v9.2.1 (#2685)

* ci: downgrade Ubuntu version to accommodate older GLIBC versions

* ci: upgrade Windows version to avoid deprecation

* ci: exclude pkg_resources from PyInstaller build

* update CHANGELOG

* update spec file

* ci: check if build runs without warnings or errors

* update CHANGELOG

* update build commands

* update build commands

* update build commands

* update build commands

* update build commands

.github/pyinstaller/pyinstaller.spec

@@ -74,6 +74,9 @@ a = Analysis(
         # only be installed locally.
         "binaryninja",
         "ida",
+        # remove once https://github.com/mandiant/capa/issues/2681 has
+        # been addressed by PyInstaller
+        "pkg_resources",
     ],
 )
 

.github/workflows/build.yml

@@ -22,16 +22,16 @@ jobs:
       fail-fast: true
       matrix:
         include:
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             # use old linux so that the shared library versioning is more portable
             artifact_name: capa
             asset_name: linux
             python_version: '3.10'
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             artifact_name: capa
             asset_name: linux-py312
             python_version: '3.12'
-          - os: windows-2019
+          - os: windows-2022
             artifact_name: capa.exe
             asset_name: windows
             python_version: '3.10'
@@ -49,7 +49,7 @@ jobs:
         uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: ${{ matrix.python_version }}
-      - if: matrix.os == 'ubuntu-20.04'
+      - if: matrix.os == 'ubuntu-22.04'
         run: sudo apt-get install -y libyaml-dev
       - name: Upgrade pip, setuptools
         run: python -m pip install --upgrade pip setuptools
@@ -59,6 +59,28 @@ jobs:
           pip install -e .[build]
       - name: Build standalone executable
         run: pyinstaller --log-level DEBUG .github/pyinstaller/pyinstaller.spec
+      - name: Does it run without warnings or errors?
+        shell: bash
+        run: |
+          if [[ "${{ matrix.os }}" == "windows-2022" ]]; then
+            EXECUTABLE=".\\dist\\capa"
+          else
+            EXECUTABLE="./dist/capa"
+          fi
+
+          output=$(${EXECUTABLE} --version 2>&1)
+          exit_code=$?
+
+          echo "${output}"
+          echo "${exit_code}"
+
+          if echo "${output}" | grep -iE 'error|warning'; then
+            exit 1
+          fi
+
+          if [[ "${exit_code}" -ne 0 ]]; then
+            exit 1
+          fi
       - name: Does it run (PE)?
         run: dist/capa -d "tests/data/Practical Malware Analysis Lab 01-01.dll_"
       - name: Does it run (Shellcode)?

.github/workflows/publish.yml

@@ -35,7 +35,7 @@ jobs:
         with:
           path: dist/*
       - name: publish package
-        uses: pypa/gh-action-pypi-publish@f5622bde02b04381239da3573277701ceca8f6a0  # release/v1
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # release/v1.12.4
         with:
           skip-existing: true
           verbose: true

.github/workflows/tests.yml

@@ -88,16 +88,16 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-20.04, windows-2019, macos-13]
+        os: [ubuntu-22.04, windows-2022, macos-13]
         # across all operating systems
         python-version: ["3.10", "3.11"]
         include:
           # on Ubuntu run these as well
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             python-version: "3.10"
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             python-version: "3.11"
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             python-version: "3.12"
     steps:
     - name: Checkout capa with submodules
@@ -109,7 +109,7 @@ jobs:
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install pyyaml
-      if: matrix.os == 'ubuntu-20.04'
+      if: matrix.os == 'ubuntu-22.04'
       run: sudo apt-get install -y libyaml-dev
     - name: Install capa
       run: |
@@ -168,7 +168,7 @@ jobs:
 
   ghidra-tests:
     name: Ghidra tests for ${{ matrix.python-version }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     needs: [tests]
     strategy:
       fail-fast: false

CHANGELOG.md

@@ -11,8 +11,6 @@
 -
 
 ### Bug Fixes
-- only parse CAPE fields required for analysis @mike-hunhoff #2607
-- improve _number_ feature extraction for BinExport @mike-hunhoff #2609
 
 ### capa Explorer Web
 
@@ -21,8 +19,92 @@
 ### Development
 
 ### Raw diffs
-- [capa v9.0.0...master](https://github.com/mandiant/capa/compare/v9.0.0...master)
-- [capa-rules v9.0.0...master](https://github.com/mandiant/capa-rules/compare/v9.0.0...master)
+- [capa v9.2.1...master](https://github.com/mandiant/capa/compare/v9.2.1...master)
+- [capa-rules v9.2.1...master](https://github.com/mandiant/capa-rules/compare/v9.2.1...master)
+
+## v9.2.1
+
+This point release fixes bugs including removing an unnecessary PyInstaller warning message and enabling the standalone binary to execute on systems running older versions of glibc.
+
+### Bug Fixes
+
+- ci: exclude pkg_resources from PyInstaller build @mike-hunhoff #2684
+- ci: downgrade Ubuntu version to accommodate older glibc versions @mike-hunhoff #2684
+
+### Development
+
+- ci: upgrade Windows version to avoid deprecation @mike-hunhoff #2684
+- ci: check if build runs without warnings or errors @mike-hunhoff #2684
+
+### Raw diffs
+- [capa v9.2.0...v9.2.1](https://github.com/mandiant/capa/compare/v9.2.0...v9.2.1)
+- [capa-rules v9.2.0...v9.2.1](https://github.com/mandiant/capa-rules/compare/v9.2.0...v9.2.1)
+
+## v9.2.0
+
+This release improves a few aspects of dynamic analysis, including relaxing our validation on fields across many CAPE versions and processing additional VMRay submission file types, for example.
+It also includes an updated rule pack containing new rules and rule fixes.
+
+### New Features
+- vmray: do not restrict analysis to PE and ELF files, e.g. docx @mike-hunhoff #2672
+
+### Breaking Changes
+
+### New Rules (22)
+
+- communication/socket/connect-socket moritz.raabe@mandiant.com joakim@intezer.com mrhafizfarhad@gmail.com
+- communication/socket/udp/connect-udp-socket mrhafizfarhad@gmail.com
+- nursery/enter-debug-mode-in-dotnet @v1bh475u
+- nursery/decrypt-data-using-tripledes-in-dotnet 0xRavenspar
+- nursery/encrypt-data-using-tripledes-in-dotnet 0xRavenspar
+- nursery/disable-system-features-via-registry-on-windows mehunhoff@google.com
+- data-manipulation/encryption/chaskey/encrypt-data-using-chaskey still@teamt5.org
+- data-manipulation/encryption/speck/encrypt-data-using-speck still@teamt5.org
+- load-code/dotnet/load-assembly-via-iassembly still@teamt5.org
+- malware-family/donut-loader/load-shellcode-via-donut still@teamt5.org
+- nursery/disable-device-guard-features-via-registry-on-windows mehunhoff@google.com
+- nursery/disable-firewall-features-via-registry-on-windows mehunhoff@google.com
+- nursery/disable-system-restore-features-via-registry-on-windows mehunhoff@google.com
+- nursery/disable-windows-defender-features-via-registry-on-windows mehunhoff@google.com
+- host-interaction/file-system/write/clear-file-content jakeperalta7
+- host-interaction/filter/unload-minifilter-driver JakePeralta7
+- exploitation/enumeration/make-suspicious-ntquerysysteminformation-call zdw@google.com
+- exploitation/gadgets/load-ntoskrnl zdw@google.com
+- exploitation/gadgets/resolve-ntoskrnl-gadgets zdw@google.com
+- exploitation/spraying/make-suspicious-ntfscontrolfile-call zdw@google.com
+- anti-analysis/anti-forensic/unload-sysmon JakePeralta7
+
+### Bug Fixes
+- cape: make some fields optional @williballenthin #2631 #2632
+- lint: add WARN for regex features that contain unescaped dot #2635
+- lint: add ERROR for incomplete registry control set regex #2643
+- binja: update unit test core version #2670
+
+### Raw diffs
+- [capa v9.1.0...v9.2.0](https://github.com/mandiant/capa/compare/v9.1.0...v9.2.0)
+- [capa-rules v9.1.0...v9.2.0](https://github.com/mandiant/capa-rules/compare/v9.1.0...v9.2.0)
+
+## v9.1.0
+
+This release improves a few aspects of dynamic analysis, relaxing our validation on fields across many CAPE versions, for example.
+It also includes an updated rule pack in which many dynamic rules make better use of the "span of calls" scope.
+
+
+### New Rules (3)
+
+- host-interaction/registry/change-registry-key-timestamp wballenthin@google.com
+- host-interaction/mutex/check-mutex-and-terminate-process-on-windows @_re_fox moritz.raabe@mandiant.com mehunhoff@google.com
+- anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs-remotely 99.elad.levi@gmail.com
+
+### Bug Fixes
+- only parse CAPE fields required for analysis @mike-hunhoff #2607
+- main: render result document without needing associated rules @williballenthin #2610
+- vmray: only verify process OS and monitor IDs match @mike-hunhoff #2613
+- render: don't assume prior matches exist within a thread @mike-hunhoff #2612
+
+### Raw diffs
+- [capa v9.0.0...v9.1.0](https://github.com/mandiant/capa/compare/v9.0.0...v9.1.0)
+- [capa-rules v9.0.0...v9.1.0](https://github.com/mandiant/capa-rules/compare/v9.0.0...v9.1.0)
 
 ## v9.0.0
 

capa/features/extractors/binexport2/helpers.py

@@ -349,9 +349,30 @@ def get_operand_register_expression(be2: BinExport2, operand: BinExport2.Operand
 
 
 def get_operand_immediate_expression(be2: BinExport2, operand: BinExport2.Operand) -> Optional[BinExport2.Expression]:
-    for expression in get_operand_expressions(be2, operand):
+    if len(operand.expression_index) == 1:
+        # - type: IMMEDIATE_INT
+        #   immediate: 20588728364
+        #   parent_index: 0
+        expression: BinExport2.Expression = be2.expression[operand.expression_index[0]]
         if expression.type == BinExport2.Expression.IMMEDIATE_INT:
             return expression
+
+    elif len(operand.expression_index) == 2:
+        # from IDA, which provides a size hint for every operand,
+        # we get the following pattern for immediate constants:
+        #
+        # - type: SIZE_PREFIX
+        #   symbol: "b8"
+        # - type: IMMEDIATE_INT
+        #   immediate: 20588728364
+        #   parent_index: 0
+        expression0: BinExport2.Expression = be2.expression[operand.expression_index[0]]
+        expression1: BinExport2.Expression = be2.expression[operand.expression_index[1]]
+
+        if expression0.type == BinExport2.Expression.SIZE_PREFIX:
+            if expression1.type == BinExport2.Expression.IMMEDIATE_INT:
+                return expression1
+
     return None
 
 

capa/features/extractors/cape/extractor.py

@@ -54,7 +54,8 @@ class CapeExtractor(DynamicFeatureExtractor):
 
     def get_base_address(self) -> Union[AbsoluteVirtualAddress, _NoAddress, None]:
         # value according to the PE header, the actual trace may use a different imagebase
-        assert self.report.static is not None and self.report.static.pe is not None
+        assert self.report.static is not None
+        assert self.report.static.pe is not None
         return AbsoluteVirtualAddress(self.report.static.pe.imagebase)
 
     def extract_global_features(self) -> Iterator[tuple[Feature, Address]]:

capa/features/extractors/cape/file.py

@@ -88,31 +88,49 @@ def extract_file_strings(report: CapeReport) -> Iterator[tuple[Feature, Address]
 
 
 def extract_used_regkeys(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
+    if not report.behavior.summary:
+        return
+
     for regkey in report.behavior.summary.keys:
         yield String(regkey), NO_ADDRESS
 
 
 def extract_used_files(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
+    if not report.behavior.summary:
+        return
+
     for file in report.behavior.summary.files:
         yield String(file), NO_ADDRESS
 
 
 def extract_used_mutexes(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
+    if not report.behavior.summary:
+        return
+
     for mutex in report.behavior.summary.mutexes:
         yield String(mutex), NO_ADDRESS
 
 
 def extract_used_commands(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
+    if not report.behavior.summary:
+        return
+
     for cmd in report.behavior.summary.executed_commands:
         yield String(cmd), NO_ADDRESS
 
 
 def extract_used_apis(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
+    if not report.behavior.summary:
+        return
+
     for symbol in report.behavior.summary.resolved_apis:
         yield String(symbol), NO_ADDRESS
 
 
 def extract_used_services(report: CapeReport) -> Iterator[tuple[Feature, Address]]:
+    if not report.behavior.summary:
+        return
+
     for svc in report.behavior.summary.created_services:
         yield String(svc), NO_ADDRESS
     for svc in report.behavior.summary.started_services:

capa/features/extractors/cape/models.py

@@ -188,15 +188,15 @@ class PE(FlexibleModel):
     # timestamp: str
 
     # list[ImportedDll], or dict[basename(dll), ImportedDll]
-    imports: Union[list[ImportedDll], dict[str, ImportedDll]]
+    imports: list[ImportedDll] | dict[str, ImportedDll] = Field(default_factory=list)  # type: ignore
     # imported_dll_count: Optional[int] = None
     # imphash: str
 
     # exported_dll_name: Optional[str] = None
-    exports: list[ExportedSymbol]
+    exports: list[ExportedSymbol] = Field(default_factory=list)
 
     # dirents: list[DirectoryEntry]
-    sections: list[Section]
+    sections: list[Section] = Field(default_factory=list)
 
     # ep_bytes: Optional[HexBytes] = None
 
@@ -364,7 +364,7 @@ class EncryptedBuffer(FlexibleModel):
 
 
 class Behavior(FlexibleModel):
-    summary: Summary
+    summary: Summary | None = None
 
     # list of processes, of threads, of calls
     processes: list[Process]

capa/features/extractors/vmray/__init__.py

@@ -96,14 +96,7 @@ class VMRayAnalysis:
                 % (self.submission_name, self.submission_type)
             )
 
-        if self.submission_static is not None:
-            if self.submission_static.pe is None and self.submission_static.elf is None:
-                # we only support static analysis for PE and ELF files for now
-                raise UnsupportedFormatError(
-                    "archive does not contain a supported file format (submission_name: %s, submission_type: %s)"
-                    % (self.submission_name, self.submission_type)
-                )
-        else:
+        if self.submission_static is None:
             # VMRay may not record static analysis for certain file types, e.g. MSI, but we'd still like to match dynamic
             # execution so we continue without and accept that the results may be incomplete
             logger.warning(
@@ -223,16 +216,15 @@ class VMRayAnalysis:
                 # we expect monitor processes recorded in both SummaryV2.json and flog.xml to equal
                 # to ensure this, we compare the pid, monitor_id, and origin_monitor_id
                 # for the other fields we've observed cases with slight deviations, e.g.,
-                # the ppid for a process in flog.xml is not set correctly, all other data is equal
+                # the ppid, origin monitor id, etc. for a process in flog.xml is not set correctly, all other
+                # data is equal
                 sv2p = self.monitor_processes[monitor_process.process_id]
                 if self.monitor_processes[monitor_process.process_id] != vmray_monitor_process:
                     logger.debug("processes differ: %s (sv2) vs. %s (flog)", sv2p, vmray_monitor_process)
 
-                assert (sv2p.pid, sv2p.monitor_id, sv2p.origin_monitor_id) == (
-                    vmray_monitor_process.pid,
-                    vmray_monitor_process.monitor_id,
-                    vmray_monitor_process.origin_monitor_id,
-                )
+                # we need, at a minimum, for the process id and monitor id to match, otherwise there is likely a bug
+                # in the way that VMRay tracked one of the processes
+                assert (sv2p.pid, sv2p.monitor_id) == (vmray_monitor_process.pid, vmray_monitor_process.monitor_id)
 
     def _compute_monitor_threads(self):
         for monitor_thread in self.flog.analysis.monitor_threads:

capa/main.py

@@ -995,7 +995,27 @@ def main(argv: Optional[list[str]] = None):
         handle_common_args(args)
         ensure_input_exists_from_cli(args)
         input_format = get_input_format_from_cli(args)
-        rules = get_rules_from_cli(args)
+    except ShouldExitError as e:
+        return e.status_code
+
+    if input_format == FORMAT_RESULT:
+        # render the result document immediately,
+        # no need to load the rules or do other processing.
+        result_doc = capa.render.result_document.ResultDocument.from_file(args.input_file)
+
+        if args.json:
+            print(result_doc.model_dump_json(exclude_none=True))
+        elif args.vverbose:
+            print(capa.render.vverbose.render_vverbose(result_doc))
+        elif args.verbose:
+            print(capa.render.verbose.render_verbose(result_doc))
+        else:
+            print(capa.render.default.render_default(result_doc))
+        return 0
+
+    try:
+        rules: RuleSet = get_rules_from_cli(args)
+
         found_limitation = False
         file_extractors = get_file_extractors_from_cli(args, input_format)
         if input_format in STATIC_FORMATS:
@@ -1003,45 +1023,30 @@ def main(argv: Optional[list[str]] = None):
             found_limitation = find_static_limitations_from_cli(args, rules, file_extractors)
         if input_format in DYNAMIC_FORMATS:
             found_limitation = find_dynamic_limitations_from_cli(args, rules, file_extractors)
+
+        backend = get_backend_from_cli(args, input_format)
+        sample_path = get_sample_path_from_cli(args, backend)
+        if sample_path is None:
+            os_ = "unknown"
+        else:
+            os_ = capa.loader.get_os(sample_path)
+        extractor: FeatureExtractor = get_extractor_from_cli(args, input_format, backend)
     except ShouldExitError as e:
         return e.status_code
 
-    meta: rdoc.Metadata
-    capabilities: Capabilities
+    capabilities: Capabilities = find_capabilities(rules, extractor, disable_progress=args.quiet)
 
-    if input_format == FORMAT_RESULT:
-        # result document directly parses into meta, capabilities
-        result_doc = capa.render.result_document.ResultDocument.from_file(args.input_file)
-        meta, capabilities = result_doc.to_capa()
+    meta: rdoc.Metadata = capa.loader.collect_metadata(
+        argv, args.input_file, input_format, os_, args.rules, extractor, capabilities
+    )
+    meta.analysis.layout = capa.loader.compute_layout(rules, extractor, capabilities.matches)
 
-    else:
-        # all other formats we must create an extractor
-        # and use that to extract meta and capabilities
-
-        try:
-            backend = get_backend_from_cli(args, input_format)
-            sample_path = get_sample_path_from_cli(args, backend)
-            if sample_path is None:
-                os_ = "unknown"
-            else:
-                os_ = capa.loader.get_os(sample_path)
-            extractor = get_extractor_from_cli(args, input_format, backend)
-        except ShouldExitError as e:
-            return e.status_code
-
-        capabilities = find_capabilities(rules, extractor, disable_progress=args.quiet)
-
-        meta = capa.loader.collect_metadata(
-            argv, args.input_file, input_format, os_, args.rules, extractor, capabilities
-        )
-        meta.analysis.layout = capa.loader.compute_layout(rules, extractor, capabilities.matches)
-
-        if found_limitation:
-            # bail if capa's static feature extractor encountered file limitation e.g. a packed binary
-            # or capa's dynamic feature extractor encountered some limitation e.g. a dotnet sample
-            # do show the output in verbose mode, though.
-            if not (args.verbose or args.vverbose or args.json):
-                return E_FILE_LIMITATION
+    if found_limitation:
+        # bail if capa's static feature extractor encountered file limitation e.g. a packed binary
+        # or capa's dynamic feature extractor encountered some limitation e.g. a dotnet sample
+        # do show the output in verbose mode, though.
+        if not (args.verbose or args.vverbose or args.json):
+            return E_FILE_LIMITATION
 
     if args.json:
         print(capa.render.json.render(meta, rules, capabilities.matches))

capa/render/result_document.py

@@ -418,8 +418,9 @@ class Match(FrozenModel):
                                     and a.id <= location.id
                                 ]
                             )
-                            _, most_recent_match = matches_in_thread[-1]
-                            children.append(Match.from_capa(rules, capabilities, most_recent_match))
+                            if matches_in_thread:
+                                _, most_recent_match = matches_in_thread[-1]
+                                children.append(Match.from_capa(rules, capabilities, most_recent_match))
 
                     else:
                         children.append(Match.from_capa(rules, capabilities, rule_matches[location]))
@@ -478,8 +479,11 @@ class Match(FrozenModel):
                                             and a.id <= location.id
                                         ]
                                     )
-                                    _, most_recent_match = matches_in_thread[-1]
-                                    children.append(Match.from_capa(rules, capabilities, most_recent_match))
+                                    # namespace matches may not occur within the same thread as the result, so only
+                                    # proceed if a match within the same thread is found
+                                    if matches_in_thread:
+                                        _, most_recent_match = matches_in_thread[-1]
+                                        children.append(Match.from_capa(rules, capabilities, most_recent_match))
                             else:
                                 if location in rule_matches:
                                     children.append(Match.from_capa(rules, capabilities, rule_matches[location]))

capa/version.py

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-__version__ = "9.0.0"
+__version__ = "9.2.1"
 
 
 def get_major_version():

pyproject.toml

@@ -121,11 +121,11 @@ dev = [
     # we want all developer environments to be consistent.
     # These dependencies are not used in production environments
     # and should not conflict with other libraries/tooling.
-    "pre-commit==4.1.0",
+    "pre-commit==4.2.0",
     "pytest==8.0.0",
     "pytest-sugar==1.0.0",
     "pytest-instafail==0.5.0",
-    "flake8==7.1.1",
+    "flake8==7.2.0",
     "flake8-bugbear==24.12.12",
     "flake8-encodings==0.5.1",
     "flake8-comprehensions==3.16.0",
@@ -133,20 +133,20 @@ dev = [
     "flake8-no-implicit-concat==0.3.5",
     "flake8-print==5.0.0",
     "flake8-todos==0.3.1",
-    "flake8-simplify==0.21.0",
+    "flake8-simplify==0.22.0",
     "flake8-use-pathlib==0.3.0",
     "flake8-copyright==0.2.4",
-    "ruff==0.9.2",
+    "ruff==0.11.0",
     "black==25.1.0",
     "isort==6.0.0",
     "mypy==1.15.0",
     "mypy-protobuf==3.6.0",
-    "PyGithub==2.5.0",
+    "PyGithub==2.6.0",
     # type stubs for mypy
     "types-backports==0.1.3",
     "types-colorama==0.4.15.11",
     "types-PyYAML==6.0.8",
-    "types-psutil==6.1.0.20241102",
+    "types-psutil==7.0.0.20250218",
     "types_requests==2.32.0.20240712",
     "types-protobuf==5.29.1.20241207",
     "deptry==0.23.0"
@@ -157,12 +157,12 @@ build = [
     # These dependencies are not used in production environments
     # and should not conflict with other libraries/tooling.
     "pyinstaller==6.12.0",
-    "setuptools==75.8.0",
+    "setuptools==80.9.0",
     "build==1.2.2"
 ]
 scripts = [
     "jschema_to_python==1.2.3",
-    "psutil==6.1.0",
+    "psutil==7.0.0",
     "stix2==3.0.1",
     "sarif_om==1.0.4",
     "requests==2.32.3",

requirements.txt

@@ -12,7 +12,7 @@ cxxfilt==0.3.0
 dncil==1.0.2
 dnfile==0.15.0
 funcy==2.0
-humanize==4.10.0
+humanize==4.12.0
 ida-netnode==3.0
 ida-settings==2.1.0
 intervaltree==3.1.0
@@ -21,25 +21,25 @@ mdurl==0.1.2
 msgpack==1.0.8
 networkx==3.4.2
 pefile==2024.8.26
-pip==25.0
-protobuf==5.29.3
+pip==25.1.1
+protobuf==6.30.1
 pyasn1==0.5.1
 pyasn1-modules==0.3.0
 pycparser==2.22
-pydantic==2.10.1
+pydantic==2.11.4
 # pydantic pins pydantic-core, 
 # but dependabot updates these separately (which is broken) and is annoying,
 # so we rely on pydantic to pull in the right version of pydantic-core.
 # pydantic-core==2.23.4
 xmltodict==0.14.2
-pyelftools==0.31
+pyelftools==0.32
 pygments==2.19.1
 python-flirt==0.9.2
 pyyaml==6.0.2
-rich==13.9.2
+rich==14.0.0
 ruamel-yaml==0.18.6
 ruamel-yaml-clib==0.2.8
-setuptools==75.8.0
+setuptools==80.9.0
 six==1.17.0
 sortedcontainers==2.4.0
 viv-utils==0.8.0

scripts/capa2yara.py

@@ -175,8 +175,6 @@ def convert_rule(rule, rulename, cround, depth):
     depth += 1
     logger.info("recursion depth: %d", depth)
 
-    global var_names
-
     def do_statement(s_type, kid):
         yara_strings = ""
         yara_condition = ""

scripts/lint.py

@@ -49,7 +49,7 @@ import capa.helpers
 import capa.features.insn
 import capa.capabilities.common
 from capa.rules import Rule, RuleSet
-from capa.features.common import OS_AUTO, String, Feature, Substring
+from capa.features.common import OS_AUTO, Regex, String, Feature, Substring
 from capa.render.result_document import RuleMetadata
 
 logger = logging.getLogger("lint")
@@ -406,6 +406,7 @@ class DoesntMatchExample(Lint):
                 return True
 
             if rule.name not in capabilities:
+                logger.info('rule "%s" does not match for sample %s', rule.name, example_id)
                 return True
 
 
@@ -721,6 +722,76 @@ class FeatureStringTooShort(Lint):
         return False
 
 
+class FeatureRegexRegistryControlSetMatchIncomplete(Lint):
+    name = "feature regex registry control set match incomplete"
+    recommendation = (
+        'use "(ControlSet\\d{3}|CurrentControlSet)" to match both indirect references '
+        + 'via "CurrentControlSet" and direct references via "ControlSetXXX"'
+    )
+
+    def check_features(self, ctx: Context, features: list[Feature]):
+        for feature in features:
+            if not isinstance(feature, (Regex,)):
+                continue
+
+            assert isinstance(feature.value, str)
+
+            pat = feature.value.lower()
+
+            if "system\\\\" in pat and "controlset" in pat or "currentcontrolset" in pat:
+                if "system\\\\(controlset\\d{3}|currentcontrolset)" not in pat:
+                    return True
+
+            return False
+
+
+class FeatureRegexContainsUnescapedPeriod(Lint):
+    name = "feature regex contains unescaped period"
+    recommendation_template = 'escape the period in "{:s}" unless it should be treated as a regex dot operator'
+    level = Lint.WARN
+
+    def check_features(self, ctx: Context, features: list[Feature]):
+        for feature in features:
+            if isinstance(feature, (Regex,)):
+                assert isinstance(feature.value, str)
+
+                pat = feature.value.removeprefix("/")
+                pat = pat.removesuffix("/i").removesuffix("/")
+
+                index = pat.find(".")
+                if index == -1:
+                    return False
+
+                if index < len(pat) - 1:
+                    if pat[index + 1] in ("*", "+", "?", "{"):
+                        # like "/VB5!.*/"
+                        return False
+
+                if index == 0:
+                    # like "/.exe/" which should be "/\.exe/"
+                    self.recommendation = self.recommendation_template.format(feature.value)
+                    return True
+
+                if pat[index - 1] != "\\":
+                    # like "/test.exe/" which should be "/test\.exe/"
+                    self.recommendation = self.recommendation_template.format(feature.value)
+                    return True
+
+                if pat[index - 1] == "\\":
+                    for i, char in enumerate(pat[0:index][::-1]):
+                        if char == "\\":
+                            continue
+
+                        if i % 2 == 0:
+                            # like "/\\\\.\\pipe\\VBoxTrayIPC/"
+                            self.recommendation = self.recommendation_template.format(feature.value)
+                            return True
+
+                        break
+
+        return False
+
+
 class FeatureNegativeNumber(Lint):
     name = "feature value is negative"
     recommendation = "specify the number's two's complement representation"
@@ -931,7 +1002,13 @@ def lint_meta(ctx: Context, rule: Rule):
     return run_lints(META_LINTS, ctx, rule)
 
 
-FEATURE_LINTS = (FeatureStringTooShort(), FeatureNegativeNumber(), FeatureNtdllNtoskrnlApi())
+FEATURE_LINTS = (
+    FeatureStringTooShort(),
+    FeatureNegativeNumber(),
+    FeatureNtdllNtoskrnlApi(),
+    FeatureRegexContainsUnescapedPeriod(),
+    FeatureRegexRegistryControlSetMatchIncomplete(),
+)
 
 
 def lint_features(ctx: Context, rule: Rule):

tests/test_binja_features.py

@@ -70,4 +70,4 @@ def test_standalone_binja_backend():
 @pytest.mark.skipif(binja_present is False, reason="Skip binja tests if the binaryninja Python API is not installed")
 def test_binja_version():
     version = binaryninja.core_version_info()
-    assert version.major == 4 and version.minor == 2
+    assert version.major == 5 and version.minor == 0

web/explorer/package.json

@@ -26,15 +26,15 @@
     },
     "devDependencies": {
         "@rushstack/eslint-patch": "^1.8.0",
-        "@vitejs/plugin-vue": "^5.0.5",
+        "@vitejs/plugin-vue": "^5.2.3",
         "@vue/eslint-config-prettier": "^9.0.0",
         "@vue/test-utils": "^2.4.6",
         "eslint": "^8.57.0",
         "eslint-plugin-vue": "^9.23.0",
         "jsdom": "^24.1.0",
         "prettier": "^3.2.5",
-        "vite": "^5.4.14",
-        "vite-plugin-singlefile": "^2.0.2",
-        "vitest": "^1.6.0"
+        "vite": "^6.3.4",
+        "vite-plugin-singlefile": "^2.2.0",
+        "vitest": "^3.0.9"
     }
 }

web/public/index.html

@@ -210,27 +210,25 @@
     <div class="row flex-lg-row-reverse align-items-center g-5">
       <h1>What's New</h1>
 
-      <h2 class="mt-3">Rule Updates</h2>
-
-      <ul class="mt-2 ps-5">
-        <!-- TODO(williballenthin): add date -->
-        <li>
-          added:
-          <a href="./rules/use bigint function/">
-            use bigint function
-          </a>
-        </li>
-
-        <li>
-          added:
-          <a href="./rules/encrypt data using RSA via embedded library/">
-            encrypt data using RSA via embedded library
-          </a>
-        </li>
-      </ul>
-
       <h2 class="mt-3">Tool Updates</h2>
 
+      <h3 class="mt-2">v9.2.1 (<em>2025-06-06</em>)</h3>
+      <p class="mt-0">
+        This point release fixes bugs including removing an unnecessary PyInstaller warning message and enabling the standalone binary to execute on systems running older versions of glibc.
+      </p>
+
+      <h3 class="mt-2">v9.2.0 (<em>2025-06-03</em>)</h3>
+      <p class="mt-0">
+        This release improves a few aspects of dynamic analysis, including relaxing our validation on fields across many CAPE versions and processing additional VMRay submission file types, for example.
+        It also includes an updated rule pack containing new rules and rule fixes.
+      </p>
+
+      <h3 class="mt-2">v9.1.0 (<em>2025-03-02</em>)</h3>
+      <p class="mt-0">
+        This release improves a few aspects of dynamic analysis, relaxing our validation on fields across many CAPE versions, for example.
+        It also includes an updated rule pack in which many dynamic rules make better use of the "span of calls" scope.
+      </p>
+
       <h3 class="mt-2">v9.0.0 (<em>2025-02-05</em>)</h3>
       <p class="mt-0">
         This release introduces a new scope for dynamic analysis, "span of calls",