render: meta: add base address

mandiant · Jul 2, 2020 · ff44801 · ff44801
1 parent 2676649
commit ff44801
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 3 deletions.
diff --git a/capa/features/extractors/__init__.py b/capa/features/extractors/__init__.py
@@ -39,6 +39,15 @@ def __init__(self):
         #
         super(FeatureExtractor, self).__init__()
 
+    @abc.abstractmethod
+    def get_base_address(self):
+        """
+        fetch the preferred load address at which the sample was analyzed.
+
+        returns: int
+        """
+        raise NotImplemented
+
     @abc.abstractmethod
     def extract_file_features(self):
         """

diff --git a/capa/features/extractors/ida/__init__.py b/capa/features/extractors/ida/__init__.py
@@ -43,6 +43,9 @@ class IdaFeatureExtractor(FeatureExtractor):
     def __init__(self):
         super(IdaFeatureExtractor, self).__init__()
 
+    def get_base_address(self):
+        return idaapi.get_imagebase()
+
     def extract_file_features(self):
         for feature, va in capa.features.extractors.ida.file.extract_features():
             yield feature, va

diff --git a/capa/features/extractors/viv/__init__.py b/capa/features/extractors/viv/__init__.py
@@ -44,6 +44,10 @@ def __init__(self, vw, path):
         self.vw = vw
         self.path = path
 
+    def get_base_address(self):
+        # assume there is only one file loaded into the vw
+        return list(self.vw.filemeta.values())[0]["imagebase"]
+
     def extract_file_features(self):
         for feature, va in capa.features.extractors.viv.file.extract_features(self.vw, self.path):
             yield feature, va

diff --git a/capa/main.py b/capa/main.py
@@ -344,7 +344,11 @@ def collect_metadata(argv, path, format, extractor):
             "sha256": sha256.hexdigest(),
             "path": os.path.normpath(path),
         },
-        "analysis": {"format": format, "extractor": extractor.__class__.__name__,},
+        "analysis": {
+            "format": format,
+            "extractor": extractor.__class__.__name__,
+            "base_address": extractor.get_base_address(),
+        },
     }
 
 

diff --git a/capa/render/verbose.py b/capa/render/verbose.py
@@ -31,7 +31,9 @@ def render_verbose(doc):
         rows.append((k, doc["meta"]["sample"][k]))
 
     for k in ("format", "extractor"):
-        rows.append((k, doc["meta"]["analysis"][k]))
+        rows.append((k.replace("_", " "), doc["meta"]["analysis"][k]))
+
+    rows.append(("base address", rutils.hex(doc["meta"]["analysis"]["base_address"])))
 
     ostream.writeln(tabulate.tabulate(rows, tablefmt="plain"))
     ostream.write("\n")

diff --git a/capa/render/vverbose.py b/capa/render/vverbose.py
@@ -149,7 +149,9 @@ def render_vverbose(doc):
         rows.append((k, doc["meta"]["sample"][k]))
 
     for k in ("format", "extractor"):
-        rows.append((k, doc["meta"]["analysis"][k]))
+        rows.append((k.replace("_", " "), doc["meta"]["analysis"][k]))
+
+    rows.append(("base address", rutils.hex(doc["meta"]["analysis"]["base_address"])))
 
     ostream.writeln(rutils.bold("Capa Report for " + doc["meta"]["sample"]["md5"]))
     ostream.writeln(tabulate.tabulate(rows, tablefmt="plain"))