Source |
FireEye |
Identifier |
4593808 |
Publication date |
2021-08-03 15:39:20 (viewed: 2022-05-13 21:47:31) |
Title |
capa 2.0: Better, Faster, Stronger
Text |
We are excited to announce version 2.0 of our open-source tool called
capa. capa automatically identifies capabilities in programs using an
extensible rule set. The tool supports both malware triage and deep
dive reverse engineering. If you haven't heard of capa before, or need
a refresher, check out our first blog post. You can download capa 2.0
standalone binaries from the project's release page and check out the
source code on GitHub.
capa 2.0 enables anyone to contribute rules more easily, which makes
the existing ecosystem even more vibrant. This blog post details the
following major improvements included in capa 2.0:

- New features and enhancements for the capa explorer IDA Pro plugin,
  allowing you to interactively explore capabilities and write new
  rules without switching windows
- More concise and relevant results via identification of library
  functions using FLIRT, and the release of accompanying open-source
  FLIRT signatures
- Hundreds of new rules describing additional malware capabilities,
  bringing the collection up to 579 total rules, with more than half
  associated with ATT&CK techniques
- Migration to Python 3, to make it easier to integrate capa with
  other projects
capa explorer and Rule Generator
capa explorer is an IDAPython plugin that shows capa results
directly within IDA Pro. The version 2.0 release includes many
additions and improvements to the plugin, but we'd like to highlight
the most exciting addition: capa explorer now helps you write new capa
rules directly in IDA Pro!
Since we spend most of our time in reverse engineering tools such as
IDA Pro analyzing malware, we decided to add a capa rule generator.
Figure 1 shows the rule generator interface.
Figure 1: capa explorer rule generator interface
Once you've installed capa explorer using the Getting
Started guide, open the plugin by navigating to Edit >
Plugins > FLARE capa explorer. You can start using
the rule generator by selecting the Rule Generator tab at the
top of the capa explorer pane. From here, navigate your IDA Pro
Disassembly view to the function containing a technique you'd like to
capture and click the Analyze button. The rule generator will
parse, format, and display all the capa features that it finds in your
function. You can write your rule using the rule generator's three
main panes: Features, Preview, and Editor. Your
first step is to add features from the Features pane.
The Features pane is a tree view containing all the capa
features extracted from your function. You can filter for specific
features using the search bar at the top of the pane. Then, you can
add features by double-clicking them. Figure 2 shows this in action.
Figure 2: capa explorer feature selection
As you add features from the Features pane, the rule
generator automatically formats and adds them to the Preview
and Editor panes. The Preview and Editor panes
help you finesse the features that you've added and allow you to
modify other information like the rule's metadata.
The Editor pane is an interactive tree view that displays the
stat |
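To make concrete what the rule generator is assembling from the Features pane, here is an added example that is not code from the capa project or from this post: a hypothetical rule laid out the way capa rules are (a `meta` block plus a `features` boolean tree of `and`/`or`/`not`/"N or more" nodes over leaf features such as `api`, `number`, `string` and `mnemonic`), written as a Python dict so it runs without PyYAML, together with a deliberately simplified matcher that evaluates the tree against a set of extracted features. The rule contents, the two constructed feature sets, and the helper names `evaluate` and `match_rule` are all assumptions for illustration; capa's real engine also handles regex strings, module-less API names, scopes and result reporting that this example leaves out. The `= description` suffix that real rules attach to numbers (e.g. `number: 0x80000000 = GENERIC_READ`) is rendered here as a comment.

```python
"""Simplified capa-style rule matcher (added example; not capa's own code)."""
import re

# Hypothetical rule in capa's rule layout. Constructed for this example; it is
# not a rule from the capa-rules repository.
RULE = {
    "rule": {
        "meta": {
            "name": "read a file via the Win32 API (example)",
            "namespace": "host-interaction/file-system/read",
            "author": "example@example.com",   # placeholder author
            "scope": "function",
        },
        "features": [
            {"and": [
                {"or": [
                    {"api": "kernel32.CreateFileA"},
                    {"api": "kernel32.CreateFileW"},
                ]},
                {"number": 0x80000000},            # = GENERIC_READ
                {"api": "kernel32.ReadFile"},
                {"not": {"api": "kernel32.WriteFile"}},
            ]},
        ],
    }
}

# Leaf feature types recognised by this toy matcher (exact-match only).
LEAF_FEATURES = {"api", "string", "number", "mnemonic", "characteristic",
                 "bytes", "offset"}
N_OR_MORE = re.compile(r"^(\d+) or more$")


def evaluate(node, features):
    """Evaluate one node of a features tree against a set of
    (feature type, value) tuples extracted from a function."""
    if len(node) != 1:
        raise ValueError("each node must have exactly one key: %r" % (node,))
    (key, value), = node.items()
    if key in LEAF_FEATURES:
        return (key, value) in features
    if key == "and":
        return all(evaluate(child, features) for child in value)
    if key == "or":
        return any(evaluate(child, features) for child in value)
    if key == "not":
        return not evaluate(value, features)
    if key == "optional":
        # `optional` never fails a match; it is "0 or more" of its children.
        return True
    m = N_OR_MORE.match(key)
    if m:
        hits = sum(1 for child in value if evaluate(child, features))
        return hits >= int(m.group(1))
    raise ValueError("unknown node type: %r" % (key,))


def match_rule(rule, features):
    """Return True if every root node of the rule's features tree matches."""
    return all(evaluate(node, features) for node in rule["rule"]["features"])


# Constructed feature sets standing in for what the rule generator's Features
# pane would list for two different functions (not extracted from real samples).
FILE_READER = {
    ("api", "kernel32.CreateFileW"),
    ("number", 0x80000000),   # GENERIC_READ
    ("number", 0x3),          # OPEN_EXISTING
    ("api", "kernel32.ReadFile"),
    ("api", "kernel32.CloseHandle"),
    ("mnemonic", "call"),
}
FILE_WRITER = {
    ("api", "kernel32.CreateFileW"),
    ("number", 0x40000000),   # GENERIC_WRITE
    ("api", "kernel32.WriteFile"),
    ("api", "kernel32.CloseHandle"),
}

if __name__ == "__main__":
    name = RULE["rule"]["meta"]["name"]
    print("%s matches FILE_READER: %s" % (name, match_rule(RULE, FILE_READER)))
    print("%s matches FILE_WRITER: %s" % (name, match_rule(RULE, FILE_WRITER)))
```

The point of the `not` and `or` branches is the one you hit when tuning a rule in the Editor pane: a rule built only from the features of the function you are looking at will over-match until you add the alternatives (`CreateFileA` vs `CreateFileW`) and exclusions (`WriteFile`) that separate the capability you mean from its neighbours.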
Sent |
Yes |
Tags |
Malware
Tool
|