Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Error running CAPA(1.6.0) as library using vivisect backend

See original GitHub issue

Description

The latest CAPA (1.6.0) failed to extract results from a pe file while using vivisect backend.

Steps to Reproduce

pip install flare-capa
run capa -r path/to/rules -b vivisect "tests/data/Practical Malware Analysis Lab 01-01.dll_"
Get the following error :

loading : 100%|██████████████████████████████████████████████████████████████| 469/469 [00:04<00:00, 99.90     rules/s]
Traceback (most recent call last):
  File "c:\program files\python38\lib\runpy.py", line 193, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "c:\program files\python38\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Users\Rony\AppData\Roaming\Python\Python38\Scripts\capa.exe\__main__.py", line 7, in <module>
  File "C:\Users\Rony\AppData\Roaming\Python\Python38\site-packages\capa\main.py", line 707, in main
    extractor = get_extractor(args.sample, args.format, backend, disable_progress=args.quiet)
  File "C:\Users\Rony\AppData\Roaming\Python\Python38\site-packages\capa\main.py", line 346, in get_extractor
    return get_extractor_py3(path, format, backend, disable_progress=disable_progress)
  File "C:\Users\Rony\AppData\Roaming\Python\Python38\site-packages\capa\main.py", line 329, in get_extractor_py3
    vw = get_workspace(path, format, should_save=False)
  File "C:\Users\Rony\AppData\Roaming\Python\Python38\site-packages\capa\main.py", line 278, in get_workspace
    vw = viv_utils.getWorkspace(path, should_save=should_save)
  File "C:\Users\Rony\AppData\Roaming\Python\Python38\site-packages\viv_utils\__init__.py", line 86, in getWorkspace
    vw.loadFromFile(fp)
  File "C:\Users\Rony\AppData\Roaming\Python\Python38\site-packages\vivisect\__init__.py", line 2648, in loadFromFile
    fname = mod.parseFile(self, filename, baseaddr=baseaddr)
  File "C:\Users\Rony\AppData\Roaming\Python\Python38\site-packages\vivisect\parsers\pe.py", line 36, in parseFile
    return loadPeIntoWorkspace(vw, pe, filename, baseaddr=baseaddr)
  File "C:\Users\Rony\AppData\Roaming\Python\Python38\site-packages\vivisect\parsers\pe.py", line 455, in loadPeIntoWorkspace
    s.parse()
  File "C:\Users\Rony\AppData\Roaming\Python\Python38\site-packages\vtrace\platforms\win32.py", line 2154, in parse
    self.symInit()
  File "C:\Users\Rony\AppData\Roaming\Python\Python38\site-packages\vtrace\platforms\win32.py", line 2105, in symInit
    x = dbghelp.SymLoadModule64(self.phandle,
ctypes.ArgumentError: argument 3: <class 'TypeError'>: wrong type

Expected behavior:

CAPA should extract the information as expected.

Actual behavior:

See 3.

Versions:

CAPA 1.6.0 windows 10 python 3.8

Additional Information

I also setup an workflow to re-verify the issue, the CI failed for V1.6.0 but It’s all good in V1.5.1. This is the workflow file I have used to check:

name: capa 1.6.0

on:
  workflow_dispatch:

jobs:
  build:
    runs-on: windows-latest
    steps:
      - name: Set up Python 3.8
        uses: actions/setup-python@v2
        with: 
         python-version: 3.8
      - name: Install capa from pypi
        run: pip install flare-capa
      - name: Checkout capa
        uses: actions/checkout@v2
        with:
         repository: fireeye/capa
         submodules: true
      - name: Does it run?
        run: capa -r rules -b vivisect "tests/data/Practical Malware Analysis Lab 01-01.dll_"