        public void when_values_differ_in_case_iequals_should_match()
        {
            // IEquals is the case-insensitive equality predicate, so "Test" and "TEST"
            // are expected to compare equal.
            var eventData = "Test";
            var lookup    = "TEST";

            var record = PowerShellEvent.CreateRecord(eventData, String.Empty, String.Empty);
            var caseInsensitiveEquals = UnicodeString.IEquals(PowerShellEvent.UserData, lookup);

            Assert.IsTrue(caseInsensitiveEquals.Test(record));
        }
        public void when_values_are_same_is_should_match()
        {
            // Is is the exact-match predicate; a value identical to the user data must match.
            var eventData = "Test";

            var record     = PowerShellEvent.CreateRecord(eventData, String.Empty, String.Empty);
            var exactMatch = UnicodeString.Is(PowerShellEvent.UserData, eventData);

            Assert.IsTrue(exactMatch.Test(record));
        }
        public void when_data_contains_query_contains_should_match()
        {
            // Contains must accept a query that appears as a substring of the user data.
            var eventData = "Foo Bar Baz";
            var needle    = "Bar";

            var record   = PowerShellEvent.CreateRecord(eventData, String.Empty, String.Empty);
            var contains = UnicodeString.Contains(PowerShellEvent.UserData, needle);

            Assert.IsTrue(contains.Test(record));
        }
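        public void when_values_differ_other_than_case_iequals_should_not_match()
        {
            // The method name describes IEquals, but the body previously built an Is
            // predicate, so the case-insensitive comparison was never exercised here.
            // Build IEquals so this test really checks that a value differing in more
            // than case ("Test" vs "Foobar") is rejected by the case-insensitive match.
            var data      = "Test";
            var query     = "Foobar";
            var record    = PowerShellEvent.CreateRecord(data, String.Empty, String.Empty);
            var predicate = UnicodeString.IEquals(PowerShellEvent.UserData, query);

            Assert.IsFalse(predicate.Test(record));
        }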
        public void when_data_contains_query_but_differs_in_case_contains_should_not_match()
        {
            // Contains is case-sensitive: "BAR" is not a substring of "Foo Bar Baz".
            var eventData = "Foo Bar Baz";
            var needle    = "BAR";

            var record   = PowerShellEvent.CreateRecord(eventData, String.Empty, String.Empty);
            var contains = UnicodeString.Contains(PowerShellEvent.UserData, needle);

            Assert.IsFalse(contains.Test(record));
        }
        public void when_data_does_not_start_with_query_istartswith_should_not_match()
        {
            // IStartsWith is anchored at the start of the value; a query found only in
            // the middle of the user data must not match.
            var eventData = "Foo Bar Baz";
            var prefix    = "Bar";

            var record     = PowerShellEvent.CreateRecord(eventData, String.Empty, String.Empty);
            var startsWith = UnicodeString.IStartsWith(PowerShellEvent.UserData, prefix);

            Assert.IsFalse(startsWith.Test(record));
        }
        public void when_data_starts_with_query_but_differs_in_case_istartswith_should_match()
        {
            // IStartsWith ignores case, so "FOO" must match the leading "Foo".
            var eventData = "Foo Bar Baz";
            var prefix    = "FOO";

            var record     = PowerShellEvent.CreateRecord(eventData, String.Empty, String.Empty);
            var startsWith = UnicodeString.IStartsWith(PowerShellEvent.UserData, prefix);

            Assert.IsTrue(startsWith.Test(record));
        }
        public void not_operator_predicate_should_not_match_if_predicate_true()
        {
            var eventData = "Test";
            var record    = PowerShellEvent.CreateRecord(eventData, String.Empty, String.Empty);

            // Start from a predicate that is true for the record, then negate it
            // through the operator method; the negation must reject the record.
            var matches = UnicodeString.Is(PowerShellEvent.UserData, eventData);
            var negated = matches.op_LogicalNot();

            Assert.IsFalse(negated.Test(record));
        }
        public void or_operator_predicate_should_match_if_either_predicate_false()
        {
            // NOTE(review): the method name says "either predicate false", but what the
            // body checks is that Or matches when one operand is true and the other is
            // false; the name is misleading.
            var eventData = "Test";
            var record    = PowerShellEvent.CreateRecord(eventData, String.Empty, String.Empty);

            var matching    = UnicodeString.Is(PowerShellEvent.UserData, eventData);
            var nonMatching = UnicodeString.Is(PowerShellEvent.UserData, "Not Found");
            var either      = matching.op_LogicalOr(nonMatching);

            Assert.IsTrue(either.Test(record));
        }
        public void and_predicate_should_match_if_both_predicates_true()
        {
            var eventData = "Test";
            var record    = PowerShellEvent.CreateRecord(eventData, String.Empty, String.Empty);

            // Two exact-match predicates that are both true for the record.
            var first  = UnicodeString.Is(PowerShellEvent.UserData, eventData);
            var second = UnicodeString.Is(PowerShellEvent.UserData, eventData);
            var both   = first.And(second);

            Assert.IsTrue(both.Test(record));
        }
        public void or_predicate_should_not_match_if_both_predicates_false()
        {
            var eventData = "Test";
            var lookup    = "Not Found";
            var record    = PowerShellEvent.CreateRecord(eventData, String.Empty, String.Empty);

            // Both operands look for a value the record does not carry, so Or must reject it.
            var first  = UnicodeString.Is(PowerShellEvent.UserData, lookup);
            var second = UnicodeString.Is(PowerShellEvent.UserData, lookup);
            var either = first.Or(second);

            Assert.IsFalse(either.Test(record));
        }
        public void it_should_not_raise_OnEvent_for_not_matching_event_filter()
        {
            var eventRaised = false;

            // A filter built from Not(AnyEvent()) rejects everything, so OnEvent must stay silent.
            var filter = new EventFilter(Filter.Not(Filter.AnyEvent()));
            var proxy  = new Proxy(filter);
            filter.OnEvent += e => { eventRaised = true; };

            var record = PowerShellEvent.CreateRecord("user data", "context info", "payload");
            proxy.PushEvent(record);

            Assert.IsFalse(eventRaised, "proxy call raised on event");
        }
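            public void it_should_read_event_id()
            {
                // The assertion lives inside the OnEvent handler, so it only runs if the
                // handler fires; track that it did, otherwise the test passes vacuously.
                var called = false;

                var provider = new Provider(PowerShellEvent.ProviderId);

                provider.OnEvent += e =>
                {
                    called = true;
                    Assert.AreEqual(PowerShellEvent.EventId, e.Id);
                };

                trace.Enable(provider);
                proxy.PushEvent(PowerShellEvent.CreateRecord(
                                    String.Empty, String.Empty, String.Empty));

                Assert.IsTrue(called, "OnEvent was not raised for the pushed record");
            }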
        public void it_should_raise_OnEvent_for_raw_provider_on_user_trace()
        {
            var eventRaised = false;

            var trace = new UserTrace();
            var proxy = new Proxy(trace);

            // A RawProvider enabled on the trace must have its OnEvent raised for a
            // record carrying the matching provider id.
            var provider = new RawProvider(PowerShellEvent.ProviderId);
            provider.OnEvent += e => { eventRaised = true; };
            trace.Enable(provider);

            var record = PowerShellEvent.CreateRecord("user data", "context info", "payload");
            proxy.PushEvent(record);

            Assert.IsTrue(eventRaised, "proxy call raised on event");
        }
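            public void it_should_marshal_user_data()
            {
                var data   = "This is some user data";
                var called = false;

                var provider = new Provider(PowerShellEvent.ProviderId);

                provider.OnEvent += e =>
                {
                    called = true;

                    // The copied user-data bytes are decoded as UTF-16 (Encoding.Unicode)
                    // and must contain the string the record was built from; the copy
                    // must also be exactly UserDataLength bytes long.
                    var bytes = e.CopyUserData();
                    var str   = Encoding.Unicode.GetString(bytes);

                    Assert.IsTrue(str.Contains(data));
                    Assert.AreEqual(e.UserDataLength, bytes.Length);
                };

                trace.Enable(provider);
                proxy.PushEvent(PowerShellEvent.CreateRecord(
                                    data, String.Empty, String.Empty));

                // The assertions above run only inside the handler; without this guard
                // the test would pass silently if OnEvent never fired.
                Assert.IsTrue(called, "OnEvent was not raised for the pushed record");
            }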
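            public void it_should_parse_unicode_strings()
            {
                var data   = "This is some user data";
                var prop   = PowerShellEvent.UserData;
                var called = false;

                var provider = new Provider(PowerShellEvent.ProviderId);

                provider.OnEvent += e =>
                {
                    called = true;

                    // All three accessors (throwing, defaulting, Try-style) must yield the
                    // same string for the UserData property.
                    Assert.AreEqual(data, e.GetUnicodeString(prop));
                    Assert.AreEqual(data, e.GetUnicodeString(prop, String.Empty));

                    string result;
                    Assert.IsTrue(e.TryGetUnicodeString(prop, out result));
                    Assert.AreEqual(data, result);
                };

                trace.Enable(provider);
                proxy.PushEvent(PowerShellEvent.CreateRecord(
                                    data, String.Empty, String.Empty));

                // The assertions above run only inside the handler; without this guard
                // the test would pass silently if OnEvent never fired.
                Assert.IsTrue(called, "OnEvent was not raised for the pushed record");
            }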
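            public void it_should_parse_unicode_strings()
            {
                var data   = "file.exe";
                var prop   = ImageLoadEvent.FileName;
                var called = false;

                var provider = new ImageLoadProvider();

                provider.OnEvent += e =>
                {
                    called = true;

                    // All three accessors (throwing, defaulting, Try-style) must yield the
                    // same string for the FileName property.
                    Assert.AreEqual(data, e.GetUnicodeString(prop));
                    Assert.AreEqual(data, e.GetUnicodeString(prop, String.Empty));

                    string result;
                    Assert.IsTrue(e.TryGetUnicodeString(prop, out result));
                    Assert.AreEqual(data, result);
                };

                trace.Enable(provider);
                // NOTE(review): the provider under test is ImageLoadProvider but the record
                // pushed is built by PowerShellEvent.CreateRecord — confirm this is intended.
                proxy.PushEvent(PowerShellEvent.CreateRecord(
                                    data, String.Empty, String.Empty));

                // The assertions above run only inside the handler; without this guard
                // the test would pass silently if OnEvent never fired.
                Assert.IsTrue(called, "OnEvent was not raised for the pushed record");
            }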
        public void schema_not_found_should_raise_onerror_on_event_filter()
        {
            var eventRaised = false;
            var errorRaised = false;

            var filter = new EventFilter(Filter.AnyEvent());
            var proxy  = new Proxy(filter);

            filter.OnEvent += e => { eventRaised = true; };
            filter.OnError += e => { errorRaised = true; };

            var record = PowerShellEvent.CreateRecord("user data", "context info", "payload");

            // Overwrite the event id so the schema lookup fails; the failure has to
            // surface on OnError rather than being delivered through OnEvent.
            record.Id = (ushort)1234;

            proxy.PushEvent(record);

            Assert.IsFalse(eventRaised, "schema not found raised OnEvent");
            Assert.IsTrue(errorRaised, "schema not found raised OnError");
        }
        public void schema_not_found_should_raise_onerror_on_user_trace()
        {
            var eventRaised = false;
            var errorRaised = false;

            var trace = new UserTrace();
            var proxy = new Proxy(trace);

            var provider = new Provider(PowerShellEvent.ProviderId);
            provider.OnEvent += e => { eventRaised = true; };
            provider.OnError += e => { errorRaised = true; };
            trace.Enable(provider);

            var record = PowerShellEvent.CreateRecord("user data", "context info", "payload");

            // Overwrite the event id so the schema lookup fails; the failure has to
            // surface on the provider's OnError rather than on OnEvent.
            record.Id = (ushort)1234;

            proxy.PushEvent(record);

            Assert.IsFalse(eventRaised, "schema not found raised OnEvent");
            Assert.IsTrue(errorRaised, "schema not found raised OnError");
        }