Merge pull request #10 from jorgeaduran/master

Refactor byte extraction to align with capa rules specifications
marirs · Feb 28, 2024 · f3822ec · f3822ec
2 parents c8955e1 + 1bb0a92
commit f3822ec
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 29 deletions.
diff --git a/src/extractor/dnfile.rs b/src/extractor/dnfile.rs
@@ -950,21 +950,7 @@ impl Extractor {
         _f: &cil::function::Function,
         insn: &cil::instruction::Instruction,
     ) -> Result<Vec<(crate::rules::features::Feature, u64)>> {
-        if ![
-            OpCodeValue::Call,
-            OpCodeValue::Callvirt,
-            OpCodeValue::Jmp,
-            OpCodeValue::Calli,
-            OpCodeValue::Ldfld,
-            OpCodeValue::Ldflda,
-            OpCodeValue::Ldsfld,
-            OpCodeValue::Ldsflda,
-            OpCodeValue::Stfld,
-            OpCodeValue::Stsfld,
-            OpCodeValue::Newobj,
-        ]
-        .contains(&insn.opcode.value)
-        {
+        if self.check_contains_opcode(insn) {
             return Ok(vec![]);
         }
         let mut res = vec![];
@@ -1025,12 +1011,7 @@ impl Extractor {
         Ok(res)
     }
 
-    ///parse instruction class features
-    pub fn extract_insn_class_features(
-        &self,
-        _f: &cil::function::Function,
-        insn: &cil::instruction::Instruction,
-    ) -> Result<Vec<(crate::rules::features::Feature, u64)>> {
+    fn check_contains_opcode(&self, insn: &cil::instruction::Instruction) -> bool {
         if ![
             OpCodeValue::Call,
             OpCodeValue::Callvirt,
@@ -1046,8 +1027,21 @@ impl Extractor {
         ]
         .contains(&insn.opcode.value)
         {
+            return true;
+        }
+        false
+
+    }
+    ///parse instruction class features
+    pub fn extract_insn_class_features(
+        &self,
+        _f: &cil::function::Function,
+        insn: &cil::instruction::Instruction,
+    ) -> Result<Vec<(crate::rules::features::Feature, u64)>> {
+        if self.check_contains_opcode(insn) {
             return Ok(vec![]);
         }
+
         let mut res = vec![];
         let operand = resolve_dotnet_token(
             &self.pe,

diff --git a/src/extractor/smda.rs b/src/extractor/smda.rs
@@ -763,19 +763,14 @@ impl Extractor {
 
     pub fn extract_insn_bytes_features(
         &self,
-        f: &Function,
+        _f: &Function,
         insn: &Instruction,
     ) -> Result<Vec<(crate::rules::features::Feature, u64)>> {
         let mut res = vec![];
-        let instruction_length = insn.bytes.len();
-        let context_based_length = if f.arch == crate::FileArchitecture::AMD64 {
-            std::cmp::min(instruction_length, 16)
-        } else {
-            instruction_length
-        };
+
         for data_ref in insn.get_data_refs(&self.report)? {
             for v in derefs(&self.report, &data_ref)? {
-                let bytes_read = read_bytes(&self.report, &v, context_based_length)?;
+                let bytes_read = read_bytes(&self.report, &v, 0x100)?;
                 if all_zeros(bytes_read)? || is_padding(bytes_read)? {
                     continue;
                 }