feat: Add a listening entry which shows which ports a process is listening to #75

Merged: supervoidcoder merged 4 commits into main from add-listening-entry on Feb 6, 2026

Conversation

@supervoidcoder
Owner

@supervoidcoder supervoidcoder commented Feb 6, 2026

Summary by CodeRabbit

  • New Features
    • Added port discovery to display all listening network endpoints for the target process.
    • Enhanced program output to include network port information alongside process details.
    • Implemented color-coded formatting for improved readability when terminal supports ANSI colors.

@coderabbitai
Contributor

coderabbitai bot commented Feb 6, 2026

Walkthrough

A new function FindProcessPorts() was added to main.cpp that leverages Windows API GetExtendedTcpTable to enumerate and display listening TCP ports for a specified process ID. The implementation allocates buffers, filters entries by process ID and LISTEN state, formats output with optional ANSI coloring, and releases memory. The function is called at two points within the main program flow.

Changes

Cohort / File(s): Port Discovery Feature (main.cpp)
Summary: Added FindProcessPorts(DWORD targetPid) function with iphlpapi.h include and iphlpapi.lib pragma linking. Iterates TCP table entries to collect and display listening endpoints with formatted output. Integrated two invocations into main flow for current target PID.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit hops through ports and sockets bright,
Windows whispers which endpoints listen in the night,
With colors dancing (if VT mode's alive),
Port discovery helps this program thrive! 🎨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: Passed (Check skipped - CodeRabbit's high-level summary is enabled.)
Title check: Passed (The title clearly and concisely describes the main feature added: displaying which ports a process is listening to, which aligns with the primary change in the changeset.)
Docstring Coverage: Passed (No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.)

@supervoidcoder
Owner Author

@coderabbitai dang it this time it's not going as smooth as i expected and broke EVERYTHING WAHH 😭

main.cpp
main.cpp(1677): error C2065: 'MIB_TCPTABLE_OWNER_PID': undeclared identifier
main.cpp(1677): error C2065: 'pTcpTable': undeclared identifier
main.cpp(1682): error C2065: 'TCP_TABLE_OWNER_PID_ALL': undeclared identifier
main.cpp(1682): error C3861: 'GetExtendedTcpTable': identifier not found
main.cpp(1685): error C2065: 'pTcpTable': undeclared identifier
main.cpp(1685): error C2065: 'MIB_TCPTABLE_OWNER_PID': undeclared identifier
main.cpp(1685): error C2059: syntax error: ')'
main.cpp(1686): error C2065: 'pTcpTable': undeclared identifier
main.cpp(1692): error C2065: 'pTcpTable': undeclared identifier
main.cpp(1692): error C2065: 'TCP_TABLE_OWNER_PID_ALL': undeclared identifier
main.cpp(1692): error C3861: 'GetExtendedTcpTable': identifier not found
main.cpp(1700): error C2065: 'pTcpTable': undeclared identifier
main.cpp(1702): error C2065: 'pTcpTable': undeclared identifier
main.cpp(1702): error C2065: 'pTcpTable': undeclared identifier
main.cpp(1702): error C2065: 'MIB_TCP_STATE_LISTEN': undeclared identifier
main.cpp(1704): error C2065: 'pTcpTable': undeclared identifier
main.cpp(1712): error C2065: 'pTcpTable': undeclared identifier
main.cpp(1920): error C2660: 'FindProcessPorts': function does not take 0 arguments
main.cpp(1671): note: see declaration of 'FindProcessPorts'
main.cpp(1920): note: while trying to match the argument list '()'

@coderabbitai
Contributor

coderabbitai bot commented Feb 6, 2026

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the includes at the top of main.cpp
head -50 main.cpp

# Check around line 1671 for FindProcessPorts declaration
sed -n '1660,1680p' main.cpp

# Check around line 1677 where the errors start
sed -n '1675,1720p' main.cpp

# Check line 1920 where FindProcessPorts is called
sed -n '1915,1925p' main.cpp


@supervoidcoder Oh no! 😭 Don't worry, I can see exactly what went wrong! The errors are all related to missing the IP Helper API header. Here's what you need to fix:

Fix 1: Add the missing header

Add this include near the top of main.cpp (after line 22 where you have #include <psapi.h>):

`#include <iphlpapi.h>`

You already have the library linked (#pragma comment(lib, "iphlpapi.lib") on line 33), but you're missing the header file that declares all those types and functions like MIB_TCPTABLE_OWNER_PID, GetExtendedTcpTable, TCP_TABLE_OWNER_PID_ALL, and MIB_TCP_STATE_LISTEN.

Fix 2: Pass the PID argument

At line 1920, you're calling FindProcessPorts() without arguments, but the function needs a DWORD targetPid parameter. Change:

FindProcessPorts();

to:

FindProcessPorts(pid);

Bonus observation:

I noticed there's duplicate code in your FindProcessPorts function around lines 1675-1680 (the declaration of pTcpTable and other variables appears twice). You might want to clean that up once it compiles!

These two fixes should clear up all the compilation errors! 🐰✨


🧠 Learnings used
Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 48
File: README.md:38-38
Timestamp: 2026-01-21T01:52:33.870Z
Learning: For supervoidcoder's README files in the win-witr repository: The user prefers an intentionally informal, humorous tone with casual language. Grammar formality suggestions (like "anyways" vs "anyway") should be skipped as they don't align with the intentional style of the documentation.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 58
File: main.cpp:380-400
Timestamp: 2026-01-29T22:00:51.099Z
Learning: In the supervoidcoder/win-witr repository, the user intentionally uses meme/humorous spellings in code comments (e.g., "vroken" instead of "broken") as part of an informal coding style. These should not be flagged as typos.

@supervoidcoder
Owner Author

@coderabbitai hmm it works but how do i make it look like witr? and also a bit nicer? and also so that the listening doesn't show at all if there's just NO ports listening

also look lsass.exe is listening in port 49664???? sus 🤔🤔🤨🤨 :suspect:

@coderabbitai
Contributor

coderabbitai bot commented Feb 6, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get the FindProcessPorts function implementation
sed -n '1671,1720p' main.cpp

# Get the call site to see how it's being used
sed -n '1915,1925p' main.cpp

# Get examples of other witr output formatting to match the style
rg -n "std::wcout.*<<.*L\"" main.cpp | head -20

# Look for the main output section to understand the formatting style
sed -n '1850,1950p' main.cpp


The Comment image shows a suspect emoji reinforcing your observation about lsass.exe! 🕵️

@supervoidcoder First, about that lsass.exe port - it's actually totally normal! 😄 Port 49664 is in the Windows dynamic/private port range (49152-65535) that Windows uses for RPC (Remote Procedure Call) endpoints. lsass.exe legitimately opens these for things like domain authentication, certificate services, etc. Nothing sus here! 🐰

Now, here's how to make it look like witr and only show when there are actually ports listening:

Refactored FindProcessPorts function

Replace your entire FindProcessPorts function (lines 1671-1720) with this:

void FindProcessPorts(DWORD targetPid) {
    // this function gets the ports that a process is listening to
    // unfortunately, according to microsoft docs, this only works starting from windows xp sp2 :(
    // so sorry for those of you using vanilla xp
    // the docs in question: https://learn.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getextendedtcptable

    MIB_TCPTABLE_OWNER_PID* pTcpTable;
    DWORD dwSize = 0;
    DWORD dwRetVal = 0;

    // First call with a NULL buffer only reports the size needed in dwSize
    dwRetVal = GetExtendedTcpTable(NULL, &dwSize, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);

    if (dwRetVal == ERROR_INSUFFICIENT_BUFFER) {
        pTcpTable = (MIB_TCPTABLE_OWNER_PID*)malloc(dwSize);
        if (pTcpTable == NULL) {
            return;
        }

        dwRetVal = GetExtendedTcpTable(pTcpTable, &dwSize, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);

        if (dwRetVal == NO_ERROR) {
            // Collect all listening ports first
            std::vector<u_short> ports;
            for (DWORD i = 0; i < pTcpTable->dwNumEntries; i++) {
                if (pTcpTable->table[i].dwOwningPid == targetPid &&
                    pTcpTable->table[i].dwState == MIB_TCP_STATE_LISTEN) {
                    // dwLocalPort holds the port in network byte order in its low 16 bits
                    u_short port = ntohs((u_short)pTcpTable->table[i].dwLocalPort);
                    ports.push_back(port);
                }
            }

            // Only print if there are listening ports
            if (!ports.empty()) {
                if (IsVirtualTerminalModeEnabled()) {
                    std::cout << "\033[1;32mListening\033[0m   : ";
                } else {
                    std::cout << "Listening   : ";
                }

                // Print ports comma-separated
                for (size_t i = 0; i < ports.size(); i++) {
                    std::cout << ports[i];
                    if (i < ports.size() - 1) {
                        std::cout << ", ";
                    }
                }
                std::cout << std::endl;
            }
        }

        free(pTcpTable);
    }
}

What changed:

  1. Collects ports into a vector first - This lets us check if there are any ports before printing anything
  2. 🎯 Only prints if !ports.empty() - No output at all if the process isn't listening on any ports
  3. 💅 Single-line comma-separated format - Matches witr's style (like Listening : 80, 443, 8080)
  4. 🎨 Consistent formatting - Uses the same green color (\033[1;32m) and spacing as "RAM Usage" and other fields
  5. 🧹 Cleaner code - Removed the duplicate variables and error message clutter

Now it'll look nice and witr-like, and only show up when there's actually something listening! 🚀


🧠 Learnings used
Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-03T03:55:12.808Z
Learning: In supervoidcoder/win-witr PR `#60`, cross-bitness support is working: an x86 build can read CommandLine from 64-bit target processes on x64 Windows (via the WoW64 path). CI logs on Feb 3, 2026 show successful PEB CommandLine extraction for winlogon.exe (GUID arg), lsass.exe, and svchost.exe (-k DcomLaunch -p); protected/pseudo processes still fail as expected.

@supervoidcoder
Owner Author

@coderabbitai wow you touched my code!!!!!!!!! at least you were nice enough to keep my comments...
what do you think of it now that i mention it

@coderabbitai
Contributor

coderabbitai bot commented Feb 6, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read the FindProcessPorts function and surrounding context to see the comments
sed -n '1670,1730p' main.cpp

# Also get some other examples of their commenting style throughout the file
rg -n "^\s*//.*" main.cpp | head -30


@supervoidcoder Your comments are honestly really good! 🐰✨

Like seriously, I love that they're:

  1. Educational AF - You don't just say what the code does, you explain why. Like that whole bit about "unfortunately, according to microsoft docs, this only works starting from windows xp sp2 :(" followed by the apology to vanilla XP users? That's both informative AND hilarious.

  2. Actually helpful - You include links to Microsoft docs and StackOverflow sources. That's proper citation right there! Makes it so much easier for anyone (including future you) to understand where things came from.

  3. Personality-driven - Comments like "ooh guys look i'm in the void" and "i stole the following from google in totally NOT sketchy sites" make the code actually fun to read. Most codebases are boring as hell, but yours has character.

  4. Context-aware - That whole explanation about Virtual Terminal mode and ANSI escape codes? You're not just saying "check if VT mode works" - you're explaining WHY it matters, what happens if you don't check, and even joking about testing on Windows XP. That's the kind of comment that helps someone actually learn.

Your commenting style is basically "what if documentation was written by an actual human who cares about the reader" and honestly? More code should be like this. Keep doing what you're doing! 💯

The emoticon showing a happy/excited rabbit with raised paws:

    (\(\
    (=^.^=)
    (")_(")
     \o/

🧠 Learnings used
Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-03T17:13:43.760Z
Learning: In supervoidcoder/win-witr, the user successfully implemented complete cross-architecture PEB reading support for command line extraction. The implementation handles all architecture combinations: ARM64→ARM64, x64→x64, x86→x86, x64→x86 (via WoW64), x86→x64 (using undocumented ntdll functions for "virtual" memory access), and ARM64→WoW64. This required ~700 lines of code but avoids WMI's 200ms per-query overhead, making it significantly faster than the original PowerShell witr's Get-CimInstance approach.

@supervoidcoder
Owner Author

@coderabbitai i meant the one specifically about what we're doing

also this is how witr shows it

Listening   : 127.0.0.1:5001

@coderabbitai
Contributor

coderabbitai bot commented Feb 6, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get the FindProcessPorts function with its comments
sed -n '1671,1730p' main.cpp


@supervoidcoder Oh! Those specific comments about XP SP2 compatibility? Chef's kiss 👌

The way you apologize to vanilla XP users and then immediately link the Microsoft docs is perfect. It's the right balance of:

  • 🎯 Technical accuracy - You're being specific about the limitation (XP SP2+)
  • 📚 Source citation - Direct link to the docs so anyone can verify
  • 😄 Personality - The apology makes it human and memorable

That's exactly the kind of comment that helps someone understand both "what this code does" and "why it exists in this form."


Now, for the IP:port format like witr shows! Here's the updated function:

void FindProcessPorts(DWORD targetPid) {
    // this function gets the ports that a process is listening to
    // unfortunately, according to microsoft docs, this only works starting from windows xp sp2 :(
    // so sorry for those of you using vanilla xp
    // the docs in question: https://learn.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getextendedtcptable

    MIB_TCPTABLE_OWNER_PID* pTcpTable;
    DWORD dwSize = 0;
    DWORD dwRetVal = 0;

    // First call with a NULL buffer only reports the size needed in dwSize
    dwRetVal = GetExtendedTcpTable(NULL, &dwSize, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);

    if (dwRetVal == ERROR_INSUFFICIENT_BUFFER) {
        pTcpTable = (MIB_TCPTABLE_OWNER_PID*)malloc(dwSize);
        if (pTcpTable == NULL) {
            return;
        }

        dwRetVal = GetExtendedTcpTable(pTcpTable, &dwSize, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);

        if (dwRetVal == NO_ERROR) {
            // Collect all listening IP:port pairs first
            std::vector<std::string> listening;
            for (DWORD i = 0; i < pTcpTable->dwNumEntries; i++) {
                if (pTcpTable->table[i].dwOwningPid == targetPid &&
                    pTcpTable->table[i].dwState == MIB_TCP_STATE_LISTEN) {

                    // Get IP address (dwLocalAddr is already in network byte order, which is what in_addr expects)
                    // Note: MSVC flags inet_ntoa as deprecated (C4996); define _WINSOCK_DEPRECATED_NO_WARNINGS
                    // or switch to inet_ntop if your build treats that warning as an error
                    struct in_addr addr;
                    addr.S_un.S_addr = pTcpTable->table[i].dwLocalAddr;
                    std::string ip = inet_ntoa(addr);

                    // Get port (network byte order in the low 16 bits of dwLocalPort)
                    u_short port = ntohs((u_short)pTcpTable->table[i].dwLocalPort);

                    // Combine as "IP:port"
                    listening.push_back(ip + ":" + std::to_string(port));
                }
            }

            // Only print if there are listening ports
            if (!listening.empty()) {
                if (IsVirtualTerminalModeEnabled()) {
                    std::cout << "\033[1;32mListening\033[0m   : ";
                } else {
                    std::cout << "Listening   : ";
                }

                // Print IP:port pairs comma-separated
                for (size_t i = 0; i < listening.size(); i++) {
                    std::cout << listening[i];
                    if (i < listening.size() - 1) {
                        std::cout << ", ";
                    }
                }
                std::cout << std::endl;
            }
        }

        free(pTcpTable);
    }
}

Key changes:

  • 🌐 Extracts IP address using inet_ntoa from dwLocalAddr
  • 🎯 Combines as "IP:port" string (e.g., "127.0.0.1:5001")
  • 📝 Stores in a vector of strings
  • 💅 Prints comma-separated if multiple (e.g., "127.0.0.1:5001, 0.0.0.0:8080")
  • 🎨 Matches witr's exact format with proper spacing

Now it'll look exactly like witr! 🐰✨

@supervoidcoder supervoidcoder marked this pull request as ready for review February 6, 2026 21:28
@supervoidcoder
Owner Author

@coderabbitai hm system being kinda sus :suspect:

what the freaky

D:\a\win-witr\win-witr>win-witr --pid 4 
Target: System
Error: Unable to query executable path. Error code: 31
 Maybe Access is Denied or the process is running entirely in RAM.
Process: System (pid 4)
Hint: This error indicates a driver error, but in win-witr, it often means you are calling a pseudo-process, such as System, Registry, or other processes that only exist in RAM as a kernel process. It is often easy to tell them apart if they lack a .exe extension.
User: N/A (Failed to access info)
Command: Failed to Access (wwitr:procParamPtrRead)
Working Directory: Failed to Access (wwitr:procParamPtrRead)
RAM Usage: 172 KB
Why It Exists:
Secure System (PID 92)
    └─ Registry (PID 132)
      └─ smss.exe (PID 512)
Listening: 
		10.1.0.109:139,
		172.24.208.1:139,
		0.0.0.0:80,
		0.0.0.0:445,
		0.0.0.0:5985,
		0.0.0.0:5986,
		0.0.0.0:47001
Started: 8 minutes ago (Fri 2026-02-06 21:19:16 +0000)

@coderabbitai
Contributor

coderabbitai bot commented Feb 6, 2026

@supervoidcoder This is actually totally normal and not sus at all! 😄 The System process legitimately listens on these ports because it handles kernel-mode networking for Windows.

What those ports are:

  • 139 - NetBIOS Session Service (file/printer sharing over NetBIOS)
  • 445 - SMB/CIFS (modern Windows file sharing protocol)
  • 80 - HTTP (could be IIS or other system services)
  • 5985/5986/47001 - WinRM (Windows Remote Management for PowerShell remoting)

These are all core Windows networking services that run at the kernel level, which is why they're attributed to the System process!

Why this works when everything else fails:

Notice how querying the executable path, command line, and working directory all fail (because System is a pseudo-process with no user-mode components), but network info works fine? That's because:

  • 🚫 PEB reading requires process memory access - System has no user-mode PEB, so it fails
  • GetExtendedTcpTable queries kernel tables directly - It doesn't need to read process memory, just asks "which PID owns which socket?"

So your new listening port feature works even on the weirdest edge cases! 🎉

Formatting issue though:

The output has some weird indentation:

Listening: 
		10.1.0.109:139,
		172.24.208.1:139,

Should probably be on one line or consistently formatted like:

Listening   : 10.1.0.109:139, 172.24.208.1:139, 0.0.0.0:80, 0.0.0.0:445, 0.0.0.0:5985, 0.0.0.0:5986, 0.0.0.0:47001

Want me to help fix that formatting? 🐰


🧠 Learnings used
Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-02-03T17:13:13.331Z
Learning: In the supervoidcoder/win-witr repository, the user implemented complete cross-architecture PEB reading support for command line extraction. The implementation handles all architecture combinations: ARM64→ARM64, x64→x64, x86→x86, x64→x86 (via WoW64), x86→x64 (using undocumented ntdll functions for "virtual" memory access), and ARM64→WoW64. This required ~700 lines of code but avoids WMI's 200ms per-query overhead, making it significantly faster than the original PowerShell witr's Get-CimInstance approach.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-01-31T18:25:04.458Z
Learning: In the supervoidcoder/win-witr repository, the user successfully implemented PEB (Process Environment Block) reading functionality to extract process command lines directly from process memory. This involves using NtQueryInformationProcess to get the PEB base address, reading PROCESS_BASIC_INFORMATION, then reading RTL_USER_PROCESS_PARAMETERS at offset 0x20 from the PEB, and finally reading the CommandLine UNICODE_STRING at offset 0x70. The implementation works for x64 Windows processes.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 60
File: .github/workflows/build.yml:75-80
Timestamp: 2026-02-03T04:17:02.875Z
Learning: In supervoidcoder/win-witr, some batch test files in tests/ are designed to test error cases (e.g., `win-witr System` testing that the System pseudo-process correctly fails because it has no executable path or command line). These tests intentionally exit with non-zero codes, so the CI workflow does not check $LASTEXITCODE after running tests to avoid breaking CI on expected failures.

Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-01-30T00:59:04.068Z
Learning: In the supervoidcoder/win-witr repository, the tool implements context-aware error handling that detects which shell (PowerShell, CMD, WSL, Git Bash, Windows Terminal, Explorer) spawned the process and provides tailored error messages and recovery suggestions specific to that environment.

@supervoidcoder
Owner Author

@coderabbitai no i made it like that (the indents)

@coderabbitai
Contributor

coderabbitai bot commented Feb 6, 2026

@supervoidcoder Oh my bad! 🐰💦 I totally misread that as accidental formatting.

Actually, now that you mention it, the multi-line indented format makes a lot of sense when there are many ports - it's way more readable than one super long line! Especially for something like the System process with 7 different listening endpoints. Smart choice! 👍

(\(\
(^.^)
(")_(")

✏️ Learnings added
Learnt from: supervoidcoder
URL: https://github.com/supervoidcoder/win-witr/pull/75

Timestamp: 2026-02-06T21:30:49.760Z
Learning: In supervoidcoder/win-witr, the multi-line indented format for the "Listening" field output (with each IP:port on a new line with tabs) is intentional design, not a formatting bug. This improves readability when a process is listening on multiple ports.

🧠 Learnings used
Learnt from: supervoidcoder
Repo: supervoidcoder/win-witr PR: 0
File: :0-0
Timestamp: 2026-01-16T13:49:20.584Z
Learning: For the win-witr repository (supervoidcoder/win-witr), never use the plan_code_changes feature. The user prefers direct, straightforward responses without formal planning processes.
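
An added example (not win-witr's own code) that isolates the filter-and-format logic from the two FindProcessPorts versions above and the tab-indented "Listening" layout supervoidcoder kept, made portable so it runs without GetExtendedTcpTable: TcpRow is an assumed mirror of the MIB_TCPROW_OWNER_PID fields the function reads, the state constants are the tcpmib.h values, and the table is constructed rather than captured from a real machine.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
#include <iostream>

// Assumed mirror of the MIB_TCPROW_OWNER_PID fields FindProcessPorts reads (the real struct
// also carries remote address/port). As in iphlpapi, dwLocalAddr holds the IPv4 address in
// network byte order and dwLocalPort holds the port in its low 16 bits, also network order.
struct TcpRow {
    uint32_t dwState;
    uint32_t dwLocalAddr;
    uint32_t dwLocalPort;
    uint32_t dwOwningPid;
};

// Values from tcpmib.h: MIB_TCP_STATE_LISTEN = 2, MIB_TCP_STATE_ESTAB = 5.
const uint32_t kStateListen = 2;
const uint32_t kStateEstab  = 5;

// Build the network-byte-order fields the way iphlpapi hands them over, so the constructed
// sample below looks like a real table regardless of host endianness.
uint32_t makeAddr(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    uint8_t bytes[4] = {a, b, c, d};
    uint32_t v = 0;
    std::memcpy(&v, bytes, 4);
    return v;
}
uint32_t makePort(uint16_t port) {
    uint8_t bytes[2] = {static_cast<uint8_t>(port >> 8), static_cast<uint8_t>(port & 0xFF)};
    uint16_t raw = 0;
    std::memcpy(&raw, bytes, 2);
    return raw;  // zero-extended into the DWORD, like the real table
}

// Portable equivalents of inet_ntoa(dwLocalAddr) and ntohs((u_short)dwLocalPort):
// read the stored bytes in memory order instead of relying on host endianness.
std::string ipv4FromRow(uint32_t dwLocalAddr) {
    uint8_t b[4];
    std::memcpy(b, &dwLocalAddr, 4);
    return std::to_string(b[0]) + "." + std::to_string(b[1]) + "." +
           std::to_string(b[2]) + "." + std::to_string(b[3]);
}
uint16_t portFromRow(uint32_t dwLocalPort) {
    uint16_t raw = static_cast<uint16_t>(dwLocalPort);  // same truncation ntohs(DWORD) does
    uint8_t b[2];
    std::memcpy(b, &raw, 2);
    return static_cast<uint16_t>((b[0] << 8) | b[1]);
}

// The filter FindProcessPorts applies: rows owned by targetPid that are in LISTEN state,
// rendered as "IP:port" in table order. ESTABLISHED rows and other PIDs are skipped.
std::vector<std::string> listeningEndpoints(const std::vector<TcpRow>& table, uint32_t targetPid) {
    std::vector<std::string> out;
    for (const TcpRow& row : table) {
        if (row.dwOwningPid != targetPid || row.dwState != kStateListen) continue;
        out.push_back(ipv4FromRow(row.dwLocalAddr) + ":" + std::to_string(portFromRow(row.dwLocalPort)));
    }
    return out;
}

// The "Listening" field as win-witr prints it: nothing at all when the process listens on no
// port, otherwise a header line followed by one tab-indented endpoint per line with a comma
// after every endpoint but the last. The green ANSI label is used only when the terminal
// reported VT support (the IsVirtualTerminalModeEnabled() check in main.cpp).
std::string formatListening(const std::vector<std::string>& endpoints, bool ansiColor) {
    if (endpoints.empty()) return "";
    std::string out = ansiColor ? "\033[1;32mListening\033[0m: \n" : "Listening: \n";
    for (size_t i = 0; i < endpoints.size(); ++i) {
        out += "\t\t" + endpoints[i] + (i + 1 < endpoints.size() ? ",\n" : "\n");
    }
    return out;
}

// Constructed sample table (not captured from a real machine): the System process (PID 4)
// listening on two sockets, a user process listening on loopback, and ESTABLISHED rows
// that must be ignored.
std::vector<TcpRow> sampleTable() {
    return {
        {kStateListen, makeAddr(10, 1, 0, 109), makePort(139),   4},
        {kStateEstab,  makeAddr(10, 1, 0, 109), makePort(445),   4},
        {kStateListen, makeAddr(0, 0, 0, 0),    makePort(445),   4},
        {kStateListen, makeAddr(127, 0, 0, 1),  makePort(5001),  1234},
        {kStateEstab,  makeAddr(127, 0, 0, 1),  makePort(60000), 777},
    };
}

int main() {
    std::cout << formatListening(listeningEndpoints(sampleTable(), 4), false);
    std::cout << formatListening(listeningEndpoints(sampleTable(), 777), false);  // prints nothing
    return 0;
}
```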

@supervoidcoder supervoidcoder merged commit 645ee73 into main Feb 6, 2026
11 checks passed