Prepare for release 0.5.8 RC1 (Velocidex#997)

constants/constants.go

@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	VERSION                    = "0.5.7"
+	VERSION                    = "0.5.8-rc1"
 	ENROLLMENT_WELL_KNOWN_FLOW = "E:Enrol"
 	MONITORING_WELL_KNOWN_FLOW = FLOW_PREFIX + "Monitoring"
 

gui/velociraptor/package.json

@@ -51,7 +51,8 @@
         "react-step-wizard": "^5.3.5",
         "react-treebeard": "^3.2.4",
         "recharts": "^1.8.5",
-        "styled-components": "^5.2.0"
+        "styled-components": "^5.2.0",
+        "y18n": "^4.0.1"
     },
     "homepage": ".",
     "scripts": {

gui/velociraptor/yarn.lock

@@ -13504,7 +13504,7 @@
   "resolved" "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz"
   "version" "4.0.2"
 
-"y18n@^4.0.0":
+"y18n@^4.0.0", "y18n@^4.0.1":
   "integrity" "sha512-wNcy4NvjMYL8gogWWYAO7ZFWFfHcbdbE57tZO8e4cbpj8tfUcwrwqSl3ad8HxpYWCdXcJUCeKKZS62Av1affwQ=="
   "resolved" "https://registry.npmjs.org/y18n/-/y18n-4.0.1.tgz"
   "version" "4.0.1"

vql/windows/processes.go

@@ -22,6 +22,7 @@ package windows
 
 import (
 	"context"
+	"debug/pe"
 	"runtime"
 	"syscall"
 	"time"
@@ -54,6 +55,7 @@ type Win32_Process struct {
 	IoCounters      *IO_COUNTERS
 	Memory          *PROCESS_MEMORY_COUNTERS
 	PebBaseAddress  uint64
+	IsWow64         bool
 }
 
 type MemoryInfoStat struct {
@@ -127,6 +129,14 @@ func (self *Win32_Process) getCmdLine(handle syscall.Handle) {
 func (self *Win32_Process) getProcessInfo(handle syscall.Handle) {
 	handle_info := PROCESS_BASIC_INFORMATION{}
 	var length uint32
+	var processMachine, nativeMachine uint16
+	err := windows.IsWow64Process2(
+		windows.Handle(handle), &processMachine, &nativeMachine)
+	if err == nil {
+		if processMachine == pe.IMAGE_FILE_MACHINE_I386 {
+			self.IsWow64 = true
+		}
+	}
 
 	status := NtQueryInformationProcess(handle, ProcessBasicInformation,
 		(*byte)(unsafe.Pointer(&handle_info)),