gopsutil icon indicating copy to clipboard operation
gopsutil copied to clipboard

Published 20 hours ago verified publisher icon shirou

Getting process command line fails on ARM64 Windows

Open s-m-martin opened this issue 1 year ago • 1 comments

Describe the bug When compiling for ARM64 Windows and using the process module to compare command line with a running process, then I get the error of: "could not get CommandLine: cannot locate process PEB: could not query PEB address"

To Reproduce I can't share the entirety of the code, but hopefully this snippet helps you understand how it's being used. Basic gist of, we're killing a process but want to verify it's the right process, so we're making a command line comparison.

func commandPathsAreEqual(cmdPath string, killPath string) bool {
	strippedKillPath := strings.TrimSpace(killPath)

	cmdPath = strings.ToLower(cmdPath)
	killPath = strings.ToLower(strippedKillPath)

	if strings.HasPrefix(cmdPath, `"`) {
		re := regexp.MustCompile(`^"(.*?)"`)
		cmdPath = re.FindStringSubmatch(cmdPath)[1]
		return cmdPath == killPath
	}

	// Compare the slices of killPath (from the portal)
	// with the running process slices (cmdSlice)
	// Break the commands on space and check that each of the values in the
	// len(killPath) == cmdSlice to provide equivalent between slices
	killSlice := strings.Split(killPath, " ")
	cmdSlice := strings.Split(cmdPath, " ")
	for i, v := range killSlice {
		if cmdSlice[i] != v {
			return false
		}
	}
	return true
}


// executes killprocess
func (t remediateKillProcess) Process(rc *RunningConfigT) (err error) {
	defer func() {
		t.handleTaskError(err)
	}()

	killTask := struct {
		PID  int    `json:"pid"`
		Path string `json:"path"`
	}{}

	if err = json.Unmarshal(t.Params, &killTask); err != nil {
		return err
	}

	proc, err := process.NewProcess(int32(killTask.PID))
	if err == process.ErrorProcessNotRunning {
		// if pid is not found
		// return success
		t.Results = err.Error()

		// This is not an error. If the PID is not found
		// then the process we are attempting to kill is no longer running
		return nil
	}

	passingPath, err := proc.Cmdline()
	if err != nil && err.Error() != "exit status 1" {
		// Darwin returns "exit status 1" whenever the process can't be found
		// during querying for the full path
		t.err = err
		t.Results = err.Error()
		return nil
	}

	if t.captureAndReturnFailureState(err) != nil {
		return err
	}

	if commandPathsAreEqual(passingPath, killTask.Path) == false {
		// Path does not exist. We assume that the process is now defunct
		// or that the path was not correct. Either way, the process does not exist
		err = fmt.Errorf("Path for process `%q` was not found.", killTask.Path)

		t.Results = err.Error()

		// This is not an error
		return nil
	}

	// if path and pid found, kill
	err = proc.Terminate()

	// Set t.err, t.Results Return at this point
	// if err is still returned
	if t.captureAndReturnFailureState(err) != nil {
		return err
	}

	// Kill successful
	t.Results = fmt.Sprintf("Process %d at %s was successfully killed.", killTask.PID, killTask.Path)
	// No error to return
	return nil
}

Expected behavior No errors are received when trying to get the command line for the process on ARM64 Windows

Environment (please complete the following information):

  • [ ] Windows: ARM64

Additional context I provided this PR with updates that resolve the problem

s-m-martin avatar Mar 21 '23 17:03 s-m-martin

I'm getting the following error when trying to compile for GOOS=windows GOARCH=arm64

C:\Users\\go\pkg\mod\github.com\shirou\gopsutil\[email protected]\process\process_windows.go:679:32: undefined: PROCESS_MEMORY_COUNTERS
C:\Users\\go\pkg\mod\github.com\shirou\gopsutil\[email protected]\process\process_windows.go:680:10: undefined: PROCESS_MEMORY_COUNTERS
C:\Users\\go\pkg\mod\github.com\shirou\gopsutil\[email protected]\process\process_windows.go:693:50: undefined: PROCESS_MEMORY_COUNTERS
C:\Users\\go\pkg\mod\github.com\shirou\gopsutil\[email protected]\process\process_windows.go:794:16: undefined: queryPebAddress
C:\Users\\go\pkg\mod\github.com\shirou\gopsutil\[email protected]\process\process_windows.go:800:10: undefined: readProcessMemory
C:\Users\\go\pkg\mod\github.com\shirou\gopsutil\[email protected]\process\process_windows.go:807:20: undefined: readProcessMemory
C:\Users\\go\pkg\mod\github.com\shirou\gopsutil\[email protected]\process\process_windows.go:820:15: undefined: readProcessMemory
C:\Users\\go\pkg\mod\github.com\shirou\gopsutil\[email protected]\process\process_windows.go:828:10: undefined: readProcessMemory
C:\Users\\go\pkg\mod\github.com\shirou\gopsutil\[email protected]\process\process_windows.go:836:20: undefined: readProcessMemory
C:\Users\\go\pkg\mod\github.com\shirou\gopsutil\[email protected]\process\process_windows.go:851:15: undefined: readProcessMemory
C:\Users\\go\pkg\mod\github.com\shirou\gopsutil\[email protected]\process\process_windows.go:851:15: too many errors

clarkmcc avatar May 08 '23 20:05 clarkmcc