The FLARE team's open-source tool to identify capabilities in executable files.
This release adds a new characteristic, `call $+5`, enabling users to create rules that match this instruction, which is commonly seen in obfuscators. The linter now also validates ATT&CK and MBC categories. Additionally, many dependencies, including the vivisect backend, have been updated.
One rule has been added and many more have been improved.
Thanks for all the support, especially to @kn0wl3dge and first time contributor @uckelman-sf!
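As an added example (written for this page, not a rule from the capa-rules repository), a rule that uses the new `call $+5` characteristic. The rule name, namespace, author address and the pairing with a `pop` are illustrative assumptions; `scope:` is the v3-era single-scope rule syntax this release uses:

```yaml
# Example rule added for illustration; not part of capa-rules.
rule:
  meta:
    name: contain call $+5 get-pc idiom (example)   # hypothetical name
    namespace: anti-analysis/anti-disasm           # hypothetical namespace
    authors:
      - example@example.com                        # placeholder
    scope: function
  features:
    - and:
      # the new characteristic: a call whose target is the very next instruction
      - characteristic: call $+5
      # such a call is typically followed by a pop that reads the pushed return
      # address off the stack (the classic "get PC" trick used by obfuscators)
      - mnemonic: pop
```

Save it under your own rules directory and point capa at it with `capa -r path/to/rules sample.exe`. Since the `call $+5` characteristic is new in this release, older capa versions do not know it and will reject the rule.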
This release improves the performance of capa while also adding 23 new rules and many code quality enhancements. We profiled capa's CPU usage and optimized the way it matches rules, for example by short-circuiting evaluation when appropriate. According to our testing, the matching phase is approximately 66% faster than v3.0.3! We also added support for Python 3.10, aarch64 builds, and additional MAEC metadata in the rule headers.
This release adds 23 new rules, including nine by Jakub Jozwiak of Mandiant. @ryantxu1 and @dzbeck updated the ATT&CK and MBC mappings for many rules. Thank you!
And as always, welcome first time contributors!
This is primarily a rule maintenance release:
We've also tweaked the status codes returned by capa.exe to be more specific and added a bit more metadata to the JSON output format.
As always, welcome first time contributors!
This version updates the vivisect backend used by capa. Users should experience fewer bugs and see improved analysis results.
Thanks to the community for highlighting issues and analysis misses. Your feedback is crucial to further improve capa.
Here comes capa version 3.0! 🥳
capa 3.0:
A huge thanks to everyone who submitted issues, provided feedback, and contributed code and rules. Special acknowledgement to @Adir-Shemesh and @TcM1911 of Intezer for contributing the code to enable ELF support. Also, welcome first time contributors:
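Putting the new 3.0 rule features together, as an added example written for this page rather than a rule from the capa-rules project. The rule name, namespace, author address and the particular strings are assumptions; what it demonstrates is the `format`, `arch`, `os` and `substring` syntax introduced in this release, with `scope:` being the v3-era single-scope syntax:

```yaml
# Example rule added for illustration; not part of capa-rules.
rule:
  meta:
    name: check tracerpid in proc status on linux (example)   # hypothetical name
    namespace: anti-analysis/anti-debugging/debugger-detection # hypothetical namespace
    authors:
      - example@example.com                                    # placeholder
    scope: function
  features:
    - and:
      # global features new in 3.0: restrict the rule to x86-64 Linux ELF files
      - os: linux
      - format: elf
      - arch: amd64
      - or:
        # substring matches any string that contains this text, so it behaves
        # like a string with leading and trailing wildcards
        - substring: "TracerPid"
        - substring: "/proc/self/status"
```

Because `os`, `format`, `arch` and `substring` are new in 3.0, a rule like this cannot be loaded by earlier capa versions, as this release notes.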
New features:
- `format`: for file format, like `format: pe` #723 @williballenthin
- `arch`: for architecture, like `arch: amd64` #723 @williballenthin
- `os`: for operating system, like `os: windows` #723 @williballenthin
- `substring`: for verbatim strings with leading/trailing wildcards #737 @williballenthin
- `profile-memory.py`: for profiling memory usage #736 @williballenthin

Breaking changes:
- `format`, `arch`, `os`, or `substring` features cannot be used by capa versions prior to v3
- `arch` (i.e., "x32") is now called `bitness` @williballenthin

Bug fixes:
- `KeyError: 0` when reporting results @williballehtin #703

We are excited to announce version 2.0! :tada:
This release:
A huge thanks to everyone who submitted issues, provided feedback, and contributed code and rules. Many colleagues across dozens of organizations have volunteered their experience to improve this tool! :heart:
- (`function-name`) for recognized library functions #567 @williballenthin
- `or` with always true child statement, e.g. `optional`, colors #348 @mr-tz
- `library_functions` field, `feature_counts.functions` does not include library functions any more #562 @mr-tz
- `__init__.py` throughout #622 @williballenthin
- `New Rules` section in CHANGELOG automatically https://github.com/fireeye/capa-rules/pull/374 #549 #604 @Ana06

This release includes several bug fixes, such as a vivisect issue that prevented capa from working on Windows with Python 3. It also adds 17 new rules and a number of improvements to the rules and the IDA rule generator. We appreciate everyone who opened issues, provided feedback, and contributed code and rules.
This is the very last capa release that supports Python 2. The next release will be v2.0 and will have breaking changes, including the removal of Python 2 support.
- raise `IncompatibleVivVersion` instead of `UnicodeDecodeError` when using incompatible Python 2 .viv files with Python 3 #479 @Ana06