capa v1.1.0

[MBot]

This release brings new rule format updates, such as adding offset/x32 and negative offsets, fixes some bugs identified by the community, and 28 (!) new rules. We received contributions from eight reverse engineers, including four new ones:

• @re-fox
• @psifertex
• @BitsOfBinary
• @threathive

Download a standalone binary below and checkout the readme here on GitHub. Report issues on our issue tracker and contribute new rules at capa-rules.

New features

• import: add Binary Ninja import script #205 #207 @psifertex
• rules: offsets can be negative #197 #208 @williballenthin
• rules: enable descriptions for statement nodes #194 #209 @Ana06
• rules: add arch flavors to number and offset features #210 #216 @williballenthin
• render: show SHA1/SHA256 in default report #164 @threathive
• tests: add tests for IDA Pro backend #202 @williballenthin

New rules

• check for unmoving mouse cursor @BitsOfBinary
• check mutex and exit @re-fox
• parse credit card information @re-fox
• read ini file @re-fox
• validate credit card number with luhn algorithm @re-fox
• change the wallpaper @re-fox
• acquire debug privileges @williballenthin
• import public key @williballenthin
• terminate process by name @williballenthin
• encrypt data using DES @re-fox
• encrypt data using DES via WinAPI @re-fox
• hash data using sha1 via x86 extensions @re-fox
• hash data using sha256 via x86 extensions @re-fox
• capture network configuration via ipconfig @re-fox
• hash data via WinCrypt @mike-hunhoff
• get file attributes @mike-hunhoff
• allocate thread local storage @mike-hunhoff
• get thread local storage value @mike-hunhoff
• set thread local storage @mike-hunhoff
• get session integrity level @mike-hunhoff
• add file to cabinet file @mike-hunhoff
• flush cabinet file @mike-hunhoff
• open cabinet file @mike-hunhoff
• gather firefox profile information @re-fox
• encrypt data using skipjack @re-fox
• encrypt data using camellia @re-fox
• hash data using tiger @re-fox
• encrypt data using blowfish @re-fox
• encrypt data using twofish @re-fox

Bug fixes

• linter: fix exception when examples is None @Ana06
• linter: fix suggested recommendations via templating @williballenthin
• render: fix exception when rendering counts @williballenthin
• render: fix render of negative offsets @williballenthin
• extractor: fix segmentation violation from vivisect @williballenthin
• main: fix crash when .viv cannot be saved #168 @secshoggoth @williballenthin
• main: fix shellcode .viv save path @williballenthin

Changes

• doc: explain how to bypass gatekeeper on macOS @psifertex
• doc: explain supported linux distributions @Ana06
• doc: explain submodule update with --init @psifertex
• main: improve program help output @mr-tz
• main: disable progress when run in quiet mode @mr-tz
• main: assert supported IDA versions @mr-tz
• extractor: better identify nested pointers to strings @williballenthin
• setup: specify vivisect download url @Ana06
• setup: pin vivisect version @williballenthin
• setup: bump vivisect dependency version @williballenthin
• setup: set Python project name to flare-capa @williballenthin
• ci: run tests and linter via Github Actions @Ana06
• hooks: run style checkers and hide stashed output @Ana06
• linter: ignore period in rule filename @williballenthin
• linter: warn on nursery rule with no changes needed @williballenthin

Raw diffs

• capa v1.0.0...v1.1.0
• capa-rules v1.0.0...v1.1.0

Download