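/// <summary>
/// Builds one process record from a single ProcMon XML process element.
/// The constructor pulls the scalar fields out of the element, registers the
/// owner, process name, image and loaded modules in the shared lookup lists,
/// and pre-renders the human-readable <c>summary</c> string.
/// </summary>
/// <param name="processListReader">
/// Reader positioned on one process element of a ProcMon XML export. The export
/// is third-party input; see the XXE note below.
/// </param>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="processListReader"/> is null.
/// </exception>
internal PMLProcess(XmlReader processListReader)
{
    if (processListReader == null)
    {
        throw new ArgumentNullException("processListReader");
    }

    XmlDocument processXMLDoc = new XmlDocument();
    // Hardening: a ProcMon export is data produced outside this program (and may
    // have been hand-edited or shared), so never let the document resolve
    // external entities or DTDs (XXE -> local file disclosure / SSRF). A null
    // resolver disables that on the document side; the reader passed in still
    // controls DTD *parsing*, so the caller should also create it with
    // XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit.
    processXMLDoc.XmlResolver = null;
    processXMLDoc.Load(processListReader);

    // Owner is read up front but registered later: the registration order below
    // determines the indices handed out by the shared lists, so keep it stable.
    string ownerName = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_Owner);

    // Scalar fields, parsed by the project's XML helpers.
    ProcessId = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ProcessId);
    ParentProcessId = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ParentProcessId);
    ProcessIndex = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ProcessIndex);
    ParentProcessIndex = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ParentProcessIndex);
    AuthenticationId = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_AuthenticationId);
    CreateTime = XMLUtils.ParseTagContentAsFileTime(processXMLDoc, ProcMonXMLTagNames.Process_CreateTime);
    FinishTime = XMLUtils.ParseTagContentAsFileTime(processXMLDoc, ProcMonXMLTagNames.Process_FinishTime);
    IsVirtualized = XMLUtils.ParseTagContentAsBoolean(processXMLDoc, ProcMonXMLTagNames.Process_IsVirtualized);
    Is64bit = XMLUtils.ParseTagContentAsBoolean(processXMLDoc, ProcMonXMLTagNames.Process_Is64bit);
    ProcessIntegrity = ProcessIntegrityLevelExtensions.ToProcessIntegrityLevel(
        XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_Integrity));

    // Registrations in the shared lists (order matters, see above).
    OwnerIndex = OwnerList.AddOwnerToList(ownerName);
    ProcessNameIndex = ProcessNameList.AddProcessNameToList(
        XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_ProcessName));
    // The command line is stored HTML-escaped in the export; unescape it once here.
    // It is attacker-influenced text (anything a process was launched with), so
    // consumers that render it into HTML/markup must re-escape it.
    CommandLine = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_CommandLine).HTMLUnEscape().Trim();
    LoadedModuleList = PMLModule.LoadModules(processXMLDoc);
    string imagePath = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_ImagePath);
    ImageIndex = ModuleList.LocateInOrAddToModuleList(imagePath);

    // Pre-rendered one-line description. The format string is split across two
    // literals only for readability; the rendered text is a single line.
    StringBuilder buffer = new StringBuilder(string.Format(
        "{0}{1} Process - {2} [{3}] with ID = {4} was created at {5} with " +
        "{6} integrity, which loaded {7} modules, as a child of {8} by {9}",
        (IsVirtualized ? "Virtualized " : ""),
        (Is64bit ? "64-Bit" : "32-Bit"),
        ProcessNameList.GetProcessName(ProcessNameIndex),
        ModuleList.GetModuleDescription(ImageIndex),
        ProcessId,
        CreateTime,
        ProcessIntegrity,
        LoadedModuleList.Count,
        ParentProcessId,
        OwnerList.GetOwnerName(OwnerIndex)));

    if (!string.IsNullOrWhiteSpace(CommandLine))
    {
        buffer.AppendFormat(", using the command line {0}", CommandLine);
    }
    buffer.Append(" ");

    // A finish time at or before the create time is treated as "still running";
    // presumably ProcMon leaves FinishTime unset (zero/epoch) for processes alive
    // at the end of the capture -- confirm against the export format.
    if (FinishTime <= CreateTime)
    {
        buffer.Append("and is running.");
    }
    else
    {
        buffer.AppendFormat("and ended at {0}.", FinishTime);
    }

    summary =
#if DEBUG
        "[PMLProcess]:\n" +
#endif
        buffer.ToString();
}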
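/// <summary>
/// Collects the <c>ModuleList</c> indices of every module listed under the
/// process element in <paramref name="processXMLDoc"/>, registering modules
/// not yet known to <c>ModuleList</c> as it goes.
/// </summary>
/// <param name="processXMLDoc">Parsed ProcMon XML for one process.</param>
/// <returns>
/// The set of <c>ModuleList</c> indices for this process (duplicates collapse);
/// empty when the element lists no modules.
/// </returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="processXMLDoc"/> is null.
/// </exception>
internal static HashSet<int> LoadModules(XmlDocument processXMLDoc)
{
    if (processXMLDoc == null)
    {
        throw new ArgumentNullException("processXMLDoc");
    }

    // The synthetic "System" module is registered on every call, before any
    // module from the export, exactly as before (index stability depends on it).
    ModuleList.AddModuleToList(System);

    HashSet<int> processModuleList = new HashSet<int>();
    var modules = processXMLDoc.SelectNodes(ProcMonXMLTagNames.Module_XPathInXML);
    if (modules == null)
    {
        return processModuleList;
    }

    foreach (XmlElement module in modules)
    {
        // A module entry with no path child cannot be keyed in ModuleList.
        // Exports are external input (possibly truncated or hand-edited), so skip
        // such an entry instead of dereferencing a missing node and crashing the
        // whole load.
        var pathNodes = module.GetElementsByTagName(ProcMonXMLTagNames.Module_Path);
        if (pathNodes == null || pathNodes.Count == 0)
        {
            continue;
        }
        string path = pathNodes[0].InnerText;

        // Reuse an existing entry; otherwise parse and register this module.
        int moduleIndex = ModuleList.LocateModuleInList(path);
        if (moduleIndex == -1)
        {
            moduleIndex = ModuleList.AddModuleToList(new PMLModule(path, module));
        }
        // AddModuleToList may itself report -1; only record real indices.
        if (moduleIndex != -1)
        {
            processModuleList.Add(moduleIndex);
        }
    }

    return processModuleList;
}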