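        /// <summary>
        /// Builds one event record from the XML fragment exposed by <paramref name="eventListReader"/>.
        /// </summary>
        /// <param name="eventListReader">
        /// Reader positioned on a single event element; it is loaded into an <see cref="XmlDocument"/> as-is.
        /// DTD processing and external-entity resolution are whatever the caller configured on this reader —
        /// NOTE(review): confirm it is created with DTDs prohibited when the input file is not trusted.
        /// </param>
        /// <exception cref="InvalidOperationException">
        /// The event omits its integrity level or virtualization flag and no process with the event's PID is
        /// known, so there is no value to inherit.
        /// </exception>
        internal PMLEvent(XmlReader eventListReader)
        {
            var eventXMLDoc = new XmlDocument();
            eventXMLDoc.Load(eventListReader);

            ProcessIndex = XMLUtils.ParseTagContentAsInt(eventXMLDoc, ProcMonXMLTagNames.Event_ProcessIndex);
            TimeOfDay    = XMLUtils.ParseTagContentAsFileTime(eventXMLDoc, ProcMonXMLTagNames.Event_TimeOfDay);

            var procName = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Process_Name);
            ProcessNameIndex = ProcessNameList.AddProcessNameToList(procName);

            PID = XMLUtils.ParseTagContentAsInt(eventXMLDoc, ProcMonXMLTagNames.Event_PID);
            TID = XMLUtils.ParseTagContentAsInt(eventXMLDoc, ProcMonXMLTagNames.Event_TID);

            // The owning process only supplies defaults for per-event fields the XML omits, so it is
            // dereferenced lazily: an unknown PID is harmless while the event carries its own values.
            // NOTE(review): assumes FindProcessByPID returns a reference type and null on a miss — confirm.
            var proc = ConvertedXMLProcessor.FindProcessByPID(PID);

            var integrityText = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Integrity);
            if (string.IsNullOrEmpty(integrityText))
            {
                if (proc is null)
                {
                    throw new InvalidOperationException($"Event has no integrity level and no process with PID {PID} is known.");
                }
                Integrity = proc.ProcessIntegrity;
            }
            else
            {
                Integrity = integrityText.ToProcessIntegrityLevel();
            }

            Sequence = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Sequence);

            var virtualizedText = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Virtualized);
            if (string.IsNullOrEmpty(virtualizedText))
            {
                if (proc is null)
                {
                    throw new InvalidOperationException($"Event has no virtualization flag and no process with PID {PID} is known.");
                }
                Virtualized = proc.IsVirtualized;
            }
            else
            {
                Virtualized = virtualizedText.StringToBoolean();
            }

            Operation = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Operation);
            // Paths are interned through FilePathList; only the index is kept on the event.
            pathIndex = FilePathList.AddFilePathToList(XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Path));
            Result    = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Result);
            Detail    = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Detail);
            CallStack = PMLStackFrame.LoadStackFrames(eventXMLDoc);
#if DEBUG
            // Debug-only trace of the parsed frames; compiled out of release builds.
            Console.WriteLine("Stack:\n-------------------------------------------------------------");
            foreach (var stackFrame in CallStack)
            {
                Console.WriteLine(stackFrame);
            }
            Console.WriteLine("-------------------------------------------------------------\n");
#endif
        }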
 /// <summary>
 /// Creates a stack frame at <paramref name="address"/>. A null, empty or whitespace
 /// <paramref name="path"/> or <paramref name="location"/> is tolerated and replaced by
 /// <c>UnknownStringValue</c> instead of being rejected.
 /// </summary>
 private PMLStackFrame(long address, string path, string location)
 {
     // Earlier revisions threw ArgumentException here; blank values are now mapped to the sentinel.
     var framePath   = string.IsNullOrWhiteSpace(path) ? UnknownStringValue : path;
     var frameSymbol = string.IsNullOrWhiteSpace(location) ? UnknownStringValue : location;

     Address   = address;
     // The path is interned via FilePathList; the frame stores only its index.
     pathIndex = FilePathList.AddFilePathToList(framePath);
     Location  = frameSymbol;
 }
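        /// <summary>
        /// Creates a loaded-module record. Blank <paramref name="version"/>, <paramref name="company"/> and
        /// <paramref name="description"/> values are normalised to <c>PMLModule.UnknownValue</c>; the path is mandatory.
        /// </summary>
        /// <param name="timeStamp">Time the module was loaded.</param>
        /// <param name="baseAddress">Load address of the module.</param>
        /// <param name="size">Size of the module in bytes, as used by <c>NumberUtils.FormatNumberAsFileSize</c>.</param>
        /// <param name="path">On-disk path of the module; interned through <c>FilePathList</c>.</param>
        /// <exception cref="ArgumentException"><paramref name="path"/> is null, empty or whitespace.</exception>
        private PMLModule(DateTime timeStamp, long baseAddress, long size, string path, string version, string company, string description)
        {
            if (string.IsNullOrWhiteSpace(path))
            {
                throw new ArgumentException("A module's path cannot be null or empty.", nameof(path));
            }

            TimeStamp   = timeStamp;
            BaseAddress = baseAddress;
            Size        = size;
            pathIndex   = FilePathList.AddFilePathToList(path);
            Version     = OrUnknown(version);
            Company     = OrUnknown(company);
            Description = OrUnknown(description);

            // Pre-rendered one-line description used by the module's string representation.
            // NOTE(review): TimeStamp is formatted with the current culture; pass CultureInfo.InvariantCulture
            // if this summary is ever parsed or compared rather than displayed.
            summary =
#if DEBUG
                "[PMLModule]:\n" +
#endif
                string.Format("Module - [{0}] [Version = {1};  Size {2}], located at \"{3}\", from [{4}], was loaded at [{5}] into address 0x{6}.",
                              Description, Version, NumberUtils.FormatNumberAsFileSize(Size), Path,
                              Company, TimeStamp, NumberUtils.LongToHexString(BaseAddress));

            // Maps a blank metadata field to the shared sentinel so consumers never see null or empty.
            string OrUnknown(string value)
            {
                return string.IsNullOrWhiteSpace(value) ? PMLModule.UnknownValue : value;
            }
        }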