add JSON-formatted output mode #31
Assignees
Labels
enhancement
New feature or request
Comments
|
plan: {
$rule-name: {
"meta": {...copy of rule.meta...},
"matches": {
0x401000: { ...TODO: details of logic match...},
...
}
},
...
} |
|
example output: {
"calculate module 256 via x86 assembly": {...},
"read file via mapping": {
"matches": {
"4198560": {
"children": [
{
"children": [],
"locations": [
4198630
],
"node": {
"feature": {
"api": "kernel32.MapViewOfFile",
"type": "api"
},
"type": "feature"
},
"success": true
},
{
"children": [],
"locations": [
4198599,
4198661
],
"node": {
"feature": {
"number": 4,
"type": "number"
},
"type": "feature"
},
"success": true
},
{
"children": [
{
"children": [],
"locations": [
4198843
],
"node": {
"feature": {
"api": "kernel32.UnmapViewOfFile",
"type": "api"
},
"type": "feature"
},
"success": true
},
{
"children": [
{
"children": [],
"node": {
"feature": {
"match": "get file size",
"type": "match"
},
"type": "feature"
},
"success": false
},
{
"children": [],
"locations": [
4198608
],
"node": {
"feature": {
"api": "kernel32.CreateFileMapping",
"type": "api"
},
"type": "feature"
},
"success": true
},
{
"children": [],
"locations": [
4198803
],
"node": {
"feature": {
"number": 2,
"type": "number"
},
"type": "feature"
},
"success": true
}
],
"node": {
"statement": {
"type": "and"
},
"type": "statement"
},
"success": false
}
],
"node": {
"statement": {
"type": "optional"
},
"type": "statement"
},
"success": true
}
],
"node": {
"statement": {
"type": "and"
},
"type": "statement"
},
"success": true
},
"4199488": {
"children": [
{
"children": [],
"locations": [
4199636,
4199717
],
"node": {
"feature": {
"api": "kernel32.MapViewOfFile",
"type": "api"
},
"type": "feature"
},
"success": true
},
{
"children": [],
"locations": [
4199633,
4199687,
4199903,
4200316,
4200346,
4200382
],
"node": {
"feature": {
"number": 4,
"type": "number"
},
"type": "feature"
},
"success": true
},
{
"children": [
{
"children": [],
"node": {
"feature": {
"api": "kernel32.UnmapViewOfFile",
"type": "api"
},
"type": "feature"
},
"success": false
},
{
"children": [
{
"children": [],
"node": {
"feature": {
"match": "get file size",
"type": "match"
},
"type": "feature"
},
"success": false
},
{
"children": [],
"locations": [
4199619,
4199692
],
"node": {
"feature": {
"api": "kernel32.CreateFileMapping",
"type": "api"
},
"type": "feature"
},
"success": true
},
{
"children": [],
"locations": [
4199495,
4199546,
4199549,
4199610,
4199869,
4200156,
4200264,
4200313,
4200335
],
"node": {
"feature": {
"number": 2,
"type": "number"
},
"type": "feature"
},
"success": true
}
],
"node": {
"statement": {
"type": "and"
},
"type": "statement"
},
"success": false
}
],
"node": {
"statement": {
"type": "optional"
},
"type": "statement"
},
"success": true
}
],
"node": {
"statement": {
"type": "and"
},
"type": "statement"
},
"success": true
}
},
"meta": {
"author": "michael.hunhoff@fireeye.com",
"capa/nursery": true,
"capa/path": "/home/user/code/capa-pub/capa/../rules/nursery/read-file-via-mapping.yml",
"name": "read file via mapping",
"namespace": "host-interaction/file-system/read",
"scope": "function"
}
}
} |
|
added in #34 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
use this JSON as the source data for all formatters. this will ensure it has all data necessary to render complete details of capa matches.
the JSON document will be the primary method of integration for external tools and scripts, rather than supporting a multitude of integrations.
The text was updated successfully, but these errors were encountered: