null-preserving XOR not identified #840

Open
Ana06 opened this issue Nov 6, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@Ana06 (Member) commented Nov 6, 2023

capa doesn't detect null-preserving XOR because the XOR is not in a tight loop. Can we detect it?
[Screenshot 2023-11-06 at 15:20:47]

Tested with capa 6.1.0 using sample 4ce210df92602f9cf4990357eb63f1f05cb5e89d03426a98a77ef98d6ff967bc

@Ana06 Ana06 added the enhancement New feature or request label Nov 6, 2023
@Ana06 Ana06 changed the title zero-preserving XOR null-preserving XOR not identified Nov 6, 2023
@williballenthin (Collaborator) commented
Can't detect it very easily since the loop isn't tight, like you said. We could write a rule with function scope matching and(non zero xor, has loop), but this doesn't seem very specific at all.

For this specific function we could also limit the number of basic blocks and/or #callers and/or #callees. That might be reasonably robust but doesn't generalize the technique very well.

Do you all have any other ideas?

@mr-tz (Collaborator) commented Nov 7, 2023

Another approach would be to extend tight loops to capture "almost tight loops" (in the feature extraction).
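Worked example added here, not code from the capa project or from any of the commenters: a null-preserving XOR decoder of the kind the issue asks capa to detect, plus a toy control-flow-graph check showing why such a loop is not "tight" (one basic block branching back to itself, which is how capa's tight loop characteristic is computed) and how the "almost tight loop" idea from the comment above could be expressed as a bound on the number of basic blocks in a natural loop. The two CFGs, their block names and all function names are constructed for illustration and are not derived from the sample mentioned in the issue.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

CFG = Dict[str, List[str]]  # basic block name -> successor block names


def null_preserving_xor(buf: bytes, key: int) -> bytes:
    """Single-byte XOR that leaves 0x00 bytes and bytes equal to the key
    untouched, so zero padding survives encoding and the operation stays an
    involution (applying it twice yields the original buffer)."""
    out = bytearray(len(buf))
    for i, b in enumerate(buf):
        # The skip test is what splits the loop body into several basic blocks.
        out[i] = b if (b == 0 or b == key) else b ^ key
    return bytes(out)


# Constructed CFGs (assumed shapes, not taken from the sample in the issue).
# The first mirrors a compiled null_preserving_xor: the skip test inside the
# body yields a loop of several blocks, so no single block branches back to
# itself. The second is a plain XOR loop compiled into one self-looping block,
# the shape a "tight loop" characteristic matches.
NULL_PRESERVING_CFG: CFG = {
    "entry": ["loop_head"],
    "loop_head": ["check_byte", "exit"],   # i < len ?
    "check_byte": ["skip", "xor"],         # b == 0 or b == key ?
    "skip": ["next"],
    "xor": ["next"],
    "next": ["loop_head"],                 # i += 1; back edge
    "exit": [],
}
TIGHT_XOR_CFG: CFG = {
    "entry": ["xor_loop"],
    "xor_loop": ["xor_loop", "exit"],      # self edge: the tight loop
    "exit": [],
}


def find_back_edges(cfg: CFG, entry: str) -> List[Tuple[str, str]]:
    """Retreating edges (tail -> head) found by DFS from entry; for the
    reducible CFGs compilers normally emit these are the loop back edges."""
    state: Dict[str, str] = {}
    edges: List[Tuple[str, str]] = []

    def dfs(node: str) -> None:
        state[node] = "visiting"
        for succ in cfg.get(node, []):
            if state.get(succ) == "visiting":
                edges.append((node, succ))
            elif succ not in state:
                dfs(succ)
        state[node] = "done"

    dfs(entry)
    return edges


def natural_loop(cfg: CFG, tail: str, head: str) -> FrozenSet[str]:
    """All blocks of the loop closed by tail -> head: head plus every block
    that reaches tail without passing through head."""
    preds: Dict[str, List[str]] = defaultdict(list)
    for node, succs in cfg.items():
        for succ in succs:
            preds[succ].append(node)
    body = {head, tail}
    work = [tail] if tail != head else []   # self edge: the loop is just head
    while work:
        for p in preds[work.pop()]:
            if p not in body:
                body.add(p)
                work.append(p)
    return frozenset(body)


def loop_sizes(cfg: CFG, entry: str) -> List[int]:
    """Number of basic blocks in each loop of the function, ascending."""
    return sorted(len(natural_loop(cfg, t, h)) for t, h in find_back_edges(cfg, entry))


def has_tight_loop(cfg: CFG, entry: str) -> bool:
    """A loop of exactly one block, i.e. a block branching to itself."""
    return any(size == 1 for size in loop_sizes(cfg, entry))


def has_almost_tight_loop(cfg: CFG, entry: str, max_blocks: int = 6) -> bool:
    """A loop of more than one but at most max_blocks blocks, e.g. a tight
    loop with a guard branch inside it. The bound is an assumed tuning knob."""
    return any(1 < size <= max_blocks for size in loop_sizes(cfg, entry))


if __name__ == "__main__":
    encoded = null_preserving_xor(b"MZ\x00\x00AB", 0x41)
    assert null_preserving_xor(encoded, 0x41) == b"MZ\x00\x00AB"
    for name, cfg in (("null-preserving", NULL_PRESERVING_CFG), ("tight", TIGHT_XOR_CFG)):
        print(name, "tight:", has_tight_loop(cfg, "entry"),
              "almost tight:", has_almost_tight_loop(cfg, "entry"))
```

Run stand-alone, the null-preserving CFG reports no tight loop but an almost tight one of five blocks, while the plain XOR CFG reports a tight loop. The function-scope rule sketched in the comment above maps onto capa's existing `characteristic: nzxor` and `characteristic: loop` features; an "almost tight loop" bound like `max_blocks` would instead be a new feature computed in the extractor, since the existing tight loop characteristic is derived per basic block rather than per loop.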
