Processing (Windows): prefers NT APIs

Author: CarterLi

src/common/impl/processing_windows.c

@@ -216,12 +216,14 @@ const char* ffProcessReadOutput(FFProcessHandle* handle, FFstrbuf* buffer)
 
 bool ffProcessGetInfoWindows(uint32_t pid, uint32_t* ppid, FFstrbuf* pname, FFstrbuf* exe, const char** exeName, FFstrbuf* exePath, bool* gui)
 {
-    FF_AUTO_CLOSE_FD HANDLE hProcess = pid == 0
-        ? NtCurrentProcess()
-        : OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
-
-    if (hProcess == NULL)
-        return false;
+    FF_AUTO_CLOSE_FD HANDLE hProcess = NtCurrentProcess();
+    if(pid != 0)
+    {
+        if (!NT_SUCCESS(NtOpenProcess(&hProcess, PROCESS_QUERY_LIMITED_INFORMATION, &(OBJECT_ATTRIBUTES) {
+            .Length = sizeof(OBJECT_ATTRIBUTES),
+        }, &(CLIENT_ID) { .UniqueProcess = (HANDLE)(uintptr_t) pid })))
+            return false;
+    }
 
     if(ppid)
     {

src/common/windows/nt.h

@@ -1098,3 +1098,10 @@ NTSYSAPI NTSTATUS NTAPI NtQueryKey(
     _In_ ULONG Length,
     _Out_ PULONG ResultLength
 );
+
+NTSYSAPI NTSTATUS NTAPI NtOpenProcess(
+    _Out_ PHANDLE ProcessHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ PCOBJECT_ATTRIBUTES ObjectAttributes,
+    _In_opt_ PCLIENT_ID ClientId
+);

src/detection/wm/wm_windows.c

@@ -52,8 +52,10 @@ static bool verifySignature(const wchar_t* filePath)
 
 static bool isProcessTrusted(DWORD processId, FFProcessType processType, UNICODE_STRING* buffer, size_t bufSize)
 {
-    FF_AUTO_CLOSE_FD HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processId);
-    if (!hProcess)
+    FF_AUTO_CLOSE_FD HANDLE hProcess = NULL;
+    if (!NT_SUCCESS(NtOpenProcess(&hProcess, PROCESS_QUERY_LIMITED_INFORMATION, &(OBJECT_ATTRIBUTES) {
+        .Length = sizeof(OBJECT_ATTRIBUTES),
+    }, &(CLIENT_ID) { .UniqueProcess = (HANDLE)(uintptr_t) processId })))
         return false;
 
     ULONG size;