VMRay extractor: get_processes() yields invalid entries for PID 0 or missing filename

[secresearch00]

Description

VMRayExtractor.get_processes() yields monitor process entries where:

• pid == 0, or
• the monitor process object does not have a valid filename attribute

These entries are not real user processes and appear to be incomplete VMRay monitor records. Passing them through causes downstream logic to run on invalid processes.

A minimal guard resolves the issue:

if monitor_process.pid == 0 or not getattr(monitor_process, "filename", None):
    continue

Steps to Reproduce

1. Run capa on a VMRay analysis JSON containing monitor entries with pid = 0 or missing filename

2. Observe that get_processes() yields these entries as valid processes

Expected behavior:

Invalid or incomplete monitor process entries are ignored.

Actual behavior:

They are yielded as valid processes.

Versions

• Capa version v9.3.1
• Python 3.12
• OS: Debian Bookworm (slim)
• Base image: python:3.12-slim-bookworm
• Component: /capa/features/extractors/vmray/extractor.py

Additional Information

Tested using the VMray analysis archive from running sample 1ecebdf9dfc8fb0997c4d68fb810182fa3582fc592336e8be071be3ab61daccc (available on VT) in a Windows 10 VM.

[mr-tz]

Thanks for the details. Would you be interested in submitting a PR to be acknowledged fully for this? If not we can tackle this in the upcoming weeks.

[secresearch00]

Feel free to tackle in the next few weeks, just wanted to get it on your radar.

[mike-hunhoff]

Thank you for reporting @secresearch00 . Regarding the VMRay archive, do you believe this is intended behavior or a potential bug in the analysis completed by VMRay? And to clarify, by process "pid" of 0, are you referring to the monitor ID assigned by VMRay or the OS process ID?

[secresearch00]

I believe this is expected behavior in terms of VMRay output. Referring to the OS process ID in this case.