v8.0.0

capa version 8 adds support for IDA Pro 9.0 (and idalib). The release comes with various improvements and bug fixes for the Binary Ninja backend (including to load with database files) -- thanks to @xusheng6.

Additional bug fixes improve the dynamic and BinExport backends.

capa version 8 now requires Python 3.10 or newer.

Special thanks to @Tamir-K, @harshit-wadhwani, @jorik-utwente for their great contributions.

New Features

• allow call as valid subscope for call scoped rules @mr-tz
• support loading and analyzing a Binary Ninja database #2496 @xusheng6
• vmray: record process command line details @mr-tz

Breaking Changes

• remove support for Python 3.8 and use Python 3.10 as minimum now #1966 @mr-tz

New Rules (54)

• nursery/get-shadow-password-file-entry-on-linux [email protected]
• nursery/set-shadow-password-file-entry-on-linux [email protected]
• collection/browser/get-chrome-cookiemonster [email protected]
• collection/browser/get-elevation-service-for-chromium-based-browsers [email protected]
• collection/get-steam-token [email protected]
• nursery/persist-via-application-shimming [email protected]
• nursery/persist-via-bits-job [email protected]
• nursery/persist-via-print-processors-registry-key [email protected]
• linking/static/touchsocket/linked-against-touchsocket [email protected]
• runtime/dotnet/compiled-with-dotnet-aot [email protected]
• nursery/persist-via-errorhandler-script [email protected]
• nursery/persist-via-get-variable-hijack [email protected]
• nursery/persist-via-iphlpapi-dll-hijack [email protected]
• nursery/persist-via-lnk-shortcut [email protected]
• nursery/persist-via-powershell-profile [email protected]
• nursery/persist-via-windows-accessibility-tools [email protected]
• nursery/persist-via-windows-terminal-profile [email protected]
• nursery/write-to-browser-extension-directory [email protected]
• nursery/persist-via-aedebug-registry-key [email protected]
• nursery/persist-via-amsi-registry-key [email protected]
• nursery/persist-via-app-paths-registry-key [email protected]
• nursery/persist-via-appcertdlls-registry-key [email protected]
• nursery/persist-via-appx-registry-key [email protected]
• nursery/persist-via-autodialdll-registry-key [email protected]
• nursery/persist-via-autoplayhandlers-registry-key [email protected]
• nursery/persist-via-bootverificationprogram-registry-key [email protected]
• nursery/persist-via-code-signing-registry-key [email protected]
• nursery/persist-via-com-hijack [email protected]
• nursery/persist-via-command-processor-registry-key [email protected]
• nursery/persist-via-contextmenuhandlers-registry-key [email protected]
• nursery/persist-via-cor_profiler_path-registry-value [email protected]
• nursery/persist-via-default-file-association-registry-key [email protected]
• nursery/persist-via-disk-cleanup-handler-registry-key [email protected]
• nursery/persist-via-dotnet-dbgmanageddebugger-registry-key [email protected]
• nursery/persist-via-dotnet_startup_hooks-registry-key [email protected]
• nursery/persist-via-explorer-tools-registry-key [email protected]
• nursery/persist-via-filter-handlers-registry-key [email protected]
• nursery/persist-via-group-policy-registry-key [email protected]
• nursery/persist-via-hhctrl-com-hijack [email protected]
• nursery/persist-via-htmlhelp-author-registry-key [email protected]
• nursery/persist-via-image-file-execution-options-registry-key [email protected]
• nursery/persist-via-lsa-registry-key [email protected]
• nursery/persist-via-natural-language-registry-key [email protected]
• nursery/persist-via-netsh-registry-key [email protected]
• nursery/persist-via-network-provider-registry-key [email protected]
• nursery/persist-via-path-registry-key [email protected]
• nursery/persist-via-print-monitors-registry-key [email protected]
• nursery/persist-via-rdp-startup-programs-registry-key [email protected]
• nursery/persist-via-silentprocessexit-registry-key [email protected]
• nursery/persist-via-telemetrycontroller-registry-key [email protected]
• nursery/persist-via-timeproviders-registry-key [email protected]
• nursery/persist-via-ts-initialprogram-registry-key [email protected]
• nursery/persist-via-userinitmprlogonscript-registry-value [email protected]
• nursery/persist-via-windows-error-reporting-registry-key [email protected]

Bug Fixes

• extractor: fix exception when PE extractor encounters unknown architecture #2440 @Tamir-K
• IDA Pro: rename ida to idapro module for plugin and idalib in IDA 9.0 #2453 @mr-tz
• ghidra: fix saving of base address @mr-tz
• binja: support loading raw x86/x86_64 shellcode #2489 @xusheng6
• binja: fix crash when the IL of certain functions are not available. #2249 @xusheng6
• binja: major performance improvement on the binja extractor. #1414 @xusheng6
• cape: make Process model flexible and procmemory optional to load newest reports #2466 @mr-tz
• binja: fix unit test failure by fixing up the analysis for file al-khaser_x64.exe_ #2507 @xusheng6
• binja: move the stack string detection to function level #2516 @xusheng6
• BinExport2: fix handling of incorrect thunk functions #2524 @williballenthin
• BinExport2: more precise pruning of expressions @williballenthin
• BinExport2: better handle weird expression trees from Ghidra #2528 #2530 @williballenthin

capa Explorer Web

capa Explorer IDA Pro plugin

• fix bug preventing saving of capa results via Save button @mr-tz
• fix saving of base address @mr-tz

Development

• CI: use macos-13 since macos-12 is deprecated and will be removed on December 3rd, 2024 #2173 @mr-tz
• CI: update Binary Ninja version to 4.2 #2499 @xusheng6

Raw diffs

• capa v7.4.0...v8.0.0
• capa-rules v7.4.0...v8.0.0