internal PMLProcess(XmlReader processListReader)
{
XmlDocument processXMLDoc = new XmlDocument();
processXMLDoc.Load(processListReader);
string tempString = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_Owner);
// Actual object creation i.e., assigning values to members
ProcessId = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ProcessId);
ParentProcessId = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ParentProcessId);
ProcessIndex = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ProcessIndex);
ParentProcessIndex = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ParentProcessIndex);
AuthenticationId = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_AuthenticationId);
CreateTime = XMLUtils.ParseTagContentAsFileTime(processXMLDoc, ProcMonXMLTagNames.Process_CreateTime);
FinishTime = XMLUtils.ParseTagContentAsFileTime(processXMLDoc, ProcMonXMLTagNames.Process_FinishTime);
IsVirtualized = XMLUtils.ParseTagContentAsBoolean(processXMLDoc, ProcMonXMLTagNames.Process_IsVirtualized);
Is64bit = XMLUtils.ParseTagContentAsBoolean(processXMLDoc, ProcMonXMLTagNames.Process_Is64bit);
ProcessIntegrity = ProcessIntegrityLevelExtensions.ToProcessIntegrityLevel(XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_Integrity));
OwnerIndex = OwnerList.AddOwnerToList(tempString);
ProcessNameIndex = ProcessNameList.AddProcessNameToList(XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_ProcessName));
CommandLine = (XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_CommandLine)).HTMLUnEscape().Trim();
LoadedModuleList = PMLModule.LoadModules(processXMLDoc);
var image = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_ImagePath);
ImageIndex = ModuleList.LocateInOrAddToModuleList(image);
StringBuilder buffer = new StringBuilder(string.Format(
"{0}{1} Process - {2} [{3}] with ID = {4} was created at {5} with {6} integrity, which loaded {7} modules, as a child of {8} by {9}",
(IsVirtualized ? "Virtualized " : ""),
(Is64bit ? "64-Bit" : "32-Bit"),
ProcessNameList.GetProcessName(ProcessNameIndex),
ModuleList.GetModuleDescription(ImageIndex),
ProcessId,
CreateTime,
ProcessIntegrity,
LoadedModuleList.Count,
ParentProcessId,
OwnerList.GetOwnerName(OwnerIndex)
));
if (!string.IsNullOrWhiteSpace(CommandLine))
{
buffer.AppendFormat(", using the command line {0}", CommandLine);
}
buffer.Append(" ");
if (FinishTime <= CreateTime)
{
buffer.Append("and is running.");
}
else
{
buffer.AppendFormat("and ended at {0}.", FinishTime);
}
summary =
#if DEBUG
"[PMLProcess]:\n" +
#endif
buffer.ToString();
}
internal static HashSet <int> LoadModules(XmlDocument processXMLDoc)
{
ModuleList.AddModuleToList(System);
HashSet <int> processModuleList = new HashSet <int>();
var modules = processXMLDoc.SelectNodes(ProcMonXMLTagNames.Module_XPathInXML);
foreach (XmlElement module in modules)
{
string path = module.GetElementsByTagName(ProcMonXMLTagNames.Module_Path)[0].InnerText;
int moduleIndex = ModuleList.LocateModuleInList(path);
if (-1 == moduleIndex)
{
var tempModule = new PMLModule(path, module);
moduleIndex = ModuleList.AddModuleToList(tempModule);
}
if (-1 != moduleIndex)
{
processModuleList.Add(moduleIndex);
}
}
return(processModuleList);
}
