
Conversation

@ArkaprabhaChakraborty

Fixes #971

Features referred to: observation.txt
Binary used: mandiant/capa-testfiles#282

@ArkaprabhaChakraborty
Author

The rule is not yet complete. I have just made a PR as I think I'm clearly making a mistake while writing it.

cc @williballenthin @mike-hunhoff for visibility.

@mike-hunhoff
Collaborator

Thanks for creating the PR @ArkaprabhaChakraborty. I'd recommend taking another look at our rule format documentation, e.g., the following syntax is not supported:

  insn: 0x20027F9: mnemonic(movzx)
  insn: 0x20027F9: offset(0x0)
  insn: 0x20027F9: operand[1].offset(0x0)
  insn: 0x20027FC: mnemonic(movzx)
  insn: 0x20027FF: mnemonic(mov)
  insn: 0x2002806: mnemonic(mov)
  insn: 0x200280D: mnemonic(add)
  insn: 0x200280D: number(0x7)
  insn: 0x200280D: operand[1].number(0x7)
  insn: 0x200280D: offset(0x7)
  insn: 0x200280D: operand[1].offset(0x7)
  insn: 0x2002811: mnemonic(mov)
  insn: 0x2002818: mnemonic(mov)
  insn: 0x200281F: mnemonic(add)
  insn: 0x200281F: number(0x7)
  insn: 0x200281F: operand[1].number(0x7)
  insn: 0x200281F: offset(0x7)
  insn: 0x200281F: operand[1].offset(0x7)
  insn: 0x2002823: mnemonic(cmp)

You can also run https://github.com/mandiant/capa/blob/master/scripts/lint.py to know if your rule is formatted correctly prior to pushing changes.

Please let us know if you have any specific questions 😄

@ArkaprabhaChakraborty
Author

Yes, I know. I have just made the PR to find out if I'm going in the right direction. It's still a WIP.

@mr-tz
Collaborator

mr-tz commented Mar 26, 2025

On first glance this rule is rather confusing and doesn't quite match our philosophy. There's probably better ways to detect this and additional documentation is needed in the rule to make it easier to understand for humans.

@ArkaprabhaChakraborty
Author

ArkaprabhaChakraborty commented Mar 26, 2025 via email

@mr-tz
Collaborator

mr-tz commented Mar 26, 2025

Please see the rule documentation and existing rules.

@ArkaprabhaChakraborty
Author

I get this error while running lint.py on my rule. I know I'm doing almost everything wrong, so I need some help here.

ERROR    capa: invalid rule: subscope must have exactly one child statement                                  main.py:678
ERROR    capa: Make sure your file directory contains properly formatted capa rules. You can download the    main.py:679
         standard collection of capa rules from https://github.com/mandiant/capa-rules/releases.
ERROR    capa: Please ensure you're using the rules that correspond to your major version of capa (9)        main.py:683
ERROR    capa: Or, for more details, see the rule set documentation here:                                    main.py:687
         https://github.com/mandiant/capa/blob/master/doc/rules.md

@mike-hunhoff
Collaborator

@ArkaprabhaChakraborty this error is a result of basic block subscope matching in your rule that does not contain a single child element, e.g.

- basic block
  - [feature]
  - [feature]

must be something like:

- basic block
  - and:
    - [feature]
    - [feature]

I'm happy to answer specific questions that you have about the capa rule format.
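The corrected structure above, written out as a complete rule file so the subscope fix can be seen in context. This is an added illustration, not the rule from this PR and not a rule from the capa-rules repository; the rule name, namespace, author, example entry and the selection of features (taken from the observation list quoted earlier in the thread) are assumptions.

```yaml
rule:
  meta:
    # placeholder name and namespace; pick ones that match existing rules
    name: placeholder rule name
    namespace: communication
    authors:
      - author@example.com
    scopes:
      # the rule matches on a whole function; the basic block subscope below
      # then requires the listed features to occur together in one block
      static: function
      dynamic: unsupported
    examples:
      # examples are "<sha256>:<function address>"; lint.py checks that the
      # sample exists in the test files, so this placeholder must be replaced
      - <sha256-of-test-binary>:<function-address>
  features:
    - and:
      # a subscope ("basic block:", "function:", "instruction:") takes
      # exactly one child statement, so the features are wrapped in "and:"
      - basic block:
        - and:
          - mnemonic: movzx
          - mnemonic: add
          - number: 0x7
          - offset: 0x7
      - basic block:
        - and:
          - mnemonic: cmp
          - mnemonic: mov
```

Listing the features directly under `basic block:` (as in the first fragment in the comment above) is what produces the "subscope must have exactly one child statement" error from lint.py; each subscope needs a single logic node such as `and:`, `or:` or `N or more:` as its only child, and the features hang off that node.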

Development

Successfully merging this pull request may close these issues.

detect socks5 proxy capabilities