emit number(0) for insn like "xor eax, eax"

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## master (unreleased)
 
 ### New Features
+- emit number(0) for instructions like "xor eax,eax" #2622 @v1bh475u
 
 ### Breaking Changes
 

capa/features/extractors/binexport2/arch/arm/insn.py

@@ -53,6 +53,15 @@ def extract_insn_number_features(
 
     mnemonic: str = get_instruction_mnemonic(be2, instruction)
 
+    if mnemonic == "xor":
+        operands: list[BinExport2.Operand] = [be2.operand[operand_index] for operand_index in instruction.operand_index]
+        if operands[1] == operands[2]:
+            # for pattern like:
+            #
+            #   eor x0, x0, x0
+            #
+            yield Number(0), ih.address
+
     if mnemonic in ("add", "sub"):
         assert len(instruction.operand_index) == 3
 

capa/features/extractors/binexport2/arch/intel/insn.py

@@ -81,6 +81,17 @@ def extract_insn_number_features(
 
     match = NUMBER_PATTERNS.match_with_be2(be2, ii.instruction_index)
     if not match:
+        if BinExport2InstructionPatternMatcher.from_str("xor reg, reg").match_with_be2(be2, ii.instruction_index):
+            # for pattern like:
+            #
+            #   xor eax, eax
+            #
+            instruction: BinExport2.Instruction = be2.instruction[ii.instruction_index]
+            operands: list[BinExport2.Operand] = [
+                be2.operand[operand_index] for operand_index in instruction.operand_index
+            ]
+            if operands[0] == operands[1]:
+                yield Number(0), ih.address
         return
 
     value: int = mask_immediate(fhi.arch, match.expression.immediate)
@@ -91,9 +102,9 @@ def extract_insn_number_features(
     yield OperandNumber(match.operand_index, value), ih.address
 
     instruction_index: int = ii.instruction_index
-    instruction: BinExport2.Instruction = be2.instruction[instruction_index]
+    current_instruction: BinExport2.Instruction = be2.instruction[instruction_index]
 
-    mnemonic: str = get_instruction_mnemonic(be2, instruction)
+    mnemonic: str = get_instruction_mnemonic(be2, current_instruction)
     if mnemonic.startswith("add"):
         if 0 < value < MAX_STRUCTURE_SIZE:
             yield Offset(value), ih.address

capa/features/extractors/ghidra/insn.py

@@ -156,6 +156,14 @@ def extract_insn_number_features(fh: FunctionHandle, bb: BBHandle, ih: InsnHandl
         #   .text:00401145 add esp, 0Ch
         return
 
+    if insn.getMnemonicString().startswith("XOR"):
+        # for patern like:
+        #
+        #   xor eax, eax
+        if insn.getNumOperands() == 2:
+            if insn.getOpObjects(0)[-1] == insn.getOpObjects(1)[-1]:
+                yield Number(0), ih.address
+
     for i in range(insn.getNumOperands()):
         # Exceptions for LEA insn:
         # invalid operand encoding, considered numbers instead of offsets

capa/features/extractors/ida/insn.py

@@ -160,6 +160,13 @@ def extract_insn_number_features(
         #   .text:00401145 add esp, 0Ch
         return
 
+    if insn.itype == idaapi.NN_xor:
+        # for pattern like:
+        #
+        #     xor eax, eax
+        if insn.ops[0].type == idaapi.o_reg and insn.ops[1].type == idaapi.o_reg and insn.ops[0].reg == insn.ops[1].reg:
+            yield Number(0), ih.address
+
     for i, op in enumerate(insn.ops):
         if op.type == idaapi.o_void:
             break

capa/features/extractors/viv/helpers.py

@@ -14,6 +14,7 @@
 
 from typing import Optional
 
+import envi
 from vivisect import VivWorkspace
 from vivisect.const import XR_TO, REF_CODE
 
@@ -28,3 +29,18 @@ def get_coderef_from(vw: VivWorkspace, va: int) -> Optional[int]:
         return xrefs[0][XR_TO]
     else:
         return None
+
+
+def is_xor(insn: envi.Opcode):
+    return insn.mnem in ("xor", "xorpd", "xorps", "pxor")
+
+
+def is_operands_equal(insn: envi.Opcode):
+    return insn.opers[0] == insn.opers[1]
+
+
+def is_zxor(insn: envi.Opcode):
+    if is_xor(insn):
+        return is_operands_equal(insn)
+
+    return False

capa/features/extractors/viv/insn.py

@@ -387,10 +387,10 @@ def extract_insn_nzxor_characteristic_features(
     bb: viv_utils.BasicBlock = bbhandle.inner
     f: viv_utils.Function = fh.inner
 
-    if insn.mnem not in ("xor", "xorpd", "xorps", "pxor"):
+    if not capa.features.extractors.viv.helpers.is_xor(insn):
         return
 
-    if insn.opers[0] == insn.opers[1]:
+    if capa.features.extractors.viv.helpers.is_operands_equal(insn):
         return
 
     if is_security_cookie(f, bb, insn):
@@ -594,6 +594,13 @@ def extract_op_number_features(
     insn: envi.Opcode = ih.inner
     f: viv_utils.Function = fh.inner
 
+    if capa.features.extractors.viv.helpers.is_zxor(insn):
+        # for pattern like:
+        #
+        #     xor eax, eax
+        #
+        yield Number(0), ih.address
+
     # this is for both x32 and x64
     if not isinstance(oper, (envi.archs.i386.disasm.i386ImmOper, envi.archs.i386.disasm.i386ImmMemOper)):
         return

tests/fixtures.py

@@ -1021,6 +1021,8 @@ def parametrize(params, values, **kwargs):
         ("7351f.elf", "function=0x408753,bb=0x408781", capa.features.insn.API("open"), True),
         ("79abd...", "function=0x10002385,bb=0x10002385", capa.features.common.Characteristic("call $+5"), True),
         ("946a9...", "function=0x10001510,bb=0x100015c0", capa.features.common.Characteristic("call $+5"), True),
+        ("9324d...", "function=0x40806C,bb=0x40806C,insn=0x40806C", capa.features.insn.Number(0), True),
+        ("mimikatz", "function=0x40105d", capa.features.insn.Number(0), True),
     ],
     # order tests by (file, item)
     # so that our LRU cache is most effective.