ida extractor: extract APIs from renamed globals #2201
Conversation
481f93b to 8761a6e
Please pull some of the GH comments into code comments so future readers have more context, then I think we're good to go here.
capa/features/extractors/ida/insn.py (outdated)
op_name = match.group(1) | ||
yield API(op_name), ih.address | ||
if capa.features.extractors.helpers.is_aw_function(op_name): | ||
yield API(op_name[:-1]), ih.address |
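Review bot: the two yields at `yield API(op_name), ih.address` and `yield API(op_name[:-1]), ih.address` emit the function name alone, with no DLL name attached; add a code comment at this point stating that the DLL name cannot be recovered from the renamed global, and that the second yield strips the trailing A/W suffix (guarded by `is_aw_function`) so both the suffixed and the unsuffixed name are emitted.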
Please add a comment that calls out the fact that the DLL name cannot be recovered here, unfortunately.
If we are in a debugger we maybe can by following the reference. But it complicates the code and does not work without the debugger, so I tend to think it is not worth trying to extract it. I'll add the comment.
capa/features/extractors/ida/insn.py (outdated)
if capa.features.extractors.helpers.is_aw_function(op_name): | ||
yield API(op_name[:-1]), ih.address |
Looking good @Ana06, thank you! I've left some comments in addition to Wili's.
a1713f6 to f736613
It seems the removal of
c113f91 to e572a03
fef1c64 to 902912b
CI is green! 💚
Only a few minor comments, then good to go. Thanks for resolving the mypy issue.
Add support to extract dynamically resolved APIs stored in global variables that have been renamed (for example using the `renimp.idc` script included with IDA Pro).
LGTM. Thank you very much!
🥳 thank you!
Add support to extract dynamically resolved APIs stored in global variables that have been renamed (for example using the `renimp.idc` script included with IDA Pro). It supports (and may close if we do not want to support the extraction of other types of API dynamic resolution) #252
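An added example, not capa's own code, of the extraction the description refers to: a few constructed IDA-style call operands through renamed globals are run through a matching pattern and an A/W-suffix heuristic (both assumptions, modelled on what the diff does), yielding the API feature with and without the suffix.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample: the operand text IDA shows for indirect calls through
# global variables after a script such as renimp.idc renamed those globals to
# the API they hold at runtime. Hard-coded here (assumption); the real
# extractor reads instructions and names from the IDA database.
SAMPLE_INSNS: List[Tuple[int, str, str]] = [
    (0x401000, "call", "cs:CreateFileW"),
    (0x401006, "call", "ds:RegOpenKeyExA"),
    (0x40100C, "call", "cs:GetProcAddress"),
    (0x401012, "call", "cs:dword_403010"),     # not renamed: nothing to extract
    (0x401018, "call", "eax"),                 # register call: no symbolic target
    (0x40101E, "mov", "eax, cs:CreateFileW"),  # not a call
]

# Call target that is a named global. Pattern is an assumption: it requires a
# segment-prefixed memory operand and rejects IDA's auto-generated names
# (dword_..., off_..., unk_...), which carry no API information.
RENAMED_GLOBAL_RE = re.compile(
    r"^(?:cs|ds):(?!(?:dword|off|unk|byte|qword)_)([A-Za-z_]\w*)$"
)

def is_aw_function(symbol: str) -> bool:
    """ANSI/Unicode pair heuristic: trailing 'A' or 'W' preceded by a lowercase
    letter, so 'CreateFileW' qualifies but 'SHA' does not. Assumption: modelled
    on the helper the diff calls, not copied from it."""
    return len(symbol) > 1 and symbol[-1] in ("A", "W") and symbol[-2].islower()

def extract_api_features(insns) -> Iterator[Tuple[str, int]]:
    """Yield (api_name, address) pairs: the name as renamed, plus the
    suffix-stripped name for A/W pairs. The DLL name is not recoverable from
    the renamed global, so the feature carries the bare function name only."""
    for address, mnem, operand in insns:
        if mnem != "call":
            continue
        match = RENAMED_GLOBAL_RE.match(operand)
        if not match:
            continue
        op_name = match.group(1)
        yield op_name, address
        if is_aw_function(op_name):
            yield op_name[:-1], address

if __name__ == "__main__":
    for api, addr in extract_api_features(SAMPLE_INSNS):
        print(f"{addr:#x}: api({api})")
```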