
Error getting memory usage for protected processes #167

Open
RichardCos opened this issue Aug 25, 2022 · 0 comments

The following function opens a handle to a process with desired access PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ, in order to call GetProcessMemoryInfo. If the Windows version is not Vista or greater, PROCESS_QUERY_INFORMATION is used instead of PROCESS_QUERY_LIMITED_INFORMATION.

gosigar/sigar_windows.go, lines 289 to 304 in 9d6c926:

```go
func (self *ProcMem) Get(pid int) error {
	// processQueryLimitedInfoAccess is PROCESS_QUERY_LIMITED_INFORMATION on Vista
	// or greater and PROCESS_QUERY_INFORMATION on older versions; PROCESS_VM_READ
	// is always added to the requested access.
	handle, err := syscall.OpenProcess(processQueryLimitedInfoAccess|windows.PROCESS_VM_READ, false, uint32(pid))
	if err != nil {
		return errors.Wrapf(err, "OpenProcess failed for pid=%v", pid)
	}
	defer syscall.CloseHandle(handle)

	counters, err := windows.GetProcessMemoryInfo(handle)
	if err != nil {
		return errors.Wrapf(err, "GetProcessMemoryInfo failed for pid=%v", pid)
	}

	self.Resident = uint64(counters.WorkingSetSize)
	self.Size = uint64(counters.PrivateUsage)
	return nil
}
```

As stated at https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getprocessmemoryinfo, PROCESS_VM_READ is only necessary on Server 2003 / Windows XP. It is not necessary for Vista or greater.

This is problematic for protected processes, including anti-malware PPL processes. It is documented at https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights#protected-processes that a process is forbidden from opening a handle to a protected process with PROCESS_VM_READ. Therefore, the call to OpenProcess will fail. Running with SeDebugPrivilege in the process token does not bypass this restriction.

PROCESS_QUERY_LIMITED_INFORMATION is allowed, and therefore the solution is to modify this function to not request PROCESS_VM_READ if running on Vista or greater (or just remove it, if XP is no longer supported). It will then be possible to retrieve memory usage information for protected processes, including many anti-malware processes.

Further reading on AM-PPL: https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-
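The access-mask change proposed above, as an added example that is not gosigar's code and not part of the issue. It keeps the version-dependent mask in a small function and exercises it against a constructed stand-in for OpenProcess, so the failure mode (a protected process rejecting any request that includes PROCESS_VM_READ, as the linked Microsoft page documents) and the fix can be shown off Windows. The `processOpener` interface, `fakeOpener`, `openForMemInfo` and the sample pid 4242 are all assumptions of this example; the three access-right constants are the values from winnt.h.

```go
package main

import (
	"errors"
	"fmt"
)

// Process access rights as defined in winnt.h.
const (
	PROCESS_VM_READ                   uint32 = 0x0010
	PROCESS_QUERY_INFORMATION         uint32 = 0x0400
	PROCESS_QUERY_LIMITED_INFORMATION uint32 = 0x1000
)

// procMemAccess returns the access mask a memory-usage query should request.
// On Vista or greater GetProcessMemoryInfo only needs
// PROCESS_QUERY_LIMITED_INFORMATION; PROCESS_VM_READ is only required on
// XP / Server 2003, where the limited right does not exist and
// PROCESS_QUERY_INFORMATION is used instead.
func procMemAccess(vistaOrGreater bool) uint32 {
	if vistaOrGreater {
		return PROCESS_QUERY_LIMITED_INFORMATION
	}
	return PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
}

// legacyProcMemAccess reproduces the mask the issue reports: PROCESS_VM_READ is
// always added, regardless of Windows version.
func legacyProcMemAccess(vistaOrGreater bool) uint32 {
	if vistaOrGreater {
		return PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ
	}
	return PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
}

// processOpener abstracts OpenProcess so the mask logic can be exercised
// without a Windows kernel (hypothetical interface for this example).
type processOpener interface {
	OpenProcess(desiredAccess uint32, pid uint32) (uintptr, error)
}

// errAccessDenied stands in for ERROR_ACCESS_DENIED from the real call.
var errAccessDenied = errors.New("Access is denied.")

// fakeOpener is a constructed model of the kernel's protected-process check:
// for pids marked protected it refuses any request that includes
// PROCESS_VM_READ; every other request succeeds. It is not the real kernel.
type fakeOpener struct {
	protected map[uint32]bool
}

func (f fakeOpener) OpenProcess(desiredAccess uint32, pid uint32) (uintptr, error) {
	if f.protected[pid] && desiredAccess&PROCESS_VM_READ != 0 {
		return 0, errAccessDenied
	}
	return uintptr(0x100 + pid), nil // constructed pseudo-handle
}

// openForMemInfo opens pid with the mask chosen by access and returns the
// handle the caller would pass to GetProcessMemoryInfo.
func openForMemInfo(o processOpener, access func(bool) uint32, vistaOrGreater bool, pid uint32) (uintptr, error) {
	h, err := o.OpenProcess(access(vistaOrGreater), pid)
	if err != nil {
		return 0, fmt.Errorf("OpenProcess failed for pid=%v: %w", pid, err)
	}
	return h, nil
}

func main() {
	// pid 4242 is a constructed example of a protected (e.g. AM-PPL) process.
	sys := fakeOpener{protected: map[uint32]bool{4242: true}}

	_, err := openForMemInfo(sys, legacyProcMemAccess, true, 4242)
	fmt.Println("with PROCESS_VM_READ:", err)

	h, err := openForMemInfo(sys, procMemAccess, true, 4242)
	fmt.Println("PROCESS_QUERY_LIMITED_INFORMATION only:", h, err)
}
```

Running it shows the legacy mask failing with the access-denied error for the protected pid while the limited mask opens it; for an unprotected pid both masks succeed, which is why the bug only surfaces against protected processes. On a real Windows build the `fakeOpener` would be replaced by `syscall.OpenProcess` and the version check by whatever gosigar already uses to pick `processQueryLimitedInfoAccess`.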
