ida: extract forwarded export features

2025-12-12 15:49:46 -08:00 · 2023-07-13 12:18:57 +02:00
parent cb8133467b
commit bb6557ea0a
1 changed files with 16 additions and 2 deletions
--- a/capa/features/extractors/ida/file.py
+++ b/capa/features/extractors/ida/file.py
@@ -12,6 +12,7 @@ from typing import Tuple, Iterator
 import idc
 import idaapi
 import idautils
+import ida_entry

 import capa.features.extractors.common
 import capa.features.extractors.helpers
@@ -83,8 +84,21 @@ def extract_file_embedded_pe() -> Iterator[Tuple[Feature, Address]]:

 def extract_file_export_names() -> Iterator[Tuple[Feature, Address]]:
    """extract function exports"""
-    for _, _, ea, name in idautils.Entries():
-        yield Export(name), AbsoluteVirtualAddress(ea)
+    for _, ordinal, ea, name in idautils.Entries():
+        forwarded_name = ida_entry.get_entry_forwarder(ordinal)
+        if forwarded_name is None:
+            yield Export(name), AbsoluteVirtualAddress(ea)
+        else:
+            # use rpartition so we can split on separator between dll and name.
+            # the dll name can be a full path, like in the case of
+            # ef64d6d7c34250af8e21a10feb931c9b
+            # which i assume means the path can have embedded periods.
+            # so we don't want the first period, we want the last.
+            forwarded_dll, _, forwarded_symbol = forwarded_name.rpartition(".")
+            forwarded_dll = forwarded_dll.lower()
+
+            yield Export(f"{forwarded_dll}.{forwarded_symbol}"), AbsoluteVirtualAddress(ea)
+            yield Characteristic("forwarded export"), AbsoluteVirtualAddress(ea)


 def extract_file_import_names() -> Iterator[Tuple[Feature, Address]]: