capa v3.1 releases: identify capabilities in executable files
capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
This release improves the performance of capa while also adding 23 new rules and many code quality enhancements. We profiled capa’s CPU usage and optimized the way that it matches rules, such as by short circuiting when appropriate. According to our testing, the matching phase is approximately 66% faster than v3.0.3! We also added support for Python 3.10, aarch64 builds, and additional MAEC metadata in the rule headers.
- engine: short circuit logic nodes for better performance #824 @williballenthin
- engine: add optimizer to order faster nodes first #829 @williballenthin
- engine: optimize rule evaluation by skipping rules that can’t match #830 @williballenthin
- support python 3.10 #816 @williballenthin
- support aarch64 #683 @williballenthin
- rules: support maec/malware-family meta #841 @mr-tz
- engine: better type annotations/exhaustiveness checking #839 @cl30
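To illustrate the two engine changes above (short-circuiting logic nodes and ordering faster nodes first), here is a small Python model written for this page. It is not capa's own engine; the feature names, per-node costs and sample feature sets are constructed for the demonstration.

```python
# Added example (not capa's code): a miniature rule evaluator in which
# AND/OR nodes stop as soon as their result is known, and an optimizer
# sorts each node's children so cheaper checks run before expensive ones.
from dataclasses import dataclass, field


@dataclass
class Feature:
    """Leaf node: matches when the feature is present in the extracted set."""
    name: str
    cost: int = 1        # constructed relative cost of evaluating this node
    evaluated: int = 0   # how often this leaf was actually checked

    def evaluate(self, features):
        self.evaluated += 1
        return self.name in features


@dataclass
class Logic:
    """AND / OR node over children, evaluated with short-circuiting."""
    op: str              # "and" or "or"
    children: list
    cost: int = field(init=False)

    def __post_init__(self):
        self.cost = sum(c.cost for c in self.children)

    def evaluate(self, features):
        for child in self.children:
            result = child.evaluate(features)
            if self.op == "and" and not result:
                return False   # one failing child decides an AND
            if self.op == "or" and result:
                return True    # one matching child decides an OR
        return self.op == "and"


def optimize(node):
    """Recursively reorder children so cheaper nodes are tried first."""
    if isinstance(node, Logic):
        node.children = sorted((optimize(c) for c in node.children),
                               key=lambda c: c.cost)
    return node


def evaluated_count(node):
    """Total leaf evaluations, used to observe how much work was skipped."""
    if isinstance(node, Feature):
        return node.evaluated
    return sum(evaluated_count(c) for c in node.children)
```

With the cheap API check placed first, a sample that lacks that API fails the AND immediately and the expensive child is never evaluated.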
New Rules (23)
- nursery/delete-windows-backup-catalog firstname.lastname@example.org
- nursery/disable-automatic-windows-recovery-features email@example.com
- nursery/capture-webcam-video @johnk3r
- nursery/create-registry-key-via-stdregprov firstname.lastname@example.org
- nursery/delete-registry-key-via-stdregprov email@example.com
- nursery/delete-registry-value-via-stdregprov firstname.lastname@example.org
- nursery/query-or-enumerate-registry-key-via-stdregprov email@example.com
- nursery/query-or-enumerate-registry-value-via-stdregprov firstname.lastname@example.org
- nursery/set-registry-value-via-stdregprov email@example.com
- data-manipulation/compression/decompress-data-using-ucl firstname.lastname@example.org
- linking/static/wolfcrypt/linked-against-wolfcrypt email@example.com
- linking/static/wolfssl/linked-against-wolfssl firstname.lastname@example.org
- anti-analysis/packer/pespin/packed-with-pespin email@example.com
- load-code/shellcode/execute-shellcode-via-windows-fibers firstname.lastname@example.org
- load-code/shellcode/execute-shellcode-via-enumuilanguages email@example.com
- anti-analysis/packer/themida/packed-with-themida firstname.lastname@example.org
- load-code/shellcode/execute-shellcode-via-createthreadpoolwait email@example.com
- host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object firstname.lastname@example.org
- load-code/shellcode/execute-shellcode-via-copyfile2 email@example.com
- malware-family/plugx/match-known-plugx-module firstname.lastname@example.org
- update ATT&CK mappings by @ryantxu1
- update ATT&CK and MBC mappings by @dzbeck
- aplib detection by @cdong1012
- golang runtime detection by @stevemk14ebr
capa explorer IDA Pro plugin
- add profiling infrastructure #828 @williballenthin
- linter: detect shellcode extension #820 @mr-tz
- show features script: add backend flag #430 @kn0wl3dge
See capa -h for all supported arguments and usage examples.
tips and tricks
only run selected rules
Use the -t option to run rules with the given metadata value (see the rule fields rule.meta.*). For example, capa -t email@example.com runs rules that reference Willi's email address (probably as the author), or capa -t communication runs rules with the namespace communication.
IDA Pro integrations
You can run capa from within IDA Pro. Run
File - Script file... (or ALT + F7). When running in IDA, capa uses IDA’s disassembly and file analysis as its backend. These results may vary from the standalone version that uses vivisect. IDA’s analysis is generally a bit faster and more thorough than vivisect’s, so you might prefer this mode.
When run under IDA, capa supports both Python 2 and Python 3 interpreters. If you encounter issues with your specific setup, please open a new Issue.
Additionally, capa comes with an IDA Pro plugin located in the capa/ida directory: the explorer.
The capa explorer allows you to interactively display and browse capabilities capa identified in a binary. As you select rules or logic, capa will highlight the addresses that support its analysis conclusions. We like to use capa to help find the most interesting parts of a program, such as where the C2 mechanism might be.
To install the plugin, you’ll need to be running IDA Pro 7.4 or 7.5 with either Python 2 or Python 3. Next make sure pip commands are run using the Python install that is configured for your IDA install:
- Only if running Python 2.7, run the command $ pip install https://github.com/williballenthin/vivisect/zipball/master
- Run $ pip install . from the capa root directory
- Open IDA and navigate to File > Script file… or
- Navigate to
Copyright (C) 2020 Mandiant, Inc.