New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Get process inventory for Windows avoiding WMIC. #1760

Merged
merged 13 commits into from Nov 30, 2018

Conversation

Projects
4 participants
@DarkMatterCore
Copy link
Contributor

DarkMatterCore commented Oct 30, 2018

This pull request fixes #557 by replacing the usage of WMIC commands with WinAPI calls in Windows Syscollector. Additionally, the following changes were also made:

  • Added more files to the 'clean-windows' rule in Makefile.
  • Added hardcoded exceptions for PIDs 0 and 4 in get_process_name() and sys_proc_windows().
  • Both UserModeTime and KernelModeTime values are converted from 100-nanosecond units to seconds before getting stored.
  • Fixed UserModeTime getting stored with key 'stime' in sys_proc_windows(), overwriting the KernelModeTime value.
  • Set SeDebugPrivilege token before performing any process-related WinAPI calls.
  • Base Board serial number is now parsed directly from the raw SMBIOS data structures.

Regarding the last point, it's important to highlight that there's a lot of information that can potentially be gathered from SMBIOS data, and that this process could also be performed under other operative systems.

DarkMatterCore added some commits Oct 26, 2018

Improved WinAPI compatibility
- Added more files to the 'clean-windows' rule in Makefile.
- Fixed memory leak after retrieving the raw SMBIOS data structures.
- Fixed the SMBIOS signature used with GetSystemFirmwareTable().
- Added hardcoded exceptions for PIDs 0 and 4 in get_process_name() and sys_proc_windows().
- Replaced EnumProcessModules() + GetModuleBaseName() with GetProcessImageFileName() in get_process_name().
- Fixed a memory leak in sys_proc_windows() after getting the name from a process.
- Replaced GetModuleFileNameEx() with GetProcessImageFileName() in sys_proc_windows(). A new function, ntpath_to_win32path(), converts the returned Windows kernel device path to a valid Win32 file path.
- Both UserModeTime and KernelModeTime values are converted from 100-nanosecond units to seconds before getting stored.
- Fixed UserModeTime getting stored with key 'stime' in sys_proc_windows(), overwriting the KernelModeTime value.

*** TO DO ***

- Find a way to retrieve the virtual size from a process using WinAPI.
- Find a way to retrieve more information from PIDs 0 and 4 using WinAPI.
More Syscollector + WinAPI changes
- Calculate virtual size using the data retrieved with GetProcessMemoryInfo().
- Set SeDebugPrivilege token before performing any process-related WinAPI calls.

@albertomn86 albertomn86 added this to In review in Wazuh TBD via automation Oct 30, 2018

@albertomn86 albertomn86 self-requested a review Oct 30, 2018

@albertomn86 albertomn86 self-assigned this Oct 30, 2018

@vikman90 vikman90 modified the milestone: Weekly sprint - 47th Nov 19, 2018

@albertomn86 albertomn86 requested review from chemamartinez and removed request for albertomn86 Nov 20, 2018

@chemamartinez chemamartinez removed this from In review in Wazuh TBD Nov 20, 2018

@chemamartinez chemamartinez added this to Needs review in Wazuh 3.8.0 via automation Nov 20, 2018

@chemamartinez chemamartinez changed the base branch from 3.7 to 3.8 Nov 26, 2018

@chemamartinez chemamartinez merged commit 8c02adc into 3.8 Nov 30, 2018

Wazuh 3.8.0 automation moved this from Needs review to Done Nov 30, 2018

@chemamartinez chemamartinez deleted the 3.7-syscollector-winapi branch Nov 30, 2018

@chemamartinez

This comment has been minimized.

Copy link
Member

chemamartinez commented Nov 30, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment