Merge branch 'dynamic-feature-extraction' into fix/dynamic-freeze

capa/features/extractors/common.py

@@ -6,6 +6,7 @@
 #  is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and limitations under the License.
 import io
+import re
 import logging
 import binascii
 import contextlib
@@ -41,6 +42,7 @@ logger = logging.getLogger(__name__)
 MATCH_PE = b"MZ"
 MATCH_ELF = b"\x7fELF"
 MATCH_RESULT = b'{"meta":'
+MATCH_JSON_OBJECT = b'{"'
 
 
 def extract_file_strings(buf, **kwargs) -> Iterator[Tuple[String, Address]]:
@@ -63,6 +65,11 @@ def extract_format(buf) -> Iterator[Tuple[Feature, Address]]:
         yield Format(FORMAT_FREEZE), NO_ADDRESS
     elif buf.startswith(MATCH_RESULT):
         yield Format(FORMAT_RESULT), NO_ADDRESS
+    elif re.sub(rb"\w", b"", buf[:20]).startswith(MATCH_JSON_OBJECT):
+        # potential start of JSON object data without whitespace
+        # we don't know what it is exactly, but may support it (e.g. a dynamic CAPE sandbox report)
+        # skip verdict here and let subsequent code analyze this further
+        return
     else:
         # we likely end up here:
         #  1. handling a file format (e.g. macho)

capa/helpers.py

@@ -147,11 +147,9 @@ def redirecting_print_to_tqdm(disable_progress):
 
 def log_unsupported_format_error():
     logger.error("-" * 80)
-    logger.error(" Input file does not appear to be a PE or ELF file.")
+    logger.error(" Input file does not appear to be a supported file.")
     logger.error(" ")
-    logger.error(
-        " capa currently only supports analyzing PE and ELF files (or shellcode, when using --format sc32|sc64)."
-    )
+    logger.error(" See all supported file formats via capa's help output (-h).")
     logger.error(" If you don't know the input file type, you can try using the `file` utility to guess it.")
     logger.error("-" * 80)
 
@@ -160,7 +158,7 @@ def log_unsupported_cape_report_error(error: str):
     logger.error("-" * 80)
     logger.error("Input file is not a valid CAPE report: %s", error)
     logger.error(" ")
-    logger.error(" capa currently only supports analyzing standard CAPE json reports.")
+    logger.error(" capa currently only supports analyzing standard CAPE reports in JSON format.")
     logger.error(
         " Please make sure your report file is in the standard format and contains both the static and dynamic sections."
     )

doc/installation.md

@@ -105,7 +105,7 @@ To install these development dependencies, run:
 
 We use [pre-commit](https://pre-commit.com/) so that its trivial to run the same linters & configuration locally as in CI.
 
-Run all linters liks:
+Run all linters like:
 
     ❯ pre-commit run --hook-stage=manual --all-files
     isort....................................................................Passed

tests/test_main.py

@@ -411,8 +411,8 @@ def test_com_feature_matching(z395eb_extractor):
                         meta:
                             name: initialize IWebBrowser2
                             scopes:
-                              - static: basic block
-                              - dynamic: unsupported
+                              static: basic block
+                              dynamic: unsupported
                         features:
                             - and:
                                 - api: ole32.CoCreateInstance