Version 4 adds support for analyzing .NET executables. capa will autodetect .NET modules, or you can explicitly invoke the new feature extractor via --format dotnet. We've also extended the rule syntax with .NET features, including namespace and class.

Additionally, new instruction scope and operand features enable users to create more explicit rules. These features are not backwards compatible. We removed the previously used /x32 and /x64 flavors of number and operand features.

We updated 49 existing rules and added 22 new rules leveraging these new features and characteristics to detect capabilities seen in .NET malware.

More breaking changes include updates to the JSON results document, freeze file format schema (now format version v2), and the internal handling of addresses.

Thanks for all the support, especially to @htnhan, @jtothej, @sara-rn, @anushkavirgaonkar, and @_re_fox!

Deprecation warning: v4.0 will be the last capa version to support the SMDA backend.

New Features

Breaking Changes

  • instruction scope and operand features are new and are not backwards compatible with older versions of capa
  • Python 3.7 is now the minimum supported Python version #866 @williballenthin
  • remove /x32 and /x64 flavors of number and operand features #932 @williballenthin
  • the tool now accepts multiple paths to rules, and the JSON doc was updated accordingly @williballenthin
  • extractors must use handles to identify functions/basic blocks/instructions #981 @williballenthin
  • the freeze file format schema was updated, including format version bump to v2 #986 @williballenthin
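A pre-upgrade check for private rule sets, added here as an example and not part of capa or these release notes: it lists every rule line that still uses a removed /x32 or /x64 flavor so the rule can be rewritten before moving to v4. It assumes flavored features are written as "- <feature>/x32: <value>" in rule YAML and that rule files end in .yml; the function names and the sample rule are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Assumption: a flavored feature is written in rule YAML as
# "- <feature>/x32: <value>" or "- <feature>/x64: <value>".
FLAVORED = re.compile(
    r"^\s*-\s*(?P<feature>[A-Za-z][\w.\[\]]*)/(?P<flavor>x32|x64)\s*:\s*(?P<value>.*)$"
)

# Constructed sample rule, not taken from the capa rule set.
SAMPLE_RULE = """\
rule:
  meta:
    name: constructed example rule
    scope: function
  features:
    - and:
      - number/x32: 0x30 = constructed value
      - number/x64: 0x60
      - number: 0x40
      - string: "C:/tools/x64: not a feature"
      # - number/x64: 0x99
"""


def find_flavored_features(rule_text):
    """Return (line_no, feature, flavor, value) for each flavored feature line."""
    hits = []
    for line_no, line in enumerate(rule_text.splitlines(), start=1):
        m = FLAVORED.match(line)  # commented-out and string lines do not match
        if m:
            hits.append((line_no, m["feature"], m["flavor"], m["value"].strip()))
    return hits


def scan_rule_paths(paths):
    """Scan rule files or directories; return {file: hits} for files to migrate."""
    report = {}
    for root in map(Path, paths):
        files = [root] if root.is_file() else sorted(root.rglob("*.yml"))
        for rule_file in files:
            hits = find_flavored_features(rule_file.read_text(encoding="utf-8"))
            if hits:
                report[str(rule_file)] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_rule_paths(sys.argv[1:]).items():
        for line_no, feature, flavor, value in hits:
            print(f"{name}:{line_no}: {feature}/{flavor}: {value}")
```

Run it with one or more rule directories as arguments; it only reports and does not rewrite rules, since the replacement for a flavored feature has to be chosen by the rule author.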

Deprecation notice: as described in #937, we plan to remove the SMDA backend for v5. If you rely on this backend, please reach out so we can discuss extending the support for SMDA or transitioning your workflow to use vivisect.

New Rules (30)

Bug Fixes

capa explorer IDA Pro plugin

Raw diffs


