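        private void WriteContextFile(Win32Process process)
        {
            // Nothing to do when the context folder is absent; the previous version skipped
            // silently in that case and callers rely on a missing folder never throwing here.
            if (!Directory.Exists(RaccineUserContextRootFolder))
            {
                return;
            }

            string contextPath = Path.Combine(RaccineUserContextRootFolder, GenerateContextFileName(process));

            // The file is one line of "-d Name=Value " defines. The exact separators are kept
            // from the hand-unrolled version (leading space, quotes around Name only) because
            // the consumer of this file parses the text verbatim.
            StringBuilder content = new StringBuilder(" ");

            // Appends a single define; `quoted` wraps the value in double quotes.
            void AppendDefine(string name, string value, bool quoted = false)
            {
                content.Append("-d ").Append(name).Append('=');
                content.Append(quoted ? "\"" + value + "\"" : value);
                content.Append(' ');
            }

            AppendDefine("Caption", EscapeString(process.Caption));
            AppendDefine("CommandLine", EscapeString(process.CommandLine));
            AppendDefine("ExecutablePath", EscapeString(process.ExecutablePath));
            AppendDefine("HandleCount", process.HandleCount.ToString());
            AppendDefine("Name", EscapeString(process.Name), quoted: true);
            AppendDefine("OSName", EscapeString(process.OSName));
            AppendDefine("Priority", process.Priority.ToString());
            AppendDefine("SessionId", process.SessionId.ToString());
            AppendDefine("ThreadCount", process.ThreadCount.ToString());
            // NOTE(review): WindowsVersion is the only string field written without EscapeString;
            // kept as-is to preserve the output, but confirm that this is intentional.
            AppendDefine("WindowsVersion", process.WindowsVersion);
            AppendDefine("WriteOperationCount", process.WriteOperationCount.ToString());
            AppendDefine("WriteTransferCount", process.WriteTransferCount.ToString());

            // One write of the assembled text instead of a dozen small StreamWriter writes;
            // File.WriteAllText uses the same UTF-8 (no BOM) encoding StreamWriter defaulted to.
            File.WriteAllText(contextPath, content.ToString());
        }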
        private static string GenerateContextFileName(Win32Process process)
        {
            // The name embeds session, process and parent ids so each running process
            // maps to exactly one context file.
            return $"RaccineYaraContext-{process.SessionId}-{process.ProcessId}-{process.ParentProcessId}.txt";
        }
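        public void LogInitialProcesses()
        {
            // SessionId is a numeric value owned by this object (it is compared against
            // process.SessionId below), so concatenating it cannot change the WQL structure;
            // no externally supplied text reaches the query.
            string qry = "SELECT * FROM Win32_Process WHERE SessionId =" + this.SessionId;

            // The searcher, the result collection and each ManagementObject hold WMI handles;
            // dispose them deterministically instead of leaving them to the finalizer.
            using (ManagementObjectSearcher moSearch = new ManagementObjectSearcher(qry))
            using (ManagementObjectCollection moCollection = moSearch.Get())
            {
                foreach (ManagementObject mo in moCollection)
                {
                    using (mo)
                    {
                        Win32Process process = new Win32Process(mo);

                        // WMI already filters on SessionId; this re-check guards against a mismatch.
                        if (process.SessionId == this.SessionId)
                        {
                            WriteContextFile(process);
                        }
                    }
                }
            }
        }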
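        private static void OnTimedEvent(object source, ElapsedEventArgs e)
        {
            // Only watch processes in the session this monitor runs in. Process is IDisposable.
            uint sessionId;
            using (System.Diagnostics.Process current = System.Diagnostics.Process.GetCurrentProcess())
            {
                sessionId = (uint)current.SessionId;
            }

            // sessionId is a number under our control, so it cannot alter the WQL structure.
            string qry = "SELECT * FROM Win32_Process WHERE SessionId =" + sessionId;

            // Context file names that belong to a process that is still running.
            // Windows file names are case-insensitive, so the set compares that way too.
            HashSet<string> liveFileNames = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

            // Searcher, collection and each ManagementObject hold WMI handles; dispose them.
            using (ManagementObjectSearcher moSearch = new ManagementObjectSearcher(qry))
            using (ManagementObjectCollection moCollection = moSearch.Get())
            {
                foreach (ManagementObject mo in moCollection)
                {
                    using (mo)
                    {
                        Win32Process process = new Win32Process(mo);
                        if (process.SessionId == sessionId)
                        {
                            liveFileNames.Add(GenerateContextFileName(process));
                        }
                    }
                }
            }

            // Sweep: process notifications are not reliable in the current implementation, so
            // instead of re-saving context files constantly we periodically look for files that
            // no longer belong to a running process. Deletion remains disabled, as before; the
            // loop only identifies stale files.
            try
            {
                var files = Directory.EnumerateFiles(EnvMonitor.RaccineUserContextRootFolder, "RaccineYaraContext*.txt");

                foreach (string currentFile in files)
                {
                    string fileName = Path.GetFileName(currentFile);
                    if (liveFileNames.Contains(fileName))
                    {
                        continue; // process still running, keep its context file
                    }

                    // Stale file: deletion intentionally left disabled.
                    //File.Delete(currentFile);
                }
            }
            catch (IOException)
            {
                // Folder missing or files changing underneath the enumeration is transient;
                // the next timer tick retries. Other exception types are no longer hidden
                // behind a blanket catch.
            }
            catch (UnauthorizedAccessException)
            {
                // Same best-effort handling for an unreadable context folder.
            }
        }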