private Dictionary <int, PruneProcessInstance> ParseWhitelist()
{
Dictionary <int, PruneProcessInstance> newInstances = new Dictionary <int, PruneProcessInstance>();
FileConfiguration whitelistFile = new FileConfiguration(ConfigPath, WhitelistPath);
GpoConfiguration whitelistGPO = new GpoConfiguration();
//Module Only Syntax = 0
//Process and Module Syntax = 1
//Process Only Syntax = 2
int whitelistSyntax = whitelistGPO.WhitelistSupportEnabled();
String[] lines;
if (whitelistSyntax != -1)
{
lines = whitelistGPO.ReadWhitelist();
if (lines == null || lines.Length < 1)
{
lines = whitelistFile.ReadWhitelist();
}
}
else
{
lines = whitelistFile.ReadWhitelist();
}
try
{
//A dictionary so we know which of the currently monitored processes are in the whitelist
Dictionary <string, bool> programFoundInWhitelist = new Dictionary <string, bool>();
//initialize all members of the list to false
foreach (string value in _processIdToWhitelistEntry.Values)
{
if (!programFoundInWhitelist.ContainsKey(value))
{
programFoundInWhitelist.Add(value, false);
}
}
Process[] runningProcesses = Process.GetProcesses(".");
//look at each line of the whitelist
foreach (string line in lines)
{
if (!string.IsNullOrWhiteSpace(line))
{
//remove starting and ending whitespace
string processName = line.Trim();
//the idle and system "processes" should not be monitored, so if they are included they get skipped
if (processName.Equals("0") || processName.Equals("4") ||
processName.Equals("idle", StringComparison.OrdinalIgnoreCase) ||
processName.Equals("system", StringComparison.OrdinalIgnoreCase))
{
PruneEvents.PRUNE_EVENT_PROVIDER.EventWriteDISALLOWED_PROCESS_EVENT();
continue;
}
//if the line isn't a comment
if (processName.ToCharArray()[0] != '#')
{
if ((processName.Contains("module=") || processName.Contains("Module=")) && whitelistSyntax != 2)
{
//Split 'module=' off, then trim white space
string moduleName = processName.Split('.')[0].Trim(); //module=test.dll -> module=test
string moduleFileTemp = processName.Split('=')[1].Trim(); //module=test.dll -> test.dll
string moduleFile = null;
string moduleProcess = null;
if (moduleFileTemp.Contains(","))
{
string[] moduleTempSplit = moduleFileTemp.Split(','); //module=test.dll,svchost -> test.dll,svchost
moduleFile = moduleTempSplit[0].Trim(); //module=test.dll,svchost -> test.dll
moduleProcess = moduleTempSplit[1].Trim(); //module=test.dll,svchost -> svchost
}
else
{
moduleFile = moduleFileTemp;
}
if (_processIdToWhitelistEntry.ContainsValue(moduleName))
{
programFoundInWhitelist[moduleName] = true;
//TODO: Continue here? If it is already in the list, we can skip this
}
foreach (Process proc in runningProcesses)
{
//ensure we don't already monitor this process and that this process is not the system or idle process
if (proc.Id != 4 && proc.Id != 0 && !_processIdToWhitelistEntry.ContainsKey(proc.Id))
{
if (moduleProcess == null || moduleProcess == proc.ProcessName)
{
try
{
//collect the modules from for the process
List <Prune.Module> moduleList =
Prune.NativeMethods.CollectModules(proc);
foreach (Prune.Module module in moduleList)
{
//Check if this module is the one we are looking for
if (module.ModuleName.Equals(moduleFile, StringComparison.OrdinalIgnoreCase))
{
//It is, so add a new instances and log that it was created
newInstances.Add(proc.Id, new PruneProcessInstance(true,
proc.Id, moduleName, _writeCacheInterval, _logInterval, DirectoryPath));
_processIdToWhitelistEntry.Add(proc.Id, moduleName);
PruneEvents.PRUNE_EVENT_PROVIDER.EventWriteCREATING_INSTANCE_EVENT(moduleName + "_" + proc.Id);
//We don't need to look at the rest of the modules
break;
}
}
} catch (Exception) {
//If we fail to get any modules for some reason, we need to keep going
//We also don't need to report the error, because this will happen any time we try for a protected processes,
// which may be often
continue;
}
}
else
{
}
}
}
}
else if (whitelistSyntax != 0)
{
if (_processIdToWhitelistEntry.ContainsValue(processName))
{
programFoundInWhitelist[processName] = true;
}
string tempProcName;
bool nameIsId = false;
//If the name is all digits, it is treated as an ID
if (processName.All(char.IsDigit))
{
nameIsId = true;
//Get the process name from the ID to ensure there is a process tied to this ID currently active
tempProcName = Prune.GetProcessNameFromProcessId(int.Parse(processName));
if (tempProcName == null)
{
//Could not find a name for the given process ID.
// Assume the process is not active and skip it.
continue;
}
}
else //Otherwise it is treated as a process name
{
tempProcName = processName;
}
//Get all system process objects that have the specified name
Process[] processes = Prune.GetProcessesFromProcessName(tempProcName);
if (processes == null || processes.Length == 0)
{
//Could not find any processes that have the provided name.
// Assume the process is not started and skip it.
continue;
}
if (nameIsId)
{
int procId = int.Parse(processName);
processName = Prune.GetProcessNameFromProcessId(procId);
if (!_processIdToWhitelistEntry.ContainsKey(procId))
{
//Because an ID was provided, use the ID for the new instance
newInstances.Add(procId, new PruneProcessInstance(true, procId, processName,
_writeCacheInterval, _logInterval, DirectoryPath));
_processIdToWhitelistEntry.Add(procId, processName);
PruneEvents.PRUNE_EVENT_PROVIDER.EventWriteCREATING_INSTANCE_EVENT(processName + "_" + procId);
}
}
else
{
//We were given a process name, so we create a Prune instance for each process instances
foreach (Process proc in processes)
{
int procId = proc.Id;
if (!_processIdToWhitelistEntry.ContainsKey(procId))
{
newInstances.Add(procId,
new PruneProcessInstance(true, procId, processName,
_writeCacheInterval, _logInterval, DirectoryPath));
_processIdToWhitelistEntry.Add(procId, processName);
PruneEvents.PRUNE_EVENT_PROVIDER.EventWriteCREATING_INSTANCE_EVENT(processName + "_" + procId);
}
}
}
}
}
}
}
//Loop through to see which Prune instances are tied to processes no longer in the whitelist
foreach (string key in programFoundInWhitelist.Keys)
{
if (!programFoundInWhitelist[key])
{
//Make a copy of the list to iterate over so that we can remove elements from the original list
Dictionary <int, string> tempList = new Dictionary <int, string>(_processIdToWhitelistEntry);
lock (_PruneInstances)
{
//loop through the copied list of all elements that we have Prune instances for that are no longer in the whitelist
foreach (KeyValuePair <int, string> entry in tempList)
{
if (entry.Value == key)
{
//call the finish monitoring method to wrap everything up
_PruneInstances[entry.Key].FinishMonitoring();
//Remove the process from the list of processes monitored by ETW
Prune.RemoveEtwCounter(entry.Key);
//remove it form the active Prune instances
_PruneInstances.Remove(entry.Key);
//remove it from the active whitelist entries
_processIdToWhitelistEntry.Remove(entry.Key);
}
}
}
}
}
}
catch (Exception e)
{
Prune.HandleError(true, 1, "Error while parsing the whitelist\n" + e.Message);
}
return(newInstances);
}
//Read the config settings and parse the values it contains
private void ReadConfigSettings()
{
FileConfiguration configFile = new FileConfiguration(ConfigPath, WhitelistPath);
GpoConfiguration configGPO = new GpoConfiguration();
//Retrieve the configuration objects
ServiceConfiguration fileConfig = configFile.ReadConfiguration();
ServiceConfiguration gpoConfig = configGPO.ReadConfiguration();
_logInterval = fileConfig.CalculateStatisticsInterval;
_writeCacheInterval = fileConfig.WriteCacheToFileInterval;
_monitorInterval = fileConfig.DataRecordingInterval;
_whitelistCheckInterval = fileConfig.WhitelistCheckInterval;
_configCheckInterval = fileConfig.ConfigCheckInterval;
//Check if Gropu Policy is configured
if (gpoConfig != null)
{
//GP setting overrides local config file setting
//CalculateStatisticsInterval
if (gpoConfig.CalculateStatisticsInterval != 0)
{
_logInterval = gpoConfig.CalculateStatisticsInterval;
}
//WriteCacheToFileInterval
if (gpoConfig.WriteCacheToFileInterval != 0)
{
_writeCacheInterval = gpoConfig.WriteCacheToFileInterval;
}
//DataRecordingInterval
if (gpoConfig.DataRecordingInterval != 0)
{
_monitorInterval = gpoConfig.DataRecordingInterval;
}
//WhitelistCheckInterval
if (gpoConfig.WhitelistCheckInterval != 0)
{
_whitelistCheckInterval = gpoConfig.WhitelistCheckInterval;
}
//ConfigCheckInterval
if (gpoConfig.ConfigCheckInterval != 0)
{
_configCheckInterval = gpoConfig.ConfigCheckInterval;
}
}
//Bounds checking on input to ensure everything is a valid input
// If something does equal 0, then we set it to the default time
if (_logInterval == 0)
{
_logInterval = 86400;
}
if (_writeCacheInterval == 0)
{
_writeCacheInterval = 3600;
}
if (_monitorInterval == 0)
{
_monitorInterval = 1;
}
try
{
_monitorTimer.Interval = _monitorInterval * 1000;
_whitelistTimer.Interval = _whitelistCheckInterval * 1000;
_configTimer.Interval = _configCheckInterval * 1000;
_logTimer.Interval = 86400 * 1000;
}
catch (Exception e)
{
Prune.HandleError(true, 1, "Error setting timer interval times from the configuration file input\n" + e.Message);
}
}
