This release adds a new characteristic call $+5 enabling users to create rules that match this instruction commonly seen in obfuscators. The linter now also validates ATT&CK and MBC categories. Additionally, many dependencies, including the vivisect backend, have been updated.

One rule has been added and many more have been improved.

Thanks for all the support, especially to @kn0wl3dge and first time contributor @uckelman-sf!

New Features

• linter: validate ATT&CK/MBC categories and IDs #103 @kn0wl3dge
• extractor: add characteristic "call $+5" feature #366 @kn0wl3dge

New Rules (1)

• anti-analysis/obfuscation/obfuscated-with-advobfuscator jakub.jozwiak@mandiant.com

Bug Fixes

• remove typing package as a requirement for Python 3.7+ compatibility #901 @uckelman-sf
• elf: fix OS detection for Linux kernel modules #867 @williballenthin

Raw diffs

• capa v3.1.0...v3.2.0
• capa-rules v3.1.0...v3.2.0