{"id":19045477,"url":"https://github.com/marirs/capa-rs","last_synced_at":"2025-07-11T05:04:02.092Z","repository":{"id":41311640,"uuid":"417342273","full_name":"marirs/capa-rs","owner":"marirs","description":"File Capability Extractor","archived":false,"fork":false,"pushed_at":"2025-03-21T11:37:21.000Z","size":6049,"stargazers_count":13,"open_issues_count":0,"forks_count":2,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-23T23:47:43.206Z","etag":null,"topics":["aslr","capa","capabilities","control-flow-graph","file-capabilities","malware-analysis","mbc","mitre","reverse-engineering","rust","rust-lang","rust-library","seh"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/marirs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-10-15T02:14:41.000Z","updated_at":"2025-03-21T11:37:26.000Z","dependencies_parsed_at":"2024-02-15T14:29:48.907Z","dependency_job_id":"de834b14-3d9a-4963-88fd-62384fa1fefb","html_url":"https://github.com/marirs/capa-rs","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/marirs/capa-rs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marirs%2Fcapa-rs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marirs%2Fcapa-rs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marirs%2Fcapa-rs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marirs%2Fcapa-rs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/marirs","download_url":"https://codeload.github.com/marirs/capa-rs/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marirs%2Fcapa-rs/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264734571,"owners_count":23655695,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aslr","capa","capabilities","control-flow-graph","file-capabilities","malware-analysis","mbc","mitre","reverse-engineering","rust","rust-lang","rust-library","seh"],"created_at":"2024-11-08T22:50:22.073Z","updated_at":"2025-07-11T05:04:02.068Z","avatar_url":"https://github.com/marirs.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# File Capability Extractor\n\n[![Linux Arm7](https://github.com/marirs/capa-rs/actions/workflows/linux_arm7.yml/badge.svg)](https://github.com/marirs/capa-rs/actions/workflows/linux_arm7.yml)\n[![Linux x86_64](https://github.com/marirs/capa-rs/actions/workflows/linux_x86-64.yml/badge.svg)](https://github.com/marirs/capa-rs/actions/workflows/linux_x86-64.yml)\n[![macOS](https://github.com/marirs/capa-rs/actions/workflows/macos.yml/badge.svg)](https://github.com/marirs/capa-rs/actions/workflows/macos.yml)\n[![Windows](https://github.com/marirs/capa-rs/actions/workflows/windows.yml/badge.svg)](https://github.com/marirs/capa-rs/actions/workflows/windows.yml)\n\nTest it online: https://www.analyze.rs/\n\ncapa detects capabilities in executable files. You run it against a PE, ELF, or shellcode file and it tells you what it thinks the program can do.\nFor example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate. It also performs a binary security check to see whether the binary was compiled with security features enabled.\n\nIt is a port of https://github.com/mandiant/capa without the IDA plugins, etc. It's just a capa library that gives out capability information.\nThe library itself can be used in other applications. The rules are available here: `https://github.com/mandiant/capa-rules`\n\nThe example contains a `CLI` that outputs the extracted capabilities to `stdout`.\n\n### Requirements\n- Rust 1.56+ (edition 2021)\n\n### Running the example CLI\n```\n./capa_cli --rules-path capa-rules data/Demo64.dll\n+--------------+-------------+\n|      File Properties       |\n+==============+=============+\n| arch         | AMD64       |\n+--------------+-------------+\n| base_address | 0x180000000 |\n+--------------+-------------+\n| format       | PE          |\n+--------------+-------------+\n| os           | WINDOWS     |\n+--------------+-------------+\n\n+-----------------------+-------------+\n|           Security Checks           |\n+=======================+=============+\n| ASLR                  | Supported   |\n+-----------------------+-------------+\n| CHECKSUM              | Fail        |\n+-----------------------+-------------+\n| CONSIDER-MANIFEST     | Pass        |\n+-----------------------+-------------+\n| CONTROL-FLOW-GUARD    | Unsupported |\n+-----------------------+-------------+\n| DATA-EXEC-PREVENT     | Pass        |\n+-----------------------+-------------+\n| HANDLES-ADDR-GT-2GB   | Pass        |\n+-----------------------+-------------+\n| RUNS-IN-APP-CONTAINER | Fail        |\n+-----------------------+-------------+\n| SAFE-SEH              | Pass        |\n+-----------------------+-------------+\n| VERIFY-DIGITAL-CERT   | Fail        |\n+-----------------------+-------------+\n\n+---------------+------------------------+\n| ATT\u0026CK Tactic | ATT\u0026CK Technique       |\n+===============+========================+\n| Execution     | Shared Modules [T1129] |\n+---------------+------------------------+\n\n+--------------------------+------------------------------------------------------+\n| MBC Objective            | MBC Behavior                                         |\n+==========================+======================================================+\n| Anti-Behavioral Analysis | Debugger Detection::Software Breakpoints [B0001.025] |\n+--------------------------+------------------------------------------------------+\n| Data                     | Non-Cryptographic Hash::MurmurHash [C0030.001]       |\n|                          | Non-Cryptographic Hash::djb2 [C0030.006]             |\n+--------------------------+------------------------------------------------------+\n\n+-----------------------------------------------+-------------------------------------------------+\n| Capability                                    | Namespace                                       |\n+===============================================+=================================================+\n| check for software breakpoints                | anti-analysis/anti-debugging/debugger-detection |\n+-----------------------------------------------+-------------------------------------------------+\n| contain a thread local storage (.tls) section | executable/pe/section/tls                       |\n+-----------------------------------------------+-------------------------------------------------+\n| contains PDB path                             | executable/pe/pdb                               |\n+-----------------------------------------------+-------------------------------------------------+\n| hash data using djb2                          | data-manipulation/hashing/djb2                  |\n+-----------------------------------------------+-------------------------------------------------+\n| hash data using murmur3                       | data-manipulation/hashing/murmur                |\n+-----------------------------------------------+-------------------------------------------------+\n| match known PlugX module                      | malware-family/plugx                            |\n+-----------------------------------------------+-------------------------------------------------+\n| parse PE header                               | load-code/pe                                    |\n+-----------------------------------------------+-------------------------------------------------+\n| reference Cloudflare DNS server               | communication/dns                               |\n+-----------------------------------------------+-------------------------------------------------+\n\n\nTAGS: [B0001.025, C0030.001, C0030.006, T1129]\n\nTime taken (seconds): 1.227743833s\n```\n\n- For verbose output, use\n```bash\n./capa_cli --rules-path capa-rules --verbose data/Demo64.dll\n```\n\n### Features\n- properties (gets the meta information/properties of the file)\n- verbose (gets verbose information such as function, address, features, etc.)\n\n### Compiling with or without features\n\n- with properties\n```bash\ncargo b --features=properties\n```\n\n- verbose mode\n```bash\ncargo b --features=verbose\n```\n\n- verbose \u0026 properties\n```bash\ncargo b --features=verbose,properties\n```\n\n- with default features (the default includes the properties feature)\n```bash\ncargo b\n```\n---\nLICENSE: Apache\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarirs%2Fcapa-rs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmarirs%2Fcapa-rs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarirs%2Fcapa-rs/lists"}