package mandiant.capa

Get desktop application:
View/edit binary Protocol Buffers messages

Used in: FeatureNode

• string type = 1

• string api = 2

• optional string description = 3

Used in: Addresses, Analysis, BasicBlockLayout, CallLayout, FunctionFeatureCount, FunctionLayout, LibraryFunction, Match, Pair_Address_Match, ProcessFeatureCount, ProcessLayout, StaticAnalysis, ThreadLayout

• AddressType type = 1

• oneof value

  • Integer v = 2

  • Token_Offset token_offset = 3

  • Ppid_Pid ppid_pid = 4

  • Ppid_Pid_Tid ppid_pid_tid = 5

  • Ppid_Pid_Tid_Id ppid_pid_tid_id = 6

Used in: Address

• ADDRESSTYPE_UNSPECIFIED = 0

• ADDRESSTYPE_ABSOLUTE = 1

• ADDRESSTYPE_RELATIVE = 2

• ADDRESSTYPE_FILE = 3

• ADDRESSTYPE_DN_TOKEN = 4

• ADDRESSTYPE_DN_TOKEN_OFFSET = 5

• ADDRESSTYPE_NO_ADDRESS = 6

• ADDRESSTYPE_PROCESS = 7

• ADDRESSTYPE_THREAD = 8

• ADDRESSTYPE_CALL = 9

Used in: Match

• repeated Address address = 1

Used in: Metadata

• string format = 1

• string arch = 2

• string os = 3

• string extractor = 4

• repeated string rules = 5

• optional Address base_address = 6

• optional Layout layout = 7

• optional FeatureCounts feature_counts = 8

• repeated LibraryFunction library_functions = 9

Used in: FeatureNode

• string type = 1

• string arch = 2

• optional string description = 3

Used in: RuleMetadata

• repeated string parts = 1

• string tactic = 2

• string technique = 3

• string subtechnique = 4

• string id = 5

Used in: FeatureNode

• string type = 1

• optional string description = 2

Used in: FunctionLayout

• optional Address address = 1

Used in: FeatureNode

• string type = 1

• string bytes = 2

• optional string description = 3

Used in: ThreadLayout

• optional Address address = 1

• string name = 2

Used in: FeatureNode

• string type = 1

• string characteristic = 2

• optional string description = 3

Used in: FeatureNode

• string type = 1

• string class_ = 2

  class is protected Python keyword

• optional string description = 3

Used in: StatementNode

• string type = 1

• optional string description = 2

Used in: Metadata

• string format = 1

• string arch = 2

• string os = 3

• string extractor = 4

• repeated string rules = 5

• optional DynamicLayout layout = 6

• optional DynamicFeatureCounts feature_counts = 7

Used in: DynamicAnalysis

• uint64 file = 1

• repeated ProcessFeatureCount processes = 2

Used in: DynamicAnalysis

• repeated ProcessLayout processes = 1

Used in: FeatureNode

• string type = 1

• string export = 2

• optional string description = 3

Used in: Analysis

• uint64 file = 1

• repeated FunctionFeatureCount functions = 2

Used in: Match, RangeStatement

• string type = 1

• oneof feature

  • OSFeature os = 2

  • ArchFeature arch = 3

  • FormatFeature format = 4

  • MatchFeature match = 5

  • CharacteristicFeature characteristic = 6

  • ExportFeature export = 7

  • ImportFeature import_ = 8

    import is Python keyword

  • SectionFeature section = 9

  • FunctionNameFeature function_name = 10

  • SubstringFeature substring = 11

  • RegexFeature regex = 12

  • StringFeature string = 13

  • ClassFeature class_ = 14

  • NamespaceFeature namespace = 15

  • APIFeature api = 16

  • PropertyFeature property_ = 17

    property is a Python top-level decorator name

  • NumberFeature number = 18

  • BytesFeature bytes = 19

  • OffsetFeature offset = 20

  • MnemonicFeature mnemonic = 21

  • OperandNumberFeature operand_number = 22

  • OperandOffsetFeature operand_offset = 23

  • BasicBlockFeature basic_block = 24

Used in: Metadata

• FLAVOR_UNSPECIFIED = 0

• FLAVOR_STATIC = 1

• FLAVOR_DYNAMIC = 2

Used in: FeatureNode

• string type = 1

• string format = 2

• optional string description = 3

Used in: FeatureCounts, StaticFeatureCounts

• optional Address address = 1

• uint64 count = 2

Used in: Layout, StaticLayout

• optional Address address = 1

• repeated BasicBlockLayout matched_basic_blocks = 2

Used in: FeatureNode

• string type = 1

• string function_name = 2

• optional string description = 3

Used in: FeatureNode

• string type = 1

• string import_ = 2

• optional string description = 3

Used in: Address, OffsetFeature, OperandNumberFeature, OperandOffsetFeature, Ppid_Pid, Ppid_Pid_Tid, Ppid_Pid_Tid_Id, Token_Offset

• oneof value

  • uint64 u = 1

  • sint64 i = 2

Used in: Analysis

• repeated FunctionLayout functions = 1

Used in: Analysis, StaticAnalysis

• optional Address address = 1

• string name = 2

Used in: RuleMetadata

• repeated string parts = 1

• string objective = 2

• string behavior = 3

• string method = 4

• string id = 5

Used in: RuleMetadata

• string analysis_conclusion = 1

• string analysis_conclusion_ov = 2

• string malware_family = 3

• string malware_category = 4

• string malware_category_ov = 5

Used in: Pair_Address_Match

• bool success = 1

• oneof node

  • StatementNode statement = 2

  • FeatureNode feature = 3

• repeated Match children = 5

• repeated Address locations = 6

• map<string, Addresses> captures = 7

Used in: FeatureNode

• string type = 1

• string match = 2

• optional string description = 3

Used in: ResultDocument

• string timestamp = 1

  iso8601 format, like: 2019-01-01T00:00:00Z

• string version = 2

• repeated string argv = 3

• optional Sample sample = 4

• optional Analysis analysis = 5

  deprecated in v7.0. use analysis2 instead.

• Flavor flavor = 6

• oneof analysis2

  • StaticAnalysis static_analysis = 7

    use analysis2 instead of analysis (deprecated in v7.0).

  • DynamicAnalysis dynamic_analysis = 8

Used in: FeatureNode

• string type = 1

• string mnemonic = 2

• optional string description = 3

Used in: FeatureNode

• string type = 1

• string namespace = 2

• optional string description = 3

Used in: NumberFeature

• oneof value

  • uint64 u = 1

  • sint64 i = 2

  • double f = 3

Used in: FeatureNode

• string type = 1

• optional Number number = 2

  this can be positive (range: u64), negative (range: i64), or a double.

• optional string description = 5

Used in: FeatureNode

• string type = 1

• string os = 2

• optional string description = 3

Used in: FeatureNode

• string type = 1

• optional Integer offset = 2

  offset can be negative

• optional string description = 3

Used in: FeatureNode

• string type = 1

• uint32 index = 2

• optional Integer operand_number = 3

  this can be positive (range: u64), negative (range: i64), or a double.

• optional string description = 4

Used in: FeatureNode

• string type = 1

• uint32 index = 2

• optional Integer operand_offset = 3

• optional string description = 4

Used in: RuleMatches

• optional Address address = 1

• optional Match match = 2

Used in: Address

• optional Integer ppid = 1

• optional Integer pid = 2

Used in: Address

• optional Integer ppid = 1

• optional Integer pid = 2

• optional Integer tid = 3

Used in: Address

• optional Integer ppid = 1

• optional Integer pid = 2

• optional Integer tid = 3

• optional Integer id = 4

Used in: DynamicFeatureCounts

• optional Address address = 1

• uint64 count = 2

Used in: DynamicLayout

• optional Address address = 1

• repeated ThreadLayout matched_threads = 2

• string name = 3

Used in: FeatureNode

• string type = 1

• string property_ = 2

  property is a Python top-level decorator name

• optional string access = 3

• optional string description = 4

Used in: StatementNode

• string type = 1

• uint64 min = 2

• uint64 max = 3

• optional FeatureNode child = 4

  reusing FeatureNode here to avoid duplication and list all features OSFeature, ArchFeature, ... again.

• optional string description = 5

Used in: FeatureNode

• string type = 1

• string regex = 2

• optional string description = 3

• optional Metadata meta = 1

• map<string, RuleMatches> rules = 2

Used in: ResultDocument

• optional RuleMetadata meta = 1

• string source = 2

• repeated Pair_Address_Match matches = 3

Used in: RuleMatches

• string name = 1

• string namespace = 2

• repeated string authors = 3

• Scope scope = 4

  deprecated in v7.0. use scopes instead.

• repeated AttackSpec attack = 5

• repeated MBCSpec mbc = 6

• repeated string references = 7

• repeated string examples = 8

• string description = 9

• bool lib = 10

• optional MaecMetadata maec = 11

• bool is_subscope_rule = 12

• optional Scopes scopes = 13

  use scopes over scope (deprecated in v7.0).

Used in: Metadata

• string md5 = 1

• string sha1 = 2

• string sha256 = 3

• string path = 4

Used in: RuleMetadata, Scopes, SubscopeStatement

• SCOPE_UNSPECIFIED = 0

• SCOPE_FILE = 1

• SCOPE_FUNCTION = 2

• SCOPE_BASIC_BLOCK = 3

• SCOPE_INSTRUCTION = 4

• SCOPE_PROCESS = 5

• SCOPE_THREAD = 6

• SCOPE_CALL = 7

• SCOPE_SPAN_OF_CALLS = 8

Used in: RuleMetadata

• optional Scope static = 1

• optional Scope dynamic = 2

Used in: FeatureNode

• string type = 1

• string section = 2

• optional string description = 3

Used in: StatementNode

• string type = 1

• uint32 count = 2

• optional string description = 3

Used in: Match

• string type = 1

• oneof statement

  • RangeStatement range = 2

  • SomeStatement some = 3

  • SubscopeStatement subscope = 4

  • CompoundStatement compound = 5

Used in: Metadata

• string format = 1

• string arch = 2

• string os = 3

• string extractor = 4

• repeated string rules = 5

• optional Address base_address = 6

• optional StaticLayout layout = 7

• optional StaticFeatureCounts feature_counts = 8

• repeated LibraryFunction library_functions = 9

Used in: StaticAnalysis

• uint64 file = 1

• repeated FunctionFeatureCount functions = 2

Used in: StaticAnalysis

• repeated FunctionLayout functions = 1

Used in: FeatureNode

• string type = 1

• string string = 2

• optional string description = 3

Used in: StatementNode

• string type = 1

• Scope scope = 2

• optional string description = 3

Used in: FeatureNode

• string type = 1

• string substring = 2

• optional string description = 3

Used in: ProcessLayout

• optional Address address = 1

• repeated CallLayout matched_calls = 2

Used in: Address

• optional Integer token = 1

• uint64 offset = 2

  offset is always >= 0