vmray: skip processes with invalid PID or missing filename (#2807) (#2845)

Co-authored-by: Mike Hunhoff <mike.hunhoff@gmail.com>

CHANGELOG.md

@@ -23,6 +23,7 @@
 - Fixed insecure deserialization vulnerability in YAML loading @0x1622 (#2770)
 - loader: gracefully handle ELF files with unsupported architectures kamranulhaq2002@gmail.com #2800
 - lint: disable rule caching during linting @Maijin #2817
+- vmray: skip processes with invalid PID or missing filename @EclipseAditya #2807
 
 ### capa Explorer Web
 

capa/features/extractors/vmray/extractor.py

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
+import logging
 from typing import Iterator
 from pathlib import Path
 
@@ -39,6 +39,8 @@ from capa.features.extractors.base_extractor import (
     DynamicFeatureExtractor,
 )
 
+logger = logging.getLogger(__name__)
+
 
 def get_formatted_params(params: ParamList) -> list[str]:
     params_list: list[str] = []
@@ -87,6 +89,16 @@ class VMRayExtractor(DynamicFeatureExtractor):
 
     def get_processes(self) -> Iterator[ProcessHandle]:
         for monitor_process in self.analysis.monitor_processes.values():
+            # skip invalid/incomplete monitor process entries, see #2807
+            if monitor_process.pid == 0 or not monitor_process.filename:
+                logger.debug(
+                    "skipping incomplete process entry: pid=%d, filename=%s, monitor_id=%d",
+                    monitor_process.pid,
+                    monitor_process.filename,
+                    monitor_process.monitor_id,
+                )
+                continue
+
             address: ProcessAddress = ProcessAddress(pid=monitor_process.pid, ppid=monitor_process.ppid)
             yield ProcessHandle(address, inner=monitor_process)