Merge branch 'master' into feature-insn-scope

2025-12-12 15:49:46 -08:00 · 2022-03-29 11:51:14 -06:00
parent b76930d2a3 fe5d88585c
commit 7487da89a1
9 changed files with 35 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,13 +6,16 @@

 ### Breaking Changes

-### New Rules (2)
+### New Rules (4)

 - data-manipulation/encryption/aes/manually-build-aes-constants huynh.t.nhan@gmail.com
 - nursery/get-process-image-filename michael.hunhoff@mandiant.com
+- compiler/v/compiled-with-v jakub.jozwiak@mandiant.com
+- compiler/zig/compiled-with-zig jakub.jozwiak@mandiant.com
 -

 ### Bug Fixes
+- improve handling _ prefix compile/link artifact #924 @mike-hunhoff

 ### capa explorer IDA Pro plugin
 - improve file format extraction #918 @mike-hunhoff
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-capa)](https://pypi.org/project/flare-capa)
 [![Last release](https://img.shields.io/github/v/release/mandiant/capa)](https://github.com/mandiant/capa/releases)
-[![Number of rules](https://img.shields.io/badge/rules-663-blue.svg)](https://github.com/mandiant/capa-rules)
+[![Number of rules](https://img.shields.io/badge/rules-665-blue.svg)](https://github.com/mandiant/capa-rules)
 [![CI status](https://github.com/mandiant/capa/workflows/CI/badge.svg)](https://github.com/mandiant/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster)
 [![Downloads](https://img.shields.io/github/downloads/mandiant/capa/total)](https://github.com/mandiant/capa/releases)
 [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)
--- a/capa/features/extractors/ida/file.py
+++ b/capa/features/extractors/ida/file.py
@@ -152,6 +152,12 @@ def extract_file_function_names():
        if idaapi.get_func(ea).flags & idaapi.FUNC_LIB:
            name = idaapi.get_name(ea)
            yield FunctionName(name), ea
+            if name.startswith("_"):
+                # some linkers may prefix linked routines with a `_` to avoid name collisions.
+                # extract features for both the mangled and un-mangled representations.
+                # e.g. `_fwrite` -> `fwrite`
+                # see: https://stackoverflow.com/a/2628384/87207
+                yield FunctionName(name[1:]), ea


 def extract_file_format():
--- a/capa/features/extractors/ida/insn.py
+++ b/capa/features/extractors/ida/insn.py
@@ -114,6 +114,12 @@ def extract_insn_api_features(f, bb, insn):
    if target_func.flags & idaapi.FUNC_LIB:
        name = idaapi.get_name(target_func.start_ea)
        yield API(name), insn.ea
+        if name.startswith("_"):
+            # some linkers may prefix linked routines with a `_` to avoid name collisions.
+            # extract features for both the mangled and un-mangled representations.
+            # e.g. `_fwrite` -> `fwrite`
+            # see: https://stackoverflow.com/a/2628384/87207
+            yield API(name[1:]), insn.ea


 def extract_insn_number_features(f, bb, insn):
--- a/capa/features/extractors/viv/file.py
+++ b/capa/features/extractors/viv/file.py
@@ -79,6 +79,12 @@ def extract_file_function_names(vw, **kwargs):
        if viv_utils.flirt.is_library_function(vw, va):
            name = viv_utils.get_function_name(vw, va)
            yield FunctionName(name), va
+            if name.startswith("_"):
+                # some linkers may prefix linked routines with a `_` to avoid name collisions.
+                # extract features for both the mangled and un-mangled representations.
+                # e.g. `_fwrite` -> `fwrite`
+                # see: https://stackoverflow.com/a/2628384/87207
+                yield FunctionName(name[1:]), va


 def extract_file_format(buf, **kwargs):
--- a/capa/features/extractors/viv/insn.py
+++ b/capa/features/extractors/viv/insn.py
@@ -119,6 +119,12 @@ def extract_insn_api_features(f, bb, insn):
        if viv_utils.flirt.is_library_function(f.vw, target):
            name = viv_utils.get_function_name(f.vw, target)
            yield API(name), insn.va
+            if name.startswith("_"):
+                # some linkers may prefix linked routines with a `_` to avoid name collisions.
+                # extract features for both the mangled and un-mangled representations.
+                # e.g. `_fwrite` -> `fwrite`
+                # see: https://stackoverflow.com/a/2628384/87207
+                yield API(name[1:]), insn.va
            return

        for _ in range(THUNK_CHAIN_DEPTH_DELTA):
--- a/2
+++ b/2
--- a/setup.py
+++ b/setup.py
@@ -11,7 +11,7 @@ import os
 import setuptools

 requirements = [
-    "tqdm==4.63.0",
+    "tqdm==4.63.1",
    "pyyaml==6.0",
    "tabulate==0.8.9",
    "colorama==0.4.4",
@@ -71,9 +71,9 @@ setuptools.setup(
            "pytest-instafail==0.4.2",
            "pytest-cov==3.0.0",
            "pycodestyle==2.8.0",
-            "black==22.1.0",
+            "black==22.3.0",
            "isort==5.10.1",
-            "mypy==0.941",
+            "mypy==0.942",
            "psutil==5.9.0",
            "stix2==3.0.1",
            "requests==2.27.1",
@@ -84,7 +84,7 @@ setuptools.setup(
            "types-tabulate==0.8.6",
            "types-termcolor==1.1.3",
            "types-psutil==5.8.20",
-            "types_requests==2.27.12",
+            "types_requests==2.27.15",
        ],
    },
    zip_safe=False,
--- a/tests/data
+++ b/tests/data