Merge pull request #1270 from mandiant/fix/issue-1267

features: string: better __str__ embedded whitespace

CHANGELOG.md

@@ -81,6 +81,7 @@
 - dotnet: address unhandled exceptions with improved type checking #1230 @mike-hunhoff
 - fix import-to-ida script formatting #1208 @williballenthin
 - render: fix verbose rendering of scopes #1263 @williballenthin
+- show-features: better render strings with embedded whitespace #1267 @williballenthin
 
 ### capa explorer IDA Pro plugin
 - fix: display instruction items #1154 @mr-tz

capa/features/common.py

@@ -179,6 +179,10 @@ class String(Feature):
     def __init__(self, value: str, description=None):
         super().__init__(value, description=description)
 
+    def get_value_str(self) -> str:
+        assert isinstance(self.value, str)
+        return escape_string(self.value)
+
 
 class Class(Feature):
     def __init__(self, value: str, description=None):
@@ -232,9 +236,13 @@ class Substring(String):
         else:
             return Result(False, _MatchedSubstring(self, {}), [])
 
+    def get_value_str(self) -> str:
+        assert isinstance(self.value, str)
+        return escape_string(self.value)
+
     def __str__(self):
         assert isinstance(self.value, str)
-        return "substring(%s)" % self.value
+        return "substring(%s)" % escape_string(self.value)
 
 
 class _MatchedSubstring(Substring):

capa/features/extractors/common.py

@@ -9,6 +9,7 @@ import pefile
 import capa.features
 import capa.features.extractors.elf
 import capa.features.extractors.pefile
+import capa.features.extractors.strings
 from capa.features.common import OS, FORMAT_PE, FORMAT_ELF, OS_WINDOWS, FORMAT_FREEZE, Arch, Format, String, Feature
 from capa.features.freeze import is_freeze
 from capa.features.address import NO_ADDRESS, Address, FileOffsetAddress