capa v1.3 releases: identify capabilities in executable files
capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
This release brings newly updated mappings to the Malware Behavior Catalog version 2.0, many enhancements to the IDA Pro plugin, flare-capa on PyPI, a bunch of bug fixes to improve feature extraction, and four new rules.
Key changes to IDA Plugin
The IDA Pro integration is now distributed as a real plugin, instead of a script. This enables a few things:
- keyboard shortcuts and file menu integration
- updates distributed via PyPI / `pip install --upgrade` without touching your
- generally doing things the "right way"
How to get this new version? It's easy: download `capa_explorer.py` to your IDA plugins directory and update your capa installation (incidentally, this is a good opportunity to migrate to `pip install flare-capa` instead of git checkouts). Now you should see the plugin listed in the `Edit > Plugins > FLARE capa explorer` menu in IDA.
Please refer to the plugin readme for additional information on installing and using the IDA Pro plugin.
Please open an issue in this repository if you notice anything weird.
- ida plugin: now a real plugin, not a script @mike-hunhoff
- core: distributed via PyPI as flare-capa @williballenthin
- features: enable automatic A/W handling for imports @williballenthin @Ana06 #246
- ida plugin: persist rules directory setting via ida-settings @williballenthin #268
- ida plugin: add search bar to results view @williballenthin #285
- ida plugin: add Reset buttons to tree view @mike-hunhoff #304
- ida plugin: add status label to tree view @mike-hunhoff
- ida plugin: add progress indicator @mike-hunhoff, @mr-tz
- compiled with py2exe @re-fox
- resolve path using msvcrt @re-fox
- decompress data using QuickLZ @edeca
- encrypt data using sosemanuk @recvfrom
- rule: reduce FP in DNS resolution @toomanybananas
- engine: report correct strings matched via regex @williballenthin #262
- formatter: correctly format descriptions in two-line syntax @williballenthin @recvfrom #263
- viv: better extract offsets from SibOper operands @williballenthin @edeca #276
- import-to-ida: fix import error @cclauss
- viv: don’t write settings to ~/.viv/viv.json @williballenthin @rakuy0 @weslambert #244
- ida plugin: remove dependency loop that resulted in unnecessary overhead @mike-hunhoff #303
- ida plugin: correctly highlight regex matches in IDA Disassembly view @mike-hunhoff #305
- ida plugin: better handle rule directory prompt and failure case @stevemk14ebr @mike-hunhoff #309
- rules: update meta mapping to MBC 2.0! @dzbeck
- render: don’t display rules that are also matched by other rules @williballenthin @Ana06 #224
- ida plugin: simplify tabs, removing summary and adding detail to results view @williballenthin #286
- ida plugin: analysis is no longer automatically started when plugin is first opened @mike-hunhoff #304
- ida plugin: user must manually select a capa rules directory before analysis can be performed @mike-hunhoff
- ida plugin: user interface controls are disabled until analysis is performed @mike-hunhoff #304
See capa -h for all supported arguments and usage examples.
tips and tricks
only run selected rules
Use the `-t` option to run only the rules with the given metadata value (see the rule fields `rule.meta.*`). For example, `capa -t firstname.lastname@example.org` runs rules that reference Willi's email address (probably as the author), and `capa -t communication` runs rules with a matching namespace.
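To make the `-t` selection concrete, here is an added example (my own code, not capa's implementation) that filters a small, constructed set of rule metadata the way the option is described above: a rule is selected when the tag appears in any of its `meta` values. The substring matching, the list-valued `author` field and the sample rules are all assumptions made for illustration; capa's own rule schema and filter may differ.

```python
from typing import Dict, List, Union

MetaValue = Union[str, List[str]]
RuleMeta = Dict[str, MetaValue]

# Constructed sample rule metadata (not from the capa rules repository).
# Only the meta section matters for -t selection, so feature logic is omitted.
SAMPLE_RULES: Dict[str, RuleMeta] = {
    "send HTTP request": {
        "namespace": "communication/http/client",
        "author": "firstname.lastname@example.org",
        "scope": "function",
    },
    "resolve DNS": {
        "namespace": "communication/dns",
        # assumption: a list-valued field, to show that every element is checked
        "author": ["firstname.lastname@example.org", "someone@example.net"],
        "scope": "function",
    },
    "encrypt data using sosemanuk": {
        "namespace": "data-manipulation/encryption/sosemanuk",
        "author": "author@example.com",  # placeholder, not the real rule author
        "scope": "function",
    },
}


def meta_matches(meta: RuleMeta, tag: str) -> bool:
    """Return True if `tag` is a substring of any string-valued meta field,
    or of any element of a list-valued one (assumed matching semantics)."""
    for value in meta.values():
        candidates = value if isinstance(value, list) else [value]
        if any(isinstance(v, str) and tag in v for v in candidates):
            return True
    return False


def select_rules(rules: Dict[str, RuleMeta], tag: str) -> List[str]:
    """Names of the rules that `-t <tag>` would keep, in sorted order."""
    return sorted(name for name, meta in rules.items() if meta_matches(meta, tag))


if __name__ == "__main__":
    for tag in ("communication", "firstname.lastname@example.org", "sosemanuk"):
        print(f"-t {tag}: {select_rules(SAMPLE_RULES, tag)}")
```

Because every `meta` field is searched, a tag such as `communication` selects by namespace while an email address selects by author; a tag that matches nothing simply yields an empty rule set, which is worth checking for before concluding that a sample has no capabilities.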
IDA Pro integrations
You can run capa from within IDA Pro. Run `File > Script file...` (or ALT + F7). When running in IDA, capa uses IDA's disassembly and file analysis as its backend. These results may vary from the standalone version that uses vivisect. IDA's analysis is generally a bit faster and more thorough than vivisect's, so you might prefer this mode.
When run under IDA, capa supports both Python 2 and Python 3 interpreters. If you encounter issues with your specific setup, please open a new Issue.
Additionally, capa comes with an IDA Pro plugin located in the capa/ida directory: the explorer.
The capa explorer allows you to interactively display and browse capabilities capa identified in a binary. As you select rules or logic, capa will highlight the addresses that support its analysis conclusions. We like to use capa to help find the most interesting parts of a program, such as where the C2 mechanism might be.
To install the plugin, you’ll need to be running IDA Pro 7.4 or 7.5 with either Python 2 or Python 3. Next make sure pip commands are run using the Python install that is configured for your IDA install:
- Only if running Python 2.7, run the command `$ pip install https://github.com/williballenthin/vivisect/zipball/master`
- Run `$ pip install .` from the capa root directory
- Open IDA and navigate to `File > Script file…` or
- Navigate to
Copyright (C) 2020 FireEye