public bool SatisfiesCondition(IPMLEntity pMLEntity)
{
if (pMLEntity == null)
{
throw new ArgumentNullException(nameof(pMLEntity));
}
bool comparisonResult = false;
switch (MixinOperator)
{
case MixinOperators.Only:
return(FiltersList.First().Matches(pMLEntity));
case MixinOperators.And:
var andResult = true;
foreach (var filter in FiltersList)
{
andResult = andResult && filter.Matches(pMLEntity);
if (!andResult)
{
//comparisonResult = false;
break;
}
}
comparisonResult = andResult;
break;
case MixinOperators.Or:
var orResult = false;
foreach (var filter in FiltersList)
{
orResult = orResult || filter.Matches(pMLEntity);
if (orResult)
{
//comparisonResult = true;
break;
}
}
comparisonResult = orResult;
break;
case MixinOperators.None:
throw new Exception("(Mixin) Operator cannot be empty.");
default:
throw new Exception(string.Format("Unidentified MixinOperator {0}.", MixinOperator.ToString()));
}
return(comparisonResult);
}
public bool ShouldInclude(IPMLEntity pMLEntity)
{
// TODO: Right now the Include filter doesn't make sense; But once an "Exclude *" filter is supported, Include will take effect.
//bool include = true;
foreach (var execFilter in ExecFilters)
{
var thisFilterOutput = execFilter.SatisfiesCondition(pMLEntity);
//include = include || thisFilterOutput;
if (thisFilterOutput && execFilter.Inclusion == Inclusions.Exclude)
{
return(false);
}
}
return(true);
}
public override bool Matches(IPMLEntity pmlEntity)
{
var evt = pmlEntity as PMLEvent;
var proc = ConvertedXMLProcessor.FindProcessByPID(evt.PID);
var actualValue = string.Empty;
switch (PropertyName)
{
case "ProcessName":
actualValue = ProcessNameList.GetProcessName(proc.ProcessNameIndex);
break;
case "ImagePath":
actualValue = ModuleList.GetModulePath(proc.ImageIndex);
break;
case "FinishTime":
if (proc.FinishTime == DateTimeZero)
{
actualValue = "0";
}
else
{
actualValue = proc.FinishTime.ToString();
}
break;
case "Modules":
if (FilterOperator != FilterOperators.Contains)
{
throw new Exception(string.Format("Filter Operator {0} is invalid when PropertyName is \"Modules\"", FilterOperator.ToString()));
}
var sbModules = new StringBuilder();
foreach (var i in proc.LoadedModuleList)
{
sbModules.Append(ModuleList.GetModulePath(i)).Append(Environment.NewLine);
}
actualValue = sbModules.ToString();
break;
case "":
throw new Exception("PropertyName cannot be empty.");
default:
throw new Exception(string.Format("Unidentified PropertyName {0}.", PropertyName));
}
return(CompareStringValuesAsPerFilterOperator(actualValue, this));
}
public abstract bool Matches(IPMLEntity pmlEntity);
public override bool Matches(IPMLEntity pmlEntity)
{
var evt = pmlEntity as PMLEvent;
var actualValue = string.Empty;
switch (PropertyName)
{
case "Operation":
actualValue = evt.Operation;
break;
case "Result":
actualValue = evt.Result;
break;
case "PID":
actualValue = evt.PID.ToString();
break;
case "TID":
actualValue = evt.TID.ToString();
break;
//case "Session":
// actualValue = evt.ProcessIndex;
// break;
case "Path":
actualValue = evt.Path;
break;
case "Detail":
actualValue = evt.Detail;
break;
case "StackFramePath":
if (FilterOperator != FilterOperators.Contains)
{
throw new Exception(string.Format("Filter Operator {0} is invalid when PropertyName is \"StackFramePath\"", FilterOperator.ToString()));
}
var sbStackFramePaths = new StringBuilder();
foreach (var frame in evt.CallStack)
{
if (!string.IsNullOrWhiteSpace(frame.Path))
{
sbStackFramePaths.Append(frame.Path).Append(Environment.NewLine);
}
}
actualValue = sbStackFramePaths.ToString();
break;
case "StackFrameLocation":
if (FilterOperator != FilterOperators.Contains)
{
throw new Exception(string.Format("Filter Operator {0} is invalid when PropertyName is \"StackFramePath\"", FilterOperator.ToString()));
}
var sbStackFrameLocations = new StringBuilder();
foreach (var frame in evt.CallStack)
{
if (!string.IsNullOrWhiteSpace(frame.Location))
{
sbStackFrameLocations.Append(frame.Location).Append(Environment.NewLine);
}
}
actualValue = sbStackFrameLocations.ToString();
break;
case "":
throw new Exception("PropertyName cannot be empty.");
default:
throw new Exception(string.Format("Unidentified PropertyName {0}.", PropertyName));
}
return(CompareStringValuesAsPerFilterOperator(actualValue, this));
}