capa: Capabilities from Dynamic Analysis
- Mentors: Willi Ballenthin, Moritz, rxrd, Conor Quigley
- Organization: FLARE
- Technologies: python, Sandbox
- Topics: reverse engineering, malware analysis
capa is an open-source tool that identifies program capabilities using an extensible rule set. Currently, the project relies purely on static analysis of code structures to identify patterns. This project extends capa to work on dynamic execution data such as sandbox run traces or code emulation analysis.
Adding dynamic analysis to capa should make it much easier to analyze samples that use anti-analysis techniques. This matters because a large share of software distributed today is packed with commercial or private packers, so capa's static analysis fails to profile these executables' capabilities. Dynamic analysis circumvents this by giving capa a view of the program after it has been unpacked in memory, making it possible to extract the capabilities of the executable at hand.
Deliverables:
1. Add support for the future integration of several sandbox solutions by means of an associated feature extractor.
2. Implement a feature extractor for the Cuckoo-based CAPE Malware Configuration and Payload Extractor.
3. Introduce capa features that are specific to dynamic analysis (such as captured network traffic).
4. Add dynamic-based support for function call arguments.
5. Write novel rules that make use of the newly introduced dynamic capability extraction.
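To illustrate what deliverables 2 to 4 amount to, here is an added toy example (not code from capa or from this proposal): a call-scoped feature extractor over a constructed, CAPE-style call trace, plus a minimal rule matcher that uses API names and argument values. The report layout, the feature tuples and the rule format are assumptions for the example; real capa rules are YAML and its extractor API differs.

```python
# Constructed sandbox report, loosely modelled on a CAPE-style behaviour log
# (process -> recorded API calls with named arguments). Not a real CAPE report.
REPORT = {"processes": [
    {"pid": 1234, "calls": [
        {"api": "CreateProcessInternalW",
         "arguments": [{"name": "ApplicationName", "value": "svchost.exe"},
                       {"name": "CreationFlags", "value": "0x00000004"}],
         "return": "1"},
        {"api": "InternetOpenUrlA",
         "arguments": [{"name": "URL", "value": "http://example.invalid/payload.bin"}],
         "return": "0x1c0"},
    ]},
]}

# Hypothetical call-scoped rules: every listed feature must be present in one call.
RULES = [
    {"name": "create process in suspended state", "scope": "call",
     "features": [("api", "CreateProcessInternalW"), ("number", 0x4)]},  # CREATE_SUSPENDED
    {"name": "download file via WinINet", "scope": "call",
     "features": [("api", "InternetOpenUrlA"), ("substring", "http://")]},
]

def extract_call_features(call):
    """Turn one recorded API call into capa-style (kind, value) feature pairs:
    the API name plus each argument as a number (hex or decimal) or a string."""
    feats = {("api", call["api"])}
    for arg in call.get("arguments", []):
        value = arg["value"]
        try:
            feats.add(("number", int(value, 0)))
        except ValueError:
            feats.add(("string", value))
    return feats

def rule_matches(rule, feats):
    """True if every feature the rule requires is satisfied by this call's features."""
    for kind, value in rule["features"]:
        if kind == "substring":
            if not any(k == "string" and value in v for k, v in feats):
                return False
        elif (kind, value) not in feats:
            return False
    return True

def match_rules(report, rules):
    """Evaluate call-scoped rules against every recorded call; return (rule, pid, call index)."""
    hits = []
    for proc in report["processes"]:
        for idx, call in enumerate(proc["calls"]):
            feats = extract_call_features(call)
            hits += [(r["name"], proc["pid"], idx)
                     for r in rules if r["scope"] == "call" and rule_matches(r, feats)]
    return hits
```

Because the trace is recorded after unpacking, the matcher sees the real API names and flag values even when the sample on disk is packed.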