MBot, posted February 1, 2024 at 14:30

This is the v7.0.0 release of capa which was mainly worked on during the Google Summer of Code (GSoC) 2023. A huge shoutout to our GSoC contributors @colton-gabertan and @yelhamer for their amazing work. Also, a big thanks to the other contributors: @aaronatp, @Aayush-Goel-04, @bkojusner, @doomedraven, @ruppde, @larchchen, @JCoonradt, and @xusheng6.

## New Features

- add Ghidra backend #1770 #1767 @colton-gabertan @mike-hunhoff
- add Ghidra UI integration #1734 @colton-gabertan @mike-hunhoff
- add dynamic analysis via CAPE sandbox reports #48 #1535 @yelhamer
- add call scope #771 @yelhamer
- add thread scope #1517 @yelhamer
- add process scope #1517 @yelhamer
- rules: change meta.scope to meta.scopes @yelhamer
- protobuf: add Metadata.flavor @williballenthin
- binja: add support for forwarded exports #1646 @xusheng6
- binja: add support for symtab names #1504 @xusheng6
- add com class/interface features #322 @Aayush-Goel-04
- dotnet: emit enclosing class information for nested classes #1780 #1913 @bkojusner @mike-hunhoff

## Breaking Changes

- remove the SCOPE_* constants in favor of the Scope enum #1764 @williballenthin
- protobuf: deprecate RuleMetadata.scope in favor of RuleMetadata.scopes @williballenthin
- protobuf: deprecate Metadata.analysis in favor of Metadata.analysis2 that is dynamic analysis aware @williballenthin
- update freeze format to v3, adding support for dynamic analysis @williballenthin
- extractor: ignore DLL name for api features #1815 @mr-tz
- main: introduce wrapping routines within main for working with CLI args #1813 @williballenthin
- move functions from capa.main to new capa.loader namespace #1821 @williballenthin
- proto: add package declaration #1960 @larchchen

## New Rules (41)

- nursery/get-ntoskrnl-base-address @mr-tz
- host-interaction/network/connectivity/set-tcp-connection-state @johnk3r
- nursery/capture-process-snapshot-data @mr-tz
- collection/network/capture-packets-using-sharppcap jakub.jozwiak@mandiant.com
- nursery/communicate-with-kernel-module-via-netlink-socket-on-linux michael.hunhoff@mandiant.com
- nursery/get-current-pid-on-linux michael.hunhoff@mandiant.com
- nursery/get-file-system-information-on-linux michael.hunhoff@mandiant.com
- nursery/get-password-database-entry-on-linux michael.hunhoff@mandiant.com
- nursery/mark-thread-detached-on-linux michael.hunhoff@mandiant.com
- nursery/persist-via-gnome-autostart-on-linux michael.hunhoff@mandiant.com
- nursery/set-thread-name-on-linux michael.hunhoff@mandiant.com
- load-code/dotnet/load-windows-common-language-runtime michael.hunhoff@mandiant.com blas.kojusner@mandiant.com jakub.jozwiak@mandiant.com
- nursery/log-keystrokes-via-input-method-manager @mr-tz
- nursery/encrypt-data-using-rc4-via-systemfunction032 richard.weiss@mandiant.com
- nursery/add-value-to-global-atom-table @mr-tz
- nursery/enumerate-processes-that-use-resource @Ana06
- host-interaction/process/inject/allocate-or-change-rwx-memory @mr-tz
- lib/allocate-or-change-rw-memory 0x534a@mailbox.org @mr-tz
- lib/change-memory-protection @mr-tz
- anti-analysis/anti-av/patch-antimalware-scan-interface-function jakub.jozwiak@mandiant.com
- executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment sara.rincon@mandiant.com
- internal/limitation/file/internal-dotnet-single-file-deployment-limitation sara.rincon@mandiant.com
- data-manipulation/encoding/encode-data-using-add-xor-sub-operations jakub.jozwiak@mandiant.com
- nursery/access-camera-in-dotnet-on-android michael.hunhoff@mandiant.com
- nursery/capture-microphone-audio-in-dotnet-on-android michael.hunhoff@mandiant.com
- nursery/capture-screenshot-in-dotnet-on-android michael.hunhoff@mandiant.com
- nursery/check-for-incoming-call-in-dotnet-on-android michael.hunhoff@mandiant.com
- nursery/check-for-outgoing-call-in-dotnet-on-android michael.hunhoff@mandiant.com
- nursery/compiled-with-xamarin michael.hunhoff@mandiant.com
- nursery/get-os-version-in-dotnet-on-android michael.hunhoff@mandiant.com
- data-manipulation/compression/create-cabinet-on-windows michael.hunhoff@mandiant.com jakub.jozwiak@mandiant.com
- data-manipulation/compression/extract-cabinet-on-windows jakub.jozwiak@mandiant.com
- lib/create-file-decompression-interface-context-on-windows jakub.jozwiak@mandiant.com
- nursery/enumerate-files-in-dotnet moritz.raabe@mandiant.com anushka.virgaonkar@mandiant.com
- nursery/get-mac-address-in-dotnet moritz.raabe@mandiant.com michael.hunhoff@mandiant.com echernofsky@google.com
- nursery/get-current-process-command-line william.ballenthin@mandiant.com
- nursery/get-current-process-file-path william.ballenthin@mandiant.com
- nursery/hook-routines-via-dlsym-rtld_next william.ballenthin@mandiant.com
- nursery/linked-against-hp-socket still@teamt5.org
- host-interaction/process/inject/process-ghostly-hollowing sara.rincon@mandiant.com

## Bug Fixes

- ghidra: fix ints_to_bytes performance #1761 @mike-hunhoff
- binja: improve function call site detection @xusheng6
- binja: use binaryninja.load to open files @xusheng6
- binja: bump binja version to 3.5 #1789 @xusheng6
- elf: better detect ELF OS via GCC .ident directives #1928 @williballenthin
- elf: better detect ELF OS via Android dependencies #1947 @williballenthin
- fix setuptools package discovery #1886 @gmacon @mr-tz
- remove unnecessary scripts/vivisect-py2-vs-py3.sh file #1949 @JCoonradt

### capa explorer IDA Pro plugin

- various integration updates and minor bug fixes

## Development

- update ATT&CK/MBC data for linting #1932 @mr-tz

## Developer Notes

With this new release, many classes and concepts have been split up into static (mostly identical to the prior implementations) and dynamic ones. For example, the legacy FeatureExtractor class has been renamed to StaticFeatureExtractor and the DynamicFeatureExtractor has been added.

Starting from version 7.0, we have moved the component responsible for feature extraction from main to a new capabilities module. Now, users wishing to utilize capa's feature extraction abilities should use that module instead of importing the relevant logic from the main file.

For sandbox-based feature extractors, we are using Pydantic models. Contributions of more models for other sandboxes are very welcome!

With this release we've reorganized the logic found in main() to localize logic and ease readability, changes and integrations. The new "main routines" are expected to be used only within main functions, either capa main or related scripts. These functions should not be invoked from library code.

Beyond copying code around, we've refined the handling of the input file/format/backend. The logic for picking the format and backend is more consistent. We've documented that the input file is not necessarily the sample itself: cape/freeze/etc. inputs are not actually the sample.

## Raw diffs

- capa v6.1.0...v7.0.0
- capa-rules v6.1.0...v7.0.0

Download
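To illustrate the static/dynamic split and the new process, thread and call scopes described in the Developer Notes, here is an added toy example. It is my own illustrative code, not capa's implementation, and it does not use capa's API: a minimal dynamic feature extractor walks a constructed, deliberately simplified CAPE-like report, exposes process, thread and call scope units, normalizes api features by dropping the DLL prefix (the behaviour the "ignore DLL name for api features" change describes), and a small matcher shows why the same two api features match when a rule is bound to process scope but not when it is bound to thread scope. The report layout, the rule dicts and every name here (ToyDynamicFeatureExtractor, DynamicAddress, find_capabilities, normalize_api) are assumptions for this example only.

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set

# Constructed, deliberately simplified CAPE-like report (not real sandbox output):
# one process, two threads, three API calls. Real CAPE reports carry far more.
SAMPLE_REPORT = json.dumps({"behavior": {"processes": [{
    "process_id": 1234,
    "calls": [
        {"thread_id": 1, "api": "kernel32.CreateFileA"},
        {"thread_id": 1, "api": "WriteFile"},
        {"thread_id": 2, "api": "ws2_32.connect"},
    ],
}]}})


@dataclass(frozen=True)
class DynamicAddress:
    """Where a dynamic feature was seen: the process, optionally the thread, optionally the call."""
    pid: int
    tid: Optional[int] = None
    call: Optional[int] = None  # index into the process's call list


def normalize_api(name: str) -> str:
    """Drop a DLL prefix so 'kernel32.CreateFileA' and 'CreateFileA' yield the same api feature."""
    return name.rsplit(".", 1)[-1]


class ToyDynamicFeatureExtractor:
    """Walks process > thread > call and exposes 'api:<name>' features per scope unit (toy model)."""

    def __init__(self, report_json: str) -> None:
        self.report = json.loads(report_json)

    def _calls(self, pid: int) -> List[dict]:
        for proc in self.report["behavior"]["processes"]:
            if proc["process_id"] == pid:
                return proc["calls"]
        return []

    def get_processes(self) -> Iterator[DynamicAddress]:
        for proc in self.report["behavior"]["processes"]:
            yield DynamicAddress(pid=proc["process_id"])

    def get_threads(self, proc: DynamicAddress) -> Iterator[DynamicAddress]:
        seen: Set[int] = set()
        for call in self._calls(proc.pid):
            if call["thread_id"] not in seen:
                seen.add(call["thread_id"])
                yield DynamicAddress(pid=proc.pid, tid=call["thread_id"])

    def get_calls(self, thread: DynamicAddress) -> Iterator[DynamicAddress]:
        for idx, call in enumerate(self._calls(thread.pid)):
            if call["thread_id"] == thread.tid:
                yield DynamicAddress(pid=thread.pid, tid=thread.tid, call=idx)

    def units(self, scope: str) -> Iterator[DynamicAddress]:
        """All addresses at the requested scope: 'process', 'thread' or 'call'."""
        for proc in self.get_processes():
            if scope == "process":
                yield proc
                continue
            for thread in self.get_threads(proc):
                if scope == "thread":
                    yield thread
                    continue
                yield from self.get_calls(thread)

    def features(self, addr: DynamicAddress) -> Set[str]:
        """Features of one unit; an enclosing scope sees the union of its children's features."""
        if addr.call is not None:
            return {"api:" + normalize_api(self._calls(addr.pid)[addr.call]["api"])}
        if addr.tid is not None:
            return set().union(*(self.features(c) for c in self.get_calls(addr)))
        return set().union(*(self.features(t) for t in self.get_threads(addr)))


def find_capabilities(extractor: ToyDynamicFeatureExtractor,
                      rules: List[dict]) -> Dict[str, List[DynamicAddress]]:
    """A rule matches a unit of its scope when every listed api feature occurs inside that unit."""
    matches: Dict[str, List[DynamicAddress]] = {}
    for rule in rules:
        needed = {"api:" + api for api in rule["api"]}
        for addr in extractor.units(rule["scope"]):
            if needed <= extractor.features(addr):
                matches.setdefault(rule["name"], []).append(addr)
    return matches


# Constructed rules: the same api pair matches or not depending only on the scope it is bound to.
RULES = [
    {"name": "write file", "scope": "thread", "api": ["CreateFileA", "WriteFile"]},
    {"name": "connect socket", "scope": "call", "api": ["connect"]},
    {"name": "file and network", "scope": "process", "api": ["CreateFileA", "connect"]},
    {"name": "file and network in one thread", "scope": "thread", "api": ["CreateFileA", "connect"]},
]

if __name__ == "__main__":
    for name, addrs in find_capabilities(ToyDynamicFeatureExtractor(SAMPLE_REPORT), RULES).items():
        print(name, "->", addrs)
```

Running it reports "write file" at thread 1, "connect socket" at the single call in thread 2, and "file and network" at the process, while the thread-scoped variant of the last rule does not match because the two calls happen on different threads. The rules are plain dicts here; capa's real rules are YAML with meta.scopes carrying separate static and dynamic scopes and a full logic tree, which this toy omits.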