
Ignore DLL names for API features #1824

Merged (5 commits, Oct 20, 2023)

Conversation

mr-tz (Collaborator) commented Oct 20, 2023

closes #1815

Checklist

  • No CHANGELOG update needed
  • No new tests needed
  • No documentation update needed

@mr-tz mr-tz merged commit c9df782 into dynamic-feature-extraction Oct 20, 2023
5 checks passed
@mr-tz mr-tz deleted the ignore-dll-api-feats branch October 20, 2023 11:39
mr-tz (Collaborator, Author) commented Oct 20, 2023

For completeness, tests in IDA also succeed:

--------------------------------------------------------------------------------
PASS: test_ida_feature_counts/mimikatz-function=0x40E5C2-basic block-7
PASS: test_ida_feature_counts/mimikatz-function=0x4702FD-characteristic(calls from)-0
PASS: test_ida_feature_counts/mimikatz-function=0x40E5C2-characteristic(calls from)-3
PASS: test_ida_feature_counts/mimikatz-function=0x4556E5-characteristic(calls to)-0
PASS: test_ida_feature_counts/mimikatz-function=0x40B1F1-characteristic(calls to)-3
SKIP: test_ida_features/294b8d...-function=0x404970,bb=0x404970,insn=0x40499F-string(\r\n\x00:ht)-False
SKIP: test_ida_features/64d9f-function=0x10001510,bb=0x100015B0-offset(0x4000)-True
SKIP: test_ida_features/7351f.elf-file-os(linux)-True
SKIP: test_ida_features/7351f.elf-file-os(windows)-False
SKIP: test_ida_features/7351f.elf-file-format(elf)-True
SKIP: test_ida_features/7351f.elf-file-format(pe)-False
SKIP: test_ida_features/7351f.elf-file-arch(i386)-False
SKIP: test_ida_features/7351f.elf-file-arch(amd64)-True
SKIP: test_ida_features/7351f.elf-function=0x408753-string(/dev/null)-True
SKIP: test_ida_features/7351f.elf-function=0x408753,bb=0x408781-api(open)-True
SKIP: test_ida_features/773290...-function=0x140001140-string(%s:\\\\OfficePackagesForWDAG)-True
SKIP: test_ida_features/79abd...-function=0x10002385,bb=0x10002385-characteristic(call $+5)-True
SKIP: test_ida_features/946a9...-function=0x10001510,bb=0x100015c0-characteristic(call $+5)-True
SKIP: test_ida_features/a1982...-function=0x4014D0-characteristic(cross section flow)-True
SKIP: test_ida_features/al-khaser x64-function=0x14004B4F0-api(__vcrt_GetModuleHandle)-True
SKIP: test_ida_features/c91887...-function=0x40156F-api(CloseClipboard)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.CreatePipe)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.SetHandleInformation)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.CloseHandle)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.WriteFile)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(CreatePipe)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(SetHandleInformation)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(CloseHandle)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(WriteFile)-True
SKIP: test_ida_features/ea2876-file-export(vresion.GetFileVersionInfoA)-True
SKIP: test_ida_features/ea2876-file-characteristic(forwarded export)-True
SKIP: test_ida_features/kernel32-file-export(BaseThreadInitThunk)-True
SKIP: test_ida_features/kernel32-file-export(lstrlenW)-True
SKIP: test_ida_features/kernel32-file-export(nope)-False
SKIP: test_ida_features/kernel32-64-function=0x180001010-api(RtlVirtualUnwind)-True
SKIP: test_ida_features/kernel32-64-function=0x180001010-api(RtlVirtualUnwind)-True
SKIP: test_ida_features/kernel32-64-function=0x180001068-characteristic(gs access)-True
SKIP: test_ida_features/kernel32-64-function=0x180001068-characteristic(cross section flow)-False
SKIP: test_ida_features/kernel32-64-function=0x1800017D0-characteristic(peb access)-True
SKIP: test_ida_features/kernel32-64-function=0x1800202B0-api(RtlCaptureContext)-True
SKIP: test_ida_features/kernel32-64-function=0x1800202B0-api(RtlCaptureContext)-True
PASS: test_ida_features/mimikatz-file-string(SCardControl)-True
PASS: test_ida_features/mimikatz-file-string(SCardTransmit)-True
PASS: test_ida_features/mimikatz-file-string(ACR  > )-True
PASS: test_ida_features/mimikatz-file-string(nope)-False
PASS: test_ida_features/mimikatz-file-section(.text)-True
PASS: test_ida_features/mimikatz-file-section(.nope)-False
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptSetHashParam)-True
PASS: test_ida_features/mimikatz-file-import(CryptSetHashParam)-True
PASS: test_ida_features/mimikatz-file-import(kernel32.IsWow64Process)-True
PASS: test_ida_features/mimikatz-file-import(IsWow64Process)-True
PASS: test_ida_features/mimikatz-file-import(msvcrt.exit)-True
PASS: test_ida_features/mimikatz-file-import(cabinet.#11)-True
PASS: test_ida_features/mimikatz-file-import(#11)-False
PASS: test_ida_features/mimikatz-file-import(#nope)-False
PASS: test_ida_features/mimikatz-file-import(nope)-False
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-file-import(CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-file-import(CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-file-os(windows)-True
PASS: test_ida_features/mimikatz-file-arch(i386)-True
PASS: test_ida_features/mimikatz-file-format(pe)-True
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(loop)-False
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(tight loop)-False
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(stack string)-False
PASS: test_ida_features/mimikatz-function=0x401000-number(0x0)-True
PASS: test_ida_features/mimikatz-function=0x401000-bytes(FD FF 59 F6 47)-False
PASS: test_ida_features/mimikatz-function=0x401000,bb=0x401000-characteristic(tight loop)-False
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(push)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(movzx)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(xor)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(in)-False
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(out)-False
PASS: test_ida_features/mimikatz-function=0x40105D-number(0xFF)-True
PASS: test_ida_features/mimikatz-function=0x40105D-number(0x3136B0)-True
PASS: test_ida_features/mimikatz-function=0x40105D-number(0xC)-False
PASS: test_ida_features/mimikatz-function=0x40105D-number(0x10)-False
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x0)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0xC)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x8)-False
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x10)-False
PASS: test_ida_features/mimikatz-function=0x40105D-string(SCardControl)-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(SCardTransmit)-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(ACR  > )-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(nope)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(53 00 43 00 61 00 72 00 64 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(53 00 43 00 61 00 72 00 64 00 54 00 72 00 61 00 6E 00 73 00 6D 00 69 00 74 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(41 00 43 00 52 00 20 00 20 00 3E 00 20 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(6E 6F 70 65)-False
PASS: test_ida_features/mimikatz-function=0x40105D-characteristic(nzxor)-False
PASS: test_ida_features/mimikatz-function=0x40105D-characteristic(calls to)-True
PASS: test_ida_features/mimikatz-function=0x40105D-os(windows)-True
PASS: test_ida_features/mimikatz-function=0x40105D-arch(i386)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x401073-operand[1].number(0xFF)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x401073-operand[0].number(0xFF)-False
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x4010B0-operand[0].offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x4010B0-operand[1].offset(0x4)-False
PASS: test_ida_features/mimikatz-function=0x4011FB-offset(-0x1)-True
PASS: test_ida_features/mimikatz-function=0x4011FB-offset(-0x2)-True
PASS: test_ida_features/mimikatz-function=0x401517-characteristic(loop)-True
PASS: test_ida_features/mimikatz-function=0x401517-bytes(CA 3B 0E 00 00 00 F8 AF 47)-True
PASS: test_ida_features/mimikatz-function=0x401553-number(0xFFFFFFFF)-True
PASS: test_ida_features/mimikatz-function=0x401873,bb=0x4018B2,insn=0x4018C0-number(0x2)-True
PASS: test_ida_features/mimikatz-function=0x401CC7,bb=0x401CDE,insn=0x401CF6-offset(0x10)-False
PASS: test_ida_features/mimikatz-function=0x401D64,bb=0x401D73,insn=0x401D85-offset(0x80000000)-False
PASS: test_ida_features/mimikatz-function=0x402203,bb=0x402221,insn=0x40223C-offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x402EC4-characteristic(tight loop)-True
PASS: test_ida_features/mimikatz-function=0x402EC4,bb=0x402F8E-characteristic(tight loop)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptAcquireContextW)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptAcquireContext)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptGenKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptImportKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptDestroyKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptGenKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptImportKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptDestroyKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(Nope)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.Nope)-False
PASS: test_ida_features/mimikatz-function=0x404414-bytes(01 80 00 00 40 EA 47 00)-True
PASS: test_ida_features/mimikatz-function=0x40640e-characteristic(recursive call)-True
PASS: test_ida_features/mimikatz-function=0x40B3C6-api(LocalFree)-True
PASS: test_ida_features/mimikatz-function=0x410DFC-characteristic(nzxor)-True
PASS: test_ida_features/mimikatz-function=0x410dfc-characteristic(nzxor)-True
PASS: test_ida_features/mimikatz-function=0x4175FF-characteristic(recursive call)-False
PASS: test_ida_features/mimikatz-function=0x4175FF-characteristic(indirect call)-True
PASS: test_ida_features/mimikatz-function=0x43e543-number(0xFFFFFFF0)-True
PASS: test_ida_features/mimikatz-function=0x44570F-bytes(FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF)-False
PASS: test_ida_features/mimikatz-function=0x44EDEF-string(INPUTEVENT)-True
PASS: test_ida_features/mimikatz-function=0x44EDEF-bytes(49 00 4E 00 50 00 55 00 54 00 45 00 56 00 45 00 4E 00 54 00)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(stack string)-True
PASS: test_ida_features/mimikatz-function=0x4556E5-api(advapi32.LsaQueryInformationPolicy)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-api(LsaQueryInformationPolicy)-True
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(peb access)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(gs access)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(cross section flow)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(indirect call)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(calls from)-True
PASS: test_ida_features/mimikatz-function=0x456BB9-characteristic(calls to)-False
PASS: test_ida_features/mimikatz-function=0x456BB9-format(pe)-True
PASS: test_ida_features/mimikatz-function=0x46D534-characteristic(nzxor)-False
PASS: test_ida_features/mimikatz-function=0x46D6CE-string((null))-True
PASS: test_ida_features/mimikatz-function=0x4702FD-characteristic(calls from)-False
PASS: test_ida_features/mimikatz-function=0x47153B,bb=0x4717AB,insn=0x4717B1-number(-0x30)-False
PASS: test_ida_features/mimikatz-function=0x471EAB,bb=0x471ED8,insn=0x471EE6-number(0x4)-False
SKIP: test_ida_features/pma12-04-file-characteristic(embedded pe)-True
SKIP: test_ida_features/pma16-01-file-function-name(__aulldiv)-True
SKIP: test_ida_features/pma16-01-file-os(windows)-True
SKIP: test_ida_features/pma16-01-file-os(linux)-False
SKIP: test_ida_features/pma16-01-file-arch(i386)-True
SKIP: test_ida_features/pma16-01-file-arch(amd64)-False
SKIP: test_ida_features/pma16-01-file-format(pe)-True
SKIP: test_ida_features/pma16-01-file-format(elf)-False
SKIP: test_ida_features/pma16-01-function=0x4021B0-regex(string =~ HTTP/1.0)-True
SKIP: test_ida_features/pma16-01-function=0x402F40-regex(string =~ www.practicalmalwareanalysis.com)-True
SKIP: test_ida_features/pma16-01-function=0x402F40-substring(practicalmalwareanalysis.com)-True
SKIP: test_ida_features/pma16-01-function=0x404356-os(windows)-True
SKIP: test_ida_features/pma16-01-function=0x404356-arch(i386)-True
SKIP: test_ida_features/pma16-01-function=0x404356-format(pe)-True
SKIP: test_ida_features/pma16-01-function=0x404356,bb=0x4043B9-os(windows)-True
SKIP: test_ida_features/pma16-01-function=0x404356,bb=0x4043B9-arch(i386)-True
PASS: test_ida_features/mimikatz-file-import(cabinet.FCIAddFile)-True
DONE
