process.go
//go:build windows
// +build windows
package winproc
import (
"fmt"
"strings"
"github.com/gentlemanautomaton/winproc/processaccess"
)
// Process holds information about a windows process.
//
// Which fields are populated depends on how the process list was collected
// (the doc comment on UniqueID mentions a CollectTimes option for Times);
// zero values mean "not collected", and Protected treats an empty User.SID
// that way.
type Process struct {
	ID          ID       // process identifier; 0 and 4 are treated as system processes by Protected
	ParentID    ID       // identifier of the parent process
	Name        string   // executable name; used by String only when Path and CommandLine are empty
	Path        string   // executable path; printed by String together with Args
	Args        []string // individual arguments, joined with spaces by String
	CommandLine string   // full command line; takes precedence over Path/Args in String
	SessionID   uint32   // session the process runs in; session 0 is considered protected
	User        User     // owning user; User.SID and User.System() drive Protected
	Threads     int      // NOTE(review): not referenced in this file; presumably the thread count — confirm in the collector
	Times       Times    // creation/exit instants and kernel/user time; see String and UniqueID
	Critical    bool     // marks the process as critical (String appends "!" to the PID)
}
// Ref opens a handle to the running process whose ID matches p.ID and
// returns a reference to it, requesting the given access rights.
//
// Callers should request only the rights they actually need, and must close
// the returned reference when they are finished with it.
func (p Process) Ref(rights ...processaccess.Rights) (*Ref, error) {
	pid := p.ID
	return Open(pid, rights...)
}
// UniqueID derives a stable identifier for the process from its creation
// time (as Unix nanoseconds) and its process ID.
//
// Process IDs are recycled by the operating system, so the creation time is
// what makes the result unique. If p.Times.Creation was not collected (for
// example because the CollectTimes option was not supplied) the identifier
// degenerates to the process ID alone and may collide with another process.
func (p Process) UniqueID() UniqueID {
	var uid UniqueID
	uid.Creation = p.Times.Creation.UnixNano()
	uid.ID = p.ID
	return uid
}
// Protected reports whether p represents a protected process of some kind:
//
// All processes in session 0
// All processes running as Local System, NT Authority or Network Service
// All processes for which the SID has not been collected
// The process with ID 0
// The process with ID 4
//
// The check is conservative: a process whose SID was not collected is treated
// as protected rather than as an ordinary process.
//
// TODO: Skip anything with the CREATE_PROTECTED_PROCESS flag?
func (p Process) Protected() bool {
	switch {
	case p.SessionID == 0:
		// https://brianbondy.com/blog/100/understanding-windows-at-a-deeper-level-sessions-window-stations-and-desktops
		// Anything in session zero is a system process
		return true
	case p.ID == 0:
		// The System Idle Process
		return true
	case p.ID == 4:
		// The System Process
		return true
	case p.User.SID == "":
		// Unidentified process: the SID was never collected
		return true
	case p.User.System():
		// Running under a system security identifier
		return true
	}
	// The Evolution of Protected Processes: http://www.alex-ionescu.com/?p=97
	return false
}
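// String returns a string representation of the process.
//
// The output has the form
//
//	[<session>] PID <id>[!] [(<user>)] [(created <t>[, exited <t>])] [(<user-time> user <kernel-time> kernel)]: <command>
//
// where "!" marks a critical process and <command> is the command line if
// known, otherwise the path (with arguments, if any), otherwise the name.
//
// The command line and arguments are emitted verbatim; callers that log this
// string should be aware that process command lines can carry sensitive
// arguments.
func (p Process) String() string {
	var b strings.Builder
	fmt.Fprintf(&b, "[%d] PID %d", p.SessionID, p.ID)
	if p.Critical {
		b.WriteByte('!')
	}
	if user := p.User.String(); user != "" {
		fmt.Fprintf(&b, " (%s)", user)
	}
	if !p.Times.Creation.IsZero() {
		if p.Times.Exit.IsZero() {
			fmt.Fprintf(&b, " (created %s)", p.Times.Creation)
		} else {
			fmt.Fprintf(&b, " (created %s, exited %s)", p.Times.Creation, p.Times.Exit)
		}
	}
	if p.Times.Kernel != 0 || p.Times.User != 0 {
		// The labels read "user ... kernel", so the user time must be passed
		// first; the previous version passed Kernel before User and printed the
		// two values under the wrong labels.
		fmt.Fprintf(&b, " (%s user %s kernel)", p.Times.User, p.Times.Kernel)
	}
	// Prefer the most complete description of what was executed.
	switch {
	case p.CommandLine != "":
		fmt.Fprintf(&b, ": %s", p.CommandLine)
	case p.Path != "" && len(p.Args) > 0:
		fmt.Fprintf(&b, ": %s %s", p.Path, strings.Join(p.Args, " "))
	case p.Path != "":
		fmt.Fprintf(&b, ": %s", p.Path)
	default:
		fmt.Fprintf(&b, ": %s", p.Name)
	}
	return b.String()
}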