Add APIs to fetch processes information #6
Conversation
adriansr
force-pushed
the
feature/process_info
branch
3 times, most recently
from
c66d478
to
5f20f19
Compare
kernel32.go
Outdated
| @@ -33,6 +33,7 @@ import ( | |||
| //sys _GetTickCount64() (millis uint64, err error) = kernel32.GetTickCount64 | |||
| //sys _GetSystemTimes(idleTime *syscall.Filetime, kernelTime *syscall.Filetime, userTime *syscall.Filetime) (err error) = kernel32.GetSystemTimes | |||
| //sys _GlobalMemoryStatusEx(buffer *MemoryStatusEx) (err error) = kernel32.GlobalMemoryStatusEx | |||
| //sys _ReadProcessMemory(handle syscall.Handle, baseAddress uintptr, buffer uintptr, size uintptr, numRead *uintptr) (s bool) = kernel32.ReadProcessMemory | |||
There was a problem hiding this comment.
Rather than returning a bool, why not return err error and pass that back to the caller? I think this would be more meaning than ErrReadFailed.
| @@ -67,6 +68,9 @@ const ( | |||
| ProcessorArchitectureUnknown ProcessorArchitecture = 0xFFFF | |||
| ) | |||
|
|
|||
| // ErrReadFailed is returned by ReadProcessMemory on failure | |||
There was a problem hiding this comment.
nit: add a period to end the sentence.
|
|
||
| // Syscalls | ||
| // Warning: NtQueryInformationProcess is an unsupported API that can change | ||
| // in future versions of Windows. Available from XP to Windows 10. |
There was a problem hiding this comment.
Yes, that's one of the systems I used for testing. It works in XP and everything after it.
|
|
||
| // NtQueryInformationProcess is a wrapper for ntdll.NtQueryInformationProcess. | ||
| // The handle must have the PROCESS_QUERY_INFORMATION access right. | ||
| // Returns an error that can be cast to a NTStatus type. |
There was a problem hiding this comment.
I think this is just semantics, but how about directly stating that the error type is NTStatus.
| const ( | ||
| // PROCESS_BASIC_INFORMATION ProcessInformationClass parameter for | ||
| // NtQueryInformationProcess. | ||
| ProcessBasicInformation = 0 |
There was a problem hiding this comment.
WDYT about making a type ProcessInformationClass uint32 and define constants for the known values?
I think this would make the infoClass param in NtQueryInformationProcess slightly more clear.
| // NtQueryInformationProcess is a wrapper for ntdll.NtQueryInformationProcess. | ||
| // The handle must have the PROCESS_QUERY_INFORMATION access right. | ||
| // Returns an error that can be cast to a NTStatus type. | ||
| func NtQueryInformationProcess(handle syscall.Handle, infoClass uint32, info unsafe.Pointer, infoLen uint32, returnLen *uint32) error { |
There was a problem hiding this comment.
I'd prefer having the function return the returnLen rather than using an out param.
| // RtlUserProcessParameters is Go's equivalent for the | ||
| // _RTL_USER_PROCESS_PARAMETERS struct. | ||
| // A few undocumented fields are exposed. | ||
| type RtlUserProcessParameters struct { |
There was a problem hiding this comment.
How / where / for what will this be used? Just curious.
There was a problem hiding this comment.
Is this passed to NtQueryInformationProcess depending on the OS version? :guessing:
There was a problem hiding this comment.
Get the command-line and cwd for a running process, in go-sysinfo
There was a problem hiding this comment.
So, to make it clear, to get the command-line arguments for another process:
Get process handle -> NtQueryInformationProcess(PROCESS_BASIC_INFORMATION) -> ReadProcessMemory() to read PEB -> ReadProcessMemory() to read RtlUserProcessParameters (pointer in PEB)
- ntdll.NtQueryInformationProcess (internal/unsupported API!) PROCESS_BASIC_INFORMATION struct UNICODE_STRING struct RTL_USER_PROCESS_PARAMETERS struct - kernel32.ReadProcessMemory - psapi.GetProcessImageFileNameA - psapi.EnumProcesses
adriansr
force-pushed
the
feature/process_info
branch
from
859aef3
to
8d35ed7
Compare
|
Added CHANGELOG and squashed |
PROCESS_BASIC_INFORMATION struct
UNICODE_STRING struct
RTL_USER_PROCESS_PARAMETERS struct