add light weight ElfFeatureExtractor #770

mr-tz · 2021-09-10T18:33:43Z

Add a basic ELF feature extractor similar to the pefile one in support of #699.

Checklist

No CHANGELOG update needed

No new tests needed

No documentation update needed

williballenthin · 2021-09-10T18:36:21Z

capa/features/extractors/elffile.py

+    args:
+      elf (elftools.elf.elffile.ELFFile): the parsed ELFFile
+      buf: the raw sample bytes


use type hints for this

capa/features/extractors/elffile.py

williballenthin

this looks great!

williballenthin · 2021-09-10T18:38:50Z

capa/features/common.py

@@ -344,7 +344,6 @@ def freeze_deserialize(cls, args):

 class Arch(Feature):
    def __init__(self, value: str, description=None):
-        assert value in VALID_ARCH


if we remove this check then we should probably add checks within the rule parser to validate what a user specifies

agreed, reason I removed them here is because our arch extraction fails for packed samples, e.g. via UPX

see https://github.com/fireeye/capa/pull/770/files#diff-651412a054a596ef4cccaa6c9cd9f8632585de43dfd8012ff675ca19f935f600R55

mr-tz · 2021-09-10T18:43:22Z

capa/features/extractors/base_extractor.py

@@ -9,7 +9,7 @@
 import abc
 from typing import Tuple, Iterator, SupportsInt

-from capa.features.basicblock import Feature
+from capa.features.common import Feature


I think this is better?!

mr-tz · 2021-09-10T18:45:00Z

capa/features/extractors/elffile.py

+    # see https://github.com/eliben/pyelftools/blob/0664de05ed2db3d39041e2d51d19622a8ef4fb0f/scripts/readelf.py#L372
+    symbol_tables = [(idx, s) for idx, s in enumerate(elf.iter_sections()) if isinstance(s, SymbolTableSection)]


Did you want to be independent or is it ok to rely on elftools?

yeah, this makes sense. and, maybe we want to migrate the OS detection to pyelftools? well, it works as is, but its an option.

mr-tz · 2021-09-10T18:45:40Z

capa/features/common.py

@@ -344,7 +344,6 @@ def freeze_deserialize(cls, args):

 class Arch(Feature):
    def __init__(self, value: str, description=None):
-        assert value in VALID_ARCH


see https://github.com/fireeye/capa/pull/770/files#diff-651412a054a596ef4cccaa6c9cd9f8632585de43dfd8012ff675ca19f935f600R55

mr-tz · 2021-09-10T18:46:38Z

capa/features/extractors/elffile.py

+
+
+def extract_file_arch(elf, **kwargs):
+    # TODO merge with capa.features.extractors.elf.detect_elf_arch()


there's some overlap/dup between some of the functions in capa.features.extractors.elf and what's provided by elftools

yeah, happy to use elftools

capa/features/extractors/elffile.py

capa/rules.py

williballenthin · 2021-09-13T19:26:56Z

merging so i can get a medium-scale run against ELF files before v3

mr-tz mentioned this pull request Sep 10, 2021

update UPX for ELF mandiant/capa-rules#460

Merged

williballenthin reviewed Sep 10, 2021

View reviewed changes

capa/features/extractors/elffile.py Show resolved Hide resolved

add ElfFeatureExtractor

06d238a

mr-tz force-pushed the elffile-extractor branch from b769dea to 06d238a Compare September 10, 2021 18:38

williballenthin approved these changes Sep 10, 2021

View reviewed changes

mr-tz commented Sep 10, 2021

View reviewed changes

mr-tz added 2 commits September 10, 2021 21:29

init variable :/

80bb0b4

minor fixes

4c6be15

williballenthin reviewed Sep 13, 2021

View reviewed changes

capa/features/extractors/elffile.py Outdated Show resolved Hide resolved

Update capa/features/extractors/elffile.py

11644cb

williballenthin reviewed Sep 13, 2021

View reviewed changes

capa/rules.py Show resolved Hide resolved

williballenthin merged commit 297d9aa into master Sep 13, 2021

williballenthin deleted the elffile-extractor branch September 13, 2021 19:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add light weight ElfFeatureExtractor #770

add light weight ElfFeatureExtractor #770

mr-tz commented Sep 10, 2021

williballenthin Sep 10, 2021

williballenthin left a comment

williballenthin Sep 10, 2021

mr-tz Sep 10, 2021

mr-tz Sep 10, 2021

mr-tz Sep 10, 2021

mr-tz Sep 10, 2021

williballenthin Sep 11, 2021

mr-tz Sep 10, 2021

mr-tz Sep 10, 2021

williballenthin Sep 11, 2021

williballenthin commented Sep 13, 2021

		# see https://github.com/eliben/pyelftools/blob/0664de05ed2db3d39041e2d51d19622a8ef4fb0f/scripts/readelf.py#L372
		symbol_tables = [(idx, s) for idx, s in enumerate(elf.iter_sections()) if isinstance(s, SymbolTableSection)]



		def extract_file_arch(elf, **kwargs):
		# TODO merge with capa.features.extractors.elf.detect_elf_arch()

add light weight ElfFeatureExtractor #770

add light weight ElfFeatureExtractor #770

Conversation

mr-tz commented Sep 10, 2021

Checklist

Choose a reason for hiding this comment

williballenthin left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

williballenthin commented Sep 13, 2021