/// <inheritdoc/>
public override void HandleFileAccess(FileAccessData fileAccessData)
{
if (AbsolutePath.TryCreate(m_pathTable, fileAccessData.Path, out AbsolutePath absolutePath))
{
m_fileAccessPaths.Add(absolutePath);
}
m_allFileAccessPaths.Add(fileAccessData.Path);
}
public void VerifyCorrelation(params VerifiedCorrelation[] correlationsToVerify)
{
if (!HasCorrelatedFileOperations)
{
string allReportedOperations = string.Join(
Environment.NewLine,
m_reportedFileAccesses.Select(r => $"'{r.Value.Path}' ({r.Value.Operation}) id: {r.Value.Id}, correlation id: {r.Value.CorrelationId}"));
XAssert.Fail($"No correlated file accesses are found. Reported file accesses are {Environment.NewLine}{allReportedOperations}");
}
foreach (var correlationToVerify in correlationsToVerify)
{
bool found = false;
foreach (var correlation in m_correlatedFileOperations)
{
FileAccessData otherAccess = default;
if (OperatingSystemHelper.PathComparer.Equals(correlationToVerify.File, correlation.Item1.Path) &&
correlationToVerify.Operation == correlation.Item1.Operation)
{
found = true;
otherAccess = correlation.Item2;
}
else if (OperatingSystemHelper.PathComparer.Equals(correlationToVerify.File, correlation.Item2.Path) &&
correlationToVerify.Operation == correlation.Item2.Operation)
{
found = true;
otherAccess = correlation.Item1;
}
if (found)
{
string otherPath = AbsolutePath.Create(m_pathTable, otherAccess.Path).ToString(m_pathTable); // To normalize the path from Nt prefixes.
XAssert.IsTrue(
OperatingSystemHelper.PathComparer.Equals(correlationToVerify.CorrelatedFile, otherPath),
$"Mismatched correlated file for '{correlationToVerify.File}' ({correlationToVerify.Operation}) {Environment.NewLine}Expected: '{correlationToVerify.CorrelatedFile}'. Actual: '{otherPath}'");
XAssert.AreEqual(
correlationToVerify.CorrelatedOperation,
otherAccess.Operation,
$"Mismatched operations for '{correlationToVerify.File}' ({correlationToVerify.Operation}) {Environment.NewLine}Expected: '{correlationToVerify.CorrelatedFile}' ({correlationToVerify.CorrelatedOperation}). Actual: '{otherAccess.Path}' ({otherAccess.Operation})");
break;
}
}
if (!found)
{
var allCorrelations = string.Join(
Environment.NewLine,
m_correlatedFileOperations.Select(c => $"[ '{c.Item1.Path}' ({c.Item1.Operation}), '{c.Item2.Path}' ({c.Item2.Operation}) ]"));
XAssert.Fail($"Correlation for '{correlationToVerify.File}' ({correlationToVerify.Operation}) not found {Environment.NewLine}{allCorrelations}");
}
}
}
public override void HandleFileAccess(FileAccessData fileAccessData)
{
// id must exist when report comes from Detours.
XAssert.AreNotEqual(SandboxedProcessReports.FileAccessNoId, fileAccessData.Id);
// id must be unique.
XAssert.IsTrue(m_reportedFileAccesses.TryAdd(fileAccessData.Id, fileAccessData));
if (fileAccessData.CorrelationId != SandboxedProcessReports.FileAccessNoId)
{
// The correlated id must have been reported beforehand.
XAssert.IsTrue(m_reportedFileAccesses.TryGetValue(fileAccessData.CorrelationId, out var correlatedAccess));
m_correlatedFileOperations.Enqueue((correlatedAccess, fileAccessData));
}
}
/// <summary> /// Called to handle FileAccess message. /// </summary> /// <param name="fileAccessData">File access data.</param> public abstract void HandleFileAccess(FileAccessData fileAccessData);
