The v7.1.0 release brings large performance improvements to capa's rule matching engine. Additionally, we've fixed various bugs and added new features for people using and developing capa.

This capa version now supports Python 3.12.

Special thanks to our repeat and new contributors:

• @sjha2048 made their first contribution in https://github.com/mandiant/capa/pull/2000
• @Rohit1123 made their first contribution in https://github.com/mandiant/capa/pull/1990
• @psahithireddy made their first contribution in https://github.com/mandiant/capa/pull/2020
• @Atlas-64 made their first contribution in https://github.com/mandiant/capa/pull/2018
• @s-ff made their first contribution in https://github.com/mandiant/capa/pull/2011
• @samadpls made their first contribution in https://github.com/mandiant/capa/pull/2024
• @acelynnzhang made their first contribution in https://github.com/mandiant/capa/pull/2044
• @RainRat made their first contribution in https://github.com/mandiant/capa/pull/2058
• @ReversingWithMe made their first contribution in https://github.com/mandiant/capa/pull/2093
• @malwarefrank made their first contribution in https://github.com/mandiant/capa/pull/2037

New Features

• Emit "dotnet" as format to ResultDocument when processing .NET files #2024 @samadpls
• ELF: detect OS from statically-linked Go binaries #1978 @williballenthin
• add function in capa/helpers to load plain and compressed JSON reports #1883 @Rohit1123
• document Antivirus warnings and VirusTotal false positive detections #2028 @RionEV @mr-tz
• Add json to sarif conversion script @reversingwithme
• render maec/* fields #843 @s-ff
• replace Halo spinner with Rich #2086 @s-ff
• optimize rule matching #2080 @williballenthin
• add aarch64 as a valid architecture #2144 mehunhoff@google.com @williballenthin
• relax dependency version requirements for the capa library #2053 @williballenthin
• add scripts dependency group and update documentation #2145 @mr-tz

New Rules (25)

• impact/wipe-disk/delete-drive-layout-via-ioctl william.ballenthin@mandiant.com
• host-interaction/driver/interact-with-driver-via-ioctl moritz.raabe@mandiant.com
• host-interaction/driver/unload-driver moritz.raabe@mandiant.com
• nursery/get-disk-information-via-ioctl william.ballenthin@mandiant.com
• nursery/get-volume-information-via-ioctl william.ballenthin@mandiant.com
• nursery/unmount-volume-via-ioctl william.ballenthin@mandiant.com
• data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033 daniel.stepanic@elastic.co
• anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams daniel.stepanic@elastic.co
• nursery/change-memory-permission-on-linux mehunhoff@google.com
• nursery/check-file-permission-on-linux mehunhoff@google.com
• nursery/check-if-process-is-running-under-android-emulator-on-android mehunhoff@google.com
• nursery/map-or-unmap-memory-on-linux mehunhoff@google.com
• persistence/act-as-share-provider-dll jakub.jozwiak@mandiant.com
• persistence/act-as-windbg-extension jakub.jozwiak@mandiant.com
• persistence/act-as-time-provider-dll jakub.jozwiak@mandiant.com
• host-interaction/gui/window/hide/hide-graphical-window-from-taskbar jakub.jozwiak@mandiant.com
• compiler/dart/compiled-with-dart jakub.jozwiak@mandiant.com
• nursery/bypass-hidden-api-restrictions-via-jni-on-android mehunhoff@google.com
• nursery/get-current-process-filesystem-mounts-on-linux mehunhoff@google.com
• nursery/get-current-process-memory-mapping-on-linux mehunhoff@google.com
• nursery/get-system-property-on-android mehunhoff@google.com
• nursery/hook-routines-via-lsplant mehunhoff@google.com
• nursery/load-packed-dex-via-jiagu-on-android mehunhoff@google.com
• nursery/modify-api-blacklist-or-denylist-via-jni-on-android mehunhoff@google.com
• nursery/truncate-file-on-linux mehunhoff@google.com

Bug Fixes

• do some imports closer to where they are used #1810 @williballenthin
• binja: fix and simplify stack string detection code after binja 4.0 @xusheng6
• binja: add support for forwarded export #1646 @xusheng6
• cape: support more report formats #2035 @mr-tz

capa explorer IDA Pro plugin

• replace deprecated IDA API find_binary with bin_search #1606 @s-ff

Development

• ci: Fix PR review in the changelog check GH action #2004 @Ana06
• ci: use rules number badge stored in our bot gist and generated using schneegans/dynamic-badges-action #2001 capa-rules#882 @Ana06
• ci: update github workflows to use latest version of actions that were using a deprecated version of node #1967 #2003 capa-rules#883 @sjha2048 @Ana06
• ci: update binja version to stable 4.0 #2016 @xusheng6
• ci: update github workflows to reflect the latest ghidrathon installation and bumped up jep, ghidra versions #2020 @psahithireddy
• ci: include rule caching in PyInstaller build process #2097 @s-ff
• add deptry support #1497 @s-ff

Raw diffs

• capa v7.0.1...v7.1.0
• capa-rules v7.0.1...v7.1.0