/// <inheritdoc/>
/// <remarks>
/// Every reported path is kept verbatim in <c>m_allFileAccessPaths</c>. It is additionally kept in
/// <c>m_fileAccessPaths</c> when it can be turned into an <see cref="AbsolutePath"/>, so a path that
/// fails to parse is only visible through the raw collection.
/// </remarks>
public override void HandleFileAccess(FileAccessData fileAccessData)
{
    // Parsing is attempted first; a failure is not an error here, the path is simply left out of the typed set.
    bool isAbsolute = AbsolutePath.TryCreate(m_pathTable, fileAccessData.Path, out AbsolutePath parsedPath);
    if (isAbsolute)
    {
        m_fileAccessPaths.Add(parsedPath);
    }

    // The raw string is recorded unconditionally, exactly as it was reported.
    m_allFileAccessPaths.Add(fileAccessData.Path);
}
/// <summary>
/// Asserts that every expected correlation is present among the correlated file operations recorded so far.
/// </summary>
/// <remarks>
/// The check fails up front when no correlated operations were recorded at all, listing every reported access.
/// For each expected entry, the first recorded pair with a member matching the expected file and operation
/// is selected; the other member of that pair must then match the expected correlated file and operation.
/// </remarks>
/// <param name="correlationsToVerify">Expected correlations to look for.</param>
public void VerifyCorrelation(params VerifiedCorrelation[] correlationsToVerify)
{
    if (!HasCorrelatedFileOperations)
    {
        // Dump everything that was reported so the failure shows which ids and correlation ids arrived.
        var reportedLines = m_reportedFileAccesses.Select(
            reported => $"'{reported.Value.Path}' ({reported.Value.Operation}) id: {reported.Value.Id}, correlation id: {reported.Value.CorrelationId}");
        string allReportedOperations = string.Join(Environment.NewLine, reportedLines);

        XAssert.Fail($"No correlated file accesses are found. Reported file accesses are {Environment.NewLine}{allReportedOperations}");
    }

    foreach (var expected in correlationsToVerify)
    {
        bool matched = false;

        foreach (var pair in m_correlatedFileOperations)
        {
            // The expected access may sit on either side of the recorded pair; the counterpart is the other side.
            FileAccessData counterpart;

            if (OperatingSystemHelper.PathComparer.Equals(expected.File, pair.Item1.Path)
                && expected.Operation == pair.Item1.Operation)
            {
                counterpart = pair.Item2;
            }
            else if (OperatingSystemHelper.PathComparer.Equals(expected.File, pair.Item2.Path)
                && expected.Operation == pair.Item2.Operation)
            {
                counterpart = pair.Item1;
            }
            else
            {
                continue;
            }

            matched = true;

            // To normalize the path from Nt prefixes.
            string otherPath = AbsolutePath.Create(m_pathTable, counterpart.Path).ToString(m_pathTable);

            XAssert.IsTrue(
                OperatingSystemHelper.PathComparer.Equals(expected.CorrelatedFile, otherPath),
                $"Mismatched correlated file for '{expected.File}' ({expected.Operation}) {Environment.NewLine}Expected: '{expected.CorrelatedFile}'. Actual: '{otherPath}'");

            // Note: this message prints the counterpart's path as reported, not the normalized form used above.
            XAssert.AreEqual(
                expected.CorrelatedOperation,
                counterpart.Operation,
                $"Mismatched operations for '{expected.File}' ({expected.Operation}) {Environment.NewLine}Expected: '{expected.CorrelatedFile}' ({expected.CorrelatedOperation}). Actual: '{counterpart.Path}' ({counterpart.Operation})");

            // Only the first matching pair is verified.
            break;
        }

        if (matched)
        {
            continue;
        }

        // Nothing matched: list every recorded pair to make the missing correlation easy to diagnose.
        var pairLines = m_correlatedFileOperations.Select(
            c => $"[ '{c.Item1.Path}' ({c.Item1.Operation}), '{c.Item2.Path}' ({c.Item2.Operation}) ]");
        var allCorrelations = string.Join(Environment.NewLine, pairLines);

        XAssert.Fail($"Correlation for '{expected.File}' ({expected.Operation}) not found {Environment.NewLine}{allCorrelations}");
    }
}
/// <summary>
/// Validates the ids carried by a reported file access and records it, together with its correlation if any.
/// </summary>
/// <param name="fileAccessData">The reported file access.</param>
public override void HandleFileAccess(FileAccessData fileAccessData)
{
    // id must exist when report comes from Detours.
    XAssert.AreNotEqual(SandboxedProcessReports.FileAccessNoId, fileAccessData.Id);

    // id must be unique.
    bool isFirstReportForId = m_reportedFileAccesses.TryAdd(fileAccessData.Id, fileAccessData);
    XAssert.IsTrue(isFirstReportForId);

    // Reports without a correlation id need no further bookkeeping.
    if (fileAccessData.CorrelationId == SandboxedProcessReports.FileAccessNoId)
    {
        return;
    }

    // The correlated id must have been reported beforehand.
    bool correlatedWasReported = m_reportedFileAccesses.TryGetValue(fileAccessData.CorrelationId, out var correlatedAccess);
    XAssert.IsTrue(correlatedWasReported);

    // Pair order is (earlier correlated access, current access).
    m_correlatedFileOperations.Enqueue((correlatedAccess, fileAccessData));
}
/// <summary>
/// Called to handle a FileAccess message.
/// </summary>
/// <remarks>
/// The method is abstract, so each derived type decides what to do with the reported access.
/// NOTE(review): whether the reported path is always a well-formed absolute path is not visible from
/// this declaration; confirm before treating it as one.
/// </remarks>
/// <param name="fileAccessData">
/// File access data. Its members used elsewhere in this file include the path, the operation, the id
/// and the correlation id.
/// </param>
public abstract void HandleFileAccess(FileAccessData fileAccessData);