Rename architecture-specific rules and update rule names inside YAML files #1011

akh7177 · 2025-02-28T11:42:59Z

This PR addresses issue #979 by renaming architecture-specific rules.

Since all identified architecture-specific rules are x86-only, only x86-related rules have been renamed.

Each renamed rule now explicitly includes -x86.yml in its filename.
The name: field inside each YAML file has been updated to append "via x86 assembly" for consistency.

closes #979

…files

anti-analysis/anti-forensic/patch-process-command-line-via-x86-assembly.yml

…6 rules

akh7177 · 2025-02-28T17:25:55Z

I also noticed that there's a mistake in the logic of this script because the rule always returns False. Could you please let me know if I'm right? If so I'll quick fix that one too!

williballenthin · 2025-02-28T18:55:21Z

i agree that looks impossible. nice catch! would you please research and fix this? (if you want, of course)

akh7177 · 2025-03-01T02:33:48Z

Sure! I'm happy to fix it!
Will start working on it soon

akh7177 · 2025-03-01T07:48:54Z

Done with changing the logic of the rule 🌟

mike-hunhoff · 2025-03-10T19:05:29Z

@akh7177 it appears lints are failing now:

ERROR    capa: invalid rule: rule "packed with generic packer"       main.py:678
         depends on missing rule "contain pusha popa sequence"

This is likely the results of a match feature that references an outdated rule name. You can verify rule lints are passing locally by setting capa up for development following the instructions outlined here.

mike-hunhoff

Please see my comment about lints failing.

akh7177 · 2025-03-10T19:11:11Z

Please see my comment about lints failing.

Yup! I'll verify that and put up a comment over here. Is that okay?

…e-address-via-x86-assembly.yml

akh7177 · 2025-03-11T02:30:13Z

@mike-hunhoff Verified that it passes the lints locally!

mike-hunhoff · 2025-03-11T16:08:24Z

@akh7177 lints are still failing:

Run python scripts/lint.py rules/
  python scripts/lint.py rules/
[...]
ERROR    capa: invalid rule: rule "packed with generic packer"       main.py:678
         depends on missing rule "contain pusha popa sequence"              
[...]

akh7177 · 2025-03-11T16:11:29Z

@akh7177 lints are still failing:

Run python scripts/lint.py rules/
  python scripts/lint.py rules/
[...]
ERROR    capa: invalid rule: rule "packed with generic packer"       main.py:678
         depends on missing rule "contain pusha popa sequence"              
[...]

I ran the lint.py script again just now on my PC with the new rules and it seems to be passing perfectly 🤔

mike-hunhoff · 2025-03-11T16:14:46Z

@akh7177 lints are still failing:
Run python scripts/lint.py rules/
  python scripts/lint.py rules/
[...]
ERROR    capa: invalid rule: rule "packed with generic packer"       main.py:678
         depends on missing rule "contain pusha popa sequence"              
[...]
I ran the lint.py script again just now on my PC with the new rules and it seems to be passing perfectly 🤔

Have you pushed all of your local changes?

akh7177 · 2025-03-11T16:22:07Z

Yes, I've made sure to push the entire rules folder. As discussed yesterday, I believe it is the match feature which is causing the issue over here because all the rules that are flagged in the above test report are the ones that I've renamed

mike-hunhoff · 2025-03-11T16:24:50Z

This PR currently does not include any changes to the rule packed with generic packer, which is causing lints to fail. What are the contents of this rule in your local copy?

akh7177 · 2025-03-11T16:29:37Z

This PR currently does not include any changes to the rule packed with generic packer, which is causing lints to fail. What are the contents of this rule in your local copy?

That rule is indeed untouched. But it does not seem to be effecting the lint script locally when I run it to the entire rules folder.

rule:
meta:
name: packed with generic packer
namespace: anti-analysis/packer/generic
authors:
- [email protected]
scopes:
static: function
dynamic: unsupported
att&ck:
- Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
mbc:
- Anti-Static Analysis::Software Packing::Standard Compression [F0001.002]
examples:
- Practical Malware Analysis Lab 18-01.exe_:0x409dc0
features:
- and:
- or:
- mnemonic: pusha
- mnemonic: pushad # vivisect
- or:
- mnemonic: popa
- mnemonic: popad # vivisect
- characteristic: cross section flow
- not:
- match: contain pusha popa sequence

mike-hunhoff · 2025-03-11T16:32:36Z

Hmm I'm not sure what is happening in your local environment that would allow the tests to pass. Please verify that you're running lint.py on the expected rules folder and, if so, that the rules folder contains the updates that you've pushed here.

akh7177 · 2025-03-11T16:36:57Z

Hmm I'm not sure what is happening in your local environment that would allow the tests to pass. Please verify that you're running lint.py on the expected rules folder and, if so, that the rules folder contains the updates that you've pushed here.

Yes, it indeed is indeed intriguing. I have a fix in my mind. I'll try implementing it and get back to you ( Still not 100% sure why its failing. All the changes are are pushed 🥲 )

…e-address-via-x86-assembly.yml

akh7177 · 2025-03-11T16:48:34Z

@mike-hunhoff Could you pls try running the test now? 🤞

akh7177 · 2025-03-11T16:50:30Z

Okay. I believe changing the match feature of all the files will do the job. On my way!

mike-hunhoff · 2025-03-11T16:55:42Z

@akh7177 lints failed again. I pulled your changes locally and ran lint.py to receive the error:

$ python scripts/lint.py rules/
ERROR    capa: invalid rule: rule "get kernel32 base address via x86 assembly" depends on missing rule "access PEB ldr_data"                                                   main.py:678
ERROR    capa: Make sure your file directory contains properly formatted capa rules. You can download the standard collection of capa rules from                               main.py:679
         https://github.com/mandiant/capa-rules/releases.                                                                                                                                 
ERROR    capa: Please ensure you're using the rules that correspond to your major version of capa (9)                                                                          main.py:683
ERROR    capa: Or, for more details, see the rule set documentation here: https://github.com/mandiant/capa/blob/master/doc/rules.md

There must be something going on with your local environment, I'd recommend fixing this before proceeding.

akh7177 · 2025-03-11T17:01:13Z

Sure! I'll try to find a solution for it. My other PR regarding screen-capture rule seems to be passing the lints though 🤔

akh7177 · 2025-03-12T07:29:33Z

There must be something going on with your local environment, I'd recommend fixing this before proceeding.

@mike-hunhoff Yes, there indeed was something off with my local environment. I re-installed everything and then ran the lints. Faced the same error that you had mentioned. Now, I've fixed the match feature that references the old rule names to use new new names. I also ran the capafmt.py through the entire folder to result in proper formatting and made sure to pass the lints. Let's see how it goes.

…ture inside YAML files

mike-hunhoff

I've left comments for your review. It appears that the file mode of multiple files have been changed. Please revert these changes.

mike-hunhoff · 2025-03-12T14:55:09Z

host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml

@@ -1,6 +1,6 @@
 rule:
  meta:
-    name: get number of processors
+    name: get number of processors via x86 assembly


There is branch that does not use x86 assembly, please revert.

There is branch that does not use x86 assembly, please revert.

My bad! I oversaw the last statement. Will revert it back

mike-hunhoff · 2025-03-12T15:01:31Z

load-code/pe/resolve-function-by-parsing-pe-exports.yml