From 25ae7e9dda3fc5e9e747bc396d1ccb85f3a6517e Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Fri, 24 Jul 2020 21:51:31 +0000
Subject: [PATCH 1/7] Sync capa rules submodule

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 11ee0337..25abd9af 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 ![capa](.github/logo.png)
 [![CI status](https://github.com/fireeye/capa/workflows/CI/badge.svg)](https://github.com/fireeye/capa/actions?query=workflow%3ACI+event%3Apush+branch%3Amaster)
-[![Number of rules](https://img.shields.io/badge/rules-267-blue.svg)](https://github.com/fireeye/capa-rules)
+[![Number of rules](https://img.shields.io/badge/rules-266-blue.svg)](https://github.com/fireeye/capa-rules)
 [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)
 capa detects capabilities in executable files.

From 82b95142301ee6f4144279132a0c1e6e4403051c Mon Sep 17 00:00:00 2001
From: Jordan Wiens
Date: Sat, 25 Jul 2020 17:45:25 -0400
Subject: [PATCH 2/7] initial commit of BinaryNinja import script

---
 scripts/import-to-bn.py | 111 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)
 create mode 100644 scripts/import-to-bn.py

diff --git a/scripts/import-to-bn.py b/scripts/import-to-bn.py
new file mode 100644
index 00000000..0f0564ed
--- /dev/null
+++ b/scripts/import-to-bn.py
@@ -0,0 +1,111 @@
+"""
+Binary Ninja plugin that imports a capa report,
+produced via `capa --json /path/to/sample`,
+into the current database.
+
+It will mark up functions with their capa matches, like:
+
+ ; capa: print debug messages (host-interaction/log/debug/write-event)
+ ; capa: delete service (host-interaction/service/delete)
+ ; Attributes: bp-based frame
+
+ public UninstallService
+ UninstallService proc near
+ ...
+
+To use, invoke from the Binary Ninja Tools menu, or from the
+command-palette.
+
+This script will verify that the report matches the workspace.
+Check the log window for any errors, and/or the summary of changes.
+
+Derived from: https://github.com/fireeye/capa/blob/master/scripts/import-to-ida.py
+"""
+import json
+import os
+
+from binaryninja import *
+
+
+def append_func_cmt(bv, va, cmt):
+ """
+ add the given comment to the given function,
+ if it doesn't already exist.
+ """
+ func = bv.get_function_at(va)
+ if not func:
+ raise ValueError("not a function")
+
+ if cmt in func.comment:
+ return
+
+ func.comment = func.comment + "\n" + cmt
+
+
+def load_analysis(bv):
+ #not that I expect many files with multiple periods but why not
+ shortname = '.'.join(os.path.basename(bv.file.filename).split(".")[0:-1])
+ dirname = os.path.dirname(bv.file.filename)
+ log_info(f'dirname: {dirname}\nshortname: {shortname}\n')
+ if os.access(os.path.join(dirname, shortname + ".js"), os.R_OK):
+ path = os.path.join(dirname, shortname + ".js")
+ elif os.access(os.path.join(dirname, shortname + ".json"), os.R_OK):
+ path = os.path.join(dirname, shortname + ".json")
+ else:
+ path = interaction.get_open_filename_input("capa report:", "JSON (*.js *.json);;All Files (*)")
+ if not path or not os.access(path, os.R_OK):
+ log_error("Invalid filename.")
+ return 0
+ log_info("Using capa file %s" % path)
+
+ with open(path, "rb") as f:
+ doc = json.loads(f.read().decode("utf-8"))
+
+ if "meta" not in doc or "rules" not in doc:
+ log_error("doesn't appear to be a capa report")
+ return -1
+
+ a = doc["meta"]["sample"]["md5"].lower()
+ md5=Transform['MD5']
+ rawhex=Transform['RawHex']
+ b = rawhex.encode(md5.encode(bv.parent_view.read(bv.parent_view.start, bv.parent_view.end))).decode("utf-8")
+ if not a == b:
+ log_error("sample mismatch")
+ return -2
+
+ rows = []
+ for rule in doc["rules"].values():
+ if rule["meta"].get("lib"):
+ continue
+ if rule["meta"].get("capa/subscope"):
+ continue
+ if rule["meta"]["scope"] != "function":
+ continue
+
+ name = rule["meta"]["name"]
+ ns = rule["meta"].get("namespace", "")
+ for va in rule["matches"].keys():
+ va = int(va)
+ rows.append((ns, name, va))
+
+ # order by (namespace, name) so that like things show up together
+ rows = sorted(rows)
+ for ns, name, va in rows:
+ if ns:
+ cmt = "%s (%s)" % (name, ns)
+ else:
+ cmt = "%s" % (name,)
+
+ log_info("0x%x: %s" % (va, cmt))
+ try:
+ # message will look something like:
+ #
+ # capa: delete service (host-interaction/service/delete)
+ append_func_cmt(bv, va, "capa: " + cmt)
+ except ValueError:
+ continue
+
+ log_info("ok")
+
+
+PluginCommand.register("Load CAPA file", "Loads an analysis file from capa", load_analysis)

From 508ebb47e0ddb63d8520136ee4a56ca27793d69a Mon Sep 17 00:00:00 2001
From: Jordan
Date: Sat, 25 Jul 2020 17:50:15 -0400
Subject: [PATCH 3/7] submodule update requires --init the first time

---
 doc/installation.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/installation.md b/doc/installation.md
index 0aff8993..a54525ee 100644
--- a/doc/installation.md
+++ b/doc/installation.md
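Review bot: `bv.parent_view.read(bv.parent_view.start, bv.parent_view.end)` in the sample-hash check passes an end address as the second argument, but `BinaryView.read` takes `(addr, length)`; it covers the whole file only while `parent_view.start` is 0, so `bv.parent_view.read(bv.parent_view.start, len(bv.parent_view))` is the spelling that holds in general. The report is a user-selected file, yet after the top-level `meta`/`rules` test the code indexes `doc["meta"]["sample"]["md5"]`, `rule["meta"]["scope"]`, `rule["meta"]["name"]`, `rule["matches"]` and calls `int(va)` unguarded, so a truncated or hand-edited report ends in a traceback instead of the log window the docstring tells users to check; wrapping the JSON parse and the rule walk in `except (KeyError, ValueError) as e: log_error(...)` keeps the failure where they will look. `load_analysis` returns `0`, `-1`, `-2` or `None` on different paths while `PluginCommand.register` discards the value, so the codes only suggest a contract nothing honours — a bare `return` after each `log_error` would be clearer. The `Transform['MD5']`/`Transform['RawHex']` pair and `json.loads(f.read().decode("utf-8"))` are also the long way round: with `import hashlib`, `hashlib.md5(data).hexdigest()` and `json.load(f)` do the same with fewer moving parts.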
@@ -47,7 +47,7 @@ To only get the source code and our provided rules (common), follow these steps:
 - `$ git clone https://github.com/fireeye/capa.git /local/path/to/src` (HTTPS)
 - `$ git clone git@github.com:fireeye/capa.git /local/path/to/src` (SSH)
 - `$ cd /local/path/to/src`
-- `$ git submodule update rules`
+- `$ git submodule update --init rules`
 ### 2. Install the local source code
 Use `pip` to install the source code in "editable" mode. This means that Python will load the capa module from the local directory rather than copying it to `site-packages` or `dist-packages`. This is good because it is easy to modify files and see the effects reflected immediately. But, be careful not to remove this directory unless uninstalling capa.

From a901f2e7acb6332a017449fa2de25280abbecf79 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Sat, 25 Jul 2020 18:37:36 -0600
Subject: [PATCH 4/7] license: fill in org name

closes #206

---
 LICENSE.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE.txt b/LICENSE.txt
index d6456956..47e450fe 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -187,7 +187,7 @@
 same "printed page" as the copyright notice for easier
 identification within third-party archives.
- Copyright [yyyy] [name of copyright owner]
+ Copyright (C) 2020 FireEye, Inc.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

From f547ca0faef49e3a98b52ec0b14433f6eb354e93 Mon Sep 17 00:00:00 2001
From: Jordan Wiens
Date: Sat, 25 Jul 2020 22:45:51 -0400
Subject: [PATCH 5/7] updates for pull 205

---
 scripts/import-to-bn.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/scripts/import-to-bn.py b/scripts/import-to-bn.py
index 0f0564ed..33952aef 100644
--- a/scripts/import-to-bn.py
+++ b/scripts/import-to-bn.py
@@ -1,4 +1,4 @@
-"""
+j"""
 Binary Ninja plugin that imports a capa report,
 produced via `capa --json /path/to/sample`,
 into the current database.
@@ -16,13 +16,15 @@ It will mark up functions with their capa matches, like:
 To use, invoke from the Binary Ninja Tools menu, or from the
 command-palette.
+Adapted for Binary Ninja by @psifertex
+
 This script will verify that the report matches the workspace.
 Check the log window for any errors, and/or the summary of changes.
 Derived from: https://github.com/fireeye/capa/blob/master/scripts/import-to-ida.py
 """
-import json
 import os
+import json
 from binaryninja import *
@@ -43,8 +45,7 @@ def append_func_cmt(bv, va, cmt):
 def load_analysis(bv):
- #not that I expect many files with multiple periods but why not
- shortname = '.'.join(os.path.basename(bv.file.filename).split(".")[0:-1])
+ shortname = os.path.splitext(os.path.basename(bv.file.filename))[0]
 dirname = os.path.dirname(bv.file.filename)
 log_info(f'dirname: {dirname}\nshortname: {shortname}\n')
 if os.access(os.path.join(dirname, shortname + ".js"), os.R_OK):
@@ -108,4 +109,4 @@ def load_analysis(bv):
 log_info("ok")
-PluginCommand.register("Load CAPA file", "Loads an analysis file from capa", load_analysis)
+PluginCommand.register("Load capa file", "Loads an analysis file from capa", load_analysis)

From e44dc73ec25bd98a0c036bde7fac83e10e8072e8 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Mon, 27 Jul 2020 13:16:02 +0000
Subject: [PATCH 6/7] Sync capa rules submodule

---
 rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules b/rules
index b878effe..7f94cf10 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit b878effef7d8c9a98876a29103e3226aea2707cc
+Subproject commit 7f94cf106d850b84d531443c7df538f5ac5fcfc0

From bfdd68c60a13c4d24527d2088e733e3c9ca258aa Mon Sep 17 00:00:00 2001
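Review bot: The first hunk turns the module docstring opener `"""` into `j"""`, which is a stray keystroke rather than a string prefix — Python rejects it with a SyntaxError, so the script cannot be imported and the `PluginCommand.register` call at the bottom is never reached; the line should read `"""`. The second hunk moves `import json` below `import os`, reversing the alphabetical order the file already had, which is churn worth dropping from this change. The `os.path.splitext` replacement in the third hunk is the right call; the `.js`/`.json` probe that follows it continues outside the hunk.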
From: Capa Bot
Date: Mon, 27 Jul 2020 16:02:34 +0000
Subject: [PATCH 7/7] Sync capa rules submodule

---
 rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules b/rules
index 7f94cf10..4c9cb029 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 7f94cf106d850b84d531443c7df538f5ac5fcfc0
+Subproject commit 4c9cb0294994f8e20be00eee6c01e219c1087af5