MBot Posted September 14, 2020 at 09:55 PM

v1.3.0 (2020-09-14)

This release brings newly updated mappings to the Malware Behavior Catalog version 2.0, many enhancements to the IDA Pro plugin, flare-capa on PyPI, a bunch of bug fixes to improve feature extraction, and four new rules.

We received contributions from ten reverse engineers, including seven new ones: @dzbeck @recvfrom @toomanybananas @cclauss @adamprescott91 @weslambert @stevemk14ebr

Download a standalone binary below and check out the readme here on GitHub. Report issues on our issue tracker and contribute new rules at capa-rules.

Key changes to IDA Plugin

The IDA Pro integration is now distributed as a real plugin, instead of a script. This enables a few things:
- keyboard shortcuts and file menu integration
- updates distributed via PyPI/pip install --upgrade without touching your %IDADIR%
- generally doing things the "right way"

How to get this new version? It's easy: download capa_explorer.py to your IDA plugins directory and update your capa installation (incidentally, this is a good opportunity to migrate to pip install flare-capa instead of git checkouts). Now you should see the plugin listed in the Edit > Plugins > FLARE capa explorer menu in IDA. Please refer to the plugin readme for additional information on installing and using the IDA Pro plugin. Please open an issue in this repository if you notice anything weird.

New features
- ida plugin: now a real plugin, not a script @mike-hunhoff
- core: distributed via PyPI as flare-capa @williballenthin
- features: enable automatic A/W handling for imports @williballenthin @Ana06 #246
- ida plugin: persist rules directory setting via ida-settings @williballenthin #268
- ida plugin: add search bar to results view @williballenthin #285
- ida plugin: add Analyze and Reset buttons to tree view @mike-hunhoff #304
- ida plugin: add status label to tree view @mike-hunhoff
- ida plugin: add progress indicator @mike-hunhoff, @mr-tz

New rules
- compiled with py2exe @re-fox
- resolve path using msvcrt @re-fox
- decompress data using QuickLZ @edeca
- encrypt data using sosemanuk @recvfrom

Bug fixes
- rule: reduce FP in DNS resolution @toomanybananas
- engine: report correct strings matched via regex @williballenthin #262
- formatter: correctly format descriptions in two-line syntax @williballenthin @recvfrom #263
- viv: better extract offsets from SibOper operands @williballenthin @edeca #276
- import-to-ida: fix import error @cclauss
- viv: don't write settings to ~/.viv/viv.json @williballenthin @rakuy0 @weslambert #244
- ida plugin: remove dependency loop that resulted in unnecessary overhead @mike-hunhoff #303
- ida plugin: correctly highlight regex matches in IDA Disassembly view @mike-hunhoff #305
- ida plugin: better handle rule directory prompt and failure case @stevemk14ebr @mike-hunhoff #309

Changes
- rules: update meta mapping to MBC 2.0! @dzbeck
- render: don't display rules that are also matched by other rules @williballenthin @Ana06 #224
- ida plugin: simplify tabs, removing summary and adding detail to results view @williballenthin #286
- ida plugin: analysis is no longer automatically started when plugin is first opened @mike-hunhoff #304
- ida plugin: user must manually select a capa rules directory before analysis can be performed @mike-hunhoff
- ida plugin: user interface controls are disabled until analysis is performed @mike-hunhoff #304

Raw diffs
- capa v1.2.0...v1.3.0
- capa-rules v1.2.0...v1.3.0