do not display subscope rules in any mode

2026-01-01 15:36:15 -08:00 · 2020-06-26 16:19:07 +02:00
parent b973d7fc50
commit dcd66f41fa
2 changed files with 12 additions and 1 deletions
--- a/capa/features/extractors/viv/insn.py
+++ b/capa/features/extractors/viv/insn.py
@@ -298,7 +298,7 @@ def extract_insn_peb_access_characteristic_features(f, bb, insn):
    '''
    parse peb access from the given function. fs:[0x30] on x86, gs:[0x60] on x64
    '''
-    # TODO extract x64
+    # TODO handle where fs/gs are loaded into a register or onto the stack and used later

    if insn.mnem not in ['push', 'mov']:
        return
--- a/capa/main.py
+++ b/capa/main.py
@@ -321,6 +321,10 @@ def render_capabilities_verbose(ruleset, results):
          - 0x40105d
    '''
    for rule, ress in results.items():
+        if ruleset.rules[rule].meta.get('capa/subscope-rule', False):
+            # don't display subscope rules
+            continue
+
        rule_scope = ruleset.rules[rule].scope
        if rule_scope == capa.rules.FILE_SCOPE:
            # only display rule name at file scope
@@ -396,6 +400,10 @@ def render_capabilities_vverbose(ruleset, results):
                    - virtual address: 0x4010c8
    '''
    for rule, ress in results.items():
+        if ruleset.rules[rule].meta.get('capa/subscope-rule', False):
+            # don't display subscope rules
+            continue
+
        print('rule %s:' % (rule))
        for (va, res) in sorted(ress, key=lambda p: p[0]):
            rule_scope = ruleset.rules[rule].scope
@@ -686,6 +694,9 @@ def main(argv=None):
        if args.tag:
            rules = rules.filter_rules_by_meta(args.tag)
            logger.info('selected %s rules', len(rules))
+            for i, r in enumerate(rules.rules, 1):
+                # TODO don't display subscope rules?
+                logger.debug(' %d. %s', i, r)
    except (IOError, capa.rules.InvalidRule, capa.rules.InvalidRuleSet) as e:
        logger.error('%s', str(e))
        return -1