From 95ef6e6ca0d152f56382b75d3d809f896a57636c Mon Sep 17 00:00:00 2001
From: vibhatsu
Date: Fri, 7 Feb 2025 13:08:31 +0530
Subject: [PATCH 1/3] mod(trim_dll_part): separate paths for all supported format
Signed-off-by: vibhatsu
---
 capa/rules/__init__.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/capa/rules/__init__.py b/capa/rules/__init__.py
index 9fa80a29e..df0c57677 100644
--- a/capa/rules/__init__.py
+++ b/capa/rules/__init__.py
@@ -580,11 +580,13 @@ def trim_dll_part(api: str) -> str:
 if ".#" in api:
 return api
+ # .NET namespace, like System.Diagnostics.Debugger::IsLogging, keep the namespace part
+ if "::" in api:
+ return api
+
 # kernel32.CreateFileA
 if api.count(".") == 1:
- if "::" not in api:
- # skip System.Convert::FromBase64String
- api = api.split(".")[1]
+ api = api.split(".")[1]
 return api
From 7388818577c1189c0c658b4e94bc52fb1c9802ae Mon Sep 17 00:00:00 2001
From: vibhatsu
Date: Fri, 7 Feb 2025 13:09:14 +0530
Subject: [PATCH 2/3] add unit test for trim_dll_part
Signed-off-by: vibhatsu
---
 tests/test_rules.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 0361621cf..847d6ac40 100644
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
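Review bot: In `trim_dll_part` (capa/rules/__init__.py), the final `return api` is now the silent fall-through for every name with two or more dots and neither `.#` nor `::`, and nothing in the hunk says this is intended. The result is presumably what rule API features are compared against (callers are outside the hunk), so an un-normalised name would surface as a missed match rather than an error. I would state the contract above that line, e.g. `# any other shape (more than one "." and no ".#" or "::") is returned unchanged`. Also note that `api.split(".")[1]` yields an empty string for an input ending in a dot, so a guard such as `if api.count(".") == 1 and not api.endswith("."):` may be wanted. The function's signature and docstring sit outside this hunk.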
@@ -1653,3 +1653,15 @@ def test_circular_dependency():
 ]
 with pytest.raises(capa.rules.InvalidRule):
 list(capa.rules.get_rules_and_dependencies(rules, rules[0].name))
+
+
+def test_trim_dll_part():
+ from capa.rules import trim_dll_part
+
+ assert trim_dll_part("GetModuleHandle") == "GetModuleHandle"
+ assert trim_dll_part("kernel32.CreateFileA") == "CreateFileA"
+ assert trim_dll_part("System.Convert::FromBase64String") == "System.Convert::FromBase64String"
+ assert trim_dll_part("System.Diagnostics.Debugger::IsLogging") == "System.Diagnostics.Debugger::IsLogging"
+ assert trim_dll_part("ws2_32.#1") == "ws2_32.#1"
+ assert trim_dll_part("Debugger::IsLogging") == "Debugger::IsLogging"
+ assert trim_dll_part("kernel32.ws2.#1") == "kernel32.ws2.#1"
From 05bd77ec939ba5fab9e14562a229d9ef18cd6458 Mon Sep 17 00:00:00 2001
From: vibhatsu
Date: Fri, 7 Feb 2025 13:22:35 +0530
Subject: [PATCH 3/3] update CHANGELOG
Signed-off-by: vibhatsu
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2f670352f..abc4a1d41 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,7 +11,8 @@ - ### Bug Fixes - +- separate execution paths for all supported formats of `api` in `trim_dll_part` #1899 @v1bh475u +- add test for `trim_dll_part` #1899 @v1bh475u ### capa Explorer Web ### capa Explorer IDA Pro plugin
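Review bot: `test_trim_dll_part` in tests/test_rules.py imports `trim_dll_part` inside the function body, while the context lines just above reach `capa.rules.InvalidRule` and `capa.rules.get_rules_and_dependencies` through the module. Calling `capa.rules.trim_dll_part(...)` directly would match the rest of the file and drop the local import. The assertions also cover only well-formed names. Adding `assert trim_dll_part("") == ""` and a multi-dot case with no ordinal or namespace, such as `assert trim_dll_part("a.b.c") == "a.b.c"` (constructed sample), would pin the fall-through path that the refactor in patch 1 leaves implicit.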