From 51630fe8ee3b90a8e1fd9936a5dbb2e7b6149e85 Mon Sep 17 00:00:00 2001
From: Aditya Pandey <116456309+EclipseAditya@users.noreply.github.com>
Date: Fri, 30 Jan 2026 23:29:14 +0530
Subject: [PATCH] vmray: skip processes with invalid PID or missing filename (#2807)

---
 CHANGELOG.md                                | 1 +
 capa/features/extractors/vmray/extractor.py | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f5487c20b9..dd4670b211 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@
 - Fixed insecure deserialization vulnerability in YAML loading @0x1622 (#2770)
 - loader: gracefully handle ELF files with unsupported architectures kamranulhaq2002@gmail.com #2800
 - lint: disable rule caching during linting @Maijin #2817
+- vmray: skip processes with invalid PID or missing filename @EclipseAditya #2807
 
 ### capa Explorer Web
 
diff --git a/capa/features/extractors/vmray/extractor.py b/capa/features/extractors/vmray/extractor.py
index e1dd197b93..27eeed4819 100644
--- a/capa/features/extractors/vmray/extractor.py
+++ b/capa/features/extractors/vmray/extractor.py
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
+import logging
 from typing import Iterator
 from pathlib import Path
 
@@ -39,6 +39,8 @@
     DynamicFeatureExtractor,
 )
 
+logger = logging.getLogger(__name__)
+
 
 def get_formatted_params(params: ParamList) -> list[str]:
     params_list: list[str] = []
@@ -87,6 +89,16 @@ def extract_global_features(self) -> Iterator[tuple[Feature, Address]]:
     def get_processes(self) -> Iterator[ProcessHandle]:
         for monitor_process in self.analysis.monitor_processes.values():
+            # skip invalid/incomplete monitor process entries, see #2807
+            if monitor_process.pid == 0 or not monitor_process.filename:
+                logger.debug(
+                    "skipping incomplete process entry: pid=%d, filename=%s, monitor_id=%d",
+                    monitor_process.pid,
+                    monitor_process.filename,
+                    monitor_process.monitor_id,
+                )
+                continue
+
             address: ProcessAddress = ProcessAddress(pid=monitor_process.pid, ppid=monitor_process.ppid)
             yield ProcessHandle(address, inner=monitor_process)