
file limitation rules #400

Merged
merged 3 commits into from Jun 1, 2021

Conversation

williballenthin
This comment has been minimized.


@mr-tz mr-tz left a comment


nice, see question on internal vs. using capa in other PR

also linter fails:

KeyError: 'anti-analysis/packer'
Error: Process completed with exit code 1.

mr-tz commented May 31, 2021

VMProtect for mandiant/capa#588

Is it worth adding this? Maybe it makes sense to display the limitation details, e.g. what lower rule names caused the limitation?

rule:
  meta:
    name: (internal) VMProtect file limitation
    description: |
      This sample appears to be packed with VMProtect.
      
      Packed samples have often been obfuscated to hide their logic.
      capa cannot handle obfuscation well. This means the results may be misleading or incomplete.
      If possible, you should try to unpack this input file before analyzing it with capa.
    namespace: internal/limitation/file
    author: william.ballenthin@fireeye.com
    scope: file
    examples:
      - CD2CBA9E6313E8DF2C1273593E649682
  features:
    - or:
      - match: anti-analysis/packer/vmprotect
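
As an added example, not capa's own code, the following sketches how a `match:` reference in a rule like the one above resolves against the other rules in a set, and how the names of the lower rules that triggered a limitation could be collected for display, as suggested above; it also generalizes to namespace prefixes, so `match: anti-analysis/packer` would cover every packer rule. The dict representation of the YAML, the hypothetical packer rules and their section-name features are assumptions.

```python
# Added illustration, not capa's own code: resolve `match:` references in a capa-style
# rule set and report which lower rules caused a file limitation. Rules are constructed
# here as dicts mirroring the YAML in this PR (other meta fields omitted); the packer
# rules and their section-name features are hypothetical stand-ins.
RULES = [
    {"name": "(internal) VMProtect file limitation", "namespace": "internal/limitation/file",
     "features": {"or": [{"match": "anti-analysis/packer/vmprotect"}]}},
    {"name": "packed with VMProtect", "namespace": "anti-analysis/packer/vmprotect",
     "features": {"or": [{"section": ".vmp0"}]}},
    {"name": "packed with UPX", "namespace": "anti-analysis/packer/upx",
     "features": {"or": [{"section": "UPX0"}]}},
]

def index_rules(rules):
    """Map each rule name and each namespace prefix to the rules it covers, so that
    `match: anti-analysis/packer` resolves to every rule under that namespace."""
    index = {}
    for rule in rules:
        index.setdefault(rule["name"], []).append(rule)
        parts = rule["namespace"].split("/")
        for i in range(1, len(parts) + 1):
            index.setdefault("/".join(parts[:i]), []).append(rule)
    return index

def evaluate(node, observed, index, matched):
    """Evaluate an and/or feature tree against observed (kind, value) pairs; `match:`
    recurses into the referenced rules and records in `matched` the names that fired."""
    (key, val), = node.items()
    if key == "and":
        return all(evaluate(c, observed, index, matched) for c in val)
    if key == "or":
        return any(evaluate(c, observed, index, matched) for c in val)
    if key == "match":
        # an unresolved match target raises KeyError here, the same symptom the linter reports above
        hits = [r["name"] for r in index[val] if evaluate(r["features"], observed, index, matched)]
        matched.update(hits)
        return bool(hits)
    return (key, val) in observed

def limitation_causes(rules, observed):
    """For each internal/limitation rule that fires, the lower rule names that caused it."""
    index, causes = index_rules(rules), {}
    for rule in rules:
        if rule["namespace"].startswith("internal/limitation"):
            matched = set()
            if evaluate(rule["features"], observed, index, matched):
                causes[rule["name"]] = sorted(matched)
    return causes
```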

@williballenthin williballenthin merged commit 72dab25 into master Jun 1, 2021
@williballenthin williballenthin deleted the feature-590 branch June 1, 2021 17:51
Ana06 added a commit to Ana06/capa that referenced this pull request Jun 2, 2021
The `-` used by the GitHub actions which updates the rules in the
CHANGELOG was removed in:
mandiant#591
Consequently the new rules added in the last pull request were not added
to the CHANGELOG:
mandiant/capa-rules#400
Ana06 added a commit to mandiant/capa that referenced this pull request Jun 2, 2021
The `-` used by the GitHub actions which updates the rules in the
CHANGELOG was removed in:
#591
Consequently the new rules added in the last pull request were not added
to the CHANGELOG:
mandiant/capa-rules#400
Ana06 added a commit to Ana06/capa that referenced this pull request Jun 2, 2021
The sync GH action in capa-rules relies on a single '- *$' in the
CHANGELOG file. Check in the tests that this is the case to avoid that
it is removed.

This happened in the following PR:
mandiant#591
This caused that the new rules in the following PR were not added to the
CHANGELOG:
mandiant/capa-rules#400
@Ana06 Ana06 mentioned this pull request Jun 2, 2021