[CWS] small optimization to the user path computation on windows (Dat…

…aDog#31281)
kkpan11 · Nov 26, 2024 · 798ee9f · 798ee9f
1 parent 04a7d9a
commit 798ee9f
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/pkg/security/probe/probe_kernel_file_windows.go b/pkg/security/probe/probe_kernel_file_windows.go
@@ -758,10 +758,16 @@ func (wp *WindowsProbe) parseNameDeleteArgs(e *etw.DDEventRecord) (*nameDeleteAr
 // nolint: unused
 func (wp *WindowsProbe) convertDrivePath(devicefilename string) (string, error) {
 	// filepath doesn't seem to like the \Device\HarddiskVolume1 format
-	pathchunks := strings.Split(devicefilename, "\\")
+	pathchunks := strings.SplitN(devicefilename, "\\", 4)
 	if len(pathchunks) > 2 {
 		if strings.EqualFold(pathchunks[1], "device") {
-			pathchunks[2] = wp.volumeMap[strings.ToLower(pathchunks[2])]
+			// first try a direct match, to avoid the `strings.ToLower` call
+			replaced, ok := wp.volumeMap[pathchunks[2]]
+			if !ok {
+				// then try a case insensitive match
+				replaced = wp.volumeMap[strings.ToLower(pathchunks[2])]
+			}
+			pathchunks[2] = replaced
 			return filepath.Join(pathchunks[2:]...), nil
 		}
 	}
@@ -823,7 +829,9 @@ func (wp *WindowsProbe) initializeVolumeMap() error {
 				if len(paths) > 2 {
 					// the \Device leads to the first entry being empty
 					if strings.EqualFold(paths[1], "device") {
-						wp.volumeMap[strings.ToLower(paths[2])] = drive
+						device := paths[2]
+						wp.volumeMap[device] = drive                  // device as-is for direct match
+						wp.volumeMap[strings.ToLower(device)] = drive // lower case for slower fallback
 					}
 				}
 			}