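/// <summary>
/// Callback invoked for every newly created process: the process is logged,
/// handed to the arbiter for a verdict, recorded in the database, and the
/// verdict is then sent back to the driver.
/// </summary>
/// <param name="createProc">Process-creation record received from the driver.
/// Its string buffers are <c>char[]</c>; the accompanying <c>*Length</c> fields are
/// halved before slicing, so they appear to be byte counts of UTF-16 text —
/// NOTE(review): confirm against the driver's COMM_CREATE_PROC definition.</param>
/// <returns>Always 0; the return value carries no decision.</returns>
public static UInt32 ProcessMonitorCallback(ref COMM_CREATE_PROC createProc)
{
    try
    {
        // Convert only the populated prefix of each buffer.
        string imageFileName = new string(createProc.ImageFileNameBuf, 0, createProc.ImageFileNameLength / 2);
        string cmdLine = new string(createProc.CommandLineBuf, 0, createProc.CommandLineLength / 2);

        Log.Info("New process: {0}", imageFileName);
        // Log the length-bounded command line rather than the whole buffer: the
        // characters past CommandLineLength are unspecified and may be stale data
        // from an earlier message. Command lines can also carry secrets (passwords
        // passed as arguments) — consider redaction if these logs leave the host.
        Log.Info(" Cmd line: {0}", cmdLine);

        long executableId;
        Decision decision = Arbiter.DecideOnProcess(imageFileName, out executableId);

        // NOTE(review): the database write sits before the reply to the driver, so
        // database latency delays the process start for as long as the driver waits.
        PROCESS_INFO processInfo = new PROCESS_INFO(createProc);
        Database.LogProcessEvent(processInfo, executableId, Database.ProcessState.Started);

        CommunicateProcessDecision(decision, ref createProc, imageFileName);
    }
    catch (Exception e)
    {
        // NOTE(review): if anything above throws, no decision is ever sent to the
        // driver for this process. What the driver does with an unanswered request
        // is not visible here — confirm it fails closed (or times out) rather than
        // leaving the process suspended indefinitely.
        Log.Exception(e, "Exception in ProcessMonitorCallback");
    }

    return (0);
}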
/// <summary>
/// Builds a <see cref="PROCESS_INFO"/> snapshot (pid, parent pid, command line and
/// image path) from a driver process-creation record.
/// </summary>
/// <param name="comm_Create_Proc">Record received from the driver. Its <c>*Length</c>
/// fields are halved before slicing the <c>char[]</c> buffers, so they are presumably
/// byte counts of UTF-16 text — confirm against the driver struct definition.</param>
public PROCESS_INFO(COMM_CREATE_PROC comm_Create_Proc)
{
    // Number of characters actually populated in each buffer.
    int cmdChars = comm_Create_Proc.CommandLineLength / 2;
    int imageChars = comm_Create_Proc.ImageFileNameLength / 2;

    this.pid = comm_Create_Proc.pid;
    this.ppid = comm_Create_Proc.ppid;
    this.CommandLine = new string(comm_Create_Proc.CommandLineBuf, 0, cmdChars);
    this.ImageFileName = new string(comm_Create_Proc.ImageFileNameBuf, 0, imageChars);
}
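// Rooted reference so the delegate handed to native code is not garbage collected.
static processMonitorCallbackDelegate processMonitorCallback;

/// <summary>
/// Delivers the arbiter's verdict for a newly created process to the driver and,
/// when the verdict is <see cref="Decision.DENY"/>, notifies the UI that the process
/// was blocked.
/// </summary>
/// <param name="d">Verdict to apply; sent to the driver as a <c>UInt16</c>.</param>
/// <param name="createProc">Driver record for the process. Only its <c>IntegrityCheck</c>
/// value is read; presumably it ties this reply to the driver's original request.</param>
/// <param name="filePath">Image path shown in the UI notification.</param>
public static void CommunicateProcessDecision(Decision d, ref COMM_CREATE_PROC createProc, string filePath)
{
    // Answer the driver first. The verdict is the critical path; previously the
    // UI notification ran first, so a failing InformUI would have propagated out
    // of this method and left the driver without any reply for the process.
    QdControl((UInt16)d, createProc.IntegrityCheck);

    if (d == Decision.DENY)
    {
        // Best-effort notification; an exception here still surfaces to the caller.
        MessagingInterfaces.UIComm.InformUI(string.Format("Stopping process from running: {0}", filePath));
    }
}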