示例#1
        /// <summary>
        /// Checks that <c>driver.GetRequest()</c> returns the same request the
        /// filter-library stub was primed with.
        /// </summary>
        public void GetRequest_ReturnsCorrectRequest()
        {
            // Arrange: prime the stub with a fully populated registry request and status 0.
            var primed = new ACCESS_REQUEST
            {
                MessageId = 1,
                AccessType = ACCESS_TYPE.REGISTRY,
                Operation = 133,
                Path = "SomePath",
                ProcessID = 10,
                ReplyLength = 11,
                RuleID = 122
            };
            fltLib.SetGetMessageReturn(0, primed);
            driver.Start();

            // Act
            var received = driver.GetRequest();

            // Assert: the comparison goes through ACCESS_REQUEST equality, so every field
            // takes part only if that equality is field-wise (TODO confirm for this type).
            Assert.AreEqual(primed, received);
        }
示例#2
        /// <summary>
        /// Checks what <c>stub.FilterGetMessage</c> produces when nothing was primed:
        /// a return code of 0 and a request whose fields all hold their defaults.
        /// </summary>
        public void GetMessage_Defaults()
        {
            var received = new ACCESS_REQUEST();

            var status = stub.FilterGetMessage(IntPtr.Zero, ref received, 0, IntPtr.Zero);

            // Return code first, then each field of the message buffer in turn.
            Assert.AreEqual(0, status);
            Assert.AreEqual(0u, received.ReplyLength);
            Assert.AreEqual(0ul, received.MessageId);
            Assert.AreEqual(0u, received.ProcessID);
            // FILESYSTEM is expected as the default access type (presumably the zero-valued member).
            Assert.AreEqual(ACCESS_TYPE.FILESYSTEM, received.AccessType);
            Assert.AreEqual(0, received.RuleID);
            Assert.AreEqual(null, received.Path);
        }
示例#3
        /// <summary>
        /// Checks that a request is answered as allowed when this test adds no rule for it.
        /// </summary>
        public void WaitRequest_NoRule()
        {
            // Arrange: one pending request; no rule is added before the core starts.
            var pending = new ACCESS_REQUEST
            {
                Path = "c:\\test.txt",
                MessageId = 123
            };
            fltLib.SetGetMessageReturn(0, pending);
            core.Start(ruleset, serviceInterface, null);

            // Act
            core.WaitRequest();

            // Assert: this pins default-allow (fail-open) behaviour for unmatched requests,
            // so any change to a default-deny policy must update this expectation.
            Assert.AreEqual(123ul, fltLib.LastAllowedMessageID);
        }
示例#4
        /// <summary>
        /// Checks that a Block rule whose last argument is the "*" wildcard blocks a
        /// request for the rule's path.
        /// </summary>
        public void WaitRequest_WildcardRuleWorks()
        {
            // Arrange: a request from process id 4 for the path the rule covers.
            var pending = new ACCESS_REQUEST
            {
                Path = "c:\\test.txt",
                ProcessID = 4,
                MessageId = 123
            };
            fltLib.SetGetMessageReturn(0, pending);

            // Block rule on the path; "*" presumably means "any process" (confirm against AddRule).
            AddRule(ruleset, RuleAction.Block, "c:\\test.txt", "*");
            core.Start(ruleset, serviceInterface, null);

            // Act
            core.WaitRequest();

            // Assert: the message must be recorded as blocked, not allowed.
            Assert.AreEqual(123ul, fltLib.LastBlockedMessageID);
        }
示例#5
        /// <summary>
        /// Checks that having a path row and a process row in the ruleset, without a rule
        /// connecting them, still results in the request being allowed.
        /// </summary>
        public void WaitRequest_PathAndProcessExists_RuleDoesnt()
        {
            // Arrange: the request the stub will deliver.
            var pending = new ACCESS_REQUEST
            {
                Path = "c:\\test.txt",
                ProcessID = 4,
                MessageId = 123
            };
            fltLib.SetGetMessageReturn(0, pending);

            // Only the lookup rows are added; no rule is added in this test.
            ruleset.Paths.AddPathsRow("c:\\test.txt");
            ruleset.Processes.AddProcessesRow("System");
            core.Start(ruleset, serviceInterface, null);

            // Act
            core.WaitRequest();

            // Assert: known path + known process without a rule falls through to allow.
            Assert.AreEqual(123ul, fltLib.LastAllowedMessageID);
        }
示例#6
        /// <summary>
        /// Regression test (per its name): a "*" Block rule must still block the request
        /// after the requesting process has been added to the Processes table.
        /// </summary>
        public void WaitRequest_BUG_WildcardRuleAndProcessAdded()
        {
            // Arrange
            var targetPath = "c:\\test.txt";
            var pending = new ACCESS_REQUEST
            {
                Path = targetPath,
                MessageId = 123
            };
            fltLib.SetGetMessageReturn(0, pending);

            // Three-argument AddRule with "*"; which field the wildcard fills is not visible here.
            AddRule(ruleset, RuleAction.Block, "*");

            // Register the request's own process path so that both the wildcard rule and a
            // concrete process row exist at the same time.
            ruleset.Processes.AddProcessesRow(pending.ProcessPath);
            core.Start(ruleset, serviceInterface, null);

            // Act
            core.WaitRequest();

            // Assert: the wildcard block must win; an allow here would be a policy bypass.
            Assert.AreEqual(123ul, fltLib.LastBlockedMessageID);
        }
示例#7
        /// <summary>
        /// Shared arrange step for the create-rule tests: installs a handler that answers
        /// every access prompt with "allow and create a rule", primes the stub with one
        /// request, adds an Ask rule for that request's path and starts the core.
        /// </summary>
        /// <param name="processPath">Process argument passed to the Ask rule.</param>
        /// <returns>The request the stub was primed with.</returns>
        private ACCESS_REQUEST ArrangeForCreateRuleTests(string processPath)
        {
            // Simulate a user who chooses to create a rule and allow the access.
            serviceInterface = new ServiceInterface(ruleset);
            serviceInterface.AccessRequested += (sender, e) =>
            {
                e.CreateRule = true;
                e.Allow = true;
            };

            // The request the stub will deliver to the core.
            var pending = new ACCESS_REQUEST
            {
                Path = "c:\\test.txt",
                ProcessID = 4,
                MessageId = 123
            };
            fltLib.SetGetMessageReturn(0, pending);

            // Ask rule for the request's path; WaitRequest is expected to derive a
            // specific rule from it once the handler above answers.
            AddRule(ruleset, RuleAction.Ask, pending.Path, processPath);
            core.Start(ruleset, serviceInterface, null);

            return pending;
        }
示例#8
        /// <summary>
        /// Checks that values handed to <c>stub.SetGetMessageReturn</c> come back from
        /// <c>stub.FilterGetMessage</c>: the return code and every field of the request.
        /// </summary>
        public void GetMessage_SetGetMessageReturn()
        {
            // Arrange: a registry request with distinct values in every field.
            var primed = new ACCESS_REQUEST
            {
                ReplyLength = (uint)Marshal.SizeOf(typeof(ACCESS_REQUEST)),
                MessageId = 10,
                ProcessID = 11,
                AccessType = ACCESS_TYPE.REGISTRY,
                RuleID = 144,
                Path = "HKCU\\USER\\SOMEKEY"
            };
            // A non-zero return code, to show the stub also replays failure codes.
            stub.SetGetMessageReturn(-125, primed);

            // Act
            var received = new ACCESS_REQUEST();
            var status = stub.FilterGetMessage(IntPtr.Zero, ref received, 0, IntPtr.Zero);

            // Assert
            // NOTE(review): if ACCESS_REQUEST is a value type, both arguments are boxed
            // separately and this check can never fail - confirm it is still meaningful.
            Assert.AreNotSame(primed, received);
            Assert.AreEqual(-125, status);
            Assert.AreEqual(primed.ReplyLength, received.ReplyLength);
            Assert.AreEqual(primed.MessageId, received.MessageId);
            Assert.AreEqual(primed.ProcessID, received.ProcessID);
            Assert.AreEqual(primed.AccessType, received.AccessType);
            Assert.AreEqual(primed.RuleID, received.RuleID);
            Assert.AreEqual(primed.Path, received.Path);
        }
示例#9
 /// <summary>
 /// Test double for FilterGetMessage: replaces the caller's message buffer with the
 /// stored request and returns the stored return code.
 /// </summary>
 /// <param name="hPort">Not used by this stub.</param>
 /// <param name="lpMessageBuffer">Overwritten with the stored request.</param>
 /// <param name="dwMessageBufferSize">Not used by this stub.</param>
 /// <param name="lpOverlapped">Not used by this stub.</param>
 /// <returns>The stored return code.</returns>
 public override int FilterGetMessage(IntPtr hPort, ref ACCESS_REQUEST lpMessageBuffer, int dwMessageBufferSize, IntPtr lpOverlapped)
 {
     // The buffer size is never consulted, so tests that go through this stub do not
     // exercise any size validation on the message buffer.
     var cannedStatus = getMessageReturn;
     lpMessageBuffer = getMessageRequest;

     return cannedStatus;
 }
示例#10
 /// <summary>
 /// Stores the return code and request that later reads of
 /// <c>getMessageReturn</c> and <c>getMessageRequest</c> will see.
 /// </summary>
 /// <param name="returnCode">Value stored in <c>getMessageReturn</c>.</param>
 /// <param name="request">Value stored in <c>getMessageRequest</c>.</param>
 public void SetGetMessageReturn(int returnCode, ACCESS_REQUEST request)
 {
     // Each call replaces whatever was stored before; only one value is kept, no queue.
     getMessageReturn = returnCode;
     getMessageRequest = request;
 }
示例#11
 /// <summary>
 /// Shared arrange step for the counter tests: starts the core, primes the
 /// filter-library stub with the given request and adds one rule with the given action.
 /// </summary>
 /// <param name="Request">Request the stub will return, together with return code 0.</param>
 /// <param name="ruleAction">Action of the rule added for "some path" with the "*" wildcard.</param>
 private void ArrangeForTestCounters(ACCESS_REQUEST Request, RuleAction ruleAction)
 {
     core.Start(ruleset, serviceInterface, null);
     fltLib.SetGetMessageReturn(0, Request);
     // NOTE(review): the rule is added after core.Start(); confirm the core picks up
     // ruleset changes made after start, otherwise this rule is never evaluated.
     AddRule(ruleset, ruleAction, "some path", "*");
 }