diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c82e2507..1703ae491 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -45,6 +45,7 @@
 - cape: make Process model flexible and procmemory optional to load newest reports #2466 @mr-tz
 - binja: fix unit test failure by fixing up the analysis for file al-khaser_x64.exe_ #2507 @xusheng6
 - binja: move the stack string detection to function level #2516 @xusheng6
+- BinExport2: fix handling of incorrect thunk functions #2524 @williballenthin
 
 ### capa Explorer Web
 
diff --git a/capa/features/extractors/binexport2/__init__.py b/capa/features/extractors/binexport2/__init__.py
index 8032b2fca..b5897ef75 100644
--- a/capa/features/extractors/binexport2/__init__.py
+++ b/capa/features/extractors/binexport2/__init__.py
@@ -280,11 +280,13 @@ def _compute_thunks(self):
             curr_idx: int = idx
             for _ in range(capa.features.common.THUNK_CHAIN_DEPTH_DELTA):
                 thunk_callees: list[int] = self.idx.callees_by_vertex_index[curr_idx]
-                # if this doesn't hold, then it doesn't seem like this is a thunk,
+                # If this doesn't hold, then it doesn't seem like this is a thunk,
                 # because either, len is:
-                # 0 and the thunk doesn't point to anything, or
+                # 0 and the thunk doesn't point to anything or is indirect, like `call eax`, or
                 # >1 and the thunk may end up at many functions.
-                assert len(thunk_callees) == 1, f"thunk @ {hex(addr)} failed"
+                # In any case, this doesn't appear to be the sort of thunk we're looking for.
+                if len(thunk_callees) != 1:
+                    break
                 thunked_idx: int = thunk_callees[0]
                 thunked_vertex: BinExport2.CallGraph.Vertex = self.be2.call_graph.vertex[thunked_idx]
 
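Review bot: The new `break` leaves the chain-walk without recording why it was abandoned, and what the code after the loop does with `curr_idx` is outside this hunk — if it treats the last index walked as the resolved thunk target, a function with zero or several callees would now be recorded as thunking to itself or its last hop instead of being skipped, so that post-loop path is worth confirming. Replacing the `assert` with a guard is the right shape for analyst-supplied BinExport2 input: the assertion was also stripped under `python -O`, which left `thunk_callees[0]` to raise `IndexError` on an empty callee list. Now that the assertion message carrying `addr` is gone, consider a debug log before the `break`, e.g. `logger.debug("thunk @ %s: %d callees, not a simple thunk", hex(addr), len(thunk_callees))`, if the module already has a `logger`, so skipped thunks stay diagnosable. `_compute_thunks` starts and ends outside the hunk.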