Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dotnet: support file/function scope class and namespace features #1030

Merged
merged 15 commits into from
May 26, 2022
Merged

dotnet: support file/function scope class and namespace features #1030

merged 15 commits into from
May 26, 2022

Conversation

mike-hunhoff
Copy link
Collaborator

@mike-hunhoff mike-hunhoff commented May 19, 2022
edited
Loading

see #1013 for additional context.

we emit both imported and user-defined class/namespace features allowing rules like:

rule:
  meta:
    name: manipulate files using dotnet
    namespace: host-interaction
    author: [email protected]
    scope: file
  features:
    - or:
      - class: System.IO.File

we emit user-defined class/namespace features as this may be useful for writing rules that detect dotnet malware families.

github-actions[bot]
github-actions bot previously requested changes May 19, 2022
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add bug fixes, new features, breaking changes and anything else you think is worthwhile mentioning to the master (unreleased) section of CHANGELOG.md. If no CHANGELOG update is needed add the following to the PR description: [x] No CHANGELOG update needed

@github-actions github-actions bot dismissed their stale review May 19, 2022 19:28

CHANGELOG updated or no update needed, thanks! 😄

@mike-hunhoff
Copy link
Collaborator Author

note: if merged we will emit for, e.g. System.IO.File::Exists, the following features:

- namespace: System.IO
- class: System.IO.File
- api: System.IO.File::Exists

@williballenthin
Copy link
Collaborator

williballenthin commented May 20, 2022 via email

mr-tz
mr-tz reviewed May 20, 2022
View reviewed changes
Copy link
Collaborator

@mr-tz mr-tz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

very cool, I have one suggestion around abstracting namespace, class, method into a class

capa/features/extractors/dnfile/helpers.py Outdated Show resolved Hide resolved
capa/features/extractors/dnfile/helpers.py Outdated Show resolved Hide resolved
capa/features/extractors/dnfile/insn.py Outdated Show resolved Hide resolved
@mike-hunhoff mike-hunhoff requested a review from mr-tz May 20, 2022 22:55
mr-tz
mr-tz approved these changes May 23, 2022
View reviewed changes
Copy link
Collaborator

@mr-tz mr-tz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

very cool, thanks for the cleanup!

capa/features/extractors/dnfile/insn.py Show resolved Hide resolved
williballenthin
williballenthin approved these changes May 23, 2022
View reviewed changes
Copy link
Collaborator

@williballenthin williballenthin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is awesome, thank you!

@williballenthin
Copy link
Collaborator

shall we merge @mike-hunhoff
(i'd like to sync my branch with latest changes :-) )

@mike-hunhoff
Copy link
Collaborator Author

@williballenthin yes let's merge!

@mike-hunhoff mike-hunhoff merged commit 3514d5c into master May 26, 2022
@mike-hunhoff mike-hunhoff deleted the fix/1013 branch May 26, 2022 17:19
@williballenthin williballenthin mentioned this pull request Jun 28, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mr-tz mr-tz mr-tz approved these changes

@williballenthin williballenthin williballenthin approved these changes

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mike-hunhoff @williballenthin @mr-tz