fix: correct wrong dict key in VMRay _compute_monitor_threads assertion

In `_compute_monitor_threads`, the uniqueness assertion indexed `monitor_threads_by_monitor_process` by `thread_id` instead of `process_id`. Because the dict is a `defaultdict(list)`, each lookup on a novel thread ID creates a fresh empty list, making the assertion vacuously true. Duplicate thread IDs within a process are never caught. Line 242 immediately below uses the correct key `process_id` when appending, so the data structure is populated correctly; only the guard was broken. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-28 11:53:20 -07:00 · 2026-04-22 18:53:41 +03:00
parent 183a26afb0
commit 0fdfc7734c
2 changed files with 2 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@
 - fix: remove unreachable backports.functools_lru_cache fallback and dead dependency @williballenthin
 - fix: add missing ELF branch in get_format_from_extension for .elf_ files @williballenthin #3031
 - fix: Scopes.from_dict uses cls instead of self so subclasses return the correct type @williballenthin
+- fix: correct wrong dict key in VMRay _compute_monitor_threads assertion (used thread_id instead of process_id) @williballenthin

 ### capa Explorer Web

--- a/capa/features/extractors/vmray/init.py
+++ b/capa/features/extractors/vmray/init.py
@@ -237,7 +237,7 @@ class VMRayAnalysis:

            # we expect each monitor thread ID to be unique for its associated monitor process ID e.g. monitor
            # thread ID 10 should not be captured twice for monitor process ID 1
-            assert monitor_thread.thread_id not in self.monitor_threads_by_monitor_process[monitor_thread.thread_id]
+            assert monitor_thread.thread_id not in self.monitor_threads_by_monitor_process[monitor_thread.process_id]

            self.monitor_threads_by_monitor_process[monitor_thread.process_id].append(monitor_thread.thread_id)