Пример #1
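        /// <summary>
        /// Callback invoked when the driver reports a newly created process.  Logs the event,
        /// asks the <see cref="Arbiter"/> for a verdict, records the event in the database and
        /// hands the verdict back to the driver via <see cref="CommunicateProcessDecision"/>.
        /// </summary>
        /// <param name="createProc">Process-creation record supplied by the driver; forwarded
        /// unchanged (by reference) to <see cref="CommunicateProcessDecision"/>.</param>
        /// <returns>Always 0; the callback does not report errors to its caller.</returns>
        public static UInt32 ProcessMonitorCallback(ref COMM_CREATE_PROC createProc)
        {
            try
            {
                // The *Length fields are halved before use, so they look like byte counts of
                // UTF-16 text held in char buffers -- TODO confirm against the driver's struct.
                string imageFileName = new string(createProc.ImageFileNameBuf, 0, createProc.ImageFileNameLength / 2);
                string cmdLine       = new string(createProc.CommandLineBuf, 0, createProc.CommandLineLength / 2);

                Log.Info("New process: {0}", imageFileName);
                // Log the length-bounded string, not the whole buffer: anything past
                // CommandLineLength is not part of this process's command line.
                Log.Info("  Cmd line: {0}", cmdLine);

                long executableId;
                Decision decision = Arbiter.DecideOnProcess(imageFileName, out executableId);

                PROCESS_INFO processInfo = new PROCESS_INFO(createProc);
                Database.LogProcessEvent(processInfo, executableId, Database.ProcessState.Started);

                CommunicateProcessDecision(decision, ref createProc, imageFileName);
            }
            catch (Exception e)
            {
                // Swallowed deliberately so a managed failure never unwinds into the native caller.
                // NOTE(review): if this fires before CommunicateProcessDecision the driver gets no
                // verdict for this process -- confirm what the driver does then (allow, deny or wait).
                Log.Exception(e, "Exception in ProcessMonitorCallback");
            }

            return 0;
        }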
Пример #2
 public PROCESS_INFO(COMM_CREATE_PROC comm_Create_Proc)
 {
     // The lengths are halved before use, so they appear to be byte counts of UTF-16
     // text stored in char buffers -- TODO confirm against the driver's struct definition.
     int imageNameChars = comm_Create_Proc.ImageFileNameLength / 2;
     int cmdLineChars   = comm_Create_Proc.CommandLineLength / 2;

     ImageFileName = new string(comm_Create_Proc.ImageFileNameBuf, 0, imageNameChars);
     CommandLine   = new string(comm_Create_Proc.CommandLineBuf, 0, cmdLineChars);
     ppid          = comm_Create_Proc.ppid;
     pid           = comm_Create_Proc.pid;
 }
Пример #3
        static processMonitorCallbackDelegate processMonitorCallback; // Kept in a static field so the delegate stays rooted; presumably handed to native code, whose function pointer would dangle once the GC collected it.

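        /// <summary>
        /// Hands the verdict for a process back to the driver and, when the verdict is
        /// <see cref="Decision.DENY"/>, tells the UI that the process was blocked.
        /// </summary>
        /// <param name="d">Verdict from the arbiter; sent to the driver as a 16-bit code.</param>
        /// <param name="createProc">The driver's creation record; only its <c>IntegrityCheck</c>
        /// field is used, presumably to correlate the verdict with the pending request.</param>
        /// <param name="filePath">Image path shown to the user when the process is blocked.</param>
        public static void CommunicateProcessDecision(Decision d, ref COMM_CREATE_PROC createProc, string filePath)
        {
            // Deliver the verdict to the driver first: the enforcement step must not be
            // skipped because the (non-essential) UI notification threw.
            QdControl((UInt16)d, createProc.IntegrityCheck);

            if (d == Decision.DENY)
            {
                MessagingInterfaces.UIComm.InformUI($"Stopping process from running: {filePath}");
            }
        }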