        /// <summary>
        /// Reports whether this program ID denotes a system component. The
        /// System, Global and Service ID types count unconditionally; for any
        /// other type the answer is whatever <c>NtUtilities.IsWindowsBinary</c>
        /// says about <c>Path</c>.
        /// </summary>
        /// <returns><c>true</c> for system-level IDs or Windows binaries.</returns>
        public bool IsSystem()
        {
            switch (Type)
            {
            case ProgramID.Types.System:
            case ProgramID.Types.Global:
            case ProgramID.Types.Service:
                return(true);
            }

            // The path lookup runs at most once; its result is cached in
            // WindowsBinary and reused by every later call.
            if (!WindowsBinary.HasValue)
            {
                WindowsBinary = NtUtilities.IsWindowsBinary(Path);
            }
            return(WindowsBinary.Value);
        }
        /// <summary>
        /// Builds a human-readable label for this entry's program ID. The label
        /// depends on the ID type: a fixed name for System and Global; the
        /// executable's file name plus whatever <c>NtUtilities.GetExeDescription</c>
        /// reports for Program; the service id plus the name
        /// <c>ProcessMonitor.GetServiceName</c> resolves for Service; and the
        /// package id plus its resource string for App, falling back to the raw
        /// package SID when the package is not known to the firewall manager.
        /// </summary>
        /// <returns>
        /// "<c>info</c> (<c>name</c>)" when a non-empty description is available,
        /// otherwise just <c>name</c>. ID types not listed above yield an empty string.
        /// </returns>
        protected string GetDescription()
        {
            string name = "";
            string info = null;

            switch (ID.Type)
            {
            case ProgramID.Types.System:
                name = "Windows NT-Kernel/System";     // Translate.fmt("name_system");
                break;

            case ProgramID.Types.Global:
                name = "All Processes";     // Translate.fmt("name_global");
                break;

            case ProgramID.Types.Program:
                name = System.IO.Path.GetFileName(ID.Path);
                info = NtUtilities.GetExeDescription(ID.Path);
                break;

            case ProgramID.Types.Service:
                name = ID.GetServiceId();
                info = ProcessMonitor.GetServiceName(name);
                break;

            case ProgramID.Types.App:
            {
                var packageSid = ID.GetPackageSID();
                var package    = App.engine.FirewallManager.GetAppPkgBySid(packageSid);
                if (package == null)
                {
                    // Unknown package: show the SID itself so the entry stays identifiable.
                    name = packageSid;
                }
                else
                {
                    name = package.ID;
                    info = App.GetResourceStr(package.Name);
                }
                break;
            }
            }

            // Only a non-empty description is worth showing; otherwise the name stands alone.
            return string.IsNullOrEmpty(info) ? name : $"{info} ({name})";
        }
        /// <summary>
        /// Converts a firewall audit record from the Windows event log into a
        /// <c>FirewallEvent</c>. Only records whose event id is
        /// <c>EventIDs.Blocked</c> or <c>EventIDs.Allowed</c> and whose Direction
        /// property is one of the two known resource references are accepted.
        /// </summary>
        /// <param name="record">The raw event-log record; it is cast to <c>EventLogRecord</c>.</param>
        /// <returns>
        /// The parsed event, or <c>null</c> when the event id is neither Blocked nor
        /// Allowed, the direction is unrecognised, or any property is missing or
        /// malformed (the last case is logged through <c>AppLog.Exception</c>).
        /// </returns>
        protected FirewallEvent ReadFirewallEvent(EventRecord record)
        {
            try
            {
                var values = ((EventLogRecord)record).GetPropertyValues(eventPropertySelector);

                // The record is structured input we did not produce: a property that is absent
                // or boxed as an unexpected type throws here (null dereference / invalid cast)
                // and lands in the catch-all below, so the record is dropped rather than
                // partially parsed.
                object Raw(EventProperties property) => values[(int)property];
                string Text(EventProperties property) => Raw(property).ToString();
                IPAddress Address(EventProperties property) => IPAddress.Parse(Text(property));
                UInt16 Port(EventProperties property) => (UInt16)MiscFunc.parseInt(Text(property));

                var args = new FirewallEvent();

                args.ProcessId = (int)(UInt64)Raw(EventProperties.ProcessID);
                string fileName = Text(EventProperties.ProcessFileName);
                // The kernel's pseudo-process is reported as the bare word "System"; any other
                // value is a path that goes through NtUtilities.parsePath for normalisation.
                args.ProcessFileName = fileName.Equals("System", StringComparison.OrdinalIgnoreCase)
                    ? "System"
                    : NtUtilities.parsePath(fileName);

                args.Action = FirewallRule.Actions.Undefined;

                var eventId = (UInt16)Raw(EventProperties.EventID);
                if (eventId == (UInt16)EventIDs.Blocked)
                {
                    args.Action = FirewallRule.Actions.Block;
                }
                else if (eventId == (UInt16)EventIDs.Allowed)
                {
                    args.Action = FirewallRule.Actions.Allow;
                }
                else
                {
                    // Not a connection verdict we track.
                    return(null);
                }

                args.Protocol  = (UInt32)Raw(EventProperties.Protocol);
                args.Direction = FirewallRule.Directions.Unknown;

                // Direction arrives as a resource reference, not a number: "%%14592" marks an
                // inbound connection and "%%14593" an outbound one. Which endpoint is "local"
                // and which is "remote" is the source/destination pair, swapped accordingly.
                string direction = Text(EventProperties.Direction);
                if (direction == "%%14592")
                {
                    args.Direction     = FirewallRule.Directions.Inbound;
                    args.LocalAddress  = Address(EventProperties.DestAddress);
                    args.LocalPort     = Port(EventProperties.DestPort);
                    args.RemoteAddress = Address(EventProperties.SourceAddress);
                    args.RemotePort    = Port(EventProperties.SourcePort);
                }
                else if (direction == "%%14593")
                {
                    args.Direction     = FirewallRule.Directions.Outbound;
                    args.LocalAddress  = Address(EventProperties.SourceAddress);
                    args.LocalPort     = Port(EventProperties.SourcePort);
                    args.RemoteAddress = Address(EventProperties.DestAddress);
                    args.RemotePort    = Port(EventProperties.DestPort);
                }
                else
                {
                    return(null); // todo log error
                }

                // Fall back to the current time only when the record carries no creation time.
                args.TimeStamp = record.TimeCreated ?? DateTime.Now;

                // for debug only
                //if(!FirewallRule.MatchAddress(args.RemoteAddress, "LocalSubnet") && !NetFunc.IsMultiCast(args.RemoteAddress))
                //    AppLog.Debug("Firewall Event: {0}({1}) -> {2}", args.ProcessFileName, args.ProcessId, args.RemoteAddress);

                return(args);
            }
            catch (Exception err)
            {
                // Any malformed record is logged and skipped; the reader keeps going.
                AppLog.Exception(err);
            }
            return(null);
        }