MBot Posted August 25, 2023

capa v6.1.0 is a bug fix release, most notably fixing unhandled exceptions in the capa explorer IDA Pro plugin. @Aayush-Goel-04 put a lot of effort into improving code quality and adding a script for rule authors. The script shows which features are present in a sample but not referenced by any existing rule. You could use this script to find opportunities for new rules. Speaking of new rules, we have eight additions, coming from Ronnie, Jakub, Moritz, Ervin, and still@teamt5.org!

New Features

- ELF: implement import and export name extractor #1607 #1608 @Aayush-Goel-04
- bump pydantic from 1.10.9 to 2.1.1 #1582 @Aayush-Goel-04
- develop script to highlight features not used during matching #331 @Aayush-Goel-04

New Rules (8)

- executable/pe/export/forwarded-export ronnie.salomonsen@mandiant.com
- host-interaction/bootloader/get-uefi-variable jakub.jozwiak@mandiant.com
- host-interaction/bootloader/set-uefi-variable jakub.jozwiak@mandiant.com
- nursery/enumerate-device-drivers-on-linux @mr-tz
- anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch ervin.ocampo@mandiant.com
- linking/static/sqlite3/linked-against-cppsqlite3 still@teamt5.org
- linking/static/sqlite3/linked-against-sqlite3 still@teamt5.org

Modified rules (9)

- anti-analysis/anti-forensic/self-deletion/self-delete.yml
- collection/browser/gather-chrome-based-browser-login-information.yml
- collection/browser/gather-firefox-profile-information.yml
- data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
- host-interaction/process/inject/free-user-process-memory.yml
- lib/get-os-version.yml
- nursery/deserialize-json-in-dotnet.yml
- nursery/serialize-json-in-dotnet.yml
- persistence/authentication-process/act-as-credential-manager-dll.yml

Renamed rules (1)

- persistence/create-shortcut-via-ishelllink.yml (was nursery/create-shortcut-via-ishelllink.yml)

Bug Fixes

- rules: fix forwarded export characteristic #1656 @RonnieSalomonsen
- Binary Ninja: fix stack string detection #1473 @xusheng6
- linter: skip native API check for NtProtectVirtualMemory #1675 @williballenthin
- OS: detect Android ELF files #1705 @williballenthin
- ELF: fix parsing of symtab #1704 @williballenthin
- result document: don't use deprecated pydantic functions #1718 @williballenthin
- pytest: don't mark IDA tests as pytest tests #1719 @williballenthin

capa explorer IDA Pro plugin

- fix unhandled exception when resolving rule path #1693 @mike-hunhoff

Raw diffs

- capa v6.0.0...v6.1.0
- capa-rules v6.0.0...v6.1.0

Download
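As an added illustration of what the feature-coverage script from #331 is for (this is not the capa script itself; the rules and sample features below are constructed, shaped like parsed capa rule YAML, and only borrow the UEFI-variable rule names from the list above), the following walks each rule's feature tree and reports the sample features that no rule references:

```python
# Constructed rules shaped like parsed capa rule YAML (rule -> meta/features); values kept as strings.
CONSTRUCTED_RULES = [
    {"rule": {"meta": {"name": "get uefi variable"}, "features": [
        {"api": "kernel32.GetFirmwareEnvironmentVariable"},
    ]}},
    {"rule": {"meta": {"name": "set uefi variable"}, "features": [
        {"and": [
            {"api": "kernel32.SetFirmwareEnvironmentVariable", "description": "writes a UEFI var"},
            {"not": [{"characteristic": "stack string"}]},
            {"2 or more": [
                {"number": "0x1 = EFI_VARIABLE_NON_VOLATILE"},
                {"number": "0x2 = EFI_VARIABLE_BOOTSERVICE_ACCESS"},
                {"number": "0x4 = EFI_VARIABLE_RUNTIME_ACCESS"},
            ]},
        ]},
    ]}},
]
# Constructed (feature_type, value) pairs standing in for what capa extracted from one sample.
CONSTRUCTED_SAMPLE_FEATURES = {
    ("api", "kernel32.GetFirmwareEnvironmentVariable"),
    ("api", "kernel32.SetFirmwareEnvironmentVariable"),
    ("api", "kernel32.GetSystemFirmwareTable"),
    ("number", "0x1"),
    ("number", "0x2"),
    ("string", "BootOrder"),
}
# capa keys that group sub-features (logic) or narrow scope; they are not features themselves.
_CONTAINER_KEYS = {"and", "or", "not", "optional", "basic block", "function", "instruction"}

def iter_rule_features(node):
    """Yield every (feature_type, value) leaf of a parsed capa feature tree."""
    if isinstance(node, list):
        for child in node:
            yield from iter_rule_features(child)
    elif isinstance(node, dict):
        for key, value in node.items():
            if key == "description":
                continue  # free-text annotation, never matched against a sample
            if key in _CONTAINER_KEYS or key.endswith(" or more"):
                yield from iter_rule_features(value)
            else:
                # "number: 0x1 = EFI_VARIABLE_NON_VOLATILE" carries a comment after " = "
                yield (key, str(value).split(" = ", 1)[0].strip())

def unreferenced_features(sample_features, rules):
    """Return, sorted, the sample's features that no rule in the set references."""
    referenced = set()
    for rule in rules:
        referenced.update(iter_rule_features(rule["rule"]["features"]))
    return sorted(f for f in sample_features if f not in referenced)
```

Each returned pair is a feature the sample exhibits that no rule in the set would ever match, which is exactly the kind of gap a rule author can turn into a new rule.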