/// <summary>
/// Builds one <see cref="PMLEvent"/> from a single Process Monitor XML event record.
/// The reader is loaded into an <see cref="XmlDocument"/> and every field is pulled out of it by tag name.
/// When the event record carries no Integrity or Virtualized value, the owning process
/// (looked up by PID) supplies the value instead.
/// </summary>
/// <param name="eventListReader">Reader positioned on one event element; consumed by <see cref="XmlDocument.Load(XmlReader)"/>.</param>
internal PMLEvent(XmlReader eventListReader)
{
    var doc = new XmlDocument();
    doc.Load(eventListReader);

    ProcessIndex = XMLUtils.ParseTagContentAsInt(doc, ProcMonXMLTagNames.Event_ProcessIndex);
    TimeOfDay = XMLUtils.ParseTagContentAsFileTime(doc, ProcMonXMLTagNames.Event_TimeOfDay);

    // Process names are interned in a shared list; the event keeps only the index.
    var processName = XMLUtils.GetInnerText(doc, ProcMonXMLTagNames.Event_Process_Name);
    ProcessNameIndex = ProcessNameList.AddProcessNameToList(processName);

    PID = XMLUtils.ParseTagContentAsInt(doc, ProcMonXMLTagNames.Event_PID);
    TID = XMLUtils.ParseTagContentAsInt(doc, ProcMonXMLTagNames.Event_TID);

    // The process record is the fallback source for Integrity and Virtualized below.
    // NOTE(review): whether FindProcessByPID can return null for an unknown PID is not visible here — confirm.
    var owningProcess = ConvertedXMLProcessor.FindProcessByPID(PID);

    var integrityText = XMLUtils.GetInnerText(doc, ProcMonXMLTagNames.Event_Integrity);
    if (!string.IsNullOrEmpty(integrityText))
    {
        Integrity = integrityText.ToProcessIntegrityLevel();
    }
    else
    {
        Integrity = owningProcess.ProcessIntegrity;
    }

    Sequence = XMLUtils.GetInnerText(doc, ProcMonXMLTagNames.Event_Sequence);

    var virtualizedText = XMLUtils.GetInnerText(doc, ProcMonXMLTagNames.Event_Virtualized);
    if (!string.IsNullOrEmpty(virtualizedText))
    {
        Virtualized = virtualizedText.StringToBoolean();
    }
    else
    {
        Virtualized = owningProcess.IsVirtualized;
    }

    Operation = XMLUtils.GetInnerText(doc, ProcMonXMLTagNames.Event_Operation);

    // Paths are interned the same way as process names; only the index is stored on the event.
    var path = XMLUtils.GetInnerText(doc, ProcMonXMLTagNames.Event_Path);
    pathIndex = FilePathList.AddFilePathToList(path);

    Result = XMLUtils.GetInnerText(doc, ProcMonXMLTagNames.Event_Result);
    Detail = XMLUtils.GetInnerText(doc, ProcMonXMLTagNames.Event_Detail);
    CallStack = PMLStackFrame.LoadStackFrames(doc);

#if DEBUG
    // Debug builds echo the parsed call stack to the console, one frame per line.
    Console.WriteLine("Stack:\n-------------------------------------------------------------");
    foreach (var frame in CallStack)
    {
        Console.WriteLine(frame);
    }
    Console.WriteLine("-------------------------------------------------------------\n");
#endif
}
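/// <summary>
/// Evaluates this filter against the process that owns <paramref name="pmlEntity"/>.
/// <see cref="PropertyName"/> selects which process attribute is rendered to a string
/// ("ProcessName", "ImagePath", "FinishTime" or "Modules"); that string is then compared
/// with the filter value via <see cref="CompareStringValuesAsPerFilterOperator"/>.
/// </summary>
/// <param name="pmlEntity">The entity to test; must be a <see cref="PMLEvent"/>.</param>
/// <returns><c>true</c> when the selected process attribute satisfies the filter.</returns>
/// <exception cref="ArgumentException"><paramref name="pmlEntity"/> is null or not a <see cref="PMLEvent"/>.</exception>
/// <exception cref="InvalidOperationException">
/// <see cref="PropertyName"/> is empty or unrecognised, or "Modules" is used with an operator other than Contains.
/// </exception>
public override bool Matches(IPMLEntity pmlEntity)
{
    // Fix: the previous unchecked "as" cast dereferenced null for any non-PMLEvent entity.
    var evt = pmlEntity as PMLEvent;
    if (evt == null)
    {
        throw new ArgumentException("pmlEntity must be a non-null PMLEvent.", "pmlEntity");
    }

    // NOTE(review): whether FindProcessByPID can return null for an unknown PID is not visible here — confirm.
    var proc = ConvertedXMLProcessor.FindProcessByPID(evt.PID);
    var actualValue = string.Empty;

    switch (PropertyName)
    {
        case "ProcessName":
            actualValue = ProcessNameList.GetProcessName(proc.ProcessNameIndex);
            break;

        case "ImagePath":
            actualValue = ModuleList.GetModulePath(proc.ImageIndex);
            break;

        case "FinishTime":
            // A still-running process has FinishTime == DateTimeZero and is rendered as "0";
            // otherwise DateTime.ToString() with no format uses the current culture.
            if (proc.FinishTime == DateTimeZero)
            {
                actualValue = "0";
            }
            else
            {
                actualValue = proc.FinishTime.ToString();
            }
            break;

        case "Modules":
            // Module paths are joined one per line, so only a substring match is meaningful.
            if (FilterOperator != FilterOperators.Contains)
            {
                throw new InvalidOperationException(string.Format("Filter Operator {0} is invalid when PropertyName is \"Modules\"", FilterOperator.ToString()));
            }
            var sbModules = new StringBuilder();
            foreach (var moduleIndex in proc.LoadedModuleList)
            {
                sbModules.AppendLine(ModuleList.GetModulePath(moduleIndex));
            }
            actualValue = sbModules.ToString();
            break;

        case "":
            throw new InvalidOperationException("PropertyName cannot be empty.");

        default:
            throw new InvalidOperationException(string.Format("Unidentified PropertyName {0}.", PropertyName));
    }

    return CompareStringValuesAsPerFilterOperator(actualValue, this);
}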