Malcat capa integration detects capabilities missed by standalone capa #2474
Comments
|
thanks for the detailed report @as0ni! this sort of issue is usually due to malcat recovering more code than our built in framework can. especially with shellcode, where calls are often indirect, vivisect often has trouble finding all the functions. then capa isn't able to find the capabilities you see. i can take a look at the sample you provided and confirm this behavior. there might be some things we can do to more aggressively recover code. |
|
Thanks for the quick feedback, @williballenthin! That makes a lot of sense. This lines up with what I'm seeing in Ghidra; initially, capa finds no capabilities in this shellcode. However, once I manually define a function, capa identifies |
Description
I recently analyzed some Cobalt Strike shellcode (VT Link)
in Malcat, and its capa integration correctly identified several capabilities. However, running the standalone
capa.exewith the same shellcode sample did not detect any capabilities.Steps to Reproduce
capa.execommand:capa.exe -r C:\Tools\capa-rules -f sc64 scwow.bin**Note: ** I used
capa.exeversion 7.40 and the latest rules from GitHub.Expected behavior:
The standalone
capa.exeshould identify the same capabilities as Malcat’s capa integration.Actual behavior:
The standalone
capa.exereturnedno capabilities found.Versions
Malcat: Appears to use capa 4.0.1.
Standalone capa.exe: Version 7.40. I also downloaded and tested
capa.exeversion 4.0.1 to see if the issue was specific to newer versions, but it also identified no capabilities.Capa Rules: Cross-checked rules like
reference-http-user-agent-string.ymlandresolve-function-by-parsing-pe-exports.ymlbetween Malcat and the up-to-date versions on GitHub, with no identified significant differences.All of this testing was done on a Windows 10 Enterprise VM.
If any additional screenshots or details are needed, please let me know. Thank you!
The text was updated successfully, but these errors were encountered: