internal PMLProcess(XmlReader processListReader)
{
XmlDocument processXMLDoc = new XmlDocument();
processXMLDoc.Load(processListReader);
string tempString = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_Owner);
// Actual object creation i.e., assigning values to members
ProcessId = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ProcessId);
ParentProcessId = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ParentProcessId);
ProcessIndex = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ProcessIndex);
ParentProcessIndex = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ParentProcessIndex);
AuthenticationId = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_AuthenticationId);
CreateTime = XMLUtils.ParseTagContentAsFileTime(processXMLDoc, ProcMonXMLTagNames.Process_CreateTime);
FinishTime = XMLUtils.ParseTagContentAsFileTime(processXMLDoc, ProcMonXMLTagNames.Process_FinishTime);
IsVirtualized = XMLUtils.ParseTagContentAsBoolean(processXMLDoc, ProcMonXMLTagNames.Process_IsVirtualized);
Is64bit = XMLUtils.ParseTagContentAsBoolean(processXMLDoc, ProcMonXMLTagNames.Process_Is64bit);
ProcessIntegrity = ProcessIntegrityLevelExtensions.ToProcessIntegrityLevel(XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_Integrity));
OwnerIndex = OwnerList.AddOwnerToList(tempString);
ProcessNameIndex = ProcessNameList.AddProcessNameToList(XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_ProcessName));
CommandLine = (XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_CommandLine)).HTMLUnEscape().Trim();
LoadedModuleList = PMLModule.LoadModules(processXMLDoc);
var image = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_ImagePath);
ImageIndex = ModuleList.LocateInOrAddToModuleList(image);
StringBuilder buffer = new StringBuilder(string.Format(
"{0}{1} Process - {2} [{3}] with ID = {4} was created at {5} with {6} integrity, which loaded {7} modules, as a child of {8} by {9}",
(IsVirtualized ? "Virtualized " : ""),
(Is64bit ? "64-Bit" : "32-Bit"),
ProcessNameList.GetProcessName(ProcessNameIndex),
ModuleList.GetModuleDescription(ImageIndex),
ProcessId,
CreateTime,
ProcessIntegrity,
LoadedModuleList.Count,
ParentProcessId,
OwnerList.GetOwnerName(OwnerIndex)
));
if (!string.IsNullOrWhiteSpace(CommandLine))
{
buffer.AppendFormat(", using the command line {0}", CommandLine);
}
buffer.Append(" ");
if (FinishTime <= CreateTime)
{
buffer.Append("and is running.");
}
else
{
buffer.AppendFormat("and ended at {0}.", FinishTime);
}
summary =
#if DEBUG
"[PMLProcess]:\n" +
#endif
buffer.ToString();
}
internal PMLEvent(XmlReader eventListReader)
{
XmlDocument eventXMLDoc = new XmlDocument();
eventXMLDoc.Load(eventListReader);
ProcessIndex = XMLUtils.ParseTagContentAsInt(eventXMLDoc, ProcMonXMLTagNames.Event_ProcessIndex);
TimeOfDay = XMLUtils.ParseTagContentAsFileTime(eventXMLDoc, ProcMonXMLTagNames.Event_TimeOfDay);
var procName = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Process_Name);
ProcessNameIndex = ProcessNameList.AddProcessNameToList(procName);
PID = XMLUtils.ParseTagContentAsInt(eventXMLDoc, ProcMonXMLTagNames.Event_PID);
TID = XMLUtils.ParseTagContentAsInt(eventXMLDoc, ProcMonXMLTagNames.Event_TID);
var proc = ConvertedXMLProcessor.FindProcessByPID(PID);
var temp = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Integrity);
if (string.IsNullOrEmpty(temp))
{
Integrity = proc.ProcessIntegrity;
}
else
{
Integrity = temp.ToProcessIntegrityLevel();
}
Sequence = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Sequence);
temp = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Virtualized);
if (string.IsNullOrEmpty(temp))
{
Virtualized = proc.IsVirtualized;
}
else
{
Virtualized = temp.StringToBoolean();
}
//Virtualized = XMLUtils.ParseTagContentAsBoolean(eventXMLDoc, ProcMonXMLTagNames.Event_Virtualized);
Operation = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Operation);
pathIndex = FilePathList.AddFilePathToList(XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Path));
Result = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Result);
Detail = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Detail);
CallStack = PMLStackFrame.LoadStackFrames(eventXMLDoc);
#if DEBUG
Console.WriteLine("Stack:\n-------------------------------------------------------------");
foreach (var stackFrame in CallStack)
{
Console.WriteLine(stackFrame);
}
Console.WriteLine("-------------------------------------------------------------\n");
#endif
}
public override bool Matches(IPMLEntity pmlEntity)
{
var evt = pmlEntity as PMLEvent;
var proc = ConvertedXMLProcessor.FindProcessByPID(evt.PID);
var actualValue = string.Empty;
switch (PropertyName)
{
case "ProcessName":
actualValue = ProcessNameList.GetProcessName(proc.ProcessNameIndex);
break;
case "ImagePath":
actualValue = ModuleList.GetModulePath(proc.ImageIndex);
break;
case "FinishTime":
if (proc.FinishTime == DateTimeZero)
{
actualValue = "0";
}
else
{
actualValue = proc.FinishTime.ToString();
}
break;
case "Modules":
if (FilterOperator != FilterOperators.Contains)
{
throw new Exception(string.Format("Filter Operator {0} is invalid when PropertyName is \"Modules\"", FilterOperator.ToString()));
}
var sbModules = new StringBuilder();
foreach (var i in proc.LoadedModuleList)
{
sbModules.Append(ModuleList.GetModulePath(i)).Append(Environment.NewLine);
}
actualValue = sbModules.ToString();
break;
case "":
throw new Exception("PropertyName cannot be empty.");
default:
throw new Exception(string.Format("Unidentified PropertyName {0}.", PropertyName));
}
return(CompareStringValuesAsPerFilterOperator(actualValue, this));
}
public override string ToString()
{
return
(#if DEBUG
"[PMLEvent]:\n" +
#endif
string.Format("Thread {0} of Process {1} [PID: {2}] performed {3} at {4} on {5} and result was {6}.{7}Details:{8}{7}",
TID,
ProcessNameList.GetProcessName(ProcessNameIndex),
PID,
Operation,
TimeOfDay,
Path,
Result,
Environment.NewLine,
Detail));
}
private static void SortCollection()
{
ProcessNameList.Clear();
ProcessNameList.AddRange(Processes.Select(x => x.ProcessName).ToList());
ProcessNameList.Sort();
string currentProcessName = String.Empty;
int processNameOccurance = 0;
for (int i = 0; i < ProcessNameList.Count; i++)
{
if (ProcessNameList[i] == currentProcessName)
{
processNameOccurance++;
}
else
{
currentProcessName = ProcessNameList[i];
processNameOccurance = 0;
}
ObservableProcess observableProcess = Processes.Where(x => x.ProcessName == ProcessNameList[i]).ToArray()[processNameOccurance];
Processes.Move(Processes.IndexOf(observableProcess), i);
}
}
