Пример #1
0
        public ListViewItem FormatRegistryMessage(FilterAPI.MessageSendData messageSend)
        {
            ListViewItem lvItem = new ListViewItem();

            try
            {
                string userName    = string.Empty;
                string processName = string.Empty;

                FilterAPI.DecodeUserName(messageSend.Sid, out userName);
                FilterAPI.DecodeProcessName(messageSend.ProcessId, out processName);

                string[] listData = new string[listView_Message.Columns.Count];
                int      col      = 0;
                listData[col++] = messageSend.MessageId.ToString();
                listData[col++] = FormatDateTime(messageSend.TransactionTime);
                listData[col++] = userName;
                listData[col++] = processName + "  (" + messageSend.ProcessId + ")";
                listData[col++] = messageSend.ThreadId.ToString();
                listData[col++] = GetRegCallbackClassName(messageSend);
                listData[col++] = messageSend.FileName;
                listData[col++] = FilterMessage.FormatStatus(messageSend.Status);
                listData[col++] = RegistryHandler.FormatDescription(messageSend);

                lvItem = new ListViewItem(listData, 0);

                if (messageSend.Status >= (uint)NtStatus.Status.Error)
                {
                    lvItem.BackColor = Color.LightGray;
                    lvItem.ForeColor = Color.Red;
                }
                else if (messageSend.Status > (uint)NtStatus.Status.Warning)
                {
                    lvItem.BackColor = Color.LightGray;
                    lvItem.ForeColor = Color.Yellow;
                }


                if (GlobalConfig.EnableLogTransaction)
                {
                    FilterMessage.LogTrasaction(listData);
                }

                AddItemToList(lvItem);
            }
            catch (Exception ex)
            {
                EventManager.WriteMessage(445, "GetFilterMessage", EventLevel.Error, "Add callback message failed." + ex.Message);
                lvItem = null;
            }

            return(lvItem);
        }
Пример #2
0
        Boolean FilterCallback(IntPtr sendDataPtr, IntPtr replyDataPtr)
        {
            Boolean ret = true;

            try
            {
                FilterAPI.MessageSendData messageSend = (FilterAPI.MessageSendData)Marshal.PtrToStructure(sendDataPtr, typeof(FilterAPI.MessageSendData));

                if (FilterAPI.MESSAGE_SEND_VERIFICATION_NUMBER != messageSend.VerificationNumber)
                {
                    MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
                    MessageBox.Show("Received message corrupted.Please check if the MessageSendData structure is correct.");

                    EventManager.WriteMessage(139, "FilterCallback", EventLevel.Error, "Received message corrupted.Please check if the MessageSendData structure is correct.");

                    return(false);
                }

                filterMessage.AddMessage(messageSend);

                MonitorDemo.UnitTestCallbackHandler(messageSend);

                string info = "FileMonitor process request " + FilterMessage.FormatIOName(messageSend) + ",pid:" + messageSend.ProcessId +
                              " ,filename:" + messageSend.FileName + ",return status:" + FilterMessage.FormatStatus(messageSend.Status);

                if (messageSend.Status == (uint)NtStatus.Status.Success)
                {
                    ret = false;
                    EventManager.WriteMessage(98, "FilterCallback", EventLevel.Verbose, info);
                }
                else
                {
                    ret = true;
                    EventManager.WriteMessage(98, "FilterCallback", EventLevel.Error, info);
                }

                return(ret);
            }
            catch (Exception ex)
            {
                EventManager.WriteMessage(134, "FilterCallback", EventLevel.Error, "filter callback exception." + ex.Message);
                return(false);
            }
        }
        Boolean FilterCallback(IntPtr sendDataPtr, IntPtr replyDataPtr)
        {
            Boolean ret = true;

            try
            {
                FilterAPI.MessageSendData messageSend = (FilterAPI.MessageSendData)Marshal.PtrToStructure(sendDataPtr, typeof(FilterAPI.MessageSendData));

                if (FilterAPI.MESSAGE_SEND_VERIFICATION_NUMBER != messageSend.VerificationNumber)
                {
                    MessageBoxHelper.PrepToCenterMessageBoxOnForm(this);
                    MessageBox.Show("Received message corrupted.Please check if the MessageSendData structure is correct.");

                    EventManager.WriteMessage(139, "FilterCallback", EventLevel.Error, "Received message corrupted.Please check if the MessageSendData structure is correct.");
                    return(false);
                }

                EventManager.WriteMessage(149, "FilterCallback", EventLevel.Verbose, "Received message Id#" + messageSend.MessageId + " type:" + messageSend.MessageType
                                          + " CreateOptions:" + messageSend.CreateOptions.ToString("X") + " infoClass:" + messageSend.InfoClass + " fileName:" + messageSend.FileName);

                filterMessage.AddMessage(messageSend);

                FileProtectorUnitTest.FileIOEventHandler(messageSend);

                if (replyDataPtr.ToInt64() != 0)
                {
                    FilterAPI.MessageReplyData messageReply = (FilterAPI.MessageReplyData)Marshal.PtrToStructure(replyDataPtr, typeof(FilterAPI.MessageReplyData));

                    //here you can control the IO behaviour and modify the data.
                    if (!FileProtectorUnitTest.UnitTestCallbackHandler(messageSend) || !FilterService.IOAccessControl(messageSend, ref messageReply))
                    {
                        //to comple the PRE_IO
                        messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_ACCESS_DENIED;
                        messageReply.FilterStatus = (uint)FilterAPI.FilterStatus.FILTER_COMPLETE_PRE_OPERATION;

                        EventManager.WriteMessage(160, "FilterCallback", EventLevel.Error, "Return error for I/O request:" + ((FilterAPI.MessageType)messageSend.MessageType).ToString() +
                                                  ",fileName:" + messageSend.FileName);
                    }
                    else
                    {
                        messageReply.MessageId    = messageSend.MessageId;
                        messageReply.MessageType  = messageSend.MessageType;
                        messageReply.ReturnStatus = (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS;
                    }

                    Marshal.StructureToPtr(messageReply, replyDataPtr, true);
                }

                string info = "FileProtector process request " + FilterMessage.FormatIOName(messageSend) + ",pid:" + messageSend.ProcessId +
                              " ,filename:" + messageSend.FileName + ",return status:" + FilterMessage.FormatStatus(messageSend.Status);

                if (messageSend.Status == (uint)NtStatus.Status.Success)
                {
                    ret = false;
                    EventManager.WriteMessage(98, "FilterCallback", EventLevel.Verbose, info);
                }
                else
                {
                    ret = true;
                    EventManager.WriteMessage(98, "FilterCallback", EventLevel.Error, info);
                }

                return(ret);
            }
            catch (Exception ex)
            {
                EventManager.WriteMessage(134, "FilterCallback", EventLevel.Error, "filter callback exception." + ex.Message);
                return(false);
            }
        }