Error when running capa with Binary Ninja backend on shellcode

[as0ni]

Description

When running capa against shellcode using the Binary Ninja backend, I encountered an error related to an unexpected file format. The analysis fails, preventing capa from assessing shellcode capabilities as expected.

Steps to Reproduce

Run capa on shellcode using Binary Ninja as a backend with the following command:
capa.exe -r C:\Tools\capa-rules -f sc64 sc.bin -b binja -d

Expected behavior:
capa should analyze the shellcode file and report any detected capabilities based on the specified rules.

Actual behavior:
The above command produces the following error:

File "C:\Users\<USER>\AppData\Local\Programs\Python\Python311\Lib\site-packages\capa\features\extractors\binja\file.py", line 174, in extract_file_format
    raise NotImplementedError(f"unexpected file format: {view_type}")
NotImplementedError: unexpected file format: Mapped

Versions

capa version: 7.3.0
Installed as: Python library
Backend: Binary Ninja 4.1.5902

Potential solution:

To work around this issue, I modified the file file.py in the Binary Ninja extractor by changing the line:

elif view_type == "Raw":
to
elif view_type == "Mapped":

within the extract_file_format function. After this change, capa ran successfully and produced the expected results.

[mr-tz]

Good find, there's no proper support for shellcode in Binary Ninja.
@xusheng6, is using Mapped a proper way to handle/identify shellcode?

[xusheng6]

Good find, there's no proper support for shellcode in Binary Ninja. @xusheng6, is using Mapped a proper way to handle/identify shellcode?

Yes! I think you can change the line at https://github.com/mandiant/capa/blob/2987eeb0acc03e187bdd90bb1644377774a2045a/capa/features/extractors/binja/file.py#L136 from

elif view_type == "Raw": to elif view_type in ["Raw", "Mapped"]: