insn extractor: Add static api extraction using .symtab

2025-12-12 15:49:46 -08:00 · 2023-04-14 04:07:05 +01:00
parent 6ba5b2b72b
commit c71cb55051
1 changed files with 21 additions and 0 deletions
--- a/capa/features/extractors/viv/insn.py
+++ b/capa/features/extractors/viv/insn.py
@@ -120,6 +120,27 @@ def extract_insn_api_features(fh: FunctionHandle, bb, ih: InsnHandle) -> Iterato
                yield API(name[1:]), ih.address
            return

+        if imports == {}:
+            # no imports implies the binary was likely statically linked.
+            # therefore, we try to use the symbol's table to fetch the api names
+            name = f.vw.name_by_va.get(target)
+            if not name:
+                return
+
+            name = name.split('.')[-1]
+            prefixes = [
+                    "__GI_",
+                    "__libc_",
+            ]
+
+            for prefix in prefixes:
+                if name.startswith(prefix):
+                    yield API(name[len(prefix):]), ih.address
+                    return
+
+            yield API(name), ih.address
+            return
+
        for _ in range(THUNK_CHAIN_DEPTH_DELTA):
            if target in imports:
                dll, symbol = imports[target]