Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support negative offset features #197

Closed
williballenthin opened this issue Jul 24, 2020 · 2 comments · Fixed by #208
Closed

support negative offset features #197

williballenthin opened this issue Jul 24, 2020 · 2 comments · Fixed by #208
Assignees
@williballenthin
Labels
enhancement New feature or request
Milestone
v1.1.0

Comments

@williballenthin
Copy link
Collaborator

currently we have a lint that rejects rules that contain negative numbers, specifically constants and offsets. i think this is primarily because its can be difficult to determine how immediate operands should be interpreted as signed or unsigned values. therefore, this restriction makes sense for constants/numbers; however, the way that we extract offsets (from memory reference operands) does support negative values. so, should we relax the lint and only enforce it on numbers/constants, but not offsets?

related: mandiant/capa-rules#52

@mike-hunhoff @mr-tz
@williballenthin williballenthin added the enhancement New feature or request label Jul 24, 2020
@williballenthin williballenthin mentioned this issue Jul 24, 2020
Merged
@williballenthin
Copy link
Collaborator Author

mandiant/capa-rules#52 (comment)

Short answer: no we do not officially support negative numbers

Because: By default both the viv and IDA APIs default to two's complement for representing numbers so capa can't match -1 because it only sees the two's complement form 0xFFFFFFFF.

However: It appears that the viv API does not default to two's complement for representing offsets which allows 0x-30 to match.

Unfortunately the IDA API does default to two's complement for representing offsets therefore, and I haven't tested this yet but I assume, this rule will match in viv but not in IDA.

I would probably consider this a bug as we need to establish a consistent representation of numbers, offsets, etc. across capa and the extractors.

Offsets in viv:

('Offset', -4)
('Offset', -20)
('Offset', -20)
('Offset', 0)
('Offset', -20)
('Offset', -4)
('Offset', 16)
('Offset', 0)
('Offset', 20)
('Offset', -4)

Offsets in IDA:

Python>insn = sark.code.instruction.Instruction(here())
Python>insn.operands[1].offset
0xfffffef8
Python>insn = sark.code.instruction.Instruction(here())
Python>insn.operands[1].offset
0x18

Originally posted by @mike-hunhoff in mandiant/capa-rules#52 (comment)

@williballenthin
Copy link
Collaborator Author

according to https://cse.unl.edu/~goddard/Courses/CSCE351/IntelArchitecture/IntelDataType.pdf

image

looks like we can assume offsets are guaranteed to be signed, so we could enforce that feature extractors auto-convert twos complement to signed values

@williballenthin williballenthin self-assigned this Jul 25, 2020
williballenthin added a commit that referenced this issue Jul 26, 2020
@williballenthin
ida: parse offsets as signed numbers
c91f9a3 
closes #197
@williballenthin williballenthin mentioned this issue Jul 27, 2020
Merged
@williballenthin williballenthin added this to the v1.1.0 milestone Aug 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@williballenthin williballenthin

Labels
enhancement New feature or request
Projects
None yet
Milestone
v1.1.0
Development

Successfully merging a pull request may close this issue.

support negative offset features (and add IDA tests) mandiant/capa
1 participant
@williballenthin