file scope feature: library function name #567

Closed
williballenthin opened this issue May 19, 2021 · 0 comments
Labels
enhancement New feature or request

@williballenthin
Collaborator

we should be able to match the names recognized by FLIRT (etc). we have insn scope features (API) for this right now, but these are only relevant if an instruction references the function address (for example, with call strcpy). if the function is only referenced by vtable, such as the case with most CryptoPP (C++ library) functions, then we don't have a way to say "this file can AES encrypt data via CryptoPP".

we could enable API features at the file scope, associating them with the address of recognized library functions.

motivated by mandiant/capa-rules#388 (comment)
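
Added example, not part of the issue and not capa's own code: a toy Python model of the gap described above, where API features tied to instructions miss a recognized library function that is reachable only through a vtable, while features emitted at file scope for each recognized function still report it. The data structures, addresses, and function names are constructed for illustration and do not reflect capa's extractor API.

```python
# Toy model only: this is NOT capa's extractor API. All addresses are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Insn:
    address: int
    mnemonic: str
    target: Optional[int] = None  # statically resolved call target, if any


AES_NAME = "CryptoPP::Rijndael::Enc::ProcessAndXorBlock"  # sample name
# Constructed sample: names a FLIRT-style matcher assigned to library functions.
LIBRARY_FUNCTIONS = {0x401000: "strcpy", 0x402000: AES_NAME}
# strcpy is called directly; the CryptoPP method is only reached indirectly.
INSTRUCTIONS = [
    Insn(0x403000, "call", 0x401000),  # call strcpy
    Insn(0x403010, "call", None),      # call [rax+0x18]: no static target
]
VTABLE = {0x500018: 0x402000}  # data slot address -> function pointer


def insn_scope_api(instructions, lib_funcs):
    """API features only where an instruction references a recognized function."""
    return {(lib_funcs[i.target], i.address)
            for i in instructions if i.target in lib_funcs}


def file_scope_api(lib_funcs):
    """Proposed: one API feature per recognized library function, located at
    the function's own address, no matter how it is referenced."""
    return {(name, addr) for addr, name in lib_funcs.items()}


def names(features):
    return {name for name, _ in features}


def vtable_only(instructions, vtable, lib_funcs):
    """Recognized functions referenced from data but never by an instruction."""
    called = {i.target for i in instructions}
    return {lib_funcs[p] for p in vtable.values()
            if p in lib_funcs and p not in called}


if __name__ == "__main__":
    print("insn scope:", sorted(names(insn_scope_api(INSTRUCTIONS, LIBRARY_FUNCTIONS))))
    print("file scope:", sorted(names(file_scope_api(LIBRARY_FUNCTIONS))))
    print("vtable only:", sorted(vtable_only(INSTRUCTIONS, VTABLE, LIBRARY_FUNCTIONS)))
```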
