Merge pull request #8 from jorgeaduran/master

Enhanced Feature Extraction and Output Customization in Capa CLI
marirs · Feb 15, 2024 · a2b0399 · a2b0399
2 parents 87400ed + 2f40244
commit a2b0399
Show file tree

Hide file tree

Showing 4 changed files with 244 additions and 393 deletions.
diff --git a/examples/capa_cli.rs b/examples/capa_cli.rs
@@ -1,3 +1,4 @@
+use std::fs;
 use capa::FileCapabilities;
 use clap::Parser;
 use prettytable::{color, format::Alignment, Attr, Cell, Row, Table};
@@ -6,10 +7,10 @@ use std::time::Instant;
 
 #[derive(Parser)]
 #[clap(
-    author,
-    version,
-    about,
-    long_about = "Find Capabilities of a given file!"
+author,
+version,
+about,
+long_about = "Find Capabilities of a given file!"
 )]
 struct CliOpts {
     /// File to analyse
@@ -21,19 +22,27 @@ struct CliOpts {
     /// verbose output
     #[clap(long)]
     verbose: bool,
+    /// file path to save the result in json format
+    #[clap(short = 'o', long, value_name = "JSON_PATH")]
+    output: Option<String>,
+    /// map_features
+    #[clap(short = 'm', long, default_value = "false")]
+    map_features: bool,
 }
 
 fn main() {
     let cli = CliOpts::parse();
     let filename = cli.name;
     let rules_path = cli.rules_path;
     let verbose = cli.verbose;
+    let map_features = cli.map_features;
+    let json_path = cli.output;
 
     let start = Instant::now();
-    match FileCapabilities::from_file(&filename, &rules_path, true, true, &|_s| {}) {
+    match FileCapabilities::from_file(&filename, &rules_path, true, true, &|_s| {}, map_features) {
         Err(e) => println!("{:?}", e),
         Ok(s) => {
-            match to_value(s) {
+            match to_value(&s) {
                 Err(e) => println!("serde_json_error: {}", e),
                 Ok(data) => {
                     let data = data.as_object().unwrap();
@@ -105,6 +114,11 @@ fn main() {
                     println!();
                 }
             }
+            if let Some(json_path) = json_path {
+                let json = s.serialize_file_capabilities().unwrap();
+                fs::write(json_path.clone(), json).expect("Unable to write file");
+                println!("Analysis result saved in JSON format at: {}", json_path);
+            }
         }
     }
     println!("Time taken (seconds): {:?}", start.elapsed());
@@ -119,7 +133,7 @@ fn get_properties(props: &Value, features: Option<&Value>) -> Table {
         "File Properties",
         Alignment::CENTER,
     )
-    .with_hspan(2)]));
+        .with_hspan(2)]));
     for (k, v) in meta {
         tbl.add_row(Row::new(vec![
             Cell::new(k)
@@ -147,7 +161,7 @@ fn get_mitre(attacks: &Map<String, Value>) -> Table {
         "MITRE ATT&CK",
         Alignment::CENTER,
     )
-    .with_hspan(2)]));
+        .with_hspan(2)]));
     tbl.set_titles(Row::new(vec![
         Cell::new_align("ATT&CK Tactic", Alignment::LEFT),
         Cell::new_align("ATT&CK Technique", Alignment::LEFT),
@@ -178,7 +192,7 @@ fn get_mbc(mbc: &Map<String, Value>) -> Table {
         "Malware Behavior Catalog",
         Alignment::CENTER,
     )
-    .with_hspan(2)]));
+        .with_hspan(2)]));
     tbl.set_titles(Row::new(vec![
         Cell::new_align("MBC Objective", Alignment::LEFT),
         Cell::new_align("MBC Behavior", Alignment::LEFT),
@@ -208,7 +222,7 @@ fn get_namespace(namespace: &Map<String, Value>) -> Table {
         "File Capability/Namespace",
         Alignment::CENTER,
     )
-    .with_hspan(2)]));
+        .with_hspan(2)]));
     tbl.set_titles(Row::new(vec![
         Cell::new_align("Capability", Alignment::LEFT),
         Cell::new_align("Namespace", Alignment::LEFT),

diff --git a/src/extractor/dnfile.rs b/src/extractor/dnfile.rs
@@ -175,7 +175,7 @@ impl super::Extractor for Extractor {
                     OpCodeValue::Jmp,
                     OpCodeValue::Newobj,
                 ]
-                .contains(&insn.opcode.value)
+                    .contains(&insn.opcode.value)
                 {
                     continue;
                 }
@@ -210,15 +210,15 @@ impl super::Extractor for Extractor {
     ) -> Result<Vec<(crate::rules::features::Feature, u64)>> {
         let f: &Function = f.as_any().downcast_ref::<Function>().unwrap();
         Ok([
-            self.extract_function_call_to_features(f)?,
-            self.extract_function_call_from_features(f)?,
-            self.extract_recurcive_call_features(f)?,
+            self.extract_function_call_to_features(&f)?,
+            self.extract_function_call_from_features(&f)?,
+            self.extract_recurcive_call_features(&f)?,
         ]
-        .into_iter()
-        .fold(Vec::new(), |mut acc, f| {
-            acc.extend(f);
-            acc
-        }))
+            .into_iter()
+            .fold(Vec::new(), |mut acc, f| {
+                acc.extend(f);
+                acc
+            }))
     }
 
     fn get_basic_blocks(
@@ -682,7 +682,7 @@ impl Extractor {
             OpCodeValue::Calli,
             OpCodeValue::Newobj,
         ]
-        .contains(&insn.opcode.value)
+            .contains(&insn.opcode.value)
         {
             return Ok(vec![]);
         }
@@ -765,7 +765,7 @@ impl Extractor {
             OpCodeValue::Jmp,
             OpCodeValue::Calli,
         ]
-        .contains(&insn.opcode.value)
+            .contains(&insn.opcode.value)
         {
             let operand_result = resolve_dotnet_token(
                 &self.pe,
@@ -858,7 +858,7 @@ impl Extractor {
             OpCodeValue::Stfld,
             OpCodeValue::Stsfld,
         ]
-        .contains(&insn.opcode.value)
+            .contains(&insn.opcode.value)
         {
             if let Ok(fields_lock) = self.get_fields() {
                 if let Some(fields) = fields_lock.read().as_ref() {
@@ -955,7 +955,7 @@ impl Extractor {
             OpCodeValue::Stsfld,
             OpCodeValue::Newobj,
         ]
-        .contains(&insn.opcode.value)
+            .contains(&insn.opcode.value)
         {
             return Ok(vec![]);
         }
@@ -1025,7 +1025,7 @@ impl Extractor {
             OpCodeValue::Stsfld,
             OpCodeValue::Newobj,
         ]
-        .contains(&insn.opcode.value)
+            .contains(&insn.opcode.value)
         {
             return Ok(vec![]);
         }
@@ -1099,7 +1099,7 @@ impl Extractor {
             OpCodeValue::Jmp,
             OpCodeValue::Calli,
         ]
-        .contains(&insn.opcode.value)
+            .contains(&insn.opcode.value)
         {
             return Ok(vec![]);
         }

diff --git a/src/extractor/smda.rs b/src/extractor/smda.rs
@@ -111,7 +111,7 @@ impl super::Extractor for Extractor {
         res.extend(self.extract_file_export_names()?);
         res.extend(self.extract_file_import_names()?);
         res.extend(self.extract_file_section_names()?);
-        res.extend(self._extract_file_embedded_pe()?);
+        res.extend(self.extract_file_embedded_pe()?);
         res.extend(self.extract_file_strings()?);
         //        res.extend(self.extract_file_function_names(pbytes)?);
         res.extend(self.extract_file_format()?);
@@ -334,10 +334,10 @@ impl Extractor {
         Ok(res)
     }
 
-    fn _extract_file_embedded_pe(&self) -> Result<Vec<(crate::rules::features::Feature, u64)>> {
+    fn extract_file_embedded_pe(&self) -> Result<Vec<(crate::rules::features::Feature, u64)>> {
         let mut res = vec![];
         for (mz_offset, _pe_offset, _key) in
-            Extractor::find_embedded_pe_headers(&self.report.buffer)
+        Extractor::find_embedded_pe_headers(&self.report.buffer)
         {
             res.push((
                 crate::rules::features::Feature::Characteristic(