Add ability to specify .viv file locations #168

Closed
secshoggoth opened this issue Jul 17, 2020 · 2 comments · Fixed by #185
@secshoggoth

Summary

Capa fails to run if the file it is analyzing is located in a directory it does not have permissions to write to. In this case, it attempts to create the .viv file but fails.

Motivation

This tool may be run against files in directories that are write protected or are on remote systems that we do not have write access to.

Describe alternatives you've considered

The workaround is to just copy the file locally, but that might not always be possible/feasible.

Additional context

I found this by running capa-v1.0.0-win.exe on a Windows 10 system as a normal user against notepad.exe. Since it is located in c:\windows, an unprivileged user does not have access to write in that directory.

C:\tools\capa>capa-v1.0.0-win.exe -r capa-rules-master c:\windows\notepad.exe
WARNING:capa:skipping non-.yml file: LICENSE.txt
Unwind Info Version: 2 (bailing on .pdata)
Traceback (most recent call last):
  File "capa\main.py", line 646, in <module>
  File "capa\main.py", line 532, in main
  File "capa\main.py", line 286, in get_extractor
  File "capa\main.py", line 266, in get_extractor_py2
  File "capa\main.py", line 252, in get_workspace
  File "site-packages\viv_utils\__init__.py", line 86, in getWorkspace
  File "site-packages\vivisect\__init__.py", line 2345, in saveWorkspace
  File "site-packages\vivisect\storage\basicfile.py", line 15, in saveWorkspace
  File "site-packages\vivisect\storage\basicfile.py", line 24, in vivEventsToFile
IOError: [Errno 13] Permission denied: 'c:\\windows\\notepad.exe.viv'
[2616] Failed to execute script main

@mr-tz mr-tz added the bug Something isn't working label Jul 17, 2020
@mr-tz
Collaborator

mr-tz commented Jul 17, 2020

Good find. We'll address this shortly.

@williballenthin
Collaborator

should we keep creating .viv files or just do everything in memory? if we keep them around:

pro:

  • subsequent processing of the sample is faster

con:

  • fills up the file system
  • doesn't work if the directory is not writable
  • not consistent with other tools like strings, which don't create analysis workspaces

we could auto-detect if the directory is writable, and if not, avoid writing the .viv.
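
The auto-detection suggested in the comment above, sketched as an added example (not capa's, viv-utils' or vivisect's own code; the names `dir_is_writable` and `choose_viv_path` and the `fallback_dir` option are assumptions). It probes by creating a temporary file rather than calling `os.access`, which can report success where the write later fails, for example on network filesystems.

```python
import os
import tempfile


def dir_is_writable(directory):
    """Return True if a file can actually be created in `directory`.

    Creating (and immediately discarding) a temporary file exercises the
    same operation that saving the workspace performs.
    """
    try:
        with tempfile.TemporaryFile(dir=directory):
            return True
    except OSError:
        # Covers EACCES (the Errno 13 in the traceback), a missing
        # directory, read-only filesystems and similar failures.
        return False


def choose_viv_path(sample_path, fallback_dir=None):
    """Decide where the .viv workspace for `sample_path` should be saved.

    Returns the path next to the sample when that directory is writable,
    a path inside `fallback_dir` (hypothetical option) when it is given
    and writable, and None when the analysis should stay in memory.
    """
    sample_path = os.path.abspath(sample_path)
    viv_name = os.path.basename(sample_path) + ".viv"

    sample_dir = os.path.dirname(sample_path)
    if dir_is_writable(sample_dir):
        return os.path.join(sample_dir, viv_name)

    if fallback_dir is not None and dir_is_writable(fallback_dir):
        return os.path.join(os.path.abspath(fallback_dir), viv_name)

    return None  # caller skips saving and keeps the workspace in memory


if __name__ == "__main__":
    import sys

    for arg in sys.argv[1:]:
        print(arg, "->", choose_viv_path(arg) or "in memory only")
```

In a shared fallback directory, two samples with the same file name would map to the same .viv file; deriving the name from a hash of the sample avoids that.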
