private static string ValueTypeData(VALUE_DATA_TYPE type, int dataSize, byte[] data)
{
string dataStr = string.Empty;
try
{
switch (type)
{
case VALUE_DATA_TYPE.REG_BINARY:
{
//maximum data size to 256;
for (int i = 0; i < 256; i++)
{
if (i >= dataSize)
{
break;
}
dataStr += string.Format("0x{0:x2}", data[i]);
}
break;
}
case VALUE_DATA_TYPE.REG_DWORD:
{
uint value = BitConverter.ToUInt32(data, 0);
dataStr = string.Format("0x{0:x8}({1})", value, value);
break;
}
case VALUE_DATA_TYPE.REG_DWORD_BIG_ENDIAN:
{
//A 4-byte numerical value whose least significant byte is at the highest address
byte leastByte = data[3];
byte secondByte = data[2];
data[3] = data[0];
data[2] = data[1];
data[1] = secondByte;
data[0] = leastByte;
uint value = BitConverter.ToUInt32(data, 0);
dataStr = string.Format("0x{0:x8}({1})", value, value);
break;
}
case VALUE_DATA_TYPE.REG_EXPAND_SZ:
{
//A null-terminated Unicode string, containing unexpanded references to environment variables, such as "%PATH%"
dataStr = Encoding.Unicode.GetString(data, 0, dataSize).Replace("\0", "");
break;
}
case VALUE_DATA_TYPE.REG_MULTI_SZ:
{
//An array of null-terminated strings, terminated by another zero
dataStr = Encoding.Unicode.GetString(data, 0, dataSize).Replace("\0", "");
break;
}
case VALUE_DATA_TYPE.REG_SZ:
{
//A null-terminated Unicode string
dataStr = Encoding.Unicode.GetString(data, 0, dataSize).Replace("\0", "");
break;
}
case VALUE_DATA_TYPE.REG_QWORD:
{
UInt64 value = BitConverter.ToUInt64(data, 0);
dataStr = string.Format("0x{0:x16}({1})", value, value);
break;
}
default: break;
}
}
catch (Exception ex)
{
dataStr = "get data failed:" + ex.Message;
}
return(dataStr);
}
public static string FormatDescription(FilterAPI.MessageSendData messageSend)
{
string descrption = string.Empty;
FilterAPI.RegCallbackClass regCallbackClass = (FilterAPI.RegCallbackClass)messageSend.Offset;
try
{
if (messageSend.Status != (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS)
{
return("");
}
switch (regCallbackClass)
{
case FilterAPI.RegCallbackClass.Reg_Pre_Delete_Key:
case FilterAPI.RegCallbackClass.Reg_Post_Delete_Key:
{
descrption = "registry key is being deleted.";
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Set_Value_Key:
case FilterAPI.RegCallbackClass.Reg_Post_Set_Value_Key:
{
VALUE_DATA_TYPE valueType = (VALUE_DATA_TYPE)messageSend.InfoClass;
descrption = "Type:" + valueType.ToString();
descrption += " Data:" + ValueTypeData(valueType, (int)messageSend.DataBufferLength, messageSend.DataBuffer);
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Delete_Value_Key:
case FilterAPI.RegCallbackClass.Reg_Post_Delete_Value_Key:
{
descrption = "registry key's value is being deleted.";
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_SetInformation_Key:
case FilterAPI.RegCallbackClass.Reg_Post_SetInformation_Key:
{
KEY_SET_INFORMATION_CLASS keySetInformationClass = (KEY_SET_INFORMATION_CLASS)messageSend.InfoClass;
descrption = keySetInformationClass.ToString();
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Rename_Key:
case FilterAPI.RegCallbackClass.Reg_Post_Rename_Key:
{
string newName = Encoding.Unicode.GetString(messageSend.DataBuffer);
descrption = "registry key's name is being changed to " + newName;
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Enumerate_Key:
{
KEY_INFORMATION_CLASS keyInformationClass = (KEY_INFORMATION_CLASS)messageSend.InfoClass;
descrption = keyInformationClass.ToString();
break;
}
case FilterAPI.RegCallbackClass.Reg_Post_Enumerate_Key:
{
KEY_INFORMATION_CLASS keyInformationClass = (KEY_INFORMATION_CLASS)messageSend.InfoClass;
descrption += KeyInformation(keyInformationClass, messageSend.DataBuffer);
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Enumerate_Value_Key:
{
KEY_VALUE_INFORMATION_CLASS keyValuseInformationClass = (KEY_VALUE_INFORMATION_CLASS)messageSend.InfoClass;
descrption = keyValuseInformationClass.ToString();
break;
}
case FilterAPI.RegCallbackClass.Reg_Post_Enumerate_Value_Key:
{
KEY_VALUE_INFORMATION_CLASS keyValuseInformationClass = (KEY_VALUE_INFORMATION_CLASS)messageSend.InfoClass;
descrption += KeyValueInformation(keyValuseInformationClass, messageSend.DataBuffer);
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Query_Key:
{
KEY_INFORMATION_CLASS keyInformationClass = (KEY_INFORMATION_CLASS)messageSend.InfoClass;
descrption = keyInformationClass.ToString();
break;
}
case FilterAPI.RegCallbackClass.Reg_Post_Query_Key:
{
KEY_INFORMATION_CLASS keyInformationClass = (KEY_INFORMATION_CLASS)messageSend.InfoClass;
descrption += KeyInformation(keyInformationClass, messageSend.DataBuffer);
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Query_Value_Key:
{
KEY_VALUE_INFORMATION_CLASS keyValuseInformationClass = (KEY_VALUE_INFORMATION_CLASS)messageSend.InfoClass;
descrption = keyValuseInformationClass.ToString();
break;
}
case FilterAPI.RegCallbackClass.Reg_Post_Query_Value_Key:
{
//for unit test
if (messageSend.FileName.IndexOf("EaseFilter") > 0)
{
//this is our test key.
RegistryUnitTest.postQueryValueKeyPassed = true;
}
KEY_VALUE_INFORMATION_CLASS keyValuseInformationClass = (KEY_VALUE_INFORMATION_CLASS)messageSend.InfoClass;
descrption += KeyValueInformation(keyValuseInformationClass, messageSend.DataBuffer);
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Query_Multiple_Value_Key:
{
break;
}
case FilterAPI.RegCallbackClass.Reg_Post_Query_Multiple_Value_Key:
{
uint entryCount = messageSend.InfoClass;
MemoryStream ms = new MemoryStream(messageSend.DataBuffer);
BinaryReader br = new BinaryReader(ms);
for (int i = 0; i < entryCount && ms.Position < ms.Length; i++)
{
long currentOffset = ms.Position;
int nextEntryOffset = br.ReadInt32();
int valueNameLength = br.ReadInt32();
int dataType = br.ReadInt32();
int dataLength = br.ReadInt32();
byte[] valueName = br.ReadBytes(valueNameLength);
byte[] data = br.ReadBytes(dataLength);
VALUE_DATA_TYPE type = (VALUE_DATA_TYPE)dataType;
descrption += "Name:" + Encoding.Unicode.GetString(valueName, 0, valueNameLength);
descrption += " Type:" + type.ToString();
descrption += " Data:" + ValueTypeData(type, dataLength, data) + Environment.NewLine;
ms.Position = currentOffset + nextEntryOffset;
}
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Create_KeyEx:
case FilterAPI.RegCallbackClass.Reg_Post_Create_KeyEx:
case FilterAPI.RegCallbackClass.Reg_Pre_Open_KeyEx:
case FilterAPI.RegCallbackClass.Reg_Post_Open_KeyEx:
{
descrption += FormatCreateDescription(messageSend);
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Load_Key:
case FilterAPI.RegCallbackClass.Reg_Post_Load_Key:
{
descrption += "SourceFile:" + Encoding.Unicode.GetString(messageSend.DataBuffer, 0, (int)messageSend.DataBufferLength);
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Replace_Key:
case FilterAPI.RegCallbackClass.Reg_Post_Replace_Key:
{
descrption += "NewFileName:" + Encoding.Unicode.GetString(messageSend.DataBuffer, 0, (int)messageSend.DataBufferLength);
break;
}
case FilterAPI.RegCallbackClass.Reg_Pre_Query_KeyName:
case FilterAPI.RegCallbackClass.Reg_Post_Query_KeyName:
{
break;
}
default: descrption = "unsupported registry callback class:" + regCallbackClass.ToString(); break;
}
}
catch (Exception ex)
{
descrption = "Format description failed, return error:" + ex.Message;
}
return(descrption);
}
