You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
allocate or change rw memory is a static: basic block/dynamic: call rule that has a instruction subscope block. This subscope block gets translated into a derived rule with static: instruction scope. When capa tries to score the match: <derived rule> in dynamic mode, it can't find it, because static: instruction scoped rules won't ever run/be matched. So, we'd need a default score for this case (that will never be matched, so maybe it should be score = 1).
The most correct thing to do is to prune this impossible match in dynamic mode, but this requires some partial evaluation infrastructure that we don't have yet. That should be done in another issue.
https://github.com/mandiant/capa-rules/blob/9e0ffdf7c51af31bb668c8ffbbe7c8f6fd9199cb/lib/allocate-or-change-rw-memory.yml#L24
allocate or change rw memoryis astatic: basic block/dynamic: callrule that has ainstructionsubscope block. This subscope block gets translated into a derived rule withstatic: instructionscope. When capa tries to score thematch: <derived rule>in dynamic mode, it can't find it, becausestatic: instructionscoped rules won't ever run/be matched. So, we'd need a default score for this case (that will never be matched, so maybe it should bescore = 1).The most correct thing to do is to prune this impossible match in dynamic mode, but this requires some partial evaluation infrastructure that we don't have yet. That should be done in another issue.
Originally posted by @williballenthin in #2080 (comment)
The text was updated successfully, but these errors were encountered: