improve and fix various dynamic parts #1809
Conversation
| if cr.static is None and cr.target.file.pe is not None: | ||
| cr.static = Static() | ||
| cr.static.pe = cr.target.file.pe |
There was a problem hiding this comment.
noticed that this may store the data instead, maybe there's a better way to handle this?
There was a problem hiding this comment.
please add a comment with a reference to such a report and CAPE version.
There was a problem hiding this comment.
Do we want to add all/many/few reports to capa testfiles?
I'm pulling down sandbox data for all our current testfile EXEs and DLLs.
There was a problem hiding this comment.
i think it would be good to have a fair collection, but not necessarily one for every sample.
There was a problem hiding this comment.
adding a few initially here: mandiant/capa-testfiles#217
| if len(cr.behavior.processes) == 0: | ||
| raise EmptyReportError("CAPE did not capture any processes") |
There was a problem hiding this comment.
such empty reports are fairly useless
| for symbol in generate_symbols(call.api): | ||
| call.api = symbol | ||
|
|
||
| addr = DynamicCallAddress(thread=th.address, id=call_index) | ||
| yield CallHandle(address=addr, inner=call) |
There was a problem hiding this comment.
I've noticed we run into issues since CAPE reports only list the api (like CreateFileA), however:
- rules often include the DLL (which we won't get easily here)
- use the generic name (like
CreateFile[not A/W])
This is one way/part of handling this, maybe we can come up with a more generic way.
mr-tz
force-pushed
the
dynamic-fixes-1
branch
from
81b6d21 to
9361b7b
Compare
mr-tz
force-pushed
the
dynamic-fixes-1
branch
from
9361b7b to
26460a8
Compare
mr-tz
force-pushed
the
dynamic-fixes-1
branch
2 times, most recently
from
0ade462 to
316e65d
Compare
mr-tz
force-pushed
the
dynamic-fixes-1
branch
from
316e65d to
57f7e2e
Compare
addresses various issues encountered during testing
Checklist