gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2025-12-12 15:49:46 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
5596d5f8b298431724c59c014a5fcb4dc9512750
capa/capa/ida/plugin
History
Michael Hunhoff 9f254b22ee adding file scope support to rule generator IDA plugin
2021-02-23 11:10:34 -07:00
..
__init__.py
rename ida plugin
2020-09-11 13:12:28 -06:00
capa_explorer.py
rename ida plugin
2020-09-11 13:12:28 -06:00
form.py
adding file scope support to rule generator IDA plugin
2021-02-23 11:10:34 -07:00
hooks.py
changes to plugin function-level documentation
2020-09-08 12:26:20 -06:00
icon.py
use embedded icon
2020-09-02 17:50:25 +02:00
item.py
explorer: adding option to show results by function
2021-02-22 08:16:18 -07:00
model.py
explorer: adding option to show results by function
2021-02-22 08:16:18 -07:00
proxy.py
merge conflicts
2020-09-09 12:45:35 -06:00
README.md
Update README.md
2021-02-12 14:38:11 -07:00
view.py
adding file scope support to rule generator IDA plugin
2021-02-23 11:10:34 -07:00

README.md

capa explorer

capa explorer is an IDA Pro plugin written in Python that integrates the FLARE team's open-source framework, capa, with IDA. capa is a framework that uses a well-defined collection of rules to identify capabilities in a program. You can run capa against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the program is a backdoor, can install services, or relies on HTTP to communicate. You can use capa explorer to run capa directly on an IDA database without requiring access to or execution of the source binary. Once a database has been analyzed, capa explorer can be used to quickly identify and navigate to interesting areas of a program and manually build new capa rules out of the features extracted directly from your IDB.

We love using capa explorer during malware analysis because it teaches us what parts of a program suggest a behavior. As we click on rows, capa explorer jumps directly to important addresses in the IDA Pro database and highlights key features in the Disassembly view so they stand out visually. To illustrate, we use capa explorer to analyze Lab 14-02 from Practical Malware Analysis (PMA) available here. Our goal is to understand the program's functionality.

After loading Lab 14-02 into IDA and analyzing the database with capa explorer, we see that capa detected a rule match for self delete via COMSPEC environment variable:

We can use capa explorer to navigate the IDA Disassembly view directly to the suspect function and get an assembly-level breakdown of why capa matched self delete via COMSPEC environment variable for this particular function.

Using the Rule Information and Details columns capa explorer shows us that the suspect function matched self delete via COMSPEC environment variable because it contains capa rule matches for create process, get COMSPEC environment variable, and query environment variable, references to the strings COMSPEC, > nul, and /c del, and calls to the Windows API functions GetEnvironmentVariableA and ShellExecuteEx.

capa explorer also helps you build new capa rules. To start select the Rule Generator tab, navigate to a function in the IDA Disassembly view, and click Analyze. capa explorer will extract features from this function and display them in the Function Features pane. You can add features listed in this pane to the Editor pane by either double-clicking a feature or using multi-select + right-click to add multiple features at once. The Preview and Editor panes help edit your rule. Use the Preview pane to modify the rule text directly and the Editor pane to construct and rearrange your hierarchy of statements and features. When you finish a rule you can save it directly to a file by clicking Save.

For more information on the FLARE team's open-source framework, capa, check out the overview in our first blog.

Getting Started

Requirements

capa explorer supports the following IDA setups:

  • IDA Pro 7.4+ with Python 2.7 or Python 3.

If you encounter issues with your specific setup, please open a new Issue.

Supported File Types

capa explorer is limited to the file types supported by capa, which includes:

  • Windows 32-bit and 64-bit PE files
  • Windows 32-bit and 64-bit shellcode

Installation

You can install capa explorer using the following steps:

  1. Install capa and its dependencies from PyPI for the Python interpreter used by your IDA installation: 
    $ pip install flare-capa
  2. Download the standard collection of capa rules (capa explorer needs capa rules to analyze a database)
  3. Copy capa_explorer.py to your IDA plugins directory

Usage

  1. Run IDA and analyze a supported file type (select the Manual Load and Load Resources options in IDA for best results)
  2. Open capa explorer in IDA by navigating to Edit > Plugins > FLARE capa explorer or using the keyboard shortcut Alt+F5
  3. Select the Program Analysis tab
  4. Click the Analyze button

When running capa explorer for the first time you are prompted to select a file directory containing capa rules. The plugin conveniently remembers your selection for future runs; you can change this selection by navigating to Settings > Change default rules directory.... We recommend downloading and using the standard collection of capa rules when getting started with the plugin.

Tips for Program Analysis

  • Start analysis by clicking the Analyze button
  • Reset the plugin user interface and remove highlighting from IDA disassembly view by clicking the Reset button
  • Change your capa rules directory by navigating to Settings > Change default rules directory... from the plugin menu
  • Hover your cursor over a rule match to view the source content of the rule
  • Double-click the Address column to navigate the IDA Disassembly view to the associated feature
  • Double-click a result in the Rule Information column to expand its children
  • Select a checkbox in the Rule Information column to highlight the address of the associated feature in the IDA Dissasembly view

Tips for Rule Generator

  • Navigate to a function in the Disassembly view and clickAnalyze to get started
  • Double-click or multi-select + right-click in the Function Features pane to add features to the Editor pane
  • Right-click features in the Editor pane to make modifications
  • Drag-and-drop (single click + multi-select support) features in the Editor pane to quickly build a hierarchy of statements and features
  • Right-click anywhere in the Editor pane not on a feature to quickly remove all features
  • Add descriptions/comments by placing editing the appropriate column in the Editor pane
  • Directly edit rule text, including rule metadata fields using the Preview pane
  • Change the default rule author and default scope displayed in the Preview pane by navigating to Settings

Development

Because capa explorer is packaged with capa you will need to install capa locally for development.

You can install capa locally by following the steps outlined in Method 3: Inspecting the capa source code of the capa installation guide. Once installed, copy capa_explorer.py to your IDA plugins directory to run the plugin in IDA.

Components

capa explorer consists of two main components:

  • An IDA feature extractor built on top of IDA's binary analysis engine
    • This component uses IDAPython to extract capa features from the IDA database such as strings, disassembly, and control flow; these extracted features are used by capa to find feature combinations that result in a rule match
  • An interactive user interface for displaying and exploring capa rule matches
    • This component integrates the IDA feature extractor and capa, providing an interactive user interface to dissect rule matches found by capa using features extracted by the IDA feature extractor
Reference in New Issue View Git Blame Copy Permalink