Get process inventory for Windows avoiding WMIC. #1760
Merged
- Added more files to the 'clean-windows' rule in Makefile.
- Fixed memory leak after retrieving the raw SMBIOS data structures.
- Fixed the SMBIOS signature used with GetSystemFirmwareTable().
- Added hardcoded exceptions for PIDs 0 and 4 in get_process_name() and sys_proc_windows().
- Replaced EnumProcessModules() + GetModuleBaseName() with GetProcessImageFileName() in get_process_name().
- Fixed a memory leak in sys_proc_windows() after getting the name from a process.
- Replaced GetModuleFileNameEx() with GetProcessImageFileName() in sys_proc_windows(). A new function, ntpath_to_win32path(), converts the returned Windows kernel device path to a valid Win32 file path.
- Both UserModeTime and KernelModeTime values are converted from 100-nanosecond units to seconds before getting stored.
- Fixed UserModeTime getting stored with key 'stime' in sys_proc_windows(), overwriting the KernelModeTime value.

*** TO DO ***
- Find a way to retrieve the virtual size from a process using WinAPI.
- Find a way to retrieve more information from PIDs 0 and 4 using WinAPI.

- Calculate virtual size using the data retrieved with GetProcessMemoryInfo().
- Set SeDebugPrivilege token before performing any process-related WinAPI calls.
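The three pieces of logic the description above introduces (mapping the NT device path that GetProcessImageFileName() returns onto a Win32 path, turning the 100-nanosecond FILETIME counters into seconds and keeping user and kernel time under separate keys, and short-circuiting PIDs 0 and 4) can be shown without touching the Windows API. The block below is an added example written for this page, not Wazuh's ntpath_to_win32path() or sys_proc_windows(). It assumes a constructed drive-to-device table in place of the per-drive QueryDosDeviceA() lookup that the real code needs on Windows (the device names and the function names `special_process_name`, `filetime_to_seconds` and `proc_times_seconds` are mine), and the "System Idle Process"/"System" names for PIDs 0 and 4 are the conventional ones, not something the PR states.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the DOS-device mapping that QueryDosDeviceA()
 * returns per drive letter on Windows. Values are made up for this example;
 * on Windows you would walk GetLogicalDriveStringsA() and call
 * QueryDosDeviceA("C:", buf, sizeof buf) for each drive. */
typedef struct {
    const char *drive;   /* "C:" */
    const char *device;  /* "\Device\HarddiskVolume2" */
} dos_device_t;

static const dos_device_t DEVICE_TABLE[] = {
    { "C:", "\\Device\\HarddiskVolume2"  },
    { "D:", "\\Device\\HarddiskVolume20" },  /* shares a prefix with C: on purpose */
    { "E:", "\\Device\\CdRom0"           },
};

/* Convert an NT kernel device path such as
 * "\Device\HarddiskVolume2\Windows\System32\svchost.exe" into the Win32
 * form "C:\Windows\System32\svchost.exe". Returns a malloc'd string, or NULL
 * when no device prefix matches (caller frees). */
char *ntpath_to_win32path(const char *ntpath)
{
    if (ntpath == NULL)
        return NULL;

    size_t n = sizeof(DEVICE_TABLE) / sizeof(DEVICE_TABLE[0]);
    for (size_t i = 0; i < n; i++) {
        const char *dev = DEVICE_TABLE[i].device;
        size_t dlen = strlen(dev);
        if (strncmp(ntpath, dev, dlen) != 0)
            continue;
        /* The character after the device name must be a separator or the end
         * of the string; otherwise "\Device\HarddiskVolume2" would wrongly
         * claim paths that live on "\Device\HarddiskVolume20". */
        char next = ntpath[dlen];
        if (next != '\\' && next != '\0')
            continue;

        const char *rest = ntpath + dlen;           /* "" or "\..." */
        const char *tail = (*rest != '\0') ? rest : "\\";
        size_t olen = strlen(DEVICE_TABLE[i].drive) + strlen(tail) + 1;
        char *out = malloc(olen);
        if (out == NULL)
            return NULL;
        snprintf(out, olen, "%s%s", DEVICE_TABLE[i].drive, tail);
        return out;
    }
    return NULL;
}

/* FILETIME-shaped value: 100-nanosecond ticks split across two 32-bit
 * halves, which is how GetProcessTimes() reports user and kernel time. */
typedef struct {
    uint32_t low;
    uint32_t high;
} filetime_t;

/* 10,000,000 ticks of 100 ns make one second. */
double filetime_to_seconds(filetime_t ft)
{
    uint64_t ticks = ((uint64_t)ft.high << 32) | ft.low;
    return (double)ticks / 10000000.0;
}

/* Keep user and kernel time in distinct fields, i.e. the 'utime'/'stime'
 * separation that the description says was previously collapsed. */
typedef struct {
    double utime;  /* UserModeTime, seconds */
    double stime;  /* KernelModeTime, seconds */
} proc_times_t;

proc_times_t proc_times_seconds(filetime_t user, filetime_t kernel)
{
    proc_times_t t;
    t.utime = filetime_to_seconds(user);
    t.stime = filetime_to_seconds(kernel);
    return t;
}

/* PIDs 0 and 4 cannot be opened for image-name queries, so they are
 * special-cased before any OpenProcess() attempt. Any other PID returns
 * NULL, meaning "ask the API". The names are the conventional ones, an
 * assumption of this example. */
const char *special_process_name(uint32_t pid)
{
    if (pid == 0) return "System Idle Process";
    if (pid == 4) return "System";
    return NULL;
}

int main(void)
{
    /* Constructed sample input: what GetProcessImageFileName() would hand back. */
    const char *nt = "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe";
    char *win = ntpath_to_win32path(nt);
    printf("%s -> %s\n", nt, win ? win : "(no matching device)");
    free(win);

    filetime_t user = { 25000000u, 0u };   /* 2.5 s */
    filetime_t kern = { 10000000u, 0u };   /* 1.0 s */
    proc_times_t t = proc_times_seconds(user, kern);
    printf("utime=%.2f stime=%.2f\n", t.utime, t.stime);
    return 0;
}
```

The separator check after the device name is the part worth carrying into real code: a plain prefix match on `\Device\HarddiskVolume2` silently rewrites files on volume 20 to the wrong drive letter, and an inventory that mislabels binary paths is exactly the kind of data a detection rule later trusts. A NULL result should be stored as "unknown" rather than dropped, since network paths (`\Device\Mup\...`) and the two hardcoded PIDs legitimately have no drive letter.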
albertomn86 requested review from chemamartinez and removed request for albertomn86 (November 20, 2018 10:42)
chemamartinez suggested changes (Nov 22, 2018)
…name under Windows Vista or greater if OpenProcess() fails
chemamartinez approved these changes (Nov 30, 2018)
GJ @DarkMatterCore !!
This pull request fixes #557 by replacing the usage of WMIC commands with WinAPI calls in Windows Syscollector. Additionally, the following changes were made:
Regarding the last point, it's important to highlight that there's a lot of information that can potentially be gathered from SMBIOS data, and that this process could also be performed under other operating systems.