Render mode showing capas per function

[mr-tz]

Motivation

This can help to better understand what happens in individual functions. Do this for all capas and/or for "complex" functions with various hits. Example output:

<function va 1>
  - <capa 1>
  - <capa 2>
<function va 2>, <function va 3>, ...
  - <capa 3>
...

Example for PMA Lab 4:

$ capa Practical\ Malware\ Analysis\ Lab\ 01-04.exe_ -vf
0x4011FC
 create process
 extract resource via kernel32 functions
 get common file path
 write file

0x401350
 get common file path
 link function at runtime
 move file

0x401174
 acquire debug privileges
 bypass Windows File Protection
 link function at runtime

0x4010FC
 modify access privileges

For extra bonus could also display referenced strings in these functions.

[mr-tz]

See https://github.com/fireeye/capa/blob/master/scripts/show-capabilities-by-function.py

function at 0x4010FC with 38 features:
  - modify access privileges
function at 0x401174 with 40 features:
  - link function at runtime
  - bypass Windows File Protection
  - acquire debug privileges
function at 0x4011FC with 65 features:
  - get common file path
  - extract resource via kernel32 functions
  - write file
  - create process
function at 0x401350 with 76 features:
  - get common file path
  - move file
  - link function at runtime

Is it worth rolling this into main so it's available from the standalone version?

[williballenthin]

my only concern is the potential explosion of cli arguments (that few people will ever study) for all the possible ways of rendering data. by keeping the script separate, we can encourage people to build their own integrations and views into capa data.

[mr-tz]

Right, this may be better suited for capa explorer and other interactive JSON display modes.

[williballenthin]

the explorer has this rendering mode and it is helpful.

[mr-tz]

closing since we favor #2162