The following code example (under Examples) currently does not match the relevant rule schedule-task-via-itaskservice, even when the rule was stripped down to just the bytes features, suggesting the bytes feature is currently unable to detect such bytes when they are pushed via the stack.
Examples
Possible improvements
Additional context
yes this is definitely an issue, and i would expect this behavior today. the bytes (and guid) feature only matches pointers to byte sequences.
the analysis backends don't attempt to do any code reconstruction or emulation to recognize stack data, though it's possible that Binary Ninja might do some of this with their "function outlining" capability.
we could attempt to recognize the 4-byte little endian portion at the instruction level (mov mnemonic, operand 1 number = 0x...), which might be sufficient??
do you have any ideas or suggestions?
do you happen to have a few examples we could use as case studies?
I only have this specific shellcode that matches something like this off the top of my head at the moment. I think attempting to match mov instructions would be good enough if this is something that can be attempted in capa's backend.
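As an added illustration of the two approaches discussed in this thread (this is not code from the issue, from the reporter, or from capa itself): a small Python model that rebuilds the bytes a function assembles on its stack from `mov [reg+disp], imm32` and `push imm32` instructions, and beside it the cheaper per-instruction check for 4-byte little-endian immediates that the maintainer suggested. The listings, the textual instruction format, and the 16-byte target value are all constructed for the example; the target is a placeholder, not the real CLSID/IID the rule uses, and the regexes only cover the simple Intel-syntax forms shown.

```python
import re
import struct

# Constructed x86 listings (not real capa output and not the issue's sample):
# the same 16-byte value is built on the stack two ways that a pointer-based
# `bytes` feature cannot see. The value is a placeholder, not a real CLSID/IID.
TARGET = bytes.fromhex("4433221188776655ccbbaa9900ffeedd")

MOV_LISTING = """
push    ebp
mov     ebp, esp
sub     esp, 0x20
mov     dword [ebp-0x10], 0x11223344
mov     dword [ebp-0xc], 0x55667788
mov     dword [ebp-0x8], 0x99aabbcc
mov     dword [ebp-0x4], 0xddeeff00
lea     eax, [ebp-0x10]
push    eax
call    CoCreateInstance
"""

PUSH_LISTING = """
push    0xddeeff00      ; highest dword first, so memory order is ascending
push    0x99aabbcc
push    0x55667788
push    0x11223344
push    esp             ; pointer to the 16 bytes just built
call    CoCreateInstance
"""

# One dword differs, so the reconstructed run must not contain TARGET.
NEGATIVE_LISTING = MOV_LISTING.replace("0x99aabbcc", "0x99aabbcd")

STORE_RE = re.compile(
    r"^mov\s+(?:dword\s+)?\[(\w+)\s*([+-]\s*0x[0-9a-f]+)?\]\s*,\s*(0x[0-9a-f]+)$", re.I)
PUSH_RE = re.compile(r"^push\s+(0x[0-9a-f]+)$", re.I)


def _le_dword(imm):
    return struct.pack("<I", int(imm, 16) & 0xFFFFFFFF)


def _runs(mem):
    """Collapse an {offset: byte} map into contiguous byte strings."""
    runs, cur, start = [], bytearray(), None
    for off in sorted(mem):
        if start is not None and off == start + len(cur):
            cur.append(mem[off])
        else:
            if cur:
                runs.append(bytes(cur))
            start, cur = off, bytearray([mem[off]])
    if cur:
        runs.append(bytes(cur))
    return runs


def reconstruct_stack_bytes(listing):
    """Model immediate stores into the frame: `mov [reg+disp], imm32` writes
    four little-endian bytes at disp relative to reg; `push imm32` writes four
    bytes at a virtual stack pointer that drops by 4 on each push.
    Returns the contiguous byte runs recovered for every base register."""
    regions = {}
    sp = 0
    for raw in listing.strip().splitlines():
        line = raw.split(";")[0].strip()
        m = STORE_RE.match(line)
        if m:
            base, disp, imm = m.group(1).lower(), m.group(2), m.group(3)
            off = int(disp.replace(" ", ""), 16) if disp else 0
            mem = regions.setdefault(base, {})
            for i, b in enumerate(_le_dword(imm)):
                mem[off + i] = b
            continue
        m = PUSH_RE.match(line)
        if m:
            sp -= 4
            mem = regions.setdefault("esp", {})
            for i, b in enumerate(_le_dword(m.group(1))):
                mem[sp + i] = b
    runs = []
    for mem in regions.values():
        runs.extend(_runs(mem))
    return runs


def stack_bytes_match(listing, needle=TARGET):
    """Stack-aware analogue of a `bytes:` feature: True if the needle occurs in
    any run rebuilt from immediate stores."""
    return any(needle in run for run in reconstruct_stack_bytes(listing))


def needle_as_dwords(needle):
    """The instruction-level heuristic from the thread: split the needle into
    4-byte little-endian numbers that a rule could look for as immediates."""
    return [struct.unpack("<I", needle[i:i + 4])[0] for i in range(0, len(needle) - 3, 4)]


def immediates_match(listing, needle=TARGET):
    """True if every dword of the needle appears as an immediate somewhere.
    Cheaper than reconstruction, but blind to ordering and adjacency."""
    imms = {int(tok, 16) for tok in re.findall(r"0x[0-9a-f]+", listing, re.I)}
    return all(d in imms for d in needle_as_dwords(needle))


if __name__ == "__main__":
    for name, lst in [("mov", MOV_LISTING), ("push", PUSH_LISTING), ("neg", NEGATIVE_LISTING)]:
        print(name, stack_bytes_match(lst), immediates_match(lst))
```

The reconstruction path is the one that actually answers "does this function build these bytes": it keeps adjacency and order, so a listing that stores the right dwords at scattered offsets does not match. The immediate check is what a rule could express today with `number:` features per dword, at the cost of false positives when the same constants appear in an unrelated order; both models ignore register-relative stores whose displacement is not an immediate, which is exactly the case that needs real data-flow analysis in the backend.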