From dedd538576fb433962a6ee3fe0ab3de8f918c2f6 Mon Sep 17 00:00:00 2001
From: Xusheng
Date: Wed, 4 Dec 2024 14:57:13 +0800
Subject: [PATCH] binja: fix up the analysis for the al-khaser_x64.exe_ file.

Fix https://github.com/mandiant/capa/issues/2507
---
 CHANGELOG.md                           | 1 +
 capa/features/extractors/binja/insn.py | 11 ++++++-----
 tests/fixtures.py                      | 6 ++++++
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5df9d3b7f..ce457bf30 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -43,6 +43,7 @@
 - binja: fix crash when the IL of certain functions are not available. #2249 @xusheng6
 - binja: major performance improvement on the binja extractor. #1414 @xusheng6
 - cape: make Process model flexible and procmemory optional to load newest reports #2466 @mr-tz
+- binja: fix unit test failure by fixing up the analysis for file al-khaser_x64.exe_ #2507 @xusheng6
 
 ### capa Explorer Web
 
diff --git a/capa/features/extractors/binja/insn.py b/capa/features/extractors/binja/insn.py
index 618ee7a13..7ebbb6d7f 100644
--- a/capa/features/extractors/binja/insn.py
+++ b/capa/features/extractors/binja/insn.py
@@ -45,14 +45,15 @@ def is_stub_function(bv: BinaryView, addr: int) -> Optional[int]:
     ]:
         return None
 
-    if llil.dest.value.type not in [
-        RegisterValueType.ImportedAddressValue,
-        RegisterValueType.ConstantValue,
-        RegisterValueType.ConstantPointerValue,
+    # The LLIL instruction retrieved by `get_llil_instr_at_addr` did not go through a full analysis, so we cannot check
+    # `llil.dest.value.type` here
+    if llil.dest.operation not in [
+        LowLevelILOperation.LLIL_CONST,
+        LowLevelILOperation.LLIL_CONST_PTR,
     ]:
         return None
 
-    return llil.dest.value.value
+    return llil.dest.constant
 
 
 def extract_insn_api_features(fh: FunctionHandle, bbh: BBHandle, ih: InsnHandle) -> Iterator[tuple[Feature, Address]]:
diff --git a/tests/fixtures.py b/tests/fixtures.py
index 110b7228e..ad70a1663 100644
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
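Review bot: The operation-based guard in is_stub_function no longer covers the `RegisterValueType.ImportedAddressValue` case that the removed lines accepted, so a stub whose jump destination is a memory load (an `LLIL_LOAD` operand rather than a bare constant) now falls through to `return None` instead of resolving. If import thunks of that form still need to resolve, unwrap the load before the check — `dest = llil.dest`, `if dest.operation == LowLevelILOperation.LLIL_LOAD: dest = dest.src`, then test `dest.operation` and `return dest.constant` — and verify the returned address against an import-thunk sample, since it would then be the slot address rather than the previously analyzed value. The new comment could also state that `.constant` is only meaningful for the two listed operations, which is why the guard must stay ahead of the return. is_stub_function's signature and the start of its body lie outside the hunk.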
@@ -180,6 +180,12 @@ def get_binja_extractor(path: Path):
     if path.name.endswith("kernel32-64.dll_"):
         settings.set_bool("pdb.loadGlobalSymbols", old_pdb)
 
+    # TODO(xusheng6): Temporary fix for https://github.com/mandiant/capa/issues/2507. Remove this once it is fixed in
+    # binja
+    if "al-khaser_x64.exe_" in path.name:
+        bv.create_user_function(0x14004B4F0)
+        bv.update_analysis_and_wait()
+
     extractor = capa.features.extractors.binja.extractor.BinjaFeatureExtractor(bv)
 
     # overload the extractor so that the fixture exposes `extractor.path`
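Review bot: The bare constant `0x14004B4F0` passed to `bv.create_user_function` carries no explanation of what lives at that address or why the auto-analysis misses it, so nobody can later verify that an upstream fix makes this block removable; extend the TODO comment to name the function at that address and the symptom (which test fails without it). The match `"al-khaser_x64.exe_" in path.name` is a substring test, whereas the `kernel32-64.dll_` case a few lines above uses `path.name.endswith(...)`; writing `if path.name.endswith("al-khaser_x64.exe_"):` keeps the two consistent and avoids matching any other fixture whose name merely contains that string. get_binja_extractor's header and the settings setup this hunk restores are outside the hunk.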