capa v3.2 releases: identify capabilities in executable files
capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
This release adds a new characteristic, call $+5, enabling users to create rules that match this instruction, which is commonly seen in obfuscators. The linter now also validates ATT&CK and MBC categories. Additionally, many dependencies, including the vivisect backend, have been updated.
One rule has been added and many more have been improved.
- linter: validate ATT&CK/MBC categories and IDs #103 @kn0wl3dge
- extractor: add characteristic “call $+5” feature #366 @kn0wl3dge
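A rule that uses the new characteristic, added here as an illustration (it is not the rule shipped in this release; the rule name and author value are placeholders, and the ATT&CK/MBC entries are written in the form the linter now validates):

```yaml
# Example rule (not part of the capa-rules repository): flag basic blocks that
# use the "call $+5 / pop reg" trick to obtain the current instruction pointer,
# a pattern obfuscators use to confuse disassemblers.
rule:
  meta:
    name: obtain instruction pointer via call $+5 (example)   # placeholder name
    namespace: anti-analysis/obfuscation
    author: placeholder@example.org                            # placeholder author
    scope: basic block
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Anti-Static Analysis::Disassembler Evasion [B0012]
    # no "examples" entries here; the linter warns about that but still loads the rule
  features:
    - and:
      # the new characteristic from this release: a call whose target is the next instruction
      - characteristic: call $+5
      # the pushed return address is typically popped straight back into a register
      - mnemonic: pop
```

Place the file under the rules directory you pass with -r, then run capa -r <rules dir> -t anti-analysis/obfuscation <sample> to exercise only this namespace.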
New Rules (1)
- anti-analysis/obfuscation/obfuscated-with-advobfuscator firstname.lastname@example.org
- remove typing package as a requirement for Python 3.7+ compatibility #901 @uckelman-sf
- elf: fix OS detection for Linux kernel modules #867 @williballenthin
See capa -h for all supported arguments and usage examples.
tips and tricks
only run selected rules
Use the -t option to run rules with the given metadata value (see the rule fields rule.meta.*). For example, capa -t email@example.com runs rules that reference Willi’s email address (probably as the author), or capa -t communication runs rules with the namespace
IDA Pro integrations
You can run capa from within IDA Pro. Run it via File - Script file... (or ALT + F7). When running in IDA, capa uses IDA’s disassembly and file analysis as its backend. These results may vary from the standalone version that uses vivisect. IDA’s analysis is generally a bit faster and more thorough than vivisect’s, so you might prefer this mode.
When run under IDA, capa supports both Python 2 and Python 3 interpreters. If you encounter issues with your specific setup, please open a new Issue.
Additionally, capa comes with an IDA Pro plugin located in the capa/ida directory: the explorer.
The capa explorer allows you to interactively display and browse capabilities capa identified in a binary. As you select rules or logic, capa will highlight the addresses that support its analysis conclusions. We like to use capa to help find the most interesting parts of a program, such as where the C2 mechanism might be.
To install the plugin, you’ll need to be running IDA Pro 7.4 or 7.5 with either Python 2 or Python 3. Next make sure pip commands are run using the Python install that is configured for your IDA install:
- Only if running Python 2.7, run command $ pip install https://github.com/williballenthin/vivisect/zipball/master
- Run command $ pip install . from the capa root directory
- Open IDA and navigate to File > Script file… or ALT + F7
- Navigate to
Copyright (C) 2020 Mandiant, Inc.