From ef846fc17a97672e968f3e1f0400f1a387d83641 Mon Sep 17 00:00:00 2001 From: Soufiane Fariss Date: Fri, 7 Jun 2024 21:56:07 +0200 Subject: [PATCH 1/6] add api call and import count metadata fields This commit introduces two new metadata fields: - apicall_count: total count of all API calls made in the sample - import_count: total count of Import symbols in the sample --- capa/capabilities/common.py | 2 +- capa/capabilities/static.py | 26 +- capa/ghidra/helpers.py | 2 + capa/ida/helpers.py | 2 + capa/loader.py | 2 + capa/main.py | 4 + capa/render/default.py | 24 ++ capa/render/proto/__init__.py | 2 + capa/render/proto/capa.proto | 3 + capa/render/proto/capa_pb2.py | 321 ++++++++++---------- capa/render/proto/capa_pb2.pyi | 516 +++++++++++++++++---------------- capa/render/result_document.py | 2 + 12 files changed, 496 insertions(+), 410 deletions(-) diff --git a/capa/capabilities/common.py b/capa/capabilities/common.py index a73f40afe..2dedc6f09 100644 --- a/capa/capabilities/common.py +++ b/capa/capabilities/common.py @@ -37,7 +37,7 @@ def find_file_capabilities(ruleset: RuleSet, extractor: FeatureExtractor, functi file_features.update(function_features) _, matches = ruleset.match(Scope.FILE, file_features, NO_ADDRESS) - return matches, len(file_features) + return matches, file_features def has_file_limitation(rules: RuleSet, capabilities: MatchResults, is_standalone=True) -> bool: diff --git a/capa/capabilities/static.py b/capa/capabilities/static.py index 4f3b3b6a1..65066c98a 100644 --- a/capa/capabilities/static.py +++ b/capa/capabilities/static.py @@ -21,6 +21,8 @@ from capa.rules import Scope, RuleSet from capa.engine import FeatureSet, MatchResults from capa.helpers import redirecting_print_to_tqdm +from capa.features.file import Import +from capa.features.insn import API from capa.capabilities.common import find_file_capabilities from capa.features.extractors.base_extractor import BBHandle, InsnHandle, FunctionHandle, StaticFeatureExtractor 
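Review bot: `return matches, file_features` changes what find_file_capabilities hands back from an int to the feature set, but the hunk touches neither the signature nor the docstring, and the function starts outside the hunk; if its return annotation still reads `Tuple[MatchResults, int]` it should become `Tuple[MatchResults, FeatureSet]` (importing FeatureSet from capa.engine, as static.py already does) to match the parallel edit made to find_code_capabilities. The diffstat lists no caller of this helper other than capa/capabilities/static.py, so any caller outside this patch, for instance a dynamic-analysis path if it uses the same helper, would now receive a feature set where it expected a count and should be checked. A one-line docstring addition such as `returns the file-scope matches and the merged file-scope feature set; callers take len() of it for the feature count` would make the new contract explicit.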
@@ -96,7 +98,7 @@ def find_basic_block_capabilities( def find_code_capabilities( ruleset: RuleSet, extractor: StaticFeatureExtractor, fh: FunctionHandle -) -> Tuple[MatchResults, MatchResults, MatchResults, int]: +) -> Tuple[MatchResults, MatchResults, MatchResults, FeatureSet]: """ find matches for the given rules within the given function. @@ -129,7 +131,7 @@ def find_code_capabilities( function_features[feature].add(va) _, function_matches = ruleset.match(Scope.FUNCTION, function_features, fh.address) - return function_matches, bb_matches, insn_matches, len(function_features) + return function_matches, bb_matches, insn_matches, function_features def find_static_capabilities( @@ -141,6 +143,8 @@ def find_static_capabilities( feature_counts = rdoc.StaticFeatureCounts(file=0, functions=()) library_functions: Tuple[rdoc.LibraryFunction, ...] = () + apicall_count: int = 0 + import_count: int = 0 assert isinstance(extractor, StaticFeatureExtractor) with redirecting_print_to_tqdm(disable_progress): @@ -180,12 +184,18 @@ def pbar(s, *args, **kwargs): pb.set_postfix_str(f"skipped {n_libs} library functions ({percentage}%)") continue - function_matches, bb_matches, insn_matches, feature_count = find_code_capabilities( + function_matches, bb_matches, insn_matches, function_features = find_code_capabilities( ruleset, extractor, f ) + feature_count = len(function_features) feature_counts.functions += ( rdoc.FunctionFeatureCount(address=frz.Address.from_capa(f.address), count=feature_count), ) + # cumulatively count the total number of API calls + for feature, vas in function_features.items(): + if isinstance(feature, API): + apicall_count += len(vas) + t1 = time.time() match_count = 0 
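Review bot: The comment `# cumulatively count the total number of API calls` above the new loop understates what is measured: function_features maps each feature to the set of addresses it was seen at (`function_features[feature].add(va)` in the earlier hunk), so `apicall_count += len(vas)` adds one per call site, whereas the import_count loop added later in this file counts each distinct Import feature once. The two fields therefore use different units, which is reasonable but should be stated; `# count API call sites: one per address an API feature was observed at (distinct API names are not deduplicated)` says it. As a style point the loop collapses to one expression, `apicall_count += sum(len(vas) for feature, vas in function_features.items() if isinstance(feature, API))`. The enclosing find_static_capabilities body continues outside the hunk.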
@@ -223,9 +233,15 @@ def pbar(s, *args, **kwargs): rule = ruleset[rule_name] capa.engine.index_rule_matches(function_and_lower_features, rule, locations) - all_file_matches, feature_count = find_file_capabilities(ruleset, extractor, function_and_lower_features) + all_file_matches, file_features = find_file_capabilities(ruleset, extractor, function_and_lower_features) + feature_count = len(file_features) feature_counts.file = feature_count + # cumulatively count the total number of Import features + for feature, _ in file_features.items(): + if isinstance(feature, Import): + import_count += 1 + matches: MatchResults = dict( itertools.chain( # each rule exists in exactly one scope, @@ -241,6 +257,8 @@ def pbar(s, *args, **kwargs): meta = { "feature_counts": feature_counts, "library_functions": library_functions, + "apicall_count": apicall_count, + "import_count": import_count, } return matches, meta diff --git a/capa/ghidra/helpers.py b/capa/ghidra/helpers.py index b32c534a3..2d643f658 100644 --- a/capa/ghidra/helpers.py +++ b/capa/ghidra/helpers.py @@ -156,5 +156,7 @@ def collect_metadata(rules: List[Path]): ), feature_counts=rdoc.StaticFeatureCounts(file=0, functions=()), library_functions=(), + apicall_count=0, + import_count=0, ), ) diff --git a/capa/ida/helpers.py b/capa/ida/helpers.py index 02046ecf1..4a5409334 100644 --- a/capa/ida/helpers.py +++ b/capa/ida/helpers.py @@ -170,6 +170,8 @@ def collect_metadata(rules: List[Path]): # ignore these for now - not used by IDA plugin. feature_counts=rdoc.StaticFeatureCounts(file=0, functions=()), library_functions=(), + apicall_count=0, + import_count=0, ), ) diff --git a/capa/loader.py b/capa/loader.py index 8e91fae0f..7d8149d0c 100644 --- a/capa/loader.py +++ b/capa/loader.py 
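Review bot: The import-counting loop iterates `file_features.items()` but discards the value, so `for feature, _ in file_features.items():` should be `for feature in file_features:`, or the loop replaced outright by `import_count = sum(isinstance(feature, Import) for feature in file_features)`. Note that file_features is the merged set returned by find_file_capabilities, which appears to fold in function_and_lower_features, so the result is a count of distinct Import features rather than of import-table entries; the comment `# cumulatively count the total number of Import features` could say "distinct" to make that clear. Since `feature_count` is now used only once here, `feature_counts.file = len(file_features)` would also drop the temporary. find_static_capabilities starts outside the hunk.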
@@ -350,6 +350,8 @@ def get_sample_analysis(format_, arch, os_, extractor, rules_path, counts): ), feature_counts=counts["feature_counts"], library_functions=counts["library_functions"], + apicall_count=counts["apicall_count"], + import_count=counts["import_count"], ) elif isinstance(extractor, DynamicFeatureExtractor): return rdoc.DynamicAnalysis( diff --git a/capa/main.py b/capa/main.py index eb43769d2..1ab850a00 100644 --- a/capa/main.py +++ b/capa/main.py @@ -890,6 +890,8 @@ def ida_main(): meta.analysis.feature_counts = counts["feature_counts"] meta.analysis.library_functions = counts["library_functions"] + meta.analysis.apicall_count = counts["apicall_count"] + meta.analysis.import_count = counts["import_count"] if has_file_limitation(rules, capabilities, is_standalone=False): capa.ida.helpers.inform_user_ida_ui("capa encountered warnings during analysis") @@ -928,6 +930,8 @@ def ghidra_main(): meta.analysis.feature_counts = counts["feature_counts"] meta.analysis.library_functions = counts["library_functions"] + meta.analysis.apicall_count = counts["apicall_count"] + meta.analysis.import_count = counts["import_count"] if has_file_limitation(rules, capabilities, is_standalone=False): logger.info("capa encountered warnings during analysis") diff --git a/capa/render/default.py b/capa/render/default.py index e49a31e3c..a216a9243 100644 --- a/capa/render/default.py +++ b/capa/render/default.py @@ -19,6 +19,9 @@ tabulate.PRESERVE_WHITESPACE = True +MIN_LIBFUNCS_RATIO = 0.4 +MIN_API_CALLS = 10 + def width(s: str, character_count: int) -> str: """pad the given string to at least `character_count`""" 
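Review bot: `MIN_LIBFUNCS_RATIO = 0.4` and `MIN_API_CALLS = 10` are undocumented thresholds that decide whether a user-facing warning is printed by render_meta, so each should carry a comment giving the unit, the comparison direction and the reason for the value, e.g. `# warn when fewer than this fraction of all discovered functions were recognized as library code by FLIRT signatures` and `# warn when a static analysis reports fewer API call sites than this (suggests packing, encryption, corruption or a tiny sample)`. Without that, a reader cannot tell whether 0.4 means 40% of all functions or 40% of non-library functions, which the ratio computed later in the file settles only implicitly.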
@@ -29,6 +32,27 @@ def width(s: str, character_count: int) -> str: def render_meta(doc: rd.ResultDocument, ostream: StringIO): + if isinstance(doc.meta.analysis, rd.StaticAnalysis): + + if doc.meta.analysis.apicall_count < MIN_API_CALLS: + ostream.write( + rutils.warn( + "The analyzed sample reports very few API calls, this could indicate that it is packed, encrypted, corrupted, or tiny\n" + ) + ) + + n_libs: int = len(doc.meta.analysis.library_functions) + n_funcs: int = len(doc.meta.analysis.feature_counts.functions) + lib_ratio: float = n_libs / (n_funcs + n_libs) if (n_funcs + n_libs) > 0 else 0 + + if lib_ratio < MIN_LIBFUNCS_RATIO: + ostream.write( + rutils.warn( + "Few library functions (%.2f%% of all functions) recognized by FLIRT signatures, results may contain false positives\n" + ) + % (100 * lib_ratio) + ) + rows = [ (width("md5", 22), width(doc.meta.sample.md5, 82)), ("sha1", doc.meta.sample.sha1), diff --git a/capa/render/proto/__init__.py b/capa/render/proto/__init__.py index ed4c690e1..3acdcfcfc 100644 --- a/capa/render/proto/__init__.py +++ b/capa/render/proto/__init__.py @@ -703,6 +703,8 @@ def static_analysis_from_pb2(analysis: capa_pb2.StaticAnalysis) -> rd.StaticAnal library_functions=tuple( [rd.LibraryFunction(address=addr_from_pb2(lf.address), name=lf.name) for lf in analysis.library_functions] ), + apicall_count=analysis.apicall_count, + import_count=analysis.import_count, ) diff --git a/capa/render/proto/capa.proto b/capa/render/proto/capa.proto index 50508bf50..6fc29db14 100644 --- a/capa/render/proto/capa.proto +++ b/capa/render/proto/capa.proto @@ -403,6 +403,9 @@ message StaticAnalysis { StaticLayout layout = 7; StaticFeatureCounts feature_counts = 8; repeated LibraryFunction library_functions = 9; + uint64 apicall_count = 10; + uint64 import_count = 11; + } message StaticFeatureCounts { diff --git a/capa/render/proto/capa_pb2.py b/capa/render/proto/capa_pb2.py index 8b55fed4f..04a7f4e7d 100644 --- a/capa/render/proto/capa_pb2.py 
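Review bot: In the library-function warning the `%` operator is applied to the value returned by `rutils.warn(...)` instead of to the message, so the `%.2f%%` placeholder is resolved only after warn() has processed the raw text; that works only if warn returns a plain str that still contains the placeholder, and it differs from the first warning in the same hunk, which passes finished text. Format first and pass the result: `rutils.warn(f"Few library functions ({100 * lib_ratio:.2f}% of all functions) recognized by FLIRT signatures, results may contain false positives\n")`. Separately, the API-call warning fires for any StaticAnalysis whose apicall_count is below MIN_API_CALLS, which includes documents where the field was simply never populated (the ghidra and ida collect_metadata helpers in this patch initialize it to 0 and rely on a later overwrite, and older JSON documents may default to 0 depending on the result_document.py change that is outside this chunk), so consider gating the warning on the field having been filled in. The blank line directly after `if isinstance(doc.meta.analysis, rd.StaticAnalysis):` should also go; render_meta continues past the hunk.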
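Review bot: static_analysis_from_pb2 now reads `analysis.apicall_count` and `analysis.import_count`, but the diffstat records only these two insertions for capa/render/proto/__init__.py, so the opposite conversion from rd.StaticAnalysis into capa_pb2.StaticAnalysis appears not to populate the new fields (numbers 10 and 11 in capa.proto); if that function exists, a document round-tripped through protobuf would silently come back with both counts at the proto3 default of 0. Mirror the two assignments on the to-pb2 side and add a round-trip assertion covering the new fields. The enclosing function starts outside the hunk.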
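Review bot: `uint64 apicall_count = 10;` and `uint64 import_count = 11;` are added to StaticAnalysis, and the capa_pb2.py regenerated for them in this patch now calls `_runtime_version.ValidateProtobufRuntimeVersion(... 5, 27, 0 ...)`, which fails at import time on a protobuf runtime older than 5.27.0; the diffstat contains no dependency manifest, so the package's protobuf lower bound should be raised in the same change, or the module regenerated with the protoc version the project pins. The new fields would also benefit from schema comments, e.g. `// number of API call sites observed by static analysis` and `// number of distinct import features observed in the file`, since the generated .pyi carries no documentation. The blank line added before the closing `}` of StaticAnalysis is inconsistent with the other messages and can be dropped.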
+++ b/capa/render/proto/capa_pb2.py @@ -1,11 +1,22 @@ # -*- coding: utf-8 -*- # Generated by the protocol buffer compiler. DO NOT EDIT! +# NO CHECKED-IN PROTOBUF GENCODE # source: capa/render/proto/capa.proto +# Protobuf Python Version: 5.27.0 """Generated protocol buffer code.""" -from google.protobuf.internal import builder as _builder from google.protobuf import descriptor as _descriptor from google.protobuf import descriptor_pool as _descriptor_pool +from google.protobuf import runtime_version as _runtime_version from google.protobuf import symbol_database as _symbol_database +from google.protobuf.internal import builder as _builder +_runtime_version.ValidateProtobufRuntimeVersion( + _runtime_version.Domain.PUBLIC, + 5, + 27, + 0, + '', + 'capa/render/proto/capa.proto' +) # @@protoc_insertion_point(imports) _sym_db = _symbol_database.Default() 
@@ -13,159 +24,159 @@ -DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x1c\x63\x61pa/render/proto/capa.proto\x12\rmandiant.capa\"Q\n\nAPIFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0b\n\x03\x61pi\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\xb3\x02\n\x07\x41\x64\x64ress\x12(\n\x04type\x18\x01 \x01(\x0e\x32\x1a.mandiant.capa.AddressType\x12#\n\x01v\x18\x02 \x01(\x0b\x32\x16.mandiant.capa.IntegerH\x00\x12\x33\n\x0ctoken_offset\x18\x03 \x01(\x0b\x32\x1b.mandiant.capa.Token_OffsetH\x00\x12+\n\x08ppid_pid\x18\x04 \x01(\x0b\x32\x17.mandiant.capa.Ppid_PidH\x00\x12\x33\n\x0cppid_pid_tid\x18\x05 \x01(\x0b\x32\x1b.mandiant.capa.Ppid_Pid_TidH\x00\x12\x39\n\x0fppid_pid_tid_id\x18\x06 \x01(\x0b\x32\x1e.mandiant.capa.Ppid_Pid_Tid_IdH\x00\x42\x07\n\x05value\"\x9c\x02\n\x08\x41nalysis\x12\x0e\n\x06\x66ormat\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\n\n\x02os\x18\x03 \x01(\t\x12\x11\n\textractor\x18\x04 \x01(\t\x12\r\n\x05rules\x18\x05 \x03(\t\x12,\n\x0c\x62\x61se_address\x18\x06 \x01(\x0b\x32\x16.mandiant.capa.Address\x12%\n\x06layout\x18\x07 \x01(\x0b\x32\x15.mandiant.capa.Layout\x12\x34\n\x0e\x66\x65\x61ture_counts\x18\x08 \x01(\x0b\x32\x1c.mandiant.capa.FeatureCounts\x12\x39\n\x11library_functions\x18\t \x03(\x0b\x32\x1e.mandiant.capa.LibraryFunction\"S\n\x0b\x41rchFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"`\n\nAttackSpec\x12\r\n\x05parts\x18\x01 \x03(\t\x12\x0e\n\x06tactic\x18\x02 \x01(\t\x12\x11\n\ttechnique\x18\x03 \x01(\t\x12\x14\n\x0csubtechnique\x18\x04 \x01(\t\x12\n\n\x02id\x18\x05 \x01(\t\"K\n\x11\x42\x61sicBlockFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x02 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\";\n\x10\x42\x61sicBlockLayout\x12\'\n\x07\x61\x64\x64ress\x18\x01 
\x01(\x0b\x32\x16.mandiant.capa.Address\"U\n\x0c\x42ytesFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05\x62ytes\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"g\n\x15\x43haracteristicFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x16\n\x0e\x63haracteristic\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"V\n\x0c\x43lassFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x63lass_\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"K\n\x11\x43ompoundStatement\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x02 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\xc8\x01\n\x0f\x44ynamicAnalysis\x12\x0e\n\x06\x66ormat\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\n\n\x02os\x18\x03 \x01(\t\x12\x11\n\textractor\x18\x04 \x01(\t\x12\r\n\x05rules\x18\x05 \x03(\t\x12,\n\x06layout\x18\x06 \x01(\x0b\x32\x1c.mandiant.capa.DynamicLayout\x12;\n\x0e\x66\x65\x61ture_counts\x18\x07 \x01(\x0b\x32#.mandiant.capa.DynamicFeatureCounts\"[\n\x14\x44ynamicFeatureCounts\x12\x0c\n\x04\x66ile\x18\x01 \x01(\x04\x12\x35\n\tprocesses\x18\x02 \x03(\x0b\x32\".mandiant.capa.ProcessFeatureCount\"@\n\rDynamicLayout\x12/\n\tprocesses\x18\x01 \x03(\x0b\x32\x1c.mandiant.capa.ProcessLayout\"W\n\rExportFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x65xport\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"U\n\rFeatureCounts\x12\x0c\n\x04\x66ile\x18\x01 \x01(\x04\x12\x36\n\tfunctions\x18\x02 \x03(\x0b\x32#.mandiant.capa.FunctionFeatureCount\"\xb9\t\n\x0b\x46\x65\x61tureNode\x12\x0c\n\x04type\x18\x01 \x01(\t\x12&\n\x02os\x18\x02 \x01(\x0b\x32\x18.mandiant.capa.OSFeatureH\x00\x12*\n\x04\x61rch\x18\x03 \x01(\x0b\x32\x1a.mandiant.capa.ArchFeatureH\x00\x12.\n\x06\x66ormat\x18\x04 
\x01(\x0b\x32\x1c.mandiant.capa.FormatFeatureH\x00\x12,\n\x05match\x18\x05 \x01(\x0b\x32\x1b.mandiant.capa.MatchFeatureH\x00\x12>\n\x0e\x63haracteristic\x18\x06 \x01(\x0b\x32$.mandiant.capa.CharacteristicFeatureH\x00\x12.\n\x06\x65xport\x18\x07 \x01(\x0b\x32\x1c.mandiant.capa.ExportFeatureH\x00\x12/\n\x07import_\x18\x08 \x01(\x0b\x32\x1c.mandiant.capa.ImportFeatureH\x00\x12\x30\n\x07section\x18\t \x01(\x0b\x32\x1d.mandiant.capa.SectionFeatureH\x00\x12;\n\rfunction_name\x18\n \x01(\x0b\x32\".mandiant.capa.FunctionNameFeatureH\x00\x12\x34\n\tsubstring\x18\x0b \x01(\x0b\x32\x1f.mandiant.capa.SubstringFeatureH\x00\x12,\n\x05regex\x18\x0c \x01(\x0b\x32\x1b.mandiant.capa.RegexFeatureH\x00\x12.\n\x06string\x18\r \x01(\x0b\x32\x1c.mandiant.capa.StringFeatureH\x00\x12-\n\x06\x63lass_\x18\x0e \x01(\x0b\x32\x1b.mandiant.capa.ClassFeatureH\x00\x12\x34\n\tnamespace\x18\x0f \x01(\x0b\x32\x1f.mandiant.capa.NamespaceFeatureH\x00\x12(\n\x03\x61pi\x18\x10 \x01(\x0b\x32\x19.mandiant.capa.APIFeatureH\x00\x12\x33\n\tproperty_\x18\x11 \x01(\x0b\x32\x1e.mandiant.capa.PropertyFeatureH\x00\x12.\n\x06number\x18\x12 \x01(\x0b\x32\x1c.mandiant.capa.NumberFeatureH\x00\x12,\n\x05\x62ytes\x18\x13 \x01(\x0b\x32\x1b.mandiant.capa.BytesFeatureH\x00\x12.\n\x06offset\x18\x14 \x01(\x0b\x32\x1c.mandiant.capa.OffsetFeatureH\x00\x12\x32\n\x08mnemonic\x18\x15 \x01(\x0b\x32\x1e.mandiant.capa.MnemonicFeatureH\x00\x12=\n\x0eoperand_number\x18\x16 \x01(\x0b\x32#.mandiant.capa.OperandNumberFeatureH\x00\x12=\n\x0eoperand_offset\x18\x17 \x01(\x0b\x32#.mandiant.capa.OperandOffsetFeatureH\x00\x12\x37\n\x0b\x62\x61sic_block\x18\x18 \x01(\x0b\x32 .mandiant.capa.BasicBlockFeatureH\x00\x42\t\n\x07\x66\x65\x61ture\"W\n\rFormatFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x66ormat\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"N\n\x14\x46unctionFeatureCount\x12\'\n\x07\x61\x64\x64ress\x18\x01 
\x01(\x0b\x32\x16.mandiant.capa.Address\x12\r\n\x05\x63ount\x18\x02 \x01(\x04\"x\n\x0e\x46unctionLayout\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12=\n\x14matched_basic_blocks\x18\x02 \x03(\x0b\x32\x1f.mandiant.capa.BasicBlockLayout\"d\n\x13\x46unctionNameFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x15\n\rfunction_name\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"X\n\rImportFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0f\n\x07import_\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\":\n\x06Layout\x12\x30\n\tfunctions\x18\x01 \x03(\x0b\x32\x1d.mandiant.capa.FunctionLayout\"H\n\x0fLibraryFunction\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12\x0c\n\x04name\x18\x02 \x01(\t\"Y\n\x07MBCSpec\x12\r\n\x05parts\x18\x01 \x03(\t\x12\x11\n\tobjective\x18\x02 \x01(\t\x12\x10\n\x08\x62\x65havior\x18\x03 \x01(\t\x12\x0e\n\x06method\x18\x04 \x01(\t\x12\n\n\x02id\x18\x05 \x01(\t\"\x9a\x01\n\x0cMaecMetadata\x12\x1b\n\x13\x61nalysis_conclusion\x18\x01 \x01(\t\x12\x1e\n\x16\x61nalysis_conclusion_ov\x18\x02 \x01(\t\x12\x16\n\x0emalware_family\x18\x03 \x01(\t\x12\x18\n\x10malware_category\x18\x04 \x01(\t\x12\x1b\n\x13malware_category_ov\x18\x05 \x01(\t\"\xd6\x02\n\x05Match\x12\x0f\n\x07success\x18\x01 \x01(\x08\x12\x31\n\tstatement\x18\x02 \x01(\x0b\x32\x1c.mandiant.capa.StatementNodeH\x00\x12-\n\x07\x66\x65\x61ture\x18\x03 \x01(\x0b\x32\x1a.mandiant.capa.FeatureNodeH\x00\x12&\n\x08\x63hildren\x18\x05 \x03(\x0b\x32\x14.mandiant.capa.Match\x12)\n\tlocations\x18\x06 \x03(\x0b\x32\x16.mandiant.capa.Address\x12\x34\n\x08\x63\x61ptures\x18\x07 \x03(\x0b\x32\".mandiant.capa.Match.CapturesEntry\x1aI\n\rCapturesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\'\n\x05value\x18\x02 \x01(\x0b\x32\x18.mandiant.capa.Addresses:\x02\x38\x01\x42\x06\n\x04node\"U\n\x0cMatchFeature\x12\x0c\n\x04type\x18\x01 
\x01(\t\x12\r\n\x05match\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\xbc\x02\n\x08Metadata\x12\x11\n\ttimestamp\x18\x01 \x01(\t\x12\x0f\n\x07version\x18\x02 \x01(\t\x12\x0c\n\x04\x61rgv\x18\x03 \x03(\t\x12%\n\x06sample\x18\x04 \x01(\x0b\x32\x15.mandiant.capa.Sample\x12-\n\x08\x61nalysis\x18\x05 \x01(\x0b\x32\x17.mandiant.capa.AnalysisB\x02\x18\x01\x12%\n\x06\x66lavor\x18\x06 \x01(\x0e\x32\x15.mandiant.capa.Flavor\x12\x38\n\x0fstatic_analysis\x18\x07 \x01(\x0b\x32\x1d.mandiant.capa.StaticAnalysisH\x00\x12:\n\x10\x64ynamic_analysis\x18\x08 \x01(\x0b\x32\x1e.mandiant.capa.DynamicAnalysisH\x00\x42\x0b\n\tanalysis2\"[\n\x0fMnemonicFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x10\n\x08mnemonic\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"]\n\x10NamespaceFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"n\n\rNumberFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12%\n\x06number\x18\x02 \x01(\x0b\x32\x15.mandiant.capa.Number\x12\x18\n\x0b\x64\x65scription\x18\x05 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"O\n\tOSFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\n\n\x02os\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"o\n\rOffsetFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12&\n\x06offset\x18\x02 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\x8d\x01\n\x14OperandNumberFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05index\x18\x02 \x01(\r\x12.\n\x0eoperand_number\x18\x03 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12\x18\n\x0b\x64\x65scription\x18\x04 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\x8d\x01\n\x14OperandOffsetFeature\x12\x0c\n\x04type\x18\x01 
\x01(\t\x12\r\n\x05index\x18\x02 \x01(\r\x12.\n\x0eoperand_offset\x18\x03 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12\x18\n\x0b\x64\x65scription\x18\x04 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"M\n\x13ProcessFeatureCount\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12\r\n\x05\x63ount\x18\x02 \x01(\x04\"|\n\rProcessLayout\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12\x34\n\x0fmatched_threads\x18\x02 \x03(\x0b\x32\x1b.mandiant.capa.ThreadLayout\x12\x0c\n\x04name\x18\x03 \x01(\t\"|\n\x0fPropertyFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x11\n\tproperty_\x18\x02 \x01(\t\x12\x13\n\x06\x61\x63\x63\x65ss\x18\x03 \x01(\tH\x00\x88\x01\x01\x12\x18\n\x0b\x64\x65scription\x18\x04 \x01(\tH\x01\x88\x01\x01\x42\t\n\x07_accessB\x0e\n\x0c_description\"\x8d\x01\n\x0eRangeStatement\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0b\n\x03min\x18\x02 \x01(\x04\x12\x0b\n\x03max\x18\x03 \x01(\x04\x12)\n\x05\x63hild\x18\x04 \x01(\x0b\x32\x1a.mandiant.capa.FeatureNode\x12\x18\n\x0b\x64\x65scription\x18\x05 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"U\n\x0cRegexFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05regex\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\xba\x01\n\x0eResultDocument\x12%\n\x04meta\x18\x01 \x01(\x0b\x32\x17.mandiant.capa.Metadata\x12\x37\n\x05rules\x18\x02 \x03(\x0b\x32(.mandiant.capa.ResultDocument.RulesEntry\x1aH\n\nRulesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12)\n\x05value\x18\x02 \x01(\x0b\x32\x1a.mandiant.capa.RuleMatches:\x02\x38\x01\"|\n\x0bRuleMatches\x12)\n\x04meta\x18\x01 \x01(\x0b\x32\x1b.mandiant.capa.RuleMetadata\x12\x0e\n\x06source\x18\x02 \x01(\t\x12\x32\n\x07matches\x18\x03 \x03(\x0b\x32!.mandiant.capa.Pair_Address_Match\"\xed\x02\n\x0cRuleMetadata\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\t\x12\x0f\n\x07\x61uthors\x18\x03 \x03(\t\x12\'\n\x05scope\x18\x04 
\x01(\x0e\x32\x14.mandiant.capa.ScopeB\x02\x18\x01\x12)\n\x06\x61ttack\x18\x05 \x03(\x0b\x32\x19.mandiant.capa.AttackSpec\x12#\n\x03mbc\x18\x06 \x03(\x0b\x32\x16.mandiant.capa.MBCSpec\x12\x12\n\nreferences\x18\x07 \x03(\t\x12\x10\n\x08\x65xamples\x18\x08 \x03(\t\x12\x13\n\x0b\x64\x65scription\x18\t \x01(\t\x12\x0b\n\x03lib\x18\n \x01(\x08\x12)\n\x04maec\x18\x0b \x01(\x0b\x32\x1b.mandiant.capa.MaecMetadata\x12\x18\n\x10is_subscope_rule\x18\x0c \x01(\x08\x12%\n\x06scopes\x18\r \x01(\x0b\x32\x15.mandiant.capa.Scopes\"A\n\x06Sample\x12\x0b\n\x03md5\x18\x01 \x01(\t\x12\x0c\n\x04sha1\x18\x02 \x01(\t\x12\x0e\n\x06sha256\x18\x03 \x01(\t\x12\x0c\n\x04path\x18\x04 \x01(\t\"v\n\x06Scopes\x12)\n\x06static\x18\x01 \x01(\x0e\x32\x14.mandiant.capa.ScopeH\x00\x88\x01\x01\x12*\n\x07\x64ynamic\x18\x02 \x01(\x0e\x32\x14.mandiant.capa.ScopeH\x01\x88\x01\x01\x42\t\n\x07_staticB\n\n\x08_dynamic\"Y\n\x0eSectionFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0f\n\x07section\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"V\n\rSomeStatement\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05\x63ount\x18\x02 \x01(\r\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\xf4\x01\n\rStatementNode\x12\x0c\n\x04type\x18\x01 \x01(\t\x12.\n\x05range\x18\x02 \x01(\x0b\x32\x1d.mandiant.capa.RangeStatementH\x00\x12,\n\x04some\x18\x03 \x01(\x0b\x32\x1c.mandiant.capa.SomeStatementH\x00\x12\x34\n\x08subscope\x18\x04 \x01(\x0b\x32 .mandiant.capa.SubscopeStatementH\x00\x12\x34\n\x08\x63ompound\x18\x05 \x01(\x0b\x32 .mandiant.capa.CompoundStatementH\x00\x42\x0b\n\tstatement\"\xae\x02\n\x0eStaticAnalysis\x12\x0e\n\x06\x66ormat\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\n\n\x02os\x18\x03 \x01(\t\x12\x11\n\textractor\x18\x04 \x01(\t\x12\r\n\x05rules\x18\x05 \x03(\t\x12,\n\x0c\x62\x61se_address\x18\x06 \x01(\x0b\x32\x16.mandiant.capa.Address\x12+\n\x06layout\x18\x07 
\x01(\x0b\x32\x1b.mandiant.capa.StaticLayout\x12:\n\x0e\x66\x65\x61ture_counts\x18\x08 \x01(\x0b\x32\".mandiant.capa.StaticFeatureCounts\x12\x39\n\x11library_functions\x18\t \x03(\x0b\x32\x1e.mandiant.capa.LibraryFunction\"[\n\x13StaticFeatureCounts\x12\x0c\n\x04\x66ile\x18\x01 \x01(\x04\x12\x36\n\tfunctions\x18\x02 \x03(\x0b\x32#.mandiant.capa.FunctionFeatureCount\"@\n\x0cStaticLayout\x12\x30\n\tfunctions\x18\x01 \x03(\x0b\x32\x1d.mandiant.capa.FunctionLayout\"W\n\rStringFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06string\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"p\n\x11SubscopeStatement\x12\x0c\n\x04type\x18\x01 \x01(\t\x12#\n\x05scope\x18\x02 \x01(\x0e\x32\x14.mandiant.capa.Scope\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"]\n\x10SubstringFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x11\n\tsubstring\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"C\n\nCallLayout\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12\x0c\n\x04name\x18\x02 \x01(\t\"i\n\x0cThreadLayout\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12\x30\n\rmatched_calls\x18\x02 \x03(\x0b\x32\x19.mandiant.capa.CallLayout\"4\n\tAddresses\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x03(\x0b\x32\x16.mandiant.capa.Address\"b\n\x12Pair_Address_Match\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12#\n\x05match\x18\x02 \x01(\x0b\x32\x14.mandiant.capa.Match\"E\n\x0cToken_Offset\x12%\n\x05token\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12\x0e\n\x06offset\x18\x02 \x01(\x04\"U\n\x08Ppid_Pid\x12$\n\x04ppid\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12#\n\x03pid\x18\x02 \x01(\x0b\x32\x16.mandiant.capa.Integer\"~\n\x0cPpid_Pid_Tid\x12$\n\x04ppid\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12#\n\x03pid\x18\x02 
\x01(\x0b\x32\x16.mandiant.capa.Integer\x12#\n\x03tid\x18\x03 \x01(\x0b\x32\x16.mandiant.capa.Integer\"\xa5\x01\n\x0fPpid_Pid_Tid_Id\x12$\n\x04ppid\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12#\n\x03pid\x18\x02 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12#\n\x03tid\x18\x03 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12\"\n\x02id\x18\x04 \x01(\x0b\x32\x16.mandiant.capa.Integer\",\n\x07Integer\x12\x0b\n\x01u\x18\x01 \x01(\x04H\x00\x12\x0b\n\x01i\x18\x02 \x01(\x12H\x00\x42\x07\n\x05value\"8\n\x06Number\x12\x0b\n\x01u\x18\x01 \x01(\x04H\x00\x12\x0b\n\x01i\x18\x02 \x01(\x12H\x00\x12\x0b\n\x01\x66\x18\x03 \x01(\x01H\x00\x42\x07\n\x05value*\x92\x02\n\x0b\x41\x64\x64ressType\x12\x1b\n\x17\x41\x44\x44RESSTYPE_UNSPECIFIED\x10\x00\x12\x18\n\x14\x41\x44\x44RESSTYPE_ABSOLUTE\x10\x01\x12\x18\n\x14\x41\x44\x44RESSTYPE_RELATIVE\x10\x02\x12\x14\n\x10\x41\x44\x44RESSTYPE_FILE\x10\x03\x12\x18\n\x14\x41\x44\x44RESSTYPE_DN_TOKEN\x10\x04\x12\x1f\n\x1b\x41\x44\x44RESSTYPE_DN_TOKEN_OFFSET\x10\x05\x12\x1a\n\x16\x41\x44\x44RESSTYPE_NO_ADDRESS\x10\x06\x12\x17\n\x13\x41\x44\x44RESSTYPE_PROCESS\x10\x07\x12\x16\n\x12\x41\x44\x44RESSTYPE_THREAD\x10\x08\x12\x14\n\x10\x41\x44\x44RESSTYPE_CALL\x10\t*G\n\x06\x46lavor\x12\x16\n\x12\x46LAVOR_UNSPECIFIED\x10\x00\x12\x11\n\rFLAVOR_STATIC\x10\x01\x12\x12\n\x0e\x46LAVOR_DYNAMIC\x10\x02*\xa5\x01\n\x05Scope\x12\x15\n\x11SCOPE_UNSPECIFIED\x10\x00\x12\x0e\n\nSCOPE_FILE\x10\x01\x12\x12\n\x0eSCOPE_FUNCTION\x10\x02\x12\x15\n\x11SCOPE_BASIC_BLOCK\x10\x03\x12\x15\n\x11SCOPE_INSTRUCTION\x10\x04\x12\x11\n\rSCOPE_PROCESS\x10\x05\x12\x10\n\x0cSCOPE_THREAD\x10\x06\x12\x0e\n\nSCOPE_CALL\x10\x07\x62\x06proto3') - -_builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, globals()) -_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'capa.render.proto.capa_pb2', globals()) -if _descriptor._USE_C_DESCRIPTORS == False: +DESCRIPTOR = 
_descriptor_pool.Default().AddSerializedFile(b'\n\x1c\x63\x61pa/render/proto/capa.proto\x12\rmandiant.capa\"Q\n\nAPIFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0b\n\x03\x61pi\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\xb3\x02\n\x07\x41\x64\x64ress\x12(\n\x04type\x18\x01 \x01(\x0e\x32\x1a.mandiant.capa.AddressType\x12#\n\x01v\x18\x02 \x01(\x0b\x32\x16.mandiant.capa.IntegerH\x00\x12\x33\n\x0ctoken_offset\x18\x03 \x01(\x0b\x32\x1b.mandiant.capa.Token_OffsetH\x00\x12+\n\x08ppid_pid\x18\x04 \x01(\x0b\x32\x17.mandiant.capa.Ppid_PidH\x00\x12\x33\n\x0cppid_pid_tid\x18\x05 \x01(\x0b\x32\x1b.mandiant.capa.Ppid_Pid_TidH\x00\x12\x39\n\x0fppid_pid_tid_id\x18\x06 \x01(\x0b\x32\x1e.mandiant.capa.Ppid_Pid_Tid_IdH\x00\x42\x07\n\x05value\"\x9c\x02\n\x08\x41nalysis\x12\x0e\n\x06\x66ormat\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\n\n\x02os\x18\x03 \x01(\t\x12\x11\n\textractor\x18\x04 \x01(\t\x12\r\n\x05rules\x18\x05 \x03(\t\x12,\n\x0c\x62\x61se_address\x18\x06 \x01(\x0b\x32\x16.mandiant.capa.Address\x12%\n\x06layout\x18\x07 \x01(\x0b\x32\x15.mandiant.capa.Layout\x12\x34\n\x0e\x66\x65\x61ture_counts\x18\x08 \x01(\x0b\x32\x1c.mandiant.capa.FeatureCounts\x12\x39\n\x11library_functions\x18\t \x03(\x0b\x32\x1e.mandiant.capa.LibraryFunction\"S\n\x0b\x41rchFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"`\n\nAttackSpec\x12\r\n\x05parts\x18\x01 \x03(\t\x12\x0e\n\x06tactic\x18\x02 \x01(\t\x12\x11\n\ttechnique\x18\x03 \x01(\t\x12\x14\n\x0csubtechnique\x18\x04 \x01(\t\x12\n\n\x02id\x18\x05 \x01(\t\"K\n\x11\x42\x61sicBlockFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x02 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\";\n\x10\x42\x61sicBlockLayout\x12\'\n\x07\x61\x64\x64ress\x18\x01 
\x01(\x0b\x32\x16.mandiant.capa.Address\"U\n\x0c\x42ytesFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05\x62ytes\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"g\n\x15\x43haracteristicFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x16\n\x0e\x63haracteristic\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"V\n\x0c\x43lassFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x63lass_\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"K\n\x11\x43ompoundStatement\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x02 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\xc8\x01\n\x0f\x44ynamicAnalysis\x12\x0e\n\x06\x66ormat\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\n\n\x02os\x18\x03 \x01(\t\x12\x11\n\textractor\x18\x04 \x01(\t\x12\r\n\x05rules\x18\x05 \x03(\t\x12,\n\x06layout\x18\x06 \x01(\x0b\x32\x1c.mandiant.capa.DynamicLayout\x12;\n\x0e\x66\x65\x61ture_counts\x18\x07 \x01(\x0b\x32#.mandiant.capa.DynamicFeatureCounts\"[\n\x14\x44ynamicFeatureCounts\x12\x0c\n\x04\x66ile\x18\x01 \x01(\x04\x12\x35\n\tprocesses\x18\x02 \x03(\x0b\x32\".mandiant.capa.ProcessFeatureCount\"@\n\rDynamicLayout\x12/\n\tprocesses\x18\x01 \x03(\x0b\x32\x1c.mandiant.capa.ProcessLayout\"W\n\rExportFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x65xport\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"U\n\rFeatureCounts\x12\x0c\n\x04\x66ile\x18\x01 \x01(\x04\x12\x36\n\tfunctions\x18\x02 \x03(\x0b\x32#.mandiant.capa.FunctionFeatureCount\"\xb9\t\n\x0b\x46\x65\x61tureNode\x12\x0c\n\x04type\x18\x01 \x01(\t\x12&\n\x02os\x18\x02 \x01(\x0b\x32\x18.mandiant.capa.OSFeatureH\x00\x12*\n\x04\x61rch\x18\x03 \x01(\x0b\x32\x1a.mandiant.capa.ArchFeatureH\x00\x12.\n\x06\x66ormat\x18\x04 
\x01(\x0b\x32\x1c.mandiant.capa.FormatFeatureH\x00\x12,\n\x05match\x18\x05 \x01(\x0b\x32\x1b.mandiant.capa.MatchFeatureH\x00\x12>\n\x0e\x63haracteristic\x18\x06 \x01(\x0b\x32$.mandiant.capa.CharacteristicFeatureH\x00\x12.\n\x06\x65xport\x18\x07 \x01(\x0b\x32\x1c.mandiant.capa.ExportFeatureH\x00\x12/\n\x07import_\x18\x08 \x01(\x0b\x32\x1c.mandiant.capa.ImportFeatureH\x00\x12\x30\n\x07section\x18\t \x01(\x0b\x32\x1d.mandiant.capa.SectionFeatureH\x00\x12;\n\rfunction_name\x18\n \x01(\x0b\x32\".mandiant.capa.FunctionNameFeatureH\x00\x12\x34\n\tsubstring\x18\x0b \x01(\x0b\x32\x1f.mandiant.capa.SubstringFeatureH\x00\x12,\n\x05regex\x18\x0c \x01(\x0b\x32\x1b.mandiant.capa.RegexFeatureH\x00\x12.\n\x06string\x18\r \x01(\x0b\x32\x1c.mandiant.capa.StringFeatureH\x00\x12-\n\x06\x63lass_\x18\x0e \x01(\x0b\x32\x1b.mandiant.capa.ClassFeatureH\x00\x12\x34\n\tnamespace\x18\x0f \x01(\x0b\x32\x1f.mandiant.capa.NamespaceFeatureH\x00\x12(\n\x03\x61pi\x18\x10 \x01(\x0b\x32\x19.mandiant.capa.APIFeatureH\x00\x12\x33\n\tproperty_\x18\x11 \x01(\x0b\x32\x1e.mandiant.capa.PropertyFeatureH\x00\x12.\n\x06number\x18\x12 \x01(\x0b\x32\x1c.mandiant.capa.NumberFeatureH\x00\x12,\n\x05\x62ytes\x18\x13 \x01(\x0b\x32\x1b.mandiant.capa.BytesFeatureH\x00\x12.\n\x06offset\x18\x14 \x01(\x0b\x32\x1c.mandiant.capa.OffsetFeatureH\x00\x12\x32\n\x08mnemonic\x18\x15 \x01(\x0b\x32\x1e.mandiant.capa.MnemonicFeatureH\x00\x12=\n\x0eoperand_number\x18\x16 \x01(\x0b\x32#.mandiant.capa.OperandNumberFeatureH\x00\x12=\n\x0eoperand_offset\x18\x17 \x01(\x0b\x32#.mandiant.capa.OperandOffsetFeatureH\x00\x12\x37\n\x0b\x62\x61sic_block\x18\x18 \x01(\x0b\x32 .mandiant.capa.BasicBlockFeatureH\x00\x42\t\n\x07\x66\x65\x61ture\"W\n\rFormatFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06\x66ormat\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"N\n\x14\x46unctionFeatureCount\x12\'\n\x07\x61\x64\x64ress\x18\x01 
\x01(\x0b\x32\x16.mandiant.capa.Address\x12\r\n\x05\x63ount\x18\x02 \x01(\x04\"x\n\x0e\x46unctionLayout\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12=\n\x14matched_basic_blocks\x18\x02 \x03(\x0b\x32\x1f.mandiant.capa.BasicBlockLayout\"d\n\x13\x46unctionNameFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x15\n\rfunction_name\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"X\n\rImportFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0f\n\x07import_\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\":\n\x06Layout\x12\x30\n\tfunctions\x18\x01 \x03(\x0b\x32\x1d.mandiant.capa.FunctionLayout\"H\n\x0fLibraryFunction\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12\x0c\n\x04name\x18\x02 \x01(\t\"Y\n\x07MBCSpec\x12\r\n\x05parts\x18\x01 \x03(\t\x12\x11\n\tobjective\x18\x02 \x01(\t\x12\x10\n\x08\x62\x65havior\x18\x03 \x01(\t\x12\x0e\n\x06method\x18\x04 \x01(\t\x12\n\n\x02id\x18\x05 \x01(\t\"\x9a\x01\n\x0cMaecMetadata\x12\x1b\n\x13\x61nalysis_conclusion\x18\x01 \x01(\t\x12\x1e\n\x16\x61nalysis_conclusion_ov\x18\x02 \x01(\t\x12\x16\n\x0emalware_family\x18\x03 \x01(\t\x12\x18\n\x10malware_category\x18\x04 \x01(\t\x12\x1b\n\x13malware_category_ov\x18\x05 \x01(\t\"\xd6\x02\n\x05Match\x12\x0f\n\x07success\x18\x01 \x01(\x08\x12\x31\n\tstatement\x18\x02 \x01(\x0b\x32\x1c.mandiant.capa.StatementNodeH\x00\x12-\n\x07\x66\x65\x61ture\x18\x03 \x01(\x0b\x32\x1a.mandiant.capa.FeatureNodeH\x00\x12&\n\x08\x63hildren\x18\x05 \x03(\x0b\x32\x14.mandiant.capa.Match\x12)\n\tlocations\x18\x06 \x03(\x0b\x32\x16.mandiant.capa.Address\x12\x34\n\x08\x63\x61ptures\x18\x07 \x03(\x0b\x32\".mandiant.capa.Match.CapturesEntry\x1aI\n\rCapturesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\'\n\x05value\x18\x02 \x01(\x0b\x32\x18.mandiant.capa.Addresses:\x02\x38\x01\x42\x06\n\x04node\"U\n\x0cMatchFeature\x12\x0c\n\x04type\x18\x01 
\x01(\t\x12\r\n\x05match\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\xbc\x02\n\x08Metadata\x12\x11\n\ttimestamp\x18\x01 \x01(\t\x12\x0f\n\x07version\x18\x02 \x01(\t\x12\x0c\n\x04\x61rgv\x18\x03 \x03(\t\x12%\n\x06sample\x18\x04 \x01(\x0b\x32\x15.mandiant.capa.Sample\x12-\n\x08\x61nalysis\x18\x05 \x01(\x0b\x32\x17.mandiant.capa.AnalysisB\x02\x18\x01\x12%\n\x06\x66lavor\x18\x06 \x01(\x0e\x32\x15.mandiant.capa.Flavor\x12\x38\n\x0fstatic_analysis\x18\x07 \x01(\x0b\x32\x1d.mandiant.capa.StaticAnalysisH\x00\x12:\n\x10\x64ynamic_analysis\x18\x08 \x01(\x0b\x32\x1e.mandiant.capa.DynamicAnalysisH\x00\x42\x0b\n\tanalysis2\"[\n\x0fMnemonicFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x10\n\x08mnemonic\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"]\n\x10NamespaceFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"n\n\rNumberFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12%\n\x06number\x18\x02 \x01(\x0b\x32\x15.mandiant.capa.Number\x12\x18\n\x0b\x64\x65scription\x18\x05 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"O\n\tOSFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\n\n\x02os\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"o\n\rOffsetFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12&\n\x06offset\x18\x02 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\x8d\x01\n\x14OperandNumberFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05index\x18\x02 \x01(\r\x12.\n\x0eoperand_number\x18\x03 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12\x18\n\x0b\x64\x65scription\x18\x04 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\x8d\x01\n\x14OperandOffsetFeature\x12\x0c\n\x04type\x18\x01 
\x01(\t\x12\r\n\x05index\x18\x02 \x01(\r\x12.\n\x0eoperand_offset\x18\x03 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12\x18\n\x0b\x64\x65scription\x18\x04 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"M\n\x13ProcessFeatureCount\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12\r\n\x05\x63ount\x18\x02 \x01(\x04\"|\n\rProcessLayout\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12\x34\n\x0fmatched_threads\x18\x02 \x03(\x0b\x32\x1b.mandiant.capa.ThreadLayout\x12\x0c\n\x04name\x18\x03 \x01(\t\"|\n\x0fPropertyFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x11\n\tproperty_\x18\x02 \x01(\t\x12\x13\n\x06\x61\x63\x63\x65ss\x18\x03 \x01(\tH\x00\x88\x01\x01\x12\x18\n\x0b\x64\x65scription\x18\x04 \x01(\tH\x01\x88\x01\x01\x42\t\n\x07_accessB\x0e\n\x0c_description\"\x8d\x01\n\x0eRangeStatement\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0b\n\x03min\x18\x02 \x01(\x04\x12\x0b\n\x03max\x18\x03 \x01(\x04\x12)\n\x05\x63hild\x18\x04 \x01(\x0b\x32\x1a.mandiant.capa.FeatureNode\x12\x18\n\x0b\x64\x65scription\x18\x05 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"U\n\x0cRegexFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05regex\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\xba\x01\n\x0eResultDocument\x12%\n\x04meta\x18\x01 \x01(\x0b\x32\x17.mandiant.capa.Metadata\x12\x37\n\x05rules\x18\x02 \x03(\x0b\x32(.mandiant.capa.ResultDocument.RulesEntry\x1aH\n\nRulesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12)\n\x05value\x18\x02 \x01(\x0b\x32\x1a.mandiant.capa.RuleMatches:\x02\x38\x01\"|\n\x0bRuleMatches\x12)\n\x04meta\x18\x01 \x01(\x0b\x32\x1b.mandiant.capa.RuleMetadata\x12\x0e\n\x06source\x18\x02 \x01(\t\x12\x32\n\x07matches\x18\x03 \x03(\x0b\x32!.mandiant.capa.Pair_Address_Match\"\xed\x02\n\x0cRuleMetadata\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\t\x12\x0f\n\x07\x61uthors\x18\x03 \x03(\t\x12\'\n\x05scope\x18\x04 
\x01(\x0e\x32\x14.mandiant.capa.ScopeB\x02\x18\x01\x12)\n\x06\x61ttack\x18\x05 \x03(\x0b\x32\x19.mandiant.capa.AttackSpec\x12#\n\x03mbc\x18\x06 \x03(\x0b\x32\x16.mandiant.capa.MBCSpec\x12\x12\n\nreferences\x18\x07 \x03(\t\x12\x10\n\x08\x65xamples\x18\x08 \x03(\t\x12\x13\n\x0b\x64\x65scription\x18\t \x01(\t\x12\x0b\n\x03lib\x18\n \x01(\x08\x12)\n\x04maec\x18\x0b \x01(\x0b\x32\x1b.mandiant.capa.MaecMetadata\x12\x18\n\x10is_subscope_rule\x18\x0c \x01(\x08\x12%\n\x06scopes\x18\r \x01(\x0b\x32\x15.mandiant.capa.Scopes\"A\n\x06Sample\x12\x0b\n\x03md5\x18\x01 \x01(\t\x12\x0c\n\x04sha1\x18\x02 \x01(\t\x12\x0e\n\x06sha256\x18\x03 \x01(\t\x12\x0c\n\x04path\x18\x04 \x01(\t\"v\n\x06Scopes\x12)\n\x06static\x18\x01 \x01(\x0e\x32\x14.mandiant.capa.ScopeH\x00\x88\x01\x01\x12*\n\x07\x64ynamic\x18\x02 \x01(\x0e\x32\x14.mandiant.capa.ScopeH\x01\x88\x01\x01\x42\t\n\x07_staticB\n\n\x08_dynamic\"Y\n\x0eSectionFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0f\n\x07section\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"V\n\rSomeStatement\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\r\n\x05\x63ount\x18\x02 \x01(\r\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"\xf4\x01\n\rStatementNode\x12\x0c\n\x04type\x18\x01 \x01(\t\x12.\n\x05range\x18\x02 \x01(\x0b\x32\x1d.mandiant.capa.RangeStatementH\x00\x12,\n\x04some\x18\x03 \x01(\x0b\x32\x1c.mandiant.capa.SomeStatementH\x00\x12\x34\n\x08subscope\x18\x04 \x01(\x0b\x32 .mandiant.capa.SubscopeStatementH\x00\x12\x34\n\x08\x63ompound\x18\x05 \x01(\x0b\x32 .mandiant.capa.CompoundStatementH\x00\x42\x0b\n\tstatement\"\xdb\x02\n\x0eStaticAnalysis\x12\x0e\n\x06\x66ormat\x18\x01 \x01(\t\x12\x0c\n\x04\x61rch\x18\x02 \x01(\t\x12\n\n\x02os\x18\x03 \x01(\t\x12\x11\n\textractor\x18\x04 \x01(\t\x12\r\n\x05rules\x18\x05 \x03(\t\x12,\n\x0c\x62\x61se_address\x18\x06 \x01(\x0b\x32\x16.mandiant.capa.Address\x12+\n\x06layout\x18\x07 
\x01(\x0b\x32\x1b.mandiant.capa.StaticLayout\x12:\n\x0e\x66\x65\x61ture_counts\x18\x08 \x01(\x0b\x32\".mandiant.capa.StaticFeatureCounts\x12\x39\n\x11library_functions\x18\t \x03(\x0b\x32\x1e.mandiant.capa.LibraryFunction\x12\x15\n\rapicall_count\x18\n \x01(\x04\x12\x14\n\x0cimport_count\x18\x0b \x01(\x04\"[\n\x13StaticFeatureCounts\x12\x0c\n\x04\x66ile\x18\x01 \x01(\x04\x12\x36\n\tfunctions\x18\x02 \x03(\x0b\x32#.mandiant.capa.FunctionFeatureCount\"@\n\x0cStaticLayout\x12\x30\n\tfunctions\x18\x01 \x03(\x0b\x32\x1d.mandiant.capa.FunctionLayout\"W\n\rStringFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x0e\n\x06string\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"p\n\x11SubscopeStatement\x12\x0c\n\x04type\x18\x01 \x01(\t\x12#\n\x05scope\x18\x02 \x01(\x0e\x32\x14.mandiant.capa.Scope\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"]\n\x10SubstringFeature\x12\x0c\n\x04type\x18\x01 \x01(\t\x12\x11\n\tsubstring\x18\x02 \x01(\t\x12\x18\n\x0b\x64\x65scription\x18\x03 \x01(\tH\x00\x88\x01\x01\x42\x0e\n\x0c_description\"C\n\nCallLayout\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12\x0c\n\x04name\x18\x02 \x01(\t\"i\n\x0cThreadLayout\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12\x30\n\rmatched_calls\x18\x02 \x03(\x0b\x32\x19.mandiant.capa.CallLayout\"4\n\tAddresses\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x03(\x0b\x32\x16.mandiant.capa.Address\"b\n\x12Pair_Address_Match\x12\'\n\x07\x61\x64\x64ress\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Address\x12#\n\x05match\x18\x02 \x01(\x0b\x32\x14.mandiant.capa.Match\"E\n\x0cToken_Offset\x12%\n\x05token\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12\x0e\n\x06offset\x18\x02 \x01(\x04\"U\n\x08Ppid_Pid\x12$\n\x04ppid\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12#\n\x03pid\x18\x02 \x01(\x0b\x32\x16.mandiant.capa.Integer\"~\n\x0cPpid_Pid_Tid\x12$\n\x04ppid\x18\x01 
\x01(\x0b\x32\x16.mandiant.capa.Integer\x12#\n\x03pid\x18\x02 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12#\n\x03tid\x18\x03 \x01(\x0b\x32\x16.mandiant.capa.Integer\"\xa5\x01\n\x0fPpid_Pid_Tid_Id\x12$\n\x04ppid\x18\x01 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12#\n\x03pid\x18\x02 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12#\n\x03tid\x18\x03 \x01(\x0b\x32\x16.mandiant.capa.Integer\x12\"\n\x02id\x18\x04 \x01(\x0b\x32\x16.mandiant.capa.Integer\",\n\x07Integer\x12\x0b\n\x01u\x18\x01 \x01(\x04H\x00\x12\x0b\n\x01i\x18\x02 \x01(\x12H\x00\x42\x07\n\x05value\"8\n\x06Number\x12\x0b\n\x01u\x18\x01 \x01(\x04H\x00\x12\x0b\n\x01i\x18\x02 \x01(\x12H\x00\x12\x0b\n\x01\x66\x18\x03 \x01(\x01H\x00\x42\x07\n\x05value*\x92\x02\n\x0b\x41\x64\x64ressType\x12\x1b\n\x17\x41\x44\x44RESSTYPE_UNSPECIFIED\x10\x00\x12\x18\n\x14\x41\x44\x44RESSTYPE_ABSOLUTE\x10\x01\x12\x18\n\x14\x41\x44\x44RESSTYPE_RELATIVE\x10\x02\x12\x14\n\x10\x41\x44\x44RESSTYPE_FILE\x10\x03\x12\x18\n\x14\x41\x44\x44RESSTYPE_DN_TOKEN\x10\x04\x12\x1f\n\x1b\x41\x44\x44RESSTYPE_DN_TOKEN_OFFSET\x10\x05\x12\x1a\n\x16\x41\x44\x44RESSTYPE_NO_ADDRESS\x10\x06\x12\x17\n\x13\x41\x44\x44RESSTYPE_PROCESS\x10\x07\x12\x16\n\x12\x41\x44\x44RESSTYPE_THREAD\x10\x08\x12\x14\n\x10\x41\x44\x44RESSTYPE_CALL\x10\t*G\n\x06\x46lavor\x12\x16\n\x12\x46LAVOR_UNSPECIFIED\x10\x00\x12\x11\n\rFLAVOR_STATIC\x10\x01\x12\x12\n\x0e\x46LAVOR_DYNAMIC\x10\x02*\xa5\x01\n\x05Scope\x12\x15\n\x11SCOPE_UNSPECIFIED\x10\x00\x12\x0e\n\nSCOPE_FILE\x10\x01\x12\x12\n\x0eSCOPE_FUNCTION\x10\x02\x12\x15\n\x11SCOPE_BASIC_BLOCK\x10\x03\x12\x15\n\x11SCOPE_INSTRUCTION\x10\x04\x12\x11\n\rSCOPE_PROCESS\x10\x05\x12\x10\n\x0cSCOPE_THREAD\x10\x06\x12\x0e\n\nSCOPE_CALL\x10\x07\x62\x06proto3') - DESCRIPTOR._options = None - _MATCH_CAPTURESENTRY._options = None - _MATCH_CAPTURESENTRY._serialized_options = b'8\001' - _METADATA.fields_by_name['analysis']._options = None - _METADATA.fields_by_name['analysis']._serialized_options = b'\030\001' - _RESULTDOCUMENT_RULESENTRY._options = None - 
_RESULTDOCUMENT_RULESENTRY._serialized_options = b'8\001' - _RULEMETADATA.fields_by_name['scope']._options = None - _RULEMETADATA.fields_by_name['scope']._serialized_options = b'\030\001' - _ADDRESSTYPE._serialized_start=9062 - _ADDRESSTYPE._serialized_end=9336 - _FLAVOR._serialized_start=9338 - _FLAVOR._serialized_end=9409 - _SCOPE._serialized_start=9412 - _SCOPE._serialized_end=9577 - _APIFEATURE._serialized_start=47 - _APIFEATURE._serialized_end=128 - _ADDRESS._serialized_start=131 - _ADDRESS._serialized_end=438 - _ANALYSIS._serialized_start=441 - _ANALYSIS._serialized_end=725 - _ARCHFEATURE._serialized_start=727 - _ARCHFEATURE._serialized_end=810 - _ATTACKSPEC._serialized_start=812 - _ATTACKSPEC._serialized_end=908 - _BASICBLOCKFEATURE._serialized_start=910 - _BASICBLOCKFEATURE._serialized_end=985 - _BASICBLOCKLAYOUT._serialized_start=987 - _BASICBLOCKLAYOUT._serialized_end=1046 - _BYTESFEATURE._serialized_start=1048 - _BYTESFEATURE._serialized_end=1133 - _CHARACTERISTICFEATURE._serialized_start=1135 - _CHARACTERISTICFEATURE._serialized_end=1238 - _CLASSFEATURE._serialized_start=1240 - _CLASSFEATURE._serialized_end=1326 - _COMPOUNDSTATEMENT._serialized_start=1328 - _COMPOUNDSTATEMENT._serialized_end=1403 - _DYNAMICANALYSIS._serialized_start=1406 - _DYNAMICANALYSIS._serialized_end=1606 - _DYNAMICFEATURECOUNTS._serialized_start=1608 - _DYNAMICFEATURECOUNTS._serialized_end=1699 - _DYNAMICLAYOUT._serialized_start=1701 - _DYNAMICLAYOUT._serialized_end=1765 - _EXPORTFEATURE._serialized_start=1767 - _EXPORTFEATURE._serialized_end=1854 - _FEATURECOUNTS._serialized_start=1856 - _FEATURECOUNTS._serialized_end=1941 - _FEATURENODE._serialized_start=1944 - _FEATURENODE._serialized_end=3153 - _FORMATFEATURE._serialized_start=3155 - _FORMATFEATURE._serialized_end=3242 - _FUNCTIONFEATURECOUNT._serialized_start=3244 - _FUNCTIONFEATURECOUNT._serialized_end=3322 - _FUNCTIONLAYOUT._serialized_start=3324 - _FUNCTIONLAYOUT._serialized_end=3444 - 
_FUNCTIONNAMEFEATURE._serialized_start=3446 - _FUNCTIONNAMEFEATURE._serialized_end=3546 - _IMPORTFEATURE._serialized_start=3548 - _IMPORTFEATURE._serialized_end=3636 - _LAYOUT._serialized_start=3638 - _LAYOUT._serialized_end=3696 - _LIBRARYFUNCTION._serialized_start=3698 - _LIBRARYFUNCTION._serialized_end=3770 - _MBCSPEC._serialized_start=3772 - _MBCSPEC._serialized_end=3861 - _MAECMETADATA._serialized_start=3864 - _MAECMETADATA._serialized_end=4018 - _MATCH._serialized_start=4021 - _MATCH._serialized_end=4363 - _MATCH_CAPTURESENTRY._serialized_start=4282 - _MATCH_CAPTURESENTRY._serialized_end=4355 - _MATCHFEATURE._serialized_start=4365 - _MATCHFEATURE._serialized_end=4450 - _METADATA._serialized_start=4453 - _METADATA._serialized_end=4769 - _MNEMONICFEATURE._serialized_start=4771 - _MNEMONICFEATURE._serialized_end=4862 - _NAMESPACEFEATURE._serialized_start=4864 - _NAMESPACEFEATURE._serialized_end=4957 - _NUMBERFEATURE._serialized_start=4959 - _NUMBERFEATURE._serialized_end=5069 - _OSFEATURE._serialized_start=5071 - _OSFEATURE._serialized_end=5150 - _OFFSETFEATURE._serialized_start=5152 - _OFFSETFEATURE._serialized_end=5263 - _OPERANDNUMBERFEATURE._serialized_start=5266 - _OPERANDNUMBERFEATURE._serialized_end=5407 - _OPERANDOFFSETFEATURE._serialized_start=5410 - _OPERANDOFFSETFEATURE._serialized_end=5551 - _PROCESSFEATURECOUNT._serialized_start=5553 - _PROCESSFEATURECOUNT._serialized_end=5630 - _PROCESSLAYOUT._serialized_start=5632 - _PROCESSLAYOUT._serialized_end=5756 - _PROPERTYFEATURE._serialized_start=5758 - _PROPERTYFEATURE._serialized_end=5882 - _RANGESTATEMENT._serialized_start=5885 - _RANGESTATEMENT._serialized_end=6026 - _REGEXFEATURE._serialized_start=6028 - _REGEXFEATURE._serialized_end=6113 - _RESULTDOCUMENT._serialized_start=6116 - _RESULTDOCUMENT._serialized_end=6302 - _RESULTDOCUMENT_RULESENTRY._serialized_start=6230 - _RESULTDOCUMENT_RULESENTRY._serialized_end=6302 - _RULEMATCHES._serialized_start=6304 - _RULEMATCHES._serialized_end=6428 - 
_RULEMETADATA._serialized_start=6431 - _RULEMETADATA._serialized_end=6796 - _SAMPLE._serialized_start=6798 - _SAMPLE._serialized_end=6863 - _SCOPES._serialized_start=6865 - _SCOPES._serialized_end=6983 - _SECTIONFEATURE._serialized_start=6985 - _SECTIONFEATURE._serialized_end=7074 - _SOMESTATEMENT._serialized_start=7076 - _SOMESTATEMENT._serialized_end=7162 - _STATEMENTNODE._serialized_start=7165 - _STATEMENTNODE._serialized_end=7409 - _STATICANALYSIS._serialized_start=7412 - _STATICANALYSIS._serialized_end=7714 - _STATICFEATURECOUNTS._serialized_start=7716 - _STATICFEATURECOUNTS._serialized_end=7807 - _STATICLAYOUT._serialized_start=7809 - _STATICLAYOUT._serialized_end=7873 - _STRINGFEATURE._serialized_start=7875 - _STRINGFEATURE._serialized_end=7962 - _SUBSCOPESTATEMENT._serialized_start=7964 - _SUBSCOPESTATEMENT._serialized_end=8076 - _SUBSTRINGFEATURE._serialized_start=8078 - _SUBSTRINGFEATURE._serialized_end=8171 - _CALLLAYOUT._serialized_start=8173 - _CALLLAYOUT._serialized_end=8240 - _THREADLAYOUT._serialized_start=8242 - _THREADLAYOUT._serialized_end=8347 - _ADDRESSES._serialized_start=8349 - _ADDRESSES._serialized_end=8401 - _PAIR_ADDRESS_MATCH._serialized_start=8403 - _PAIR_ADDRESS_MATCH._serialized_end=8501 - _TOKEN_OFFSET._serialized_start=8503 - _TOKEN_OFFSET._serialized_end=8572 - _PPID_PID._serialized_start=8574 - _PPID_PID._serialized_end=8659 - _PPID_PID_TID._serialized_start=8661 - _PPID_PID_TID._serialized_end=8787 - _PPID_PID_TID_ID._serialized_start=8790 - _PPID_PID_TID_ID._serialized_end=8955 - _INTEGER._serialized_start=8957 - _INTEGER._serialized_end=9001 - _NUMBER._serialized_start=9003 - _NUMBER._serialized_end=9059 +_globals = globals() +_builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals) +_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'capa.render.proto.capa_pb2', _globals) +if not _descriptor._USE_C_DESCRIPTORS: + DESCRIPTOR._loaded_options = None + _globals['_MATCH_CAPTURESENTRY']._loaded_options = None + 
_globals['_MATCH_CAPTURESENTRY']._serialized_options = b'8\001' + _globals['_METADATA'].fields_by_name['analysis']._loaded_options = None + _globals['_METADATA'].fields_by_name['analysis']._serialized_options = b'\030\001' + _globals['_RESULTDOCUMENT_RULESENTRY']._loaded_options = None + _globals['_RESULTDOCUMENT_RULESENTRY']._serialized_options = b'8\001' + _globals['_RULEMETADATA'].fields_by_name['scope']._loaded_options = None + _globals['_RULEMETADATA'].fields_by_name['scope']._serialized_options = b'\030\001' + _globals['_ADDRESSTYPE']._serialized_start=9107 + _globals['_ADDRESSTYPE']._serialized_end=9381 + _globals['_FLAVOR']._serialized_start=9383 + _globals['_FLAVOR']._serialized_end=9454 + _globals['_SCOPE']._serialized_start=9457 + _globals['_SCOPE']._serialized_end=9622 + _globals['_APIFEATURE']._serialized_start=47 + _globals['_APIFEATURE']._serialized_end=128 + _globals['_ADDRESS']._serialized_start=131 + _globals['_ADDRESS']._serialized_end=438 + _globals['_ANALYSIS']._serialized_start=441 + _globals['_ANALYSIS']._serialized_end=725 + _globals['_ARCHFEATURE']._serialized_start=727 + _globals['_ARCHFEATURE']._serialized_end=810 + _globals['_ATTACKSPEC']._serialized_start=812 + _globals['_ATTACKSPEC']._serialized_end=908 + _globals['_BASICBLOCKFEATURE']._serialized_start=910 + _globals['_BASICBLOCKFEATURE']._serialized_end=985 + _globals['_BASICBLOCKLAYOUT']._serialized_start=987 + _globals['_BASICBLOCKLAYOUT']._serialized_end=1046 + _globals['_BYTESFEATURE']._serialized_start=1048 + _globals['_BYTESFEATURE']._serialized_end=1133 + _globals['_CHARACTERISTICFEATURE']._serialized_start=1135 + _globals['_CHARACTERISTICFEATURE']._serialized_end=1238 + _globals['_CLASSFEATURE']._serialized_start=1240 + _globals['_CLASSFEATURE']._serialized_end=1326 + _globals['_COMPOUNDSTATEMENT']._serialized_start=1328 + _globals['_COMPOUNDSTATEMENT']._serialized_end=1403 + _globals['_DYNAMICANALYSIS']._serialized_start=1406 + 
_globals['_DYNAMICANALYSIS']._serialized_end=1606 + _globals['_DYNAMICFEATURECOUNTS']._serialized_start=1608 + _globals['_DYNAMICFEATURECOUNTS']._serialized_end=1699 + _globals['_DYNAMICLAYOUT']._serialized_start=1701 + _globals['_DYNAMICLAYOUT']._serialized_end=1765 + _globals['_EXPORTFEATURE']._serialized_start=1767 + _globals['_EXPORTFEATURE']._serialized_end=1854 + _globals['_FEATURECOUNTS']._serialized_start=1856 + _globals['_FEATURECOUNTS']._serialized_end=1941 + _globals['_FEATURENODE']._serialized_start=1944 + _globals['_FEATURENODE']._serialized_end=3153 + _globals['_FORMATFEATURE']._serialized_start=3155 + _globals['_FORMATFEATURE']._serialized_end=3242 + _globals['_FUNCTIONFEATURECOUNT']._serialized_start=3244 + _globals['_FUNCTIONFEATURECOUNT']._serialized_end=3322 + _globals['_FUNCTIONLAYOUT']._serialized_start=3324 + _globals['_FUNCTIONLAYOUT']._serialized_end=3444 + _globals['_FUNCTIONNAMEFEATURE']._serialized_start=3446 + _globals['_FUNCTIONNAMEFEATURE']._serialized_end=3546 + _globals['_IMPORTFEATURE']._serialized_start=3548 + _globals['_IMPORTFEATURE']._serialized_end=3636 + _globals['_LAYOUT']._serialized_start=3638 + _globals['_LAYOUT']._serialized_end=3696 + _globals['_LIBRARYFUNCTION']._serialized_start=3698 + _globals['_LIBRARYFUNCTION']._serialized_end=3770 + _globals['_MBCSPEC']._serialized_start=3772 + _globals['_MBCSPEC']._serialized_end=3861 + _globals['_MAECMETADATA']._serialized_start=3864 + _globals['_MAECMETADATA']._serialized_end=4018 + _globals['_MATCH']._serialized_start=4021 + _globals['_MATCH']._serialized_end=4363 + _globals['_MATCH_CAPTURESENTRY']._serialized_start=4282 + _globals['_MATCH_CAPTURESENTRY']._serialized_end=4355 + _globals['_MATCHFEATURE']._serialized_start=4365 + _globals['_MATCHFEATURE']._serialized_end=4450 + _globals['_METADATA']._serialized_start=4453 + _globals['_METADATA']._serialized_end=4769 + _globals['_MNEMONICFEATURE']._serialized_start=4771 + _globals['_MNEMONICFEATURE']._serialized_end=4862 + 
_globals['_NAMESPACEFEATURE']._serialized_start=4864 + _globals['_NAMESPACEFEATURE']._serialized_end=4957 + _globals['_NUMBERFEATURE']._serialized_start=4959 + _globals['_NUMBERFEATURE']._serialized_end=5069 + _globals['_OSFEATURE']._serialized_start=5071 + _globals['_OSFEATURE']._serialized_end=5150 + _globals['_OFFSETFEATURE']._serialized_start=5152 + _globals['_OFFSETFEATURE']._serialized_end=5263 + _globals['_OPERANDNUMBERFEATURE']._serialized_start=5266 + _globals['_OPERANDNUMBERFEATURE']._serialized_end=5407 + _globals['_OPERANDOFFSETFEATURE']._serialized_start=5410 + _globals['_OPERANDOFFSETFEATURE']._serialized_end=5551 + _globals['_PROCESSFEATURECOUNT']._serialized_start=5553 + _globals['_PROCESSFEATURECOUNT']._serialized_end=5630 + _globals['_PROCESSLAYOUT']._serialized_start=5632 + _globals['_PROCESSLAYOUT']._serialized_end=5756 + _globals['_PROPERTYFEATURE']._serialized_start=5758 + _globals['_PROPERTYFEATURE']._serialized_end=5882 + _globals['_RANGESTATEMENT']._serialized_start=5885 + _globals['_RANGESTATEMENT']._serialized_end=6026 + _globals['_REGEXFEATURE']._serialized_start=6028 + _globals['_REGEXFEATURE']._serialized_end=6113 + _globals['_RESULTDOCUMENT']._serialized_start=6116 + _globals['_RESULTDOCUMENT']._serialized_end=6302 + _globals['_RESULTDOCUMENT_RULESENTRY']._serialized_start=6230 + _globals['_RESULTDOCUMENT_RULESENTRY']._serialized_end=6302 + _globals['_RULEMATCHES']._serialized_start=6304 + _globals['_RULEMATCHES']._serialized_end=6428 + _globals['_RULEMETADATA']._serialized_start=6431 + _globals['_RULEMETADATA']._serialized_end=6796 + _globals['_SAMPLE']._serialized_start=6798 + _globals['_SAMPLE']._serialized_end=6863 + _globals['_SCOPES']._serialized_start=6865 + _globals['_SCOPES']._serialized_end=6983 + _globals['_SECTIONFEATURE']._serialized_start=6985 + _globals['_SECTIONFEATURE']._serialized_end=7074 + _globals['_SOMESTATEMENT']._serialized_start=7076 + _globals['_SOMESTATEMENT']._serialized_end=7162 + 
_globals['_STATEMENTNODE']._serialized_start=7165 + _globals['_STATEMENTNODE']._serialized_end=7409 + _globals['_STATICANALYSIS']._serialized_start=7412 + _globals['_STATICANALYSIS']._serialized_end=7759 + _globals['_STATICFEATURECOUNTS']._serialized_start=7761 + _globals['_STATICFEATURECOUNTS']._serialized_end=7852 + _globals['_STATICLAYOUT']._serialized_start=7854 + _globals['_STATICLAYOUT']._serialized_end=7918 + _globals['_STRINGFEATURE']._serialized_start=7920 + _globals['_STRINGFEATURE']._serialized_end=8007 + _globals['_SUBSCOPESTATEMENT']._serialized_start=8009 + _globals['_SUBSCOPESTATEMENT']._serialized_end=8121 + _globals['_SUBSTRINGFEATURE']._serialized_start=8123 + _globals['_SUBSTRINGFEATURE']._serialized_end=8216 + _globals['_CALLLAYOUT']._serialized_start=8218 + _globals['_CALLLAYOUT']._serialized_end=8285 + _globals['_THREADLAYOUT']._serialized_start=8287 + _globals['_THREADLAYOUT']._serialized_end=8392 + _globals['_ADDRESSES']._serialized_start=8394 + _globals['_ADDRESSES']._serialized_end=8446 + _globals['_PAIR_ADDRESS_MATCH']._serialized_start=8448 + _globals['_PAIR_ADDRESS_MATCH']._serialized_end=8546 + _globals['_TOKEN_OFFSET']._serialized_start=8548 + _globals['_TOKEN_OFFSET']._serialized_end=8617 + _globals['_PPID_PID']._serialized_start=8619 + _globals['_PPID_PID']._serialized_end=8704 + _globals['_PPID_PID_TID']._serialized_start=8706 + _globals['_PPID_PID_TID']._serialized_end=8832 + _globals['_PPID_PID_TID_ID']._serialized_start=8835 + _globals['_PPID_PID_TID_ID']._serialized_end=9000 + _globals['_INTEGER']._serialized_start=9002 + _globals['_INTEGER']._serialized_end=9046 + _globals['_NUMBER']._serialized_start=9048 + _globals['_NUMBER']._serialized_end=9104 # @@protoc_insertion_point(module_scope) diff --git a/capa/render/proto/capa_pb2.pyi b/capa/render/proto/capa_pb2.pyi index ecb330bc6..661eb3d00 100644 --- a/capa/render/proto/capa_pb2.pyi +++ b/capa/render/proto/capa_pb2.pyi 
@@ -2,6 +2,7 @@ @generated by mypy-protobuf. Do not edit manually! isort:skip_file """ + import builtins import collections.abc import google.protobuf.descriptor @@ -93,7 +94,7 @@ SCOPE_THREAD: Scope.ValueType # 6 SCOPE_CALL: Scope.ValueType # 7 global___Scope = Scope -@typing_extensions.final +@typing.final class APIFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -110,13 +111,13 @@ class APIFeature(google.protobuf.message.Message): api: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "api", b"api", "description", b"description", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "api", b"api", "description", b"description", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___APIFeature = APIFeature -@typing_extensions.final +@typing.final class Address(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -147,13 +148,13 @@ class Address(google.protobuf.message.Message): ppid_pid_tid: global___Ppid_Pid_Tid | None = ..., ppid_pid_tid_id: global___Ppid_Pid_Tid_Id | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["ppid_pid", b"ppid_pid", "ppid_pid_tid", b"ppid_pid_tid", "ppid_pid_tid_id", b"ppid_pid_tid_id", "token_offset", b"token_offset", "v", b"v", "value", b"value"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["ppid_pid", b"ppid_pid", "ppid_pid_tid", b"ppid_pid_tid", "ppid_pid_tid_id", b"ppid_pid_tid_id", "token_offset", b"token_offset", "type", b"type", "v", b"v", "value", b"value"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["value", b"value"]) -> typing_extensions.Literal["v", "token_offset", "ppid_pid", "ppid_pid_tid", "ppid_pid_tid_id"] | None: ... + def HasField(self, field_name: typing.Literal["ppid_pid", b"ppid_pid", "ppid_pid_tid", b"ppid_pid_tid", "ppid_pid_tid_id", b"ppid_pid_tid_id", "token_offset", b"token_offset", "v", b"v", "value", b"value"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["ppid_pid", b"ppid_pid", "ppid_pid_tid", b"ppid_pid_tid", "ppid_pid_tid_id", b"ppid_pid_tid_id", "token_offset", b"token_offset", "type", b"type", "v", b"v", "value", b"value"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["value", b"value"]) -> typing.Literal["v", "token_offset", "ppid_pid", "ppid_pid_tid", "ppid_pid_tid_id"] | None: ... global___Address = Address -@typing_extensions.final +@typing.final class Analysis(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -193,12 +194,12 @@ class Analysis(google.protobuf.message.Message): feature_counts: global___FeatureCounts | None = ..., library_functions: collections.abc.Iterable[global___LibraryFunction] | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["base_address", b"base_address", "feature_counts", b"feature_counts", "layout", b"layout"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["arch", b"arch", "base_address", b"base_address", "extractor", b"extractor", "feature_counts", b"feature_counts", "format", b"format", "layout", b"layout", "library_functions", b"library_functions", "os", b"os", "rules", b"rules"]) -> None: ... + def HasField(self, field_name: typing.Literal["base_address", b"base_address", "feature_counts", b"feature_counts", "layout", b"layout"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["arch", b"arch", "base_address", b"base_address", "extractor", b"extractor", "feature_counts", b"feature_counts", "format", b"format", "layout", b"layout", "library_functions", b"library_functions", "os", b"os", "rules", b"rules"]) -> None: ... global___Analysis = Analysis -@typing_extensions.final +@typing.final class ArchFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -215,13 +216,13 @@ class ArchFeature(google.protobuf.message.Message): arch: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "arch", b"arch", "description", b"description", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "arch", b"arch", "description", b"description", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___ArchFeature = ArchFeature -@typing_extensions.final +@typing.final class AttackSpec(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -230,12 +231,12 @@ class AttackSpec(google.protobuf.message.Message): TECHNIQUE_FIELD_NUMBER: builtins.int SUBTECHNIQUE_FIELD_NUMBER: builtins.int ID_FIELD_NUMBER: builtins.int - @property - def parts(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.str]: ... tactic: builtins.str technique: builtins.str subtechnique: builtins.str id: builtins.str + @property + def parts(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.str]: ... def __init__( self, *, 
@@ -245,11 +246,11 @@ class AttackSpec(google.protobuf.message.Message): subtechnique: builtins.str = ..., id: builtins.str = ..., ) -> None: ... - def ClearField(self, field_name: typing_extensions.Literal["id", b"id", "parts", b"parts", "subtechnique", b"subtechnique", "tactic", b"tactic", "technique", b"technique"]) -> None: ... + def ClearField(self, field_name: typing.Literal["id", b"id", "parts", b"parts", "subtechnique", b"subtechnique", "tactic", b"tactic", "technique", b"technique"]) -> None: ... global___AttackSpec = AttackSpec -@typing_extensions.final +@typing.final class BasicBlockFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -263,13 +264,13 @@ class BasicBlockFeature(google.protobuf.message.Message): type: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___BasicBlockFeature = BasicBlockFeature -@typing_extensions.final +@typing.final class BasicBlockLayout(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -281,12 +282,12 @@ class BasicBlockLayout(google.protobuf.message.Message): *, address: global___Address | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["address", b"address"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["address", b"address"]) -> None: ... + def HasField(self, field_name: typing.Literal["address", b"address"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["address", b"address"]) -> None: ... global___BasicBlockLayout = BasicBlockLayout -@typing_extensions.final +@typing.final class BytesFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -303,13 +304,13 @@ class BytesFeature(google.protobuf.message.Message): bytes: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "bytes", b"bytes", "description", b"description", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "bytes", b"bytes", "description", b"description", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___BytesFeature = BytesFeature -@typing_extensions.final +@typing.final class CharacteristicFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -326,13 +327,13 @@ class CharacteristicFeature(google.protobuf.message.Message): characteristic: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "characteristic", b"characteristic", "description", b"description", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "characteristic", b"characteristic", "description", b"description", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___CharacteristicFeature = CharacteristicFeature -@typing_extensions.final +@typing.final class ClassFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -350,13 +351,13 @@ class ClassFeature(google.protobuf.message.Message): class_: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "class_", b"class_", "description", b"description", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "class_", b"class_", "description", b"description", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___ClassFeature = ClassFeature -@typing_extensions.final +@typing.final class CompoundStatement(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -370,13 +371,13 @@ class CompoundStatement(google.protobuf.message.Message): type: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___CompoundStatement = CompoundStatement -@typing_extensions.final +@typing.final class DynamicAnalysis(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -408,12 +409,12 @@ class DynamicAnalysis(google.protobuf.message.Message): layout: global___DynamicLayout | None = ..., feature_counts: global___DynamicFeatureCounts | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["feature_counts", b"feature_counts", "layout", b"layout"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["arch", b"arch", "extractor", b"extractor", "feature_counts", b"feature_counts", "format", b"format", "layout", b"layout", "os", b"os", "rules", b"rules"]) -> None: ... + def HasField(self, field_name: typing.Literal["feature_counts", b"feature_counts", "layout", b"layout"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["arch", b"arch", "extractor", b"extractor", "feature_counts", b"feature_counts", "format", b"format", "layout", b"layout", "os", b"os", "rules", b"rules"]) -> None: ... global___DynamicAnalysis = DynamicAnalysis -@typing_extensions.final +@typing.final class DynamicFeatureCounts(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -428,11 +429,11 @@ class DynamicFeatureCounts(google.protobuf.message.Message): file: builtins.int = ..., processes: collections.abc.Iterable[global___ProcessFeatureCount] | None = ..., ) -> None: ... - def ClearField(self, field_name: typing_extensions.Literal["file", b"file", "processes", b"processes"]) -> None: ... + def ClearField(self, field_name: typing.Literal["file", b"file", "processes", b"processes"]) -> None: ... global___DynamicFeatureCounts = DynamicFeatureCounts -@typing_extensions.final +@typing.final class DynamicLayout(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -444,11 +445,11 @@ class DynamicLayout(google.protobuf.message.Message): *, processes: collections.abc.Iterable[global___ProcessLayout] | None = ..., ) -> None: ... - def ClearField(self, field_name: typing_extensions.Literal["processes", b"processes"]) -> None: ... + def ClearField(self, field_name: typing.Literal["processes", b"processes"]) -> None: ... global___DynamicLayout = DynamicLayout -@typing_extensions.final +@typing.final class ExportFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -465,13 +466,13 @@ class ExportFeature(google.protobuf.message.Message): export: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "export", b"export", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "export", b"export", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___ExportFeature = ExportFeature -@typing_extensions.final +@typing.final class FeatureCounts(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -486,11 +487,11 @@ class FeatureCounts(google.protobuf.message.Message): file: builtins.int = ..., functions: collections.abc.Iterable[global___FunctionFeatureCount] | None = ..., ) -> None: ... - def ClearField(self, field_name: typing_extensions.Literal["file", b"file", "functions", b"functions"]) -> None: ... + def ClearField(self, field_name: typing.Literal["file", b"file", "functions", b"functions"]) -> None: ... global___FeatureCounts = FeatureCounts -@typing_extensions.final +@typing.final class FeatureNode(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -534,6 +535,7 @@ class FeatureNode(google.protobuf.message.Message): @property def import_(self) -> global___ImportFeature: """import is Python keyword""" + @property def section(self) -> global___SectionFeature: ... @property @@ -553,6 +555,7 @@ class FeatureNode(google.protobuf.message.Message): @property def property_(self) -> global___PropertyFeature: """property is a Python top-level decorator name""" + @property def number(self) -> global___NumberFeature: ... @property 
@@ -595,13 +598,13 @@ class FeatureNode(google.protobuf.message.Message): operand_offset: global___OperandOffsetFeature | None = ..., basic_block: global___BasicBlockFeature | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["api", b"api", "arch", b"arch", "basic_block", b"basic_block", "bytes", b"bytes", "characteristic", b"characteristic", "class_", b"class_", "export", b"export", "feature", b"feature", "format", b"format", "function_name", b"function_name", "import_", b"import_", "match", b"match", "mnemonic", b"mnemonic", "namespace", b"namespace", "number", b"number", "offset", b"offset", "operand_number", b"operand_number", "operand_offset", b"operand_offset", "os", b"os", "property_", b"property_", "regex", b"regex", "section", b"section", "string", b"string", "substring", b"substring"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["api", b"api", "arch", b"arch", "basic_block", b"basic_block", "bytes", b"bytes", "characteristic", b"characteristic", "class_", b"class_", "export", b"export", "feature", b"feature", "format", b"format", "function_name", b"function_name", "import_", b"import_", "match", b"match", "mnemonic", b"mnemonic", "namespace", b"namespace", "number", b"number", "offset", b"offset", "operand_number", b"operand_number", "operand_offset", b"operand_offset", "os", b"os", "property_", b"property_", "regex", b"regex", "section", b"section", "string", b"string", "substring", b"substring", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["feature", b"feature"]) -> typing_extensions.Literal["os", "arch", "format", "match", "characteristic", "export", "import_", "section", "function_name", "substring", "regex", "string", "class_", "namespace", "api", "property_", "number", "bytes", "offset", "mnemonic", "operand_number", "operand_offset", "basic_block"] | None: ... 
+ def HasField(self, field_name: typing.Literal["api", b"api", "arch", b"arch", "basic_block", b"basic_block", "bytes", b"bytes", "characteristic", b"characteristic", "class_", b"class_", "export", b"export", "feature", b"feature", "format", b"format", "function_name", b"function_name", "import_", b"import_", "match", b"match", "mnemonic", b"mnemonic", "namespace", b"namespace", "number", b"number", "offset", b"offset", "operand_number", b"operand_number", "operand_offset", b"operand_offset", "os", b"os", "property_", b"property_", "regex", b"regex", "section", b"section", "string", b"string", "substring", b"substring"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["api", b"api", "arch", b"arch", "basic_block", b"basic_block", "bytes", b"bytes", "characteristic", b"characteristic", "class_", b"class_", "export", b"export", "feature", b"feature", "format", b"format", "function_name", b"function_name", "import_", b"import_", "match", b"match", "mnemonic", b"mnemonic", "namespace", b"namespace", "number", b"number", "offset", b"offset", "operand_number", b"operand_number", "operand_offset", b"operand_offset", "os", b"os", "property_", b"property_", "regex", b"regex", "section", b"section", "string", b"string", "substring", b"substring", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["feature", b"feature"]) -> typing.Literal["os", "arch", "format", "match", "characteristic", "export", "import_", "section", "function_name", "substring", "regex", "string", "class_", "namespace", "api", "property_", "number", "bytes", "offset", "mnemonic", "operand_number", "operand_offset", "basic_block"] | None: ... global___FeatureNode = FeatureNode -@typing_extensions.final +@typing.final class FormatFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -618,33 +621,33 @@ class FormatFeature(google.protobuf.message.Message): format: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "format", b"format", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "format", b"format", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___FormatFeature = FormatFeature -@typing_extensions.final +@typing.final class FunctionFeatureCount(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor ADDRESS_FIELD_NUMBER: builtins.int COUNT_FIELD_NUMBER: builtins.int + count: builtins.int @property def address(self) -> global___Address: ... - count: builtins.int def __init__( self, *, address: global___Address | None = ..., count: builtins.int = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["address", b"address"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["address", b"address", "count", b"count"]) -> None: ... + def HasField(self, field_name: typing.Literal["address", b"address"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["address", b"address", "count", b"count"]) -> None: ... 
global___FunctionFeatureCount = FunctionFeatureCount -@typing_extensions.final +@typing.final class FunctionLayout(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -660,12 +663,12 @@ class FunctionLayout(google.protobuf.message.Message): address: global___Address | None = ..., matched_basic_blocks: collections.abc.Iterable[global___BasicBlockLayout] | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["address", b"address"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["address", b"address", "matched_basic_blocks", b"matched_basic_blocks"]) -> None: ... + def HasField(self, field_name: typing.Literal["address", b"address"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["address", b"address", "matched_basic_blocks", b"matched_basic_blocks"]) -> None: ... global___FunctionLayout = FunctionLayout -@typing_extensions.final +@typing.final class FunctionNameFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -682,13 +685,13 @@ class FunctionNameFeature(google.protobuf.message.Message): function_name: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "function_name", b"function_name", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "function_name", b"function_name", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___FunctionNameFeature = FunctionNameFeature -@typing_extensions.final +@typing.final class ImportFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -705,13 +708,13 @@ class ImportFeature(google.protobuf.message.Message): import_: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "import_", b"import_", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "import_", b"import_", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___ImportFeature = ImportFeature -@typing_extensions.final +@typing.final class Layout(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -723,31 +726,31 @@ class Layout(google.protobuf.message.Message): *, functions: collections.abc.Iterable[global___FunctionLayout] | None = ..., ) -> None: ... - def ClearField(self, field_name: typing_extensions.Literal["functions", b"functions"]) -> None: ... + def ClearField(self, field_name: typing.Literal["functions", b"functions"]) -> None: ... global___Layout = Layout -@typing_extensions.final +@typing.final class LibraryFunction(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor ADDRESS_FIELD_NUMBER: builtins.int NAME_FIELD_NUMBER: builtins.int + name: builtins.str @property def address(self) -> global___Address: ... - name: builtins.str def __init__( self, *, address: global___Address | None = ..., name: builtins.str = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["address", b"address"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["address", b"address", "name", b"name"]) -> None: ... + def HasField(self, field_name: typing.Literal["address", b"address"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["address", b"address", "name", b"name"]) -> None: ... global___LibraryFunction = LibraryFunction -@typing_extensions.final +@typing.final class MBCSpec(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -756,12 +759,12 @@ class MBCSpec(google.protobuf.message.Message): BEHAVIOR_FIELD_NUMBER: builtins.int METHOD_FIELD_NUMBER: builtins.int ID_FIELD_NUMBER: builtins.int - @property - def parts(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.str]: ... objective: builtins.str behavior: builtins.str method: builtins.str id: builtins.str + @property + def parts(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.str]: ... def __init__( self, *, 
@@ -771,11 +774,11 @@ class MBCSpec(google.protobuf.message.Message): method: builtins.str = ..., id: builtins.str = ..., ) -> None: ... - def ClearField(self, field_name: typing_extensions.Literal["behavior", b"behavior", "id", b"id", "method", b"method", "objective", b"objective", "parts", b"parts"]) -> None: ... + def ClearField(self, field_name: typing.Literal["behavior", b"behavior", "id", b"id", "method", b"method", "objective", b"objective", "parts", b"parts"]) -> None: ... global___MBCSpec = MBCSpec -@typing_extensions.final +@typing.final class MaecMetadata(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -798,15 +801,15 @@ class MaecMetadata(google.protobuf.message.Message): malware_category: builtins.str = ..., malware_category_ov: builtins.str = ..., ) -> None: ... - def ClearField(self, field_name: typing_extensions.Literal["analysis_conclusion", b"analysis_conclusion", "analysis_conclusion_ov", b"analysis_conclusion_ov", "malware_category", b"malware_category", "malware_category_ov", b"malware_category_ov", "malware_family", b"malware_family"]) -> None: ... + def ClearField(self, field_name: typing.Literal["analysis_conclusion", b"analysis_conclusion", "analysis_conclusion_ov", b"analysis_conclusion_ov", "malware_category", b"malware_category", "malware_category_ov", b"malware_category_ov", "malware_family", b"malware_family"]) -> None: ... global___MaecMetadata = MaecMetadata -@typing_extensions.final +@typing.final class Match(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor - @typing_extensions.final + @typing.final class CapturesEntry(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -821,8 +824,8 @@ class Match(google.protobuf.message.Message): key: builtins.str = ..., value: global___Addresses | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["value", b"value"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["key", b"key", "value", b"value"]) -> None: ... + def HasField(self, field_name: typing.Literal["value", b"value"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["key", b"key", "value", b"value"]) -> None: ... SUCCESS_FIELD_NUMBER: builtins.int STATEMENT_FIELD_NUMBER: builtins.int 
@@ -851,13 +854,13 @@ class Match(google.protobuf.message.Message): locations: collections.abc.Iterable[global___Address] | None = ..., captures: collections.abc.Mapping[builtins.str, global___Addresses] | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["feature", b"feature", "node", b"node", "statement", b"statement"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["captures", b"captures", "children", b"children", "feature", b"feature", "locations", b"locations", "node", b"node", "statement", b"statement", "success", b"success"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["node", b"node"]) -> typing_extensions.Literal["statement", "feature"] | None: ... + def HasField(self, field_name: typing.Literal["feature", b"feature", "node", b"node", "statement", b"statement"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["captures", b"captures", "children", b"children", "feature", b"feature", "locations", b"locations", "node", b"node", "statement", b"statement", "success", b"success"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["node", b"node"]) -> typing.Literal["statement", "feature"] | None: ... global___Match = Match -@typing_extensions.final +@typing.final class MatchFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -874,13 +877,13 @@ class MatchFeature(google.protobuf.message.Message): match: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "match", b"match", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "match", b"match", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___MatchFeature = MatchFeature -@typing_extensions.final +@typing.final class Metadata(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -895,6 +898,7 @@ class Metadata(google.protobuf.message.Message): timestamp: builtins.str """iso8601 format, like: 2019-01-01T00:00:00Z""" version: builtins.str + flavor: global___Flavor.ValueType @property def argv(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.str]: ... @property @@ -904,10 +908,11 @@ class Metadata(google.protobuf.message.Message): """deprecated in v7.0. use analysis2 instead. """ - flavor: global___Flavor.ValueType + @property def static_analysis(self) -> global___StaticAnalysis: """use analysis2 instead of analysis (deprecated in v7.0).""" + @property def dynamic_analysis(self) -> global___DynamicAnalysis: ... def __init__( 
@@ -922,13 +927,13 @@ class Metadata(google.protobuf.message.Message): static_analysis: global___StaticAnalysis | None = ..., dynamic_analysis: global___DynamicAnalysis | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["analysis", b"analysis", "analysis2", b"analysis2", "dynamic_analysis", b"dynamic_analysis", "sample", b"sample", "static_analysis", b"static_analysis"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["analysis", b"analysis", "analysis2", b"analysis2", "argv", b"argv", "dynamic_analysis", b"dynamic_analysis", "flavor", b"flavor", "sample", b"sample", "static_analysis", b"static_analysis", "timestamp", b"timestamp", "version", b"version"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["analysis2", b"analysis2"]) -> typing_extensions.Literal["static_analysis", "dynamic_analysis"] | None: ... + def HasField(self, field_name: typing.Literal["analysis", b"analysis", "analysis2", b"analysis2", "dynamic_analysis", b"dynamic_analysis", "sample", b"sample", "static_analysis", b"static_analysis"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["analysis", b"analysis", "analysis2", b"analysis2", "argv", b"argv", "dynamic_analysis", b"dynamic_analysis", "flavor", b"flavor", "sample", b"sample", "static_analysis", b"static_analysis", "timestamp", b"timestamp", "version", b"version"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["analysis2", b"analysis2"]) -> typing.Literal["static_analysis", "dynamic_analysis"] | None: ... global___Metadata = Metadata -@typing_extensions.final +@typing.final class MnemonicFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -945,13 +950,13 @@ class MnemonicFeature(google.protobuf.message.Message): mnemonic: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "mnemonic", b"mnemonic", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "mnemonic", b"mnemonic", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___MnemonicFeature = MnemonicFeature -@typing_extensions.final +@typing.final class NamespaceFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -968,13 +973,13 @@ class NamespaceFeature(google.protobuf.message.Message): namespace: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "namespace", b"namespace", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "namespace", b"namespace", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___NamespaceFeature = NamespaceFeature -@typing_extensions.final +@typing.final class NumberFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -982,10 +987,11 @@ class NumberFeature(google.protobuf.message.Message): NUMBER_FIELD_NUMBER: builtins.int DESCRIPTION_FIELD_NUMBER: builtins.int type: builtins.str + description: builtins.str @property def number(self) -> global___Number: """this can be positive (range: u64), negative (range: i64), or a double.""" - description: builtins.str + def __init__( self, *, 
@@ -993,13 +999,13 @@ class NumberFeature(google.protobuf.message.Message): number: global___Number | None = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "number", b"number"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "number", b"number", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "number", b"number"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "number", b"number", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___NumberFeature = NumberFeature -@typing_extensions.final +@typing.final class OSFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1016,13 +1022,13 @@ class OSFeature(google.protobuf.message.Message): os: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "os", b"os", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "os", b"os", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___OSFeature = OSFeature -@typing_extensions.final +@typing.final class OffsetFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -1030,10 +1036,11 @@ class OffsetFeature(google.protobuf.message.Message): OFFSET_FIELD_NUMBER: builtins.int DESCRIPTION_FIELD_NUMBER: builtins.int type: builtins.str + description: builtins.str @property def offset(self) -> global___Integer: """offset can be negative""" - description: builtins.str + def __init__( self, *, 
@@ -1041,13 +1048,13 @@ class OffsetFeature(google.protobuf.message.Message): offset: global___Integer | None = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "offset", b"offset"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "offset", b"offset", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "offset", b"offset"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "offset", b"offset", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___OffsetFeature = OffsetFeature -@typing_extensions.final +@typing.final class OperandNumberFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -1057,10 +1064,11 @@ class OperandNumberFeature(google.protobuf.message.Message): DESCRIPTION_FIELD_NUMBER: builtins.int type: builtins.str index: builtins.int + description: builtins.str @property def operand_number(self) -> global___Integer: """this can be positive (range: u64), negative (range: i64), or a double.""" - description: builtins.str + def __init__( self, *, 
@@ -1069,13 +1077,13 @@ class OperandNumberFeature(google.protobuf.message.Message): operand_number: global___Integer | None = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "operand_number", b"operand_number"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "index", b"index", "operand_number", b"operand_number", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "operand_number", b"operand_number"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "index", b"index", "operand_number", b"operand_number", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___OperandNumberFeature = OperandNumberFeature -@typing_extensions.final +@typing.final class OperandOffsetFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -1085,9 +1093,9 @@ class OperandOffsetFeature(google.protobuf.message.Message): DESCRIPTION_FIELD_NUMBER: builtins.int type: builtins.str index: builtins.int + description: builtins.str @property def operand_offset(self) -> global___Integer: ... - description: builtins.str def __init__( self, *, 
@@ -1096,44 +1104,44 @@ class OperandOffsetFeature(google.protobuf.message.Message): operand_offset: global___Integer | None = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "operand_offset", b"operand_offset"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "index", b"index", "operand_offset", b"operand_offset", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "operand_offset", b"operand_offset"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "index", b"index", "operand_offset", b"operand_offset", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___OperandOffsetFeature = OperandOffsetFeature -@typing_extensions.final +@typing.final class ProcessFeatureCount(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor ADDRESS_FIELD_NUMBER: builtins.int COUNT_FIELD_NUMBER: builtins.int + count: builtins.int @property def address(self) -> global___Address: ... - count: builtins.int def __init__( self, *, address: global___Address | None = ..., count: builtins.int = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["address", b"address"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["address", b"address", "count", b"count"]) -> None: ... 
+ def HasField(self, field_name: typing.Literal["address", b"address"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["address", b"address", "count", b"count"]) -> None: ... global___ProcessFeatureCount = ProcessFeatureCount -@typing_extensions.final +@typing.final class ProcessLayout(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor ADDRESS_FIELD_NUMBER: builtins.int MATCHED_THREADS_FIELD_NUMBER: builtins.int NAME_FIELD_NUMBER: builtins.int + name: builtins.str @property def address(self) -> global___Address: ... @property def matched_threads(self) -> google.protobuf.internal.containers.RepeatedCompositeFieldContainer[global___ThreadLayout]: ... - name: builtins.str def __init__( self, *, @@ -1141,12 +1149,12 @@ class ProcessLayout(google.protobuf.message.Message): matched_threads: collections.abc.Iterable[global___ThreadLayout] | None = ..., name: builtins.str = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["address", b"address"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["address", b"address", "matched_threads", b"matched_threads", "name", b"name"]) -> None: ... + def HasField(self, field_name: typing.Literal["address", b"address"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["address", b"address", "matched_threads", b"matched_threads", "name", b"name"]) -> None: ... global___ProcessLayout = ProcessLayout -@typing_extensions.final +@typing.final class PropertyFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1167,16 +1175,16 @@ class PropertyFeature(google.protobuf.message.Message): access: builtins.str | None = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_access", b"_access", "_description", b"_description", "access", b"access", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_access", b"_access", "_description", b"_description", "access", b"access", "description", b"description", "property_", b"property_", "type", b"type"]) -> None: ... + def HasField(self, field_name: typing.Literal["_access", b"_access", "_description", b"_description", "access", b"access", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_access", b"_access", "_description", b"_description", "access", b"access", "description", b"description", "property_", b"property_", "type", b"type"]) -> None: ... @typing.overload - def WhichOneof(self, oneof_group: typing_extensions.Literal["_access", b"_access"]) -> typing_extensions.Literal["access"] | None: ... + def WhichOneof(self, oneof_group: typing.Literal["_access", b"_access"]) -> typing.Literal["access"] | None: ... @typing.overload - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___PropertyFeature = PropertyFeature -@typing_extensions.final +@typing.final class RangeStatement(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1188,10 +1196,11 @@ class RangeStatement(google.protobuf.message.Message): type: builtins.str min: builtins.int max: builtins.int + description: builtins.str @property def child(self) -> global___FeatureNode: """reusing FeatureNode here to avoid duplication and list all features OSFeature, ArchFeature, ... again.""" - description: builtins.str + def __init__( self, *, @@ -1201,13 +1210,13 @@ class RangeStatement(google.protobuf.message.Message): child: global___FeatureNode | None = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "child", b"child", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "child", b"child", "description", b"description", "max", b"max", "min", b"min", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "child", b"child", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "child", b"child", "description", b"description", "max", b"max", "min", b"min", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___RangeStatement = RangeStatement -@typing_extensions.final +@typing.final class RegexFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1224,17 +1233,17 @@ class RegexFeature(google.protobuf.message.Message): regex: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "regex", b"regex", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "regex", b"regex", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___RegexFeature = RegexFeature -@typing_extensions.final +@typing.final class ResultDocument(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor - @typing_extensions.final + @typing.final class RulesEntry(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1249,8 +1258,8 @@ class ResultDocument(google.protobuf.message.Message): key: builtins.str = ..., value: global___RuleMatches | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["value", b"value"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["key", b"key", "value", b"value"]) -> None: ... + def HasField(self, field_name: typing.Literal["value", b"value"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["key", b"key", "value", b"value"]) -> None: ... META_FIELD_NUMBER: builtins.int RULES_FIELD_NUMBER: builtins.int @@ -1264,21 +1273,21 @@ class ResultDocument(google.protobuf.message.Message): meta: global___Metadata | None = ..., rules: collections.abc.Mapping[builtins.str, global___RuleMatches] | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["meta", b"meta"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["meta", b"meta", "rules", b"rules"]) -> None: ... + def HasField(self, field_name: typing.Literal["meta", b"meta"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["meta", b"meta", "rules", b"rules"]) -> None: ... global___ResultDocument = ResultDocument -@typing_extensions.final +@typing.final class RuleMatches(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor META_FIELD_NUMBER: builtins.int SOURCE_FIELD_NUMBER: builtins.int MATCHES_FIELD_NUMBER: builtins.int + source: builtins.str @property def meta(self) -> global___RuleMetadata: ... - source: builtins.str @property def matches(self) -> google.protobuf.internal.containers.RepeatedCompositeFieldContainer[global___Pair_Address_Match]: ... def __init__( 
@@ -1288,12 +1297,12 @@ class RuleMatches(google.protobuf.message.Message): source: builtins.str = ..., matches: collections.abc.Iterable[global___Pair_Address_Match] | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["meta", b"meta"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["matches", b"matches", "meta", b"meta", "source", b"source"]) -> None: ... + def HasField(self, field_name: typing.Literal["meta", b"meta"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["matches", b"matches", "meta", b"meta", "source", b"source"]) -> None: ... global___RuleMatches = RuleMatches -@typing_extensions.final +@typing.final class RuleMetadata(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -1312,12 +1321,15 @@ class RuleMetadata(google.protobuf.message.Message): SCOPES_FIELD_NUMBER: builtins.int name: builtins.str namespace: builtins.str - @property - def authors(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.str]: ... scope: global___Scope.ValueType """deprecated in v7.0. use scopes instead. """ + description: builtins.str + lib: builtins.bool + is_subscope_rule: builtins.bool + @property + def authors(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.str]: ... @property def attack(self) -> google.protobuf.internal.containers.RepeatedCompositeFieldContainer[global___AttackSpec]: ... @property 
@@ -1326,14 +1338,12 @@ class RuleMetadata(google.protobuf.message.Message): def references(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.str]: ... @property def examples(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.str]: ... - description: builtins.str - lib: builtins.bool @property def maec(self) -> global___MaecMetadata: ... - is_subscope_rule: builtins.bool @property def scopes(self) -> global___Scopes: """use scopes over scope (deprecated in v7.0).""" + def __init__( self, *, @@ -1351,12 +1361,12 @@ class RuleMetadata(google.protobuf.message.Message): is_subscope_rule: builtins.bool = ..., scopes: global___Scopes | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["maec", b"maec", "scopes", b"scopes"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["attack", b"attack", "authors", b"authors", "description", b"description", "examples", b"examples", "is_subscope_rule", b"is_subscope_rule", "lib", b"lib", "maec", b"maec", "mbc", b"mbc", "name", b"name", "namespace", b"namespace", "references", b"references", "scope", b"scope", "scopes", b"scopes"]) -> None: ... + def HasField(self, field_name: typing.Literal["maec", b"maec", "scopes", b"scopes"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["attack", b"attack", "authors", b"authors", "description", b"description", "examples", b"examples", "is_subscope_rule", b"is_subscope_rule", "lib", b"lib", "maec", b"maec", "mbc", b"mbc", "name", b"name", "namespace", b"namespace", "references", b"references", "scope", b"scope", "scopes", b"scopes"]) -> None: ... global___RuleMetadata = RuleMetadata -@typing_extensions.final +@typing.final class Sample(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1376,11 +1386,11 @@ class Sample(google.protobuf.message.Message): sha256: builtins.str = ..., path: builtins.str = ..., ) -> None: ... - def ClearField(self, field_name: typing_extensions.Literal["md5", b"md5", "path", b"path", "sha1", b"sha1", "sha256", b"sha256"]) -> None: ... + def ClearField(self, field_name: typing.Literal["md5", b"md5", "path", b"path", "sha1", b"sha1", "sha256", b"sha256"]) -> None: ... global___Sample = Sample -@typing_extensions.final +@typing.final class Scopes(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1394,16 +1404,16 @@ class Scopes(google.protobuf.message.Message): static: global___Scope.ValueType | None = ..., dynamic: global___Scope.ValueType | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_dynamic", b"_dynamic", "_static", b"_static", "dynamic", b"dynamic", "static", b"static"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_dynamic", b"_dynamic", "_static", b"_static", "dynamic", b"dynamic", "static", b"static"]) -> None: ... + def HasField(self, field_name: typing.Literal["_dynamic", b"_dynamic", "_static", b"_static", "dynamic", b"dynamic", "static", b"static"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_dynamic", b"_dynamic", "_static", b"_static", "dynamic", b"dynamic", "static", b"static"]) -> None: ... @typing.overload - def WhichOneof(self, oneof_group: typing_extensions.Literal["_dynamic", b"_dynamic"]) -> typing_extensions.Literal["dynamic"] | None: ... + def WhichOneof(self, oneof_group: typing.Literal["_dynamic", b"_dynamic"]) -> typing.Literal["dynamic"] | None: ... @typing.overload - def WhichOneof(self, oneof_group: typing_extensions.Literal["_static", b"_static"]) -> typing_extensions.Literal["static"] | None: ... + def WhichOneof(self, oneof_group: typing.Literal["_static", b"_static"]) -> typing.Literal["static"] | None: ... global___Scopes = Scopes -@typing_extensions.final +@typing.final class SectionFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1420,13 +1430,13 @@ class SectionFeature(google.protobuf.message.Message): section: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "section", b"section", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "section", b"section", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___SectionFeature = SectionFeature -@typing_extensions.final +@typing.final class SomeStatement(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1443,13 +1453,13 @@ class SomeStatement(google.protobuf.message.Message): count: builtins.int = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "count", b"count", "description", b"description", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "count", b"count", "description", b"description", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___SomeStatement = SomeStatement -@typing_extensions.final +@typing.final class StatementNode(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1476,13 +1486,13 @@ class StatementNode(google.protobuf.message.Message): subscope: global___SubscopeStatement | None = ..., compound: global___CompoundStatement | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["compound", b"compound", "range", b"range", "some", b"some", "statement", b"statement", "subscope", b"subscope"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["compound", b"compound", "range", b"range", "some", b"some", "statement", b"statement", "subscope", b"subscope", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["statement", b"statement"]) -> typing_extensions.Literal["range", "some", "subscope", "compound"] | None: ... + def HasField(self, field_name: typing.Literal["compound", b"compound", "range", b"range", "some", b"some", "statement", b"statement", "subscope", b"subscope"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["compound", b"compound", "range", b"range", "some", b"some", "statement", b"statement", "subscope", b"subscope", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["statement", b"statement"]) -> typing.Literal["range", "some", "subscope", "compound"] | None: ... global___StatementNode = StatementNode -@typing_extensions.final +@typing.final class StaticAnalysis(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1495,10 +1505,14 @@ class StaticAnalysis(google.protobuf.message.Message): LAYOUT_FIELD_NUMBER: builtins.int FEATURE_COUNTS_FIELD_NUMBER: builtins.int LIBRARY_FUNCTIONS_FIELD_NUMBER: builtins.int + APICALL_COUNT_FIELD_NUMBER: builtins.int + IMPORT_COUNT_FIELD_NUMBER: builtins.int format: builtins.str arch: builtins.str os: builtins.str extractor: builtins.str + apicall_count: builtins.int + import_count: builtins.int @property def rules(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.str]: ... @property 
@@ -1521,13 +1535,15 @@ class StaticAnalysis(google.protobuf.message.Message): layout: global___StaticLayout | None = ..., feature_counts: global___StaticFeatureCounts | None = ..., library_functions: collections.abc.Iterable[global___LibraryFunction] | None = ..., + apicall_count: builtins.int = ..., + import_count: builtins.int = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["base_address", b"base_address", "feature_counts", b"feature_counts", "layout", b"layout"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["arch", b"arch", "base_address", b"base_address", "extractor", b"extractor", "feature_counts", b"feature_counts", "format", b"format", "layout", b"layout", "library_functions", b"library_functions", "os", b"os", "rules", b"rules"]) -> None: ... + def HasField(self, field_name: typing.Literal["base_address", b"base_address", "feature_counts", b"feature_counts", "layout", b"layout"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["apicall_count", b"apicall_count", "arch", b"arch", "base_address", b"base_address", "extractor", b"extractor", "feature_counts", b"feature_counts", "format", b"format", "import_count", b"import_count", "layout", b"layout", "library_functions", b"library_functions", "os", b"os", "rules", b"rules"]) -> None: ... global___StaticAnalysis = StaticAnalysis -@typing_extensions.final +@typing.final class StaticFeatureCounts(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1542,11 +1558,11 @@ class StaticFeatureCounts(google.protobuf.message.Message): file: builtins.int = ..., functions: collections.abc.Iterable[global___FunctionFeatureCount] | None = ..., ) -> None: ... - def ClearField(self, field_name: typing_extensions.Literal["file", b"file", "functions", b"functions"]) -> None: ... + def ClearField(self, field_name: typing.Literal["file", b"file", "functions", b"functions"]) -> None: ... global___StaticFeatureCounts = StaticFeatureCounts -@typing_extensions.final +@typing.final class StaticLayout(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -1558,11 +1574,11 @@ class StaticLayout(google.protobuf.message.Message): *, functions: collections.abc.Iterable[global___FunctionLayout] | None = ..., ) -> None: ... - def ClearField(self, field_name: typing_extensions.Literal["functions", b"functions"]) -> None: ... + def ClearField(self, field_name: typing.Literal["functions", b"functions"]) -> None: ... global___StaticLayout = StaticLayout -@typing_extensions.final +@typing.final class StringFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1579,13 +1595,13 @@ class StringFeature(google.protobuf.message.Message): string: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "string", b"string", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "string", b"string", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___StringFeature = StringFeature -@typing_extensions.final +@typing.final class SubscopeStatement(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1602,13 +1618,13 @@ class SubscopeStatement(google.protobuf.message.Message): scope: global___Scope.ValueType = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "scope", b"scope", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "scope", b"scope", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___SubscopeStatement = SubscopeStatement -@typing_extensions.final +@typing.final class SubstringFeature(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1625,33 +1641,33 @@ class SubstringFeature(google.protobuf.message.Message): substring: builtins.str = ..., description: builtins.str | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["_description", b"_description", "description", b"description", "substring", b"substring", "type", b"type"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["_description", b"_description"]) -> typing_extensions.Literal["description"] | None: ... + def HasField(self, field_name: typing.Literal["_description", b"_description", "description", b"description"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["_description", b"_description", "description", b"description", "substring", b"substring", "type", b"type"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["_description", b"_description"]) -> typing.Literal["description"] | None: ... global___SubstringFeature = SubstringFeature -@typing_extensions.final +@typing.final class CallLayout(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor ADDRESS_FIELD_NUMBER: builtins.int NAME_FIELD_NUMBER: builtins.int + name: builtins.str @property def address(self) -> global___Address: ... - name: builtins.str def __init__( self, *, address: global___Address | None = ..., name: builtins.str = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["address", b"address"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["address", b"address", "name", b"name"]) -> None: ... + def HasField(self, field_name: typing.Literal["address", b"address"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["address", b"address", "name", b"name"]) -> None: ... 
global___CallLayout = CallLayout -@typing_extensions.final +@typing.final class ThreadLayout(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -1667,12 +1683,12 @@ class ThreadLayout(google.protobuf.message.Message): address: global___Address | None = ..., matched_calls: collections.abc.Iterable[global___CallLayout] | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["address", b"address"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["address", b"address", "matched_calls", b"matched_calls"]) -> None: ... + def HasField(self, field_name: typing.Literal["address", b"address"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["address", b"address", "matched_calls", b"matched_calls"]) -> None: ... global___ThreadLayout = ThreadLayout -@typing_extensions.final +@typing.final class Addresses(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -1684,11 +1700,11 @@ class Addresses(google.protobuf.message.Message): *, address: collections.abc.Iterable[global___Address] | None = ..., ) -> None: ... - def ClearField(self, field_name: typing_extensions.Literal["address", b"address"]) -> None: ... + def ClearField(self, field_name: typing.Literal["address", b"address"]) -> None: ... global___Addresses = Addresses -@typing_extensions.final +@typing.final class Pair_Address_Match(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1704,33 +1720,33 @@ class Pair_Address_Match(google.protobuf.message.Message): address: global___Address | None = ..., match: global___Match | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["address", b"address", "match", b"match"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["address", b"address", "match", b"match"]) -> None: ... + def HasField(self, field_name: typing.Literal["address", b"address", "match", b"match"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["address", b"address", "match", b"match"]) -> None: ... global___Pair_Address_Match = Pair_Address_Match -@typing_extensions.final +@typing.final class Token_Offset(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor TOKEN_FIELD_NUMBER: builtins.int OFFSET_FIELD_NUMBER: builtins.int - @property - def token(self) -> global___Integer: ... offset: builtins.int """offset is always >= 0""" + @property + def token(self) -> global___Integer: ... def __init__( self, *, token: global___Integer | None = ..., offset: builtins.int = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["token", b"token"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["offset", b"offset", "token", b"token"]) -> None: ... + def HasField(self, field_name: typing.Literal["token", b"token"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["offset", b"offset", "token", b"token"]) -> None: ... global___Token_Offset = Token_Offset -@typing_extensions.final +@typing.final class Ppid_Pid(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1746,12 +1762,12 @@ class Ppid_Pid(google.protobuf.message.Message): ppid: global___Integer | None = ..., pid: global___Integer | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["pid", b"pid", "ppid", b"ppid"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["pid", b"pid", "ppid", b"ppid"]) -> None: ... + def HasField(self, field_name: typing.Literal["pid", b"pid", "ppid", b"ppid"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["pid", b"pid", "ppid", b"ppid"]) -> None: ... global___Ppid_Pid = Ppid_Pid -@typing_extensions.final +@typing.final class Ppid_Pid_Tid(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -1771,12 +1787,12 @@ class Ppid_Pid_Tid(google.protobuf.message.Message): pid: global___Integer | None = ..., tid: global___Integer | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["pid", b"pid", "ppid", b"ppid", "tid", b"tid"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["pid", b"pid", "ppid", b"ppid", "tid", b"tid"]) -> None: ... + def HasField(self, field_name: typing.Literal["pid", b"pid", "ppid", b"ppid", "tid", b"tid"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["pid", b"pid", "ppid", b"ppid", "tid", b"tid"]) -> None: ... global___Ppid_Pid_Tid = Ppid_Pid_Tid -@typing_extensions.final +@typing.final class Ppid_Pid_Tid_Id(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1800,12 +1816,12 @@ class Ppid_Pid_Tid_Id(google.protobuf.message.Message): tid: global___Integer | None = ..., id: global___Integer | None = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["id", b"id", "pid", b"pid", "ppid", b"ppid", "tid", b"tid"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["id", b"id", "pid", b"pid", "ppid", b"ppid", "tid", b"tid"]) -> None: ... + def HasField(self, field_name: typing.Literal["id", b"id", "pid", b"pid", "ppid", b"ppid", "tid", b"tid"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["id", b"id", "pid", b"pid", "ppid", b"ppid", "tid", b"tid"]) -> None: ... global___Ppid_Pid_Tid_Id = Ppid_Pid_Tid_Id -@typing_extensions.final +@typing.final class Integer(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor @@ -1819,13 +1835,13 @@ class Integer(google.protobuf.message.Message): u: builtins.int = ..., i: builtins.int = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["i", b"i", "u", b"u", "value", b"value"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["i", b"i", "u", b"u", "value", b"value"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["value", b"value"]) -> typing_extensions.Literal["u", "i"] | None: ... + def HasField(self, field_name: typing.Literal["i", b"i", "u", b"u", "value", b"value"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["i", b"i", "u", b"u", "value", b"value"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["value", b"value"]) -> typing.Literal["u", "i"] | None: ... global___Integer = Integer -@typing_extensions.final +@typing.final class Number(google.protobuf.message.Message): DESCRIPTOR: google.protobuf.descriptor.Descriptor 
@@ -1842,8 +1858,8 @@ class Number(google.protobuf.message.Message): i: builtins.int = ..., f: builtins.float = ..., ) -> None: ... - def HasField(self, field_name: typing_extensions.Literal["f", b"f", "i", b"i", "u", b"u", "value", b"value"]) -> builtins.bool: ... - def ClearField(self, field_name: typing_extensions.Literal["f", b"f", "i", b"i", "u", b"u", "value", b"value"]) -> None: ... - def WhichOneof(self, oneof_group: typing_extensions.Literal["value", b"value"]) -> typing_extensions.Literal["u", "i", "f"] | None: ... + def HasField(self, field_name: typing.Literal["f", b"f", "i", b"i", "u", b"u", "value", b"value"]) -> builtins.bool: ... + def ClearField(self, field_name: typing.Literal["f", b"f", "i", b"i", "u", b"u", "value", b"value"]) -> None: ... + def WhichOneof(self, oneof_group: typing.Literal["value", b"value"]) -> typing.Literal["u", "i", "f"] | None: ... global___Number = Number diff --git a/capa/render/result_document.py b/capa/render/result_document.py index 975e37431..7ceab09f4 100644 --- a/capa/render/result_document.py +++ b/capa/render/result_document.py @@ -114,6 +114,8 @@ class StaticAnalysis(Model): layout: StaticLayout feature_counts: StaticFeatureCounts library_functions: Tuple[LibraryFunction, ...] + apicall_count: int + import_count: int class DynamicAnalysis(Model): From 76df545b03f9729e716a528247def829a6e6f0fa Mon Sep 17 00:00:00 2001 From: Soufiane Fariss Date: Mon, 10 Jun 2024 01:17:16 +0200 Subject: [PATCH 2/6] remove unsued flag is_standalone --- capa/capabilities/common.py | 5 +---- capa/ghidra/capa_explorer.py | 2 +- capa/ghidra/capa_ghidra.py | 4 ++-- capa/ida/plugin/form.py | 2 +- capa/main.py | 20 ++++---------------- 5 files changed, 9 insertions(+), 24 deletions(-) diff --git a/capa/capabilities/common.py b/capa/capabilities/common.py index 2dedc6f09..7121191d4 100644 --- a/capa/capabilities/common.py +++ b/capa/capabilities/common.py 
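Review bot: The two fields added to `StaticAnalysis` in the result_document.py hunk are required (no default), so a result document serialized before this change will fail model validation when it is loaded back in; main.py imports `FORMAT_RESULT`, which suggests loading prior results is a supported input path, so this looks like a compatibility break worth a line under "Breaking Changes" in the changelog. A default of `0` is not a good fix either, because `render_meta` compares `apicall_count` against `MIN_API_CALLS` and would then emit the few-API-calls warning for every older document; if backward compatibility is wanted, an explicitly optional field such as `apicall_count: Optional[int] = None` with the renderer skipping the check when it is `None` is safer. Each field should also carry a short comment stating what it counts, e.g. `# total number of API call features found across the analyzed functions` and `# total number of Import features found in the sample`, since nothing in the model says so. The `StaticAnalysis` class starts outside the hunk.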
@@ -40,7 +40,7 @@ def find_file_capabilities(ruleset: RuleSet, extractor: FeatureExtractor, functi return matches, file_features -def has_file_limitation(rules: RuleSet, capabilities: MatchResults, is_standalone=True) -> bool: +def has_file_limitation(rules: RuleSet, capabilities: MatchResults) -> bool: file_limitation_rules = list(filter(lambda r: r.is_file_limitation_rule(), rules.rules.values())) for file_limitation_rule in file_limitation_rules: @@ -51,9 +51,6 @@ def has_file_limitation(rules: RuleSet, capabilities: MatchResults, is_standalon for line in file_limitation_rule.meta.get("description", "").split("\n"): logger.warning(" %s", line) logger.warning(" Identified via rule: %s", file_limitation_rule.name) - if is_standalone: - logger.warning(" ") - logger.warning(" Use -v or -vv if you really want to see the capabilities identified by capa.") logger.warning("-" * 80) # bail on first file limitation diff --git a/capa/ghidra/capa_explorer.py b/capa/ghidra/capa_explorer.py index e0b2cf19a..c7e1b0458 100644 --- a/capa/ghidra/capa_explorer.py +++ b/capa/ghidra/capa_explorer.py @@ -240,7 +240,7 @@ def get_capabilities(): capabilities, counts = capa.capabilities.common.find_capabilities(rules, extractor, True) - if capa.capabilities.common.has_file_limitation(rules, capabilities, is_standalone=False): + if capa.capabilities.common.has_file_limitation(rules, capabilities): popup("capa explorer encountered warnings during analysis. Please check the console output for more information.") # type: ignore [name-defined] # noqa: F821 logger.info("capa encountered warnings during analysis") diff --git a/capa/ghidra/capa_ghidra.py b/capa/ghidra/capa_ghidra.py index 55ab8046e..d66c905e9 100644 --- a/capa/ghidra/capa_ghidra.py +++ b/capa/ghidra/capa_ghidra.py 
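Review bot: The new `has_file_limitation` signature still has no docstring, and with the `is_standalone` branch gone the only description of its contract is the "bail on first file limitation" comment; suggest adding `"""Log a warning for the first matched file-limitation rule (e.g. a packer) and return True if one matched."""` on the line after the signature (the return value is inferred from the `-> bool` annotation and that comment, since the function body continues outside the hunk). Dropping a keyword parameter from a public helper also turns any out-of-tree caller that still passes `is_standalone=` into a `TypeError`; the in-tree call sites in capa_explorer.py, capa_ghidra.py, form.py and main.py are updated in this commit, so that only matters for external plugins. The removed "Use -v or -vv" hint is consistent with main.py no longer short-circuiting on a file limitation, but the rendered output now gives the user no pointer to the verbose modes at all.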
@@ -80,7 +80,7 @@ def run_headless(): meta.analysis.library_functions = counts["library_functions"] meta.analysis.layout = capa.loader.compute_layout(rules, extractor, capabilities) - if capa.capabilities.common.has_file_limitation(rules, capabilities, is_standalone=True): + if capa.capabilities.common.has_file_limitation(rules, capabilities): logger.info("capa encountered warnings during analysis") if args.json: @@ -130,7 +130,7 @@ def run_ui(): meta.analysis.library_functions = counts["library_functions"] meta.analysis.layout = capa.loader.compute_layout(rules, extractor, capabilities) - if capa.capabilities.common.has_file_limitation(rules, capabilities, is_standalone=False): + if capa.capabilities.common.has_file_limitation(rules, capabilities): logger.info("capa encountered warnings during analysis") if verbose == "vverbose": diff --git a/capa/ida/plugin/form.py b/capa/ida/plugin/form.py index 0aee6cea2..607ce4cc3 100644 --- a/capa/ida/plugin/form.py +++ b/capa/ida/plugin/form.py @@ -811,7 +811,7 @@ def slot_progress_feature_extraction(text): capa.ida.helpers.inform_user_ida_ui("capa encountered file type warnings during analysis") - if capa.capabilities.common.has_file_limitation(ruleset, capabilities, is_standalone=False): + if capa.capabilities.common.has_file_limitation(ruleset, capabilities): capa.ida.helpers.inform_user_ida_ui("capa encountered file limitation warnings during analysis") except Exception as e: logger.exception("Failed to check for file limitations (error: %s)", e) diff --git a/capa/main.py b/capa/main.py index 1ab850a00..b91c6c6fc 100644 --- a/capa/main.py +++ b/capa/main.py 
@@ -75,7 +75,7 @@ FORMAT_RESULT, ) from capa.capabilities.common import find_capabilities, has_file_limitation, find_file_capabilities -from capa.features.extractors.base_extractor import FeatureExtractor, StaticFeatureExtractor, DynamicFeatureExtractor +from capa.features.extractors.base_extractor import FeatureExtractor, DynamicFeatureExtractor RULES_PATH_DEFAULT_STRING = "(embedded rules)" SIGNATURES_PATH_DEFAULT_STRING = "(embedded signatures)" @@ -670,12 +670,6 @@ def find_file_limitations_from_cli(args, rules: RuleSet, file_extractors: List[F # file limitations that rely on non-file scope won't be detected here. # nor on FunctionName features, because pefile doesn't support this. found_file_limitation = has_file_limitation(rules, pure_file_capabilities) - if found_file_limitation: - # bail if capa encountered file limitation e.g. a packed binary - # do show the output in verbose mode, though. - if not (args.verbose or args.vverbose or args.json): - logger.debug("file limitation short circuit, won't analyze fully.") - raise ShouldExitError(E_FILE_LIMITATION) return found_file_limitation @@ -804,7 +798,7 @@ def main(argv: Optional[List[str]] = None): input_format = get_input_format_from_cli(args) rules = get_rules_from_cli(args) file_extractors = get_file_extractors_from_cli(args, input_format) - found_file_limitation = find_file_limitations_from_cli(args, rules, file_extractors) + _ = find_file_limitations_from_cli(args, rules, file_extractors) except ShouldExitError as e: return e.status_code 
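Review bot: Removing the `raise ShouldExitError(E_FILE_LIMITATION)` from `find_file_limitations_from_cli` here, together with the removed `return E_FILE_LIMITATION` in the `@@ -837` hunk of main.py, means a packed or otherwise limited sample now exits with status 0 and prints ordinary results; the limitation is only visible as logger warnings. Anything that scripts capa and gates on the exit code loses that signal and may treat matches from a packed binary as trustworthy, so this should at least be called out in the changelog as a behavior change, and ideally the limitation should also appear in the rendered meta block rather than only in the log. With the raise gone, the function's return value is discarded by its only visible caller (`_ = find_file_limitations_from_cli(...)`), and `E_FILE_LIMITATION` and the `args` parameter of this function may now be unused — worth checking, as the rest of the function is outside the hunk. If the return value is kept, a docstring line such as `"""Return True if a file-limitation rule matched; callers decide whether to continue."""` would document the new contract.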
@@ -837,12 +831,6 @@ def main(argv: Optional[List[str]] = None): meta = capa.loader.collect_metadata(argv, args.input_file, input_format, os_, args.rules, extractor, counts) meta.analysis.layout = capa.loader.compute_layout(rules, extractor, capabilities) - if isinstance(extractor, StaticFeatureExtractor) and found_file_limitation: - # bail if capa's static feature extractor encountered file limitation e.g. a packed binary - # do show the output in verbose mode, though. - if not (args.verbose or args.vverbose or args.json): - return E_FILE_LIMITATION - if args.json: print(capa.render.json.render(meta, rules, capabilities)) elif args.vverbose: @@ -893,7 +881,7 @@ def ida_main(): meta.analysis.apicall_count = counts["apicall_count"] meta.analysis.import_count = counts["import_count"] - if has_file_limitation(rules, capabilities, is_standalone=False): + if has_file_limitation(rules, capabilities): capa.ida.helpers.inform_user_ida_ui("capa encountered warnings during analysis") colorama.init(strip=True) @@ -933,7 +921,7 @@ def ghidra_main(): meta.analysis.apicall_count = counts["apicall_count"] meta.analysis.import_count = counts["import_count"] - if has_file_limitation(rules, capabilities, is_standalone=False): + if has_file_limitation(rules, capabilities): logger.info("capa encountered warnings during analysis") print(capa.render.default.render(meta, rules, capabilities)) From 64565da5681fad7263faf962d66f243a663e7f47 Mon Sep 17 00:00:00 2001 From: Soufiane Fariss Date: Mon, 10 Jun 2024 01:17:31 +0200 Subject: [PATCH 3/6] minor fix: use rutils.bold Note, when using rutils.warn(), flake8 raises an error. So using rutils.bold() for now. --- capa/render/default.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/capa/render/default.py b/capa/render/default.py index a216a9243..191c67c22 100644 --- a/capa/render/default.py +++ b/capa/render/default.py 
@@ -36,7 +36,7 @@ def render_meta(doc: rd.ResultDocument, ostream: StringIO): if doc.meta.analysis.apicall_count < MIN_API_CALLS: ostream.write( - rutils.warn( + rutils.bold( "The analyzed sample reports very few API calls, this could indicate that it is packed, encrypted, corrupted, or tiny\n" ) ) @@ -47,7 +47,7 @@ def render_meta(doc: rd.ResultDocument, ostream: StringIO): if lib_ratio < MIN_LIBFUNCS_RATIO: ostream.write( - rutils.warn( + rutils.bold( "Few library functions (%.2f%% of all functions) recognized by FLIRT signatures, results may contain false positives\n" ) % (100 * lib_ratio) From 5d75052006ce3fe7ae4a9326be6fe155300dbd49 Mon Sep 17 00:00:00 2001 From: Soufiane Fariss Date: Mon, 10 Jun 2024 02:06:51 +0200 Subject: [PATCH 4/6] changelog: display analysis information --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index da9482f0d..0198d3864 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ - render maec/* fields #843 @s-ff - replace Halo spinner with Rich #2086 @s-ff - optimize rule matching #2080 @williballenthin +- display analysis information to users #857 @s-ff ### Breaking Changes From 04c93dca0fc76ed3d0da46580bf3d69a6c6d5972 Mon Sep 17 00:00:00 2001 From: Soufiane Fariss Date: Mon, 10 Jun 2024 16:55:10 +0200 Subject: [PATCH 5/6] remove unwanted whitespace --- capa/render/proto/capa.proto | 1 - 1 file changed, 1 deletion(-) diff --git a/capa/render/proto/capa.proto b/capa/render/proto/capa.proto index 6fc29db14..937b2f33d 100644 --- a/capa/render/proto/capa.proto +++ b/capa/render/proto/capa.proto @@ -405,7 +405,6 @@ message StaticAnalysis { repeated LibraryFunction library_functions = 9; uint64 apicall_count = 10; uint64 import_count = 11; - } message StaticFeatureCounts { From 3a1504a3106bc98c4f48191f7db5302d7d24849f Mon Sep 17 00:00:00 2001 
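Review bot: Both messages in `render_meta` are warnings about result quality (possible packing, possible FLIRT false positives), and switching them from `rutils.warn` to `rutils.bold` removes the visual cue that distinguishes them from the rest of the meta block; since the commit message attributes the change to a flake8 complaint rather than a design choice, leave a marker such as `# TODO: restore rutils.warn() once the flake8 issue with it is resolved` above the first call. In the second hunk the `% (100 * lib_ratio)` is applied to the string returned by `rutils.bold(...)` rather than to the literal, which only works as long as `bold()` returns a plain str that preserves the `%.2f%%` placeholder; moving the `%` inside the call so the literal is formatted before it is styled is clearer and less fragile. `lib_ratio` is computed outside the hunk, so whether the ratio is guarded against a sample with no functions is not visible here.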
From: Soufiane Fariss Date: Mon, 10 Jun 2024 20:17:40 +0200 Subject: [PATCH 6/6] fix: missing metadata fields --- capa/render/proto/__init__.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/capa/render/proto/__init__.py b/capa/render/proto/__init__.py index 3acdcfcfc..ae230427e 100644 --- a/capa/render/proto/__init__.py +++ b/capa/render/proto/__init__.py @@ -210,6 +210,8 @@ def static_analysis_to_pb2(analysis: rd.StaticAnalysis) -> capa_pb2.StaticAnalys library_functions=[ capa_pb2.LibraryFunction(address=addr_to_pb2(lf.address), name=lf.name) for lf in analysis.library_functions ], + apicall_count=analysis.apicall_count, + import_count=analysis.import_count, )
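Review bot: Only the result-document-to-protobuf direction is updated here; if `capa/render/proto/__init__.py` also has a protobuf-to-result-document counterpart (a `static_analysis_from_pb2`, inferred from the naming of the visible function), it needs `apicall_count=` and `import_count=` as well, because `rd.StaticAnalysis` now requires both fields and a document round-tripped through protobuf would otherwise fail validation. The proto fields are declared `uint64` (capa.proto hunk in patch 5) while the model fields are plain `int`, so a negative value would raise at construction time; the counts are accumulated from feature occurrences and cannot go negative, but a one-line comment such as `# uint64 in capa.proto; both counts are non-negative by construction` next to the new arguments makes that invariant explicit.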