add Address abstraction #986
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* feat: start dotnet detection * Apply suggestions from code review Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com> * refactor: dn instead of dotnet * refactor: format branches, extractor reorg * refactor: format selection and dotnet detect * feat: get format, arch, os * refactor: log errors and exceptions * ci: also test and build for dotnet-main dev * fix: import path * fix: circular dep * fix: remove buf argument feat: get runtime meta data * fix: log unsupported runtime error * fix: type ignore Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com>
* Sync capa rules submodule * Sync capa-testfiles submodule * Sync capa rules submodule * changelog * *: remove /x32 and /x64 flavors from number and offset features * *: remove more references to /x32 and /x64 * linter: accept instruction scope * rules: fix max operand index (4) * API: better support A/W functions * vverbose: show lib rule matches * main: accept multiple paths to rules * main: fix removal of default rules path * lint: fix rules path * changelog * capa_as_library: fix rules path is list now * main: better handle multiple rules paths * main: bail if python 3.6 or below closes #964 * ida: readme: remove python 3.6 support * capa2yara: fix rules paths * render: meta: display rule paths on separate lines closes #971 * render: verbose: add doc * verbose: make rule path multiline more concise * vverbose: don't show examples in output closes #970 * vverbose: render subscope name, like "basic block:" closes #963 * build(deps-dev): bump pytest from 7.0.1 to 7.1.1 Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.0.1 to 7.1.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pytest@7.0.1...7.1.1) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * ci: build: update pip and setuptools * ci: build: bump pyinstall to v4.10 * Sync capa rules submodule * Dotnet mixed mode detect (#969) * feat: start dotnet detection (#955) * feat: start dotnet detection * Apply suggestions from code review Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com> * refactor: dn instead of dotnet * refactor: format branches, extractor reorg * refactor: format selection and dotnet detect * feat: get format, arch, os * refactor: log errors and exceptions * ci: also test and build for dotnet-main dev * fix: import path * fix: circular dep * fix: remove buf argument feat: get runtime meta data * fix: log unsupported runtime error * fix: type ignore Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com> * fix: imports and add tests * feat: detect mixed mode and tests * feat: start dotnet detection (#955) * feat: start dotnet detection * Apply suggestions from code review Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com> * refactor: dn instead of dotnet * refactor: format branches, extractor reorg * refactor: format selection and dotnet detect * feat: get format, arch, os * refactor: log errors and exceptions * ci: also test and build for dotnet-main dev * fix: import path * fix: circular dep * fix: remove buf argument feat: get runtime meta data * fix: log unsupported runtime error * fix: type ignore Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com> * fix: imports and add tests Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com> * test: checkout submodules recursively Co-authored-by: Capa Bot <capa-dev@mandiant.com> Co-authored-by: Willi Ballenthin <willi.ballenthin@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
There was a problem hiding this comment.
Please add bug fixes, new features, breaking changes and anything else you think is worthwhile mentioning to the master (unreleased) section of CHANGELOG.md. If no CHANGELOG update is needed add the following to the PR description: [x] No CHANGELOG update needed
This comment was marked as outdated.
This comment was marked as outdated.
CHANGELOG updated or no update needed, thanks! 😄
This comment was marked as outdated.
This comment was marked as outdated.
Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>
|
I've updated the IDA plugin so this PR is now ready for final review and merge. I'm not aware of any issues (aside from how big it is!). |
williballenthin
commented
Jun 14, 2022
williballenthin
commented
Jun 14, 2022
williballenthin
commented
Jun 14, 2022
williballenthin
commented
Jun 14, 2022
Comment on lines
+223
to
+224
| assert isinstance(location, AbsoluteVirtualAddress) | ||
| ea = int(location) |
There was a problem hiding this comment.
note that we assume that IDA only works with absolute addresses. that is, it doesn't work with .NET tokens, etc. as of today, this is true. if we change the behavior of the plugin in the future, we may have to update these assumptions. thats why i used an assert here.
williballenthin
commented
Jun 14, 2022
Comment on lines
-175
to
+176
| class CapaExplorerRulgenPreview(QtWidgets.QTextEdit): | ||
| class CapaExplorerRulegenPreview(QtWidgets.QTextEdit): |
There was a problem hiding this comment.
fixed typo
|
|
dotnet tests failing due to .NET limitation rule presence fixed by mandiant/capa-rules#563 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduce a dedicated Address representation. capa can now handle VA vs RVA vs file offset vs .NET token vs .NET token+offset. This ended up touching a lot of code, so this PR also introduces a codification of the freeze and json formats via pydantic.
closes #981
closes #983
closes #756
In summary: add an
Addressabstract base class (ABC) and some implementors for things like VA, file offset, .NET tokens. Whenever we'd previously emit anintto represent the VA, we now emit an Address instance with appropriate details.Because we can't use
intto identify locations anymore, as extractors enumerate functions/bb/insn, they now return a unified*Handlethat contains:Here's an example of how the handles are used in an extractor: dnfile.extract_insn_api_features
It should be pretty easy, or something is wrong.
Things like
renderand the matching engine know what to do with Addresses, so these can be used consistently throughout the codebase. And, each extractor knows what to do withinnerto pull out features. Previously, we required that location-like things supportedint(...)with varying levels of success. This design is both cleaner and more explicit.Making Addresses complex also involves breaking changes to the freeze and result document formats, because they can no longer be used as the key in a json dictionary. In most places, a
Dict[Address, Foo]becomes aList[Tuple[Address, Foo]]within the serialized format.As I made changes to the freeze and result document formats, I became quite worried that I was leaving things broken, as we didn't have any type checking around the structures (also, these formats weren't documented outside of the code :-( ). So, I made some (fairly big) changes to use pydantic to declare the serialization of these types. These changes weren't really in scope for the original issue, but now seemed like a prudent time for them. Sorry :-/
render examples:
virtual addresses: like before, such as 0x401000
file offsets: file+0x1000
TODO
Checklist