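/// <summary>
/// Writes a YARA define file ("-d name=value" entries) describing <paramref name="process"/>
/// into <c>RaccineUserContextRootFolder</c>. Nothing is written when that folder does not exist.
/// </summary>
/// <param name="process">The process whose properties are serialized.</param>
/// <remarks>
/// Output is kept byte-for-byte with the original layout: a single leading space, then one
/// "-d Name=value " entry per property, with only the Name value wrapped in double quotes.
/// The per-property write was factored into <see cref="WriteDefine"/> to remove the
/// twelve-fold copy/paste, and the path is built with <see cref="Path.Combine"/>.
/// </remarks>
private void WriteContextFile(Win32Process process)
{
    if (!Directory.Exists(RaccineUserContextRootFolder))
    {
        return; // original behavior: silently skip when the context folder is absent
    }

    // Path.Combine avoids a doubled separator when the root folder already ends with one.
    string contextPath = Path.Combine(RaccineUserContextRootFolder, GenerateContextFileName(process));

    using (StreamWriter outputFile = new StreamWriter(contextPath))
    {
        // The original emitted one leading space before the first define; preserved.
        outputFile.Write(" ");
        WriteDefine(outputFile, "Caption", EscapeString(process.Caption));
        WriteDefine(outputFile, "CommandLine", EscapeString(process.CommandLine));
        WriteDefine(outputFile, "ExecutablePath", EscapeString(process.ExecutablePath));
        WriteDefine(outputFile, "HandleCount", process.HandleCount.ToString());
        // Name is the only value the original wraps in double quotes; kept as-is.
        WriteDefine(outputFile, "Name", "\"" + EscapeString(process.Name) + "\"");
        WriteDefine(outputFile, "OSName", EscapeString(process.OSName));
        WriteDefine(outputFile, "Priority", process.Priority.ToString());
        WriteDefine(outputFile, "SessionId", process.SessionId.ToString());
        WriteDefine(outputFile, "ThreadCount", process.ThreadCount.ToString());
        // NOTE(review): WindowsVersion is the only string property written without EscapeString
        // in the original; output is preserved here, but confirm whether it should be escaped
        // like the other string values before the file is consumed as "-d" defines.
        WriteDefine(outputFile, "WindowsVersion", process.WindowsVersion);
        WriteDefine(outputFile, "WriteOperationCount", process.WriteOperationCount.ToString());
        WriteDefine(outputFile, "WriteTransferCount", process.WriteTransferCount.ToString());
    }
}

/// <summary>
/// Writes one "-d name=value " entry (trailing space included) to <paramref name="writer"/>.
/// </summary>
/// <param name="writer">Open writer for the context file.</param>
/// <param name="name">Define name without the "-d " prefix.</param>
/// <param name="value">Already-escaped (and, if required, quoted) value text.</param>
private static void WriteDefine(StreamWriter writer, string name, string value)
{
    writer.Write("-d " + name + "=" + value + " ");
}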
/// <summary>
/// Builds the context file name for <paramref name="process"/> in the form
/// "RaccineYaraContext-{SessionId}-{ProcessId}-{ParentProcessId}.txt".
/// </summary>
/// <param name="process">Process whose identifiers are embedded in the name.</param>
/// <returns>The file name only; no directory component.</returns>
private static string GenerateContextFileName(Win32Process process)
{
    return $"RaccineYaraContext-{process.SessionId}-{process.ProcessId}-{process.ParentProcessId}.txt";
}
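/// <summary>
/// Enumerates every Win32_Process in this monitor's session via WMI and writes a
/// context file for each one through <c>WriteContextFile</c>.
/// </summary>
/// <remarks>
/// The searcher and its result collection are now disposed once enumeration finishes;
/// the original left both undisposed. The value concatenated into the WQL text is this
/// object's own SessionId (compared numerically against process.SessionId below),
/// not external input; presumably an integral id, so no WQL escaping is applied.
/// </remarks>
public void LogInitialProcesses()
{
    string query = "SELECT * FROM Win32_Process WHERE SessionId =" + this.SessionId;
    using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
    using (ManagementObjectCollection results = searcher.Get())
    {
        foreach (ManagementObject mo in results)
        {
            Win32Process process = new Win32Process(mo);
            // The WQL filter already restricts by session; the re-check is kept as a guard.
            if (process.SessionId == this.SessionId)
            {
                WriteContextFile(process);
            }
        }
    }
}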
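/// <summary>
/// Timer callback: collects the context file names of all processes currently running in
/// this session, then walks the context folder to classify files that no longer belong to
/// a running process.
/// </summary>
/// <param name="source">The timer that raised the event (unused).</param>
/// <param name="e">Elapsed-event data (unused).</param>
/// <remarks>
/// Deletion of stale files remains disabled exactly as in the original (its File.Delete
/// call was commented out), so the sweep currently only identifies them. Changes versus
/// the original: the WMI searcher and collection are disposed, membership is an O(1)
/// set lookup instead of List.Contains inside the loop, and the file-name comparison is
/// case-insensitive because the sweep targets a Windows file system, where a context file
/// whose casing differs from the generated name still belongs to the same running process.
/// </remarks>
private static void OnTimedEvent(object source, ElapsedEventArgs e)
{
    // Only watch processes in the session this code runs in.
    uint sessionId = (uint)System.Diagnostics.Process.GetCurrentProcess().SessionId;
    string query = "SELECT * FROM Win32_Process WHERE SessionId =" + sessionId;

    HashSet<string> liveContextFiles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
    using (ManagementObjectCollection results = searcher.Get())
    {
        foreach (ManagementObject mo in results)
        {
            Win32Process process = new Win32Process(mo);
            if (process.SessionId == sessionId)
            {
                liveContextFiles.Add(GenerateContextFileName(process));
            }
        }
    }

    // Sweep: process notifications are not reliable in the current implementation, so to
    // avoid accumulating context files, any file not matching a running process is located
    // periodically instead.
    try
    {
        var files = Directory.EnumerateFiles(EnvMonitor.RaccineUserContextRootFolder, "RaccineYaraContext*.txt");
        foreach (string currentFile in files)
        {
            string fileName = Path.GetFileName(currentFile);
            if (!liveContextFiles.Contains(fileName))
            {
                // Stale file (no running process owns it). Deletion is intentionally
                // disabled, as in the original:
                // File.Delete(currentFile);
            }
        }
    }
    catch (Exception)
    {
        // Best-effort sweep: the context folder may be missing or unreadable. The original
        // swallowed every exception here and no logger is in scope to report it.
    }
}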