def collect_metadata():
md5 = idautils.GetInputFileMD5()
if not isinstance(md5, six.string_types):
md5 = capa.features.bytes_to_str(md5)
sha256 = idaapi.retrieve_input_file_sha256()
if not isinstance(sha256, six.string_types):
sha256 = capa.features.bytes_to_str(sha256)
return {
"timestamp": datetime.datetime.now().isoformat(),
# "argv" is not relevant here
"sample": {
"md5": md5,
"sha1": "", # not easily accessible
"sha256": sha256,
"path": idaapi.get_input_file_path(),
},
"analysis": {
"format": idaapi.get_file_type_name(),
"extractor": "ida",
"base_address": idaapi.get_imagebase(),
},
"version": capa.version.__version__,
}
def collect_metadata():
return {
"timestamp": datetime.datetime.now().isoformat(),
# "argv" is not relevant here
"sample": {
"md5": capa.features.bytes_to_str(idautils.GetInputFileMD5()),
# "sha1" not easily accessible
"sha256": capa.features.bytes_to_str(idaapi.retrieve_input_file_sha256()),
"path": idaapi.get_input_file_path(),
},
"analysis": {"format": idaapi.get_file_type_name(), "extractor": "ida",},
"version": capa.version.__version__,
}
def get_upload_func_info(ea):
"""
get function upload info by IDA Pro
Args:
ea(ea_t): function address
Returns:
func_info(dict): function info
"""
func_info = {}
try:
hf = idaapi.hexrays_failure_t()
if idaapi.IDA_SDK_VERSION >= 730:
cfunc = idaapi.decompile(ea, hf, idaapi.DECOMP_NO_WAIT)
else:
cfunc = idaapi.decompile(ea, hf)
func_info['feature'] = str(cfunc)
func_info['pseudo_code'] = str(cfunc)
except Exception as e:
print(str(e))
return None
func_info['binary_file'] = idaapi.get_root_filename()
binary_sha256 = idaapi.retrieve_input_file_sha256()
binary_sha256 = binary_sha256.hex() if isinstance(binary_sha256,
bytes) else binary_sha256
func_info['binary_sha256'] = binary_sha256
func_info['binary_offset'] = idaapi.get_fileregion_offset(ea)
func_info['platform'] = get_platform_info()
func_info['name'] = idaapi.get_func_name(ea)
func_bytes = b''
for start, end in idautils.Chunks(idaapi.get_func(ea).start_ea):
fb = idaapi.get_bytes(start, end - start)
func_bytes += fb
func_bytes = func_bytes.hex() if isinstance(func_bytes,
bytes) else func_bytes
func_info['func_bytes'] = func_bytes
return func_info
def get_file_sha256():
""" """
sha256 = idaapi.retrieve_input_file_sha256()
if not isinstance(sha256, str):
sha256 = capa.features.bytes_to_str(sha256)
return sha256