capa v3.2 releases: identify capabilities in executable files
capa
capa detects capabilities in executable files. You run it against a PE or ELF file, or a shellcode blob, and it reports what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
Changelog v3.2
This release adds a new characteristic, call $+5, enabling users to create rules that match this instruction, which is commonly seen in obfuscators. The linter now also validates ATT&CK and MBC categories and IDs. Additionally, many dependencies, including the vivisect backend, have been updated.
One rule has been added and many more have been improved.
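To make the new characteristic concrete, the following is an added example (not capa's own extractor, which derives the feature from the disassembler's analysis rather than from a byte pattern) that scans raw bytes for the call $+5 idiom. On x86/x64 a near relative call is E8 followed by a 32-bit displacement; the instruction is 5 bytes long, so a displacement of 0 targets the instruction immediately after it. Obfuscators and position-independent shellcode use this as a "GetPC" trick: the call pushes the return address, and a following pop reg recovers the current instruction pointer. The sample bytes are constructed for illustration; the function and register names are this example's, not capa's.

```python
"""Added example: scan raw x86/x64 code for the `call $+5` (E8 00 00 00 00) idiom.

This is illustrative code, not capa's extractor. capa identifies the
characteristic from disassembly, which avoids the main weakness of a byte scan:
without instruction boundaries, E8 00 00 00 00 can also appear inside data or
inside another instruction's immediate operand and be reported as a false hit.
"""

from typing import List, Tuple

# call rel32 with displacement 0: the pushed return address is the next instruction.
CALL_PLUS_5 = b"\xE8\x00\x00\x00\x00"

# Single-byte `pop r32` opcodes, 58h (eax) through 5Fh (edi).
POP_REG = {
    0x58 + i: name
    for i, name in enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])
}


def find_call_plus_5(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, popped_register) for every E8 00 00 00 00 in `code`.

    `popped_register` is the register named by an immediately following
    `pop r32`, or "" when the next byte is not a pop. A pop right after the
    call is the classic GetPC pattern, which is what makes the characteristic
    interesting to rule authors.
    """
    hits: List[Tuple[int, str]] = []
    start = 0
    while True:
        idx = code.find(CALL_PLUS_5, start)
        if idx == -1:
            break
        nxt = idx + len(CALL_PLUS_5)
        popped = POP_REG.get(code[nxt], "") if nxt < len(code) else ""
        hits.append((idx, popped))
        # The pattern cannot overlap itself (E8 never occurs within its zero bytes),
        # so resuming after the match loses nothing.
        start = nxt
    return hits


def has_get_pc_stub(code: bytes) -> bool:
    """True if any call $+5 is immediately followed by a pop, i.e. a GetPC stub."""
    return any(reg for _, reg in find_call_plus_5(code))


# Constructed sample (hypothetical bytes, not from any real sample):
# a function prologue, a GetPC stub, and a second call $+5 with no pop after it.
SAMPLE = (
    b"\x55"                    # 0:  push ebp
    b"\x89\xE5"                # 1:  mov ebp, esp
    b"\xE8\x00\x00\x00\x00"    # 3:  call $+5      ; pushes address of offset 8
    b"\x5B"                    # 8:  pop ebx       ; ebx = address of this pop
    b"\x83\xEB\x08"            # 9:  sub ebx, 8    ; ebx = start of the stub
    b"\xE8\x00\x00\x00\x00"    # 12: call $+5      ; no pop follows
    b"\x90"                    # 17: nop
    b"\xC3"                    # 18: ret
)

if __name__ == "__main__":
    for offset, reg in find_call_plus_5(SAMPLE):
        note = f"followed by pop {reg} (GetPC stub)" if reg else "no pop after it"
        print(f"call $+5 at offset 0x{offset:x}: {note}")
    print("GetPC stub present:", has_get_pc_stub(SAMPLE))
```

A capa rule would express the same idea declaratively with a `characteristic: call $+5` feature in its features block, and the disassembler backend (vivisect or IDA) supplies the instruction boundaries that a byte scan like this one lacks.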
Thanks for all the support, especially to @kn0wl3dge and first time contributor @uckelman-sf!
New Features
- linter: validate ATT&CK/MBC categories and IDs #103 @kn0wl3dge
- extractor: add characteristic “call $+5” feature #366 @kn0wl3dge
New Rules (1)
- anti-analysis/obfuscation/obfuscated-with-advobfuscator jakub.jozwiak@mandiant.com
Bug Fixes
- remove typing package as a requirement for Python 3.7+ compatibility #901 @uckelman-sf
- elf: fix OS detection for Linux kernel modules #867 @williballenthin
Usage
See capa -h for all supported arguments and usage examples.
tips and tricks
only run selected rules
Use the -t option to run rules with the given metadata value (see the rule fields rule.meta.*). For example, capa -t william.ballenthin@mandiant.com runs rules that reference Willi's email address (probably as the author), or capa -t communication runs rules with the namespace communication.
IDA Pro integrations
You can run capa from within IDA Pro. Run capa/main.py via File - Script file... (or ALT + F7). When running in IDA, capa uses IDA's disassembly and file analysis as its backend. These results may vary from the standalone version that uses vivisect. IDA's analysis is generally a bit faster and more thorough than vivisect's, so you might prefer this mode.
When run under IDA, capa supports both Python 2 and Python 3 interpreters. If you encounter issues with your specific setup, please open a new Issue.
Additionally, capa comes with an IDA Pro plugin located in the capa/ida directory: the explorer.
capa explorer
The capa explorer allows you to interactively display and browse capabilities capa identified in a binary. As you select rules or logic, capa will highlight the addresses that support its analysis conclusions. We like to use capa to help find the most interesting parts of a program, such as where the C2 mechanism might be.
To install the plugin, you'll need to be running IDA Pro 7.4 or 7.5 with either Python 2 or Python 3. Next, make sure pip commands are run using the Python install that is configured for your IDA install:
- Only if running Python 2.7, run the command $ pip install https://github.com/williballenthin/vivisect/zipball/master
- Run $ pip install . from the capa root directory
- Open IDA and navigate to File > Script file... or Alt+F7
- Navigate to <capa_install_dir>\capa\ida\ and choose ida_capa_explorer.py
Download
Copyright (C) 2020 Mandiant, Inc.