[process] fix retrieval of full process commandline for MinGW32

* NtWow64QueryInformationProcess64() fails because sizeof(PVOID64) happens to be 4 instead of 8 in MinGW32 (WTF?!?) and therefore sizeof(pbi) is set to 44 instead of 48, resulting in NTSTATUS code 0xC0000004: STATUS_INFO_LENGTH_MISMATCH... => Use an ULONGLONG instead and don't rely on MinGW32's improper definitions. * Also fix an issue whereas, when we find multiple conflicting processes, the first one's path is duplicated to all others...
2019-04-02 12:31:41 +01:00 · 2019-04-02 12:31:41 +01:00 · dd9f9ce1e9
parent 2a1c57c750
commit dd9f9ce1e9
3 changed files with 17 additions and 15 deletions
--- a/src/process.c
+++ b/src/process.c
@ -43,7 +43,7 @@ PF_TYPE_DECL(NTAPI, NTSTATUS, NtQuerySystemInformation, (SYSTEM_INFORMATION_CLAS
 PF_TYPE_DECL(NTAPI, NTSTATUS, NtQueryInformationFile, (HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS));
 PF_TYPE_DECL(NTAPI, NTSTATUS, NtQueryInformationProcess, (HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG));
 PF_TYPE_DECL(NTAPI, NTSTATUS, NtWow64QueryInformationProcess64, (HANDLE, ULONG, PVOID, ULONG, PULONG));
-PF_TYPE_DECL(NTAPI, NTSTATUS, NtWow64ReadVirtualMemory64, (HANDLE, PVOID64, PVOID, ULONG64, PULONG64));
+PF_TYPE_DECL(NTAPI, NTSTATUS, NtWow64ReadVirtualMemory64, (HANDLE, ULONGLONG, PVOID, ULONG64, PULONG64));
 PF_TYPE_DECL(NTAPI, NTSTATUS, NtQueryObject, (HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG));
 PF_TYPE_DECL(NTAPI, NTSTATUS, NtDuplicateObject, (HANDLE, HANDLE, HANDLE, PHANDLE, ACCESS_MASK, ULONG, ULONG));
 PF_TYPE_DECL(NTAPI, NTSTATUS, NtOpenProcess, (PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, CLIENT_ID*));
@ -354,22 +354,22 @@ static PWSTR GetProcessCommandLine(HANDLE hProcess)
 	if (wow) {
 		// 32-bit process running on a 64-bit OS
 		PROCESS_BASIC_INFORMATION_WOW64 pbi = { 0 };
-		PVOID64 params;
+		ULONGLONG params;
 		UNICODE_STRING_WOW64* ucmdline;
 		PF_INIT_OR_OUT(NtWow64QueryInformationProcess64, NtDll);
 		PF_INIT_OR_OUT(NtWow64ReadVirtualMemory64, NtDll);
 		status = pfNtWow64QueryInformationProcess64(hProcess, 0, &pbi, sizeof(pbi), NULL);
-		if (!NT_SUCCESS (status))
+		if (!NT_SUCCESS(status))
 			goto out;
 		status = pfNtWow64ReadVirtualMemory64(hProcess, pbi.PebBaseAddress, peb, pp_offset + 8, NULL);
-		if (!NT_SUCCESS (status))
+		if (!NT_SUCCESS(status))
 			goto out;
 		// Read Process Parameters from the 64-bit address space
-		params = (PVOID64) *((PVOID64*)(peb + pp_offset));
+		params = (ULONGLONG) *((ULONGLONG*)(peb + pp_offset));
 		status = pfNtWow64ReadVirtualMemory64(hProcess, params, pp, cmd_offset + 16, NULL);
 		if (!NT_SUCCESS (status))
 			goto out;
@ -379,7 +379,7 @@ static PWSTR GetProcessCommandLine(HANDLE hProcess)
 		if (wcmdline == NULL)
 			goto out;
 		status = pfNtWow64ReadVirtualMemory64(hProcess, ucmdline->Buffer, wcmdline, ucmdline->Length, NULL);
-		if (!NT_SUCCESS (status)) {
+		if (!NT_SUCCESS(status)) {
 			safe_free(wcmdline);
 			goto out;
 		}
@ -392,7 +392,7 @@ static PWSTR GetProcessCommandLine(HANDLE hProcess)
 		PF_INIT_OR_OUT(NtQueryInformationProcess, NtDll);
 		status = pfNtQueryInformationProcess(hProcess, 0, &pbi, sizeof(pbi), NULL);
-		if (!NT_SUCCESS (status))
+		if (!NT_SUCCESS(status))
 			goto out;
 		// Read PEB
@ -435,7 +435,7 @@ static DWORD WINAPI SearchProcessThread(LPVOID param)
 	WCHAR *wHandleName = NULL;
 	HANDLE dupHandle = NULL;
 	HANDLE processHandle = NULL;
-	BOOLEAN bFound = FALSE, bGotCmdLine = FALSE, verbose = !_bQuiet;
+	BOOLEAN bFound = FALSE, bGotCmdLine, verbose = !_bQuiet;
 	ULONG access_rights = 0;
 	DWORD size;
 	char cmdline[MAX_PATH] = { 0 };
@ -598,6 +598,7 @@ static DWORD WINAPI SearchProcessThread(LPVOID param)
 			vuprintf("WARNING: The following process(es) or service(s) are accessing %s:", _HandleName);
 		// Where possible, try to get the full command line
 		bGotCmdLine = FALSE;
 		wcmdline = GetProcessCommandLine(processHandle);
 		if (wcmdline != NULL) {
 			bGotCmdLine = TRUE;
--- a/src/process.h
+++ b/src/process.h
@ -121,7 +121,8 @@ typedef struct _OBJECT_TYPES_INFORMATION
 typedef struct _PROCESS_BASIC_INFORMATION_WOW64
 {
 	PVOID Reserved1[2];
-	PVOID64 PebBaseAddress;
+	// MinGW32 screws us with a sizeof(PVOID64) of 4 instead of 8 => Use an ULONGLONG instead
 	ULONGLONG PebBaseAddress;
 	PVOID Reserved2[4];
 	ULONG_PTR UniqueProcessId[2];
 	PVOID Reserved3[2];
@ -131,7 +132,7 @@ typedef struct _UNICODE_STRING_WOW64
 {
 	USHORT Length;
 	USHORT MaximumLength;
-	PVOID64 Buffer;
+	ULONGLONG Buffer;
 } UNICODE_STRING_WOW64;
 typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION
--- a/src/rufus.rc
+++ b/src/rufus.rc
@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 3.6.1505"
+CAPTION "Rufus 3.6.1506"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
    LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@ -394,8 +394,8 @@ END
 //
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 3,6,1505,0
+ FILEVERSION 3,6,1506,0
- PRODUCTVERSION 3,6,1505,0
+ PRODUCTVERSION 3,6,1506,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@ -413,13 +413,13 @@ BEGIN
            VALUE "Comments", "https://akeo.ie"
            VALUE "CompanyName", "Akeo Consulting"
            VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "3.6.1505"
+            VALUE "FileVersion", "3.6.1506"
            VALUE "InternalName", "Rufus"
            VALUE "LegalCopyright", "© 2011-2019 Pete Batard (GPL v3)"
            VALUE "LegalTrademarks", "https://www.gnu.org/copyleft/gpl.html"
            VALUE "OriginalFilename", "rufus-3.6.exe"
            VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "3.6.1505"
+            VALUE "ProductVersion", "3.6.1506"
        END
    END
    BLOCK "VarFileInfo"