fix(proc): Spurious conditions when querying process protection attri…

…butes
rabbitstack · Oct 22, 2024 · bd07273 · bd07273
1 parent aef70db
commit bd07273
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/pkg/ps/snapshotter_windows.go b/pkg/ps/snapshotter_windows.go
@@ -549,13 +549,15 @@ func (s *snapshotter) Find(pid uint32) (bool, *pstypes.PS) {
 
 	// get process creation attributes
 	var isWOW64 bool
-	if err := windows.IsWow64Process(process, &isWOW64); err != nil && isWOW64 {
+	if err := windows.IsWow64Process(process, &isWOW64); err == nil && isWOW64 {
 		proc.IsWOW64 = true
 	}
-	if p, err := sys.QueryInformationProcess[sys.PsProtection](process, sys.ProcessProtectionInformation); err != nil && p != nil {
-		proc.IsProtected = p.IsProtected()
+	if isPackaged, err := sys.IsProcessPackaged(process); err == nil && isPackaged {
+		proc.IsPackaged = true
+	}
+	if prot, err := sys.QueryInformationProcess[sys.PsProtection](process, sys.ProcessProtectionInformation); err == nil && prot != nil {
+		proc.IsProtected = prot.IsProtected()
 	}
-	proc.IsPackaged = sys.IsProcessPackaged(process)
 
 	return false, proc
 }

diff --git a/pkg/sys/process.go b/pkg/sys/process.go
@@ -101,14 +101,14 @@ func IsProcessRunning(proc windows.Handle) bool {
 
 // IsProcessPackaged determines if the process is packaged by trying
 // to resolve the package identifier.
-func IsProcessPackaged(proc windows.Handle) bool {
+func IsProcessPackaged(proc windows.Handle) (bool, error) {
 	var n uint32
 	err := GetPackageID(proc, &n, 0)
 	if err == windows.ERROR_INSUFFICIENT_BUFFER {
 		b := make([]byte, n)
 		err = GetPackageID(proc, &n, uintptr(unsafe.Pointer(&b[0])))
 	}
-	return err == nil
+	return err == nil, err
 }
 
 // IsWindowsService reports whether the process is currently executing