コード例 #1
        /// <summary>
        /// Populates the instance name, altitude, volume name and filter name from a
        /// <c>FILTER_INSTANCE_FULL_INFORMATION</c> buffer.
        /// </summary>
        /// <param name="buffer">Buffer whose <c>Result</c> supplies the offset and length of each string.</param>
        internal FilterInstance(SafeStructureInOutBuffer<FILTER_INSTANCE_FULL_INFORMATION> buffer)
        {
            var info = buffer.Result;

            // Every offset/length pair below comes from the buffer contents. Each length is halved
            // before being passed on (presumably byte length -> UTF-16 character count).
            // NOTE(review): bounds checking is left entirely to ReadUnicodeString; confirm it
            // rejects offset/length pairs that fall outside the buffer.
            var instanceName = buffer.ReadUnicodeString(info.InstanceNameBufferOffset, info.InstanceNameLength / 2);
            Name = instanceName;

            // The altitude is read as text and converted by FilterManagerUtils.ParseAltitude.
            var altitudeText = buffer.ReadUnicodeString(info.AltitudeBufferOffset, info.AltitudeLength / 2);
            Altitude = FilterManagerUtils.ParseAltitude(altitudeText);

            var volumeName = buffer.ReadUnicodeString(info.VolumeNameBufferOffset, info.VolumeNameLength / 2);
            VolumeName = volumeName;

            var filterName = buffer.ReadUnicodeString(info.FilterNameBufferOffset, info.FilterNameLength / 2);
            FilterName = filterName;
        }
コード例 #2
        /// <summary>
        /// Copies the fixed fields of a <c>USN_RECORD_V2</c> and derives the file name, full path
        /// and Win32 path for the record.
        /// </summary>
        /// <param name="buffer">Buffer holding the record; the file name is read from it by offset and length.</param>
        /// <param name="volume">Volume handle passed through to <c>GetFilePath</c>.</param>
        /// <param name="ref_paths">Passed through to <c>GetFilePath</c>; presumably a cache of already resolved paths keyed by file reference number (confirm against GetFilePath).</param>
        internal UsnJournalRecord(SafeStructureInOutBuffer<USN_RECORD_V2> buffer, NtFile volume, Dictionary<long, Tuple<string, string>> ref_paths)
        {
            var record = buffer.Result;

            FileReferenceNumber = record.FileReferenceNumber;
            ParentFileReferenceNumber = record.ParentFileReferenceNumber;
            Usn = record.Usn;
            TimeStamp = record.TimeStamp.ToDateTime();
            Reason = record.Reason;
            SourceInfo = record.SourceInfo;
            SecurityId = record.SecurityId;
            FileAttributes = record.FileAttributes;

            // NOTE(review): paths are resolved through GetFilePath while the record is being
            // constructed; whether they match the file's location when the journal entry was
            // written is not visible from this constructor.
            if (record.FileNameLength <= 0)
            {
                // No name stored in the record: resolve the file's own reference number and
                // take the file name from the resolved path.
                var ownPaths = GetFilePath(volume, FileReferenceNumber, ref_paths);
                FullPath = ownPaths.Item1;
                Win32Path = ownPaths.Item2;
                FileName = Path.GetFileName(FullPath);
                return;
            }

            // The length is halved before being passed on (presumably byte length -> UTF-16
            // character count). NOTE(review): offset and length come from the record itself;
            // confirm ReadUnicodeString validates them against the buffer size.
            FileName = buffer.ReadUnicodeString(record.FileNameOffset, record.FileNameLength / 2);

            // Resolve the parent directory, then append the name taken from the record.
            var parentPaths = GetFilePath(volume, ParentFileReferenceNumber, ref_paths);
            if (parentPaths.Item1 == string.Empty)
            {
                // Parent path came back empty: fall back to the bare file name for both forms.
                FullPath = FileName;
                Win32Path = FileName;
            }
            else
            {
                FullPath = string.Concat(parentPaths.Item1, @"\", FileName);
                Win32Path = string.Concat(parentPaths.Item2, @"\", FileName);
            }
        }
コード例 #3
        /// <summary>
        /// Populates the driver description from a <c>FILTER_AGGREGATE_STANDARD_INFORMATION</c>
        /// buffer, reading either the legacy-filter or the mini-filter part of the structure
        /// depending on the <c>FLTFL_ASI_IS_LEGACYFILTER</c> flag.
        /// </summary>
        /// <param name="buffer">Buffer whose <c>Result</c> supplies the flags and the offset and length of each string.</param>
        internal FilterDriver(SafeStructureInOutBuffer<FILTER_AGGREGATE_STANDARD_INFORMATION> buffer)
        {
            var info = buffer.Result;
            bool isLegacy = info.Flags.HasFlagSet(FILTER_AGGREGATE_STANDARD_INFORMATION_FLAGS.FLTFL_ASI_IS_LEGACYFILTER);

            // In both branches each length is halved before being passed on (presumably byte
            // length -> UTF-16 character count). NOTE(review): offsets and lengths come from the
            // buffer contents; confirm ReadUnicodeString validates them against the buffer size.
            if (!isLegacy)
            {
                var mini = info.MiniFilter;

                MiniFilter = true;
                Flags = mini.Flags;
                FrameID = mini.FrameID;
                NumberOfInstances = mini.NumberOfInstances;
                Name = buffer.ReadUnicodeString(mini.FilterNameBufferOffset, mini.FilterNameLength / 2);

                var miniAltitudeText = buffer.ReadUnicodeString(mini.FilterAltitudeBufferOffset, mini.FilterAltitudeLength / 2);
                Altitude = FilterManagerUtils.ParseAltitude(miniAltitudeText);
                return;
            }

            // Legacy filter: MiniFilter, FrameID and NumberOfInstances are not assigned here.
            var legacy = info.LegacyFilter;

            Flags = legacy.Flags;
            Name = buffer.ReadUnicodeString(legacy.FilterNameBufferOffset, legacy.FilterNameLength / 2);

            var legacyAltitudeText = buffer.ReadUnicodeString(legacy.FilterAltitudeBufferOffset, legacy.FilterAltitudeLength / 2);
            Altitude = FilterManagerUtils.ParseAltitude(legacyAltitudeText);
        }