Converts exported results of the Capa tool from .json format to other formats supported by different tools.
It parses the .json output and converts it to a .tag file, an x64dbg annotation and bookmarking script, or a Cutter/r2gui annotation script, so you can make use of Capa results in other tools.
The .tag file format can be used to integrate CAPA results into tools like PE-bear (tested): https://github.com/hasherezade/pe-bear-releases or IDA PRO (not tested) with the IFL plugin made by: https://github.com/hasherezade/IDA_ifl
Capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do.
For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
Capa repo: https://github.com/fireeye/capa
Capa blog post: https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html
Analyze the sample with CAPA:
Example: CAPA -j malware.exe > malware.exe.json
Example: CAPA -j malware.bin > malware.bin.json
Example: CAPA -j malware > malware.json
Example: CAPA -j DD488AF61F792C89265FD783F3EC4A18 > DD488AF61F792C89265FD783F3EC4A18.json
The parameter '-j' must be present on the command line to export results in .json format.
The exported .json file MUST keep the original filename of the sample (as shown in the examples) for the exported x64dbg script to work!
Do NOT rename the sample for x64dbg, or the script will not find the base address.
Run CAPA_JsonConver.pyw or standalone binary CAPA_JsonConver.exe (https://github.com/Dump-GUY/CAPA_JsonConver/releases)
A checkbox option menu will pop up where you can choose whether to convert the .json to a .tag file, an x64dbg script or a Cutter/r2gui script.
A file open dialog will pop up - choose the .json file you want to convert.
All converted files are saved to the same location as the .json file used for conversion.
CheckBox option menu:
Selecting .json file:
Run x64dbg with relevant sample.
Go to the script tab and load the script exported by CAPA_JsonConver.py.
Run script.
Unload the script.
You can see that the code has been commented in the disassembly view and the bookmark view.
Disassembly view:
Bookmark view:
Graph view with bookmarks:
If you run PE-bear and load the sample from the same directory where the .tag file is, the .tag file is imported automatically.
If not - run PE-bear and load the sample. Click on the Tag button - click on file - load - select your .tag file.
Hint: You can enable the option in PE-bear - Tag view - Follow on click --> so if you click on an RVA you jump immediately to that position in the Disassembly view, which can be quite handy.
PE-bear view 1:
PE-bear view 2:
Run Cutter, load the relevant sample and run the .r2 script produced by CAPA_JsonConver. You can run the .r2 script via the advanced options during sample loading.
Advanced options during sample loading:
Or you can run the .r2 script from the Cutter view. If you run the script from the Cutter view, you MUST refresh the view with F5 or via View Tab/Refresh Contents to see the modified contents.
Running Cutter script from Cutter view:
Cutter - Comment and Disassembly view annotated with Capa results:
Cutter - Comment and Graph view annotated with Capa results and CallGraph view:
Cutter - Comment and Disassembly view annotated with Capa results and CallGraph view:
Cutter - Comment, Disassembly view and Decompile view annotated with Capa results:
If Capa detects several capabilities relevant to the same origin RVA (same function, block or whole file), all capabilities are chained and added as one comment to that RVA.
The sizes of labels and comments in x64dbg are limited to ~256 characters, so when several capabilities map to the same origin RVA, only the first 256 characters are added and some capabilities may be cut off :(
In real cases, cutting off chained capabilities that together exceed 256 characters is not much of a problem, because
you already know that the function or block at that RVA has, for example, more than 10 capabilities, so it must be a point of interest.
For the .tag file there is no such limitation on the size of capabilities chained to the same RVA - programs supporting .tag files can handle larger comments.
Example: PE-bear: https://github.com/hasherezade/pe-bear-releases
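Added example (not the project's own code) showing the conversion steps described above: grouping capabilities by RVA, chaining them into one comment, cutting the x64dbg comment to the 256-character limit, and leaving the .tag output uncut. The capa JSON layout is a simplified constructed approximation, the "RVA;comment" .tag layout and the use of the x64dbg expression function mod.main() for the base address are assumptions.

```python
import json

X64DBG_COMMENT_LIMIT = 256  # the ~256-char limit on x64dbg labels/comments noted above

# Constructed capa-style JSON (simplified layout, NOT real capa output):
# two rules match at the same function and one at another block.
SAMPLE_JSON = json.dumps({
    "meta": {"analysis": {"base_address": 0x400000}},
    "rules": {
        "create service": {"meta": {"scope": "function"}, "matches": {"4198400": {}}},
        "persist via Windows service": {"meta": {"scope": "function"}, "matches": {"4198400": {}}},
        "communicate via HTTP": {"meta": {"scope": "basic block"}, "matches": {"4202496": {}}},
    },
})


def chain_capabilities(json_text):
    """Group matched rule names by RVA (virtual address minus base) so that several
    capabilities reported for the same function/block become one chained comment."""
    doc = json.loads(json_text)
    base = doc["meta"]["analysis"]["base_address"]
    chained = {}
    for name, rule in doc["rules"].items():
        for va in rule["matches"]:
            chained.setdefault(int(va) - base, []).append(name)
    return {rva: " | ".join(sorted(names)) for rva, names in sorted(chained.items())}


def to_x64dbg_script(chained):
    """x64dbg script lines: comment and bookmark each RVA relative to the main module
    base (mod.main(), assumed). Comments are truncated to the 256-char limit."""
    lines = []
    for rva, text in chained.items():
        text = text[:X64DBG_COMMENT_LIMIT].replace('"', "'")
        lines.append(f'cmt mod.main()+{rva:#x}, "{text}"')
        lines.append(f"bookmarkset mod.main()+{rva:#x}")
    lines.append("ret")
    return lines


def to_tag_lines(chained):
    """.tag lines in an assumed 'RVA;comment' layout; no truncation is applied."""
    return [f"{rva:x};{text}" for rva, text in chained.items()]


if __name__ == "__main__":
    chained = chain_capabilities(SAMPLE_JSON)
    print("\n".join(to_x64dbg_script(chained)))
    print("\n".join(to_tag_lines(chained)))
```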
Requires Python 3+, or you can use the standalone binary for Windows 64-bit (https://github.com/Dump-GUY/CAPA_JsonConver/releases).
Tested with CAPA versions 1.0.0-1.1.0, x64dbg, Cutter, PE-bear version 0.4.0.3, on Win7 - Win10.