Patch to enable support for ApiScout and Malpedia dump set for CAPA
###
### Patch for capa to use apiscout and malpedia source (dumped malware):
### venv/lib/python3.8/site-packages/capa/main.py or just capa/main.py
### line 306
###
###
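# Directory the original author keeps the ApiScout collection files under.
# Pass ``apiscout_dir`` to get_extractor_py3 instead of editing this.
_DEFAULT_APISCOUT_DIR = "/home/fxb/PycharmProjects/capa-malpedia-scanner/"

# Malpedia dump names end in the image base the dump was taken at, e.g.
# ``..._dump_0x00400000``; 8 hex digits → 32-bit image, more → 64-bit.
_DUMP_BASE_ADDR_RE = re.compile(r"0x(?P<base_addr>[0-9a-fA-F]{8,16})$")


def _apiscout_config(path, apiscout_dir):
    """Build the SmdaConfig whose ApiScout DB matches the dump's Windows flavour.

    The Windows version is inferred from the file name only: ``_dump_`` marks
    a Win XP dump, ``_dump7_`` a Win7 dump. Anything else is treated as a
    plain (non-dump) file and analysed against the Win7 API collection.

    Args:
        path: file name/path that is inspected for the Malpedia markers.
        apiscout_dir: directory containing the ``apiscout/`` JSON files.

    Returns:
        ``(config, is_malpedia_file)``.
    """
    import os
    from smda.SmdaConfig import SmdaConfig

    # Keeping the buffer lets SMDA hand the raw bytes on to capa later.
    config = SmdaConfig()
    config.STORE_BUFFER = True

    winxp_db = os.path.join(apiscout_dir, "apiscout/apiscout_winxp_prof_sp3.json")
    win7_db = os.path.join(apiscout_dir, "apiscout/apiscout_win7_prof-n_sp1.json")

    if "_dump_" in path:
        logger.info("Malpedia File detected, XP dump! %s", path)
        config.API_COLLECTION_FILES = {"win_xp": winxp_db}
        return config, True
    if "_dump7_" in path:
        logger.info("Malpedia File detected, Win7 dump! %s", path)
        config.API_COLLECTION_FILES = {"win_7": win7_db}
        return config, True

    logger.warning("File %s is not a dump!", path)
    logger.warning("Adding win7 as apiscout reference!")
    config.API_COLLECTION_FILES = {"win_7": win7_db}
    return config, False


def _parse_dump_base_address(path):
    """Extract the load address encoded at the end of a Malpedia dump name.

    Args:
        path: file name/path ending in ``0x<hex>``.

    Returns:
        ``(base_addr, bitness)`` with ``bitness`` 32 for an 8-digit suffix and
        64 otherwise, or ``None`` when the name carries no such suffix.
    """
    match = _DUMP_BASE_ADDR_RE.search(path)
    if match is None:
        return None
    digits = match.group("base_addr")
    bitness = 32 if len(digits) == 8 else 64
    return int(digits, 16), bitness


def get_extractor_py3(path, format, disable_progress=False, apiscout_dir=None):
    """Disassemble *path* with SMDA and wrap the report in capa's feature extractor.

    Malpedia dumps (``_dump_`` / ``_dump7_`` in the name) are disassembled
    from the raw file buffer at the base address encoded in the file name;
    everything else — including a dump whose name lacks a base address —
    goes through ``Disassembler.disassembleFile``.

    Args:
        path: file to analyse; the name alone decides the ApiScout DB and
            the load address, nothing in the file content is checked here.
        format: accepted for signature compatibility with capa; unused here.
        disable_progress: suppress the spinner written to stderr.
        apiscout_dir: directory holding the ``apiscout/`` collection files;
            defaults to ``_DEFAULT_APISCOUT_DIR``.

    Returns:
        A ``capa.features.extractors.smda.SmdaFeatureExtractor`` over the
        SMDA report.
    """
    from smda.Disassembler import Disassembler
    import capa.features.extractors.smda

    if apiscout_dir is None:
        apiscout_dir = _DEFAULT_APISCOUT_DIR

    with halo.Halo(text="analyzing program", spinner="simpleDots", stream=sys.stderr, enabled=not disable_progress):
        config, is_malpedia_file = _apiscout_config(path, apiscout_dir)
        smda_disasm = Disassembler(config)

        parsed = _parse_dump_base_address(path) if is_malpedia_file else None
        if parsed is not None:
            base_addr, bitness = parsed
            # The original logged an undefined ``parsed_base_addr`` here and
            # raised NameError on every Malpedia dump.
            logger.info("Parsed base address from file name: 0x%08x, bitness %d", base_addr, bitness)
            # A dump is fed to SMDA as a plain buffer at its recorded base;
            # presumably it has no usable headers for disassembleFile — confirm.
            with open(path, "rb") as filereader:
                file_content = filereader.read()
            smda_report = smda_disasm.disassembleBuffer(file_content, base_addr, bitness)
        else:
            smda_report = smda_disasm.disassembleFile(path)

    return capa.features.extractors.smda.SmdaFeatureExtractor(smda_report, path)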