forked from mandiant/capa
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
196d394
commit 7846ffa
Showing
4 changed files
with
64 additions
and
26 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| FLARE capa plugin brings the program capabilities detection of [capa](https://github.com/fireeye/capa) to IDA. This plugin adds | ||
| new user interface elements including an interactive tree view of rule matches and their locations | ||
| within the current database. You can use FLARE capa plugin to dissect capa rules at the assembly level or quickly jump to interesting parts of a program, | ||
| such as where the C2 mechanism might be. | ||
|
|
||
| FLARE capa plugin consists of two components: | ||
|
|
||
| * A [feature extractor](https://github.com/fireeye/capa/tree/master/capa/features/extractors/ida) built on top of IDA's powerful binary analysis engine | ||
| * An [interactive plugin](https://github.com/fireeye/capa/tree/master/capa/ida/plugin) for displaying and exploring capa rules matched against an IDA database | ||
|
|
||
|  | ||
|
|
||
| # requirements | ||
|
|
||
| * IDA Pro 7.4+ with Python 2.7 or Python 3.x | ||
|
|
||
| # supported file types | ||
|
|
||
| * Windows `32-bit` and `64-bit` PE files | ||
| * Windows `32-bit` and `64-bit` shellcode | ||
|
|
||
| # installation | ||
|
|
||
| ## quick install | ||
| 1. Install capa for the Python interpreter used by your IDA installation: | ||
|
|
||
| ``` | ||
| $ pip install flare-capa | ||
| ``` | ||
| 3. Copy [capa_plugin_ida.py](https://raw.githubusercontent.com/fireeye/capa/master/capa/ida/plugin/capa_plugin_ida.py) to your IDA plugins directory | ||
| ## development | ||
| 1. Install capa for the Python interpreter used by your IDA installation using method 3 of the instructions found [here](https://github.com/fireeye/capa/blob/master/doc/installation.md#method-3-inspecting-the-capa-source-code) | ||
| 2. Copy [capa_plugin_ida.py](https://raw.githubusercontent.com/fireeye/capa/master/capa/ida/plugin/capa_plugin_ida.py) to your IDA plugins directory | ||
| If you encounter issues with your specific setup, please open a new [Issue](https://github.com/fireeye/capa/issues). | ||
| # usage | ||
| 1. Run IDA and analyze a supported file type (select `Manual Load` and `Load Resources` for best results) | ||
| 2. Open FLARE capa plugin in IDA by navigating to `Edit > Plugins > FLARE capa plugin` or using the keyboard shortcut `Alt+F5` | ||
| 3. Click `Analyze` | ||
| When running the plugin for the first time you are prompted to select a file directory containing capa rules. The plugin conviently | ||
| remembers your selection for future runs; you can change this selection by navigating to `Rules > Change rules directory...`. We recommend | ||
| downloading and using the [standard collection of capa rules](https://github.com/fireeye/capa-rules) when first getting familiar with the plugin but any | ||
| file directory containing [valid capa rules](https://github.com/fireeye/capa-rules/blob/master/doc/format.md) can be used. | ||
| # features | ||
| * Display capa results in an interactive tree view of rule matches and their locations in the current database | ||
| * Export results as formatted JSON by navigating to `File > Export results...` | ||
| * Remember a user's `capa` rules directory for future runs; change `capa` rules directory by navigating to `Rules > Change rules directory...` | ||
| * Search for keywords or phrases found in the `Rule Information`, `Address`, or `Details` columns | ||
| * Display rule source content when a user hovers their cursor over a rule match | ||
| * Double-click `Address` column to view associated feature in the IDA Disassembly view | ||
| * Limit tree view results to the function currently displayed in the IDA Disassembly view; update results as a user navigates to different functions | ||
| * Reset tree view and IDA Disassembly view highlighting by clicking `Reset` | ||
| * Automatically re-analyze database when user performs a program rebase | ||
| * Automatically update results when IDA is used to rename a function | ||
| * Select one or more checkboxes to highlight the associated addresses in the IDA Disassembly view | ||
| * Right-click a function match to rename it; the new function name is propagated to the current IDA database | ||
| * Right-click to copy a result by column or by row |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,27 +12,3 @@ See `capa -h` for all supported arguments and usage examples. | |
| Use the `-t` option to run rules with the given metadata value (see the rule fields `rule.meta.*`). | ||
| For example, `capa -t [email protected]` runs rules that reference Willi's email address (probably as the author), or | ||
| `capa -t communication` runs rules with the namespace `communication`. | ||
|
|
||
| ### IDA Pro integrations | ||
| You can run capa from within IDA Pro. Run `capa/main.py` via `File - Script file...` (or ALT + F7). | ||
| When running in IDA, capa uses IDA's disassembly and file analysis as its backend. | ||
| These results may vary from the standalone version that uses vivisect. | ||
| IDA's analysis is generally a bit faster and more thorough than vivisect's, so you might prefer this mode. | ||
|
|
||
| When run under IDA, capa supports both Python 2 and Python 3 interpreters. | ||
| If you encounter issues with your specific setup, please open a new [Issue](https://github.com/fireeye/capa/issues). | ||
|
|
||
| Additionally, capa comes with an IDA Pro plugin located in the `capa/ida/plugin` directory: the explorer. | ||
|
|
||
| #### capa explorer | ||
| The capa explorer allows you to interactively display and browse capabilities capa identified in a binary. | ||
| As you select rules or logic, capa will highlight the addresses that support its analysis conclusions. | ||
| We like to use capa to help find the most interesting parts of a program, such as where the C2 mechanism might be. | ||
|
|
||
|  | ||
|
|
||
| The plugin currently supports IDA Pro 7.1 through 7.5 with either Python 2 or Python 3. To use the plugin, install capa | ||
| by following method 2 or 3 from the [installation guide](installation.md) and copy [capa_plugin_ida.py](../capa/ida/plugin/capa_plugin_ida.py) | ||
| to the plugins directory of your IDA Pro installation. Following these steps you can run capa explorer in IDA Pro by navigating | ||
| to `Edit > Plugins > capa explorer`. The plugin will prompt you to select a rules directory to use for analysis. You can | ||
| use the [default rule set](https://github.com/fireeye/capa-rules/) or point the plugin to your own directory of rules. | ||