private void AuditObjectRequestHandle(ref Rec rec, AuditLogonEnv env, string logonId, string username, string userSid, string handleId, string processId, string processName, string objectName, string accessMask, ref int sentItems)
{
var access = (uint)GetPid(accessMask);
AuditHandle handle;
if (!env.Handles.TryGetValue(handleId, out handle))
{
handle = new AuditHandle()
{
Handle = handleId,
Object = new AuditObject()
};
env.Handles[handleId] = handle;
}
if (!string.IsNullOrEmpty(objectName))
{
var kernel = RegKernelPath.Match(objectName);
if (kernel.Success)
objectName = QueryDosPath(kernel.Groups[1].Value, kernel.Groups[2].Value);
}
handle.Object.LogonId = logonId;
handle.Object.Name = objectName;
handle.Object.Owner = user;
handle.Object.OwnerSid = userSid;
handle.OwnerProcess[processId] = processName;
handle.Object.Handles[handleId] = handle;
handle.AccessType = (AccessMask)access;
try
{
AuditHandle lastHandle;
if (env.ProcessLastAudit.TryGetValue(processId, out lastHandle))
{
if (lastHandle.Object.Name == handle.Object.Name)
{
lastHandle.AccessType |= handle.AccessType;
env.Handles.Remove(handle.Handle);
handle = lastHandle;
return;
}
if ((lastHandle.AccessType & AccessMask.Delete) == AccessMask.Delete
&& (handle.AccessType & (AccessMask.WriteOrAddFile | AccessMask.AppendOrAddSubDir)) != AccessMask.None)
{
string customStr2;
if ((handle.AccessType & AccessMask.WriteOrAddFile) == AccessMask.WriteOrAddFile)
customStr2 = "File";
else
customStr2 = "Directory";
env.Handles.Remove(lastHandle.Handle);
int pid = GetPid(processId);
var prevName = lastHandle.Object.Name;
var op = "MOVE";
if (prevName != null)
{
var currName = handle.Object.Name;
if (currName != null)
{
if (!currName.EndsWith("\\"))
currName += "\\";
if (currName.Length < prevName.Length &&
prevName.StartsWith(currName) &&
prevName.IndexOf('\\', currName.Length) < 0)
op = "RENAME";
}
}
SendData(ref rec, op, customStr2, lastHandle.Object.Name, userSid, username, processName,
pid, accessMask, objectName);
sentItems++;
}
}
else if ((handle.AccessType & AccessMask.WriteDac) == AccessMask.WriteDac)
{
int pid = GetPid(processId);
if ((handle.AccessType & FileMask) == FileMask)
{
SendData(ref rec, "NEW", "File", handle.Object.Name, userSid, user, processName, pid, accessMask,
string.Empty);
sentItems++;
}
else if ((handle.AccessType & DirectoryMask) == DirectoryMask)
{
SendData(ref rec, "NEW", "Directory", handle.Object.Name, userSid, user, processName, pid,
accessMask, string.Empty);
sentItems++;
}
}
}
finally
{
env.ProcessLastAudit[processId] = handle;
}
}
private void AuditDuplicateHandle(ref Rec rec, AuditLogonEnv env, string logonId, string user, string userSid, string sourceHandleId, string sourceProcessId, string targetHandleId, string targetProcessId, ref int sentItems)
{
try
{
long pid = GetPid(targetProcessId);
if (pid == 4)
targetProcessId = sourceProcessId;
AuditCloseHandle(ref rec, env, user, userSid, targetHandleId, targetProcessId, string.Empty, ref sentItems, false);
AuditHandle handle;
if (!env.Handles.TryGetValue(sourceHandleId, out handle))
{
handle = new AuditHandle()
{
Handle = sourceHandleId,
Object = new AuditObject() { LogonId = logonId, Owner = user, OwnerSid = userSid }
};
env.Handles[sourceHandleId] = handle;
}
env.Handles[targetHandleId] = handle;
handle.Object.Handles[sourceHandleId] = handle;
handle.Object.Handles[targetHandleId] = handle;
handle.OwnerProcess[sourceProcessId] = sourceProcessId;
if (targetProcessId != sourceProcessId)
handle.OwnerProcess[targetProcessId] = targetProcessId;
}
finally
{
env.ProcessLastAudit.Remove(sourceProcessId);
}
}
