fix: do not trim api names that include :: (#1897)

mandiant · Jan 8, 2024 · f37b598 · f37b598
1 parent 7584e4a
commit f37b598
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/capa/rules/__init__.py b/capa/rules/__init__.py
@@ -602,7 +602,9 @@ def trim_dll_part(api: str) -> str:
 
     # kernel32.CreateFileA
     if api.count(".") == 1:
-        api = api.split(".")[1]
+        if "::" not in api:
+            # skip System.Convert::FromBase64String
+            api = api.split(".")[1]
     return api
 
 

diff --git a/tests/test_rules.py b/tests/test_rules.py
@@ -949,6 +949,7 @@ def test_count_api():
             features:
                 - or:
                     - count(api(kernel32.CreateFileA)): 1
+                    - count(api(System.Convert::FromBase64String)): 1
         """
     )
     r = capa.rules.Rule.from_yaml(rule)
@@ -957,6 +958,7 @@ def test_count_api():
     assert bool(r.evaluate({API("kernel32.CreateFile"): set()})) is False
     assert bool(r.evaluate({API("CreateFile"): {ADDR1}})) is False
     assert bool(r.evaluate({API("CreateFileA"): {ADDR1}})) is True
+    assert bool(r.evaluate({API("System.Convert::FromBase64String"): {ADDR1}})) is True
 
 
 def test_invalid_number():