output/doc missing description for offsets #102

Closed
mike-hunhoff opened this issue Jul 4, 2020 · 8 comments · Fixed by #115
@mike-hunhoff
Collaborator

capa match snippet:

parse PE header (8 matches)
...
function @ 0x1000B090
  or:
    and:
      mnemonic: cmp @ 0x1000B09C, 0x1000B0B8, 0x1000B12B
      or:
        number: 0x4550 = IMAGE_DOS_SIGNATURE (MZ) @ 0x1000B0B8
      or:
        number: 0x5A4D = IMAGE_NT_SIGNATURE (PE) @ 0x1000B097
    and:
      or:
        and:
          offset: 0x50 @ 0x1000B0D2, 0x1000B0F1
          offset: 0x34 @ 0x1000B0D5, 0x1000B1A3, 0x1000B1B0
...

rule snippet:

rule:
  meta:
    name: parse PE header
...
        - or:
          - and:  # 32-bit
            - offset: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage
            - offset: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase
...

doc snippet:

...
                      "children": [
                        {
                          "children": [],
                          "locations": [
                            268480722,
                            268480753
                          ],
                          "node": {
                            "feature": {
                              "offset": "0x50",
                              "type": "offset"
                            },
                            "type": "feature"
                          },
                          "success": true
                        },
                        {
                          "children": [],
                          "locations": [
                            268480725,
                            268480931,
                            268480944
                          ],
                          "node": {
                            "feature": {
                              "offset": "0x34",
                              "type": "offset"
                            },
                            "type": "feature"
                          },
                          "success": true
                        }
                      ],
...
@mike-hunhoff mike-hunhoff added the bug Something isn't working label Jul 4, 2020
@williballenthin williballenthin self-assigned this Jul 5, 2020
@williballenthin williballenthin added this to the 1.0 milestone Jul 5, 2020
@williballenthin
Collaborator

i think this information is here

image

@williballenthin
Collaborator

vverbose mode renders using the json, so if it's able to emit the description, then it must be somewhere in the json.

can you share more details on where this info is missing?

@mike-hunhoff mike-hunhoff changed the title output/doc missing description for number constants output/doc missing description for offsets Jul 6, 2020
@mike-hunhoff
Collaborator Author

For this specific case I was referring to the descriptions included with the following two offsets specified in the rule parse PE header (I mistakenly specified number constants before 🤦):

  - offset: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage
  - offset: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase

The above offsets are matched but the descriptions are not displayed in capa's output:

...
        and:
          offset: 0x50 @ 0x1000B0D2, 0x1000B0F1
          offset: 0x34 @ 0x1000B0D5, 0x1000B1A3, 0x1000B1B0
...

Nor are the descriptions included in the JSON output:

...
                      "children": [
                        {
                          "children": [],
                          "locations": [
                            268480722,
                            268480753
                          ],
                          "node": {
                            "feature": {
                              "offset": "0x50",
                              "type": "offset"
                            },
                            "type": "feature"
                          },
                          "success": true
                        },
                        {
                          "children": [],
                          "locations": [
                            268480725,
                            268480931,
                            268480944
                          ],
                          "node": {
                            "feature": {
                              "offset": "0x34",
                              "type": "offset"
                            },
                            "type": "feature"
                          },
                          "success": true
                        }
                      ],
...

I would expect the descriptions IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage and IMAGE_NT_HEADERS.OptionalHeader.ImageBase to be included.
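
As an added illustration (not capa's own code, and not part of this issue thread), the following Python walks a match tree shaped like the JSON quoted above, renders it in the same style as the vverbose text output, and lists the matched features that carry no description. The SAMPLE_DOC input is constructed from the quoted snippet; placing a "description" key inside the feature dict is an assumption of this example, not a statement about where capa stores it.

```python
import json

# Constructed sample input: the shape of the capa "doc" JSON match tree quoted in this
# issue. The second feature carries a "description" key; where capa stores the rule's
# description in its JSON is an assumption made for this example (not capa's own code).
SAMPLE_DOC = json.loads("""
{
  "node": {"type": "statement", "statement": {"type": "and"}},
  "success": true,
  "locations": [],
  "children": [
    {
      "children": [],
      "locations": [268480722, 268480753],
      "node": {"type": "feature", "feature": {"type": "offset", "offset": "0x50"}},
      "success": true
    },
    {
      "children": [],
      "locations": [268480725, 268480931, 268480944],
      "node": {"type": "feature", "feature": {"type": "offset", "offset": "0x34",
               "description": "IMAGE_NT_HEADERS.OptionalHeader.ImageBase"}},
      "success": true
    }
  ]
}
""")


def format_locations(locations):
    """Render the decimal virtual addresses from the JSON the way the text output does."""
    return ", ".join(f"0x{va:08X}" for va in locations)


def render_feature(feature):
    """Render one feature as 'type: value', plus ' = description' when one is present.

    The JSON keys the feature's value by its type name ({"type": "offset", "offset": "0x50"}),
    so the value is looked up with the type string.
    """
    ftype = feature["type"]
    text = f"{ftype}: {feature[ftype]}"
    description = feature.get("description")
    if description:
        text += f" = {description}"
    return text


def render_match(match, indent=0):
    """Walk a match tree and emit vverbose-style lines for every successful node."""
    pad = "  " * indent
    node = match["node"]
    if node["type"] == "statement":
        lines = [f"{pad}{node['statement']['type']}:"]
    else:
        lines = [f"{pad}{render_feature(node['feature'])} @ {format_locations(match['locations'])}"]
    for child in match.get("children", []):
        if child.get("success"):
            lines.extend(render_match(child, indent + 1))
    return lines


def features_without_description(match):
    """Return the rendered features that matched but carry no description.

    A renderer cannot show what the JSON does not contain, so a non-empty result for a
    rule whose features do have descriptions is the symptom reported in this issue.
    """
    found = []
    node = match["node"]
    if node["type"] == "feature" and not node["feature"].get("description"):
        found.append(render_feature(node["feature"]))
    for child in match.get("children", []):
        found.extend(features_without_description(child))
    return found


if __name__ == "__main__":
    print("\n".join(render_match(SAMPLE_DOC)))
    print("features without description:", features_without_description(SAMPLE_DOC))
```

Run against the sample, the renderer prints the 0x34 line with its description and the 0x50 line without one, and features_without_description returns the 0x50 feature, which is exactly the gap between the rule text and the JSON that this issue describes.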

@williballenthin
Collaborator

williballenthin commented Jul 6, 2020

can you share the command you're using to get this output (primarily looking for the sample hash)

edit: non-public hash shared with me via PM

@williballenthin
Collaborator

sorry, i didn't notice that the descriptions didn't match in your original post. i do see there is a description in the vverbose output, but it doesn't match what's provided by the rule?

@williballenthin
Collaborator

passing the description was missing here:

image

@williballenthin
Collaborator

looks better now

image

@williballenthin
Collaborator

@Ana06

williballenthin added a commit that referenced this issue Jul 6, 2020
@mr-tz mr-tz closed this as completed in #115 Jul 7, 2020
mr-tz added a commit that referenced this issue Jul 7, 2020