gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-12 15:49:46 -08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #290 from edeca/master

Browse Source
This commit is contained in:
mike-hunhoff
2020-09-08 12:28:06 -06:00
committed by GitHub
parent 35e46654df 854e586f40
commit 93039df3ef
2 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
capa/features/extractors/ida/helpers.py
View File

@@ -12,6 +12,7 @@ import string
import idc
import idaapi
import idautils
import ida_bytes
def find_byte_sequence(start, end, seq):
@@ -229,6 +230,12 @@ def is_op_read(insn, op):
return idaapi.has_cf_use(insn.get_canon_feature(), op.n)
def is_op_offset(insn, op):
""" Check is an operand has been marked as an offset (by auto-analysis or manually) """
flags = idaapi.get_flags(insn.ea)
return ida_bytes.is_off(flags, op.n)
def is_sp_modified(insn):
""" determine if instruction modifies SP, ESP, RSP """
for op in get_insn_ops(insn, target_ops=(idaapi.o_reg,)):

11
capa/features/extractors/ida/insn.py
View File

@@ -104,13 +104,18 @@ def extract_insn_number_features(f, bb, insn):
return
for op in capa.features.extractors.ida.helpers.get_insn_ops(insn, target_ops=(idaapi.o_imm, idaapi.o_mem)):
# skip things like:
# .text:00401100 shr eax, offset loc_C
if capa.features.extractors.ida.helpers.is_op_offset(insn, op):
continue
if op.type == idaapi.o_imm:
const = capa.features.extractors.ida.helpers.mask_op_val(op)
else:
const = op.addr
if not idaapi.is_mapped(const):
yield Number(const), insn.ea
yield Number(const, arch=get_arch(f.ctx)), insn.ea
yield Number(const), insn.ea
yield Number(const, arch=get_arch(f.ctx)), insn.ea
def extract_insn_bytes_features(f, bb, insn):