binja: fix up the analysis for the al-khaser_x64.exe_ file. Fix mandi…

…ant#2507

CHANGELOG.md

@@ -43,6 +43,7 @@
 - binja: fix crash when the IL of certain functions are not available. #2249 @xusheng6
 - binja: major performance improvement on the binja extractor. #1414 @xusheng6
 - cape: make Process model flexible and procmemory optional to load newest reports #2466 @mr-tz
+- binja: fix unit test failure by fixing up the analysis for file al-khaser_x64.exe_ #2507 @xusheng6
 
 ### capa Explorer Web
 

capa/features/extractors/binja/insn.py

@@ -45,14 +45,15 @@ def is_stub_function(bv: BinaryView, addr: int) -> Optional[int]:
     ]:
         return None
 
-    if llil.dest.value.type not in [
-        RegisterValueType.ImportedAddressValue,
-        RegisterValueType.ConstantValue,
-        RegisterValueType.ConstantPointerValue,
+    # The LLIL instruction retrieved by `get_llil_instr_at_addr` did not go through a full analysis, so we cannot check
+    # `llil.dest.value.type` here
+    if llil.dest.operation not in [
+        LowLevelILOperation.LLIL_CONST,
+        LowLevelILOperation.LLIL_CONST_PTR,
     ]:
         return None
 
-    return llil.dest.value.value
+    return llil.dest.constant
 
 
 def extract_insn_api_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle) -> Iterator[tuple[Feature, Address]]:

tests/fixtures.py

@@ -180,6 +180,12 @@ def get_binja_extractor(path: Path):
     if path.name.endswith("kernel32-64.dll_"):
         settings.set_bool("pdb.loadGlobalSymbols", old_pdb)
 
+    # TODO(xusheng6): Temporary fix for https://github.com/mandiant/capa/issues/2507. Remove this once it is fixed in
+    # binja
+    if "al-khaser_x64.exe_" in path.name:
+        bv.create_user_function(0x14004B4F0)
+        bv.update_analysis_and_wait()
+
     extractor = capa.features.extractors.binja.extractor.BinjaFeatureExtractor(bv)
 
     # overload the extractor so that the fixture exposes `extractor.path`