scripts: show-features: add doc
@@ -1,6 +1,60 @@
|
||||
#!/usr/bin/env python2
|
||||
"""
|
||||
show the features extracted by capa.
|
||||
show-features
|
||||
|
||||
Show the features that capa extracts from the given sample,
|
||||
to assist with the development of rules.
|
||||
|
||||
If you have a function with a capability that you'd like to detect,
|
||||
you can run this tool and grep for the function/basic block/instruction addresses
|
||||
to see what capa picks up.
|
||||
This way, you can verify that capa successfully notices the features you'd reference.
|
||||
|
||||
Example::
|
||||
|
||||
$ python scripts/show-features.py /tmp/suspicious.dll_
|
||||
...
|
||||
file: 0x10004e4d: export(__entry)
|
||||
file: 0x10004706: export(Install)
|
||||
file: 0x10004c2b: export(uninstallA)
|
||||
file: 0x10005034: import(kernel32.GetStartupInfoA)
|
||||
file: 0x10005034: import(GetStartupInfoA)
|
||||
file: 0x10005048: import(kernel32.SetLastError)
|
||||
file: 0x00004e10: string(Y29ubmVjdA==)
|
||||
file: 0x00004e28: string(practicalmalwareanalysis.com)
|
||||
file: 0x00004e68: string(serve.html)
|
||||
file: 0x00004eb8: string(dW5zdXBwb3J0)
|
||||
file: 0x00004ec8: string(c2xlZXA=)
|
||||
func: 0x100012c2: characteristic(calls to)
|
||||
func: 0x10001000: characteristic(loop)
|
||||
bb : 0x10001000: basic block
|
||||
insn: 0x10001000: mnemonic(push)
|
||||
insn: 0x10001001: mnemonic(push)
|
||||
insn: 0x10001002: mnemonic(push)
|
||||
insn: 0x10001003: mnemonic(push)
|
||||
insn: 0x10001004: mnemonic(push)
|
||||
insn: 0x10001005: mnemonic(push)
|
||||
insn: 0x10001006: mnemonic(xor)
|
||||
insn: 0x10001008: number(0x1)
|
||||
insn: 0x10001008: mnemonic(mov)
|
||||
bb : 0x1000100a: basic block
|
||||
bb : 0x1000100a: characteristic(tight loop)
|
||||
insn: 0x1000100a: mnemonic(movzx)
|
||||
insn: 0x1000100d: mnemonic(mov)
|
||||
insn: 0x1000100f: offset(0x1000A7C8)
|
||||
insn: 0x1000100f: mnemonic(mov)
|
||||
insn: 0x10001015: offset(0x100075C8)
|
||||
insn: 0x10001015: mnemonic(mov)
|
||||
insn: 0x1000101b: mnemonic(mov)
|
||||
insn: 0x1000101d: number(0x80)
|
||||
insn: 0x1000101d: mnemonic(and)
|
||||
insn: 0x10001020: mnemonic(neg)
|
||||
insn: 0x10001022: mnemonic(sbb)
|
||||
insn: 0x10001024: number(0x1B)
|
||||
insn: 0x10001024: mnemonic(and)
|
||||
insn: 0x10001027: number(0x1)
|
||||
insn: 0x10001027: mnemonic(shl)
|
||||
...
|
||||
"""
|
||||
import sys
|
||||
import logging
|
||||
|
||||