From 801c80d7a21d4e686874396b0778e1bfb125425c Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Wed, 4 Jan 2023 00:25:06 -0500
Subject: [PATCH 01/18] spelling: alphanum
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 scripts/capa2yara.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/capa2yara.py b/scripts/capa2yara.py
index 9474347b..d38c970a 100644
--- a/scripts/capa2yara.py
+++ b/scripts/capa2yara.py
@@ -129,7 +129,7 @@ def convert_capa_number_to_yara_bytes(number):
 def convert_rule_name(rule_name):
- # yara rule names: "Identifiers must follow the same lexical conventions of the C programming language, they can contain any alphanumeric character and the underscore character, but the first character cannot be a digit. Rule identifiers are case sensitive and cannot exceed 128 characters." so we replace any non-alpanum with _
+ # yara rule names: "Identifiers must follow the same lexical conventions of the C programming language, they can contain any alphanumeric character and the underscore character, but the first character cannot be a digit. Rule identifiers are case sensitive and cannot exceed 128 characters." so we replace any non-alphanum with _
 rule_name = re.sub(r"\W", "_", rule_name)
 rule_name = "capa_" + rule_name
From 1fa9180fee2fea9beb5490b9dc856b539691c102 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Wed, 4 Jan 2023 00:25:07 -0500
Subject: [PATCH 02/18] spelling: beginning
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 scripts/capa2yara.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/capa2yara.py b/scripts/capa2yara.py
index d38c970a..f4c9b357 100644
--- a/scripts/capa2yara.py
+++ b/scripts/capa2yara.py
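Review bot: `rule_name = re.sub(r"\W", "_", rule_name)` on the context line below the fixed comment is Unicode-aware in Python 3, so non-ASCII letters and digits in a capa rule name survive the substitution even though the YARA constraint quoted in that very comment only admits C identifier characters; passing `flags=re.ASCII` makes `\W` cover them: `rule_name = re.sub(r"\W", "_", rule_name, flags=re.ASCII)`. The same comment cites the 128-character ceiling, but nothing in the hunk enforces it, so a guard after the `capa_` prefix is added, e.g. `if len(rule_name) > 128: raise ValueError("yara identifier too long: " + rule_name)`, would surface the problem at conversion time rather than in yara's compiler. The remainder of convert_rule_name is outside the hunk, so a later length check cannot be ruled out from here.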
@@ -283,7 +283,7 @@ def convert_rule(rule, rulename, cround, depth): # change capas /xxx/i to yaras /xxx/ nocase, count will be used later to decide appending 'nocase' regex, count = re.subn(r"/i$", "/", regex) - # remove / in the begining and end + # remove / in the beginning and end regex = regex[1:-1] # all .* in the regexes of capa look like they should be maximum 100 chars so take 1000 to speed up rules and prevent yara warnings on poor performance @@ -296,7 +296,7 @@ def convert_rule(rule, rulename, cround, depth): # /reg(|.exe)/ => /reg(.exe)?/ regex = re.sub(r"\(\|([^\)]+)\)", r"(\1)?", regex) - # change begining of line to null byte, e.g. /^open => /\x00open (not word boundary because we're not looking for the begining of a word in a text but usually a function name if there's ^ in a capa rule) + # change beginning of line to null byte, e.g. /^open => /\x00open (not word boundary because we're not looking for the beginning of a word in a text but usually a function name if there's ^ in a capa rule) regex = re.sub(r"^\^", r"\\x00", regex) # regex = re.sub(r"^\^", r"\\b", regex) From 4576cbd0a1e1cd00a27ea78397cccd1502825062 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 4 Jan 2023 00:25:07 -0500 Subject: [PATCH 03/18] spelling: committing Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- doc/installation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/installation.md b/doc/installation.md index 04414062..fa1b46f1 100644 --- a/doc/installation.md +++ b/doc/installation.md 
@@ -79,7 +79,7 @@ You'll find that the `capa.exe` (Windows) or `capa` (Linux/MacOS) executables in For development, we recommend to use [venv](https://docs.python.org/3/tutorial/venv.html). It allows you to create a virtual environment: a self-contained directory tree that contains a Python installation for a particular version of Python, plus a number of additional packages. This approach avoids conflicts between the requirements of different applications on your computer. It also ensures that you don't overlook to add a new requirement to `setup.up` using a library already installed on your system. -To create an environment (in the parent directory, to avoid commiting it by accident or messing with the linters), run: `$ python3 -m venv ../capa-env` +To create an environment (in the parent directory, to avoid committing it by accident or messing with the linters), run: `$ python3 -m venv ../capa-env` To activate `capa-env` in Linux or MacOS, run: `$ source ../capa-env/bin/activate` From 5396d5f99e54b51a551f2d1dd2ba7ae7914a604c Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 4 Jan 2023 00:25:08 -0500 Subject: [PATCH 04/18] spelling: contiguous Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- capa/features/extractors/dnfile/helpers.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/capa/features/extractors/dnfile/helpers.py b/capa/features/extractors/dnfile/helpers.py index d79d802b..e511a5da 100644 --- a/capa/features/extractors/dnfile/helpers.py +++ b/capa/features/extractors/dnfile/helpers.py 
@@ -186,7 +186,7 @@ def get_dotnet_managed_methods(pe: dnfile.dnPE) -> Iterator[DnType]:
 Each row represents a class in the current assembly.
 TypeName (index into String heap)
 TypeNamespace (index into String heap)
- MethodList (index into MethodDef table; it marks the first of a continguous run of Methods owned by this Type)
+ MethodList (index into MethodDef table; it marks the first of a contiguous run of Methods owned by this Type)
 """
 accessor_map: Dict[int, str] = {}
 for (methoddef, methoddef_access) in get_dotnet_methoddef_property_accessors(pe):
@@ -223,7 +223,7 @@ def get_dotnet_fields(pe: dnfile.dnPE) -> Iterator[DnType]:
 Each row represents a class in the current assembly.
 TypeName (index into String heap)
 TypeNamespace (index into String heap)
- FieldList (index into Field table; it marks the first of a continguous run of Fields owned by this Type)
+ FieldList (index into Field table; it marks the first of a contiguous run of Fields owned by this Type)
 """
 for (rid, typedef) in iter_dotnet_table(pe, dnfile.mdtable.TypeDef.number):
 assert isinstance(typedef, dnfile.mdtable.TypeDefRow)
From 68efa7316b418600d590a436a05606a5d8113d81 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Wed, 4 Jan 2023 00:25:08 -0500
Subject: [PATCH 05/18] spelling: dictionary
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 scripts/capa_as_library.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/capa_as_library.py b/scripts/capa_as_library.py
index 2db6a644..07b408cc 100644
--- a/scripts/capa_as_library.py
+++ b/scripts/capa_as_library.py
@@ -16,7 +16,7 @@ import capa.features.freeze.features as frzf
 from capa.engine import *
-# == Render ddictionary helpers
+# == Render dictionary helpers
 def render_meta(doc: rd.ResultDocument, result):
 result["md5"] = doc.meta.sample.md5
 result["sha1"] = doc.meta.sample.sha1
From caef7812a36c06bc8f985cb51bde990815412f59 Mon Sep 17 00:00:00 2001
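Review bot: `assert isinstance(typedef, dnfile.mdtable.TypeDefRow)` on the last context line of the get_dotnet_fields hunk is the only type check applied to rows read from the input assembly's TypeDef table, and `assert` statements are stripped under `python -O`, so in an optimized run a malformed table that yields a different row type would fail later with an AttributeError instead of here. If the assert exists only to narrow the type for the checker, a comment saying so would stop readers treating it as input validation, e.g. `# type narrowing for mypy; iter_dotnet_table yields TypeDefRow for this table`; if it is a real guard against bad metadata, `if not isinstance(typedef, dnfile.mdtable.TypeDefRow): continue` keeps it effective under -O. get_dotnet_fields continues past the end of the hunk, so how the row is consumed afterwards is not visible from here.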
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 4 Jan 2023 00:25:09 -0500 Subject: [PATCH 06/18] spelling: disassembly Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- capa/ida/plugin/README.md | 2 +- capa/ida/plugin/form.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/capa/ida/plugin/README.md b/capa/ida/plugin/README.md index 0a8883ef..c42181b2 100644 --- a/capa/ida/plugin/README.md +++ b/capa/ida/plugin/README.md @@ -71,7 +71,7 @@ downloading and using the [standard collection of capa rules](https://github.com * Hover your cursor over a rule match to view the source content of the rule * Double-click the `Address` column to navigate your Disassembly view to the address of the associated feature * Double-click a result in the `Rule Information` column to expand its children -* Select a checkbox in the `Rule Information` column to highlight the address of the associated feature in your Dissasembly view +* Select a checkbox in the `Rule Information` column to highlight the address of the associated feature in your Disassembly view #### Tips for Rule Generator diff --git a/capa/ida/plugin/form.py b/capa/ida/plugin/form.py index e2bde4e8..41d9d291 100644 --- a/capa/ida/plugin/form.py +++ b/capa/ida/plugin/form.py @@ -471,7 +471,7 @@ class CapaExplorerForm(idaapi.PluginForm): label2.setText("Editor") label2.setFont(font) - self.view_rulegen_limit_features_by_ea = QtWidgets.QCheckBox("Limit features to current dissasembly address") + self.view_rulegen_limit_features_by_ea = QtWidgets.QCheckBox("Limit features to current disassembly address") self.view_rulegen_limit_features_by_ea.setChecked(False) self.view_rulegen_limit_features_by_ea.stateChanged.connect(self.slot_checkbox_limit_features_by_ea) From 049e222e884a781c791037e63f262ec609e1eea9 Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Wed, 4 Jan 2023 00:32:04 -0500
Subject: [PATCH 07/18] spelling: falls through
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 capa/features/extractors/viv/indirect_calls.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/capa/features/extractors/viv/indirect_calls.py b/capa/features/extractors/viv/indirect_calls.py
index c433bab4..335877e8 100644
--- a/capa/features/extractors/viv/indirect_calls.py
+++ b/capa/features/extractors/viv/indirect_calls.py
@@ -42,7 +42,7 @@ def get_previous_instructions(vw: VivWorkspace, va: int) -> List[int]:
 ret = []
 # find the immediate prior instruction.
- # ensure that it fallsthrough to this one.
+ # ensure that it falls through to this one.
 loc = vw.getPrevLocation(va, adjacent=True)
 if loc is not None:
 ploc = vw.getPrevLocation(va, adjacent=True)
From d29e7e6f3a9109431641ae934b3bc40958844298 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Wed, 4 Jan 2023 00:25:09 -0500
Subject: [PATCH 08/18] spelling: further
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 capa/features/extractors/common.py | 4 ++--
 capa/features/extractors/ida/global_.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/capa/features/extractors/common.py b/capa/features/extractors/common.py
index 5f56e50d..585c0040 100644
--- a/capa/features/extractors/common.py
+++ b/capa/features/extractors/common.py
@@ -63,7 +63,7 @@ def extract_arch(buf) -> Iterator[Tuple[Feature, Address]]:
 # 2. handling a new file format (e.g. macho)
 #
 # for (1) we can't do much - its shellcode and all bets are off.
- # we could maybe accept a futher CLI argument to specify the arch,
+ # we could maybe accept a further CLI argument to specify the arch,
 # but i think this would be rarely used.
 # rules that rely on arch conditions will fail to match on shellcode.
 #
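Review bot: `ploc = vw.getPrevLocation(va, adjacent=True)` on the last line of the indirect_calls.py hunk repeats, with identical arguments, the call made two lines earlier for `loc`; if getPrevLocation is deterministic for a fixed workspace, `ploc` is always the same value as `loc` and the second lookup is redundant, so `ploc = loc` (or simply using `loc` below) would make the intent clearer and avoid the duplicate query. get_previous_instructions continues outside the hunk, so a later use of `ploc` may justify the separate name, but it does not justify the repeated call.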
@@ -91,7 +91,7 @@ def extract_os(buf) -> Iterator[Tuple[Feature, Address]]: # 2. handling a new file format (e.g. macho) # # for (1) we can't do much - its shellcode and all bets are off. - # we could maybe accept a futher CLI argument to specify the OS, + # we could maybe accept a further CLI argument to specify the OS, # but i think this would be rarely used. # rules that rely on OS conditions will fail to match on shellcode. # diff --git a/capa/features/extractors/ida/global_.py b/capa/features/extractors/ida/global_.py index b724942e..3cca914e 100644 --- a/capa/features/extractors/ida/global_.py +++ b/capa/features/extractors/ida/global_.py @@ -31,7 +31,7 @@ def extract_os() -> Iterator[Tuple[Feature, Address]]: # 2. handling a new file format (e.g. macho) # # for (1) we can't do much - its shellcode and all bets are off. - # we could maybe accept a futher CLI argument to specify the OS, + # we could maybe accept a further CLI argument to specify the OS, # but i think this would be rarely used. # rules that rely on OS conditions will fail to match on shellcode. # From 6e17462bd0820644462e2b9dac85aa6c71116d54 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Mon, 2 Jan 2023 13:58:21 -0500 Subject: [PATCH 09/18] spelling: github Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- .github/CONTRIBUTING.md | 2 +- CHANGELOG.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index 86336f39..59a3b6a4 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md 
@@ -31,7 +31,7 @@ This project and everyone participating in it is governed by the [Capa Code of C ### Capa and its repositories -We host the capa project as three Github repositories: +We host the capa project as three GitHub repositories: - [capa](https://github.com/mandiant/capa) - [capa-rules](https://github.com/mandiant/capa-rules) - [capa-testfiles](https://github.com/mandiant/capa-testfiles) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70275804..646a298c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1300,7 +1300,7 @@ Download a standalone binary below and checkout the readme [here on GitHub](http - setup: pin vivisect version @williballenthin - setup: bump vivisect dependency version @williballenthin - setup: set Python project name to `flare-capa` @williballenthin - - ci: run tests and linter via Github Actions @Ana06 + - ci: run tests and linter via GitHub Actions @Ana06 - hooks: run style checkers and hide stashed output @Ana06 - linter: ignore period in rule filename @williballenthin - linter: warn on nursery rule with no changes needed @williballenthin From 9e3a48aa8d783417737ab3f316707d391653fe3b Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 4 Jan 2023 00:25:10 -0500 Subject: [PATCH 10/18] spelling: globally Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- scripts/lint.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/lint.py b/scripts/lint.py index cd6e32cb..ed6e8b17 100644 --- a/scripts/lint.py +++ b/scripts/lint.py @@ -902,7 +902,7 @@ def redirecting_print_to_tqdm(): old_print(*args, **kwargs) try: - # Globaly replace print with new_print. + # Globally replace print with new_print. # Verified this works manually on Python 3.11: # >>> import inspect # >>> inspect.builtins From 6932df356412640a9deeab736f07d5c22092e13d Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Mon, 2 Jan 2023 13:58:15 -0500
Subject: [PATCH 11/18] spelling: import
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 tests/test_ida_features.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_ida_features.py b/tests/test_ida_features.py
index a568606a..d0a4a67d 100644
--- a/tests/test_ida_features.py
+++ b/tests/test_ida_features.py
@@ -37,7 +37,7 @@ def check_input_file(wanted):
 def get_ida_extractor(_path):
 check_input_file("5f66b82558ca92e54e77f216ef4c066c")
- # have to import import this inline so pytest doesn't bail outside of IDA
+ # have to import this inline so pytest doesn't bail outside of IDA
 import capa.features.extractors.ida.extractor
 return capa.features.extractors.ida.extractor.IdaFeatureExtractor()
From 00254b93dcd6c545de18c3f7edf084fafc779976 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Wed, 4 Jan 2023 00:25:10 -0500
Subject: [PATCH 12/18] spelling: instruction
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 capa/features/insn.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/capa/features/insn.py b/capa/features/insn.py
index e5c1a49e..1f1c0171 100644
--- a/capa/features/insn.py
+++ b/capa/features/insn.py
@@ -82,7 +82,7 @@ class Mnemonic(Feature):
 super().__init__(value, description=description)
-# max number of operands to consider for a given instrucion.
+# max number of operands to consider for a given instruction.
 # since we only support Intel and .NET, we can assume this is 3
 # which covers cases up to e.g. "vinserti128 ymm0,ymm0,ymm5,1"
 MAX_OPERAND_COUNT = 4
From ea0a708f35fd77cef5f954092c5d0b4abffaea37 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Wed, 4 Jan 2023 00:25:11 -0500
Subject: [PATCH 13/18] spelling: interesting
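Review bot: The comment kept as context in the insn.py hunk still says `we can assume this is 3` while the constant two lines later is `MAX_OPERAND_COUNT = 4`, and the cited example `vinserti128 ymm0,ymm0,ymm5,1` itself has four operands, so the prose contradicts the value it documents. Since the commit is already correcting this comment block, the stale number should go with it: `# since we only support Intel and .NET, we can assume this is 4`, or drop the repeated figure and let the example alone justify the constant.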
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 scripts/capa2yara.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/capa2yara.py b/scripts/capa2yara.py
index f4c9b357..0cb9542d 100644
--- a/scripts/capa2yara.py
+++ b/scripts/capa2yara.py
@@ -623,7 +623,7 @@ def convert_rules(rules, namespaces, cround, make_priv):
 value = re.sub(r"^([0-9a-f]{20,64}):0x[0-9a-f]{1,10}$", r"\1", value, flags=re.IGNORECASE)
 # examples in capa can contain the same hash several times with different offset, so check if it's already there:
- # (keeping the offset might be interessting for some but breaks yara-ci for checking of the final rules
+ # (keeping the offset might be interesting for some but breaks yara-ci for checking of the final rules
 if value not in seen_hashes:
 yara_meta += "\t" + meta_name + ' = "' + value + '"\n'
 seen_hashes.append(value)
From c11633c5db6fcdfe4e4c82ea8acf6f5f95c56835 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Wed, 4 Jan 2023 00:25:11 -0500
Subject: [PATCH 14/18] spelling: minimum
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
---
 scripts/capa2yara.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/capa2yara.py b/scripts/capa2yara.py
index 0cb9542d..20a88594 100644
--- a/scripts/capa2yara.py
+++ b/scripts/capa2yara.py
@@ -377,7 +377,7 @@ def convert_rule(rule, rulename, cround, depth):
 if s_type == "Some":
 cmin = kid.count
- logger.info("Some type with mininum: " + str(cmin))
+ logger.info("Some type with minimum: " + str(cmin))
 if not cmin:
 logger.info("this is optional: which means, we can just ignore it")
@@ -482,7 +482,7 @@ def convert_rule(rule, rulename, cround, depth):
 elif statement == "Some":
 cmin = rule.count
- logger.info("Some type with mininum at2: " + str(cmin))
+ logger.info("Some type with minimum at2: " + str(cmin))
 if not cmin:
 logger.info("this is optional: which means, we can just ignore it")
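Review bot: `yara_meta += "\t" + meta_name + ' = "' + value + '"\n'` in the convert_rules hunk splices `value` into a double-quoted YARA meta string with no escaping; the `re.sub` above it only strips a `:0x...` offset from hash-shaped values, so any other example value carrying a `"` or a backslash passes through unchanged and produces a rule that either fails to compile or has its meta string terminated early and the remainder interpreted as rule text. Escaping just before the concatenation, `value = value.replace("\\", "\\\\").replace('"', '\\"')`, keeps the generated rule well-formed for whatever the rule file contains, and is cheap since this runs once per meta line. Separately, `seen_hashes` is a list probed with `in` for every example, which is quadratic; harmless at current sizes, but a set is the idiomatic container for this dedup. convert_rules extends well beyond the hunk, so the origin of `value` and `meta_name` is not visible here.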
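Review bot: `logger.info("Some type with minimum: " + str(cmin))` on the `+` line of the first convert_rule hunk builds the message eagerly with string concatenation; the logging idiom is to let the logger format lazily, `logger.info("Some type with minimum: %s", cmin)`, so the `str()` and join are skipped whenever INFO is disabled and the record keeps `cmin` as a structured argument. The `at2` line in the second hunk of this patch has the same shape and would take the same change. Both hunks sit inside convert_rule, whose body extends beyond what is shown, so this is a local style note only.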
From d65d7bcd7e8225ff50329555921025a81f3b4097 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 4 Jan 2023 00:25:11 -0500 Subject: [PATCH 15/18] spelling: notifications Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- capa/ida/plugin/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/capa/ida/plugin/__init__.py b/capa/ida/plugin/__init__.py index 4ffc09af..b3140b86 100644 --- a/capa/ida/plugin/__init__.py +++ b/capa/ida/plugin/__init__.py @@ -85,7 +85,7 @@ class CapaExplorerPlugin(idaapi.plugin_t): # so we need to register a callback that's invoked from the main thread after the plugin is registered. # # after a lot of guess-and-check, we can use `UI_Hooks.updated_actions` to -# receive notications after IDA has created an action for each plugin. +# receive notifications after IDA has created an action for each plugin. # so, create this hook, wait for capa plugin to load, set the icon, and unhook. From 1c85f530b169be97b67342e9aa4d99131be0f2bb Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 4 Jan 2023 00:25:12 -0500 Subject: [PATCH 16/18] spelling: objects Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- scripts/setup-linter-dependencies.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/setup-linter-dependencies.py b/scripts/setup-linter-dependencies.py index 021c0e31..bbe3a084 100644 --- a/scripts/setup-linter-dependencies.py +++ b/scripts/setup-linter-dependencies.py @@ -70,7 +70,7 @@ class MitreExtractor: self._memory_store = MemoryStore(stix_data=stix_json["objects"]) @staticmethod - def _remove_deprecated_objetcs(stix_objects) -> List[AttackPattern]: + def _remove_deprecated_objects(stix_objects) -> List[AttackPattern]: """Remove any revoked or deprecated objects from queries made to the data source.""" return list( filter( 
@@ -82,7 +82,7 @@ class MitreExtractor: def _get_tactics(self) -> List[Dict]: """Get tactics IDs from Mitre matrix.""" # Only one matrix for enterprise att&ck framework - matrix = self._remove_deprecated_objetcs( + matrix = self._remove_deprecated_objects( self._memory_store.query( [ Filter("type", "=", "x-mitre-matrix"), @@ -93,7 +93,7 @@ class MitreExtractor: def _get_techniques_from_tactic(self, tactic: str) -> List[AttackPattern]: """Get techniques and sub techniques from a Mitre tactic (kill_chain_phases->phase_name)""" - techniques = self._remove_deprecated_objetcs( + techniques = self._remove_deprecated_objects( self._memory_store.query( [ Filter("type", "=", "attack-pattern"), @@ -107,7 +107,7 @@ class MitreExtractor: def _get_parent_technique_from_subtechnique(self, technique: AttackPattern) -> AttackPattern: """Get parent technique of a sub technique using the technique ID TXXXX.YYY""" sub_id = technique["external_references"][0]["external_id"].split(".")[0] - parent_technique = self._remove_deprecated_objetcs( + parent_technique = self._remove_deprecated_objects( self._memory_store.query( [ Filter("type", "=", "attack-pattern"), From f9b3d6304ce86a6f7ba3c17f4ae21a9610c9a73c Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 4 Jan 2023 00:25:12 -0500 Subject: [PATCH 17/18] spelling: uncommitted Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- scripts/ci.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/ci.sh b/scripts/ci.sh index e61831e8..1d359c7c 100755 --- a/scripts/ci.sh +++ b/scripts/ci.sh 
@@ -11,12 +11,12 @@ # Use a console with emojis support for a better experience # Use venv to ensure that `python` calls the correct python version -# Stash uncommited changes +# Stash uncommitted changes MSG="pre-push-$(date +%s)"; git stash push -kum "$MSG" &>/dev/null ; STASH_LIST=$(git stash list); if [[ "$STASH_LIST" == *"$MSG"* ]]; then - echo "Uncommited changes stashed with message '$MSG', if you abort before they are restored run \`git stash pop\`"; + echo "Uncommitted changes stashed with message '$MSG', if you abort before they are restored run \`git stash pop\`"; fi restore_stashed() { From c4ebb0a31d4ce22301d4436b0f00301e01e4382f Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 4 Jan 2023 00:25:13 -0500 Subject: [PATCH 18/18] spelling: unescaped Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- scripts/capa2yara.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/capa2yara.py b/scripts/capa2yara.py index 20a88594..7fd4ad41 100644 --- a/scripts/capa2yara.py +++ b/scripts/capa2yara.py @@ -288,7 +288,7 @@ def convert_rule(rule, rulename, cround, depth): # all .* in the regexes of capa look like they should be maximum 100 chars so take 1000 to speed up rules and prevent yara warnings on poor performance regex = regex.replace(".*", ".{,1000}") - # strange: capa accepts regexes with unsescaped / like - string: /com/exe4j/runtime/exe4jcontroller/i in capa-rules/compiler/exe4j/compiled-with-exe4j.yml, needs a fix for yara: + # strange: capa accepts regexes with unescaped / like - string: /com/exe4j/runtime/exe4jcontroller/i in capa-rules/compiler/exe4j/compiled-with-exe4j.yml, needs a fix for yara: # would assume that get_value_str() gives the raw string regex = re.sub(r"(?