fn: dynamic: "reference analysis tools strings"

[mike-hunhoff]

We should update the dynamic scope from file to call to take advantage of detecting these strings at execution for packed samples.

rule: https://github.com/mandiant/capa-rules/blob/b0b486fe0c94cca8e75bc8ed5b3080b5c3fd432e/anti-analysis/reference-analysis-tools-strings.yml

[mike-hunhoff]

Although, ideally, we'd match against both file and call scope 😬

[vishwaksen-1]

Hi @mike-hunhoff! I'd like to work on this issue. Based on docs I understand:

• call scope detects strings at individual API call sites.
• process scope would check across the entire process.
  For this rule, should I use dynamic: call(as your original suggestion), or would process be better? (since you are suggesting if we ideally match both file and call)
  Thanks for clarifying.

[mike-hunhoff]

Hi @vishwaksen-1 , the intent here is to switch to call scope for dynamic. This enables us to match samples that utilize these strings, but may be packed or obfuscated, for example. I've assigned this issue to you. Please let us know here if you have any questions.