1 parent
0499f9e
commit b35b345
Showing
8 changed files
with
137 additions
and
109 deletions.
@@ -1,59 +1,61 @@ | ||
from __future__ import annotations | ||
|
||
from typing import TYPE_CHECKING | ||
from typing import TYPE_CHECKING, Any, List, Tuple | ||
|
||
if TYPE_CHECKING: | ||
from dnfile import dnPE | ||
from capa.features.common import Feature | ||
|
||
import dncil | ||
import dnfile | ||
|
||
import capa.features.extractors | ||
import capa.features.extractors.dotnet.file | ||
import capa.features.extractors.dotnet.insn | ||
import capa.features.extractors.dotnet.function | ||
|
||
from capa.features.extractors.dotnet import get_dotnet_methods | ||
from capa.features.extractors.base_extractor import FeatureExtractor | ||
from capa.features.extractors.dotnet.helpers import get_dotnet_methods | ||
|
||
|
||
class DnfileFeatureExtractor(FeatureExtractor): | ||
def __init__(self, path: str): | ||
super(DnfileFeatureExtractor, self).__init__() | ||
self.global_features = [] | ||
self.pe: dnfile.dnPE = dnfile.dnPE(path) | ||
|
||
self.pe: dnPE = dnfile.dnPE(path) | ||
# pre-compute these because we'll yield them at *every* scope. | ||
self.global_features: List[Tuple[Feature, int]] = [] | ||
self.global_features.extend(capa.features.extractors.dnfile_.extract_file_os(pe=self.pe)) | ||
self.global_features.extend(capa.features.extractors.dnfile_.extract_file_arch(pe=self.pe)) | ||
|
||
def get_base_address(self): | ||
raise NotImplementedError() | ||
return 0x0 | ||
|
||
def extract_global_features(self): | ||
yield from self.global_features | ||
|
||
def extract_file_features(self): | ||
raise NotImplementedError() | ||
yield from capa.features.extractors.dotnet.file.extract_features(self.pe) | ||
|
||
def get_functions(self): | ||
ctx = {} | ||
ctx["pe"] = self.pe | ||
|
||
for method in get_dotnet_methods(self.pe): | ||
setattr(method, "ctx", ctx) | ||
yield method | ||
for f in get_dotnet_methods(self.pe): | ||
setattr(f, "ctx", ctx) | ||
yield f | ||
|
||
def extract_function_features(self, f): | ||
raise NotImplementedError() | ||
# TODO | ||
yield from [] | ||
|
||
def get_basic_blocks(self, f): | ||
# we don't support basic blocks for dotnet and treat each method as one large basic block | ||
return f | ||
# each dotnet method is considered 1 basic block | ||
yield f | ||
|
||
def extract_basic_block_features(self, f, bb): | ||
# we don't support basic block features for dotnet | ||
return | ||
# we don't support basic block features | ||
yield from [] | ||
|
||
def get_instructions(self, f, bb): | ||
# we don't support basic blocks for dotnet and treat each method as one large basic block | ||
# each dotnet method is considered 1 basic block | ||
yield from f.instructions | ||
|
||
def extract_insn_features(self, f, bb, insn): | ||
yield from capa.features.extractors.dotnet.insn.extract_features(f, bb, insn) | ||
yield from capa.features.extractors.dotnet.insn.extract_features(f, bb, insn) |
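Review bot: `Any` is imported on the new `from typing import TYPE_CHECKING, Any, List, Tuple` line but is never used anywhere in the rewritten file; `from typing import TYPE_CHECKING, List, Tuple` is sufficient, and the same check is worth applying to `import dncil`, which no line in this hunk references (I cannot tell from the rendering whether that import is new or pre-existing). `extract_function_features` still yields nothing under `# TODO`, so function-scope features are silently absent for .NET samples; a docstring such as `"""Function-scope features are not yet extracted for .NET; see TODO."""` would make that gap visible to rule authors instead of looking like an empty-but-complete implementation. `get_base_address` now returns `0x0` where it used to raise; a one-line comment stating why that value is correct for this extractor (the sibling file keys features by metadata `token` rather than a virtual address, so presumably there is no meaningful image base to report) would keep the next reader from "fixing" it. `get_instructions` yields `f.instructions` for every method from `get_dotnet_methods`; if that helper can return methods without an IL body, the attribute access should be guarded or the helper's contract documented here.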
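--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,43 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, List, Tuple, Iterator
+
+if TYPE_CHECKING:
+    import dnfile
+    from capa.features.common import Feature
+
+import capa.features.extractors.helpers
+from capa.features.file import Import
+from capa.features.common import FORMAT_DOTNET, Format
+from capa.features.extractors.dotnet.helpers import get_dotnet_imports
+
+
+def extract_file_import_names(pe: dnfile.dnPE) -> Iterator[Tuple[Import, int]]:
+    """extract file imports"""
+    for (token, imp) in get_dotnet_imports(pe).items():
+        if "::" in imp:
+            # like System.IO.File::OpenRead
+            yield Import(imp), token
+        else:
+            # like kernel32.CreateFileA
+            dll, _, symbol = imp.rpartition(".")
+            for symbol_variant in capa.features.extractors.helpers.generate_symbols(dll, symbol):
+                yield Import(symbol_variant), token
+
+
+def extract_file_format(pe: dnfile.dnPE) -> Iterator[Tuple[Format, int]]:
+    yield Format(FORMAT_DOTNET), 0x0
+
+
+def extract_features(pe: dnfile.dnPE) -> Iterator[Tuple[Feature, int]]:
+    for file_handler in FILE_HANDLERS:
+        for (feature, token) in file_handler(pe):
+            yield feature, token
+
+
+FILE_HANDLERS = (
+    extract_file_import_names,
+    # TODO extract_file_strings,
+    # TODO extract_file_function_names,
+    extract_file_format,
+)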
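Review bot: In `extract_file_import_names` the `else` branch assumes every non-`::` import name contains a `.`; for a bare name `imp.rpartition(".")` returns `("", "", imp)`, so `dll` is the empty string and is passed straight into `generate_symbols`, which either needs a guard (e.g. `if not dll: yield Import(imp), token; continue`) or a comment stating that `get_dotnet_imports` guarantees the `dll.symbol` form, whichever is true of the helper. `extract_file_format` and `extract_features` have no docstring; for the latter I would add `"""Extract file-scope features from a dnPE by running every FILE_HANDLERS entry; yields (feature, token) pairs."""`, and `extract_file_format` should note that its `0x0` is a placeholder address for a feature that has no location. `FILE_HANDLERS` is defined after `extract_features` references it, which only works because the name is resolved at call time; a short comment above the tuple, `# defined after the handlers it references; read at call time, not import time`, would prevent a well-meaning reorder from breaking the module. Since `extract_file_strings` and `extract_file_function_names` are still TODO, rules depending on string or function-name features will not match .NET samples yet, which is worth stating in the module docstring so detection gaps are not mistaken for clean samples. This file's path is not shown on the rendered page; from the first file's `capa.features.extractors.dotnet.file.extract_features(self.pe)` call it is presumably that module.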