From 7d9ae57692db0dd0df998b38fac8a837e800a6a4 Mon Sep 17 00:00:00 2001
From: Yacine Elhamer
Date: Wed, 4 Oct 2023 10:28:10 +0200
Subject: [PATCH] check for pid and ppid reuse

---
 capa/features/extractors/cape/file.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/capa/features/extractors/cape/file.py b/capa/features/extractors/cape/file.py
index 35757b3a..e2d40cba 100644
--- a/capa/features/extractors/cape/file.py
+++ b/capa/features/extractors/cape/file.py
@@ -23,10 +23,20 @@ def get_processes(report: CapeReport) -> Iterator[ProcessHandle]:
     """
     get all the created processes for a sample
     """
+    seen_processes = {}
     for process in report.behavior.processes:
         addr = ProcessAddress(pid=process.process_id, ppid=process.parent_id)
         yield ProcessHandle(address=addr, inner=process)
+        # check for pid and ppid reuse
+        if addr not in seen_processes:
+            seen_processes[addr] = [process]
+        else:
+            logger.warning(
+                f"pid and ppid reuse detected between process {process} and process{'es' if len(seen_processes[addr]) > 1 else ''}: {seen_processes[addr]}"
+            )
+            seen_processes[addr].append(process)
+
 
 
 def extract_import_names(report: CapeReport) -> Iterator[Tuple[Feature, Address]]:
     """
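Review bot: The warning in the new `else` branch interpolates the whole `process` object and the list of previously seen ones into the message; if the report model's repr includes per-process API-call data (not visible in this hunk — confirm), one pid/ppid collision will dump the entire trace into the log, and the f-string is built even when warnings are filtered out. Logging only the identifying fields through the logger's own formatting keeps it bounded: `logger.warning("pid and ppid reuse detected: pid=%s ppid=%s (seen %d time(s) before)", process.process_id, process.parent_id, len(seen_processes[addr]))`. The duplicate handle is still yielded with the same `ProcessAddress`, so any consumer that keys on address will merge the two processes — the check makes the collision visible but does not disambiguate it, which deserves a comment on `seen_processes` such as `# pid/ppid pairs already yielded; a repeat is only logged, the handle is still emitted with the same address`. An annotation on the dict (`seen_processes: Dict[ProcessAddress, List[Process]] = {}`, assuming those typing names are imported in this file) would also make the intent clearer; the function's signature line sits in the hunk header and the rest of its body is within the hunk.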