Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dynamic vverbose rendering should use process name #1816

Closed
mr-tz opened this issue Oct 18, 2023 · 6 comments
Closed

dynamic vverbose rendering should use process name #1816

mr-tz opened this issue Oct 18, 2023 · 6 comments
Assignees
@williballenthin
Labels
dynamic related to dynamic analysis flavor enhancement New feature or request

Comments

@mr-tz
Copy link
Collaborator

mr-tz commented Oct 18, 2023

this is much clearer than for example:

thread @ process ppid: 1264, process pid: 1312, thread id: 2544 in process process ppid: 1264, process pid: 1312
@mr-tz mr-tz added enhancement New feature or request dynamic related to dynamic analysis flavor labels Oct 18, 2023
@mr-tz mr-tz mentioned this issue Oct 18, 2023
Merged
18 tasks
@williballenthin
Copy link
Collaborator

today:

image

some things of note:

  • process ppid: 2456, process pid: 3052, thread id: 2792, call: 828 doesn't really have much meaning to a human. would be nicer to see:
    • process name instead of/with PID, and
    • rendered API call instead of/with call index
  • there are many call entries with the same thread, so most of the metadata is repeated multiple times. would be better to show pid, tid once and only the differing call data.

@williballenthin
Copy link
Collaborator

williballenthin commented Oct 20, 2023
edited
Loading

today:

write file on Windows
namespace  host-interaction/file-system/write
author     [email protected], [email protected]
scope      Scope.PROCESS
mbc        File System::Writes File [C0052]
Scope.PROCESS @ process ppid: 2456, process pid: 3052
  or:
    and:
      os: windows
      optional:
        or:
          thread:
            or:
              number: 0x2 = FILE_WRITE_DATA @ process ppid: 2456, process pid: 3052, thread id: 2792, call: 828, process ppid: 2456, process pid: 3052, thread id: 2792, call: 834, process ppid: 2456, process pid: 3052, thread id: 2792, call: 850, process ppid: 2456, process pid: 3052, thread id: 2792, call: 866

proposal 1:

write file on Windows
namespace  host-interaction/file-system/write
author     [email protected], [email protected]
scope      Scope.PROCESS
mbc        File System::Writes File [C0052]
Scope.PROCESS @ process ppid: 2456, process pid: 3052
  or:
    and:
      os: windows
      optional:
        or:
          thread:
            or:
              number: 0x2 = FILE_WRITE_DATA @ explorer.exe[3052:2792], WriteFile[828](2, bar), WriteFile[834](2, baz), WriteFile[850](2, woo), WriteFile[866](2, hoo)

proposal 2:

write file on Windows
namespace  host-interaction/file-system/write
author     [email protected], [email protected]
scope      Scope.PROCESS
mbc        File System::Writes File [C0052]
Scope.PROCESS @ process ppid: 2456, process pid: 3052
  or:
    and:
      os: windows
      optional:
        or:
          thread:
            or:
              number: 0x2 = FILE_WRITE_DATA @ explorer.exe[3052:2792]:
                @ WriteFile[828](2, bar), 
                @ WriteFile[834](2, baz), 
                @ WriteFile[850](2, woo), 
                @ WriteFile[866](2, hoo)

proposal 3:

write file on Windows
namespace  host-interaction/file-system/write
author     [email protected], [email protected]
scope      Scope.PROCESS
mbc        File System::Writes File [C0052]
Scope.PROCESS @ process ppid: 2456, process pid: 3052
  or:
    and:
      os: windows
      optional:
        or:
          thread:
            or:
              number: 0x2 = FILE_WRITE_DATA @ explorer.exe[3052:2792]: WriteFile[828](2, bar), and 3 more...

@williballenthin williballenthin self-assigned this Oct 20, 2023
@williballenthin williballenthin mentioned this issue Oct 20, 2023
Merged
3 tasks
@mr-tz
Copy link
Collaborator Author

mr-tz commented Oct 20, 2023

check https://github.com/mandiant/capa-testfiles/blob/dynamic-feature-extractor/dynamic/cape/v2.4/capesandbox_com/0a0882b8da225406cc838991b5f67d11.json.gz as a potential good test candidate (with many processes and repeated calls)

image

@mr-tz
Copy link
Collaborator Author

mr-tz commented Oct 20, 2023

On first glance I like proposal 2 the most.

@williballenthin
Copy link
Collaborator

work in progress:

Screenshot 2023-10-20 4 23 11 PM

@williballenthin
Copy link
Collaborator

closed in #1825

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@williballenthin williballenthin

Labels
dynamic related to dynamic analysis flavor enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@williballenthin @mr-tz