Capa-scripts: how to match imported classes and static methods in source code

[adamstorek]

Ideally, we would like to match process creation in any of the following scenarios:

using System;
using System.IO;
using System.Diagnostics;

my_ps0 = Process();
my_ps1 = Diagnostics.Process();
my_ps2 = System.Diagnostics.Process();

This would be trivial if we knew what we are looking for before feature extraction. However, capa does not. Another alternative would be to extract all possible combinations as features, leading to the extraction of the correct feature but also to many very wrong features being extracted, such as: System.IO.Process etc. Potentially, a way out of this dilemma would be to maintain a list of classes etc. we are interested (e.g. System.Diagnostics.Process) and with each new object instantiation etc. iterate through all imported namespaces and check whether this combination is a known "signature" or not.

[mr-tz]

I think "over-reporting" features would work as a good first solution. If we notice accuracy or performance hits, we could then add a solution like the proposed target list.

[adamstorek]

That makes sense. Also consider that the default namespaces imported into every ASPX are:

System
System.Collections
System.Collections.Specialized
System.Configuration
System.Text
System.Text.RegularExpressions
System.Web
System.Web.Caching
System.Web.Profile
System.Web.Security
System.Web.SessionState
System.Web.UI
System.Web.UI.HtmlControls
System.Web.UI.WebControls
System.Web.UI.WebControls.WebParts

So, the minimum over-reporting multiplier for ASPX will be 15.

[mr-tz]

That's a good point. Let's definitely keep the feature count and performance in mind for future improvements!