Merge pull request #862 from mxmauro/quick_cmdline_windows

Fixed slow command line retrieval on Windows

internal/common/common_windows.go

@@ -49,6 +49,11 @@ const (
 	PDH_NO_DATA          = 0x800007d5
 )
 
+const (
+	ProcessBasicInformation = 0
+	ProcessWow64Information = 26
+)
+
 var (
 	Modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
 	ModNt       = windows.NewLazySystemDLL("ntdll.dll")
@@ -57,6 +62,13 @@ var (
 
 	ProcGetSystemTimes                   = Modkernel32.NewProc("GetSystemTimes")
 	ProcNtQuerySystemInformation         = ModNt.NewProc("NtQuerySystemInformation")
+	ProcRtlGetNativeSystemInformation    = ModNt.NewProc("RtlGetNativeSystemInformation")
+	ProcRtlNtStatusToDosError            = ModNt.NewProc("RtlNtStatusToDosError")
+	ProcNtQueryInformationProcess        = ModNt.NewProc("NtQueryInformationProcess")
+	ProcNtReadVirtualMemory              = ModNt.NewProc("NtReadVirtualMemory")
+	ProcNtWow64QueryInformationProcess64 = ModNt.NewProc("NtWow64QueryInformationProcess64")
+	ProcNtWow64ReadVirtualMemory64       = ModNt.NewProc("NtWow64ReadVirtualMemory64")
+
 	PdhOpenQuery                         = ModPdh.NewProc("PdhOpenQuery")
 	PdhAddCounter                        = ModPdh.NewProc("PdhAddCounterW")
 	PdhCollectQueryData                  = ModPdh.NewProc("PdhCollectQueryData")

process/process_test.go

@@ -623,3 +623,21 @@ func Test_IsRunning(t *testing.T) {
 		t.Fatalf("process should NOT be found running")
 	}
 }
+
+func Test_AllProcesses_cmdLine(t *testing.T) {
+	procs, err := Processes()
+	if err == nil {
+		for _, proc := range procs {
+			var exeName string
+			var cmdLine string
+
+			exeName, _ = proc.Exe()
+			cmdLine, err = proc.Cmdline()
+			if err != nil {
+				cmdLine = "Error: " + err.Error()
+			}
+
+			t.Logf("Process #%v: Name: %v / CmdLine: %v\n", proc.Pid, exeName, cmdLine)
+		}
+	}
+}

process/process_windows.go

@@ -4,14 +4,13 @@ package process
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"strings"
 	"syscall"
-	"time"
 	"unsafe"
 
-	"github.com/StackExchange/wmi"
 	cpu "github.com/shirou/gopsutil/cpu"
 	"github.com/shirou/gopsutil/internal/common"
 	net "github.com/shirou/gopsutil/net"
@@ -30,6 +29,9 @@ var (
 	procQueryFullProcessImageNameW = common.Modkernel32.NewProc("QueryFullProcessImageNameW")
 	procGetPriorityClass           = common.Modkernel32.NewProc("GetPriorityClass")
 	procGetProcessIoCounters       = common.Modkernel32.NewProc("GetProcessIoCounters")
+	procGetNativeSystemInfo        = common.Modkernel32.NewProc("GetNativeSystemInfo")
+
+	processorArchitecture uint
 )
 
 type SystemProcessInformation struct {
@@ -47,6 +49,28 @@ type SystemProcessInformation struct {
 	Reserved6         [6]uint64
 }
 
+type systemProcessorInformation struct {
+	ProcessorArchitecture uint16
+	ProcessorLevel uint16
+	ProcessorRevision uint16
+	Reserved uint16
+	ProcessorFeatureBits uint16
+}
+
+type systemInfo struct {
+	wProcessorArchitecture      uint16
+	wReserved                   uint16
+	dwPageSize                  uint32
+	lpMinimumApplicationAddress uintptr
+	lpMaximumApplicationAddress uintptr
+	dwActiveProcessorMask       uintptr
+	dwNumberOfProcessors        uint32
+	dwProcessorType             uint32
+	dwAllocationGranularity     uint32
+	wProcessorLevel             uint16
+	wProcessorRevision          uint16
+}
+
 // Memory_info_ex is different between OSes
 type MemoryInfoExStat struct {
 }
@@ -65,43 +89,22 @@ type ioCounters struct {
 	OtherTransferCount  uint64
 }
 
-type Win32_Process struct {
+type processBasicInformation32 struct {
-	Name                  string
+	Reserved1       uint32
-	ExecutablePath        *string
+	PebBaseAddress  uint32
-	CommandLine           *string
+	Reserved2       uint32
-	Priority              uint32
+	Reserved3       uint32
-	CreationDate          *time.Time
+	UniqueProcessId uint32
-	ProcessID             uint32
+	Reserved4       uint32
-	ThreadCount           uint32
+}
-	Status                *string
+
-	ReadOperationCount    uint64
+type processBasicInformation64 struct {
-	ReadTransferCount     uint64
+	Reserved1       uint64
-	WriteOperationCount   uint64
+	PebBaseAddress  uint64
-	WriteTransferCount    uint64
+	Reserved2       uint64
-	CSCreationClassName   string
+	Reserved3       uint64
-	CSName                string
+	UniqueProcessId uint64
-	Caption               *string
+	Reserved4       uint64
-	CreationClassName     string
-	Description           *string
-	ExecutionState        *uint16
-	HandleCount           uint32
-	KernelModeTime        uint64
-	MaximumWorkingSetSize *uint32
-	MinimumWorkingSetSize *uint32
-	OSCreationClassName   string
-	OSName                string
-	OtherOperationCount   uint64
-	OtherTransferCount    uint64
-	PageFaults            uint32
-	PageFileUsage         uint32
-	ParentProcessID       uint32
-	PeakPageFileUsage     uint32
-	PeakVirtualSize       uint64
-	PeakWorkingSetSize    uint32
-	PrivatePageCount      uint64
-	TerminationDate       *time.Time
-	UserModeTime          uint64
-	WorkingSetSize        uint64
 }
 
 type winLUID struct {
@@ -125,7 +128,10 @@ type winLong int32
 type winDWord uint32
 
 func init() {
-	wmi.DefaultClient.AllowMissingFields = true
+	var systemInfo systemInfo
+
+	procGetNativeSystemInfo.Call(uintptr(unsafe.Pointer(&systemInfo)))
+	processorArchitecture = uint(systemInfo.wProcessorArchitecture)
 
 	// enable SeDebugPrivilege https://github.com/midstar/proci/blob/6ec79f57b90ba3d9efa2a7b16ef9c9369d4be875/proci_windows.go#L80-L119
 	handle, err := syscall.GetCurrentProcess()
@@ -237,26 +243,6 @@ func (p *Process) PpidWithContext(ctx context.Context) (int32, error) {
 	return ppid, nil
 }
 
-func GetWin32Proc(pid int32) ([]Win32_Process, error) {
-	return GetWin32ProcWithContext(context.Background(), pid)
-}
-
-func GetWin32ProcWithContext(ctx context.Context, pid int32) ([]Win32_Process, error) {
-	var dst []Win32_Process
-	query := fmt.Sprintf("WHERE ProcessId = %d", pid)
-	q := wmi.CreateQuery(&dst, query)
-	err := common.WMIQueryWithContext(ctx, q, &dst)
-	if err != nil {
-		return []Win32_Process{}, fmt.Errorf("could not get win32Proc: %s", err)
-	}
-
-	if len(dst) == 0 {
-		return []Win32_Process{}, fmt.Errorf("could not get win32Proc: empty")
-	}
-
-	return dst, nil
-}
-
 func (p *Process) Name() (string, error) {
 	return p.NameWithContext(context.Background())
 }
@@ -308,12 +294,12 @@ func (p *Process) Cmdline() (string, error) {
 	return p.CmdlineWithContext(context.Background())
 }
 
-func (p *Process) CmdlineWithContext(ctx context.Context) (string, error) {
+func (p *Process) CmdlineWithContext(_ context.Context) (string, error) {
-	dst, err := GetWin32ProcWithContext(ctx, p.Pid)
+	cmdline, err := getProcessCommandLine(p.Pid)
 	if err != nil {
 		return "", fmt.Errorf("could not get CommandLine: %s", err)
 	}
-	return *dst[0].CommandLine, nil
+	return cmdline, nil
 }
 
 // CmdlineSlice returns the command line arguments of the process as a slice with each
@@ -774,24 +760,6 @@ func ProcessesWithContext(ctx context.Context) ([]*Process, error) {
 	return out, nil
 }
 
-func getProcInfo(pid int32) (*SystemProcessInformation, error) {
-	initialBufferSize := uint64(0x4000)
-	bufferSize := initialBufferSize
-	buffer := make([]byte, bufferSize)
-
-	var sysProcInfo SystemProcessInformation
-	ret, _, _ := common.ProcNtQuerySystemInformation.Call(
-		uintptr(unsafe.Pointer(&sysProcInfo)),
-		uintptr(unsafe.Pointer(&buffer[0])),
-		uintptr(unsafe.Pointer(&bufferSize)),
-		uintptr(unsafe.Pointer(&bufferSize)))
-	if ret != 0 {
-		return nil, windows.GetLastError()
-	}
-
-	return &sysProcInfo, nil
-}
-
 func getRusage(pid int32) (*windows.Rusage, error) {
 	var CPU windows.Rusage
 
@@ -860,3 +828,148 @@ func getProcessCPUTimes(pid int32) (SYSTEM_TIMES, error) {
 
 	return times, err
 }
+
+func is32BitProcess(procHandle syscall.Handle) bool {
+	var wow64 uint
+
+	ret, _, _ := common.ProcNtQueryInformationProcess.Call(
+		uintptr(procHandle),
+		uintptr(common.ProcessWow64Information),
+		uintptr(unsafe.Pointer(&wow64)),
+		uintptr(unsafe.Sizeof(wow64)),
+		uintptr(0),
+	)
+	if int(ret) >= 0 {
+		if wow64 != 0 {
+			return true
+		}
+	} else {
+		//if the OS does not support the call, we fallback into the bitness of the app
+		if unsafe.Sizeof(wow64) == 4 {
+			return true
+		}
+	}
+	return false
+}
+
+func getProcessCommandLine(pid int32) (string, error) {
+	h, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION | windows.PROCESS_VM_READ, false, uint32(pid))
+	if err == windows.ERROR_ACCESS_DENIED || err == windows.ERROR_INVALID_PARAMETER {
+		return "", nil
+	}
+	if err != nil {
+		return "", err
+	}
+	defer syscall.CloseHandle(syscall.Handle(h))
+
+	const (
+		PROCESSOR_ARCHITECTURE_INTEL = 0
+		PROCESSOR_ARCHITECTURE_ARM   = 5
+		PROCESSOR_ARCHITECTURE_ARM64 = 12
+		PROCESSOR_ARCHITECTURE_IA64  = 6
+		PROCESSOR_ARCHITECTURE_AMD64 = 9
+	)
+
+	procIs32Bits := true
+	switch processorArchitecture {
+	case PROCESSOR_ARCHITECTURE_INTEL:
+		fallthrough
+	case PROCESSOR_ARCHITECTURE_ARM:
+		procIs32Bits = true
+
+	case PROCESSOR_ARCHITECTURE_ARM64:
+		fallthrough
+	case PROCESSOR_ARCHITECTURE_IA64:
+		fallthrough
+	case PROCESSOR_ARCHITECTURE_AMD64:
+		procIs32Bits = is32BitProcess(syscall.Handle(h))
+
+	default:
+		//for other unknown platforms, we rely on process platform
+		if unsafe.Sizeof(processorArchitecture) == 8 {
+			procIs32Bits = false
+		}
+	}
+
+	pebAddress := queryPebAddress(syscall.Handle(h), procIs32Bits)
+	if pebAddress == 0 {
+		return "", errors.New("cannot locate process PEB")
+	}
+
+	if procIs32Bits {
+		buf := readProcessMemory(syscall.Handle(h), procIs32Bits, pebAddress + uint64(16), 4)
+		if len(buf) != 4 {
+			return "", errors.New("cannot locate process user parameters")
+		}
+		userProcParams := uint64(buf[0]) | (uint64(buf[1]) << 8) | (uint64(buf[2]) << 16) | (uint64(buf[3]) << 24)
+
+		//read CommandLine field from PRTL_USER_PROCESS_PARAMETERS
+		remoteCmdLine := readProcessMemory(syscall.Handle(h), procIs32Bits, userProcParams + uint64(64), 8)
+		if len(remoteCmdLine) != 8 {
+			return "", errors.New("cannot read cmdline field")
+		}
+
+		//remoteCmdLine is actually a UNICODE_STRING32
+		//the first two bytes has the length
+		cmdLineLength := uint(remoteCmdLine[0]) | (uint(remoteCmdLine[1]) << 8)
+		if cmdLineLength > 0 {
+			//and, at offset 4, is the pointer to the buffer
+			bufferAddress := uint32(remoteCmdLine[4]) | (uint32(remoteCmdLine[5]) << 8) |
+				(uint32(remoteCmdLine[6]) << 16) | (uint32(remoteCmdLine[7]) << 24)
+
+			cmdLine := readProcessMemory(syscall.Handle(h), procIs32Bits, uint64(bufferAddress), cmdLineLength)
+			if len(cmdLine) != int(cmdLineLength) {
+				return "", errors.New("cannot read cmdline")
+			}
+
+			return convertUTF16ToString(cmdLine), nil
+		}
+	} else {
+		buf := readProcessMemory(syscall.Handle(h), procIs32Bits, pebAddress + uint64(32), 8)
+		if len(buf) != 8 {
+			return "", errors.New("cannot locate process user parameters")
+		}
+		userProcParams := uint64(buf[0]) |	(uint64(buf[1]) << 8) | (uint64(buf[2]) << 16) | (uint64(buf[3]) << 24) |
+			(uint64(buf[4]) << 32) | (uint64(buf[5]) << 40) | (uint64(buf[6]) << 48) | (uint64(buf[7]) << 56)
+
+		//read CommandLine field from PRTL_USER_PROCESS_PARAMETERS
+		remoteCmdLine := readProcessMemory(syscall.Handle(h), procIs32Bits, userProcParams + uint64(112), 16)
+		if len(remoteCmdLine) != 16 {
+			return "", errors.New("cannot read cmdline field")
+		}
+
+		//remoteCmdLine is actually a UNICODE_STRING64
+		//the first two bytes has the length
+		cmdLineLength := uint(remoteCmdLine[0]) | (uint(remoteCmdLine[1]) << 8)
+		if cmdLineLength > 0 {
+			//and, at offset 8, is the pointer to the buffer
+			bufferAddress := uint64(remoteCmdLine[8]) | (uint64(remoteCmdLine[9]) << 8) |
+				(uint64(remoteCmdLine[10]) << 16) | (uint64(remoteCmdLine[11]) << 24) |
+				(uint64(remoteCmdLine[12]) << 32) | (uint64(remoteCmdLine[13]) << 40) |
+				(uint64(remoteCmdLine[14]) << 48) | (uint64(remoteCmdLine[15]) << 56)
+
+			cmdLine := readProcessMemory(syscall.Handle(h), procIs32Bits, bufferAddress, cmdLineLength)
+			if len(cmdLine) != int(cmdLineLength) {
+				return "", errors.New("cannot read cmdline")
+			}
+
+			return convertUTF16ToString(cmdLine), nil
+		}
+	}
+
+	//if we reach here, we have no command line
+	return "", nil
+}
+
+func convertUTF16ToString(src []byte) string {
+	srcLen := len(src) / 2
+
+	codePoints := make([]uint16, srcLen)
+
+	srcIdx := 0
+	for i := 0; i < srcLen; i++ {
+		codePoints[i] = uint16(src[srcIdx]) | uint16(src[srcIdx + 1] << 8)
+		srcIdx += 2
+	}
+	return syscall.UTF16ToString(codePoints)
+}

process/process_windows_386.go

@@ -2,6 +2,13 @@
 
 package process
 
+import (
+	"syscall"
+	"unsafe"
+
+	"github.com/shirou/gopsutil/internal/common"
+)
+
 type PROCESS_MEMORY_COUNTERS struct {
 	CB                         uint32
 	PageFaultCount             uint32
@@ -14,3 +21,82 @@ type PROCESS_MEMORY_COUNTERS struct {
 	PagefileUsage              uint32
 	PeakPagefileUsage          uint32
 }
+
+func queryPebAddress(procHandle syscall.Handle, is32BitProcess bool) uint64 {
+	if is32BitProcess {
+		//we are on a 32-bit process reading an external 32-bit process
+		var info processBasicInformation32
+
+		ret, _, _ := common.ProcNtQueryInformationProcess.Call(
+			uintptr(procHandle),
+			uintptr(common.ProcessBasicInformation),
+			uintptr(unsafe.Pointer(&info)),
+			uintptr(unsafe.Sizeof(info)),
+			uintptr(0),
+		)
+		if int(ret) >= 0 {
+			return uint64(info.PebBaseAddress)
+		}
+	} else {
+		//we are on a 32-bit process reading an external 64-bit process
+		if common.ProcNtWow64QueryInformationProcess64.Find() == nil { //avoid panic
+			var info processBasicInformation64
+
+			ret, _, _ := common.ProcNtWow64QueryInformationProcess64.Call(
+				uintptr(procHandle),
+				uintptr(common.ProcessBasicInformation),
+				uintptr(unsafe.Pointer(&info)),
+				uintptr(unsafe.Sizeof(info)),
+				uintptr(0),
+			)
+			if int(ret) >= 0 {
+				return info.PebBaseAddress
+			}
+		}
+	}
+
+	//return 0 on error
+	return 0
+}
+
+func readProcessMemory(h syscall.Handle, is32BitProcess bool, address uint64, size uint) []byte {
+	if is32BitProcess {
+		var read uint
+
+		buffer := make([]byte, size)
+
+		ret, _, _ := common.ProcNtReadVirtualMemory.Call(
+			uintptr(h),
+			uintptr(address),
+			uintptr(unsafe.Pointer(&buffer[0])),
+			uintptr(size),
+			uintptr(unsafe.Pointer(&read)),
+		)
+		if int(ret) >= 0 && read > 0 {
+			return buffer[:read]
+		}
+	} else {
+		//reading a 64-bit process from a 32-bit one
+		if common.ProcNtWow64ReadVirtualMemory64.Find() == nil { //avoid panic
+			var read uint64
+
+			buffer := make([]byte, size)
+
+			ret, _, _ := common.ProcNtWow64ReadVirtualMemory64.Call(
+				uintptr(h),
+				uintptr(address & 0xFFFFFFFF), //the call expects a 64-bit value
+				uintptr(address >> 32),
+				uintptr(unsafe.Pointer(&buffer[0])),
+				uintptr(size), //the call expects a 64-bit value
+				uintptr(0),    //but size is 32-bit so pass zero as the high dword
+				uintptr(unsafe.Pointer(&read)),
+			)
+			if int(ret) >= 0 && read > 0 {
+				return buffer[:uint(read)]
+			}
+		}
+	}
+
+	//if we reach here, an error happened
+	return nil
+}

process/process_windows_amd64.go

@@ -2,6 +2,13 @@
 
 package process
 
+import (
+	"syscall"
+	"unsafe"
+
+	"github.com/shirou/gopsutil/internal/common"
+)
+
 type PROCESS_MEMORY_COUNTERS struct {
 	CB                         uint32
 	PageFaultCount             uint32
@@ -14,3 +21,56 @@ type PROCESS_MEMORY_COUNTERS struct {
 	PagefileUsage              uint64
 	PeakPagefileUsage          uint64
 }
+
+func queryPebAddress(procHandle syscall.Handle, is32BitProcess bool) uint64 {
+	if is32BitProcess {
+		//we are on a 64-bit process reading an external 32-bit process
+		var wow64 uint
+
+		ret, _, _ := common.ProcNtQueryInformationProcess.Call(
+			uintptr(procHandle),
+			uintptr(common.ProcessWow64Information),
+			uintptr(unsafe.Pointer(&wow64)),
+			uintptr(unsafe.Sizeof(wow64)),
+			uintptr(0),
+		)
+		if int(ret) >= 0 {
+			return uint64(wow64)
+		}
+	} else {
+		//we are on a 64-bit process reading an external 64-bit process
+		var info processBasicInformation64
+
+		ret, _, _ := common.ProcNtQueryInformationProcess.Call(
+			uintptr(procHandle),
+			uintptr(common.ProcessBasicInformation),
+			uintptr(unsafe.Pointer(&info)),
+			uintptr(unsafe.Sizeof(info)),
+			uintptr(0),
+		)
+		if int(ret) >= 0 {
+			return info.PebBaseAddress
+		}
+	}
+
+	//return 0 on error
+	return 0
+}
+
+func readProcessMemory(procHandle syscall.Handle, _ bool, address uint64, size uint) []byte {
+	var read uint
+
+	buffer := make([]byte, size)
+
+	ret, _, _ := common.ProcNtReadVirtualMemory.Call(
+		uintptr(procHandle),
+		uintptr(address),
+		uintptr(unsafe.Pointer(&buffer[0])),
+		uintptr(size),
+		uintptr(unsafe.Pointer(&read)),
+	)
+	if int(ret) >= 0 && read > 0 {
+		return buffer[:read]
+	}
+	return nil
+}