Update capa/ida/plugin/form.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

.bumpversion.toml

@@ -1,5 +1,5 @@
 [tool.bumpversion]
-current_version = "9.3.1"
+current_version = "9.2.1"
 
 [[tool.bumpversion.files]]
 filename = "capa/version.py"
@@ -19,9 +19,4 @@ replace = '"flare-capa=={new_version}"'
 [[tool.bumpversion.files]]
 filename = "CHANGELOG.md"
 search = "v{current_version}...master"
-replace = "v{current_version}...{new_version}"
-
-[[tool.bumpversion.files]]
-filename = "CHANGELOG.md"
-search = "master (unreleased)"
-replace = "v{new_version}"
+replace = "{current_version}...{new_version}"

.github/workflows/build.yml

@@ -46,8 +46,8 @@ jobs:
           #  artifact_name: capa.exe
           #  asset_name: windows-arm64
           #  python_version: '3.12'
-          - os: macos-15-intel
-            # macos-15-intel is the lowest native intel build
+          - os: macos-13
+            # use older macOS for assumed better portability
             artifact_name: capa
             asset_name: macos
             python_version: '3.10'

.github/workflows/tests.yml

@@ -42,10 +42,10 @@ jobs:
     - name: Checkout capa
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     # use latest available python to take advantage of best performance
-    - name: Set up Python 3.13
+    - name: Set up Python 3.12
       uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
-        python-version: "3.13"
+        python-version: "3.12"
     - name: Install dependencies
       run: |
         pip install -r requirements.txt
@@ -70,10 +70,10 @@ jobs:
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         submodules: recursive
-    - name: Set up Python 3.13
+    - name: Set up Python 3.12
       uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
-        python-version: "3.13"
+        python-version: "3.12"
     - name: Install capa
       run: |
         pip install -r requirements.txt
@@ -88,11 +88,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, ubuntu-22.04-arm, windows-2022, macos-15-intel, macos-14]
+        os: [ubuntu-22.04, windows-2022, macos-13]
         # across all operating systems
-        python-version: ["3.10", "3.13"]
+        python-version: ["3.10", "3.11"]
         include:
           # on Ubuntu run these as well
+          - os: ubuntu-22.04
+            python-version: "3.10"
           - os: ubuntu-22.04
             python-version: "3.11"
           - os: ubuntu-22.04
@@ -129,7 +131,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.10", "3.13"]
+        python-version: ["3.10", "3.11"]
     steps:
     - name: Checkout capa with submodules
       # do only run if BN_SERIAL is available, have to do this in every step, see https://github.com/orgs/community/discussions/26726#discussioncomment-3253118
@@ -171,7 +173,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.10", "3.13"]
+        python-version: ["3.10", "3.11"]
         java-version: ["17"]
         ghidra-version: ["11.0.1"]
         public-version: ["PUBLIC_20240130"] # for ghidra releases
@@ -217,52 +219,3 @@ jobs:
         exit_code=$(cat ../output.log | grep exit | awk '{print $NF}')
         exit $exit_code
  
-  idalib-tests:
-    name: IDA tests for ${{ matrix.python-version }}
-    runs-on: ubuntu-22.04
-    needs: [tests]
-    env:
-      IDA_LICENSE_ID: ${{ secrets.IDA_LICENSE_ID }}
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ["3.10", "3.13"]
-        ida:
-          - version: 9.0
-            slug: "release/9.0/ida-essential/ida-essential_90_x64linux.run"
-          - version: 9.2
-            slug: "release/9.2/ida-essential/ida-essential_92_x64linux.run"
-    steps:
-    - name: Checkout capa with submodules
-      # do only run if IDA_LICENSE_ID is available, have to do this in every step, see https://github.com/orgs/community/discussions/26726#discussioncomment-3253118
-      if: ${{ env.IDA_LICENSE_ID != 0 }}
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      with:
-        submodules: recursive
-    - name: Set up Python ${{ matrix.python-version }}
-      if: ${{ env.IDA_LICENSE_ID != 0 }}
-      uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Setup uv
-      if: ${{ env.IDA_LICENSE_ID != 0 }}
-      uses: astral-sh/setup-uv@v6
-    - name: Install dependencies
-      if: ${{ env.IDA_LICENSE_ID != 0 }}
-      run: sudo apt-get install -y libyaml-dev
-    - name: Install capa
-      if: ${{ env.IDA_LICENSE_ID != 0 }}
-      run: |
-        pip install -r requirements.txt
-        pip install -e .[dev,scripts]
-        pip install idapro
-    - name: Install IDA ${{ matrix.ida.version }}
-      if: ${{ env.IDA_LICENSE_ID != 0 }}
-      run: |
-        uv run hcli --disable-updates ida install --download-id ${{ matrix.ida.slug }} --license-id ${{ secrets.IDA_LICENSE_ID }} --set-default --yes
-      env:
-        HCLI_API_KEY: ${{ secrets.HCLI_API_KEY }}
-        IDA_LICENSE_ID: ${{ secrets.IDA_LICENSE_ID }}
-    - name: Run tests
-      if: ${{ env.IDA_LICENSE_ID != 0 }}
-      run: pytest -v tests/test_idalib_features.py  # explicitly refer to the idalib tests for performance. other tests run above.

.pre-commit-config.yaml

@@ -138,7 +138,6 @@ repos:
         -   "--ignore=tests/test_ghidra_features.py"
         -   "--ignore=tests/test_ida_features.py"
         -   "--ignore=tests/test_viv_features.py"
-        -   "--ignore=tests/test_idalib_features.py"
         -   "--ignore=tests/test_main.py"
         -   "--ignore=tests/test_scripts.py"
         always_run: true

CHANGELOG.md

@@ -3,62 +3,11 @@
 ## master (unreleased)
 
 ### New Features
-
-### Breaking Changes
-
-### New Rules (4)
-
-- nursery/run-as-nodejs-native-module mehunhoff@google.com
-- nursery/inject-shellcode-using-thread-pool-work-insertion-with-tp_io still@teamt5.org
-- nursery/inject-shellcode-using-thread-pool-work-insertion-with-tp_timer still@teamt5.org
-- nursery/inject-shellcode-using-thread-pool-work-insertion-with-tp_work still@teamt5.org
--
-
-### Bug Fixes
-- Fixed insecure deserialization vulnerability in YAML loading @0x1622 (#2770)
-
-### capa Explorer Web
-
-### capa Explorer IDA Pro plugin
-
-### Development
-
-- ci: deprecate macos-13 runner and use Python v3.13 for testing @mike-hunhoff #2777
-
-### Raw diffs
-- [capa v9.3.1...master](https://github.com/mandiant/capa/compare/v9.3.1...master)
-- [capa-rules v9.3.1...master](https://github.com/mandiant/capa-rules/compare/v9.3.1...master)
-
-## v9.3.1
-
-This patch release fixes a missing import for the capa explorer plugin for IDA Pro.
-
-### Bug Fixes
-
-- add missing ida-netnode dependency to project.toml @mike-hunhoff #2765
-
-### Development
-
-- ci: bump binja min version @mike-hunhoff #2763
-
-### Raw diffs
-- [capa v9.3.0...master](https://github.com/mandiant/capa/compare/v9.3.0...master)
-- [capa-rules v9.3.0...master](https://github.com/mandiant/capa-rules/compare/v9.3.0...master)
-
-## v9.3.0
-
-capa v9.3.0 comes with over 20 new and/or impoved rules.
-For IDA users the capa explorer plugin is now available via the IDA Pro plugin repository and contains Qt compatibility layer for PyQt5 and PySide6 support.
-Additionally a Binary Ninja bug has been fixed. Released binaries now include ARM64 binaries (Linux and macOS).
-
-### New Features
-
 - ci: add support for arm64 binary releases
-- tests: run tests against IDA via idalib @williballenthin #2742
 
 ### Breaking Changes
 
-### New Rules (24)
+### New Rules (21)
 
 - anti-analysis/anti-vm/vm-detection/detect-mouse-movement-via-activity-checks-on-windows tevajdr@gmail.com
 - nursery/create-executable-heap moritz.raabe@mandiant.com
@@ -80,9 +29,7 @@ Additionally a Binary Ninja bug has been fixed. Released binaries now include AR
 - host-interaction/network/routing-table/get-routing-table michael.hunhoff@mandiant.com
 - host-interaction/file-system/use-io_uring-io-interface-on-linux jakubjozwiak@google.com
 - collection/keylog/log-keystrokes-via-direct-input zeze-zeze
-- nursery/compiled-from-fsharp mehunhoff@google.com
-- nursery/decrypt-data-using-aes-via-dotnet mehunhoff@google.com
-- nursery/get-dotnet-assembly-entry-point mehunhoff@google.com
+-
 
 ### Bug Fixes
 
@@ -94,7 +41,7 @@ Additionally a Binary Ninja bug has been fixed. Released binaries now include AR
 
 - add `ida-plugin.json` for inclusion in the IDA Pro plugin repository @williballenthin
 - ida plugin: add Qt compatibility layer for PyQt5 and PySide6 support @williballenthin #2707
-- delay import to not load Qt* when running under idalib @mr-tz #2752
+- ida plugin: update ida-settings API @mr-tz #2736
 
 ### Development
 
@@ -102,8 +49,8 @@ Additionally a Binary Ninja bug has been fixed. Released binaries now include AR
 - dev: add bumpmyversion to bump and sync versions across the project @mr-tz
 
 ### Raw diffs
-- [capa v9.2.1...9.3.0](https://github.com/mandiant/capa/compare/v9.2.1...9.3.0)
-- [capa-rules v9.2.1...9.3.0](https://github.com/mandiant/capa-rules/compare/v9.2.1...9.3.0)
+- [capa v9.2.1...master](https://github.com/mandiant/capa/compare/v9.2.1...master)
+- [capa-rules v9.2.1...master](https://github.com/mandiant/capa-rules/compare/v9.2.1...master)
 
 ## v9.2.1
 

capa/features/extractors/ida/function.py

@@ -18,7 +18,6 @@ import idaapi
 import idautils
 
 import capa.features.extractors.ida.helpers
-from capa.features.file import FunctionName
 from capa.features.common import Feature, Characteristic
 from capa.features.address import Address, AbsoluteVirtualAddress
 from capa.features.extractors import loops
@@ -51,35 +50,10 @@ def extract_recursive_call(fh: FunctionHandle):
         yield Characteristic("recursive call"), fh.address
 
 
-def extract_function_name(fh: FunctionHandle) -> Iterator[tuple[Feature, Address]]:
-    ea = fh.inner.start_ea
-    name = idaapi.get_name(ea)
-    yield FunctionName(name), fh.address
-    if name.startswith("_"):
-        # some linkers may prefix linked routines with a `_` to avoid name collisions.
-        # extract features for both the mangled and un-mangled representations.
-        # e.g. `_fwrite` -> `fwrite`
-        # see: https://stackoverflow.com/a/2628384/87207
-        yield FunctionName(name[1:]), fh.address
-
-
-def extract_function_alternative_names(fh: FunctionHandle):
-    """Get all alternative names for an address."""
-
-    for aname in capa.features.extractors.ida.helpers.get_function_alternative_names(fh.inner.start_ea):
-        yield FunctionName(aname), fh.address
-
-
 def extract_features(fh: FunctionHandle) -> Iterator[tuple[Feature, Address]]:
     for func_handler in FUNCTION_HANDLERS:
         for feature, addr in func_handler(fh):
             yield feature, addr
 
 
-FUNCTION_HANDLERS = (
-    extract_function_calls_to,
-    extract_function_loop,
-    extract_recursive_call,
-    extract_function_name,
-    extract_function_alternative_names,
-)
+FUNCTION_HANDLERS = (extract_function_calls_to, extract_function_loop, extract_recursive_call)

capa/features/extractors/ida/helpers.py

@@ -20,7 +20,6 @@ import idaapi
 import ida_nalt
 import idautils
 import ida_bytes
-import ida_funcs
 import ida_segment
 
 from capa.features.address import AbsoluteVirtualAddress
@@ -437,23 +436,3 @@ def is_basic_block_return(bb: idaapi.BasicBlock) -> bool:
 def has_sib(oper: idaapi.op_t) -> bool:
     # via: https://reverseengineering.stackexchange.com/a/14300
     return oper.specflag1 == 1
-
-
-def get_function_alternative_names(fva: int):
-    """Get all alternative names for an address."""
-
-    # Check indented comment
-    cmt = ida_bytes.get_cmt(fva, False)  # False = non-repeatable
-    if cmt:
-        for line in cmt.split("\n"):
-            if line.startswith("Alternative name is '") and line.endswith("'"):
-                name = line[len("Alternative name is '") : -1]  # Extract name between quotes
-                yield name
-
-    # Check function comment
-    func_cmt = ida_funcs.get_func_cmt(idaapi.get_func(fva), False)
-    if func_cmt:
-        for line in func_cmt.split("\n"):
-            if line.startswith("Alternative name is '") and line.endswith("'"):
-                name = line[len("Alternative name is '") : -1]
-                yield name

capa/features/extractors/ida/insn.py

@@ -22,7 +22,6 @@ import idautils
 
 import capa.features.extractors.helpers
 import capa.features.extractors.ida.helpers
-from capa.features.file import FunctionName
 from capa.features.insn import API, MAX_STRUCTURE_SIZE, Number, Offset, Mnemonic, OperandNumber, OperandOffset
 from capa.features.common import MAX_BYTES_FEATURE_SIZE, THUNK_CHAIN_DEPTH_DELTA, Bytes, String, Feature, Characteristic
 from capa.features.address import Address, AbsoluteVirtualAddress
@@ -130,8 +129,8 @@ def extract_insn_api_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle)
         # not a function (start)
         return
 
+    if target_func.flags & idaapi.FUNC_LIB:
         name = idaapi.get_name(target_func.start_ea)
-    if target_func.flags & idaapi.FUNC_LIB or not name.startswith("sub_"):
         yield API(name), ih.address
         if name.startswith("_"):
             # some linkers may prefix linked routines with a `_` to avoid name collisions.
@@ -140,10 +139,6 @@ def extract_insn_api_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle)
             # see: https://stackoverflow.com/a/2628384/87207
             yield API(name[1:]), ih.address
 
-        for altname in capa.features.extractors.ida.helpers.get_function_alternative_names(target_func.start_ea):
-            yield FunctionName(altname), ih.address
-            yield API(altname), ih.address
-
 
 def extract_insn_number_features(
     fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle

capa/ida/plugin/__init__.py

@@ -17,6 +17,7 @@ import logging
 import idaapi
 import ida_kernwin
 
+from capa.ida.plugin.form import CapaExplorerForm
 from capa.ida.plugin.icon import ICON
 
 logger = logging.getLogger(__name__)
@@ -73,9 +74,6 @@ class CapaExplorerPlugin(idaapi.plugin_t):
           arg (int): bitflag. Setting LSB enables automatic analysis upon
           loading. The other bits are currently undefined. See `form.Options`.
         """
-        # delay import to not trigger load of Qt components when not running in idaq, i.e., in idalib
-        from capa.ida.plugin.form import CapaExplorerForm
-
         if not self.form:
             self.form = CapaExplorerForm(self.PLUGIN_NAME, arg)
         else:

capa/ida/plugin/form.py

@@ -54,7 +54,6 @@ from capa.ida.plugin.qt_compat import QtGui, QtCore, QtWidgets
 from capa.features.extractors.base_extractor import FunctionHandle
 
 logger = logging.getLogger(__name__)
-settings = ida_settings.IDASettings("capa")
 
 CAPA_SETTINGS_RULE_PATH = "rule_path"
 CAPA_SETTINGS_RULEGEN_AUTHOR = "rulegen_author"
@@ -79,6 +78,13 @@ AnalyzeOptionsText = {
 }
 
 
+def get_setting(key: str, default=None):
+    try:
+        return ida_settings.get_current_plugin_setting(key)
+    except KeyError:
+        return default
+
+
 def write_file(path: Path, data):
     """ """
     path.write_bytes(data)
@@ -107,7 +113,7 @@ class QLineEditClicked(QtWidgets.QLineEdit):
         old = self.text()
         new = str(
             QtWidgets.QFileDialog.getExistingDirectory(
-                self.parent(), "Please select a capa rules directory", settings.user.get(CAPA_SETTINGS_RULE_PATH, "")
+                self.parent(), "Please select a capa rules directory", get_setting(CAPA_SETTINGS_RULE_PATH, "")
             )
         )
         if new:
@@ -125,8 +131,8 @@ class CapaSettingsInputDialog(QtWidgets.QDialog):
         self.setMinimumWidth(500)
         self.setWindowFlags(self.windowFlags() & ~QtCore.Qt.WindowContextHelpButtonHint)
 
-        self.edit_rule_path = QLineEditClicked(settings.user.get(CAPA_SETTINGS_RULE_PATH, ""))
-        self.edit_rule_author = QtWidgets.QLineEdit(settings.user.get(CAPA_SETTINGS_RULEGEN_AUTHOR, ""))
+        self.edit_rule_path = QLineEditClicked(get_setting(CAPA_SETTINGS_RULE_PATH, ""))
+        self.edit_rule_author = QtWidgets.QLineEdit(get_setting(CAPA_SETTINGS_RULEGEN_AUTHOR, ""))
         self.edit_rule_scope = QtWidgets.QComboBox()
         self.edit_rules_link = QtWidgets.QLabel()
         self.edit_analyze = QtWidgets.QComboBox()
@@ -141,11 +147,11 @@ class CapaSettingsInputDialog(QtWidgets.QDialog):
 
         scopes = ("file", "function", "basic block", "instruction")
         self.edit_rule_scope.addItems(scopes)
-        self.edit_rule_scope.setCurrentIndex(scopes.index(settings.user.get(CAPA_SETTINGS_RULEGEN_SCOPE, "function")))
+        self.edit_rule_scope.setCurrentIndex(scopes.index(get_setting(CAPA_SETTINGS_RULEGEN_SCOPE, "function")))
 
         self.edit_analyze.addItems(AnalyzeOptionsText.values())
         # set the default analysis option here
-        self.edit_analyze.setCurrentIndex(settings.user.get(CAPA_SETTINGS_ANALYZE, Options.NO_ANALYSIS))
+        self.edit_analyze.setCurrentIndex(get_setting(CAPA_SETTINGS_ANALYZE, Options.NO_ANALYSIS))
 
         buttons = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok | QtWidgets.QDialogButtonBox.Cancel, self)
 
@@ -235,7 +241,7 @@ class CapaExplorerForm(idaapi.PluginForm):
 
         self.Show()
 
-        analyze = settings.user.get(CAPA_SETTINGS_ANALYZE)
+        analyze = get_setting(CAPA_SETTINGS_ANALYZE)
         if analyze != Options.NO_ANALYSIS or (option & Options.ANALYZE_AUTO) == Options.ANALYZE_AUTO:
             self.analyze_program(analyze=analyze)
 
@@ -581,7 +587,7 @@ class CapaExplorerForm(idaapi.PluginForm):
 
     def ensure_capa_settings_rule_path(self):
         try:
-            path: str = settings.user.get(CAPA_SETTINGS_RULE_PATH, "")
+            path: str = get_setting(CAPA_SETTINGS_RULE_PATH, "")
 
             # resolve rules directory - check self and settings first, then ask user
             # pathlib.Path considers "" equivalent to "." so we first check if rule path is an empty string
@@ -611,7 +617,7 @@ class CapaExplorerForm(idaapi.PluginForm):
                     logger.error("rule path %s does not exist or cannot be accessed", path)
                     return False
 
-                settings.user[CAPA_SETTINGS_RULE_PATH] = path
+                ida_settings.set_current_plugin_setting(CAPA_SETTINGS_RULE_PATH, path)
         except UserCancelledError:
             capa.ida.helpers.inform_user_ida_ui("Analysis requires capa rules")
             logger.warning(
@@ -635,7 +641,7 @@ class CapaExplorerForm(idaapi.PluginForm):
         if not self.ensure_capa_settings_rule_path():
             return False
 
-        rule_path: Path = Path(settings.user.get(CAPA_SETTINGS_RULE_PATH, ""))
+        rule_path: Path = Path(get_setting(CAPA_SETTINGS_RULE_PATH, ""))
         try:
 
             def on_load_rule(_, i, total):
@@ -649,10 +655,10 @@ class CapaExplorerForm(idaapi.PluginForm):
             return None
         except Exception as e:
             capa.ida.helpers.inform_user_ida_ui(
-                f"Failed to load capa rules from {settings.user[CAPA_SETTINGS_RULE_PATH]}"
+                f"Failed to load capa rules from {get_setting(CAPA_SETTINGS_RULE_PATH)}"
             )
 
-            logger.error("Failed to load capa rules from %s (error: %s).", settings.user[CAPA_SETTINGS_RULE_PATH], e)
+            logger.error("Failed to load capa rules from %s (error: %s).", get_setting(CAPA_SETTINGS_RULE_PATH), e)
             logger.error(
                 "Make sure your file directory contains properly "  # noqa: G003 [logging statement uses +]
                 + "formatted capa rules. You can download and extract the official rules from %s. "
@@ -661,7 +667,7 @@ class CapaExplorerForm(idaapi.PluginForm):
                 CAPA_RULESET_DOC_URL,
             )
 
-            settings.user[CAPA_SETTINGS_RULE_PATH] = ""
+            ida_settings.set_current_plugin_setting(CAPA_SETTINGS_RULE_PATH, "")
             return None
 
     def load_capa_results(self, new_analysis, from_cache):
@@ -701,7 +707,7 @@ class CapaExplorerForm(idaapi.PluginForm):
                     update_wait_box("verifying cached results")
 
                     count_source_rules = self.program_analysis_ruleset_cache.source_rule_count
-                    user_settings = settings.user[CAPA_SETTINGS_RULE_PATH]
+                    user_settings = get_setting(CAPA_SETTINGS_RULE_PATH)
                     view_status_rules: str = f"{user_settings} ({count_source_rules} rules)"
 
                     # warn user about potentially outdated rules, depending on the use-case this may be expected
@@ -775,7 +781,7 @@ class CapaExplorerForm(idaapi.PluginForm):
                 update_wait_box("extracting features")
 
                 try:
-                    meta = capa.ida.helpers.collect_metadata([Path(settings.user[CAPA_SETTINGS_RULE_PATH])])
+                    meta = capa.ida.helpers.collect_metadata([Path(get_setting(CAPA_SETTINGS_RULE_PATH))])
                     capabilities = capa.capabilities.common.find_capabilities(
                         ruleset, self.feature_extractor, disable_progress=True
                     )
@@ -855,7 +861,7 @@ class CapaExplorerForm(idaapi.PluginForm):
                 except Exception as e:
                     logger.exception("Failed to save results to database (error: %s)", e)
                     return False
-                user_settings = settings.user[CAPA_SETTINGS_RULE_PATH]
+                user_settings = get_setting(CAPA_SETTINGS_RULE_PATH)
                 count_source_rules = self.program_analysis_ruleset_cache.source_rule_count
                 new_view_status = f"capa rules: {user_settings} ({count_source_rules} rules)"
         # regardless of new analysis, render results - e.g. we may only want to render results after checking
@@ -1076,13 +1082,13 @@ class CapaExplorerForm(idaapi.PluginForm):
             # load preview and feature tree
             self.view_rulegen_preview.load_preview_meta(
                 self.rulegen_current_function.address if self.rulegen_current_function else None,
-                settings.user.get(CAPA_SETTINGS_RULEGEN_AUTHOR, "<insert_author>"),
-                settings.user.get(CAPA_SETTINGS_RULEGEN_SCOPE, "function"),
+                get_setting(CAPA_SETTINGS_RULEGEN_AUTHOR, "<insert_author>"),
+                get_setting(CAPA_SETTINGS_RULEGEN_SCOPE, "function"),
             )
 
             self.view_rulegen_features.load_features(all_file_features, all_function_features)
 
-            self.set_view_status_label(f"capa rules: {settings.user[CAPA_SETTINGS_RULE_PATH]}")
+            self.set_view_status_label(f"capa rules: {get_setting(CAPA_SETTINGS_RULE_PATH)}")
         except Exception as e:
             logger.exception("Failed to render views (error: %s)", e)
             return False
@@ -1303,12 +1309,11 @@ class CapaExplorerForm(idaapi.PluginForm):
         """ """
         dialog = CapaSettingsInputDialog("capa explorer settings", parent=self.parent)
         if dialog.exec_():
-            (
-                settings.user[CAPA_SETTINGS_RULE_PATH],
-                settings.user[CAPA_SETTINGS_RULEGEN_AUTHOR],
-                settings.user[CAPA_SETTINGS_RULEGEN_SCOPE],
-                settings.user[CAPA_SETTINGS_ANALYZE],
-            ) = dialog.get_values()
+            rule_path, rule_author, rule_scope, analyze = dialog.get_values()
+            ida_settings.set_current_plugin_setting(CAPA_SETTINGS_RULE_PATH, rule_path)
+            ida_settings.set_current_plugin_setting(CAPA_SETTINGS_RULEGEN_AUTHOR, rule_author)
+            ida_settings.set_current_plugin_setting(CAPA_SETTINGS_RULEGEN_SCOPE, rule_scope)
+            ida_settings.set_current_plugin_setting(CAPA_SETTINGS_ANALYZE, analyze)
 
     def save_program_analysis(self):
         """ """
@@ -1408,7 +1413,7 @@ class CapaExplorerForm(idaapi.PluginForm):
         """create Qt dialog to ask user for a directory"""
         return str(
             QtWidgets.QFileDialog.getExistingDirectory(
-                self.parent, "Please select a capa rules directory", settings.user.get(CAPA_SETTINGS_RULE_PATH, "")
+                self.parent, "Please select a capa rules directory", get_setting(CAPA_SETTINGS_RULE_PATH, "")
             )
         )
 
@@ -1417,7 +1422,7 @@ class CapaExplorerForm(idaapi.PluginForm):
         return QtWidgets.QFileDialog.getSaveFileName(
             None,
             "Please select a location to save capa rule file",
-            settings.user.get(CAPA_SETTINGS_RULE_PATH, ""),
+            get_setting(CAPA_SETTINGS_RULE_PATH, ""),
             "*.yml",
         )[0]
 

capa/ida/plugin/ida-plugin.json

@@ -3,7 +3,7 @@
   "plugin": {
     "name": "capa",
     "entryPoint": "capa_explorer.py",
-    "version": "9.3.1",
+    "version": "9.2.1",
     "idaVersions": ">=7.4",
     "description": "Identify capabilities in executable files using FLARE's capa framework",
     "license": "Apache-2.0",
@@ -12,7 +12,7 @@
       "api-scripting-and-automation",
       "ui-ux-and-visualization"
     ],
-    "pythonDependencies": ["flare-capa==9.3.1"],
+    "pythonDependencies": ["flare-capa==9.2.1"],
     "urls": {
       "repository": "https://github.com/mandiant/capa"
     },

capa/loader.py

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import io
 import os
 import logging
 import datetime
@@ -22,13 +23,24 @@ from pathlib import Path
 from rich.console import Console
 from typing_extensions import assert_never
 
+import capa.perf
 import capa.rules
+import capa.engine
+import capa.helpers
 import capa.version
+import capa.render.json
+import capa.rules.cache
+import capa.render.default
+import capa.render.verbose
 import capa.features.common
 import capa.features.freeze as frz
+import capa.render.vverbose
 import capa.features.extractors
+import capa.render.result_document
 import capa.render.result_document as rdoc
 import capa.features.extractors.common
+import capa.features.extractors.base_extractor
+import capa.features.extractors.cape.extractor
 from capa.rules import RuleSet
 from capa.engine import MatchResults
 from capa.exceptions import UnsupportedOSError, UnsupportedArchError, UnsupportedFormatError
@@ -326,22 +338,11 @@ def get_extractor(
         import capa.features.extractors.ida.extractor
 
         logger.debug("idalib: opening database...")
-        idapro.enable_console_messages(False)
+        # idalib writes to stdout (ugh), so we have to capture that
+        # so as not to screw up structured output.
+        with capa.helpers.stdout_redirector(io.BytesIO()):
             with console.status("analyzing program...", spinner="dots"):
-            # we set the primary and secondary Lumina servers to 0.0.0.0 to disable Lumina,
-            # which sometimes provides bad names, including overwriting names from debug info.
-            #
-            # return values from open_database:
-            #   0 - Success (database not packed)
-            #   1 - Success (database was packed)
-            #   2 - User cancelled or 32-64 bit conversion failed
-            #   4 - Database initialization failed
-            #   -1 - Generic errors (database already open, auto-analysis failed, etc.)
-            #   -2 - User cancelled operation
-            ret = idapro.open_database(
-                str(input_path), run_auto_analysis=True, args="-Olumina:host=0.0.0.0 -Osecondary_lumina:host=0.0.0.0"
-            )
-            if ret not in (0, 1):
+                if idapro.open_database(str(input_path), run_auto_analysis=True):
                     raise RuntimeError("failed to analyze input file")
 
             logger.debug("idalib: waiting for analysis...")

capa/main.py

@@ -392,7 +392,6 @@ class ShouldExitError(Exception):
     """raised when a main-related routine indicates the program should exit."""
 
     def __init__(self, status_code: int):
-        super().__init__(status_code)
         self.status_code = status_code
 
 

capa/rules/__init__.py

@@ -274,8 +274,12 @@ SUPPORTED_FEATURES[Scope.FUNCTION].update(SUPPORTED_FEATURES[Scope.BASIC_BLOCK])
 
 
 class InvalidRule(ValueError):
+    def __init__(self, msg):
+        super().__init__()
+        self.msg = msg
+
     def __str__(self):
-        return f"invalid rule: {super().__str__()}"
+        return f"invalid rule: {self.msg}"
 
     def __repr__(self):
         return str(self)
@@ -285,15 +289,20 @@ class InvalidRuleWithPath(InvalidRule):
     def __init__(self, path, msg):
         super().__init__(msg)
         self.path = path
+        self.msg = msg
         self.__cause__ = None
 
     def __str__(self):
-        return f"invalid rule: {self.path}: {super(InvalidRule, self).__str__()}"
+        return f"invalid rule: {self.path}: {self.msg}"
 
 
 class InvalidRuleSet(ValueError):
+    def __init__(self, msg):
+        super().__init__()
+        self.msg = msg
+
     def __str__(self):
-        return f"invalid rule set: {super().__str__()}"
+        return f"invalid rule set: {self.msg}"
 
     def __repr__(self):
         return str(self)
@@ -1093,15 +1102,15 @@ class Rule:
     @lru_cache()
     def _get_yaml_loader():
         try:
-            # prefer to use CLoader to be fast, see #306 / CSafeLoader is the same as CLoader but with safe loading
+            # prefer to use CLoader to be fast, see #306
             # on Linux, make sure you install libyaml-dev or similar
             # on Windows, get WHLs from pyyaml.org/pypi
-            logger.debug("using libyaml CSafeLoader.")
-            return yaml.CSafeLoader
+            logger.debug("using libyaml CLoader.")
+            return yaml.CLoader
         except Exception:
-            logger.debug("unable to import libyaml CSafeLoader, falling back to Python yaml parser.")
+            logger.debug("unable to import libyaml CLoader, falling back to Python yaml parser.")
             logger.debug("this will be slower to load rules.")
-            return yaml.SafeLoader
+            return yaml.Loader
 
     @staticmethod
     def _get_ruamel_yaml_parser():

capa/version.py

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-__version__ = "9.3.1"
+__version__ = "9.2.1"
 
 
 def get_major_version():

pyproject.toml

@@ -74,7 +74,6 @@ dependencies = [
     # comments and context.
     "pyyaml>=6",
     "colorama>=0.4",
-    "ida-netnode>=3.0",
     "ida-settings>=3.1.0",
     "ruamel.yaml>=0.18",
     "pefile>=2023.2.7",
@@ -122,14 +121,14 @@ dev = [
     # we want all developer environments to be consistent.
     # These dependencies are not used in production environments
     # and should not conflict with other libraries/tooling.
-    "pre-commit==4.5.0",
+    "pre-commit==4.2.0",
     "pytest==8.0.0",
     "pytest-sugar==1.1.1",
     "pytest-instafail==0.5.0",
     "flake8==7.3.0",
-    "flake8-bugbear==25.11.29",
+    "flake8-bugbear==24.12.12",
     "flake8-encodings==0.5.1",
-    "flake8-comprehensions==3.17.0",
+    "flake8-comprehensions==3.16.0",
     "flake8-logging-format==0.9.0",
     "flake8-no-implicit-concat==0.3.5",
     "flake8-print==5.0.0",
@@ -137,8 +136,8 @@ dev = [
     "flake8-simplify==0.22.0",
     "flake8-use-pathlib==0.3.0",
     "flake8-copyright==0.2.4",
-    "ruff==0.14.7",
-    "black==25.12.0",
+    "ruff==0.12.0",
+    "black==25.1.0",
     "isort==6.0.0",
     "mypy==1.17.1",
     "mypy-protobuf==3.6.0",
@@ -148,7 +147,7 @@ dev = [
     "types-backports==0.1.3",
     "types-colorama==0.4.15.11",
     "types-PyYAML==6.0.8",
-    "types-psutil==7.1.3.20251202",
+    "types-psutil==7.0.0.20250218",
     "types_requests==2.32.0.20240712",
     "types-protobuf==6.32.1.20250918",
     "deptry==0.23.0"
@@ -158,9 +157,9 @@ build = [
     # we want all developer environments to be consistent.
     # These dependencies are not used in production environments
     # and should not conflict with other libraries/tooling.
-    "pyinstaller==6.16.0",
+    "pyinstaller==6.14.1",
     "setuptools==80.9.0",
-    "build==1.3.0"
+    "build==1.2.2"
 ]
 scripts = [
     # can (optionally) be more lenient on dependencies here

requirements.txt

@@ -12,7 +12,7 @@ cxxfilt==0.3.0
 dncil==1.0.2
 dnfile==0.17.0
 funcy==2.0
-humanize==4.14.0
+humanize==4.13.0
 ida-netnode==3.0
 ida-settings==3.2.2
 intervaltree==3.1.0
@@ -22,16 +22,16 @@ msgpack==1.0.8
 networkx==3.4.2
 pefile==2024.8.26
 pip==25.3
-protobuf==6.33.1
+protobuf==6.31.1
 pyasn1==0.5.1
 pyasn1-modules==0.3.0
-pycparser==2.23
-pydantic==2.12.4
+pycparser==2.22
+pydantic==2.11.4
 # pydantic pins pydantic-core, 
 # but dependabot updates these separately (which is broken) and is annoying,
 # so we rely on pydantic to pull in the right version of pydantic-core.
 # pydantic-core==2.23.4
-xmltodict==1.0.2
+xmltodict==0.14.2
 pyelftools==0.32
 pygments==2.19.1
 python-flirt==0.9.2
@@ -44,5 +44,5 @@ six==1.17.0
 sortedcontainers==2.4.0
 viv-utils==0.8.0
 vivisect==1.2.1
-msgspec==0.20.0
+msgspec==0.19.0
 bump-my-version==1.2.4

tests/fixtures.py

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import logging
+
 import contextlib
 import collections
 from pathlib import Path
@@ -20,6 +20,7 @@ from functools import lru_cache
 
 import pytest
 
+import capa.main
 import capa.features.file
 import capa.features.insn
 import capa.features.common
@@ -52,7 +53,6 @@ from capa.features.extractors.base_extractor import (
 )
 from capa.features.extractors.dnfile.extractor import DnfileFeatureExtractor
 
-logger = logging.getLogger(__name__)
 CD = Path(__file__).resolve().parent
 DOTNET_DIR = CD / "data" / "dotnet"
 DNFILE_TESTFILES = DOTNET_DIR / "dnfile-testfiles"
@@ -200,71 +200,6 @@ def get_binja_extractor(path: Path):
     return extractor
 
 
-# we can't easily cache this because the extractor relies on global state (the opened database)
-# which also has to be closed elsewhere. so, the idalib tests will just take a little bit to run.
-def get_idalib_extractor(path: Path):
-    import capa.features.extractors.ida.idalib as idalib
-
-    if not idalib.has_idalib():
-        raise RuntimeError("cannot find IDA idalib module.")
-
-    if not idalib.load_idalib():
-        raise RuntimeError("failed to load IDA idalib module.")
-
-    import idapro
-    import ida_auto
-
-    import capa.features.extractors.ida.extractor
-
-    logger.debug("idalib: opening database...")
-
-    idapro.enable_console_messages(False)
-    # we set the primary and secondary Lumina servers to 0.0.0.0 to disable Lumina,
-    # which sometimes provides bad names, including overwriting names from debug info.
-    #
-    # return values from open_database:
-    #   0 - Success (database not packed)
-    #   1 - Success (database was packed)
-    #   2 - User cancelled or 32-64 bit conversion failed
-    #   4 - Database initialization failed
-    #   -1 - Generic errors (database already open, auto-analysis failed, etc.)
-    #   -2 - User cancelled operation
-    ret = idapro.open_database(
-        str(path), run_auto_analysis=True, args="-Olumina:host=0.0.0.0 -Osecondary_lumina:host=0.0.0.0"
-    )
-    if ret not in (0, 1):
-        raise RuntimeError("failed to analyze input file")
-
-    logger.debug("idalib: waiting for analysis...")
-    ida_auto.auto_wait()
-    logger.debug("idalib: opened database.")
-
-    extractor = capa.features.extractors.ida.extractor.IdaFeatureExtractor()
-    fixup_idalib(path, extractor)
-    return extractor
-
-
-def fixup_idalib(path: Path, extractor):
-    """
-    IDA fixups to overcome differences between backends
-    """
-    import idaapi
-    import ida_funcs
-
-    def remove_library_id_flag(fva):
-        f = idaapi.get_func(fva)
-        f.flags &= ~ida_funcs.FUNC_LIB
-        ida_funcs.update_func(f)
-
-    if "kernel32-64" in path.name:
-        # remove (correct) library function id, so we can test x64 thunk
-        remove_library_id_flag(0x1800202B0)
-
-    if "al-khaser_x64" in path.name:
-        # remove (correct) library function id, so we can test x64 nested thunk
-        remove_library_id_flag(0x14004B4F0)
-
-
 @lru_cache(maxsize=1)
 def get_cape_extractor(path):
     from capa.helpers import load_json_from_path
@@ -959,8 +894,20 @@ FEATURE_PRESENCE_TESTS = sorted(
         ("mimikatz", "function=0x4556E5", capa.features.insn.API("advapi32.LsaQueryInformationPolicy"), False),
         ("mimikatz", "function=0x4556E5", capa.features.insn.API("LsaQueryInformationPolicy"), True),
         # insn/api: x64
+        (
+            "kernel32-64",
+            "function=0x180001010",
+            capa.features.insn.API("RtlVirtualUnwind"),
+            True,
+        ),
         ("kernel32-64", "function=0x180001010", capa.features.insn.API("RtlVirtualUnwind"), True),
         # insn/api: x64 thunk
+        (
+            "kernel32-64",
+            "function=0x1800202B0",
+            capa.features.insn.API("RtlCaptureContext"),
+            True,
+        ),
         ("kernel32-64", "function=0x1800202B0", capa.features.insn.API("RtlCaptureContext"), True),
         # insn/api: x64 nested thunk
         ("al-khaser x64", "function=0x14004B4F0", capa.features.insn.API("__vcrt_GetModuleHandle"), True),
@@ -1048,20 +995,20 @@ FEATURE_PRESENCE_TESTS = sorted(
         ("pma16-01", "file", OS(OS_WINDOWS), True),
         ("pma16-01", "file", OS(OS_LINUX), False),
         ("mimikatz", "file", OS(OS_WINDOWS), True),
-        ("pma16-01", "function=0x401100", OS(OS_WINDOWS), True),
-        ("pma16-01", "function=0x401100,bb=0x401130", OS(OS_WINDOWS), True),
+        ("pma16-01", "function=0x404356", OS(OS_WINDOWS), True),
+        ("pma16-01", "function=0x404356,bb=0x4043B9", OS(OS_WINDOWS), True),
         ("mimikatz", "function=0x40105D", OS(OS_WINDOWS), True),
         ("pma16-01", "file", Arch(ARCH_I386), True),
         ("pma16-01", "file", Arch(ARCH_AMD64), False),
         ("mimikatz", "file", Arch(ARCH_I386), True),
-        ("pma16-01", "function=0x401100", Arch(ARCH_I386), True),
-        ("pma16-01", "function=0x401100,bb=0x401130", Arch(ARCH_I386), True),
+        ("pma16-01", "function=0x404356", Arch(ARCH_I386), True),
+        ("pma16-01", "function=0x404356,bb=0x4043B9", Arch(ARCH_I386), True),
         ("mimikatz", "function=0x40105D", Arch(ARCH_I386), True),
         ("pma16-01", "file", Format(FORMAT_PE), True),
         ("pma16-01", "file", Format(FORMAT_ELF), False),
         ("mimikatz", "file", Format(FORMAT_PE), True),
         # format is also a global feature
-        ("pma16-01", "function=0x401100", Format(FORMAT_PE), True),
+        ("pma16-01", "function=0x404356", Format(FORMAT_PE), True),
         ("mimikatz", "function=0x456BB9", Format(FORMAT_PE), True),
         # elf support
         ("7351f.elf", "file", OS(OS_LINUX), True),

tests/test_binja_features.py

@@ -70,4 +70,4 @@ def test_standalone_binja_backend():
 @pytest.mark.skipif(binja_present is False, reason="Skip binja tests if the binaryninja Python API is not installed")
 def test_binja_version():
     version = binaryninja.core_version_info()
-    assert version.major == 5 and version.minor == 2
+    assert version.major == 5 and version.minor == 1

tests/test_idalib_features.py

@@ -1,63 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import logging
-
-import pytest
-import fixtures
-
-import capa.features.extractors.ida.idalib
-
-logger = logging.getLogger(__name__)
-
-idalib_present = capa.features.extractors.ida.idalib.has_idalib()
-if idalib_present:
-    try:
-        import idapro  # noqa: F401 [imported but unused]
-    except ImportError:
-        idalib_present = False
-
-
-@pytest.mark.skipif(idalib_present is False, reason="Skip idalib tests if the idalib Python API is not installed")
-@fixtures.parametrize(
-    "sample,scope,feature,expected",
-    fixtures.FEATURE_PRESENCE_TESTS + fixtures.FEATURE_SYMTAB_FUNC_TESTS,
-    indirect=["sample", "scope"],
-)
-def test_idalib_features(sample, scope, feature, expected):
-    try:
-        fixtures.do_test_feature_presence(fixtures.get_idalib_extractor, sample, scope, feature, expected)
-    finally:
-        logger.debug("closing database...")
-        import idapro
-
-        idapro.close_database(save=False)
-        logger.debug("opened database.")
-
-
-@pytest.mark.skipif(idalib_present is False, reason="Skip idalib tests if the idalib Python API is not installed")
-@fixtures.parametrize(
-    "sample,scope,feature,expected",
-    fixtures.FEATURE_COUNT_TESTS,
-    indirect=["sample", "scope"],
-)
-def test_idalib_feature_counts(sample, scope, feature, expected):
-    try:
-        fixtures.do_test_feature_count(fixtures.get_idalib_extractor, sample, scope, feature, expected)
-    finally:
-        logger.debug("closing database...")
-        import idapro
-
-        idapro.close_database(save=False)
-        logger.debug("closed database.")

web/explorer/package-lock.json

@@ -2272,11 +2272,10 @@
             }
         },
         "node_modules/glob": {
-            "version": "10.5.0",
-            "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
-            "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==",
+            "version": "10.4.2",
+            "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.2.tgz",
+            "integrity": "sha512-GwMlUF6PkPo3Gk21UxkCohOv0PLcIXVtKyLlpEI28R/cO/4eNOdmLk3CMW1wROV/WR/EsZOWAfBbBOqYvs88/w==",
             "dev": true,
-            "license": "ISC",
             "dependencies": {
                 "foreground-child": "^3.1.0",
                 "jackspeak": "^3.1.2",
@@ -2288,6 +2287,9 @@
             "bin": {
                 "glob": "dist/esm/bin.mjs"
             },
+            "engines": {
+                "node": ">=16 || 14 >=14.18"
+            },
             "funding": {
                 "url": "https://github.com/sponsors/isaacs"
             }
@@ -2639,11 +2641,10 @@
             }
         },
         "node_modules/js-yaml": {
-            "version": "4.1.1",
-            "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
-            "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+            "version": "4.1.0",
+            "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
+            "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
             "dev": true,
-            "license": "MIT",
             "dependencies": {
                 "argparse": "^2.0.1"
             },

web/public/index.html

@@ -212,18 +212,6 @@
 
       <h2 class="mt-3">Tool Updates</h2>
 
-      <h3 class="mt-2">v9.3.1 (<em>2025-11-19</em>)</h3>
-      <p class="mt-0">
-        This patch release fixes a missing import for the capa explorer plugin for IDA Pro.
-      </p>
-
-      <h3 class="mt-2">v9.3.0 (<em>2025-11-12</em>)</h3>
-      <p class="mt-0">
-        capa v9.3.0 comes with over 20 new and/or impoved rules.
-        For IDA users the capa explorer plugin is now available via the IDA Pro plugin repository and contains Qt compatibility layer for PyQt5 and PySide6 support.
-        Additionally a Binary Ninja bug has been fixed. Released binaries now include ARM64 binaries (Linux and macOS).
-      </p>
-
       <h3 class="mt-2">v9.2.1 (<em>2025-06-06</em>)</h3>
       <p class="mt-0">
         This point release fixes bugs including removing an unnecessary PyInstaller warning message and enabling the standalone binary to execute on systems running older versions of glibc.