
trying to fix the lint issue
Atlas-64 committed Mar 14, 2024
1 parent 94c9ada commit e57ad9b
Showing 1 changed file with 61 additions and 16 deletions.
77 changes: 61 additions & 16 deletions capa/ghidra/capa_explorer.py
Expand Up @@ -48,7 +48,10 @@ def create_label(ghidra_addr, name, capa_namespace):
# prevent duplicate labels under the same capa-generated namespace
symbol_table = currentProgram().getSymbolTable() # type: ignore [name-defined] # noqa: F821
for sym in symbol_table.getSymbols(ghidra_addr):
if sym.getName(True) == capa_namespace.getName(True) + Namespace.DELIMITER + name:
if (
sym.getName(True)
== capa_namespace.getName(True) + Namespace.DELIMITER + name
):
return

# create SymbolType.LABEL at addr
Expand Down Expand Up @@ -98,7 +101,9 @@ def bookmark_functions(self):
for part in item.get("parts", {}):
attack_txt = attack_txt + part + Namespace.DELIMITER
attack_txt = attack_txt + item.get("id", {})
add_bookmark(func_addr, attack_txt, "CapaExplorer::MITRE ATT&CK")
add_bookmark(
func_addr, attack_txt, "CapaExplorer::MITRE ATT&CK"
)

if self.mbc != []:
for item in self.mbc:
Expand Down Expand Up @@ -127,11 +132,28 @@ def set_pre_comment(self, ghidra_addr, sub_type, description):
"""set pre comments at subscoped matches of main rules"""
comment = getPreComment(ghidra_addr) # type: ignore [name-defined] # noqa: F821
if comment is None:
comment = "capa: " + sub_type + "(" + description + ")" + ' matched in "' + self.capability + '"\n'
comment = (
"capa: "
+ sub_type
+ "("
+ description
+ ")"
+ ' matched in "'
+ self.capability
+ '"\n'
)
setPreComment(ghidra_addr, comment) # type: ignore [name-defined] # noqa: F821
elif self.capability not in comment:
comment = (
comment + "capa: " + sub_type + "(" + description + ")" + ' matched in "' + self.capability + '"\n'
comment
+ "capa: "
+ sub_type
+ "("
+ description
+ ")"
+ ' matched in "'
+ self.capability
+ '"\n'
)
setPreComment(ghidra_addr, comment) # type: ignore [name-defined] # noqa: F821
else:
Expand Down Expand Up @@ -167,7 +189,9 @@ def label_matches(self):
# precomment subscope matches under the function
if node != {}:
for sub_type, description in parse_node(node):
self.set_pre_comment(sub_ghidra_addr, sub_type, description)
self.set_pre_comment(
sub_ghidra_addr, sub_type, description
)
else:
# resolve the encompassing function for the capa namespace
# of non-function scoped main matches
Expand All @@ -191,7 +215,9 @@ def label_matches(self):
if func is not None:
# basic block/ insn scope under resolved function
for sub_type, description in parse_node(node):
self.set_pre_comment(sub_ghidra_addr, sub_type, description)
self.set_pre_comment(
sub_ghidra_addr, sub_type, description
)
else:
# this would be a global/file scoped main match
# try to resolve the encompassing function via the subscope match, instead
Expand All @@ -200,21 +226,31 @@ def label_matches(self):
if sub_func is not None:
sub_func_addr = sub_func.getEntryPoint()
# place function in capa namespace & create the subscope match label in Ghidra's global namespace
create_label(sub_func_addr, sub_func.getName(), capa_namespace)
create_label(
sub_func_addr,
sub_func.getName(),
capa_namespace,
)
self.set_plate_comment(sub_func_addr)
for sub_type, description in parse_node(node):
self.set_pre_comment(sub_ghidra_addr, sub_type, description)
self.set_pre_comment(
sub_ghidra_addr, sub_type, description
)
else:
# addr is in some other file section like .data
# represent this location with a label symbol under the capa namespace
# Ex. See "Reference Base64 String" rule
for sub_type, description in parse_node(node):
# in many cases, these will be ghidra-labeled data, so just add the existing
# label symbol to the capa namespace
for sym in symbol_table.getSymbols(sub_ghidra_addr):
for sym in symbol_table.getSymbols(
sub_ghidra_addr
):
if sym.getSymbolType() == SymbolType.LABEL:
sym.setNamespace(capa_namespace)
self.set_pre_comment(sub_ghidra_addr, sub_type, description)
self.set_pre_comment(
sub_ghidra_addr, sub_type, description
)


def get_capabilities():
Expand All @@ -238,9 +274,13 @@ def get_capabilities():
meta = capa.ghidra.helpers.collect_metadata([rules_path])
extractor = capa.features.extractors.ghidra.extractor.GhidraFeatureExtractor()

capabilities, counts = capa.capabilities.common.find_capabilities(rules, extractor, True)
capabilities, counts = capa.capabilities.common.find_capabilities(
rules, extractor, True
)

if capa.capabilities.common.has_file_limitation(rules, capabilities, is_standalone=False):
if capa.capabilities.common.has_file_limitation(
rules, capabilities, is_standalone=False
):
popup("capa explorer encountered warnings during analysis. Please check the console output for more information.") # type: ignore [name-defined] # noqa: F821
logger.info("capa encountered warnings during analysis")

Expand Down Expand Up @@ -360,9 +400,12 @@ def main():
return capa.main.E_EMPTY_REPORT

user_choice = askChoice( # type: ignore [name-defined] # noqa: F821
"Choose b/w bookmarks & comments", "preferred action:", ["bookmarks", "comments", "both", "none"], "both"
"Choose b/w bookmarks & comments",
"preferred action:",
["bookmarks", "comments", "both", "none"],
"both",
)

if user_choice == "bookmarks":
for item in parse_json(capa_data):
item.bookmark_functions()
Expand All @@ -375,7 +418,7 @@ def main():
item.label_matches()
else:
pass

logger.info("capa explorer analysis complete")
popup("capa explorer analysis complete.\nPlease see results in the Bookmarks Window and Namespaces section of the Symbol Tree Window.") # type: ignore [name-defined] # noqa: F821
return 0
Expand All @@ -385,7 +428,9 @@ def main():
if sys.version_info < (3, 8):
from capa.exceptions import UnsupportedRuntimeError

raise UnsupportedRuntimeError("This version of capa can only be used with Python 3.8+")
raise UnsupportedRuntimeError(
"This version of capa can only be used with Python 3.8+"
)
exit_code = main()
if exit_code != 0:
popup("capa explorer encountered errors during analysis. Please check the console output for more information.") # type: ignore [name-defined] # noqa: F821
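Review bot: The two parenthesized `+` chains that `set_pre_comment` now spans in the `@@ -127,11 +132,28 @@` hunk (the `if comment is None` branch and the `elif` branch) build the identical literal twice and read worse than the one-liners they replace; the lint fix should not come at the cost of duplicating the format. Since the file already requires Python 3.8+ (see the `sys.version_info < (3, 8)` check in the last hunk), build the entry once with `entry = f'capa: {sub_type}({description}) matched in "{self.capability}"\n'` and have the two branches call `setPreComment(ghidra_addr, entry)` and `setPreComment(ghidra_addr, comment + entry)` respectively, which also clears the line-length complaint without the wrapping. The retained `elif self.capability not in comment` guard is a plain substring test, so a capability whose name happens to appear inside another rule's name or description already present in the comment would, as far as I can tell, be skipped silently; testing for the quoted form `f'matched in "{self.capability}"'` would tighten it. The method's trailing `else` branch continues outside the hunk.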
