From f5c1b50d5aa459d3388d8b3cef3bb4816ce3f999 Mon Sep 17 00:00:00 2001 From: Yacine Elhamer Date: Fri, 16 Aug 2024 08:39:48 +0100 Subject: [PATCH 1/6] update CHANGELOG.md and version.py --- CHANGELOG.md | 32 ++++++++++++++++++++++++++++++-- capa/version.py | 2 +- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 54d41d1f2..d91145d59 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,34 @@ ### New Features +### Breaking Changes + +### New Rules (0) + +- + +### Bug Fixes + +### capa explorer IDA Pro plugin + +### Development + +### Raw diffs +- [capa v7.2.0...master](https://github.com/mandiant/capa/compare/v7.2.0...master) +- [capa-rules v7.2.0...master](https://github.com/mandiant/capa-rules/compare/v7.2.0...master) + + +### v7.2.0 +The v7.2.0 release adds a web-based UI for online and offline usage, as well as a DRAKVUF sandbox feature extractor. +Additionally, we fixed several bugs and added other features such as extracting names from dynamically resolved APIs in the IDA extractor. + +Special thanks to our repeat and new contributors: +* @lakshayletsgo for their first contribution in https://github.com/mandiant/capa/pull/2248 +* @msm-cert for their first contribution in https://github.com/mandiant/capa/pull/2143 +* @VascoSch92 for their first contribution in https://github.com/mandiant/capa/pull/2143 + +### New Features + - webui: explore capa analysis results in a web-based UI online and offline #2224 @s-ff - support analyzing DRAKVUF traces #2143 @yelhamer - IDA extractor: extract names from dynamically resolved APIs stored in renamed global variables #2201 @Ana06 
@@ -33,8 +61,8 @@ - CI: update build.yml workflow to exclude web and documentation files #2270 @s-ff ### Raw diffs -- [capa v7.1.0...master](https://github.com/mandiant/capa/compare/v7.1.0...master) -- [capa-rules v7.1.0...master](https://github.com/mandiant/capa-rules/compare/v7.1.0...master) +- [capa v7.1.0...7.2.0](https://github.com/mandiant/capa/compare/v7.1.0...7.2.0) +- [capa-rules v7.1.0...7.2.0](https://github.com/mandiant/capa-rules/compare/v7.1.0...7.2.0) ## v7.1.0 The v7.1.0 release brings large performance improvements to capa's rule matching engine. diff --git a/capa/version.py b/capa/version.py index 65fe77ffd..b12f2879b 100644 --- a/capa/version.py +++ b/capa/version.py @@ -5,7 +5,7 @@ # Unless required by applicable law or agreed to in writing, software distributed under the License # is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and limitations under the License. -__version__ = "7.1.0" +__version__ = "7.2.0" def get_major_version(): From ce23158eeefd40df8be080fb1bac2ce5c4977db4 Mon Sep 17 00:00:00 2001 From: Yacine <16624109+yelhamer@users.noreply.github.com> Date: Fri, 16 Aug 2024 08:49:57 +0100 Subject: [PATCH 2/6] Update CHANGELOG.md: remove extra space --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d91145d59..ec718783d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,7 +20,6 @@ - [capa v7.2.0...master](https://github.com/mandiant/capa/compare/v7.2.0...master) - [capa-rules v7.2.0...master](https://github.com/mandiant/capa-rules/compare/v7.2.0...master) - ### v7.2.0 The v7.2.0 release adds a web-based UI for online and offline usage, as well as a DRAKVUF sandbox feature extractor. Additionally, we fixed several bugs and added other features such as extracting names from dynamically resolved APIs in the IDA extractor. 
From 6e7292941ce7e2e949e4f88106454ed0e02adde7 Mon Sep 17 00:00:00 2001 From: Yacine <16624109+yelhamer@users.noreply.github.com> Date: Fri, 16 Aug 2024 08:53:23 +0100 Subject: [PATCH 3/6] Update CHANGELOG.md: remove extra dash --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ec718783d..1d948797e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,7 +44,6 @@ Special thanks to our repeat and new contributors: - data-manipulation/encoding/base64/decode-data-using-base64-via-vbmi-lookup-table still@teamt5.org - communication/socket/attach-bpf-to-socket-on-linux jakub.jozwiak@mandiant.com - anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks jakub.jozwiak@mandiant.com -- ### Bug Fixes From b72d370b69edcb0f33b9ef43de804e45e6ccfaa5 Mon Sep 17 00:00:00 2001 From: Yacine <16624109+yelhamer@users.noreply.github.com> Date: Fri, 16 Aug 2024 18:17:42 +0100 Subject: [PATCH 4/6] Update CHANGELOG.md Co-authored-by: Moritz --- CHANGELOG.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d948797e..ffe802736 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -21,8 +21,11 @@ - [capa-rules v7.2.0...master](https://github.com/mandiant/capa-rules/compare/v7.2.0...master) ### v7.2.0 -The v7.2.0 release adds a web-based UI for online and offline usage, as well as a DRAKVUF sandbox feature extractor. -Additionally, we fixed several bugs and added other features such as extracting names from dynamically resolved APIs in the IDA extractor. +capa v7.2.0 adds support to analyze DRAKVUF sandbox dynamic analysis results. This release also introduces a first version of capa explorer web: a web-based user interface to inspect capa results using your browser. capa explorer web is available at https://mandiant.github.io/capa/explorer/#/. + +These enhancements have been contributed by @yelhamer and @s-ff as part of their Google Summer of Code 2024 projects. + +Additionally, we fixed several bugs handling ELF files and added support to the IDA Pro extractor to leverage analyst recovered API names. Special thanks to our repeat and new contributors: * @lakshayletsgo for their first contribution in https://github.com/mandiant/capa/pull/2248 From 7148e45ac2f77f0250bd741f6d7d81edf6ca585e Mon Sep 17 00:00:00 2001 From: Yacine <16624109+yelhamer@users.noreply.github.com> Date: Tue, 20 Aug 2024 08:10:04 +0100 Subject: [PATCH 5/6] Update CHANGELOG.md --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e3532c28..fc56caf38 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -21,11 +21,11 @@ - [capa-rules v7.2.0...master](https://github.com/mandiant/capa-rules/compare/v7.2.0...master) ### v7.2.0 -capa v7.2.0 adds support to analyze DRAKVUF sandbox dynamic analysis results. This release also introduces a first version of capa explorer web: a web-based user interface to inspect capa results using your browser. capa explorer web is available at https://mandiant.github.io/capa/explorer/#/. +capa v7.2.0 introduces a first version of capa explorer web: a web-based user interface to inspect capa results using your browser. Now, users can upload their samples or sandbox reports to the online web instance and get a list of the capabilities extracted from it. Users can also filter, sort, and see the details of each extracted capabilitiy which makes analyzing samples much easier. capa explorer web was worked on by @s-ff as part of a [GSoC project](https://summerofcode.withgoogle.com/programs/2024/projects/cR3hjbsq), and it is available at https://mandiant.github.io/capa/explorer/#/. -These enhancements have been contributed by @yelhamer and @s-ff as part of their Google Summer of Code 2024 projects. +This release also adds a feature extractor for output from the DRAKVUF sandbox. Now, analysts can pass the resulting `drakmon.log` file to capa and extract capabilities from the artifacts captured by the sandbox. This feature extractor will also be added to the DRAKVUF sandbox as a post-processing script, and it was worked on by @yelhamer as part of a [GSoC project](https://summerofcode.withgoogle.com/programs/2024/projects/fCnBGuEC). -Additionally, we fixed several bugs handling ELF files and added support to the IDA Pro extractor to leverage analyst recovered API names. +Additionally, we fixed several bugs handling ELF files, and added the ability to filter capa analysis by functions or processes. We also added support to the IDA Pro extractor to leverage analyst recovered API names. 
Special thanks to our repeat and new contributors: * @lakshayletsgo for their first contribution in https://github.com/mandiant/capa/pull/2248 From 964217c3a651710af2a64149553126b4beac8508 Mon Sep 17 00:00:00 2001 From: Yacine <16624109+yelhamer@users.noreply.github.com> Date: Tue, 20 Aug 2024 09:05:07 +0100 Subject: [PATCH 6/6] Update CHANGELOG.md Co-authored-by: Moritz --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc56caf38..72949b61b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -21,7 +21,7 @@ - [capa-rules v7.2.0...master](https://github.com/mandiant/capa-rules/compare/v7.2.0...master) ### v7.2.0 -capa v7.2.0 introduces a first version of capa explorer web: a web-based user interface to inspect capa results using your browser. Now, users can upload their samples or sandbox reports to the online web instance and get a list of the capabilities extracted from it. Users can also filter, sort, and see the details of each extracted capabilitiy which makes analyzing samples much easier. capa explorer web was worked on by @s-ff as part of a [GSoC project](https://summerofcode.withgoogle.com/programs/2024/projects/cR3hjbsq), and it is available at https://mandiant.github.io/capa/explorer/#/. +capa v7.2.0 introduces a first version of capa explorer web: a web-based user interface to inspect capa results using your browser. Users can inspect capa result JSON documents in an online web instance or a standalone HTML page for offline usage. capa explorer supports interactive exploring of capa results to make it easier to understand them. Users can filter, sort, and see the details of all identified capabilities. capa explorer web was worked on by @s-ff as part of a [GSoC project](https://summerofcode.withgoogle.com/programs/2024/projects/cR3hjbsq), and it is available at https://mandiant.github.io/capa/explorer/#/. This release also adds a feature extractor for output from the DRAKVUF sandbox. Now, analysts can pass the resulting `drakmon.log` file to capa and extract capabilities from the artifacts captured by the sandbox. This feature extractor will also be added to the DRAKVUF sandbox as a post-processing script, and it was worked on by @yelhamer as part of a [GSoC project](https://summerofcode.withgoogle.com/programs/2024/projects/fCnBGuEC).
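Review bot: In PATCH 1/6, CHANGELOG.md hunk `@@ -4,6 +4,34 @@`, the new release heading is added as `### v7.2.0` while the existing releases use a second-level heading (`## v7.1.0` is visible as context in the next hunk of the same patch); suggest `## v7.2.0` so the release sits at the same level as the previous ones. The same hunk also introduces a bare `-` placeholder under `### New Rules (0)` and a double blank line before `### v7.2.0` that PATCH 2/6 and PATCH 3/6 then remove again; squashing those fixups into this commit would avoid committing the placeholders in the first place.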
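Review bot: In PATCH 1/6, CHANGELOG.md hunk `@@ -33,8 +61,8 @@`, the new compare links use `v7.1.0...7.2.0`, with no `v` prefix on the second ref, whereas every other compare link in the file (`v7.2.0...master`, `v7.1.0...master`) uses `v`-prefixed tags; unless a tag literally named `7.2.0` is also created, these links will not resolve. Suggest `- [capa v7.1.0...v7.2.0](https://github.com/mandiant/capa/compare/v7.1.0...v7.2.0)` and the matching `capa-rules` link.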
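Review bot: In PATCH 1/6, the capa/version.py hunk bumps `__version__` to `"7.2.0"`, which is consistent with the changelog section added in the same commit; since this string is what the release is identified by, confirm the git tag is created as `v7.2.0` so the `v7.2.0...master` compare links added to CHANGELOG.md point at the right ref.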
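Review bot: In PATCH 4/6, hunk `@@ -21,8 +21,11 @@`, "analyst recovered API names" should read "analyst-recovered API names", and "adds support to analyze DRAKVUF sandbox dynamic analysis results" reads more naturally as "adds support for analyzing DRAKVUF sandbox dynamic analysis results". The `### v7.2.0` context line shows the heading-level mismatch with `## v7.1.0` is still present at this point in the series.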
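Review bot: In PATCH 5/6, hunk `@@ -21,11 +21,11 @@`, the first added paragraph contains the typo "capabilitiy" (PATCH 6/6 happens to rewrite that sentence, but the typo should not land in history at all), and "analyst recovered API names" in the last added line still needs a hyphen. The sentence "This feature extractor will also be added to the DRAKVUF sandbox as a post-processing script" describes future work rather than something in this release; suggest dropping it from the changelog or rewording it as a pointer to where that integration is tracked. Separately, this patch's `index 4e3532c28..fc56caf38` does not chain from PATCH 4/6's post-image blob `ffe802736`, so there are intervening changes not included in this series and the six patches will not apply cleanly as a linear sequence.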
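Review bot: In PATCH 6/6, hunk `@@ -21,7 +21,7 @@`, the rewritten paragraph alternates between "capa explorer web" and plain "capa explorer" ("capa explorer supports interactive exploring of capa results"); since "capa explorer" is also the name of the IDA Pro plugin (see the `### capa explorer IDA Pro plugin` heading added in PATCH 1/6), suggest using "capa explorer web" consistently, and "interactive exploration of capa results" instead of "interactive exploring".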