Merge branch 'master' into dependabot/pip/pyyaml-6.0.1

CHANGELOG.md

@@ -6,13 +6,15 @@
 
 ### Breaking Changes
 
-### New Rules (1)
+### New Rules (2)
 
 - executable/pe/export/forwarded-export [email protected]
 -
 
 ### Bug Fixes
 
+- Fix binja backend stack string detection. [#1473](https://github.com/mandiant/capa/issues/1473) [@xusheng6](https://github.com/xusheng6)
+
 ### capa explorer IDA Pro plugin
 
 ### Development

capa/features/extractors/binja/basicblock.py

@@ -75,10 +75,11 @@ def get_stack_string_len(f: Function, il: MediumLevelILInstruction) -> int:
         return 0
 
     dest = il.params[0]
-    if dest.operation != MediumLevelILOperation.MLIL_ADDRESS_OF:
+    if dest.operation in [MediumLevelILOperation.MLIL_ADDRESS_OF, MediumLevelILOperation.MLIL_VAR]:
+        var = dest.src
+    else:
         return 0
 
-    var = dest.src
     if var.source_type != VariableSourceType.StackVariableSourceType:
         return 0
 

pyproject.toml

@@ -77,7 +77,7 @@ dev = [
     "flake8-simplify==0.20.0",
     "flake8-use-pathlib==0.3.0",
     "flake8-copyright==0.2.4",
-    "ruff==0.0.278",
+    "ruff==0.0.280",
     "black==23.7.0",
     "isort==5.11.4",
     "mypy==1.4.1",

tests/test_binja_features.py

@@ -40,9 +40,6 @@
     indirect=["sample", "scope"],
 )
 def test_binja_features(sample, scope, feature, expected):
-    if feature == capa.features.common.Characteristic("stack string"):
-        pytest.xfail("skip failing Binja stack string detection temporarily, see #1473")
-
     if isinstance(feature, capa.features.file.Export) and "." in str(feature.value):
         pytest.xfail("skip Binja unsupported forwarded export feature, see #1646")