Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix VMRay missing process data #2396

Merged
merged 13 commits into from
Sep 26, 2024
Merged

Fix VMRay missing process data #2396

merged 13 commits into from
Sep 26, 2024

Conversation

mr-tz
Copy link
Collaborator

@mr-tz mr-tz commented Sep 24, 2024

closes #2394

Checklist

  • No CHANGELOG update needed
  • No new tests needed
  • No documentation update needed

@williballenthin
Copy link
Collaborator

looks reasonable, i'll trust the tests.

@mr-tz mr-tz requested a review from mike-hunhoff September 24, 2024 11:30
@mike-hunhoff
Copy link
Collaborator

@mr-tz thanks for the initial fix. This made me realize that we should be using VMRay's thread and process monitor IDs instead of tid, pid, and ppid combinations as we can't guarantee these combinations are unique, e.g. reused ppid and pid combination, while it appears that the thread and process monitor IDs are unique, and thus combinations of these should be unique, e.g. for extracting function calls.

capa/features/extractors/vmray/__init__.py Outdated Show resolved Hide resolved
capa/features/extractors/vmray/__init__.py Outdated Show resolved Hide resolved
capa/features/extractors/vmray/__init__.py Outdated Show resolved Hide resolved
capa/features/extractors/vmray/__init__.py Outdated Show resolved Hide resolved
capa/features/extractors/vmray/__init__.py Show resolved Hide resolved
@mr-tz
Copy link
Collaborator Author

mr-tz commented Sep 26, 2024

I ran this on a few random private analysis archives and didn't encounter any failures. We should find more public samples to add to the test corpus.

Copy link
Collaborator

@williballenthin williballenthin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we address #2361 (add fields to unique pid/ppid) here, while we're at it? or leave that for a PR immediately following this?

CHANGELOG.md Outdated Show resolved Hide resolved
capa/features/extractors/vmray/__init__.py Show resolved Hide resolved
@mike-hunhoff
Copy link
Collaborator

should we address #2361 (add fields to unique pid/ppid) here, while we're at it? or leave that for a PR immediately following this?

We should address #2361 in a separate PR

@mike-hunhoff mike-hunhoff merged commit 06271a8 into master Sep 26, 2024
28 checks passed
@mike-hunhoff mike-hunhoff deleted the fix/vmray-procs branch September 26, 2024 19:57
@mr-tz
Copy link
Collaborator Author

mr-tz commented Sep 26, 2024

Thanks for the additions, @mike-hunhoff!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

KeyError:3 while running capa on VMRay analysis archive
3 participants