type: capa.features.extractors.viv.indirect_calls

William Ballenthin
2021-06-09 23:08:29 -06:00
parent 23addda29a
commit a75d7576f8
2 changed files with 12 additions and 12 deletions


@@ -7,11 +7,15 @@
# See the License for the specific language governing permissions and limitations under the License.
import collections
from typing import List, Tuple, Optional
import envi
import vivisect.const
import envi.archs.i386.disasm
import envi.archs.amd64.disasm
from vivisect import VivWorkspace
from capa.features.extractors.viv.extractor import InstructionHandle
# pull out consts for lookup performance
i386RegOper = envi.archs.i386.disasm.i386RegOper
@@ -26,7 +30,7 @@ FAR_BRANCH_MASK = envi.BR_PROC | envi.BR_DEREF | envi.BR_ARCH
DESTRUCTIVE_MNEMONICS = ("mov", "lea", "pop", "xor")
def get_previous_instructions(vw, va):
def get_previous_instructions(vw: VivWorkspace, va: int) -> List[int]:
"""
collect the instructions that flow to the given address, local to the current function.
@@ -67,7 +71,7 @@ class NotFoundError(Exception):
pass
def find_definition(vw, va, reg):
def find_definition(vw: VivWorkspace, va: int, reg: int) -> Tuple[int, int]:
"""
scan backwards from the given address looking for assignments to the given register.
if a constant, return that value.
@@ -128,14 +132,14 @@ def find_definition(vw, va, reg):
raise NotFoundError()
def is_indirect_call(vw, va, insn=None):
def is_indirect_call(vw: VivWorkspace, va: int, insn: Optional[InstructionHandle] = None) -> bool:
if insn is None:
insn = vw.parseOpcode(va)
return insn.mnem in ("call", "jmp") and isinstance(insn.opers[0], envi.archs.i386.disasm.i386RegOper)
def resolve_indirect_call(vw, va, insn=None):
def resolve_indirect_call(vw: VivWorkspace, va: int, insn: Optional[InstructionHandle] = None) -> Tuple[int, int]:
"""
inspect the given indirect call instruction and attempt to resolve the target address.
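Review bot: The new `insn: Optional[InstructionHandle]` annotation on `is_indirect_call` (repeated on `resolve_indirect_call`) does not match the fallback `insn = vw.parseOpcode(va)`, which presumably returns a vivisect opcode object rather than capa's `InstructionHandle` wrapper. A hint that names the wrong type weakens the type checker on the code that decides which call/jmp targets get resolved; if both paths really share the envi opcode interface, `insn: Optional[envi.Opcode] = None` would be more accurate, or a `Union` of the two if callers pass the wrapper. The added `from capa.features.extractors.viv.extractor import InstructionHandle` may also create an import cycle if the extractor module imports this one, directly or indirectly. Moving it under `if TYPE_CHECKING:` and quoting the annotation would avoid that. The body of `resolve_indirect_call` continues outside the hunk.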


@@ -7,19 +7,15 @@
# See the License for the specific language governing permissions and limitations under the License.
import collections
from typing import Dict, List, Tuple
import tabulate
from typing import (
Dict,
List,
Tuple,
)
from capa.engine import Result
from capa.render.utils import StringIO
from capa.rules import RuleSet
import capa.render.utils as rutils
import capa.render.result_document
from capa.rules import RuleSet
from capa.engine import Result
from capa.render.utils import StringIO
tabulate.PRESERVE_WHITESPACE = True