Release v4.0.0 (#1105)

* release: v4 prep * add SMDA deprecation warning * doc: update v4 changes * Update CHANGELOG.md * Update CHANGELOG.md Co-authored-by: Willi Ballenthin <[email protected]> * doc: add DeprecationWarning * fix: add __index__ method * ci: test build run on more OSs * explorer: update supported versions to include IDA 8.0 Co-authored-by: Mike Hunhoff <[email protected]> Co-authored-by: Willi Ballenthin <[email protected]>
mandiant · Aug 10, 2022 · 81cb4b3 · 81cb4b3
1 parent e564466
commit 81cb4b3
Show file tree

Hide file tree

Showing 6 changed files with 58 additions and 9 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -56,8 +56,6 @@ jobs:
  path: dist/${{ matrix.artifact_name }}
 
  test_run:
- # test that binaries run on push to master
- if: github.event_name == 'push'
  name: Test run on ${{ matrix.os }}
  runs-on: ${{ matrix.os }}
  needs: [build]

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,37 @@
 
 ## master (unreleased)
 
+### New Features
+
+### Breaking Changes
+
+### New Rules (0)
+
+- 
+
+### Bug Fixes
+
+### capa explorer IDA Pro plugin
+
+### Development
+
+### Raw diffs
+- [capa v4.0.0...master](https://github.com/mandiant/capa/compare/v4.0.0...master)
+- [capa-rules v4.0.0...master](https://github.com/mandiant/capa-rules/compare/v4.0.0...master)
+
+## v4.0.0 (2022-07-XX)
+Version 4 adds support for analyzing .NET executables. capa will autodetect .NET modules, or you can explicitly invoke the new feature extractor via `--format dotnet`. We've also extended the rule syntax for .NET features including `namespace` and `class`.
+
+Additionally, new `instruction` scope and `operand` features enable users to create more explicit rules. These features are not backwards compatible. We removed the previously used `/x32` and `/x64` flavors of number and operand features.
+
+We updated 49 existing rules and added 22 new rules leveraging these new features and characteristics to detect capabilities seen in .NET malware.
+
+More breaking changes include updates to the JSON results document, freeze file format schema (now format version v2), and the internal handling of addresses.
+
+Thanks for all the support, especially to @htnhan, @jtothej, @sara-rn, @anushkavirgaonkar, and @_re_fox!
+
+*Deprecation warning: v4.0 will be the last capa version to support the SMDA backend.*
+
 ### New Features
 
  - add new scope "instruction" for matching mnemonics and operands #767 @williballenthin
@@ -37,7 +68,7 @@ Deprecation notice: as described in [#937](https://github.com/mandiant/capa/issu
 - anti-analysis/packer/huan/packed-with-huan [email protected]
 - internal/limitation/file/internal-dotnet-file-limitation [email protected]
 - nursery/get-os-information-via-kuser_shared_data @mr-tz
-- load-code/pe/resolve-function-by-parsing-PE-exports sara-rn
+- load-code/pe/resolve-function-by-parsing-PE-exports @sara-rn
 - anti-analysis/packer/huan/packed-with-huan [email protected]
 - nursery/execute-dotnet-assembly [email protected]
 - nursery/invoke-dotnet-assembly-method [email protected]
@@ -60,7 +91,6 @@ Deprecation notice: as described in [#937](https://github.com/mandiant/capa/issu
 - nursery/hash-data-using-rshash @_re_fox
 - persistence/authentication-process/act-as-credential-manager-dll [email protected]
 - persistence/authentication-process/act-as-password-filter-dll [email protected]
--
 
 ### Bug Fixes
 - improve handling _ prefix compile/link artifact #924 @mike-hunhoff
@@ -75,8 +105,19 @@ Deprecation notice: as described in [#937](https://github.com/mandiant/capa/issu
 ### Development
 
 ### Raw diffs
-- [capa v3.2.0...master](https://github.com/mandiant/capa/compare/v3.2.0...master)
-- [capa-rules v3.2.0...master](https://github.com/mandiant/capa-rules/compare/v3.2.0...master)
+- [capa v3.2.0...v4.0.0](https://github.com/mandiant/capa/compare/v3.2.0...master)
+- [capa-rules v3.2.0...v4.0.0](https://github.com/mandiant/capa-rules/compare/v3.2.0...master)
+
+## v3.2.1 (2022-06-06)
+This out-of-band release bumps the SMDA dependency version to enable installation on Python 3.10.
+
+### Bug Fixes
+
+- update SMDA dependency @mike-hunhoff #922
+
+### Raw diffs
+- [capa v3.2.0...v3.2.1](https://github.com/mandiant/capa/compare/v3.2.0...v3.2.1)
+- [capa-rules v3.2.0...v3.2.1](https://github.com/mandiant/capa-rules/compare/v3.2.0...v3.2.1)
 
 ## v3.2.0 (2022-03-03)
 This release adds a new characteristic `characteristic: call $+5` enabling users to create more explicit rules. The linter now also validates ATT&CK and MBC categories. Additionally, many dependencies, including the vivisect backend, have been updated.

diff --git a/capa/features/address.py b/capa/features/address.py
@@ -71,6 +71,10 @@ def __hash__(self):
  def __repr__(self):
  return f"token(0x{self.token.value:x})"
 
+ def __index__(self):
+ # returns the object converted to an integer
+ return self.token.value
+
 
 class DNTokenOffsetAddress(Address):
  """an offset into an object specified by a .NET token"""
@@ -92,6 +96,9 @@ def __hash__(self):
  def __repr__(self):
  return f"token(0x{self.token.value:x})+(0x{self.offset:x})"
 
+ def __index__(self):
+ return self.token.value + self.offset
+
 
 class _NoAddress(Address):
  def __eq__(self, other):

diff --git a/capa/ida/helpers.py b/capa/ida/helpers.py
@@ -40,10 +40,10 @@ def inform_user_ida_ui(message):
 
 def is_supported_ida_version():
  version = float(idaapi.get_kernel_version())
- if version < 7.4 or version >= 8:
+ if version < 7.4 or version >= 9:
  warning_msg = "This plugin does not support your IDA Pro version"
  logger.warning(warning_msg)
- logger.warning("Your IDA Pro version is: %s. Supported versions are: IDA >= 7.4 and IDA < 8.0." % version)
+ logger.warning("Your IDA Pro version is: %s. Supported versions are: IDA >= 7.4 and IDA < 9.0." % version)
  return False
  return True
 

diff --git a/capa/main.py b/capa/main.py
@@ -17,6 +17,7 @@
 import argparse
 import datetime
 import textwrap
+import warnings
 import itertools
 import contextlib
 import collections
@@ -518,6 +519,8 @@ def get_extractor(
 
  import capa.features.extractors.smda.extractor
 
+ logger.warning("Deprecation warning: v4.0 will be the last capa version to support the SMDA backend.")
+ warnings.warn("v4.0 will be the last capa version to support the SMDA backend.", DeprecationWarning)
  smda_report = None
  with halo.Halo(text="analyzing program", spinner="simpleDots", stream=sys.stderr, enabled=not disable_progress):
  config = SmdaConfig()

diff --git a/capa/version.py b/capa/version.py
@@ -1,4 +1,4 @@
-__version__ = "3.2.0"
+__version__ = "4.0.0"
 
 
 def get_major_version():