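        /// <summary>
        /// Resolves the process behind a monitored event and stores the result on <paramref name="ob"/>
        /// via reflection: the process name/image, the parent process id and a textual parent chain
        /// ("process history") built from WMI <c>Win32_Process</c> rows. For a Process event whose image
        /// is not on the hash allow-list and not on the skip list, the image is recorded in
        /// <c>HashClass.UnPermittedProcess</c> and killed when the kill/suspend rule for the event says so;
        /// File, Registry and Network events apply the same kill rule to every process on the chain
        /// that is not on the skip list.
        /// </summary>
        /// <typeparam name="T">Event object type. Properties are looked up by name (ProcessName,
        /// ProcessNameD, ProcessImage, ParentProcessId, ProcessHistory, ProcessHistoryD) and silently
        /// skipped when the type does not declare them.</typeparam>
        /// <param name="ob">Event object that receives the resolved values.</param>
        /// <param name="procId">Process id of the process that raised the event.</param>
        /// <param name="parentPId">Parent process id when the caller already knows it; for non-Network
        /// events the chain walk then starts at the parent rather than at <paramref name="procId"/>.</param>
        /// <param name="eventName">Kind of event (Process, File, Registry, Network).</param>
        /// <param name="procImage">Full path of the process image for Process events; may be null.</param>
        /// <param name="imageId">Process id of the image, as text, for Process events; may be null.</param>
        /// <remarks>
        /// Uses the class-level WMI members <c>q</c>, <c>searcher</c> and <c>_collection</c> and records the
        /// first WmiPrvSE process id it sees in <c>gec.WmiPreId</c>. The chain walk is bounded by a visited
        /// set: WMI parent ids are not reliable (pid reuse can make a process appear to be its own
        /// ancestor), and the previous version re-used a stale pid when the parent id failed to parse,
        /// both of which could recurse without end.
        /// </remarks>
        static void GetProcessInfo<T>(T ob, int procId, int? parentPId, EventName eventName, string procImage = null, string imageId = null)
        {
            string ps          = procId + " --> ";
            uint   pid         = 0;
            bool   flagForIdle = false;
            var    obj         = ob;
            var    procObject  = typeof(T);
            Func<uint, bool, string> DoAction = null;
            // Pids already walked; guards the recursive parent walk against cycles.
            // Fully qualified so no additional using directive is required.
            var visited = new System.Collections.Generic.HashSet<uint>();

            //<-- Check if process is valid or not to run
            if (eventName == EventName.Process && procId != 0 && !string.IsNullOrEmpty(procImage)
                && !IsProcessImageHashPermitted(procImage) && !IsOnProcessSkipList(procImage))
            {
                HashClass.UnPermittedProcess.Add(Path.GetFileName(procImage) + "(ID:" + (imageId ?? "0") + ")");
                // A missing or malformed imageId previously became GetProcessById(-1) inside a bare catch;
                // skipping the kill is the same outcome without relying on an exception.
                int imagePid;
                if (int.TryParse(imageId, out imagePid))
                {
                    KillIfRuleRequires(eventName, imagePid);
                }
            }
            //-->

            DoAction = (p, isParentProcess) =>
            {
                visited.Add(p);
                // p is a uint, so the concatenation cannot alter the WQL; keep it numeric if the query
                // is ever extended with string-typed values.
                q.QueryString  = "SELECT Name,CommandLine,ExecutablePath,ParentProcessId FROM Win32_Process Where ProcessId=" + p;
                searcher.Query = q;
                _collection    = searcher.Get();
                if (_collection.Count > 0)
                {
                    foreach (var item in _collection)
                    {
                        var name            = item["Name"].ToString();
                        var commandLine     = item["CommandLine"] != null ? item["CommandLine"].ToString() : string.Empty;
                        var parentProcessId = item["ParentProcessId"] != null ? item["ParentProcessId"].ToString() : string.Empty;
                        if (name.IndexOf("wmiprvse", StringComparison.OrdinalIgnoreCase) >= 0 && gec.WmiPreId == "0")
                        {
                            gec.WmiPreId = p.ToString();
                        }
                        //<-- Rules: File, Registry and Network share one rule (Process events are handled above).
                        if ((eventName == EventName.File || eventName == EventName.Registry || eventName == EventName.Network)
                            && !IsOnProcessSkipList(name))
                        {
                            KillIfRuleRequires(eventName, (int)p);
                        }
                        //-->
                        if (!isParentProcess)
                        {
                            SetPropertyIfPresent(procObject, obj, "ProcessName", name);
                            //For Network Event
                            if (eventName == EventName.Network)
                            {
                                SetPropertyIfPresent(procObject, obj, "ProcessNameD", name);
                            }
                        }

                        ps += commandLine + "  ProcessName: *" + name + "* --> ";
                        if (uint.TryParse(parentProcessId, out pid))
                        {
                            ps += parentProcessId + " --> ";
                            if (pid == 0)
                            {
                                flagForIdle = true;
                            }
                        }
                        else
                        {
                            // No usable parent id: end the walk instead of re-walking the previous pid.
                            flagForIdle = true;
                        }
                    }
                    if (!flagForIdle && !visited.Contains(pid))
                    {
                        DoAction.Invoke(pid, true);
                    }
                }
                return ps;
            };

            if (procImage != null)
            {
                string pname = Path.GetFileName(procImage);
                ps += procImage + " --> " + " ProcessName: *" + pname + "* --> ";
                SetPropertyIfPresent(procObject, obj, "ProcessImage", procImage);
                SetPropertyIfPresent(procObject, obj, "ProcessName", pname);
            }
            if (parentPId.HasValue && eventName != EventName.Network)
            {
                ps += parentPId;
                SetPropertyIfPresent(procObject, obj, "ParentProcessId", parentPId);
                string ph = DoAction.Invoke((uint)parentPId.Value, true);
                SetPropertyIfPresent(procObject, obj, "ProcessHistory", ph);
            }
            else
            {
                string ph = DoAction.Invoke((uint)procId, false);
                SetPropertyIfPresent(procObject, obj, "ProcessHistory", ph);
                if (eventName == EventName.Network)
                {
                    // The walk above already set ProcessNameD; running it a second time only appended
                    // the same chain to ps again, so ProcessHistoryD receives the single chain.
                    SetPropertyIfPresent(procObject, obj, "ProcessHistoryD", ph);
                }
            }
        }

        /// <summary>
        /// Computes the SHA-512 of <paramref name="procImage"/> and checks it against the hash allow-list.
        /// </summary>
        /// <param name="procImage">Full path of the image file to hash.</param>
        /// <returns>True when <c>HashClass.IsValidHashProcess</c> accepts the file's hash.</returns>
        private static bool IsProcessImageHashPermitted(string procImage)
        {
            // The hash provider is IDisposable and was previously never disposed.
            using (var sha512 = new SHA512CryptoServiceProvider())
            {
                return HashClass.IsValidHashProcess(HashClass.GetHashFile(procImage, sha512));
            }
        }

        /// <summary>
        /// True when some entry of <c>ProcessToSkipList.ProcessNames</c> occurs, case-insensitively,
        /// inside <paramref name="nameOrPath"/>.
        /// </summary>
        /// <param name="nameOrPath">Process name or full image path to test.</param>
        private static bool IsOnProcessSkipList(string nameOrPath)
        {
            // NOTE(review): this is a substring match, as before, so any path that merely contains a
            // skip-list name is treated as skipped. Comparing Path.GetFileName against the entry
            // would make the allow-list much harder to satisfy by path choice alone.
            // Ordinal comparison replaces the culture-sensitive ToLower() pair.
            return ProcessToSkipList.ProcessNames.Any(
                x => nameOrPath.IndexOf(x.ProcessName, StringComparison.OrdinalIgnoreCase) >= 0);
        }

        /// <summary>
        /// Kills <paramref name="processId"/> when the kill/suspend rule registered for
        /// <paramref name="eventName"/> is set to kill (value 1); does nothing otherwise.
        /// </summary>
        /// <param name="eventName">Event whose rule is looked up in <c>ProcessToSkipList.KillOrSuspendList</c>.</param>
        /// <param name="processId">Id of the process to terminate.</param>
        private static void KillIfRuleRequires(EventName eventName, int processId)
        {
            var kill = ProcessToSkipList.KillOrSuspendList.FirstOrDefault(x => x.EventName == eventName);
            if (kill == null || kill.KillOrSuspend != 1)
            {
                return;
            }
            try
            {
                Process.GetProcessById(processId).Kill();
            }
            catch (Exception)
            {
                // Best effort, as before: the process may already have exited (ArgumentException) or
                // we may lack the right to terminate it (Win32Exception). No logger is available here.
            }
        }

        /// <summary>
        /// Sets property <paramref name="propertyName"/> on <paramref name="target"/> if
        /// <paramref name="type"/> declares it; a no-op when the property does not exist.
        /// </summary>
        /// <param name="type">Type whose public property is looked up by name.</param>
        /// <param name="target">Instance to write to (boxed; writes to a value type are lost, as before).</param>
        /// <param name="propertyName">Name of the property to set.</param>
        /// <param name="value">Value to assign.</param>
        private static void SetPropertyIfPresent(Type type, object target, string propertyName, object value)
        {
            var property = type.GetProperty(propertyName);
            if (property != null)
            {
                property.SetValue(target, value);
            }
        }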