Closed nobur closed 3 years ago
Hi, I made a mistake in my previous code. Here is a correction that seems to be working:
DWORD threadExitcode = 0;
// if we're in simulation mode or we didn't need to block the process, let it run
if (configuration.log_only() || !bBlock) {
    if (hThread != INVALID_HANDLE_VALUE && hProcess != INVALID_HANDLE_VALUE) {
        ResumeThread(hThread);
        WaitForSingleObject(hProcess, INFINITE);
        if (GetExitCodeThread(hThread, &threadExitcode) == false)
        {
            if (configuration.is_debug_mode()) {
                wprintf(L"can't get return code. error number: %d\n", GetLastError());
            }
        }
    }
}
else {
    if (bBlock) {
        utils::killProcess(dwChildPid, 1);
    }
}
if (configuration.is_debug_mode()) {
    wprintf(L"return code: %d\n", threadExitcode);
}
// Log events
logSend(sListLogs);
return threadExitcode;
I've tested it with a simple PowerShell command line:
powershell -command exit 123456
Then check the available return code:
echo %errorlevel%
With the original version the result is:
0
With the modified one:
132456
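The manual check described in this comment can be repeated over several exit codes with a small script. This is an added example, not code from the thread or from the Raccine project; it assumes the interceptor is active for `powershell.exe` on the host where it runs, and the function name and the sample codes are constructed for illustration.

```powershell
# Added example (not from the Raccine project): verifies that the exit code of a
# child PowerShell process reaches the caller unchanged when a launch interceptor
# sits in between. Function name and sample codes are hypothetical.
function Test-ExitCodePropagation {
    param(
        # Constructed sample values; 123456 is the value used in the thread.
        [int[]]$Codes = @(0, 1, 5, 123456)
    )

    foreach ($code in $Codes) {
        # Launch a child PowerShell that exits with a known code.
        # Out-Null keeps any child output out of the result objects.
        & powershell.exe -NoProfile -NonInteractive -Command "exit $code" | Out-Null

        # $LASTEXITCODE holds the exit code of the last native program run.
        $actual = $LASTEXITCODE

        [pscustomobject]@{
            Expected = $code
            Actual   = $actual
            Passed   = ($actual -eq $code)
        }
    }
}

$report = @(Test-ExitCodePropagation)
$report | Format-Table -AutoSize

# Fail loudly so a supervision job notices a swallowed exit code.
if ($report.Passed -contains $false) {
    Write-Warning 'At least one exit code was altered between child and caller.'
    exit 1
}
exit 0
```

Saved as a script and run on a schedule, a non-zero result signals that exit codes are being replaced again, for example after an update of the interceptor.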
Hi,
We recently faced an issue regarding the return code of Raccine. We have a supervision tool that relies on a few PowerShell script return codes to raise alerts. The problem is that Raccine intercepts this return code and always returns 0 instead. Because of that, we lost supervision capabilities.
Will it be possible to change this behavior by replacing the current return code
return 0;
with the return code of the managed thread:
This is sample code of what can be done. I still haven't tested it myself to see if it is working as expected.
Regards