Releases: mandiant/capa
Releases · mandiant/capa
v2.0.0
We are excited to announce version 2.0! 🎉
This release:
- enables anyone to contribute rules more easily
- is the first Python 3 ONLY version
- provides more concise and relevant results via identification of library functions using FLIRT
- includes many features and enhancements for the capa explorer IDA plugin
- adds 93 new rules, including all new techniques introduced in MITRE ATT&CK v9
A huge thanks to everyone who submitted issues, provided feedback, and contributed code and rules. Many colleagues across dozens of organizations have volunteered their experience to improve this tool! ❤️
New Features
- rules: update ATT&CK and MBC mappings mandiant/capa-rules#317 @williballenthin
- main: use FLIRT signatures to identify and ignore library code #446 @williballenthin
- tests: update test cases and caching #545 @mr-tz
- scripts: capa2yara.py convert capa rules to YARA rules #561 @ruppde
- rule: add file-scope feature (
function-name) for recognized library functions #567 @williballenthin - main: auto detect shellcode based on file extension #516 @mr-tz
- main: more detailed progress bar output when matching functions #562 @mr-tz
- main: detect file limitations without doing code analysis for better performance #583 @williballenthin
- show-features: don't show features from library functions #569 @williballenthin
- linter: summarize results at the end #571 @williballenthin
- linter: check for
orwith always true child statement, e.g.optional, colors #348 @mr-tz
Breaking Changes
- py3: drop Python 2 support #480 @Ana06
- meta: added
library_functionsfield,feature_counts.functionsdoes not include library functions any more #562 @mr-tz - json: results document now contains parsed ATT&CK and MBC fields instead of canonical representation #526 @mr-tz
- json: record all matching strings for regex #159 @williballenthin
- main: implement file limitations via rules not code #390 @williballenthin
- json: correctly render negative offsets #619 @williballenthin
- library: remove logic from
__init__.pythroughout #622 @williballenthin
New Rules (93)
- anti-analysis/packer/amber/packed-with-amber @gormaniac
- collection/file-managers/gather-3d-ftp-information @re-fox
- collection/file-managers/gather-alftp-information @re-fox
- collection/file-managers/gather-bitkinex-information @re-fox
- collection/file-managers/gather-blazeftp-information @re-fox
- collection/file-managers/gather-bulletproof-ftp-information @re-fox
- collection/file-managers/gather-classicftp-information @re-fox
- collection/file-managers/gather-coreftp-information @re-fox
- collection/file-managers/gather-cuteftp-information @re-fox
- collection/file-managers/gather-cyberduck-information @re-fox
- collection/file-managers/gather-direct-ftp-information @re-fox
- collection/file-managers/gather-directory-opus-information @re-fox
- collection/file-managers/gather-expandrive-information @re-fox
- collection/file-managers/gather-faststone-browser-information @re-fox
- collection/file-managers/gather-fasttrack-ftp-information @re-fox
- collection/file-managers/gather-ffftp-information @re-fox
- collection/file-managers/gather-filezilla-information @re-fox
- collection/file-managers/gather-flashfxp-information @re-fox
- collection/file-managers/gather-fling-ftp-information @re-fox
- collection/file-managers/gather-freshftp-information @re-fox
- collection/file-managers/gather-frigate3-information @re-fox
- collection/file-managers/gather-ftp-commander-information @re-fox
- collection/file-managers/gather-ftp-explorer-information @re-fox
- collection/file-managers/gather-ftp-voyager-information @re-fox
- collection/file-managers/gather-ftpgetter-information @re-fox
- collection/file-managers/gather-ftpinfo-information @re-fox
- collection/file-managers/gather-ftpnow-information @re-fox
- collection/file-managers/gather-ftprush-information @re-fox
- collection/file-managers/gather-ftpshell-information @re-fox
- collection/file-managers/gather-global-downloader-information @re-fox
- collection/file-managers/gather-goftp-information @re-fox
- collection/file-managers/gather-leapftp-information @re-fox
- collection/file-managers/gather-netdrive-information @re-fox
- collection/file-managers/gather-nexusfile-information @re-fox
- collection/file-managers/gather-nova-ftp-information @re-fox
- collection/file-managers/gather-robo-ftp-information @re-fox
- collection/file-managers/gather-securefx-information @re-fox
- collection/file-managers/gather-smart-ftp-information @re-fox
- collection/file-managers/gather-softx-ftp-information @re-fox
- collection/file-managers/gather-southriver-webdrive-information @re-fox
- collection/file-managers/gather-staff-ftp-information @re-fox
- collection/file-managers/gather-total-commander-information @re-fox
- collection/file-managers/gather-turbo-ftp-information @re-fox
- collection/file-managers/gather-ultrafxp-information @re-fox
- collection/file-managers/gather-winscp-information @re-fox
- collection/file-managers/gather-winzip-information @re-fox
- collection/file-managers/gather-wise-ftp-information @re-fox
- collection/file-managers/gather-ws-ftp-information @re-fox
- collection/file-managers/gather-xftp-information @re-fox
- data-manipulation/compression/decompress-data-using-aplib @r3c0nst @mr-tz
- host-interaction/bootloader/disable-code-signing @williballenthin
- host-interaction/bootloader/manipulate-boot-configuration @williballenthin
- host-interaction/driver/disable-driver-code-integrity @williballenthin
- host-interaction/file-system/bypass-mark-of-the-web @williballenthin
- host-interaction/network/domain/get-domain-information @recvfrom
- host-interaction/session/get-logon-sessions @recvfrom
- linking/runtime-linking/resolve-function-by-fin8-fasthash @r3c0nst @mr-tz
- nursery/build-docker-image @williballenthin
- nursery/create-container @williballenthin
- nursery/encrypt-data-using-fakem-cipher @mike-hunhoff
- nursery/list-containers @williballenthin
- nursery/run-in-container @williballenthin
- persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement @williballenthin
- collection/password-manager/steal-keepass-passwords-using-keefarce @Ana06
- host-interaction/network/connectivity/check-internet-connectivity-via-wininet matthew.williams@fireeye.com michael.hunhoff@fireeye.com
- nursery/create-bits-job @mr-tz
- nursery/execute-syscall-instruction @kulinacs @mr-tz
- nursery/connect-to-wmi-namespace-via-wbemlocator michael.hunhoff@fireeye.com
- anti-analysis/obfuscation/obfuscated-with-callobfuscator johnk3r
- executable/installer/inno-setup/packaged-as-an-inno-setup-installer awillia2@cisco.com
- data-manipulation/hashing/djb2/hash-data-using-djb2 awillia2@cisco.com
- data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table gilbert.elliot@fireeye.com
- nursery/list-tcp-connections-and-listeners michael.hunhoff@fireeye.com
- nursery/list-udp-connections-and-listeners michael.hunhoff@fireeye.com
- nursery/log-keystrokes-via-raw-input-data michael.hunhoff@fireeye.com
- nursery/register-http-server-url michael.hunhoff@fireeye.com
- internal/limitation/file/internal-autoit-file-limitation.yml william.ballenthin@fireeye.com
- internal/limitation/file/internal-dotnet-file-limitation.yml william.ballenthin@fireeye.com
- internal/limitation/file/internal-installer-file-limitation.yml william.ballenthin@fireeye.com
- internal/limitation/file/internal-packer-file-limitation.yml william.ballenthin@fireeye.com
- host-interaction/network/domain/enumerate-domain-computers-via-ldap awillia2@cisco.com
- host-interaction/network/domain/get-domain-controller-name awillia2@cisco.com
- internal/limitation/file/internal-visual-basic-file-limitation @mr-tz
- data-manipulation/hashing/md5/hash-data-with-md5 moritz.raabe@fireeye.com
- compiler/autohotkey/compiled-with-autohotkey awillia2@cisco.com
- internal/limitation/file/internal-autohotkey-file-limitation @mr-tz
- host-interaction/process/dump/create-process-memory-minidump michael.hunhoff@fireeye.com
- nursery/get-storage-device-properties michael.hunhoff@fireeye.com
- nursery/execute-shell-command-via-windows-remote-management michael.hunhoff@fireeye.com
- nursery/get-token-privileges michael.hunhoff@fireeye.com
- nursery/prompt-user-for-credentials michael.hunhoff@fireeye.com
- nursery/spoof-parent-pid michael.hunhoff@fireeye.com
Bug Fixes
- build: use Python 3.8 for PyInstaller to support consistently running across multiple operating systems including Windows 7 #505 @mr-tz
- main: correctly match BB-scope matches at file scope #605 @williballenthin
- main: do not process non-PE files even when --format explicitly provided #664 @mr-tz
capa explorer IDA Pro plugin
- explorer: IDA 7.6 support #497 @williballenthin
- explorer: explain how to install IDA 7.6 patch to enable the plugin #528 @williballenthin
- explorer: document IDA 7.6sp1 as alternative to the patch #536 @Ana06
- explorer: add support for function-name feature #618 @mike-hunhoff
- explorer: circular import workaround #654 @mike-hunhoff
- explorer: add argument to control whether to automatically analyze when running capa explorer #548 @Ana06
- explorer: extract API features via function names recognized by IDA/FLIRT #661 @mr-tz
Development
- ci: add capa release link to capa-rules tag #517 @Ana06
- ci, changelog: update
New Rulessection in CHANGELOG automatically mandiant/capa-rules#374 #549 #604 @Ana06 - ci, changelog: support multiple author in sync GH mandiant/capa-rules#378 @Ana06
- ci, lint: check statements for single child statements #563 @mr-tz
- ci: reject PRs without CHANGELOG up...
v1.6.3
v1.6.3 (2021-04-29)
This release adds IDA 7.6 support to capa.
Changes
- IDA 7.6 support @williballenthin @Ana06
Raw diffs
v1.6.2
v1.6.1
v1.6.1 (2021-04-07)
This release includes several bug fixes, such as a vivisect issue that prevented capa from working on Windows with Python 3. It also adds 17 new rules and a bunch of improvements in the rules and IDA rule generator. We appreciate everyone who opened issues, provided feedback, and contributed code and rules.
Upcoming changes
This is the very last capa release that supports Python 2. The next release will be v2.0 and will have breaking changes, including the removal of Python 2 support.
New features
- explorer: add support for multi-line tab and SHIFT + Tab #474 @mike-hunhoff
New Rules (17)
- encrypt data using RC4 with custom key via WinAPI @MalwareMechanic
- encrypt data using Curve25519 @dandonov
- packaged as an IExpress self-extracting archive @recvfrom
- create registry key via offline registry library @johnk3r
- open registry key via offline registry library @johnk3r
- query registry key via offline registry library @johnk3r
- set registry key via offline registry library @johnk3r
- delete registry key via offline registry library @johnk3r
- enumerate PE sections @Ana06
- inject DLL reflectively @Ana06
- inspect section memory permissions @Ana06
- parse PE exports @Ana06
- rebuild import table @Ana06
- compare security identifiers @mike-hunhoff
- get user security identifier @mike-hunhoff
- listen for remote procedure calls @mike-hunhoff
- query remote server for available data @mike-hunhoff
Bug Fixes
- vivisect: update to v1.0.1 which includes bug fix for #459 (capa failed in Windows with Python 3 and vivisect) #512 @williballenthin
- explorer: fix initialize rules directory #464 @mike-hunhoff
- explorer: support subscope rules #493 @mike-hunhoff
- explorer: add checks to validate matched data when searching #500 @mike-hunhoff
- features, explorer: add support for string features with special characters e.g. '\n' #468 @mike-hunhoff
Changes
- vivisect: raises
IncompatibleVivVersioninstead ofUnicodeDecodeErrorwhen using incompatible Python 2.vivfiles with Python3 #479 @Ana06 - explorer: improve settings modification #465 @mike-hunhoff
- rules: improvements @mr-tz, @re-fox, @mike-hunhoff
- rules, lint: enforce string with double quotes formatting in rules #468 @mike-hunhoff
- lint: ensure LF end of line #485 #486 @mr-tz
- setup: pin dependencies #513 #504 @Ana06 @mr-tz
Development
- ci: test on Windows, Ubuntu, macOS across Python versions #470 @mr-tz @Ana06
- ci: pin OS versions #491 @williballenthin
- ci: tag capa-rules on release #476 @Ana06
- doc: document release process #476 @Ana06
- doc: Improve README badges #477 #478 @Ana06 @mr-tz
- doc: update capa explorer documentation #503 @mike-hunhoff
- doc: add PR template #495 @mr-tz
- changelog: document incompatibility of viv files #475 @Ana06
- rule loading: ignore files starting with .git #492 @mr-tz
Raw diffs
v1.6.0
v1.6.0 (2021-03-09)
This release adds the capa explorer rule generator plugin for IDA Pro, vivisect support for Python 3 and 12 new rules. We appreciate everyone who opened issues, provided feedback, and contributed code and rules. Thank you also to the vivisect development team (@rakuy0, @atlas0fd00m) for the Python 3 support (vivisect==1.0.0) and the fixes for Python 2 (vivisect==0.2.1).
Rule Generator IDA Plugin
The capa explorer IDA plugin now helps you quickly build new capa rules using features extracted directly from your IDA database. Without leaving the plugin interface you can use the features extracted by capa explorer to develop and test new rules and save your work directly to your capa rules directory. To get started select the new Rule Generator tab, navigate to a function in the IDA Disassembly view, and click Analyze. For more information check out the capa explorer readme.
Python 2/3 vivisect workspace compatibility
This version of capa adds Python 3 support in vivisect. Note that .viv files (generated by vivisect) are not compatible between Python 2 and Python 3. When updating to Python 3 you need to delete all the .viv files for capa to work.
If you get the following error (or a similar one), you most likely need to delete .viv files:
UnicodeDecodeError: 'ascii' codec can't decode byte 0x90 in position 2: ordinal not in range(128)
Upcoming changes
This is the last capa release that supports Python 2. The next release will be v2.0 and will have breaking changes, including the removal of Python 2 support.
If you have workflows that rely on the Python 2 version and need future maintenance, please reach out. We may be able to supply limited backports of key fixes and features.
New features
- explorer: Add capa explorer rule generator plugin for IDA Pro. Now capa explorer helps you build new capa rules! #426, #438, #439 @mike-hunhoff
- python: Python 3 support in vivisect #421 @Ana06
- main: Add backend option in Python 3 to select the backend to be used (either SMDA or vivisect) #421 @Ana06
- python: Python 3 support in IDA #429, #437 @mike-hunhoff
- ci: test pyinstaller CI #452 @williballenthin
- scripts: enable multiple backends in
show-features.py#429 @mike-hunhoff - scripts: add
scripts/vivisect-py2-vs-py3.shto compare vivisect Python 2 vs 3 (can easily be modified to test run times and compare different versions) #421 @Ana06
New Rules (12)
- patch process command line @re-fox @williballenthin (graduated from nursery)
- compiled with dmd @re-fox
- compiled with exe4j @johnk3r
- compiled from Visual Basic @williballenthin
- capture screenshot in Go @TcM1911
- compiled with Nim @mike-hunhoff
- linked against Go process enumeration library @TcM1911
- linked against Go registry library @TcM1911
- linked against Go WMI library @TcM1911
- linked against Go static asset library @TcM1911
- inspect load icon resource @mike-hunhoff
- linked against XZip @mr-tz
Bug Fixes
- ida: check for unmapped addresses when resolving data references #436 @mike-hunhoff
Changes
- setup: vivisect v1.0.0 is the default backend for Python3 (it was SMDA before) #421 @Ana06
- setup: bump vivisect to 0.2.1 #454 @mr-tz
- linter: adding ntoskrnl, ntdll overlap lint #428 @mike-hunhoff
- ci: use py3.9 and pyinstaller 4.2 to build standalone binaries #452 @williballenthin
- scripts: remove old migration script #450 @williballenthin
Development
- main: factor out common cli argument handling #450 @williballenthin
Raw diffs
v1.5.1
v1.5.1 (2021-02-09)
This release fixes the version number that we forgot to update for v1.5.0 (therefore, v1.5.0 was not published to pypi). It also includes 1 new rule and some rule improvements.
New Rules (1)
- encrypt data using vest @re-fox
Raw diffs
v1.5.0
v1.5.0 (2021-02-05)
This release brings support for running capa under Python 3 via SMDA, more thorough CI testing and linting, better extraction of strings and byte features, and 50 (!) new rules. We appreciate everyone who opened issues, provided feedback, and contributed code and rules. A special shout out to the following new project contributors:
@dzbeck also added Malware Behavior Catalog (MBC) and ATT&CK mappings for many rules.
Download a standalone binary below and checkout the readme here on GitHub. Report issues on our issue tracker and contribute new rules at capa-rules.
New Features
- py3 support via SMDA #355 @danielplohmann @jcrussell
- scripts: example of using capa as a library #372, #380 @doomedraven
- freeze: add base address #391 @mr-tz
- json: meta: add base address #412 @mr-tz
New Rules (50)
- 64-bit execution via heavens gate @recvfrom
- contain anti-disasm techniques @mr-tz
- check for microsoft office emulation @re-fox
- check for windows sandbox via device @re-fox
- check for windows sandbox via dns suffix @re-fox
- check for windows sandbox via genuine state @re-fox
- check for windows sandbox via process name @re-fox
- check for windows sandbox via registry @re-fox
- capture microphone audio @re-fox
- capture public ip @re-fox
- get domain trust relationships @johnk3r
- check HTTP status code @mr-tz
- compiled with perl2exe @re-fox
- compiled with ps2exe @re-fox
- compiled with pyarmor @stvemillertime, @itreallynick
- validate payment card number using luhn algorithm @re-fox
- hash data using fnv @re-fox @mr-tz
- generate random numbers via WinAPI @mike-hunhoff @johnk3r
- enumerate files recursively @re-fox
- get file system object information @mike-hunhoff
- read virtual disk @re-fox
- register minifilter driver @mike-hunhoff
- start minifilter driver @mike-hunhoff
- enumerate gui resources @johnk3r
- simulate CTRL ALT DEL @mike-hunhoff
- hijack thread execution @0x534a
- inject dll @0x534a
- inject pe @0x534a
- create or open registry key @mike-hunhoff
- delete registry value @mike-hunhoff
- query or enumerate registry key @mike-hunhoff
- query or enumerate registry value @mike-hunhoff
- resume thread @0x534a
- suspend thread @0x534a
- allocate memory @0x534a
- allocate RW memory @0x534a
- contain pusha popa sequence @mr-tz
- create or open file @mike-hunhoff
- open process @0x534a
- open thread @0x534a
- get kernel32 base address @mr-tz
- get ntdll base address @mr-tz
- encrypt or decrypt data via BCrypt @mike-hunhoff
- generate random numbers using the Delphi LCG @williballenthin
- hash data via BCrypt @mike-hunhoff
- migrate process to active window station @williballenthin
- patch process command line @williballenthin
- resolve function by hash @williballenthin
- persist via Winlogon Helper DLL registry key @0x534a
- schedule task via command line @0x534a
Bug Fixes
- doc: pyinstaller build process @mr-tz
- ida: better bytes extraction #409 @mike-hunhoff
- viv: better unicode string extraction #364 @mike-hunhoff
- viv: better unicode string extraction #378 @mr-tz
- viv: more xor instructions #379 @mr-tz
- viv: decrease logging verbosity #381 @mr-tz
- rules: fix api description syntax #403 @mike-hunhoff
- main: disable progress background thread #410 @mike-hunhoff
Changes
- rules: return lib rules for scopes #398 @mr-tz
- ci: enable dependabot #373 @mr-tz
- ci: lint rules @mr-tz
- ci: lint rule format #401 @mr-tz
Raw diffs
v1.4.1
v1.4.1 (2020-10-23)
This release fixes an issue building capa on our CI server, which prevented us from building standalone binaries for v1.4.0.
Bug Fixes
- install VC dependencies for Python 2.7 during Windows build
Raw diffs
v1.4.0
v1.4.0 (2020-10-23)
This capa release includes changes to the rule parsing, enhanced feature extraction, various bug fixes, and improved capa scripts. Everyone should benefit from the improved functionality and performance. The community helped to add 69 new rules. We appreciate everyone who opened issues, provided feedback, and contributed code and rules. A special shout out to the following new project contributors:
@dzbeck added Malware Behavior Catalog (MBC) and ATT&CK mappings for 86 rules.
Due to an issue with our CI build configuration, please download standalone binaries from the v1.4.1 release here. Checkout the readme here on GitHub. Report issues on our issue tracker and contribute new rules at capa-rules.
New features
- script that demonstrates bulk processing @williballenthin #307
- main: render MBC table @mr-tz #332
- ida backend: improve detection of APIs called via two or more chained thunks @mike-hunhoff #340
- viv backend: improve detection of APIs called via two or more chained thunks @mr-tz #341
- features: extract APIs called via jmp instruction @mr-tz #337
New rules
- clear the Windows event log @mike-hunhoff
- crash the Windows event logging service @mike-hunhoff
- packed with kkrunchy @re-fox
- packed with nspack @re-fox
- packed with pebundle @re-fox
- packed with pelocknt @re-fox
- packed with peshield @re-fox
- packed with petite @re-fox
- packed with rlpack @re-fox
- packed with upack @re-fox
- packed with y0da crypter @re-fox
- compiled with rust @re-fox
- compute adler32 checksum @mwilliams31
- encrypt-data-using-hc-128 @recvfrom
- manipulate console @williballenthin
- references logon banner @re-fox
- terminate process via fastfail @re-fox
- delete volume shadow copies @mr-tz
- authenticate HMAC @mr-tz
- compiled from EPL @williballenthin
- compiled with Go @williballenthin
- create Restart Manager session @mike-hunhoff
- decode data using Base64 via WinAPI @mike-hunhoff
- empty recycle bin quietly @mwilliams31
- enumerate network shares @mike-hunhoff
- hook routines via microsoft detours @williballenthin
- hooked by API Override @williballenthin
- impersonate user @mike-hunhoff
- the @williballenthin packer detection package, thanks to Hexacorn for the data, see https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
- packed with CCG
- packed with Crunch
- packed with Dragon Armor
- packed with enigma
- packed with Epack
- packed with MaskPE
- packed with MEW
- packed with Mpress
- packed with Neolite
- packed with PECompact
- packed with Pepack
- packed with Perplex
- packed with ProCrypt
- packed with RPCrypt
- packed with SeauSFX
- packed with Shrinker
- packed with Simple Pack
- packed with StarForce
- packed with SVKP
- packed with Themida
- packed with TSULoader
- packed with VProtect
- packed with WWPACK
- rebuilt by ImpRec
- packaged as a Pintool
- packaged as a CreateInstall installer
- packaged as a WinZip self-extracting archive
- reference 114DNS DNS server @williballenthin
- reference AliDNS DNS server @williballenthin
- reference Cloudflare DNS server @williballenthin
- reference Comodo Secure DNS server @williballenthin
- reference Google Public DNS server @williballenthin
- reference Hurricane Electric DNS server @williballenthin
- reference kornet DNS server @williballenthin
- reference L3 DNS server @williballenthin
- reference OpenDNS DNS server @williballenthin
- reference Quad9 DNS server @williballenthin
- reference Verisign DNS server @williballenthin
- run as service @mike-hunhoff
- schedule task via ITaskService @mike-hunhoff
- references DNS over HTTPS endpoints @yt0ng
Bug fixes
- ida plugin: fix tree-view exception @mike-hunhoff #315
- ida plugin: fix feature count @mike-hunhoff
- main: fix reported total rule count @williballenthin #325
- features: fix handling of API names with multiple periods @mike-hunhoff #329
- ida backend: find all byte sequences instead of only first @mike-hunhoff #335
- features: display 0 value @mr-tz #338
- ida backend: extract ordinal and name imports @mr-tz #343
- show-features: improvements and support within IDA @mr-tz #342
- main: sanity check MBC rendering @williballenthin
- main: handle sample path that contains non-ASCII characters @mr-tz #328
Changes
- rules: use yaml.CLoader for better performance @williballenthin #306
- rules: parse descriptions for statements @mr-tz #312
Raw diffs
Standalone binaries
Due to an issue with our CI build configuration, please download standalone binaries from the v1.4.1 release here.
v1.3.0
v1.3.0 (2020-09-14)
This release brings newly updated mappings to the Malware Behavior Catalog version 2.0, many enhancements to the IDA Pro plugin, flare-capa on PyPI, a bunch of bug fixes to improve feature extraction, and four new rules. We received contributions from ten reverse engineers, including seven new ones:
Download a standalone binary below and checkout the readme here on GitHub. Report issues on our issue tracker and contribute new rules at capa-rules.
Key changes to IDA Plugin
The IDA Pro integration is now distributed as a real plugin, instead of a script. This enables a few things:
- keyboard shortcuts and file menu integration
- updates distributed PyPI/
pip install --upgradewithout touching your%IDADIR% - generally doing thing the "right way"
How to get this new version? Its easy: download capa_explorer.py to your IDA plugins directory and update your capa installation (incidentally, this is a good opportunity to migrate to pip install flare-capa instead of git checkouts). Now you should see the plugin listed in the Edit > Plugins > FLARE capa explorer menu in IDA.
Please refer to the plugin readme for additional information on installing and using the IDA Pro plugin.
Please open an issue in this repository if you notice anything weird.
New features
- ida plugin: now a real plugin, not a script @mike-hunhoff
- core: distributed via PyPI as flare-capa @williballenthin
- features: enable automatic A/W handling for imports @williballenthin @Ana06 #246
- ida plugin: persist rules directory setting via ida-settings @williballenthin #268
- ida plugin: add search bar to results view @williballenthin #285
- ida plugin: add
AnalyzeandResetbuttons to tree view @mike-hunhoff #304 - ida plugin: add status label to tree view @mike-hunhoff
- ida plugin: add progress indicator @mike-hunhoff, @mr-tz
New rules
- compiled with py2exe @re-fox
- resolve path using msvcrt @re-fox
- decompress data using QuickLZ @edeca
- encrypt data using sosemanuk @recvfrom
Bug fixes
- rule: reduce FP in DNS resolution @toomanybananas
- engine: report correct strings matched via regex @williballenthin #262
- formatter: correctly format descriptions in two-line syntax @williballenthin @recvfrom #263
- viv: better extract offsets from SibOper operands @williballenthin @edeca #276
- import-to-ida: fix import error @cclauss
- viv: don't write settings to ~/.viv/viv.json @williballenthin @rakuy0 @weslambert #244
- ida plugin: remove dependency loop that resulted in unnecessary overhead @mike-hunhoff #303
- ida plugin: correctly highlight regex matches in IDA Disassembly view @mike-hunhoff #305
- ida plugin: better handle rule directory prompt and failure case @stevemk14ebr @mike-hunhoff #309
Changes
- rules: update meta mapping to MBC 2.0! @dzbeck
- render: don't display rules that are also matched by other rules @williballenthin @Ana06 #224
- ida plugin: simplify tabs, removing summary and adding detail to results view @williballenthin #286
- ida plugin: analysis is no longer automatically started when plugin is first opened @mike-hunhoff #304
- ida plugin: user must manually select a capa rules directory before analysis can be performed @mike-hunhoff
- ida plugin: user interface controls are disabled until analysis is performed @mike-hunhoff #304