// Copyright (c) Mondoo, Inc.
// SPDX-License-Identifier: BUSL-1.1

package processes

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"

	"github.com/rs/zerolog/log"
	"go.mondoo.com/cnquery/providers/os/connection/shared"
	"go.mondoo.com/cnquery/providers/os/resources/powershell"
)

// Ps1GetProcess is the PowerShell pipeline used to enumerate the processes of
// a Windows target.
//
// The Select-Object property list is the contract with WindowsProcess: every
// property named here is decoded into a field of that struct, and ConvertTo-Json
// produces the document ParseWindowsProcesses expects. The string is a fixed
// constant — nothing target- or user-controlled is interpolated into it — so
// powershell.Encode receives exactly this text. Note that -IncludeUserName
// requires elevated rights on the target; without them the command fails.
const Ps1GetProcess = "Get-Process -IncludeUserName | Select-Object Name, Description, Id, PriorityClass, PM, NPM, CPU, VirtualMemorySize, Responding, SessionId, StartTime, TotalProcessorTime, UserName, Path | ConvertTo-Json"

// Reference output of `Get-Process -IncludeUserName | Select-Object -Property *`
// for a single process, kept as documentation of the properties available:
//
// UserName : NT AUTHORITY\SYSTEM
// Name : winlogon
// Id : 584
// PriorityClass : High
// FileVersion : 10.0.17763.1 (WinBuild.160101.0800)
// HandleCount : 234
// WorkingSet : 10424320
// PagedMemorySize : 2641920
// PrivateMemorySize : 2641920
// VirtualMemorySize : 100098048
// TotalProcessorTime : 00:00:00.0156250
// SI : 1
// Handles : 234
// VM : 2203418320896
// WS : 10424320
// PM : 2641920
// NPM : 11392
// Path : C:\windows\system32\winlogon.exe
// Company : Microsoft Corporation
// CPU : 0.015625
// ProductVersion : 10.0.17763.1
// Description : Windows Logon Application
// Product : Microsoft® Windows® Operating System
// __NounName : Process
// BasePriority : 13
// ExitCode :
// HasExited : False
// ExitTime :
// Handle : 3492
// SafeHandle : Microsoft.Win32.SafeHandles.SafeProcessHandle
// MachineName : .
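// MainWindowHandle : 0
// MainWindowTitle :
// MainModule : System.Diagnostics.ProcessModule (winlogon.exe)
// MaxWorkingSet : 1413120
// MinWorkingSet : 204800
// Modules : {System.Diagnostics.ProcessModule (winlogon.exe), System.Diagnostics.ProcessModule (ntdll.dll), System.Diagnostics.ProcessModule (KERNEL32.DLL), System.Diagnostics.ProcessModule (KERNELBASE.dll)...}
// NonpagedSystemMemorySize : 11392
// NonpagedSystemMemorySize64 : 11392
// PagedMemorySize64 : 2641920
// PagedSystemMemorySize : 135128
// PagedSystemMemorySize64 : 135128
// PeakPagedMemorySize : 3715072
// PeakPagedMemorySize64 : 3715072
// PeakWorkingSet : 11091968
// PeakWorkingSet64 : 11091968
// PeakVirtualMemorySize : 104349696
// PeakVirtualMemorySize64 : 2203422572544
// PriorityBoostEnabled : True
// PrivateMemorySize64 : 2641920
// PrivilegedProcessorTime : 00:00:00.0156250
// ProcessName : winlogon
// ProcessorAffinity : 1
// Responding : True
// SessionId : 1
// StartInfo : System.Diagnostics.ProcessStartInfo
// StartTime : 4/16/2020 8:24:41 AM
// SynchronizingObject :
// Threads : {588, 924, 2788}
// UserProcessorTime : 00:00:00
// VirtualMemorySize64 : 2203418320896
// EnableRaisingEvents : False
// StandardInput :
// StandardOutput :
// StandardError :
// WorkingSet64 : 10424320
// Site :
// Container :
//
// WindowsProcess is one element of the JSON document produced by
// Ps1GetProcess. Only the properties selected in that command are decoded.
// The json tags name the PowerShell property each field comes from;
// encoding/json already matches keys case-insensitively, so the tags are
// documentation of the contract rather than a change in decoding.
type WindowsProcess struct {
	ID            int64   `json:"Id"`
	Name          string  `json:"Name"`
	Description   string  `json:"Description"`
	PriorityClass int     `json:"PriorityClass"` // numeric ProcessPriorityClass value as serialized by ConvertTo-Json
	PM            int64   `json:"PM"`            // paged memory size, bytes
	NPM           int64   `json:"NPM"`           // non-paged memory size, bytes
	CPU           float64 `json:"CPU"`           // total processor time in seconds
	VirtualMemorySize  int64  `json:"VirtualMemorySize"`
	Responding         bool   `json:"Responding"`
	SessionId          int    `json:"SessionId"`
	// StartTime is kept as the raw JSON string: its serialization depends on the
	// PowerShell version on the target, so no parsing is attempted here.
	StartTime          string                    `json:"StartTime"`
	TotalProcessorTime WindowsTotalProcessorTime `json:"TotalProcessorTime"`
	UserName           string                    `json:"UserName"`
	Path               string                    `json:"Path"`
}

// WindowsTotalProcessorTime mirrors the System.TimeSpan members that
// ConvertTo-Json emits for the TotalProcessorTime property.
type WindowsTotalProcessorTime struct {
	// Ticks is in 100 ns units. NOTE(review): on a 32-bit build `int` overflows
	// after roughly 214 s of CPU time and json.Unmarshal then rejects the whole
	// document; int64 would be safer, but the field type is part of the exported
	// API, so it is left unchanged here.
	Ticks             int
	Days              int
	Hours             int
	Milliseconds      int
	Minutes           int
	Seconds           int
	TotalDays         float64
	TotalHours        float64
	TotalMilliseconds float64
	TotalMinutes      float64
	TotalSeconds      float64
}

// ToOSProcess maps the Windows-specific record onto the provider-neutral
// OSProcess. Path stands in for the command because Get-Process exposes no
// command line; Path may be empty for some protected/system processes, in which
// case Command is empty too.
func (p WindowsProcess) ToOSProcess() *OSProcess {
	return &OSProcess{
		Pid:        p.ID,
		Command:    p.Path,
		Executable: p.Name,
	}
}

// ParseWindowsProcesses decodes the output of Ps1GetProcess read from r.
//
// ConvertTo-Json emits a JSON array when several objects reach it but a bare
// object when exactly one does, so both shapes are accepted and a single
// object is returned as a one-element slice. Empty or malformed output is an
// error that includes the byte count, which makes "the command produced
// nothing" distinguishable from a genuine parse failure in logs.
func ParseWindowsProcesses(r io.Reader) ([]WindowsProcess, error) {
	data, err := io.ReadAll(r)
	if err != nil {
		return nil, fmt.Errorf("processes> could not read Get-Process output: %w", err)
	}

	// Decode into a RawMessage first: it validates the syntax once and strips
	// leading whitespace, so the first byte reliably tells array from object.
	var raw json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, fmt.Errorf("processes> could not parse Get-Process output (%d bytes): %w", len(data), err)
	}

	if len(raw) > 0 && raw[0] == '{' {
		// Single-process result: ConvertTo-Json did not wrap it in an array.
		var single WindowsProcess
		if err := json.Unmarshal(raw, &single); err != nil {
			return nil, fmt.Errorf("processes> could not parse Get-Process output (%d bytes): %w", len(data), err)
		}
		return []WindowsProcess{single}, nil
	}

	var processes []WindowsProcess
	if err := json.Unmarshal(raw, &processes); err != nil {
		return nil, fmt.Errorf("processes> could not parse Get-Process output (%d bytes): %w", len(data), err)
	}
	return processes, nil
}

// WindowsProcessManager lists processes on a Windows target by running
// PowerShell over conn. conn must be set; the zero value is unusable.
type WindowsProcessManager struct {
	conn shared.Connection
}

// Name returns the human-readable name of this process manager.
func (wpm *WindowsProcessManager) Name() string {
	return "Windows Process Manager"
}

// List runs Ps1GetProcess on the connection and converts every decoded entry
// into an OSProcess.
//
// NOTE(review): only Stdout is inspected here; the command's exit status and
// stderr are not checked, so a PowerShell-side error (for example
// -IncludeUserName without elevated rights) surfaces only as a parse failure
// of whatever reached stdout — TODO confirm what shared.Command exposes and
// surface it in the error.
func (wpm *WindowsProcessManager) List() ([]*OSProcess, error) {
	c, err := wpm.conn.RunCommand(powershell.Encode(Ps1GetProcess))
	if err != nil {
		// Wrap rather than replace the cause; the original message hid why the
		// command could not be run.
		return nil, fmt.Errorf("processes> could not run command: %w", err)
	}

	entries, err := ParseWindowsProcesses(c.Stdout)
	if err != nil {
		return nil, err
	}

	log.Debug().Int("processes", len(entries)).Msg("found processes")

	ps := make([]*OSProcess, 0, len(entries))
	for i := range entries {
		ps = append(ps, entries[i].ToOSProcess())
	}
	return ps, nil
}

// Exists is not implemented for Windows targets and always returns an error.
func (wpm *WindowsProcessManager) Exists(pid int64) (bool, error) {
	return false, errors.New("not implemented")
}

// Process is not implemented for Windows targets and always returns an error.
func (wpm *WindowsProcessManager) Process(pid int64) (*OSProcess, error) {
	return nil, errors.New("not implemented")
}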