vverbose: don't render full ppid/pid/tid in nested blocks, only callid

mandiant · Jan 28, 2025 · e8de7aa · e8de7aa
1 parent b776b62
commit e8de7aa
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 4 deletions.
diff --git a/capa/render/verbose.py b/capa/render/verbose.py
@@ -164,6 +164,25 @@ def render_call(layout: rd.DynamicLayout, addr: frz.Address) -> str:
     )
 
 
+def render_short_call(layout: rd.DynamicLayout, addr: frz.Address) -> str:
+    call = addr.to_capa()
+    assert isinstance(call, capa.features.address.DynamicCallAddress)
+
+    cname = _get_call_name(layout, addr)
+
+    fname, _, rest = cname.partition("(")
+    args, _, rest = rest.rpartition(")")
+
+    s = []
+    s.append(f"{fname}(")
+    for arg in args.split(", "):
+        s.append(f"  {arg},")
+    s.append(f"){rest}")
+
+    newline = "\n"
+    return f"call:{call.id}\n{rutils.mute(newline.join(s))}"
+
+
 def render_static_meta(console: Console, meta: rd.StaticMetadata):
     """
     like:

diff --git a/capa/render/vverbose.py b/capa/render/vverbose.py
@@ -54,7 +54,19 @@ def hanging_indent(s: str, indent: int) -> str:
     return textwrap.indent(s, prefix=prefix)[len(prefix) :]
 
 
-def render_locations(console: Console, layout: rd.Layout, locations: Iterable[frz.Address], indent: int):
+def render_locations(
+    console: Console, layout: rd.Layout, locations: Iterable[frz.Address], indent: int, use_short_format: bool = False
+):
+    """
+    Render the given locations, such as virtual address or pid/tid/callid with process name.
+
+    If `use_short_format` is True:
+    render a small representation of the given locations, such as just the call id,
+    assuming another region of output specified the full location details (like pid/tid).
+
+    In effect, rather than rendering ppid/pid/tid/callid everywhere,
+    describe ppid/pid/tid once, and then refer to just callid in the subsequent blocklin the subsequent block.
+    """
     import capa.render.verbose as v
 
     # it's possible to have an empty locations array here,
@@ -73,14 +85,22 @@ def render_locations(console: Console, layout: rd.Layout, locations: Iterable[fr
 
         if location.type == frz.AddressType.CALL:
             assert isinstance(layout, rd.DynamicLayout)
-            console.write(hanging_indent(v.render_call(layout, location), indent + 1))
+            if use_short_format:
+                render_call = v.render_short_call
+            else:
+                render_call = v.render_call
+            console.write(hanging_indent(render_call(layout, location), indent + 1))
         else:
             console.write(v.format_address(locations[0]))
 
     elif location0.type == frz.AddressType.CALL and len(locations) > 1:
         location = locations[0]
 
         assert isinstance(layout, rd.DynamicLayout)
+        if use_short_format:
+            render_call = v.render_short_call
+        else:
+            render_call = v.render_call
         s = f"{v.render_call(layout, location)}\nand {(len(locations) - 1)} more..."
         console.write(hanging_indent(s, indent + 1))
 
@@ -234,7 +254,7 @@ def render_feature(
             # don't render copies of the span of calls address for submatches
             pass
         else:
-            render_locations(console, layout, match.locations, indent)
+            render_locations(console, layout, match.locations, indent, use_short_format=True)
         console.writeln()
     else:
         # like:
@@ -251,7 +271,7 @@ def render_feature(
                 # like above, don't re-render calls when in call scope.
                 pass
             else:
-                render_locations(console, layout, locations, indent=indent)
+                render_locations(console, layout, locations, indent=indent + 1, use_short_format=True)
             console.writeln()