add more xor instructions
mr-tz committed Dec 7, 2020
1 parent 0e62ebe commit c2ad6ab
Showing 4 changed files with 12 additions and 5 deletions.
2 changes: 1 addition & 1 deletion capa/features/extractors/ida/insn.py
Expand Up @@ -302,7 +302,7 @@ def extract_insn_nzxor_characteristic_features(f, bb, insn):
bb (IDA BasicBlock)
insn (IDA insn_t)
"""
if insn.itype != idaapi.NN_xor:
if insn.itype not in (idaapi.NN_xor, idaapi.NN_xorpd, idaapi.NN_xorps, idaapi.NN_pxor):
return
if capa.features.extractors.ida.helpers.is_operand_equal(insn.Op1, insn.Op2):
return
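Review bot: The set of XOR mnemonics is now hard-coded separately in the IDA, SMDA and viv extractors (this hunk and the matching hunks in capa/features/extractors/smda/insn.py and capa/features/extractors/viv/insn.py), so the next instruction added to one backend can silently be missed by the others and the nzxor characteristic would then differ by backend. Keeping the list in one place, e.g. a documented constant in a shared helpers module that each backend checks against, would remove that drift; in this file the check would read `if insn.itype not in NZXOR_ITYPES:` (constructed name). The function docstrings in all three backends still describe the feature as a plain XOR; a sentence such as `also matches the SSE variants xorpd, xorps and pxor` would keep them in step with the new check. The AVX/VEX forms (vpxor, vxorps, vxorpd) are still not matched; if that is intended, saying so in the same comment would save the next reader from re-deriving it. The body of extract_insn_nzxor_characteristic_features starts and ends outside this hunk.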
2 changes: 1 addition & 1 deletion capa/features/extractors/smda/insn.py
Expand Up @@ -258,7 +258,7 @@ def extract_insn_nzxor_characteristic_features(f, bb, insn):
ignore expected non-zeroing XORs, e.g. security cookies.
"""

if insn.mnemonic != "xor":
if insn.mnemonic not in ("xor", "xorpd", "xorps", "pxor"):
return

operands = [o.strip() for o in insn.operands.split(",")]
2 changes: 1 addition & 1 deletion capa/features/extractors/viv/insn.py
Expand Up @@ -422,7 +422,7 @@ def extract_insn_nzxor_characteristic_features(f, bb, insn):
parse non-zeroing XOR instruction from the given instruction.
ignore expected non-zeroing XORs, e.g. security cookies.
"""
if insn.mnem != "xor":
if insn.mnem not in ("xor", "xorpd", "xorps", "pxor"):
return

if insn.opers[0] == insn.opers[1]:
11 changes: 9 additions & 2 deletions tests/fixtures.py
Expand Up @@ -166,8 +166,10 @@ def get_data_path_by_name(name):
return os.path.join(CD, "data", "82BF6347ACF15E5D883715DC289D8A2B.exe_")
elif name.startswith("pingtaest"):
return os.path.join(CD, "data", "ping_täst.exe_")
elif name.startswith("773290"):
elif name.startswith("77329"):
return os.path.join(CD, "data", "773290480d5445f11d3dc1b800728966.exe_")
elif name.startswith("3b13b"):
return os.path.join(CD, "data", "3b13b6f1d7cd14dc4a097a12e2e505c0a4cff495262261e2bfc991df238b9b04.dll_")
else:
raise ValueError("unexpected sample fixture: %s" % name)

Expand Down Expand Up @@ -208,8 +210,11 @@ def get_sample_md5_by_name(name):
return "64d9f7d96b99467f36e22fada623c3bb"
elif name.startswith("82bf6"):
return "82bf6347acf15e5d883715dc289d8a2b"
elif name.startswith("773290"):
elif name.startswith("77329"):
return "773290480d5445f11d3dc1b800728966"
elif name.startswith("3b13b"):
# file name is SHA256 hash
return "56a6ffe6a02941028cc8235204eef31d"
else:
raise ValueError("unexpected sample fixture: %s" % name)

Expand Down Expand Up @@ -435,6 +440,8 @@ def parametrize(params, values, **kwargs):
("mimikatz", "function=0x40105D", capa.features.Characteristic("nzxor"), False),
# insn/characteristic(nzxor): no security cookies
("mimikatz", "function=0x46D534", capa.features.Characteristic("nzxor"), False),
# insn/characteristic(nzxor): no security cookies
("3b13b...", "function=0x10006860", capa.features.Characteristic("nzxor"), True),
# insn/characteristic(peb access)
("kernel32-64", "function=0x1800017D0", capa.features.Characteristic("peb access"), True),
("mimikatz", "function=0x4556E5", capa.features.Characteristic("peb access"), False),
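Review bot: The comment above the new 3b13b test case in the last hunk reads `# insn/characteristic(nzxor): no security cookies`, copied from the mimikatz case directly above it, but that case expects False while the new one expects True, so the comment contradicts the expectation it annotates. It should state why this function is expected to carry the characteristic, e.g. `# insn/characteristic(nzxor): SSE xor variants (xorpd/xorps/pxor)` — that reason is inferred from the commit title, so confirm it against the function at 0x10006860 before committing the wording. The added `# file name is SHA256 hash` comment in get_sample_md5_by_name would also be clearer if it said which hash the returned value is expected to match in capa's output, since the MD5 cannot be cross-checked against the file name by reading the code. The parametrized list that the last hunk edits starts and ends outside the hunk.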
