private void HandleRegistryTraceData(RegistryTraceData data)
{
if (data.ProcessID == pid)
{
ulong keyHandle = data.KeyHandle;
string valueName = data.ValueName;
string keyName = data.KeyName;
string value;
if (!string.IsNullOrEmpty(keyName) && !string.IsNullOrEmpty(valueName))
{
value = $"{keyName}\\{valueName}";
}
else if (!string.IsNullOrEmpty(keyName))
{
value = keyName;
}
else if (!string.IsNullOrEmpty(valueName))
{
value = valueName;
}
else
{
value = null;
}
traceOutput.Write(data.TimeStampRelativeMSec, data.ProcessID, data.ThreadID,
data.EventName, value != null ? $"'{value}' (0x{keyHandle:X})" : $"(0x{keyHandle:X})");
}
}
private static void Dump(RegistryTraceData registryTraceData, [CallerMemberName] string memberName = null)
{
string fullKeyName;
if (registryTraceData.KeyHandle == 0)
{
fullKeyName = registryTraceData.KeyName;
}
else
{
if (kcbDictionary.TryGetValue(registryTraceData.KeyHandle, out var baseKeyName))
{
fullKeyName = $"{baseKeyName}\\{registryTraceData.KeyName}";
}
else
{
fullKeyName = $"...\\{registryTraceData.KeyName}";
}
}
if (!string.IsNullOrWhiteSpace(memberName))
{
Console.WriteLine($"{memberName} {{");
}
Out.WriteLine($"\tProcess: {registryTraceData.ProcessName}, Key Name: {fullKeyName}, Value Name: {registryTraceData.ValueName}");
//Console.WriteLine($"\t{registryTraceData.Dump()}");
if (!string.IsNullOrWhiteSpace(memberName))
{
Console.WriteLine("}");
}
}
private static void KernelParser_RegistryKCBDelete(RegistryTraceData obj)
{
if (kcbDictionary.ContainsKey(obj.KeyHandle))
{
kcbDictionary.Remove(obj.KeyHandle);
}
}
private static void Kernel_RegistryKCBRundownEnd(RegistryTraceData obj)
{
Out.WriteLine($"RundownEnd {obj.KeyHandle}, {obj.KeyName}");
if (kcbDictionary.ContainsKey(obj.KeyHandle))
{
kcbDictionary.Remove(obj.KeyHandle);
}
}
public void LogEvent(RegistryTraceData data)
{
LogRow text = new LogRow();
_registryWriter.WriteHeader(data, text);
text.Add(data.KeyName);
text.Add(data.ValueName);
_registryWriter.WriteRow(text);
}
private static void processEvent(RegistryTraceData evt)
{
Console.WriteLine(evt);
/*String[] output = new String[] {
* evt.TimeStamp.ToLongTimeString(),
* evt.EventName.Substring(9, evt.EventName.Length - 9),
* getPath(evt.ProcessID),
* evt.PayloadByName("KeyName").ToString(),
* evt.ProcessID.ToString(),
* //getStatus(int.Parse(evt.PayloadByName("Status").ToString())),
* //getMemUsage(evt.ProcessID).ToString()
* };
*
* ReplaceAll(output, "", "null");
*
* String line = String.Join(",", output);
* Console.Out.WriteLine(line);*/
}
private static void Kernel_RegistryKCBRundownBegin(RegistryTraceData obj)
{
Out.WriteLine($"RundownBegin {obj.KeyHandle}, {obj.KeyName}");
kcbDictionary.TryAdd(obj.KeyHandle, obj.KeyName);
}
private static void KernelParser_RegistrySetValue(RegistryTraceData obj)
{
Dump(obj);
}
private static void KernelParser_RegistryDelete(RegistryTraceData obj)
{
Dump(obj);
}
private static void KernelParser_RegistryKCBCreate(RegistryTraceData obj)
{
kcbDictionary.TryAdd(obj.KeyHandle, obj.KeyName);
}
private void OnRegistryCreate(RegistryTraceData obj)
{
RegistryTrace?.Invoke((RegistryTraceData)obj.Clone(), EventType.RegistryCreateKey);
}
private static void _regCreate(RegistryTraceData rData)
{
Console.WriteLine("Registry operasyonu:\tProcessName: {0}\tKey adı: {1}\tValueName: {2}", rData.ProcessName, rData.KeyName, rData.ValueName);
}
