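/// <summary>
/// Converts one message received from the filter driver into a <see cref="FileEvent"/>.
/// </summary>
/// <param name="messageSend">Raw message data handed over by the filter driver.</param>
/// <returns>
/// The decoded event, or <c>null</c> when the message carries
/// <see cref="FilterAPI.EVENTTYPE.NONE"/> or when decoding throws (the error is logged).
/// </returns>
FileEvent DecodeFilterMessage(FilterAPI.MessageSendData messageSend)
        {
            try
            {
                string          userName;
                string          processName;
                string          fileName       = messageSend.FileName;
                string          description    = string.Empty;
                FileAttributes  fileAttributes = (FileAttributes)messageSend.FileAttributes;
                // FromFileTime converts to local time; compare with other timestamps accordingly.
                DateTime        timestamp      = DateTime.FromFileTime(messageSend.TransactionTime);
                FileEventResult result         = (messageSend.Status == (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS) ? FileEventResult.SUCCESS : FileEventResult.FAILURE;

                FilterAPI.DecodeUserName(messageSend.Sid, out userName);
                FilterAPI.DecodeProcessName(messageSend.ProcessId, out processName);

                FilterAPI.EVENTTYPE eventType = (FilterAPI.EVENTTYPE)messageSend.InfoClass;

                if ((eventType & FilterAPI.EVENTTYPE.RENAMED) == FilterAPI.EVENTTYPE.RENAMED)
                {
                    // The rename target arrives as a UTF-16 buffer (presumably NUL-terminated).
                    string target     = Encoding.Unicode.GetString(messageSend.DataBuffer);
                    int    terminator = target.IndexOf('\0');

                    // A buffer without a NUL terminator made IndexOf return -1 and Substring throw,
                    // so the whole event was dropped by the catch below. Keep the full text instead;
                    // the driver-supplied name is only ever used as descriptive text here.
                    if (terminator >= 0)
                    {
                        target = target.Substring(0, terminator);
                    }

                    description = "file was renamed to " + target;
                }

                if (eventType != FilterAPI.EVENTTYPE.NONE)
                {
                    return new FileEvent
                    {
                        User        = userName,
                        Process     = processName,
                        Resource    = fileName,
                        Result      = result,
                        Timestamp   = timestamp,
                        Type        = eventType,
                        Description = description,
                        Attributes  = fileAttributes
                    };
                }
            }
            catch (Exception ex)
            {
                // Best-effort decode: a malformed message is logged and dropped rather than
                // stopping message processing. Note that the event itself is lost in that case.
                EventManager.WriteMessage(296, "DecodeFilterMessage", EventLevel.Error, "Decode filter message failed because of error:" + ex.Message);
            }

            // NONE event type, or decoding failed.
            return null;
        }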
 /// <summary>
 /// Creates an event record holding the decoded fields of one file-system operation.
 /// </summary>
 /// <param name="_user">User name associated with the operation.</param>
 /// <param name="_process">Process name associated with the operation.</param>
 /// <param name="_fileName">Path of the file the operation targeted; stored as the resource.</param>
 /// <param name="_fileAttributes">File attributes reported for the resource.</param>
 /// <param name="_type">Event type flags reported by the filter driver.</param>
 /// <param name="_timestamp">Time of the operation.</param>
 /// <param name="_result">Whether the operation succeeded or failed.</param>
 /// <param name="_description">Free-text detail about the operation.</param>
 public FileEvent(string _user,
                  string _process,
                  string _fileName,
                  FileAttributes _fileAttributes,
                  FilterAPI.EVENTTYPE _type,
                  DateTime _timestamp,
                  FileEventResult _result,
                  string _description)
 {
     // Who performed the operation.
     user    = _user;
     process = _process;

     // What was touched.
     resource       = _fileName;
     fileAttributes = _fileAttributes;
     type           = _type;

     // Outcome.
     timestamp   = _timestamp;
     result      = _result;
     description = _description;
 }