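/// <summary>
/// Converts a raw message delivered by the file-system filter driver into a
/// <see cref="FileEvent"/> suitable for auditing.
/// </summary>
/// <param name="messageSend">
/// The filter message: file name, SID, process id, NTSTATUS, file attributes,
/// transaction time, info class (event type bit-set) and the optional data buffer
/// (for renames, the UTF-16 target name).
/// </param>
/// <returns>
/// The decoded event; <c>null</c> when the event type is <c>NONE</c> or when decoding
/// threw. Failures are logged via <c>EventManager.WriteMessage</c> and the message is
/// dropped, so a <c>null</c> return from a non-NONE message means a lost audit record.
/// </returns>
FileEvent DecodeFilterMessage(FilterAPI.MessageSendData messageSend)
{
    try
    {
        string fileName = messageSend.FileName;
        string description = string.Empty;
        FileAttributes fileAttributes = (FileAttributes)messageSend.FileAttributes;

        // NOTE(review): DateTime.FromFileTime returns local time. If these events feed
        // a SIEM or cross-host correlation, FromFileTimeUtc is the safer choice; kept
        // as-is here so existing consumers see unchanged timestamps.
        DateTime timestamp = DateTime.FromFileTime(messageSend.TransactionTime);

        // Only STATUS_SUCCESS counts as success; every other NTSTATUS is reported as FAILURE.
        FileEventResult result = (messageSend.Status == (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS)
            ? FileEventResult.SUCCESS
            : FileEventResult.FAILURE;

        string userName;
        string processName;
        FilterAPI.DecodeUserName(messageSend.Sid, out userName);
        FilterAPI.DecodeProcessName(messageSend.ProcessId, out processName);

        FilterAPI.EVENTTYPE eventType = (FilterAPI.EVENTTYPE)messageSend.InfoClass;

        if ((eventType & FilterAPI.EVENTTYPE.RENAMED) == FilterAPI.EVENTTYPE.RENAMED)
        {
            // The rename target arrives as a UTF-16 buffer that is normally NUL-terminated,
            // possibly followed by stale bytes. The old code called
            // Substring(0, IndexOf('\0')) unconditionally; when no terminator was present
            // IndexOf returned -1, Substring threw, and the rename event was silently
            // dropped by the catch below. Trim only when a terminator exists, and tolerate
            // a missing buffer instead of throwing on GetString(null).
            string newName = messageSend.DataBuffer == null
                ? string.Empty
                : Encoding.Unicode.GetString(messageSend.DataBuffer);
            int terminator = newName.IndexOf('\0');
            if (terminator >= 0)
            {
                newName = newName.Substring(0, terminator);
            }
            description = "file was renamed to " + newName;
        }

        if (eventType != FilterAPI.EVENTTYPE.NONE)
        {
            FileEvent fileEvent = new FileEvent();
            fileEvent.User = userName;
            fileEvent.Process = processName;
            fileEvent.Resource = fileName;
            fileEvent.Result = result;
            fileEvent.Timestamp = timestamp;
            fileEvent.Type = eventType;
            fileEvent.Description = description;
            fileEvent.Attributes = fileAttributes;
            return (fileEvent);
        }
    }
    catch (Exception ex)
    {
        // Best-effort: log and drop rather than let one malformed message stop the
        // consumer loop. Callers must treat null as "event lost", not "nothing happened".
        EventManager.WriteMessage(296, "DecodeFilterMessage", EventLevel.Error, "Decode filter message failed because of error:" + ex.Message);
    }

    return (null);
}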
/// <summary>
/// Builds a fully populated <see cref="FileEvent"/> in a single call.
/// </summary>
/// <param name="_user">Account name the event is attributed to.</param>
/// <param name="_process">Name of the process that issued the I/O.</param>
/// <param name="_fileName">Path of the file the event refers to (stored as the resource).</param>
/// <param name="_fileAttributes">File attributes reported with the event.</param>
/// <param name="_type">Event type bit-set from the filter.</param>
/// <param name="_timestamp">When the operation took place.</param>
/// <param name="_result">Whether the operation succeeded or failed.</param>
/// <param name="_description">Free-text detail (for example the rename target).</param>
public FileEvent(string _user, string _process, string _fileName, FileAttributes _fileAttributes, FilterAPI.EVENTTYPE _type, DateTime _timestamp, FileEventResult _result, string _description)
{
    // Plain field initialisation, no validation or normalisation: anything passed in
    // (including null strings) is stored verbatim, so sanitise before constructing
    // if the values will be rendered or logged.
    resource = _fileName;
    user = _user;
    process = _process;
    type = _type;
    fileAttributes = _fileAttributes;
    result = _result;
    timestamp = _timestamp;
    description = _description;
}