Merge branch 'dotnet-main' into dotnet/test-update-refs

CHANGELOG.md

@@ -4,18 +4,15 @@
 
 ### New Features
 
- - add new scope "instruction" for matching mnemonics and operands #767 @williballenthin
- - add new feature "operand[{0, 1, 2}].number" for matching instruction operand immediate values #767 @williballenthin
- - add new feature "operand[{0, 1, 2}].offset" for matching instruction operand offsets #767 @williballenthin
- - extract additional offset/number features in certain circumstances #320 @williballenthin
+- add new scope "instruction" for matching mnemonics and operands #767 @williballenthin
+- add new feature "operand[{0, 1, 2}].number" for matching instruction operand immediate values #767 @williballenthin
+- add new feature "operand[{0, 1, 2}].offset" for matching instruction operand offsets #767 @williballenthin
+- main: detect dotnet binaries #955 @mr-tz
 
 ### Breaking Changes
 
   - instruction scope and operand feature are new and are not backwards compatible with older versions of capa
-<<<<<<< HEAD
   - Python 3.7 is now the minimum supported Python version #866 @williballenthin
-=======
->>>>>>> 65552575 (Update dotnet-main (#979))
   - remove /x32 and /x64 flavors of number and operand features #932 @williballenthin
   - the tool now accepts multiple paths to rules, and JSON doc updated accordingly @williballenthin
 

capa/features/extractors/ida/insn.py

@@ -12,11 +12,7 @@
 
 import capa.features.extractors.helpers
 import capa.features.extractors.ida.helpers
-<<<<<<< HEAD
-from capa.features.insn import API, MAX_STRUCTURE_SIZE, Number, Offset, Mnemonic, OperandNumber, OperandOffset
-=======
 from capa.features.insn import API, Number, Offset, Mnemonic, OperandNumber, OperandOffset
->>>>>>> 65552575 (Update dotnet-main (#979))
 from capa.features.common import MAX_BYTES_FEATURE_SIZE, THUNK_CHAIN_DEPTH_DELTA, Bytes, String, Characteristic
 
 # security cookie checks may perform non-zeroing XORs, these are expected within a certain

capa/features/extractors/smda/insn.py

@@ -5,11 +5,7 @@
 from smda.common.SmdaReport import SmdaReport
 
 import capa.features.extractors.helpers
-<<<<<<< HEAD
 from capa.features.insn import API, MAX_STRUCTURE_SIZE, Number, Offset, Mnemonic, OperandNumber, OperandOffset
-=======
-from capa.features.insn import API, Number, Offset, Mnemonic
->>>>>>> 65552575 (Update dotnet-main (#979))
 from capa.features.common import MAX_BYTES_FEATURE_SIZE, THUNK_CHAIN_DEPTH_DELTA, Bytes, String, Characteristic
 
 # security cookie checks may perform non-zeroing XORs, these are expected within a certain
@@ -73,13 +69,7 @@ def extract_insn_number_features(f, bb, insn):
             # The result of bitwise operations is calculated as though carried out
             # in two’s complement with an infinite number of sign bits
             value = int(operand, 16) & ((1 << f.smda_report.bitness) - 1)
-<<<<<<< HEAD
         except ValueError:
-=======
-
-            yield Number(value), insn.offset
-        except:
->>>>>>> 65552575 (Update dotnet-main (#979))
             continue
         else:
             yield Number(value), insn.offset
@@ -250,10 +240,7 @@ def extract_insn_offset_features(f, bb, insn):
             continue
 
         yield Offset(number), insn.offset
-<<<<<<< HEAD
         yield OperandOffset(i, number), insn.offset
-=======
->>>>>>> 65552575 (Update dotnet-main (#979))
 
 
 def is_security_cookie(f, bb, insn):

capa/features/extractors/viv/insn.py

@@ -17,11 +17,7 @@
 
 import capa.features.extractors.helpers
 import capa.features.extractors.viv.helpers
-<<<<<<< HEAD
 from capa.features.insn import API, MAX_STRUCTURE_SIZE, Number, Offset, Mnemonic, OperandNumber, OperandOffset
-=======
-from capa.features.insn import API, Number, Offset, Mnemonic, OperandNumber, OperandOffset
->>>>>>> 65552575 (Update dotnet-main (#979))
 from capa.features.common import MAX_BYTES_FEATURE_SIZE, THUNK_CHAIN_DEPTH_DELTA, Bytes, String, Characteristic
 from capa.features.extractors.viv.indirect_calls import NotFoundError, resolve_indirect_call
 

tests/fixtures.py

@@ -37,8 +37,12 @@
 )
 
 CD = os.path.dirname(__file__)
+<<<<<<< HEAD
 DOTNET_DIR = os.path.join(CD, "data", "dotnet")
 DNFILE_TESTFILES = os.path.join(DOTNET_DIR, "dnfile-testfiles")
+=======
+DNFILE_TESTFILES = "dnfile-testfiles"
+>>>>>>> dotnet-main
 
 
 @contextlib.contextmanager
@@ -243,7 +247,11 @@ def get_data_path_by_name(name):
     elif name.startswith("b9f5b"):
         return os.path.join(CD, "data", "b9f5bd514485fb06da39beff051b9fdc.exe_")
     elif name.startswith("mixed-mode-64"):
+<<<<<<< HEAD
         return os.path.join(DNFILE_TESTFILES, "mixed-mode", "ModuleCode", "bin", "ModuleCode_amd64.exe")
+=======
+        return os.path.join(CD, "data", DNFILE_TESTFILES, "mixed-mode", "ModuleCode", "bin", "ModuleCode_amd64.exe")
+>>>>>>> dotnet-main
     else:
         raise ValueError("unexpected sample fixture: %s" % name)
 
@@ -499,6 +507,7 @@ def parametrize(params, values, **kwargs):
         # insn/offset: negative
         ("mimikatz", "function=0x4011FB", capa.features.insn.Offset(-0x1), True),
         ("mimikatz", "function=0x4011FB", capa.features.insn.Offset(-0x2), True),
+<<<<<<< HEAD
         #
         # insn/offset from mnemonic: add
         #
@@ -523,6 +532,8 @@ def parametrize(params, values, **kwargs):
         # yes, this is also a number (imagine edx is zero):
         #    .text:004018C0 8D 4B 02                lea     ecx, [ebx+2]
         ("mimikatz", "function=0x401873,bb=0x4018B2,insn=0x4018C0", capa.features.insn.Number(0x2), True),
+=======
+>>>>>>> dotnet-main
         # insn/api
         ("mimikatz", "function=0x403BAC", capa.features.insn.API("advapi32.CryptAcquireContextW"), True),
         ("mimikatz", "function=0x403BAC", capa.features.insn.API("advapi32.CryptAcquireContext"), True),