capa: ARM support

[HelixY2J]

Greetings @mandiant/flare-gsoc (@williballenthin @mike-hunhoff @mr-tz )

I am keen to contribute to this project involving ARM support for CAPA

Here is a bit about me:
I am familiar with tools such as Ghidra, IDA and GDB as a CTF player with Reverse Engineering domain.I am also working on a research project on malware analysis using system calls, where I learnt about tools like Monkeyrunner and CuckooDroid for extracting system calls in a sandboxed environments.

I recently authored a white paper on Frida, a binary exploitation toolkit, which is yet to be published. In this paper, I worked on a use case to patch both X86 and ARM assembly instructions using Frida's X86Writer and ARM64Writer class to bypass certain checks in an APK

Till now I have went through the a small section of the codebase,tested the tool myself and got a high level understanding about the architecture of CAPA for x86

Please correct me If I am wrong

• The feature extraction engine, where we do code analysis to pull out features such as APIs, string references and the disassembly of a program
• So if it disassembles an entire function, it can group every feature that it finds in that function with that specific code part
• Then comes rule engine that can deduce the capability which is contained in the file if a specific combination of features is present
• Also it build capabilities on top of each other by referencing other capabilities with existing rules

So, we need to tweak the existing backends to parse ARM binaries and also the feature extraction process by identifying and extracting ARM instructions.We then have to extend CAPA rule engine by defining new rule structures for the ARM binaries.

I will love to connect with mentors to discuss more about the project idea, some resources maybe to point me in right direction. I want to know what else I must be doing right now to provide value for this project.

[mr-tz]

Hey, that sounds great and your summary is accurate. Please see the project proposal for initial ideas/tasks and feel free to ask any specific questions subsequently.

[p21nc3]

Hello @mandiant/flare-gsoc (@williballenthin @mike-hunhoff @mr-tz )

I am looking forward to submit my proposal for this project, and have worked on an approach, before completing my proposal there are couple of queries i would like ask.

1. Are there any recommended tools or libraries for parsing ARM binaries that you suggest integrating into capa
2. Could you provide guidance on specific ARM architectures or formats that are commonly encountered in malware analysis

[mike-hunhoff]

Thanks for reaching out @p21nc3 !

1. capa implements multiple "extractors" that extract features from supported file types and architectures where each extractor is powered by an underlying framework/tool. The extractors that are relevant to this project are powered by vivisect, IDA Pro, Ghidra, and Binary Ninja. The vivisect extractor powers capa's standalone tool and extending it to support ARM would be the main focus of this project with potential stretch goals to extend the other relevant extractors mentioned here to support ARM as well. vivisect appears to have some level of support for ARM but testing is needed to identify how robust this support is and if it will be enough to support capa's needs. I'd recommend accounting for this in your project proposal.
2. A good start would be AArch64 ELF files targeting Android.