mandiant · williballenthin · Aug 12, 2024 · Aug 12, 2024 · Aug 12, 2024 · Aug 12, 2024
diff --git a/.github/workflows/web-deploy.yml b/.github/workflows/web-deploy.yml
@@ -2,7 +2,7 @@ name: deploy web to GitHub Pages
 
 on:
   push:
-    branches: [ master, "wb/webui-actions-1" ]
+    branches: [ master ]
     paths:
       - 'web/**'
 
@@ -22,6 +22,7 @@ concurrency:
 
 jobs:
   build-landing-page:
+    name: Build landing page
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -32,6 +33,7 @@ jobs:
           path: './web/public'
 
   build-explorer:
+    name: Build capa explorer web
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -63,12 +65,49 @@ jobs:
           name: explorer
           path: './web/explorer/dist'
 
+  build-rules:
+    name: Build rules site
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
+          fetch-depth: 1
+      - name: Set up Python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: '3.12'
+      - uses: extractions/setup-just@v2
+      - name: Install pagefind
+        uses: supplypike/setup-bin@v4
+        with:
+          uri: "https://github.com/CloudCannon/pagefind/releases/download/v1.1.0/pagefind-v1.1.0-x86_64-unknown-linux-musl.tar.gz"
+          name: "pagefind"
+          version: "1.1.0"
+      - name: Install dependencies
+        working-directory: ./web/rules
+        run: pip install -r requirements.txt
+      - name: Build the website
+        working-directory: ./web/rules
+        run: just build
+      - name: Index the website
+        working-directory: ./web/rules
+        run: pagefind --site "public"
+      # upload the build website to artifacts
+      # so that we can download and inspect, if desired.
+      - uses: actions/upload-artifact@v4
+        with:
+          name: rules
+          path: './web/rules/public'
+
   deploy:
+    name: Deploy site to GitHub Pages
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
-    needs: [build-landing-page, build-explorer]
+    needs: [build-landing-page, build-explorer, build-rules]
     steps:
       - uses: actions/download-artifact@v4
         with:
@@ -78,6 +117,10 @@ jobs:
         with:
           name: explorer
           path: './public/explorer'
+      - uses: actions/download-artifact@v4
+        with:
+          name: rules
+          path: './public/rules'
       - name: Setup Pages
         uses: actions/configure-pages@v4
       - name: Upload artifact

diff --git a/web/public/.gitignore b/web/public/.gitignore
@@ -0,0 +1 @@
+rules/
diff --git a/web/public/css/bootstrap-5.3.3.min.css b/web/public/css/bootstrap-5.3.3.min.css
diff --git a/web/public/img/capa-default-pma0101.png b/web/public/img/capa-default-pma0101.png
diff --git a/web/public/img/capa-rule-create-socket.png b/web/public/img/capa-rule-create-socket.png
diff --git a/web/public/img/capa-vv-pma0101.png b/web/public/img/capa-vv-pma0101.png
diff --git a/web/public/img/capa.cast b/web/public/img/capa.cast
@@ -0,0 +1,33 @@
+{"version": 2, "width": 111, "height": 47, "timestamp": 1723472253, "env": {"SHELL": "/home/wballenthin/.nix-profile/bin/fish", "TERM": "screen-256color"}}
+[0.038662, "o", "Welcome to fish, the friendly interactive shell\r\nType \u001b[32mhelp\u001b[m\u000f for instructions on how to use fish\r\n"]
+[0.043485, "o", "\u001b[?2004h"]
+[0.064059, "o", "\u001b]0;/t/malware\u0007\u001b[30m\u001b[m\u000f\r\u001b[J\u001b[K\r\n\u001b[1;36m/tmp/malware\u001b[0m via \u001b[1;33mpy v3.11.9 (python-3.12) \u001b[0m❄️  \u001b[K\r\n\u001b[1;32m❯\u001b[0m \u001b[K\r\u001b[C\u001b[C"]
+[0.457927, "o", "./capa Practical\r\u001b[18C\\\r\u001b[19C"]
+[0.458186, "o", " Malware\r\u001b[27C"]
+[0.459431, "o", "\\\r\u001b[28C Analysis\r\u001b[37C"]
+[0.461126, "o", "\\\r\u001b[38C Lab\r\u001b[42C"]
+[0.462633, "o", "\\\r\u001b[43C"]
+[0.463438, "o", " 01-01.dll_\r\u001b[54C"]
+[0.463918, "o", "\r\u001b[54C\u001b[52D\u001b[34m./capa\u001b[30m\u001b[m\u000f \u001b[36m\u001b[4mPractical\u001b[96m\\ \u001b[36mMalware\u001b[96m\\ \u001b[36mAnalysis\u001b[96m\\ \u001b[36mLab\u001b[96m\\ \u001b[36m01-01.dll_\u001b[30m\u001b[m\u000f\r\u001b[54C"]
+[2.302267, "o", "\r\u001b[54C\r\n\u001b[30m\u001b[m\u000f"]
+[2.30273, "o", "\u001b[?2004l\u001b[?1004l"]
+[2.308131, "o", "\u001b]0;./capa Practical\\ Ma /t/malware\u0007\u001b[30m\u001b[m\u000f\r"]
+[3.955859, "o", "\u001b[?25l"]
+[4.337335, "o", "\u001b[32m⠋\u001b[0m analyzing program..."]
+[6.980748, "o", "\r\u001b[2K\u001b[32m⠸\u001b[0m analyzing program..."]
+[7.724282, "o", "\r\u001b[2K\u001b[32m⠹\u001b[0m analyzing program..."]
+[7.81513, "o", "\r\u001b[2K\u001b[32m⠸\u001b[0m analyzing program..."]
+[7.905989, "o", "\r\u001b[2K\u001b[32m⠼\u001b[0m analyzing program..."]
+[7.944451, "o", "\r\u001b[2K\u001b[32m⠴\u001b[0m analyzing program...\r\n\u001b[?25h\r\u001b[1A\u001b[2K"]
+[8.010119, "o", "\rmatching:   0%|                                     | 0/5 [00:00<?, ? functions/s, skipped 0 library functions]"]
+[8.038959, "o", "\rmatching:   0%|                               | 0/5 [00:00<?, ? functions/s, skipped 1 library functions (20%)]"]
+[8.039476, "o", "\rmatching:   0%|                               | 0/5 [00:00<?, ? functions/s, skipped 2 library functions (40%)]\rmatching:   0%|                               | 0/5 [00:00<?, ? functions/s, skipped 3 library functions (60%)]"]
+[8.043647, "o", "\r                                                                                                               \r"]
+[8.091772, "o", "┍━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┑\r\n│ md5                    │ 290934c61de9176ad682ffdd65f0a669                                                   │\r\n│ sha1                   │ a4b35de71ca20fe776dc72d12fb2886736f43c22                                           │\r\n│ sha256                 │ f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba                   │\r\n│ analysis               │ static                                                                             │\r\n│ os                     │ windows                                                                            │\r\n│ format                 │ pe                                                                                 │\r\n│ arch                   │ i386                                                                               │\r\n│ path                   │ /tmp/malware/Practical Malware Analysis Lab 01-01.dll_                             │\r\n┕━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┙\r\n\r\n\r\n\r\n┍━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┑\r\n│ MBC Objective               │ MBC Behavior                                                                  │\r\n┝━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┿━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┥\r\n│ \u001b[36mCOMMAND AND CONTROL\u001b[0m         │ \u001b[36mC2 Communication\u001b[0m::Receive Data [B0030.002]                                    │\r\n│                             │ \u001b[36mC2 Communication\u001b[0m::Send Data [B0030.001]                                       │\r\n├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤\r\n│ \u001b[36mCOMMUNICATION\u001b[0m               │ \u001b[36mSocket Communication\u001b[0m::Connect Socket [C0001.004]                              │\r\n│                             │ \u001b[36mSocket Communication\u001b[0m::Create TCP Socket [C0001.011]                           │\r\n│                             │ \u001b[36mSocket Communication\u001b[0m::Initialize Winsock Library [C0001.009]                  │\r\n"]
+[8.092112, "o", "│                             │ \u001b[36mSocket Communication\u001b[0m::Receive Data [C0001.006]                                │\r\n│                             │ \u001b[36mSocket Communication\u001b[0m::Send Data [C0001.007]                                   │\r\n│                             │ \u001b[36mSocket Communication\u001b[0m::TCP Client [C0001.008]                                  │\r\n├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤\r\n│ \u001b[36mPROCESS\u001b[0m                     │ \u001b[36mCheck Mutex\u001b[0m [C0043]                                                           │\r\n│                             │ \u001b[36mCreate Mutex\u001b[0m [C0042]                                                          │\r\n│                             │ \u001b[36mCreate Process\u001b[0m [C0017]                                                        │\r\n┕━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┙\r\n\r\n┍━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┑\r\n│ Capability                                           │ Namespace                                            │\r\n┝━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┿━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┥\r\n│ \u001b[36mreceive data\u001b[0m                                         │ communication                                        │\r\n│ \u001b[36msend data\u001b[0m                                            │ communication                                        │\r\n│ \u001b[36minitialize Winsock library\u001b[0m                           │ communication/socket                                 │\r\n│ \u001b[36mact as TCP client\u001b[0m                                    │ communication/tcp/client                             │\r\n│ \u001b[36mcheck mutex\u001b[0m                                          │ host-interaction/mutex                               │\r\n│ \u001b[36mcreate mutex\u001b[0m                                         │ host-interaction/mutex                               │\r\n│ \u001b[36mcreate process on Windows\u001b[0m                            │ host-interaction/process/create                      │\r\n┕━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┙\r\n\r\n"]
+[8.096254, "o", "\u001b[0m"]
+[8.828244, "o", "\u001b[?1004h\u001b[2m⏎\u001b[m\u000f                                                                                                              \r⏎ \r\u001b[K"]
+[8.83384, "o", "\u001b[?2004h"]
+[8.847539, "o", "\u001b]0;/t/malware\u0007\u001b[30m\u001b[m\u000f\u001b[J\u001b[K\r\n\u001b[1;36m/tmp/malware\u001b[0m via \u001b[1;33mpy v3.11.9 (python-3.12) \u001b[0m❄️  took \u001b[1;33m6s\u001b[0m \u001b[K\r\n\u001b[1;32m❯\u001b[0m \u001b[K\r\u001b[C\u001b[C"]
+[10.653996, "o", "\r\n\u001b[30m\u001b[m\u000f\u001b[30m\u001b[m\u000f"]
+[10.654661, "o", "\u001b[?2004l"]
diff --git a/web/public/img/capa.gif b/web/public/img/capa.gif
diff --git a/web/public/img/logo.png b/web/public/img/logo.png