Refactor: extend Feature with access attribute
Taking this a step further, would it make sense to extend the Feature class to support an “access” attribute similar to the bitness attribute that we previously supported (https://github.com/mandiant/capa/commit/55a5d10859e0a0e0d046c621bb4985faf9769e20), where the “access” attribute is a simple enum, e.g.:

```python
class Access(Enum):
    Read = 1
    Write = 2
```
This would enable us to (optionally) extend the read/write specifier to all current features, including `Property`, and future features. This may even help reduce FPs, e.g. the difference between `cmp` and `mov` using a `number` feature to detect PE parsing (we’d likely expect the number 0x5A4D to be read, not written, in this case), e.g.:

```yaml
- number/read: 0x5A4D
```

We currently use `mnemonic` features to accomplish the above example, but that doesn’t easily allow for technology-agnostic rules, e.g. a rule author wants to detect when the number 0x5A4D is read by both native PE and .NET executables.
_Originally posted by @mike-hunhoff in https://github.com/mandiant/capa/pull/1122#discussion_r943722740_
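To make the proposal concrete, here is an added example sketching how an optional access specifier could fit into feature matching; it is illustrative code written for this page, not capa's implementation, and the `Number` class, `parse_rule_feature`, `count_matches`, the `name/access` key parsing and the sample extracted features are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    """Sketched in the issue: how an instruction accesses a value."""
    Read = 1
    Write = 2


@dataclass(frozen=True)
class Number:
    """Hypothetical feature: a constant plus an optional access specifier.
    access=None keeps today's semantics: match whether read or written."""
    value: int
    access: Optional[Access] = None

    def matches(self, extracted: "Number") -> bool:
        # A rule feature without an access matches any extracted access;
        # with one, only that access counts (the FP-reduction idea above).
        if self.value != extracted.value:
            return False
        return self.access is None or self.access == extracted.access


def parse_rule_feature(key: str, value: str) -> Number:
    """Parse a rule line such as 'number/read: 0x5A4D' (assumed syntax)."""
    name, _, access = key.partition("/")
    if name != "number":
        raise ValueError(f"unsupported feature: {name}")
    acc = Access[access.capitalize()] if access else None
    return Number(int(value, 0), acc)


# Constructed sample: what an extractor might emit for two instructions,
# a 'cmp' that reads the MZ magic and a 'mov' that writes it to memory.
EXTRACTED = [
    Number(0x5A4D, Access.Read),   # from the cmp
    Number(0x5A4D, Access.Write),  # from the mov
]


def count_matches(rule_key: str, rule_value: str, extracted=EXTRACTED) -> int:
    """How many extracted features satisfy one rule feature."""
    rule = parse_rule_feature(rule_key, rule_value)
    return sum(rule.matches(f) for f in extracted)
```

With the sample above, `number: 0x5A4D` matches both instructions while `number/read: 0x5A4D` matches only the `cmp`, which is the distinction the issue wants rules to be able to express.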
Top GitHub Comments
I’m leaning towards a separate branch/PR based on #1122 which is fairly big already. Maybe we branch off #1122 and merge in the Feature extension first?
added in #1168