From bd07273f0b16ad7ed28e82f61fecb0cd526aa44a Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 14 Oct 2024 21:00:12 +0200
Subject: [PATCH] fix(proc): Spurious conditions when querying process protection attributes
---
 pkg/ps/snapshotter_windows.go | 10 ++++++----
 pkg/sys/process.go | 4 ++--
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/pkg/ps/snapshotter_windows.go b/pkg/ps/snapshotter_windows.go
index 872b323cc..058af534a 100644
--- a/pkg/ps/snapshotter_windows.go
+++ b/pkg/ps/snapshotter_windows.go
@@ -549,13 +549,15 @@ func (s *snapshotter) Find(pid uint32) (bool, *pstypes.PS) {
 // get process creation attributes
 var isWOW64 bool
- if err := windows.IsWow64Process(process, &isWOW64); err != nil && isWOW64 {
+ if err := windows.IsWow64Process(process, &isWOW64); err == nil && isWOW64 {
 proc.IsWOW64 = true
 }
- if p, err := sys.QueryInformationProcess[sys.PsProtection](process, sys.ProcessProtectionInformation); err != nil && p != nil {
- proc.IsProtected = p.IsProtected()
+ if isPackaged, err := sys.IsProcessPackaged(process); err == nil && isPackaged {
+ proc.IsPackaged = true
+ }
+ if prot, err := sys.QueryInformationProcess[sys.PsProtection](process, sys.ProcessProtectionInformation); err == nil && prot != nil {
+ proc.IsProtected = prot.IsProtected()
 }
- proc.IsPackaged = sys.IsProcessPackaged(process)
 return false, proc
 }
diff --git a/pkg/sys/process.go b/pkg/sys/process.go
index 0c80cfd00..22ddf4458 100644
--- a/pkg/sys/process.go
+++ b/pkg/sys/process.go
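Review bot: The corrected conditions still discard every error, so when `sys.IsProcessPackaged` or `sys.QueryInformationProcess[sys.PsProtection]` fails for a given handle, `proc.IsPackaged` and `proc.IsProtected` silently stay false — which is the same unobserved failure mode that let the inverted `err != nil` checks ship in the first place. For a sensor, an unqueryable protected (PPL) process being reported as unprotected is the fail-open direction, so the failure should at least be visible, e.g. `if prot, err := sys.QueryInformationProcess[sys.PsProtection](process, sys.ProcessProtectionInformation); err != nil { /* log at debug level with pid */ } else if prot != nil { proc.IsProtected = prot.IsProtected() }`. I cannot tell from the hunk whether the snapshotter carries a logger; `Find` and the `process` handle are declared before the hunk begins. The same applies to the `IsWow64Process` and `IsProcessPackaged` branches above it.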
@@ -101,14 +101,14 @@ func IsProcessRunning(proc windows.Handle) bool {
 // IsProcessPackaged determines if the process is packaged by trying
 // to resolve the package identifier.
-func IsProcessPackaged(proc windows.Handle) bool {
+func IsProcessPackaged(proc windows.Handle) (bool, error) {
 var n uint32
 err := GetPackageID(proc, &n, 0)
 if err == windows.ERROR_INSUFFICIENT_BUFFER {
 b := make([]byte, n)
 err = GetPackageID(proc, &n, uintptr(unsafe.Pointer(&b[0])))
 }
- return err == nil
+ return err == nil, err
 }
 // IsWindowsService reports whether the process is currently executing
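Review bot: The new `return err == nil, err` makes the bool redundant with the error and, more importantly, conflates "this process has no package identity" with "the query failed": on Windows `GetPackageId` reports an unpackaged process through the `APPMODEL_ERROR_NO_PACKAGE` error rather than success, so every ordinary Win32 process now comes back as `(false, err)` and a caller cannot tell it apart from an invalid handle or access denied. Map the documented no-package case to a clean negative before the final return, e.g. `if err == windows.APPMODEL_ERROR_NO_PACKAGE { return false, nil }` (confirm the constant is exposed by the `windows` package used here; otherwise compare against errno 15700), leaving `return err == nil, err` for real failures. The doc comment above the signature should also say that a non-nil error means the lookup could not be performed rather than that the process is unpackaged, e.g. `// A non-nil error indicates the package identity could not be queried.`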