gitea-mirror/capa
1
0
Fork 0
mirror of https://github.com/mandiant/capa.git synced 2026-02-04 11:07:53 -08:00
Code Issues Packages Projects Releases Wiki Activity

check for pid and ppid reuse

Browse Source
This commit is contained in:
Yacine Elhamer
2023-10-04 10:28:10 +02:00
parent dd0eadb438
commit 7d9ae57692
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
capa/features/extractors/cape/file.py
View File

@@ -23,10 +23,20 @@ def get_processes(report: CapeReport) -> Iterator[ProcessHandle]:
"""
get all the created processes for a sample
"""
seen_processes = {}
for process in report.behavior.processes:
addr = ProcessAddress(pid=process.process_id, ppid=process.parent_id)
yield ProcessHandle(address=addr, inner=process)
# check for pid and ppid reuse
if addr not in seen_processes:
seen_processes[addr] = [process]
else:
logger.warning(
f"pid and ppid reuse detected between process {process} and process{'es' if len(seen_processes[addr]) > 1 else ''}: {seen_processes[addr]}"
)
seen_processes[addr].append(process)
def extract_import_names(report: CapeReport) -> Iterator[Tuple[Feature, Address]]:
"""