/// <summary>
/// Persists one process event for an already-known executable to the local database.
/// </summary>
/// <param name="processInfo">Process details captured by the service; pid, parent pid and command line are copied from it.</param>
/// <param name="ExecutableId">Database id of the executable row this event is attached to.</param>
/// <param name="state">The <see cref="ProcessState"/> being recorded; stored as its unsigned integer value.</param>
public static void LogProcessEvent(SRSvc.PROCESS_INFO processInfo, long ExecutableId, ProcessState state)
{
    Log.Info("Saving info for exe {0}", ExecutableId);

    var factory = Database.getSessionFactory();
    // One short-lived session and transaction per event; disposal of either is
    // handled by the stacked using blocks.
    using (var dbSession = factory.OpenSession())
    using (var tx = dbSession.BeginTransaction())
    {
        var entry = new ProcessEvent();
        entry.ExecutableId = ExecutableId;
        entry.Pid = processInfo.pid;
        entry.Ppid = processInfo.ppid;
        entry.CommandLine = processInfo.CommandLine;
        // Timestamps are kept in UTC so rows from different hosts/time zones compare cleanly.
        entry.EventTime = DateTime.UtcNow;
        entry.State = (uint)state;

        dbSession.Save(entry);
        tx.Commit();
    }
}
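/// <summary>
/// Sends a process event to the server. Returns true when the server answered with a
/// non-empty response, false when it could not be reached or reported an error
/// (<see cref="Beacon.PostToServer"/> returned an empty string).
/// </summary>
/// <param name="processEvent">The locally recorded event (time, state, pid/ppid, command line).</param>
/// <param name="executable">The executable the event belongs to; supplies path, hashes and the signed flag.</param>
/// <returns>true if the server accepted the event, otherwise false.</returns>
public static bool PostProcessEvent(ProcessEvent processEvent, Executable executable)
{
    var processEventPost = new ProcessEventPost
    {
        TimeOfEvent = Helpers.ConvertToUnixTime(processEvent.EventTime),
        Type = (int)processEvent.State,
        PID = processEvent.Pid,
        PPID = processEvent.Ppid,
        Path = executable.Path,
        CommandLine = processEvent.CommandLine,
        Md5 = Helpers.ByteArrayToHexString(executable.Md5),
        Sha1 = Helpers.ByteArrayToHexString(executable.Sha1),
        Sha256 = Helpers.ByteArrayToHexString(executable.Sha256),
        // The binary may already be gone from disk by the time the event is posted
        // (short-lived or self-deleting processes); a failed size lookup must not
        // abort the whole report, since the hashes above were captured earlier.
        Size = ReadExecutableSize(executable.Path),
        IsSigned = executable.Signed
    };

    string postMessage = Helpers.SerializeToJson(processEventPost, typeof(ProcessEventPost));
    string response = Beacon.PostToServer(postMessage, "/api/v1/ProcessEvent");
    if (string.IsNullOrEmpty(response))
    {
        // Remote server could not be reached or encountered an error
        return false;
    }

    // The parsed response is not consumed by callers yet; deserializing still
    // verifies that the server returned a well-formed ProcessEventResponse.
    Helpers.DeserializeFromJson(response, typeof(ProcessEventResponse));
    return true;
}

/// <summary>
/// Size in bytes of the file at <paramref name="path"/>, clamped to <see cref="int.MaxValue"/>
/// instead of silently wrapping on an unchecked cast. Returns 0 when the file cannot be
/// inspected (missing, inaccessible, invalid or over-long path).
/// </summary>
/// <param name="path">Full path of the executable to measure.</param>
/// <returns>The clamped file length, or 0 if it could not be determined.</returns>
private static int ReadExecutableSize(string path)
{
    try
    {
        long length = new System.IO.FileInfo(path).Length;
        return length > int.MaxValue ? int.MaxValue : (int)length;
    }
    catch (System.IO.IOException)
    {
        // Covers FileNotFound, DirectoryNotFound and PathTooLong.
        return 0;
    }
    catch (UnauthorizedAccessException)
    {
        return 0;
    }
    catch (ArgumentException)
    {
        // Null, empty or malformed path in the executable record.
        return 0;
    }
}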