capa icon indicating copy to clipboard operation
capa copied to clipboard
verified publisher icon mandiant

substring/regex support for API

Open mbevilacqua opened this issue 3 years ago • 2 comments

Summary

Allow substring or regex matching for API to allow for more generic rules.

Motivation

Want to key on something like this regardless of glibc version:

  • api: .dynsym.fopen@@glibc_2.2.5

Describe alternatives you've considered

Could enumerate all glibc versions out there but rule would be expensive and high maintenance.

mbevilacqua avatar Jul 20 '22 08:07 mbevilacqua

We could add regex/substring matching to API features, though I'd prefer to try to find another solution first, so that we don't get tempted to be lazy in the future with rule writing.

For example, I wonder if we could de-mangle the symbols to extract the function name from the ABI, e.g. emit both fopen and .dynsym.fopen@@glibc_2.2.5, similar to how we handle DLLs + exports in PE files. In fact, I believe this is what the existing TODO means: https://github.com/mandiant/capa/blob/bae1b2950542d34c7d8c88e16d016784a7638213/capa/features/extractors/elffile.py#L42

Do you think this could work?

williballenthin avatar Jul 22 '22 03:07 williballenthin

Yes that would certainly work. Thanks.

mbevilacqua avatar Jul 22 '22 09:07 mbevilacqua