gs access"), True),
("mimikatz", "function=0x46B67A", capa.features.Characteristic("gs access"), False),
],
indirect=["sample", "scope"],
)
@@ -299,16 +305,6 @@ def test_lancelot_features(sample, scope, feature, expected):
"""
def test_nzxor_features(mimikatz):
features = extract_function_features(lancelot_utils.Function(mimikatz.ws, 0x410DFC))
assert capa.features.Characteristic("nzxor") in features # 0x0410F0B
def test_peb_access_features(sample_a933a1a402775cfa94b6bee0963f4b46):
features = extract_function_features(lancelot_utils.Function(sample_a933a1a402775cfa94b6bee0963f4b46.ws, 0xABA6FEC))
assert capa.features.Characteristic("peb access") in features
def test_tight_loop_features(mimikatz):
f = lancelot_utils.Function(mimikatz.ws, 0x402EC4)
for bb in f.basic_blocks: