v6.0.0

v6.0.0

capa v6.0 brings many bug fixes and quality improvements, including 64 rule updates and 26 new rules. We're now publishing to PyPI via Trusted Publishing and have migrated to using a pyproject.toml file. @Aayush-Goel-04 contributed a lot of new code across many files, so please welcome them to the project, along with @anders-v @crowface28 @dkelly2e @RonnieSalomonsen and @ejfocampo as first-time rule contributors!

For those that use capa as a library, we've introduced some limited breaking changes that better represent data types (versus less-structured data like dictionaries and strings). With the recent deprecation, we've also dropped support for Python 3.7.

New Features

• add script to detect feature overlap between new and existing capa rules #1451 @Aayush-Goel-04
• extract forwarded exports from PE files #1624 @williballenthin
• extract function and API names from ELF symtab entries @yelhamer mandiant/capa-rules#736
• use fancy box drawing characters for default output #1586 @williballenthin

Breaking Changes

• use a class to represent Metadata (not dict) #1411 @Aayush-Goel-04 @manasghandat
• use pathlib.Path to represent file paths #1534 @Aayush-Goel-04
• Python 3.8 is now the minimum supported Python version #1578 @williballenthin
• Require a Contributor License Agreement (CLA) for PRs going forward #1642 @williballenthin

New Rules (26)

• load-code/shellcode/execute-shellcode-via-windows-callback-function [email protected] [email protected]
• nursery/execute-shellcode-via-indirect-call [email protected]
• data-manipulation/encryption/aes/encrypt-data-using-aes-mixcolumns-step @mr-tz
• linking/static/aplib/linked-against-aplib [email protected]
• communication/mailslot/read-from-mailslot [email protected]
• nursery/hash-data-using-sha512managed-in-dotnet [email protected]
• nursery/compiled-with-exescript [email protected]
• nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet [email protected]
• host-interaction/hardware/enumerate-devices-by-category @mr-tz
• host-interaction/service/continue-service @mr-tz
• host-interaction/service/pause-service @mr-tz
• persistence/exchange/act-as-exchange-transport-agent [email protected]
• host-interaction/file-system/create-virtual-file-system-in-dotnet [email protected]
• compiler/cx_freeze/compiled-with-cx_freeze @mr-tz [email protected]
• communication/socket/create-vmci-socket [email protected]
• persistence/office/act-as-excel-xll-add-in [email protected]
• persistence/office/act-as-office-com-add-in [email protected]
• persistence/office/act-as-word-wll-add-in [email protected]
• anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger [email protected] [email protected]
• host-interaction/memory/create-new-application-domain-in-dotnet [email protected]
• host-interaction/gui/switch-active-desktop [email protected]
• host-interaction/service/query-service-configuration @mr-tz
• anti-analysis/anti-av/patch-event-tracing-for-windows-function [email protected]
• data-manipulation/encoding/xor/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls [email protected]
• linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash [email protected]

Bug Fixes

• extractor: add a Binary Ninja test that asserts its version #1487 @xusheng6
• extractor: update Binary Ninja stack string detection after the new constant outlining feature #1473 @xusheng6
• extractor: update vivisect Arch extraction #1334 @mr-tz
• extractor: avoid Binary Ninja exception when analyzing certain files #1441 @xusheng6
• symtab: fix struct.unpack() format for 64-bit ELF files @yelhamer
• symtab: safeguard against ZeroDivisionError for files containing a symtab with a null entry size @yelhamer
• improve ELF strtab and needed parsing @mr-tz
• better handle exceptional cases when parsing ELF files #1458 @Aayush-Goel-04
• improved testing coverage for Binary Ninja backend #1446 @Aayush-Goel-04
• add logging and print redirect to tqdm for capa main #749 @Aayush-Goel-04
• extractor: fix binja installation path detection does not work with Python 3.11
• tests: refine the IDA test runner script #1513 @williballenthin
• output: don't leave behind traces of progress bar @williballenthin
• import-to-ida: fix bug introduced with JSON report changes in v5 #1584 @williballenthin
• main: don't show spinner when emitting debug messages #1636 @williballenthin

capa explorer IDA Pro plugin

Development

• update ATT&CK/MBC data for linting #1568 @mr-tz
• log time taken to analyze each function #1290 @williballenthin
• tests: make fixture available via conftest.py #1592 @williballenthin
• publish via PyPI trusted publishing #1491 @williballenthin
• migrate to pyproject.toml #1301 @williballenthin
• use pre-commit to invoke linters #1579 @williballenthin

Raw diffs

• capa v5.1.0...v6.0.0
• capa-rules v5.1.0...v6.0.0