/// <summary>
/// Creates a details window for the given EventEntry
/// </summary>
/// <param name="ee">The EventEntry for this window</param>
public Details(EventEntry ee)
{
InitializeComponent();
textBox_machine.Text = ee.Machine;
textBox_objname.Text = ee.fileName;
textBox_time.Text = ee.timestamp.ToString();
textBox_user.Text = ee.userName;
textBox_cat.Text = ee.fileType;
textBox_action.Text = ee.action;
if (ee.result.Equals("Success"))
{
textBox_message.Text = "The action was successful";
}
else
{
textBox_message.Text = "The action failed";
}
this.Show();
}
private bool IgnoreFile(FileAttributes attr, EventEntry e)
{
bool ignore = false;
string filename = e.fileName.Substring(e.fileName.LastIndexOf('\\')+1);
CLogger.WriteLog(ELogLevel.DEBUG, "IgnoreFile: The filename is " + filename +" imagePath: " + e.imagePath);
string dbTempFile = @"[^\.]+\.laccdb";
string db2k3TempFile = @"[^\.]+\.ldb";
if (( ((attr & FileAttributes.Hidden) == FileAttributes.Hidden)
&& IsTempFile(filename)
&& IsProcessPartOfMSOffice(e.imagePath))
|| (System.Text.RegularExpressions.Regex.IsMatch(
filename, dbTempFile, System.Text.RegularExpressions.RegexOptions.IgnoreCase))
|| (System.Text.RegularExpressions.Regex.IsMatch(
filename, db2k3TempFile, System.Text.RegularExpressions.RegexOptions.IgnoreCase))
|| (e.fileName.Contains("$Recycle.Bin")) )
{
CLogger.WriteLog(ELogLevel.DEBUG, "IgnoreFile1");
ignore = true;
}
return ignore;
}
private void HandleDeletion(EventEntry e)
{
using (SQLiteCommand checkRenameCmd = new SQLiteCommand())
{
checkRenameCmd.Connection = conn;
checkRenameCmd.CommandText = "SELECT * FROM FAM WHERE pid = " + e.processID +
" AND filehandle = " + e.handleID +
" AND action = 'Rename'";
SQLiteDataReader checkRenameReader = checkRenameCmd.ExecuteReader();
if (checkRenameReader.HasRows)
{
using (SQLiteCommand updateCmd = new SQLiteCommand())
{
updateCmd.Connection = conn;
updateCmd.CommandText = "UPDATE FAM set action = 'Delete' WHERE timestamp = " +
"(SELECT max(timestamp) FROM FAM WHERE pid =" +
e.processID + " AND filehandle = " + e.handleID +
" AND action = 'Rename')";
int rows = updateCmd.ExecuteNonQuery();
if (rows != 1)
CLogger.WriteLog(ELogLevel.ERROR, "Updation for Delete affected more than one row");
}
}
}
}
/// <summary>
/// Process WMI event of Win32_PrintJob instance
/// </summary>
/// <param name="managementObject"></param>
/// <returns></returns>
private static EventEntry processPrintJobEvent(ManagementBaseObject managementObject)
{
EventEntry evt = null;
try
{
string fileName = managementObject.Properties["Document"].Value.ToString();
string userName = managementObject.Properties["Owner"].Value.ToString();
string printerName = managementObject.Properties["Name"].Value.ToString();
string eventTimeGeneratedString = managementObject.Properties["TimeSubmitted"].Value.ToString();
DateTime eventTimeGenerated = convertFromWMIDateTime(eventTimeGeneratedString);
evt = new EventEntry();
// set the fields for Print Job event
evt.eventCode = OBJ_PRINT_EVENT;
evt.userName = userName;
evt.fileName = fileName;
evt.fileType = printerName; // storing the printer name in fileType field
evt.action = "Print";
evt.timestamp = eventTimeGenerated;
evt.processID = INVALID;
evt.handleID = INVALID;
evt.accessMask = INVALID;
evt.result = "Queued";
}
catch (Exception ex)
{
CLogger.WriteLog(ELogLevel.ERROR, ex.Message + "\n" + ex.StackTrace);
evt = null;
}
return evt;
}
/// <summary>
/// Process WMI event of Win32_NtLogEvent instance
/// </summary>
/// <param name="managementObject"></param>
/// <returns></returns>
private static EventEntry processEventLogEvent(ManagementBaseObject managementObject)
{
EventEntry evt = null;
UInt32 recordID = 0;
try
{
recordID = Convert.ToUInt32(managementObject.Properties["RecordNumber"].Value.ToString());
//Console.WriteLine("Event arrived ");
int eventID = Convert.ToInt32(managementObject.Properties["EventCode"].Value.ToString());
string[] eventStrings = (string[])managementObject.Properties["InsertionStrings"].Value;
string eventTimeGeneratedString = managementObject.Properties["TimeGenerated"].Value.ToString();
string result = managementObject.Properties["Type"].Value.ToString();
Byte eventType = Convert.ToByte(managementObject.Properties["EventType"].Value.ToString());
DateTime eventTimeGenerated = convertFromWMIDateTime(eventTimeGeneratedString);
evt = new EventEntry();
// set the fields which are same for all event codes
evt.eventCode = eventID;
evt.timestamp = eventTimeGenerated;
if (eventType == SECURITY_AUDIT_SUCCESS)
{
evt.result = "Success";
}
else
{
evt.result = "Failure";
}
if (osInfo.Version.Major == OS_VER_WIN_SERVER_2003)
{
string eventUser = managementObject.Properties["User"].Value.ToString();
evt.userName = eventUser;
populateEventSpecificStrings(evt, eventStrings);
}
else
populateEventSpecificStrings_Win2008(evt, eventStrings);
// now that we have all the information, let us see if this
// event can be ignored
if (ignoreEvent(evt) == true)
{
CLogger.WriteLog(ELogLevel.DEBUG, "Ignoring event: " + recordID);
return null;
}
// For file open events, get the file type
if (evt.eventCode == OBJ_OPEN_EVENT)
{
populateFileType(evt);
}
}
catch (Exception ex)
{
CLogger.WriteLog(ELogLevel.ERROR, "Exception for event: " + recordID + "\n" + ex.Message + "\n" + ex.StackTrace);
evt = null;
}
return evt;
}
private static void populateFileType(EventEntry evt)
{
try
{
FileAttributes attr = File.GetAttributes(evt.fileName);
if ((attr & FileAttributes.Directory) == FileAttributes.Directory)
evt.fileType = "Directory";
else
evt.fileType = "File";
// CLogger.WriteLog(ELogLevel.INFO, "Populating file type: " + evt.fileType + "for filename :"+evt.fileName);
}
catch (FileNotFoundException)
{
// This is an expected exception for delete and rename cases
CLogger.WriteLog(ELogLevel.INFO, "Expected exc for Rename/delete case File not found: " + evt.fileName);
evt.fileType = "File";
}
catch (Exception exc)
{
CLogger.WriteLog(ELogLevel.ERROR, exc.Message + "\n" + exc.StackTrace);
evt.fileType = "File";
}
}
private static void populateEventSpecificStrings_Win2008(EventEntry evt, string[]eventStrings)
{
int eventIndex = INVALID;
if (evt.eventCode == OBJ_OPEN_EVENT)
//560 || evt.eventCode == OBJECT_OPEN_EVENT_WIN_2008)
{
eventIndex = EVENT_ID_560_INDEX;
}
else if (evt.eventCode == OBJ_ACCESS_EVENT)
//567)
{
eventIndex = EVENT_ID_567_INDEX;
}
else if (evt.eventCode == OBJ_DELETE_EVENT)
//564)
{
eventIndex = EVENT_ID_564_INDEX;
}
else if (evt.eventCode == OBJ_DUPLICATE_EVENT)
{
CLogger.WriteLog(ELogLevel.ERROR, "Event specific string eventcode : " + evt.eventCode);
eventIndex = EVENT_ID_590_INDEX;
}
try
{
evt.userName = eventStrings[1]; // Username
if (eventArray[eventIndex, OBJ_NAME_INDEX] != INVALID)
{
evt.fileName = eventStrings[eventArray[eventIndex, OBJ_NAME_INDEX]];
}
if (eventArray[eventIndex, HANDLE_ID_INDEX] != INVALID && evt.result.Equals("Success"))
{
// CLogger.WriteLog(ELogLevel.DEBUG, "Handle in Insertion string" + eventStrings[eventArray[eventIndex, HANDLE_ID_INDEX]]);
evt.handleID = Convert.ToInt32(eventStrings[eventArray[eventIndex, HANDLE_ID_INDEX]].Substring(2), 16);
}
if (eventArray[eventIndex, PROCESS_ID_INDEX] != INVALID)
{
evt.processID = Convert.ToInt32(eventStrings[eventArray[eventIndex, PROCESS_ID_INDEX]].Substring(2), 16);
}
if (eventArray[eventIndex, ACCESS_MASK_INDEX] != INVALID)
{
string hexString = eventStrings[eventArray[eventIndex, ACCESS_MASK_INDEX]];
evt.accessMask = Int32.Parse(hexString.Substring(2), System.Globalization.NumberStyles.HexNumber);
}
if (eventArray[eventIndex, OBJ_TYPE_INDEX] != INVALID)
{
evt.objType = eventStrings[eventArray[eventIndex, OBJ_TYPE_INDEX]];
}
if (eventArray[eventIndex, IMAGE_PATH_INDEX] != INVALID)
{
evt.imagePath = eventStrings[eventArray[eventIndex, IMAGE_PATH_INDEX]];
}
if (evt.eventCode == OBJ_OPEN_EVENT)
{
evt.action = "Open";
}
else if (evt.eventCode == OBJ_DELETE_EVENT)
{
evt.action = "Delete";
}
else if (evt.eventCode == OBJ_ACCESS_EVENT)
{
// OBJ_ACCESS_EVENT will only have one access permission
if ((evt.accessMask & AccessCodes.FILE_READ_DATA) != 0)
{
evt.action = "Read";
}
else if ((evt.accessMask & AccessCodes.FILE_WRITE_DATA) != 0)
{
evt.action = "Write";
}
else if ((evt.accessMask & AccessCodes.DELETE) != 0)
{
evt.action = "Rename";
}
else if ((evt.accessMask & AccessCodes.FILE_READ_ATTRIBUTES) != 0)
{
evt.action = "ReadAttribute";
}
else if ((evt.accessMask & AccessCodes.FILE_WRITE_ATTRIBUTES) != 0)
{
evt.action = "WriteAttribute";
}
else if ((evt.accessMask & AccessCodes.READ_CONTROL) != 0)
{
evt.action = "ReadControl";
}
else if ((evt.accessMask & AccessCodes.FILE_APPEND_DATA) != 0)
{
evt.action = "Write";
}
else if ((evt.accessMask & AccessCodes.WRITE_DAC) != 0)
{
evt.action = "WriteAttribute";
}
else if ((evt.accessMask & AccessCodes.FILE_EXECUTE) != 0)
{
evt.action = "Execute/Traverse";
}
else
{
evt.action = "Unknown";
}
}
else if (evt.eventCode == OBJ_DUPLICATE_EVENT)
{
evt.action = "Open";
evt.objType = "File";
if (eventArray[eventIndex, DUPLICATE_HANDLE_INDEX] != INVALID && evt.result.Equals("Success"))
{
// CLogger.WriteLog(ELogLevel.DEBUG, "Handle in Insertion string" + eventStrings[eventArray[eventIndex, HANDLE_ID_INDEX]]);
evt.dupHandleID = Convert.ToInt32(eventStrings[eventArray[eventIndex, DUPLICATE_HANDLE_INDEX]].Substring(2), 16);
}
}
}
catch (Exception e)
{
CLogger.WriteLog(ELogLevel.ERROR, e.Message + "\n" + e.StackTrace);
throw (e);
}
}
/// <summary>
/// Adds one element to the grid
/// </summary>
/// <param name="ev">The element to be added</param>
public void AddElementToGrid(EventEntry ev)
{
if (this.grid.InvokeRequired)
{
SetGridCallbackOne d = new SetGridCallbackOne(AddElementToGrid);
this.Invoke(d, new object[] { ev });
}
else
{
//TODO: remove un necessary ?
int row = grid.Rows.Count - 1;
grid.Rows.Add(this.GetAllAttribsForGrid(ev));
}
}
private void UpdateEntryInOpenAccess(EventEntry e)
{
using (SQLiteCommand updateCmd = new SQLiteCommand())
{
updateCmd.Connection = conn;
updateCmd.CommandText = "UPDATE OPENACCESS set filename = '" + e.fileName +"'" +
", filetype ='" + e.fileType +"'" +
", accessmask ='" + e.accessMask + "'" +
", user ='******'" +
" WHERE pid =" + e.processID +
" AND filehandle = " + e.handleID;
int rows = updateCmd.ExecuteNonQuery();
if (rows != 1)
CLogger.WriteLog(ELogLevel.ERROR, "Updation for Open Access affected more than one row");
}
}
/// <summary>
///
/// </summary>
/// <param name="e"></param>
private void ProcessPrintJobEventEntry(EventEntry e)
{
InsertEntryToFAM(e);
}
/// <summary>
///
/// </summary>
/// <param name="e"></param>
private void ProcessEventLogEventEntry(EventEntry e)
{
if (e.eventCode == OBJ_OPEN_EVENT) /*Check if EventID is 560 i.e. OPEN */
{
if (e.result.Equals("Failure"))
{
if(IsProcessPartOfMSOffice(e.imagePath) == false)
InsertEntryToFAM(e);
}
else if (IsOpenTableEntryExist(e.processID, e.handleID))
{
UpdateEntryInOpenAccess(e);
}
else
InsertEntryToOpenAccess(e);
CLogger.WriteLog(ELogLevel.DEBUG, "Open FIle operation , Handle ID : " + e.handleID +
" File Name : " + e.fileName);
}
else if (e.eventCode == OBJ_DUPLICATE_EVENT)
{
SQLiteDataReader reader = GetFileOpenRecords(e.processID, e.handleID);
CLogger.WriteLog(ELogLevel.DEBUG, "Duplicate Operation, Handle ID : " + e.handleID +
" Duplicate Id : " + e.dupHandleID);
if (reader.HasRows && reader.Read())
{
String temp = reader.GetString(OPENACCESS_FILENAME_INDEX);//FILENAME_COLUMN 0
e.fileName = temp;
temp = reader.GetString(OPENACCESS_FILETYPE_INDEX); // FILETYPE_COLUMN 1
e.fileType = temp;
int openAccessMask = reader.GetInt32(OPENACCESS_ACCESSMASK_INDEX); //ACCESMASK 2
e.accessMask = openAccessMask;
e.handleID = e.dupHandleID;
CLogger.WriteLog(ELogLevel.DEBUG, "File Name found for Duplicate: " + e.fileName);
if (IsOpenTableEntryExist(e.processID, e.handleID))
{
UpdateEntryInOpenAccess(e);
}
else
InsertEntryToOpenAccess(e);
}
}
else
{
SQLiteDataReader reader = GetFileOpenRecords(e.processID, e.handleID);
if (reader.HasRows && reader.Read())
{
String temp = reader.GetString(OPENACCESS_FILENAME_INDEX);//FILENAME_COLUMN 0
e.fileName = temp;
temp = reader.GetString(OPENACCESS_FILETYPE_INDEX); // FILETYPE_COLUMN 1
e.fileType = temp;
int openAccessMask = reader.GetInt32(OPENACCESS_ACCESSMASK_INDEX); //ACCESMASK 2
{
FileAttributes attr = FileAttributes.Normal;
try
{
attr = File.GetAttributes(e.fileName);
}
catch (FileNotFoundException exc)
{
CLogger.WriteLog(ELogLevel.DEBUG, "File Not Found Exception while getting attributes " + exc.Message);
attr = FileAttributes.Hidden;
}
catch (Exception exc)
{
CLogger.WriteLog(ELogLevel.DEBUG, " Exception while getting attributes " + exc.Message);
}
if (IgnoreFile(attr, e) == false)
{
if (e.userName == "NT AUTHORITY\\SYSTEM")
{
CLogger.WriteLog(ELogLevel.DEBUG, "Replacing SYSTEM username with actual username for folder delete");
temp = reader.GetString(OPENACCESS_USERNAME_INDEX);
e.userName = temp;
}
/* Special Handling for Deletion */
if (e.eventCode == OBJ_DELETE_EVENT)
{
InsertEntryToFAM(e);
}
else
{
// Handle OBJ_ACCESS_EVENT
if (e.action.Equals("Rename"))
{
if (((openAccessMask & AccessCodes.READ_CONTROL) != 0)
&& ((openAccessMask & AccessCodes.SYNCHRONIZE) == 0))
{
CLogger.WriteLog(ELogLevel.DEBUG, "Ignoring 567 delete access before 564");
}
else if ((openAccessMask & AccessCodes.SYNCHRONIZE) != 0)
{
if (isRenamePartOfDelete(e) == false)
{
if (IsProcessPartOfMSOffice(e.imagePath) == true)
{
/* This is done to handle stupid MS OFFICE suite.
* which first creates a temporary file and then renames it to the original file
* during a file write. This is ofcourse good for stability and reliability but
* bad from a logging perspective
*/
e.action = "Write";
}
CLogger.WriteLog(ELogLevel.DEBUG, "Rename operation being Logged , Handle ID : " +
e.handleID);
InsertEntryToFAM(e);
}
}
}
else if (((e.action.Equals("Read")) || (e.action.Equals("Write")))
&& (e.fileType.Equals("Directory")))
{
CLogger.WriteLog(ELogLevel.DEBUG, "Ignoring dir reads");
}
else if (e.action.Equals("WriteAttribute")
|| e.action.Equals("ReadAttribute")) //(osInfo.Version.Major == OS_VER_WIN_SERVER_2008 )
{
CLogger.WriteLog(ELogLevel.DEBUG, "Action equals WriteAttribute");
if ((openAccessMask == AccessCodes.FILE_CREATE) ||
(openAccessMask == AccessCodes.FILE_CREATE_WIN_2008) ||
(openAccessMask == AccessCodes.FILE_COPY) ||
(openAccessMask == AccessCodes.FILE_REMOTE_COPY) ||
(openAccessMask == AccessCodes.DIR_REMOTE_COPY))
{
e.action = "Create";
if (IsProcessPartOfMSOffice(e.imagePath) == false)
InsertEntryToFAM(e);
}
if (e.action.Equals("WriteAttribute"))
InsertEntryToFAM(e);
}
else if (e.action.Equals("ReadControl"))
{
CLogger.WriteLog(ELogLevel.DEBUG, "Action equals ReadControl");
if ((openAccessMask == AccessCodes.DIR_REMOTE_COPY) ||
(openAccessMask == AccessCodes.FILE_CREATE_WIN_2008) ||
(openAccessMask == AccessCodes.FILE_REMOTE_COPY) ||
(openAccessMask == AccessCodes.FILE_CREATE_WIN_XP) ||
(openAccessMask == AccessCodes.FILE_COPY_WIN_XP))
{
e.action = "Create";
InsertEntryToFAM(e);
}
}
else
{
InsertEntryToFAM(e);
}
}
// end if (reader.hasRows ....)
}// end if(fileName.Contains(".tmp"))
}// end if(action.Equals
}
}
}
/// <summary>
///
/// </summary>
/// <param name="e"></param>
/// <returns></returns>
private bool isRenamePartOfDelete(EventEntry e)
{
try
{
using (SQLiteCommand cmd = new SQLiteCommand())
{
cmd.Connection = conn;
cmd.CommandText = "SELECT * FROM FAM WHERE pid = " + e.processID +
" AND filename = '" + e.fileName + "'" +
" AND user = '******'" +
" AND timestamp > @TS" +
" AND action = 'Delete' ";
SQLiteParameter param = cmd.CreateParameter();
param.ParameterName = "@TS";
param.DbType = DbType.DateTime;
DateTime timestamp = e.timestamp.AddSeconds(-1);
param.Value = timestamp;
cmd.Parameters.Add(param);
CLogger.WriteLog(ELogLevel.DEBUG, cmd.CommandText);
SQLiteDataReader reader = cmd.ExecuteReader();
if (reader.HasRows && reader.Read())
return true;
}
}
catch (SQLiteException ex)
{
CLogger.WriteLog(ELogLevel.ERROR, ex.Message + "\n" + ex.StackTrace);
}
return false;
}
public static BinarySearchTree<EventEntry> getEventsForFilters(List<InternalFilter> allFilters, Byte requestedDataType,
IPAddress reqIP, ref String lastTime, string dbPath)
{
SQLiteConnection conn = null;
BinarySearchTree<EventEntry> resultTree = null;
try
{
using (conn = new SQLiteConnection(dbPath))
{
conn.Open();
using (SQLiteCommand myCommand = new SQLiteCommand())
{
string query = getQueryForFilters(myCommand, allFilters, requestedDataType, reqIP, lastTime);
if (query == null)
{
CLogger.WriteLog(ELogLevel.ERROR, "Null query returned");
return null;
}
myCommand.CommandText = query;
myCommand.Connection = conn;
SQLiteDataReader reader = myCommand.ExecuteReader();
resultTree = new BinarySearchTree<EventEntry>();
EventEntry entry;
bool firstRecord = true;
if (reader.HasRows)
{
while (reader.Read())
{
entry = new EventEntry();
try
{
entry.timestamp = DateTime.Parse(reader.GetString(0));
if (firstRecord == true)
{
if (requestedDataType == Common.INITIAL || requestedDataType == Common.UPDATE)
{
lastTime = reader.GetString(0);
OperatingSystem osInfo = Environment.OSVersion;
if (osInfo.Version.Major == 5) /* WIN_SERVER_2003 */
lastTime += ".000";
}
else
{
lastTime = Common.DEFAULT;
}
firstRecord = false;
}
}
catch (Exception ex)
{
CLogger.WriteLog(ELogLevel.ERROR, ex.Message + "\n" + ex.StackTrace);
entry.timestamp = new DateTime();
}
entry.fileName = reader.GetString(1);
entry.userName = reader.GetString(2);
entry.action = reader.GetString(3);
entry.fileType = reader.GetString(4);
entry.result = reader.GetString(5);
entry.Machine = System.Environment.MachineName;
resultTree.Add(entry);
}
}
else //if(reader.HasRoes)
{
if (requestedDataType == Common.INITIAL)
{
CLogger.WriteLog(ELogLevel.DEBUG, " Data Type is Initial, so setting Time to Default ");
lastTime = Common.DEFAULT;
}
}
conn.Close();
}
}
}
catch (Exception ex)
{
CLogger.WriteLog(ELogLevel.ERROR, ex.Message + "\n" + ex.StackTrace);
//throw(ex);
}
finally
{
if (conn != null)
((IDisposable)conn).Dispose();
}
return resultTree;
}
/// <summary>
/// Gets all information of an element in an array in the order the columns are there.
/// </summary>
/// <param name="ev">The evententry which we want to get information from</param>
/// <returns>All needed information in the columns order</returns>
public object[] GetAllAttribsForGrid(EventEntry ev)
{
object[] retVal = new object[grid.Columns.Count];
for (int i = 0; i < grid.Columns.Count; i++)
{
if (grid.Columns[i].Name.Equals(MACHINE))
retVal[i] = ev.Machine;
//if (grid.Columns[i].Name.Equals(MSGSRC))
// retVal[i] = ev.MsgSource;
//if (grid.Columns[i].Name.Equals(INDEX))
//retVal[i] = ev.Index;
if (grid.Columns[i].Name.Equals(CAT))
retVal[i] = ev.fileType;
//if (grid.Columns[i].Name.Equals(CATNUM))
// retVal[i] = ev.Catnum;
if (grid.Columns[i].Name.Equals(ENTRYTYPE))
retVal[i] = ev.result;
/*
if (grid.Columns[i].Name.Equals(SRC))
retVal[i] = ev.Src;
if (grid.Columns[i].Name.Equals(IID))
retVal[i] = ev.IID;
*/
if (grid.Columns[i].Name.Equals(TGEN))
retVal[i] = ev.timestamp;
//if (grid.Columns[i].Name.Equals(TWRITTEN))
// retVal[i] = ev.TWritten;
/*
if (grid.Columns[i].Name.Equals(MSG))
retVal[i] = ev.Msg;
* */
if (grid.Columns[i].Name.Equals(USER))
retVal[i] = ev.userName;
//TODO: add sec user
//if (grid.Columns[i].Name.Equals(SEC_USER))
// retVal[i] = ev.CallerDomain + "\\" + ev.CallerUserName;
if (grid.Columns[i].Name.Equals(FILE))
retVal[i] = ev.fileName;
if (grid.Columns[i].Name.Equals(ACTION))
retVal[i] = ev.action;
}
return retVal;
}
private void InsertEntryToFAM(EventEntry e)
{
try
{
using (SQLiteCommand cmd = new SQLiteCommand())
{
cmd.Connection = conn;
cmd.CommandText = @"INSERT INTO FAM values
(@timestamp, @pid, @filehandle, @filename, @user, @action, @accessmask, @filetype, @result)";
SQLiteParameter param = cmd.CreateParameter();
param.ParameterName = "timestamp";
param.DbType = DbType.DateTime;
param.Value = e.timestamp;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "pid";
param.DbType = DbType.Int32;
param.Value = e.processID;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "filehandle";
param.DbType = DbType.Int32;
param.Value = e.handleID;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "filename";
param.DbType = DbType.String;
param.Value = e.fileName;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "user";
param.DbType = DbType.String;
param.Value = e.userName;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "action";
param.DbType = DbType.String;
param.Value = e.action;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "accessmask";
param.DbType = DbType.Int32;
param.Value = e.accessMask;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "filetype";
param.DbType = DbType.String;
param.Value = e.fileType;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "result";
param.DbType = DbType.String;
param.Value = e.result;
cmd.Parameters.Add(param);
cmd.ExecuteNonQuery();
}
}
catch (SQLiteException ex)
{
CLogger.WriteLog(ELogLevel.ERROR,"INSERT INTO FAM exception " + ex.Message + "\n" + ex.StackTrace);
}
}
/// <summary>
/// Apply filtering rules
/// </summary>
/// <param name="evt"></param>
/// <returns></returns>
private static bool ignoreEvent(EventEntry evt)
{
int eventIndex = INVALID;
bool ignore = false;
// Order of checking is very important
if (evt.eventCode == OBJ_DELETE_EVENT)
{
ignore = false;
}
else if (evt.userName == "NT AUTHORITY\\SYSTEM"
&& (evt.accessMask != AccessCodes.READ_CONTROL))
{
ignore = true;
}
else if (evt.objType.ToLower().Contains("file") == false)
{
ignore = true;
}
else if (evt.eventCode == OBJ_ACCESS_EVENT)
{
if (evt.action.Equals("Execute/Traverse"))
{
ignore = true;
}
else if (evt.action.Equals("Read"))
{
/* Ignore reads, if the image path is windows\explorer.exe
* Being pessimistic here when comparing explorer.exe
* Better to report extra events than dropping
*/
if (evt.imagePath.ToLower().Contains("windows\\explorer.exe"))
{
ignore = true;
CLogger.WriteLog(ELogLevel.DEBUG, "Ignoring reads by process: " + evt.imagePath);
}
}
}
return ignore;
}
private void InsertEntryToOpenAccess(EventEntry e)
{
using (SQLiteCommand cmd = new SQLiteCommand())
{
cmd.Connection = conn;
cmd.CommandText = @"INSERT OR IGNORE INTO OPENACCESS values
(@timestamp, @pid, @filehandle, @filename, @filetype, @accessmask, @user)";
SQLiteParameter param = cmd.CreateParameter();
param.ParameterName = "timestamp";
param.DbType = DbType.DateTime;
param.Value = e.timestamp;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "pid";
param.DbType = DbType.Int32;
param.Value = e.processID;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "filehandle";
param.DbType = DbType.Int32;
param.Value = e.handleID;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "filename";
param.DbType = DbType.String;
param.Value = e.fileName;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "filetype";
param.DbType = DbType.String;
param.Value = e.fileType;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "accessmask";
param.DbType = DbType.Int32;
param.Value = e.accessMask;
cmd.Parameters.Add(param);
param = cmd.CreateParameter();
param.ParameterName = "user";
param.DbType = DbType.String;
param.Value = e.userName;
cmd.Parameters.Add(param);
cmd.ExecuteNonQuery();
}
}
/// <summary>
/// Gets triggered, whenever the grid gets doubleclicked. the doubleclicked element is taken and shown in a seperate window.
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void grid_CellDoubleClick(object sender, DataGridViewCellEventArgs e)
{
//int index = grid.SelectedRows[0].Index;
int index = e.RowIndex;
if (index == -1)
return;
EventEntry ee = new EventEntry();
ee.timestamp = (DateTime)grid[TGEN, index].Value;
ee.fileName = grid[FILE, index].Value.ToString();
ee.Machine = grid[MACHINE, index].Value.ToString();
ee.userName = grid[USER, index].Value.ToString();
ee.action = grid[ACTION, index].Value.ToString();
ee.fileType = grid[CAT, index].Value.ToString();
ee.result = grid[ENTRYTYPE, index].Value.ToString();
new Details(ee);
}