Merge branch 'master' into vmray/record-cmdline

mandiant · Dec 3, 2024 · 480df97 · 480df97
2 parents bbe2223 + 83a4626
commit 480df97
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 12 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -25,7 +25,7 @@ repos:
     hooks:
     -   id: isort
         name: isort
-        stages: [commit, push, manual]
+        stages: [pre-commit, pre-push, manual]
         language: system
         entry: isort
         args: 
@@ -46,7 +46,7 @@ repos:
     hooks:
     -   id: black
         name: black
-        stages: [commit, push, manual]
+        stages: [pre-commit, pre-push, manual]
         language: system
         entry: black
         args: 
@@ -64,7 +64,7 @@ repos:
     hooks:
     -   id: ruff
         name: ruff
-        stages: [commit, push, manual]
+        stages: [pre-commit, pre-push, manual]
         language: system
         entry: ruff
         args: 
@@ -82,7 +82,7 @@ repos:
     hooks:
     -   id: flake8
         name: flake8
-        stages: [push, manual]
+        stages: [pre-push, manual]
         language: system
         entry: flake8
         args: 
@@ -101,7 +101,7 @@ repos:
     hooks:
     -   id: mypy
         name: mypy
-        stages: [push, manual]
+        stages: [pre-push, manual]
         language: system
         entry: mypy
         args: 
@@ -119,7 +119,7 @@ repos:
     hooks:
     -   id: deptry
         name: deptry
-        stages: [push, manual]
+        stages: [pre-push, manual]
         language: system
         entry: deptry .
         always_run: true

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,7 +12,7 @@
 
 - remove support for Python 3.8 and use Python 3.10 as minimum now #1966 @mr-tz
 
-### New Rules (10)
+### New Rules (18)
 
 - nursery/get-shadow-password-file-entry-on-linux [email protected]
 - nursery/set-shadow-password-file-entry-on-linux [email protected]
@@ -24,6 +24,14 @@
 - nursery/persist-via-print-processors-registry-key [email protected]
 - linking/static/touchsocket/linked-against-touchsocket [email protected]
 - runtime/dotnet/compiled-with-dotnet-aot [email protected]
+- nursery/persist-via-errorhandler-script [email protected]
+- nursery/persist-via-get-variable-hijack [email protected]
+- nursery/persist-via-iphlpapi-dll-hijack [email protected]
+- nursery/persist-via-lnk-shortcut [email protected]
+- nursery/persist-via-powershell-profile [email protected]
+- nursery/persist-via-windows-accessibility-tools [email protected]
+- nursery/persist-via-windows-terminal-profile [email protected]
+- nursery/write-to-browser-extension-directory [email protected]
 -
 
 ### Bug Fixes
@@ -34,6 +42,7 @@
 - binja: support loading raw x86/x86_64 shellcode #2489 @xusheng6
 - binja: fix crash when the IL of certain functions are not available. #2249 @xusheng6
 - binja: major performance improvement on the binja extractor. #1414 @xusheng6
+- cape: make Process model flexible and procmemory optional to load newest reports #2466 @mr-tz
 
 ### capa Explorer Web
 

diff --git a/capa/features/extractors/cape/models.py b/capa/features/extractors/cape/models.py
@@ -297,7 +297,10 @@ class Call(ExactModel):
     id: int
 
 
-class Process(ExactModel):
+# FlexibleModel to account for extended fields
+# refs: https://github.com/mandiant/capa/issues/2466
+# https://github.com/kevoreilly/CAPEv2/pull/2199
+class Process(FlexibleModel):
     process_id: int
     process_name: str
     parent_id: int
@@ -400,7 +403,7 @@ class CapeReport(FlexibleModel):
     CAPE: Optional[Union[Cape, list]] = None
     dropped: Optional[list[File]] = None
     procdump: Optional[list[ProcessFile]] = None
-    procmemory: ListTODO
+    procmemory: Optional[ListTODO] = None
 
     # =========================================================================
     # information we won't use in capa

diff --git a/requirements.txt b/requirements.txt
@@ -22,7 +22,7 @@ msgpack==1.0.8
 networkx==3.4.2
 pefile==2024.8.26
 pip==24.3.1
-protobuf==5.28.2
+protobuf==5.29.0
 pyasn1==0.5.1
 pyasn1-modules==0.3.0
 pycparser==2.22

diff --git a/rules b/rules
diff --git a/tests/data b/tests/data
diff --git a/tests/test_binja_features.py b/tests/test_binja_features.py
@@ -40,6 +40,10 @@
     indirect=["sample", "scope"],
 )
 def test_binja_features(sample, scope, feature, expected):
+    # TODO(mr-tz): BinaryNinja does not recognize this function
+    # https://github.com/mandiant/capa/issues/2507
+    if scope.__name__ == "function=0x14004B4F0":
+        pytest.xfail("BinaryNinja does not recognize this function")
     fixtures.do_test_feature_presence(fixtures.get_binja_extractor, sample, scope, feature, expected)
+13 −7		anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
+20 −0		nursery/persist-via-errorhandler-script.yml
+20 −0		nursery/persist-via-get-variable-hijack.yml
+20 −0		nursery/persist-via-iphlpapi-dll-hijack.yml
+20 −0		nursery/persist-via-lnk-shortcut.yml
+22 −0		nursery/persist-via-powershell-profile.yml
+27 −0		nursery/persist-via-windows-accessibility-tools.yml
+21 −0		nursery/persist-via-windows-terminal-profile.yml
+22 −0		nursery/write-to-browser-extension-directory.yml