Releases: mandiant/capa
v5.0.0
This capa version comes with major improvements and additions to better handle .NET binaries. To showcase this we've updated and added over 30 .NET rules.
Additionally, capa now caches its rule set for better performance. The capa explorer also caches its analysis results, so that multiple IDA Pro or plugin invocations don't need to repeat the same analysis.
We have removed the SMDA backend and changed the program return codes to be positive numbers.
Other improvements to highlight include better ELF OS detection, various rendering bug fixes, and enhancements to the feature extraction. We've also added support for Python 3.11.
Thanks for all the support, especially to @jsoref, @bkojusner, @edeca, @richardweiss80, @joren485, @ryantxu1, @mwilliams31, @anushkavirgaonkar, @MalwareMechanic, @Still34, @dzbeck, @johnk3r, and everyone else who submitted bugs and provided feedback!
New Features
- verify rule metadata format on load #1160 @mr-tz
- dotnet: emit property features #1168 @anushkavirgaonkar
- dotnet: emit API features for objects created via the newobj instruction #1186 @mike-hunhoff
- dotnet: emit API features for generic methods #1231 @mike-hunhoff
- Python 3.11 support #1192 @williballenthin
- dotnet: emit calls to/from MethodDef methods #1236 @mike-hunhoff
- dotnet: emit namespace/class features for ldvirtftn/ldftn instructions #1241 @mike-hunhoff
- dotnet: emit namespace/class features for type references #1242 @mike-hunhoff
- dotnet: extract dotnet and pe format #1187 @mr-tz
- don't render all library rule matches in vverbose output #1174 @mr-tz
- cache the rule set across invocations for better performance #1212 @williballenthin
- update ATT&CK/MBC data for linting #1297 @mr-tz
Breaking Changes
- remove SMDA backend #1062 @williballenthin
- error return codes are now positive numbers #1269 @mr-tz
New Rules (77)
- collection/use-dotnet-library-sharpclipboard @johnk3r
- data-manipulation/encryption/aes/use-dotnet-library-encryptdecryptutils @johnk3r
- data-manipulation/json/use-dotnet-library-newtonsoftjson @johnk3r
- data-manipulation/svg/use-dotnet-library-sharpvectors @johnk3r
- executable/resource/embed-dependencies-as-resources-using-fodycostura @johnk3r @mr-tz
- communication/ftp/send/send-file-using-ftp [email protected] [email protected]
- nursery/extract-zip-archive [email protected]
- nursery/allocate-unmanaged-memory-in-dotnet [email protected]
- nursery/check-file-extension-in-dotnet [email protected]
- nursery/decode-data-using-base64-in-dotnet [email protected]
- nursery/deserialize-json-in-dotnet [email protected]
- nursery/find-data-using-regex-in-dotnet [email protected]
- nursery/generate-random-filename-in-dotnet [email protected]
- nursery/get-os-version-in-dotnet [email protected]
- nursery/load-xml-in-dotnet [email protected]
- nursery/manipulate-unmanaged-memory-in-dotnet [email protected]
- nursery/save-image-in-dotnet [email protected]
- nursery/send-email-in-dotnet [email protected]
- nursery/serialize-json-in-dotnet [email protected]
- nursery/set-http-user-agent-in-dotnet [email protected]
- nursery/compile-csharp-in-dotnet [email protected]
- nursery/compile-visual-basic-in-dotnet [email protected]
- nursery/compress-data-using-gzip-in-dotnet [email protected]
- nursery/execute-sqlite-statement-in-dotnet [email protected]
- nursery/execute-via-asynchronous-task-in-dotnet [email protected]
- nursery/execute-via-timer-in-dotnet [email protected]
- nursery/execute-wmi-query-in-dotnet [email protected]
- nursery/manipulate-network-credentials-in-dotnet [email protected]
- nursery/encrypt-data-using-aes [email protected] Ivan Kwiatkowski (@JusticeRage)
- host-interaction/uac/bypass/bypass-uac-via-rpc [email protected] [email protected]
- nursery/check-for-vm-using-instruction-vpcext [email protected]
- nursery/get-windows-directory-from-kuser_shared_data [email protected]
- nursery/encrypt-data-using-openssl-dsa Ana06
- nursery/encrypt-data-using-openssl-ecdsa Ana06
- nursery/encrypt-data-using-openssl-rsa Ana06
- runtime/dotnet/execute-via-dotnet-startup-hook [email protected]
- host-interaction/console/manipulate-console-buffer [email protected] [email protected]
- nursery/access-wmi-data-in-dotnet [email protected]
- nursery/allocate-unmanaged-memory-via-dotnet [email protected]
- nursery/generate-random-bytes-in-dotnet [email protected]
- nursery/manipulate-console-window [email protected]
- nursery/obfuscated-with-koivm [email protected]
- nursery/implement-com-dll [email protected]
- nursery/linked-against-libsodium @mr-tz
- compiler/nuitka/compiled-with-nuitka @williballenthin
- nursery/authenticate-data-with-md5-mac [email protected]
- nursery/resolve-function-by-djb2-hash [email protected]
- host-interaction/mutex/create-semaphore-on-linux @ramen0x3f
- host-interaction/mutex/lock-semaphore-on-linux @ramen0x3f
- host-interaction/mutex/unlock-semaphore-on-linux @ramen0x3f
- data-manipulation/hashing/sha384/hash-data-using-sha384 [email protected]
- data-manipulation/hashing/sha512/hash-data-using-sha512 [email protected]
- nursery/decode-data-using-url-encoding [email protected]
- nursery/manipulate-user-privileges [email protected]
- lib/get-os-version @mr-tz
- nursery/decrypt-data-using-tea [email protected]
- nursery/encrypt-data-using-tea [email protected]
- nursery/hash-data-using-whirlpool [email protected]
- nursery/reference-base58-string [email protected]
- communication/mailslot/create-mailslot [email protected]
- executable/resource/access-dotnet-resource @mr-tz
- linking/static/linked-against-cpp-standard-library @mr-tz
- data-manipulation/compression/compress-data-using-lzo [email protected] [email protected]
- data-manipulation/compression/decompress-data-using-lzo [email protected] [email protected]
- communication/socket/tcp/create-tcp-socket-via-raw-afd-driver [email protected]
- host-interaction/process/map-section-object [email protected]
- lib/create-or-open-section-object [email protected]
- load-code/dotnet/execute-dotnet-assembly-via-clr-host [email protected]
- load-code/execute-vbscript-javascript-or-jscript-in-memory [email protected]
- host-interaction/file-system/reference-absolute-stream-path-on-windows [email protected]
- nursery/generate-method-via-reflection-in-dotnet [email protected]
- nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet [email protected]
Bug Fixes
- render: convert feature attributes to aliased dictionary for vverbose #1152 @mike-hunhoff
- decouple Token dependency / extractor and features #1139 @mr-tz
- update pydantic model to guarantee type coercion #1176 @mike-hunhoff
- do not overwrite version in version.py during PyInstaller build #1169 @mr-tz
- render: fix vverbose rendering of offsets #1215 @williballenthin
- elf: better detect OS via GLIBC ABI version needed and dependencies #1221 @williballenthin
- dotnet: address unhandled exceptions with improved type checking #1230 @mike-hunhoff
- fix import-to-ida script formatting #1208 @williballenthin
- render: fix verbose rendering of scopes #1263 @williballenthin
- rules: better detect invalid rules #1282 @williballenthin
- show-features: better render strings with embedded whitespace #1267 @williballenthin
- handle vivisect bug around strings at instruction level, use min length 4 #1271 @williballenthin @mr-tz
- extractor: guard against invalid "calls from" features #1177 @mr-tz
- extractor: add format to global features #1258 @mr-tz
- extractor: discover all strings with length >= 4 #1280 @mr-tz
- extractor: don't extract byte features for strings #1293 @mr-tz
capa explorer IDA Pro plugin
- fix: display instruction items #1154 @mr-tz
- fix: accept only plaintext pasted content #1194 @williballenthin
- fix: UnboundLocalError #1217 @williballenthin
- extractor: add support for COFF files and extern functions #1223 @mike-hunhoff
- doc: improve error messaging and documentation related to capa rule set #1249 @mike-hunhoff
- fix: assume 32-bit displacement for offsets #1250 @mike-hunhoff
- generator: refactor caching and matching #1251 @mike-hunhoff
- fix: improve exception handling to prevent IDA from locking up when errors occur #1262 @mike-hunhoff
- verify rule metadata using Pydantic #1167 @mr-tz
- extractor: make read consistent with file object behavior #1254 @mr-tz
- fix: UnboundLocalError x2 #1302 @mike-hunhoff
- cache capa results across IDA sessions #1279 @mr-tz
v4.0.1
Some rules contained invalid metadata fields that caused an error when rendering rule hits. We've updated all rules and enhanced the rule linter to catch such issues.
New Rules (1)
- anti-analysis/obfuscation/obfuscated-with-vs-obfuscation [email protected]
Bug Fixes
- linter: use pydantic to validate rule metadata #1141 @mike-hunhoff
- build binaries using PyInstaller no longer overwrites functions in version.py #1136 @mr-tz
v4.0.0
Version 4 adds support for analyzing .NET executables. capa will autodetect .NET modules, or you can explicitly invoke the new feature extractor via `--format dotnet`. We've also extended the rule syntax for .NET features including `namespace` and `class`.
Additionally, new `instruction` scope and `operand` features enable users to create more explicit rules. These features are not backwards compatible. We removed the previously used `/x32` and `/x64` flavors of number and operand features.
We updated 49 existing rules and added 22 new rules leveraging these new features and characteristics to detect capabilities seen in .NET malware.
More breaking changes include updates to the JSON results document, freeze file format schema (now format version v2), and the internal handling of addresses.
Thanks for all the support, especially to @htnhan, @jtothej, @sara-rn, @anushkavirgaonkar, and @_re_fox!
Deprecation warning: v4.0 will be the last capa version to support the SMDA backend.
New Features
- add new scope "instruction" for matching mnemonics and operands #767 @williballenthin
- add new feature "operand[{0, 1, 2}].number" for matching instruction operand immediate values #767 @williballenthin
- add new feature "operand[{0, 1, 2}].offset" for matching instruction operand offsets #767 @williballenthin
- extract additional offset/number features in certain circumstances #320 @williballenthin
- add detection and basic feature extraction for dotnet #987 @mr-tz, @mike-hunhoff, @williballenthin
- add file string extraction for dotnet files #1012 @mike-hunhoff
- add file function-name extraction for dotnet files #1015 @mike-hunhoff
- add unmanaged call characteristic for dotnet files #1023 @mike-hunhoff
- add mixed mode characteristic feature extraction for dotnet files #1024 @mike-hunhoff
- emit class and namespace features for dotnet files #1030 @mike-hunhoff
- render: support Addresses that aren't simple integers, like .NET token+offset #981 @williballenthin
- document rule tags and branches #1006 @williballenthin, @mr-tz
Breaking Changes
- instruction scope and operand feature are new and are not backwards compatible with older versions of capa
- Python 3.7 is now the minimum supported Python version #866 @williballenthin
- remove /x32 and /x64 flavors of number and operand features #932 @williballenthin
- the tool now accepts multiple paths to rules, and JSON doc updated accordingly @williballenthin
- extractors must use handles to identify functions/basic blocks/instructions #981 @williballenthin
- the freeze file format schema was updated, including format version bump to v2 #986 @williballenthin
Deprecation notice: as described in #937, we plan to remove the SMDA backend for v5. If you rely on this backend, please reach out so we can discuss extending the support for SMDA or transitioning your workflow to use vivisect.
New Rules (30)
- data-manipulation/encryption/aes/manually-build-aes-constants [email protected]
- nursery/get-process-image-filename [email protected]
- compiler/v/compiled-with-v [email protected]
- compiler/zig/compiled-with-zig [email protected]
- anti-analysis/packer/huan/packed-with-huan [email protected]
- internal/limitation/file/internal-dotnet-file-limitation [email protected]
- nursery/get-os-information-via-kuser_shared_data @mr-tz
- load-code/pe/resolve-function-by-parsing-PE-exports @sara-rn
- anti-analysis/packer/huan/packed-with-huan [email protected]
- nursery/execute-dotnet-assembly [email protected]
- nursery/invoke-dotnet-assembly-method [email protected]
- collection/screenshot/capture-screenshot-via-keybd-event @_re_fox
- collection/browser/gather-chrome-based-browser-login-information @_re_fox
- nursery/power-down-monitor [email protected]
- nursery/hash-data-using-aphash @_re_fox
- nursery/hash-data-using-jshash @_re_fox
- host-interaction/file-system/files/list/enumerate-files-on-windows [email protected] [email protected]
- nursery/check-clipboard-data [email protected]
- nursery/clear-clipboard-data [email protected]
- nursery/compile-dotnet-assembly [email protected]
- nursery/create-process-via-wmi [email protected]
- nursery/display-service-notification-message-box [email protected]
- nursery/find-process-by-name [email protected]
- nursery/generate-random-numbers-in-dotnet [email protected]
- nursery/send-keystrokes [email protected]
- nursery/send-request-in-dotnet [email protected]
- nursery/terminate-process-by-name-in-dotnet [email protected]
- nursery/hash-data-using-rshash @_re_fox
- persistence/authentication-process/act-as-credential-manager-dll [email protected]
- persistence/authentication-process/act-as-password-filter-dll [email protected]
Bug Fixes
- improve handling _ prefix compile/link artifact #924 @mike-hunhoff
- better detect OS in ELF samples #988 @williballenthin
- display number feature zero in vverbose #1097 @mike-hunhoff
capa explorer IDA Pro plugin
- improve file format extraction #918 @mike-hunhoff
- remove decorators added by IDA to ELF imports #919 @mike-hunhoff
- bug fixes for Address abstraction #1091 @mike-hunhoff
v3.2.1
This release bumps the SMDA dependency version to enable installation on Python 3.10.
Bug Fixes
- update SMDA dependency @mike-hunhoff #922
v3.2.0
This release adds a new characteristic `call $+5`, enabling users to create rules that match this instruction commonly seen in obfuscators. The linter now also validates ATT&CK and MBC categories. Additionally, many dependencies, including the vivisect backend, have been updated.
One rule has been added and many more have been improved.
Thanks for all the support, especially to @kn0wl3dge and first time contributor @uckelman-sf!
New Features
- linter: validate ATT&CK/MBC categories and IDs #103 @kn0wl3dge
- extractor: add characteristic "call $+5" feature #366 @kn0wl3dge
New Rules (1)
- anti-analysis/obfuscation/obfuscated-with-advobfuscator [email protected]
Bug Fixes
- remove typing package as a requirement for Python 3.7+ compatibility #901 @uckelman-sf
- elf: fix OS detection for Linux kernel modules #867 @williballenthin
v3.1.0
This release improves the performance of capa while also adding 23 new rules and many code quality enhancements. We profiled capa's CPU usage and optimized the way that it matches rules, such as by short circuiting when appropriate. According to our testing, the matching phase is approximately 66% faster than v3.0.3! We also added support for Python 3.10, aarch64 builds, and additional MAEC metadata in the rule headers.
This release adds 23 new rules, including nine by Jakub Jozwiak of Mandiant. @ryantxu1 and @dzbeck updated the ATT&CK and MBC mappings for many rules. Thank you!
And as always, welcome first time contributors!
New Features
- engine: short circuit logic nodes for better performance #824 @williballenthin
- engine: add optimizer to order faster nodes first #829 @williballenthin
- engine: optimize rule evaluation by skipping rules that can't match #830 @williballenthin
- support python 3.10 #816 @williballenthin
- support aarch64 #683 @williballenthin
- rules: support maec/malware-family meta #841 @mr-tz
- engine: better type annotations/exhaustiveness checking #839 @cl30
Breaking Changes: None
New Rules (23)
- nursery/delete-windows-backup-catalog [email protected]
- nursery/disable-automatic-windows-recovery-features [email protected]
- nursery/capture-webcam-video @johnk3r
- nursery/create-registry-key-via-stdregprov [email protected]
- nursery/delete-registry-key-via-stdregprov [email protected]
- nursery/delete-registry-value-via-stdregprov [email protected]
- nursery/query-or-enumerate-registry-key-via-stdregprov [email protected]
- nursery/query-or-enumerate-registry-value-via-stdregprov [email protected]
- nursery/set-registry-value-via-stdregprov [email protected]
- data-manipulation/compression/decompress-data-using-ucl [email protected]
- linking/static/wolfcrypt/linked-against-wolfcrypt [email protected]
- linking/static/wolfssl/linked-against-wolfssl [email protected]
- anti-analysis/packer/pespin/packed-with-pespin [email protected]
- load-code/shellcode/execute-shellcode-via-windows-fibers [email protected]
- load-code/shellcode/execute-shellcode-via-enumuilanguages [email protected]
- anti-analysis/packer/themida/packed-with-themida [email protected]
- load-code/shellcode/execute-shellcode-via-createthreadpoolwait [email protected]
- host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object [email protected]
- load-code/shellcode/execute-shellcode-via-copyfile2 [email protected]
- malware-family/plugx/match-known-plugx-module [email protected]
Rule Changes
- update ATT&CK mappings by @ryantxu1
- update ATT&CK and MBC mappings by @dzbeck
- aplib detection by @cdong1012
- golang runtime detection by @stevemk14ebr
Bug Fixes
- fix circular import error #825 @williballenthin
- fix smda negative number extraction #430 @kn0wl3dge
capa explorer IDA Pro plugin
- pin supported versions to >= 7.4 and < 8.0 #849 @mike-hunhoff
Development
- add profiling infrastructure #828 @williballenthin
- linter: detect shellcode extension #820 @mr-tz
- show features script: add backend flag #430 @kn0wl3dge
v3.0.3
v3.0.3 (2021-10-27)
This is primarily a rule maintenance release:
- eight new rules, including all relevant techniques from ATT&CK v10, and
- two rules removed, due to the prevalence of false positives
We've also tweaked the status codes returned by capa.exe to be more specific and added a bit more metadata to the JSON output format.
As always, welcome first time contributors!
New Features
- show in which function a BB match is #130 @williballenthin
- main: exit with unique error codes when bailing #802 @williballenthin
New Rules (8)
- nursery/resolve-function-by-fnv-1a-hash [email protected]
- data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc [email protected]
- collection/group-policy/discover-group-policy-via-gpresult [email protected]
- host-interaction/bootloader/manipulate-safe-mode-programs [email protected]
- nursery/enable-safe-mode-boot [email protected]
- persistence/iis/persist-via-iis-module [email protected]
- persistence/iis/persist-via-isapi-extension [email protected]
- targeting/language/identify-system-language-via-api [email protected]
Removed rules (2)
- load-code/pe/parse-pe-exports: too many false positives in unrelated structure accesses
- anti-analysis/anti-vm/vm-detection/execute-anti-vm-instructions: too many false positives in junk code
Bug Fixes
- update references from FireEye to Mandiant
v3.0.2
This release fixes an issue with the standalone executables built with PyInstaller when running capa against ELF files.
Bug Fixes
v3.0.1
This version updates the version of vivisect used by capa. Users will experience fewer bugs and find improved analysis results.
Thanks to the community for highlighting issues and analysis misses. Your feedback is crucial to further improve capa.
Bug Fixes
- fix many underlying bugs in vivisect analysis and update to version v1.0.5 #786 @williballenthin
v3.0.0
Here comes capa version 3.0! 🥳
capa 3.0:
- adds support for ELF files targeting Linux thanks to Intezer
- adds new features to specify OS, CPU architecture, and file format
- fixes a few bugs that may have led to false negatives (missed capabilities) in older versions
- adds 80 new rules, including 36 describing techniques for Linux
A huge thanks to everyone who submitted issues, provided feedback, and contributed code and rules.
Special acknowledgement to @Adir-Shemesh and @TcM1911 of Intezer for contributing the code to enable ELF support.
Also, welcome first time contributors:
New Features
- all: add support for ELF files #700 @Adir-Shemesh @TcM1911
- rule format: add feature `format:` for file format, like `format: pe` #723 @williballenthin
- rule format: add feature `arch:` for architecture, like `arch: amd64` #723 @williballenthin
- rule format: add feature `os:` for operating system, like `os: windows` #723 @williballenthin
- rule format: add feature `substring:` for verbatim strings with leading/trailing wildcards #737 @williballenthin
- scripts: add `profile-memory.py` for profiling memory usage #736 @williballenthin
- main: add lightweight ELF file feature extractor to detect file limitations #770 @mr-tz
Breaking Changes
- rules using `format`, `arch`, `os`, or `substring` features cannot be used by capa versions prior to v3
- legacy term `arch` (i.e., "x32") is now called `bitness` @williballenthin
- freeze format gains new section for "global" features #759 @williballenthin
New Rules (80)
- collection/webcam/capture-webcam-image @johnk3r
- nursery/list-drag-and-drop-files [email protected]
- nursery/monitor-clipboard-content [email protected]
- nursery/monitor-local-ipv4-address-changes [email protected]
- nursery/load-windows-common-language-runtime [email protected]
- nursery/resize-volume-shadow-copy-storage [email protected]
- nursery/add-user-account-group [email protected]
- nursery/add-user-account-to-group [email protected]
- nursery/add-user-account [email protected]
- nursery/change-user-account-password [email protected]
- nursery/delete-user-account-from-group [email protected]
- nursery/delete-user-account-group [email protected]
- nursery/delete-user-account [email protected]
- nursery/list-domain-servers [email protected]
- nursery/list-groups-for-user-account [email protected]
- nursery/list-user-account-groups [email protected]
- nursery/list-user-accounts-for-group [email protected]
- nursery/list-user-accounts [email protected]
- nursery/parse-url [email protected]
- nursery/register-raw-input-devices [email protected]
- anti-analysis/packer/gopacker/packed-with-gopacker [email protected]
- host-interaction/driver/create-device-object @mr-tz
- host-interaction/process/create/execute-command @mr-tz
- data-manipulation/encryption/create-new-key-via-cryptacquirecontext [email protected]
- host-interaction/log/clfs/append-data-to-clfs-log-container [email protected]
- host-interaction/log/clfs/read-data-from-clfs-log-container [email protected]
- data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl [email protected]
- c2/shell/create-unix-reverse-shell [email protected]
- c2/shell/execute-shell-command-received-from-socket [email protected]
- collection/get-current-user [email protected]
- host-interaction/file-system/change-file-permission [email protected]
- host-interaction/hardware/memory/get-memory-information [email protected]
- host-interaction/mutex/lock-file [email protected]
- host-interaction/os/version/get-kernel-version [email protected]
- host-interaction/os/version/get-linux-distribution [email protected]
- host-interaction/process/terminate/terminate-process-via-kill [email protected]
- lib/duplicate-stdin-and-stdout [email protected]
- nursery/capture-network-configuration-via-ifconfig [email protected]
- nursery/collect-ssh-keys [email protected]
- nursery/enumerate-processes-via-procfs [email protected]
- nursery/interact-with-iptables [email protected]
- persistence/persist-via-desktop-autostart [email protected]
- persistence/persist-via-shell-profile-or-rc-file [email protected]
- persistence/service/persist-via-rc-script [email protected]
- collection/get-current-user-on-linux [email protected]
- collection/network/get-mac-address-on-windows [email protected]
- host-interaction/file-system/read/read-file-on-linux [email protected] [email protected]
- host-interaction/file-system/read/read-file-on-windows [email protected]
- host-interaction/file-system/write/write-file-on-windows [email protected]
- host-interaction/os/info/get-system-information-on-windows [email protected] [email protected]
- host-interaction/process/create/create-process-on-windows [email protected]
- linking/runtime-linking/link-function-at-runtime-on-windows [email protected]
- nursery/create-process-on-linux [email protected]
- nursery/enumerate-files-on-linux [email protected]
- nursery/get-mac-address-on-linux [email protected]
- nursery/get-system-information-on-linux [email protected]
- nursery/link-function-at-runtime-on-linux [email protected]
- nursery/write-file-on-linux [email protected]
- communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl [email protected]
- nursery/linked-against-cpp-http-library @mr-tz
- nursery/linked-against-cpp-json-library @mr-tz
Bug Fixes
- main: fix `KeyError: 0` when reporting results @williballenthin #703
- main: fix potential false negatives due to namespaces across scopes @williballenthin #721
- linter: suppress some warnings about imports from ntdll/ntoskrnl @williballenthin #743
- linter: suppress some warnings about missing examples in the nursery @williballenthin #747
capa explorer IDA Pro plugin
- explorer: add additional filter logic when displaying matches by function #686 @mike-hunhoff
- explorer: remove duplicate check when saving file #687 @mike-hunhoff
- explorer: update IDA extractor to use non-canon mnemonics #688 @mike-hunhoff
- explorer: allow user to add specified number of bytes when adding a Bytes feature in the Rule Generator #689 @mike-hunhoff
- explorer: enforce max column width Features and Editor panes #691 @mike-hunhoff
- explorer: add option to limit features to currently selected disassembly address #692 @mike-hunhoff
- explorer: update support documentation and runtime checks #741 @mike-hunhoff
- explorer: small performance boost to rule generator search functionality #742 @mike-hunhoff
- explorer: add support for arch, os, and format features #758 @mike-hunhoff
- explorer: improve parsing algorithm for rule generator feature editor #768 @mike-hunhoff