Skip to content

Commit

Permalink
fix backslash handling in string call arguments
Browse files Browse the repository at this point in the history
  • Loading branch information
mr-tz committed Oct 2, 2024
1 parent 591a1e8 commit f7e763e
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@
- vmray: collect more process information from flog.xml #2394 @mr-tz @mike-hunhoff
- replace tabulate, tqdm, and termcolor with rich #2374 @s-ff
- dynamic: emit complete features for A/W APIs #2409 @mike-hunhoff
- vmray: fix backslash handling in string call arguments #2428 @mr-tz

### capa Explorer Web
- improve navigation in capa Explorer Web @s-ff #2425
Expand Down
6 changes: 5 additions & 1 deletion capa/features/extractors/vmray/call.py
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ def get_call_param_features(param: Param, ch: CallHandle) -> Iterator[Tuple[Feat
if param.deref.type_ in PARAM_TYPE_INT:
yield Number(hexint(param.deref.value)), ch.address
elif param.deref.type_ in PARAM_TYPE_STR:
yield String(param.deref.value), ch.address
# TODO(mr-tz) remove FPS like " \\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\..."
# https://github.com/mandiant/capa/issues/2432

# parsing the data up to here results in double-escaped backslashes, remove those here
yield String(param.deref.value.replace("\\\\", "\\")), ch.address
else:
logger.debug("skipping deref param type %s", param.deref.type_)
elif param.value is not None:
Expand Down
25 changes: 25 additions & 0 deletions tests/test_vmray_features.py
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,31 @@
capa.features.common.String("raw.githubusercontent.com"),
True,
),
# backslashes in paths; see #2428
(
"93b2d1-vmray",
"process=(2176:0),thread=2180,call=267",
capa.features.common.String("C:\\Users\\WhuOXYsD\Desktop\\filename.exe"),
True,
),
(
"93b2d1-vmray",
"process=(2176:0),thread=2180,call=267",
capa.features.common.String("C:\\\\Users\\\\WhuOXYsD\\\\Desktop\\\\filename.exe"),
False,
),
(
"93b2d1-vmray",
"process=(2176:0),thread=2204,call=2395",
capa.features.common.String("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"),
True,
),
(
"93b2d1-vmray",
"process=(2176:0),thread=2204,call=2395",
capa.features.common.String("Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System"),
False,
),
# call/number argument
# VirtualAlloc(4096, 4)
("93b2d1-vmray", "process=(2176:0),thread=2420,call=2358", capa.features.insn.Number(4096), True),
Expand Down

0 comments on commit f7e763e

Please sign in to comment.