v6.0.0

capa v6.0 brings many bug fixes and quality improvements, including 64 rule updates and 26 new rules. We're now publishing to PyPI via Trusted Publishing and have migrated to using a pyproject.toml file. @Aayush-Goel-04 contributed a lot of new code across many files, so please welcome them to the project, along with @anders-v @crowface28 @dkelly2e @RonnieSalomonsen and @ejfocampo as first-time rule contributors!

For those that use capa as a library, we've introduced some limited breaking changes that better represent data types (versus less-structured data like dictionaries and strings). With the recent deprecation, we've also dropped support for Python 3.7.

New Features

• add script to detect feature overlap between new and existing capa rules #1451 @Aayush-Goel-04
• extract forwarded exports from PE files #1624 @williballenthin
• extract function and API names from ELF symtab entries @yelhamer https://github.com/mandiant/capa-rules/issues/736
• use fancy box drawing characters for default output #1586 @williballenthin

Breaking Changes

• use a class to represent Metadata (not dict) #1411 @Aayush-Goel-04 @manasghandat
• use pathlib.Path to represent file paths #1534 @Aayush-Goel-04
• Python 3.8 is now the minimum supported Python version #1578 @williballenthin
• Require a Contributor License Agreement (CLA) for PRs going forward #1642 @williballenthin

New Rules (26)

• load-code/shellcode/execute-shellcode-via-windows-callback-function ervin.ocampo@mandiant.com jakub.jozwiak@mandiant.com
• nursery/execute-shellcode-via-indirect-call ronnie.salomonsen@mandiant.com
• data-manipulation/encryption/aes/encrypt-data-using-aes-mixcolumns-step @mr-tz
• linking/static/aplib/linked-against-aplib still@teamt5.org
• communication/mailslot/read-from-mailslot nick.simonian@mandiant.com
• nursery/hash-data-using-sha512managed-in-dotnet jonathanlepore@google.com
• nursery/compiled-with-exescript jonathanlepore@google.com
• nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet jonathanlepore@google.com
• host-interaction/hardware/enumerate-devices-by-category @mr-tz
• host-interaction/service/continue-service @mr-tz
• host-interaction/service/pause-service @mr-tz
• persistence/exchange/act-as-exchange-transport-agent jakub.jozwiak@mandiant.com
• host-interaction/file-system/create-virtual-file-system-in-dotnet jakub.jozwiak@mandiant.com
• compiler/cx_freeze/compiled-with-cx_freeze @mr-tz jakub.jozwiak@mandiant.com
• communication/socket/create-vmci-socket jakub.jozwiak@mandiant.com
• persistence/office/act-as-excel-xll-add-in jakub.jozwiak@mandiant.com
• persistence/office/act-as-office-com-add-in jakub.jozwiak@mandiant.com
• persistence/office/act-as-word-wll-add-in jakub.jozwiak@mandiant.com
• anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger michael.hunhoff@mandiant.com jakub.jozwiak@mandiant.com
• host-interaction/memory/create-new-application-domain-in-dotnet jakub.jozwiak@mandiant.com
• host-interaction/gui/switch-active-desktop jakub.jozwiak@mandiant.com
• host-interaction/service/query-service-configuration @mr-tz
• anti-analysis/anti-av/patch-event-tracing-for-windows-function jakub.jozwiak@mandiant.com
• data-manipulation/encoding/xor/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls dan.kelly@mandiant.com
• linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash jakub.jozwiak@mandiant.com

Bug Fixes

• extractor: add a Binary Ninja test that asserts its version #1487 @xusheng6
• extractor: update Binary Ninja stack string detection after the new constant outlining feature #1473 @xusheng6
• extractor: update vivisect Arch extraction #1334 @mr-tz
• extractor: avoid Binary Ninja exception when analyzing certain files #1441 @xusheng6
• symtab: fix struct.unpack() format for 64-bit ELF files @yelhamer
• symtab: safeguard against ZeroDivisionError for files containing a symtab with a null entry size @yelhamer
• improve ELF strtab and needed parsing @mr-tz
• better handle exceptional cases when parsing ELF files #1458 @Aayush-Goel-04
• improved testing coverage for Binary Ninja backend #1446 @Aayush-Goel-04
• add logging and print redirect to tqdm for capa main #749 @Aayush-Goel-04
• extractor: fix binja installation path detection does not work with Python 3.11
• tests: refine the IDA test runner script #1513 @williballenthin
• output: don't leave behind traces of progress bar @williballenthin
• import-to-ida: fix bug introduced with JSON report changes in v5 #1584 @williballenthin
• main: don't show spinner when emitting debug messages #1636 @williballenthin

capa explorer IDA Pro plugin

Development

• update ATT&CK/MBC data for linting #1568 @mr-tz
• log time taken to analyze each function #1290 @williballenthin
• tests: make fixture available via conftest.py #1592 @williballenthin
• publish via PyPI trusted publishing #1491 @williballenthin
• migrate to pyproject.toml #1301 @williballenthin
• use pre-commit to invoke linters #1579 @williballenthin

Raw diffs

• capa v5.1.0...v6.0.0
• capa-rules v5.1.0...v6.0.0