/// <summary>
/// Forwards a registry event belonging to the tracked process to <c>traceOutput</c>,
/// describing it as <c>'key\value' (0xHANDLE)</c>, or just <c>(0xHANDLE)</c> when the
/// event carries neither a key name nor a value name.
/// </summary>
/// <param name="data">Registry event delivered by the kernel parser.</param>
private void HandleRegistryTraceData(RegistryTraceData data)
{
    // Events raised by any other process are dropped; only the tracked pid is written.
    if (data.ProcessID != pid)
    {
        return;
    }

    string keyName = data.KeyName;
    string valueName = data.ValueName;
    ulong handle = data.KeyHandle;
    bool hasKey = !string.IsNullOrEmpty(keyName);
    bool hasValue = !string.IsNullOrEmpty(valueName);

    // "key\value" when both are present, whichever one exists otherwise,
    // and null when neither is (a handle-only event).
    string label = hasKey && hasValue ? $"{keyName}\\{valueName}"
                 : hasKey ? keyName
                 : hasValue ? valueName
                 : null;

    string description = label == null
        ? $"(0x{handle:X})"
        : $"'{label}' (0x{handle:X})";

    traceOutput.Write(data.TimeStampRelativeMSec, data.ProcessID, data.ThreadID, data.EventName, description);
}
/// <summary>
/// Writes a one-line description of a registry event (process, resolved key name,
/// value name), wrapped in <c>{ ... }</c> lines labelled with the calling handler's
/// name when the compiler supplies one via <see cref="CallerMemberNameAttribute"/>.
/// </summary>
/// <param name="registryTraceData">Event to describe.</param>
/// <param name="memberName">Name of the calling handler; when blank, the brace lines are omitted.</param>
private static void Dump(RegistryTraceData registryTraceData, [CallerMemberName] string memberName = null)
{
    // A zero handle means KeyName is already the full path; otherwise the base name
    // cached in kcbDictionary for that handle is prepended, or "..." when the handle
    // was never seen (no KCB create/rundown event for it).
    string ResolveKeyName()
    {
        ulong handle = registryTraceData.KeyHandle;
        if (handle == 0)
        {
            return registryTraceData.KeyName;
        }

        string prefix = kcbDictionary.TryGetValue(handle, out var baseKeyName) ? baseKeyName : "...";
        return $"{prefix}\\{registryTraceData.KeyName}";
    }

    string fullKeyName = ResolveKeyName();
    bool labelled = !string.IsNullOrWhiteSpace(memberName);

    if (labelled)
    {
        Console.WriteLine($"{memberName} {{");
    }

    // NOTE(review): the brace lines go to Console while the payload goes to Out;
    // they only interleave correctly if Out is Console.Out — confirm.
    Out.WriteLine($"\tProcess: {registryTraceData.ProcessName}, Key Name: {fullKeyName}, Value Name: {registryTraceData.ValueName}");

    if (labelled)
    {
        Console.WriteLine("}");
    }
}
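/// <summary>
/// Handles a KCB (key control block) delete event by dropping the handle from the
/// handle-to-key-name cache so a later reuse of the handle value cannot resolve to
/// a stale key path.
/// </summary>
/// <param name="obj">The KCB delete event; only <c>KeyHandle</c> is read.</param>
private static void KernelParser_RegistryKCBDelete(RegistryTraceData obj)
{
    // Remove is a no-op for an absent key, so the former ContainsKey pre-check was a
    // redundant second lookup (and not an atomicity guarantee either).
    kcbDictionary.Remove(obj.KeyHandle);
}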
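/// <summary>
/// Handles a KCB rundown-end event: logs the handle and key name to <c>Out</c>, then
/// drops the handle from the handle-to-key-name cache.
/// </summary>
/// <param name="obj">The rundown-end event; <c>KeyHandle</c> and <c>KeyName</c> are read.</param>
private static void Kernel_RegistryKCBRundownEnd(RegistryTraceData obj)
{
    Out.WriteLine($"RundownEnd {obj.KeyHandle}, {obj.KeyName}");

    // Remove is a no-op for an absent key, so the former ContainsKey pre-check was a
    // redundant second lookup.
    kcbDictionary.Remove(obj.KeyHandle);
}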
/// <summary>
/// Appends one row for a registry event: the shared header columns written by
/// <c>_registryWriter</c>, followed by the key name and then the value name.
/// </summary>
/// <param name="data">Registry event delivered by the kernel parser.</param>
public void LogEvent(RegistryTraceData data)
{
    var row = new LogRow();
    _registryWriter.WriteHeader(data, row);

    // Column order matters: key name first, value name second.
    foreach (string column in new[] { data.KeyName, data.ValueName })
    {
        row.Add(column);
    }

    _registryWriter.WriteRow(row);
}
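/// <summary>
/// Prints the registry event to the console using the event's own <c>ToString</c>.
/// </summary>
/// <param name="evt">Registry event delivered by the kernel parser.</param>
/// <remarks>
/// A commented-out CSV formatter (timestamp, event name, process path, key name, pid)
/// that referenced helpers not defined here was removed as dead code; revive it from
/// history if a structured line format is wanted.
/// </remarks>
private static void processEvent(RegistryTraceData evt)
{
    Console.WriteLine(evt);
}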
/// <summary>
/// Handles a KCB rundown-begin event: logs the handle and key name to <c>Out</c>, then
/// caches the pair so later events can resolve the handle to a key path. An entry
/// already present for the handle is left untouched (TryAdd).
/// </summary>
/// <param name="obj">The rundown-begin event; <c>KeyHandle</c> and <c>KeyName</c> are read.</param>
private static void Kernel_RegistryKCBRundownBegin(RegistryTraceData obj)
{
    ulong handle = obj.KeyHandle;
    string keyName = obj.KeyName;

    Out.WriteLine($"RundownBegin {handle}, {keyName}");
    kcbDictionary.TryAdd(handle, keyName);
}
/// <summary>
/// Handles a registry set-value event by delegating to <c>Dump</c>, which labels the
/// output with this handler's name.
/// </summary>
/// <param name="obj">The set-value event.</param>
private static void KernelParser_RegistrySetValue(RegistryTraceData obj) => Dump(obj);
/// <summary>
/// Handles a registry key-delete event by delegating to <c>Dump</c>, which labels the
/// output with this handler's name.
/// </summary>
/// <param name="obj">The delete event.</param>
private static void KernelParser_RegistryDelete(RegistryTraceData obj) => Dump(obj);
/// <summary>
/// Handles a KCB create event by caching the handle → key name pair used to resolve
/// later events. An entry already present for the handle is kept (TryAdd).
/// </summary>
/// <param name="obj">The KCB create event; <c>KeyHandle</c> and <c>KeyName</c> are read.</param>
private static void KernelParser_RegistryKCBCreate(RegistryTraceData obj) => kcbDictionary.TryAdd(obj.KeyHandle, obj.KeyName);
/// <summary>
/// Raises <c>RegistryTrace</c> for a key-create event, handing subscribers a clone of
/// the event rather than the instance the parser delivered.
/// </summary>
/// <param name="obj">The create event as delivered by the parser.</param>
private void OnRegistryCreate(RegistryTraceData obj)
{
    var handler = RegistryTrace;
    if (handler == null)
    {
        return;
    }

    // Cloned before publishing — presumably because the parser reuses event
    // instances after the callback returns; confirm against the parser's contract.
    var snapshot = (RegistryTraceData)obj.Clone();
    handler.Invoke(snapshot, EventType.RegistryCreateKey);
}
/// <summary>
/// Prints a registry-create event to the console as a single tab-separated line
/// (the labels are Turkish: "Registry operasyonu" = registry operation, "Key adı" = key name).
/// </summary>
/// <param name="rData">The create event; process name, key name and value name are read.</param>
private static void _regCreate(RegistryTraceData rData)
{
    const string Format = "Registry operasyonu:\tProcessName: {0}\tKey adı: {1}\tValueName: {2}";
    object[] args = { rData.ProcessName, rData.KeyName, rData.ValueName };
    Console.WriteLine(Format, args);
}