From f7e763e87c02e050f87437bbe8c16276e46d9738 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Wed, 2 Oct 2024 16:49:34 +0000
Subject: [PATCH] fix backslash handling in string call arguments

---
 CHANGELOG.md | 1 +
 capa/features/extractors/vmray/call.py | 6 +++++-
 tests/test_vmray_features.py | 25 +++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 481be3197..b8b612489 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,7 @@
 - vmray: collect more process information from flog.xml #2394 @mr-tz @mike-hunhoff
 - replace tabulate, tqdm, and termcolor with rich #2374 @s-ff
 - dynamic: emit complete features for A/W APIs #2409 @mike-hunhoff
+- vmray: fix backslash handling in string call arguments #2428 @mr-tz
 
 ### capa Explorer Web
 - improve navigation in capa Explorer Web @s-ff #2425
diff --git a/capa/features/extractors/vmray/call.py b/capa/features/extractors/vmray/call.py
index 6b87d7d89..d39f7697a 100644
--- a/capa/features/extractors/vmray/call.py
+++ b/capa/features/extractors/vmray/call.py
@@ -27,7 +27,11 @@ def get_call_param_features(param: Param, ch: CallHandle) -> Iterator[Tuple[Feat
         if param.deref.type_ in PARAM_TYPE_INT:
             yield Number(hexint(param.deref.value)), ch.address
         elif param.deref.type_ in PARAM_TYPE_STR:
-            yield String(param.deref.value), ch.address
+            # TODO(mr-tz) remove FPS like " \\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\..."
+            # https://github.com/mandiant/capa/issues/2432
+
+            # parsing the data up to here results in double-escaped backslashes, remove those here
+            yield String(param.deref.value.replace("\\\\", "\\")), ch.address
         else:
             logger.debug("skipping deref param type %s", param.deref.type_)
     elif param.value is not None:
diff --git a/tests/test_vmray_features.py b/tests/test_vmray_features.py
index e0803236d..643b3cf78 100644
--- a/tests/test_vmray_features.py
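Review bot: The `param.deref.value.replace("\\\\", "\\")` collapse is applied only at the point where string deref params are turned into features, so the same double-escaped backslashes presumably still reach every other consumer of the parsed flog.xml values (the `param.value` branch that follows this hunk, and any file- or process-scope string features built from the same model) — worth confirming, and if so the collapse belongs in the model layer where the value is parsed, so call strings and non-call strings cannot disagree and a rule matching a literal path or registry key does not miss in one scope but hit in another. The comment `# parsing the data up to here results in double-escaped backslashes` should name which layer introduces the escaping (VMRay's flog.xml encoding or our XML parsing — the hunk does not show which) and state that other escapes such as the `\x01` sequences in the TODO are deliberately left as-is, e.g. `# flog.xml renders "\" in string arguments as "\\" and the XML layer keeps that escaping; collapse it so the value matches the literal path/registry text rules look for (#2428). Other escapes are left untouched, see #2432.`. Without that a future reader cannot tell whether `\\x01` in a value is an escaped control byte or literal text. get_call_param_features starts and ends outside the hunk.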
+++ b/tests/test_vmray_features.py
@@ -35,6 +35,31 @@
             capa.features.common.String("raw.githubusercontent.com"),
             True,
         ),
+        # backslashes in paths; see #2428
+        (
+            "93b2d1-vmray",
+            "process=(2176:0),thread=2180,call=267",
+            capa.features.common.String("C:\\Users\\WhuOXYsD\Desktop\\filename.exe"),
+            True,
+        ),
+        (
+            "93b2d1-vmray",
+            "process=(2176:0),thread=2180,call=267",
+            capa.features.common.String("C:\\\\Users\\\\WhuOXYsD\\\\Desktop\\\\filename.exe"),
+            False,
+        ),
+        (
+            "93b2d1-vmray",
+            "process=(2176:0),thread=2204,call=2395",
+            capa.features.common.String("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"),
+            True,
+        ),
+        (
+            "93b2d1-vmray",
+            "process=(2176:0),thread=2204,call=2395",
+            capa.features.common.String("Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System"),
+            False,
+        ),
         # call/number argument
         # VirtualAlloc(4096, 4)
         ("93b2d1-vmray", "process=(2176:0),thread=2420,call=2358", capa.features.insn.Number(4096), True),
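Review bot: The first added expectation `capa.features.common.String("C:\\Users\\WhuOXYsD\Desktop\\filename.exe")` has a single backslash before `Desktop`; `\D` is not a recognised escape, so CPython keeps the two characters literally (with a DeprecationWarning, a SyntaxWarning from 3.12), which is the only reason the case passes — it is not the intended `\\Desktop` and will break once invalid escapes become errors. Change it to `capa.features.common.String("C:\\Users\\WhuOXYsD\\Desktop\\filename.exe")`, or write all four expected strings as raw strings (`r"C:\Users\WhuOXYsD\Desktop\filename.exe"` vs `r"C:\\Users\\WhuOXYsD\\Desktop\\filename.exe"`) so the single- versus double-backslash intent of the positive and negative cases is visible at a glance. The `False` cases asserting the double-escaped form is no longer emitted are the valuable part of this hunk; a comment above them such as `# the double-escaped form must not be emitted, otherwise rules matching literal paths/registry keys miss` would record why they exist. The enclosing test table starts and ends outside the hunk.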