Releases: mandiant/capa
v9.3.1
This patch release fixes a missing import for the capa explorer plugin for IDA Pro.
Bug Fixes
- add missing ida-netnode dependency to project.toml @mike-hunhoff #2765
Development
- ci: bump binja min version @mike-hunhoff #2763
Raw diffs
v9.3.0
capa v9.3.0 comes with over 20 new and/or improved rules.
For IDA users, the capa explorer plugin is now available via the IDA Pro plugin repository and contains a Qt compatibility layer for PyQt5 and PySide6 support.
Additionally, a Binary Ninja bug has been fixed. Released binaries now include ARM64 binaries (Linux and macOS).
New Features
- ci: add support for arm64 binary releases
Breaking Changes
New Rules (24)
- anti-analysis/anti-vm/vm-detection/detect-mouse-movement-via-activity-checks-on-windows [email protected]
- nursery/create-executable-heap [email protected]
- anti-analysis/packer/dxpack/packed-with-dxpack [email protected]
- anti-analysis/anti-av/patch-bitdefender-hooking-dll-function [email protected]
- nursery/acquire-load-driver-privileges [email protected]
- nursery/communicate-using-ftp [email protected]
- linking/static/eclipse-paho-mqtt-c/linked-against-eclipse-paho-mqtt-c [email protected]
- linking/static/qmqtt/linked-against-qmqtt [email protected]
- anti-analysis/anti-forensic/disable-powershell-transcription [email protected]
- host-interaction/powershell/bypass-powershell-constrained-language-mode-via-getsystemlockdownpolicy-patch [email protected]
- linking/static/grpc/linked-against-grpc [email protected]
- linking/static/hp-socket/linked-against-hp-socket [email protected]
- load-code/execute-jscript-via-vsaengine-in-dotnet [email protected]
- linking/static/funchook/linked-against-funchook [email protected]
- linking/static/plthook/linked-against-plthook [email protected]
- host-interaction/network/enumerate-tcp-connections-via-wmi-com-api [email protected]
- host-interaction/network/routing-table/create-routing-table-entry [email protected]
- host-interaction/network/routing-table/get-routing-table [email protected]
- host-interaction/file-system/use-io_uring-io-interface-on-linux [email protected]
- collection/keylog/log-keystrokes-via-direct-input zeze-zeze
- nursery/compiled-from-fsharp [email protected]
- nursery/decrypt-data-using-aes-via-dotnet [email protected]
- nursery/get-dotnet-assembly-entry-point [email protected]
Bug Fixes
capa Explorer Web
capa Explorer IDA Pro plugin
- add ida-plugin.json for inclusion in the IDA Pro plugin repository @williballenthin
- ida plugin: add Qt compatibility layer for PyQt5 and PySide6 support @williballenthin #2707
- delay import to not load Qt* when running under idalib @mr-tz #2752
Development
- ci: remove redundant "test_run" action from build workflow @mike-hunhoff #2692
- dev: add bumpmyversion to bump and sync versions across the project @mr-tz
Raw diffs
v9.2.1
This point release fixes bugs including removing an unnecessary PyInstaller warning message and enabling the standalone binary to execute on systems running older versions of glibc.
Bug Fixes
- ci: exclude pkg_resources from PyInstaller build @mike-hunhoff #2684
- ci: downgrade Ubuntu version to accommodate older glibc versions @mike-hunhoff #2684
Development
- ci: upgrade Windows version to avoid deprecation @mike-hunhoff #2684
- ci: check if build runs without warnings or errors @mike-hunhoff #2684
Raw diffs
v9.2.0
This release improves a few aspects of dynamic analysis, for example relaxing our validation on fields across many CAPE versions and processing additional VMRay submission file types.
It also includes an updated rule pack containing new rules and rule fixes.
New Features
- vmray: do not restrict analysis to PE and ELF files, e.g. docx @mike-hunhoff #2672
Breaking Changes
New Rules (22)
- communication/socket/connect-socket [email protected] [email protected] [email protected]
- communication/socket/udp/connect-udp-socket [email protected]
- nursery/enter-debug-mode-in-dotnet @v1bh475u
- nursery/decrypt-data-using-tripledes-in-dotnet 0xRavenspar
- nursery/encrypt-data-using-tripledes-in-dotnet 0xRavenspar
- nursery/disable-system-features-via-registry-on-windows [email protected]
- data-manipulation/encryption/chaskey/encrypt-data-using-chaskey [email protected]
- data-manipulation/encryption/speck/encrypt-data-using-speck [email protected]
- load-code/dotnet/load-assembly-via-iassembly [email protected]
- malware-family/donut-loader/load-shellcode-via-donut [email protected]
- nursery/disable-device-guard-features-via-registry-on-windows [email protected]
- nursery/disable-firewall-features-via-registry-on-windows [email protected]
- nursery/disable-system-restore-features-via-registry-on-windows [email protected]
- nursery/disable-windows-defender-features-via-registry-on-windows [email protected]
- host-interaction/file-system/write/clear-file-content jakeperalta7
- host-interaction/filter/unload-minifilter-driver JakePeralta7
- exploitation/enumeration/make-suspicious-ntquerysysteminformation-call [email protected]
- exploitation/gadgets/load-ntoskrnl [email protected]
- exploitation/gadgets/resolve-ntoskrnl-gadgets [email protected]
- exploitation/spraying/make-suspicious-ntfscontrolfile-call [email protected]
- anti-analysis/anti-forensic/unload-sysmon JakePeralta7
Bug Fixes
- cape: make some fields optional @williballenthin #2631 #2632
- lint: add WARN for regex features that contain unescaped dot #2635
- lint: add ERROR for incomplete registry control set regex #2643
- binja: update unit test core version #2670
Raw diffs
v9.1.0
This release improves a few aspects of dynamic analysis, relaxing our validation on fields across many CAPE versions, for example.
It also includes an updated rule pack in which many dynamic rules make better use of the "span of calls" scope.
New Rules (3)
- host-interaction/registry/change-registry-key-timestamp [email protected]
- host-interaction/mutex/check-mutex-and-terminate-process-on-windows @_re_fox [email protected] [email protected]
- anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs-remotely [email protected]
Bug Fixes
- only parse CAPE fields required for analysis @mike-hunhoff #2607
- main: render result document without needing associated rules @williballenthin #2610
- vmray: only verify process OS and monitor IDs match @mike-hunhoff #2613
- render: don't assume prior matches exist within a thread @mike-hunhoff #2612
Raw diffs
v9.0.0
This release introduces a new scope for dynamic analysis, "span of calls", that matches features across a sliding window of API calls within a thread. It's useful for identifying behaviors that span multiple API calls, such as OpenFile/ReadFile/CloseFile, without having to analyze an entire thread, which may be very long.
The release also contains a number of bug fixes and enhancements by new contributors: @v1bh475u and @dhruvak001. Welcome and thank you!
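As an added illustration (not capa's own code), the following Python models the difference between thread scope and the new span-of-calls scope on a constructed call trace; the window size, the API names and the trace are assumptions for the example.

```python
from collections import deque
from dataclasses import dataclass

# Assumed window size for this illustration (not necessarily capa's own value).
SPAN_SIZE = 5


@dataclass(frozen=True)
class Call:
    thread_id: int
    index: int  # position of the call within its thread's trace
    api: str


def group_by_thread(calls):
    threads = {}
    for call in calls:
        threads.setdefault(call.thread_id, []).append(call)
    return threads


def match_thread_scope(calls, required):
    """Thread scope: fires if every required API appears anywhere in the thread."""
    return sorted(tid for tid, seq in group_by_thread(calls).items()
                  if required.issubset({c.api for c in seq}))


def match_span_scope(calls, required, span_size=SPAN_SIZE):
    """Span-of-calls scope: slide a fixed-size window over each thread's calls and
    report (thread_id, window_end_index) for every window holding all required APIs."""
    hits = []
    for tid, seq in group_by_thread(calls).items():
        window = deque(maxlen=span_size)  # oldest call drops out automatically
        for call in seq:
            window.append(call.api)
            if required.issubset(set(window)):
                hits.append((tid, call.index))
    return hits


# Constructed sample trace (not real sandbox output): thread 1 opens, reads and
# closes a file back-to-back; thread 2 spreads the same calls across unrelated calls.
SAMPLE_TRACE = (
    [Call(1, i, api) for i, api in enumerate(["GetTickCount", "OpenFile", "ReadFile", "CloseFile", "Sleep"])]
    + [Call(2, 0, "OpenFile")]
    + [Call(2, i, "Sleep") for i in range(1, 9)]
    + [Call(2, 9, "ReadFile"), Call(2, 10, "CloseFile")]
)
RULE = {"OpenFile", "ReadFile", "CloseFile"}

if __name__ == "__main__":
    # Thread scope reports both threads; span scope only reports the tight sequence in thread 1.
    print("thread scope matches:", match_thread_scope(SAMPLE_TRACE, RULE))
    print("span scope matches:  ", match_span_scope(SAMPLE_TRACE, RULE))
```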
New Features
- add warning for dynamic .NET samples #1864 @v1bh475u
- add lint for detecting duplicate features in capa-rules #2250 @v1bh475u
- add span-of-calls scope to match features across a sliding window of API calls within a thread @williballenthin #2532
- add lint to catch rules that depend on other rules with impossible scope @williballenthin #2124
Breaking Changes
- remove is_static_limitation method from capa.rules.Rule
- add span-of-calls scope to rule format
- capabilities functions return dataclasses instead of tuples
New Rules (3)
- data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library @Ana06
- data-manipulation/encryption/use-bigint-function @Ana06
- internal/limitation/dynamic/internal-dotnet-file-limitation @v1bh475u
Bug Fixes
- dynamic: only check file limitations for static file formats @mr-tz
- vmray: load more analysis archives @mr-tz
- vmray: skip non-printable strings @mike-hunhoff
- vmray: loosen file checks to enable processing more file types @mike-hunhoff #2571
- strings: add type hints and fix uncovered bugs @williballenthin #2555
- elffile: handle symbols without a name @williballenthin #2553
- project: remove pytest-cov that wasn't used @williballenthin #2491
- replace binascii methods with native Python methods @v1bh475u #2582
- rules: scopes can now have subscope blocks with the same scope @williballenthin #2584
Development
- license & copyright: Correct LICENSE file and improve copyright and license information headers in the source code files @Ana06
- documentation: Improve CLA and Code of Conduct information in CONTRIBUTING @Ana06
Raw diffs
v8.0.1
This point release fixes an issue with the IDAPython API to now handle IDA Pro 8.3, 8.4, and 9.0 correctly.
Bug Fixes
- handle IDA 8.3/8.4 vs. 9.0 API change @mr-tz
Raw diffs
v8.0.0
capa version 8 adds support for IDA Pro 9.0 (and idalib). The release comes with various improvements and bug fixes for the Binary Ninja backend (including loading database files) -- thanks to @xusheng6.
Additional bug fixes improve the dynamic and BinExport backends.
capa version 8 now requires Python 3.10 or newer.
Special thanks to @Tamir-K, @harshit-wadhwani, @jorik-utwente for their great contributions.
New Features
- allow call as valid subscope for call scoped rules @mr-tz
- support loading and analyzing a Binary Ninja database #2496 @xusheng6
- vmray: record process command line details @mr-tz
Breaking Changes
New Rules (54)
- nursery/get-shadow-password-file-entry-on-linux [email protected]
- nursery/set-shadow-password-file-entry-on-linux [email protected]
- collection/browser/get-chrome-cookiemonster [email protected]
- collection/browser/get-elevation-service-for-chromium-based-browsers [email protected]
- collection/get-steam-token [email protected]
- nursery/persist-via-application-shimming [email protected]
- nursery/persist-via-bits-job [email protected]
- nursery/persist-via-print-processors-registry-key [email protected]
- linking/static/touchsocket/linked-against-touchsocket [email protected]
- runtime/dotnet/compiled-with-dotnet-aot [email protected]
- nursery/persist-via-errorhandler-script [email protected]
- nursery/persist-via-get-variable-hijack [email protected]
- nursery/persist-via-iphlpapi-dll-hijack [email protected]
- nursery/persist-via-lnk-shortcut [email protected]
- nursery/persist-via-powershell-profile [email protected]
- nursery/persist-via-windows-accessibility-tools [email protected]
- nursery/persist-via-windows-terminal-profile [email protected]
- nursery/write-to-browser-extension-directory [email protected]
- nursery/persist-via-aedebug-registry-key [email protected]
- nursery/persist-via-amsi-registry-key [email protected]
- nursery/persist-via-app-paths-registry-key [email protected]
- nursery/persist-via-appcertdlls-registry-key [email protected]
- nursery/persist-via-appx-registry-key [email protected]
- nursery/persist-via-autodialdll-registry-key [email protected]
- nursery/persist-via-autoplayhandlers-registry-key [email protected]
- nursery/persist-via-bootverificationprogram-registry-key [email protected]
- nursery/persist-via-code-signing-registry-key [email protected]
- nursery/persist-via-com-hijack [email protected]
- nursery/persist-via-command-processor-registry-key [email protected]
- nursery/persist-via-contextmenuhandlers-registry-key [email protected]
- nursery/persist-via-cor_profiler_path-registry-value [email protected]
- nursery/persist-via-default-file-association-registry-key [email protected]
- nursery/persist-via-disk-cleanup-handler-registry-key [email protected]
- nursery/persist-via-dotnet-dbgmanageddebugger-registry-key [email protected]
- nursery/persist-via-dotnet_startup_hooks-registry-key [email protected]
- nursery/persist-via-explorer-tools-registry-key [email protected]
- nursery/persist-via-filter-handlers-registry-key [email protected]
- nursery/persist-via-group-policy-registry-key [email protected]
- nursery/persist-via-hhctrl-com-hijack [email protected]
- nursery/persist-via-htmlhelp-author-registry-key [email protected]
- nursery/persist-via-image-file-execution-options-registry-key [email protected]
- nursery/persist-via-lsa-registry-key [email protected]
- nursery/persist-via-natural-language-registry-key [email protected]
- nursery/persist-via-netsh-registry-key [email protected]
- nursery/persist-via-network-provider-registry-key [email protected]
- nursery/persist-via-path-registry-key [email protected]
- nursery/persist-via-print-monitors-registry-key [email protected]
- nursery/persist-via-rdp-startup-programs-registry-key [email protected]
- nursery/persist-via-silentprocessexit-registry-key [email protected]
- nursery/persist-via-telemetrycontroller-registry-key [email protected]
- nursery/persist-via-timeproviders-registry-key [email protected]
- nursery/persist-via-ts-initialprogram-registry-key [email protected]
- nursery/persist-via-userinitmprlogonscript-registry-value [email protected]
- nursery/persist-via-windows-error-reporting-registry-key [email protected]
Bug Fixes
- extractor: fix exception when PE extractor encounters unknown architecture #2440 @Tamir-K
- IDA Pro: rename ida to idapro module for plugin and idalib in IDA 9.0 #2453 @mr-tz
- ghidra: fix saving of base address @mr-tz
- binja: support loading raw x86/x86_64 shellcode #2489 @xusheng6
- binja: fix crash when the IL of certain functions are not available. #2249 @xusheng6
- binja: major performance improvement on the binja extractor. #1414 @xusheng6
- cape: make Process model flexible and procmemory optional to load newest reports #2466 @mr-tz
- binja: fix unit test failure by fixing up the analysis for file al-khaser_x64.exe_ #2507 @xusheng6
- binja: move the stack string detection to function level #2516 @xusheng6
- BinExport2: fix handling of incorrect thunk functions #2524 @williballenthin
- BinExport2: more precise pruning of expressions @williballenthin
- BinExport2: better handle weird expression trees from Ghidra #2528 #2530 @williballenthin
capa Explorer Web
capa Explorer IDA Pro plugin
Development
- CI: use macos-13 since macos-12 is deprecated and will be removed on December 3rd, 2024 #2173 @mr-tz
- CI: update Binary Ninja version to 4.2 #2499 @xusheng6
Raw diffs
v7.4.0
The v7.4.0 capa release fixes a bug when processing VMRay analysis archives and enhances API extraction for all dynamic backends. For better terminal rendering, capa now solely relies on the rich library.
The standalone capa executable can now automatically detect installations of relevant third party applications and use their backends (notably, idalib and Binary Ninja). For the extra standalone Linux build we've upgraded from Python 3.11 to 3.12.
Twelve new rules have been added. Thanks to all the contributors!
This is the last capa version supporting Python 3.8 and 3.9. If you have major concerns about this please reach out to us.
New Features
- add IDA v9.0 backend via idalib #2376 @williballenthin
- locate Binary Ninja API using XDG Desktop Entries #2376 @williballenthin
New Rules (15)
- nursery/access-unmanaged-com-objects-in-dotnet [email protected]
- nursery/implement-ui-automation-client-in-dotnet [email protected]
- nursery/interact-with-shortcut-via-iwshshortcut-in-dotnet [email protected]
- nursery/interact-with-windows-scripting-host-in-dotnet [email protected]
- nursery/use-dotnet-library-simplejson [email protected]
- nursery/use-dotnet-library-websocket-sharp [email protected]
- linking/runtime-linking/populate-syswhispers2-syscall-list [email protected]
- host-interaction/os/hide-shutdown-actions-via-policy [email protected]
- host-interaction/process/get-process-filename [email protected]
- host-interaction/driver/complete-processing-asynchronous-io-request [email protected]
- anti-analysis/packer/nmm-protect/packed-with-nmm-protect [email protected]
- host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2 [email protected]
- host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule [email protected]
- host-interaction/registry/open-recentdocs-registry-key [email protected]
Bug Fixes
- use Python 3.12 to build extra standalone build on Linux #2383 @williballenthin
- bump minimum Python version to 3.8.1 to satisfy uv #2387 @williballenthin
- vmray: collect more process information from flog.xml #2394 @mr-tz @mike-hunhoff
- replace tabulate, tqdm, and termcolor with rich #2374 @s-ff
- dynamic: emit complete features for A/W APIs #2409 @mike-hunhoff
- vmray: fix backslash handling in string call arguments #2428 @mr-tz
capa Explorer Web
Raw diffs
v7.3.0
The v7.3.0 capa release comes with the following three major enhancements:
1. Support for VMRay sandbox analysis archives
Unlock powerful malware analysis with capa's new VMRay sandbox integration! Simply provide a VMRay analysis archive, and capa will automatically extract and match capabilities to streamline your workflow. VMRay is the second supported dynamic analysis format after CAPE.
2. Support for BinExport files generated by Ghidra
BinExport files store disassembled data in a Protocol Buffer format. capa now supports the analysis of BinExport files generated by Ghidra. Using Ghidra and the BinExport file format, users can now analyze ARM (AARCH64) ELF files targeting Android.
3. Introducing the capa rules website
You can now browse capa's default rule set at https://mandiant.github.io/capa/rules. In modern terminals the CLI capa tool hyperlinks to resources on the web, including entries on the capa rules website.
Furthermore, https://mandiant.github.io/capa provides a landing page for the capa tool project.
Additional updates
- capa Explorer Web received several enhancements and bug fixes.
- Support for the IDA Pro 9.0 IDAPython API while keeping compatibility with older IDA Pro versions
- Six rules have been added and two rules have been updated
Thanks to @r-sm2024 for their contribution in #2155 and their further work. And of course a big thanks to the community for reporting issues, participating in discussions, and supporting the capa tool and capa rules.
New Features
- regenerate ruleset cache automatically on source change (only in dev mode) #2133 @s-ff
- add landing page https://mandiant.github.io/capa/ @williballenthin #2310
- add rules website https://mandiant.github.io/capa/rules @DeeyaSingh #2310
- add .justfile @williballenthin #2325
- dynamic: add support for VMRay dynamic sandbox traces #2208 @mike-hunhoff @r-sm2024 @mr-tz
- cli: use modern terminal features to hyperlink to the rules website #2337 @williballenthin
- support analyzing BinExport2 files generated by Ghidra #1950 @williballenthin @mehunhoff @mr-tz
- add support for Android OS #1950 @williballenthin @mehunhoff @mr-tz
- add support for aarch64 architecture via BinExport2 backend #1950 @williballenthin @mehunhoff @mr-tz
New Rules (6)
- linking/static/minhook/linked-against-minhook [email protected]
- linking/static/sqlite3/linked-against-sqlcipher [email protected]
- host-interaction/network/traffic/filter/delete-network-filter-via-wfp-api [email protected]
- host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api [email protected]
- nursery/check-thread-suspend-count-exceeded [email protected]
- nursery/create-thread-bypassing-process-freeze [email protected]
Bug Fixes
- fix duplicate features shown in vverbose mode @williballenthin #2323
- fix code path reference in linter @williballenthin #2350