From fa8f55ad83e21585a510e7eaa32687344eb8e9a0 Mon Sep 17 00:00:00 2001
From: nikaiw
Date: Thu, 2 Nov 2023 22:04:24 -0500
Subject: [PATCH] Fix lsass pid retrieval use MAXIMUM_ALLOWED instead of PROCESS_QUERY_INFORMATION
---
 EDRSandblast/Utils/SyscallProcessUtils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/EDRSandblast/Utils/SyscallProcessUtils.c b/EDRSandblast/Utils/SyscallProcessUtils.c
index 851e71c..ac90fda 100644
--- a/EDRSandblast/Utils/SyscallProcessUtils.c
+++ b/EDRSandblast/Utils/SyscallProcessUtils.c
@@ -87,7 +87,7 @@ DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid) {
 *pPid = 0;
 while (*pPid == 0) {
- status = NtGetNextProcess(hProcess, PROCESS_QUERY_INFORMATION, 0, 0, &hProcess);
+ status = NtGetNextProcess(hProcess, MAXIMUM_ALLOWED, 0, 0, &hProcess);
 if (status == STATUS_NO_MORE_ENTRIES) {
 _tprintf_or_not(TEXT("[-] The process '%s' was not found\n"), targetProcessName);