object-lay
...
fix/sigpat
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
481ae685e1 |
2
.github/pyinstaller/pyinstaller.spec
vendored
2
.github/pyinstaller/pyinstaller.spec
vendored
@@ -18,7 +18,7 @@ a = Analysis(
|
|||||||
# this gets invoked from the directory of the spec file,
|
# this gets invoked from the directory of the spec file,
|
||||||
# i.e. ./.github/pyinstaller
|
# i.e. ./.github/pyinstaller
|
||||||
("../../rules", "rules"),
|
("../../rules", "rules"),
|
||||||
("../../sigs", "sigs"),
|
("../../capa/sigs", "sigs"),
|
||||||
("../../cache", "cache"),
|
("../../cache", "cache"),
|
||||||
# capa.render.default uses tabulate that depends on wcwidth.
|
# capa.render.default uses tabulate that depends on wcwidth.
|
||||||
# it seems wcwidth uses a json file `version.json`
|
# it seems wcwidth uses a json file `version.json`
|
||||||
|
|||||||
@@ -214,7 +214,7 @@ def get_default_signatures() -> List[Path]:
|
|||||||
"""
|
"""
|
||||||
compute a list of file system paths to the default FLIRT signatures.
|
compute a list of file system paths to the default FLIRT signatures.
|
||||||
"""
|
"""
|
||||||
sigs_path = get_default_root() / "sigs"
|
sigs_path = get_default_root() / "capa" / "sigs"
|
||||||
logger.debug("signatures path: %s", sigs_path)
|
logger.debug("signatures path: %s", sigs_path)
|
||||||
|
|
||||||
ret = []
|
ret = []
|
||||||
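Review bot: The new lookup `get_default_root() / "capa" / "sigs"` in get_default_signatures does not line up with where this same commit's PyInstaller spec puts the signatures: the spec entry is `("../../capa/sigs", "sigs")`, so a frozen bundle carries them at `<bundle root>/sigs`, not `<bundle root>/capa/sigs`. If get_default_root() resolves to the bundle directory when running frozen (its body is not in this diff), the standalone build would fail to find its own signatures and fall into the `logger.error` branch in handle_common_args. Either bundle to the same relative location, `("../../capa/sigs", "capa/sigs")`, or branch on `getattr(sys, "frozen", False)` here so both layouts resolve. The same path is also rebuilt by hand in handle_common_args; deriving both from one helper or module-level constant would keep the two from drifting apart again. get_default_signatures continues past the end of this hunk.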
@@ -962,7 +962,7 @@ def handle_common_args(args):
|
|||||||
)
|
)
|
||||||
logger.debug("-" * 80)
|
logger.debug("-" * 80)
|
||||||
|
|
||||||
sigs_path = get_default_root() / "sigs"
|
sigs_path = get_default_root() / "capa" / "sigs"
|
||||||
|
|
||||||
if not sigs_path.exists():
|
if not sigs_path.exists():
|
||||||
logger.error(
|
logger.error(
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
# capa/sigs
|
# capa FLIRT signatures
|
||||||
|
|
||||||
This directory contains FLIRT signatures that capa uses to identify library functions.
|
This directory contains FLIRT signatures that capa uses to identify library functions.
|
||||||
Typically, capa will ignore library functions, which reduces false positives and improves runtime.
|
Typically, capa will ignore library functions, which reduces false positives and improves runtime.
|
||||||
@@ -35,12 +35,6 @@ $ unzip v4.0.0.zip
|
|||||||
$ capa -r /path/to/capa-rules suspicious.exe
|
$ capa -r /path/to/capa-rules suspicious.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
This technique also doesn't set up the default library identification [signatures](https://github.com/mandiant/capa/tree/master/sigs). You can pass the signature directory using the `-s` argument.
|
|
||||||
For example, to run capa with both a rule path and a signature path:
|
|
||||||
```console
|
|
||||||
$ capa -s /path/to/capa-sigs suspicious.exe
|
|
||||||
```
|
|
||||||
|
|
||||||
Alternatively, see Method 3 below.
|
Alternatively, see Method 3 below.
|
||||||
|
|
||||||
### 2. Use capa
|
### 2. Use capa
|
||||||
|
|||||||
@@ -100,9 +100,9 @@ def get_viv_extractor(path: Path):
|
|||||||
sigpaths = [
|
sigpaths = [
|
||||||
CD / "data" / "sigs" / "test_aulldiv.pat",
|
CD / "data" / "sigs" / "test_aulldiv.pat",
|
||||||
CD / "data" / "sigs" / "test_aullrem.pat.gz",
|
CD / "data" / "sigs" / "test_aullrem.pat.gz",
|
||||||
CD.parent / "sigs" / "1_flare_msvc_rtf_32_64.sig",
|
CD.parent / "capa" / "sigs" / "1_flare_msvc_rtf_32_64.sig",
|
||||||
CD.parent / "sigs" / "2_flare_msvc_atlmfc_32_64.sig",
|
CD.parent / "capa" / "sigs" / "2_flare_msvc_atlmfc_32_64.sig",
|
||||||
CD.parent / "sigs" / "3_flare_common_libs.sig",
|
CD.parent / "capa" / "sigs" / "3_flare_common_libs.sig",
|
||||||
]
|
]
|
||||||
|
|
||||||
if "raw32" in path.name:
|
if "raw32" in path.name:
|
||||||
|
|||||||