2 مستودعات
Binary analysis that extracts program capabilities by running detection rules through Ghidra's feature extraction engine.
Distinct from Binary Analysis Capabilities: Distinct from Binary Analysis Capabilities: specifically uses Ghidra as the analysis backend rather than general binary inspection tools.
Explore 2 awesome GitHub repositories matching operating systems & systems programming · Ghidra-Based Binary Analysis. Refine with filters or upvote what's useful.
capa is a binary capability scanner that identifies high-level behaviors and actions an executable can perform, such as network communication or file manipulation. It functions as a malware behavior analysis tool and a MITRE ATT&CK mapping framework, scanning PE, ELF, .NET, and shellcode files through both static analysis and dynamic sandbox report processing. The tool distinguishes itself through a YAML-based detection rule engine that defines detection logic in human-readable files, with conditions expressed as feature combinations and logical operators. It integrates with IDA Pro, Ghidra,
Provides a plugin-based abstraction layer that delegates feature extraction to external disassemblers like IDA Pro and Ghidra.
capa is a static analysis tool that scans executable files to identify what a program can do, detecting capabilities such as API calls, byte sequences, and structural patterns without executing the code. It supports multiple file formats including PE, ELF, .NET, and shellcode, and can also process runtime behavior traces from sandbox reports generated by CAPE, DRAKVUF, or VMRay. The tool integrates directly with reverse engineering environments through plugins for IDA Pro and Ghidra, allowing analysts to view capability matches and author detection rules within their disassembler of choice. C
Extracts program capabilities through Ghidra's analysis engine with results viewable in the Ghidra UI.