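/// <summary>
/// "Hash file" button handler: hashes the file whose path is in FilePathtxt with SHA-512
/// (via HashClass.GetHashFile), shows the returned digest string in HashFiletxt, then
/// (re)binds the grid and makes it visible. Column index 2 is switched to Fill before
/// binding so the layout applies to the freshly bound rows.
/// </summary>
/// <param name="sender">Unused; standard WinForms event signature.</param>
/// <param name="e">Unused; standard WinForms event signature.</param>
private void HashFilebtn_Click(object sender, EventArgs e)
{
    dataGridViewX1.Columns[2].AutoSizeMode = DataGridViewAutoSizeColumnMode.Fill;
    // Dispose the hash provider deterministically instead of leaving its CSP handle to the
    // finalizer. Dispose is safe to call twice, so this stays correct even if GetHashFile
    // also disposes the algorithm it is handed.
    using (var sha512 = new SHA512CryptoServiceProvider())
    {
        HashFiletxt.Text = HashClass.GetHashFile(FilePathtxt.Text, sha512);
    }
    SetDataGridSource();
    dataGridViewX1.Visible = true;
}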
/// <summary>
/// Enriches the event object <paramref name="ob"/> with process-lineage data and applies the
/// kill rules configured in <c>ProcessToSkipList</c>. Results are written onto
/// <paramref name="ob"/> through reflection (properties "ProcessName", "ProcessNameD",
/// "ProcessImage", "ParentProcessId", "ProcessHistory", "ProcessHistoryD"); a property that
/// <typeparamref name="T"/> does not declare is silently skipped.
/// NOTE(review): SetValue operates on the boxed <c>obj</c>; if T were a struct the writes would be
/// lost. Assumes T is a reference type — confirm against the callers.
/// </summary>
/// <typeparam name="T">Event object type; probed for the property names listed above.</typeparam>
/// <param name="ob">Event object that receives the results.</param>
/// <param name="procId">PID of the process that raised the event; default root of the chain walk.</param>
/// <param name="parentPId">Parent PID supplied by the event, if any. When present (and the event is not
/// a Network event) the chain walk starts here instead of at <paramref name="procId"/>.</param>
/// <param name="eventName">Event category; selects which KillOrSuspend rule applies.</param>
/// <param name="procImage">Full path of the process image when known (Process events).</param>
/// <param name="imageId">PID of the image as a string when known; parsed for the kill on Process events.</param>
static void GetProcessInfo<T>(T ob, int procId, int? parentPId, EventName eventName, string procImage = null, string imageId = null)
{
    // "ps" is the human-readable lineage string. It is captured by DoAction below and appended to at
    // every level of the recursion, so all DoAction invocations made by this call share one buffer.
    string ps = procId + " --> ";
    // pid and flagForIdle are likewise captured and shared by every recursive DoAction call (not per level).
    uint pid = 0;
    bool flagForIdle = false;
    var obj = ob;
    var procObject = typeof(T);
    Func<uint, bool, string> DoAction = null;

    //<-- Check if process is valid or not to run
    //var path = Utility.GetExecutePath(procId);
    // Process events only: an image whose SHA-512 is not on the known-good list AND whose path
    // contains no allow-listed name is recorded as unpermitted and, if the rule says so, killed.
    // NOTE(review): the allow-list test is a culture-sensitive, case-insensitive *substring* match on
    // the full path, so any image whose name or directory merely contains an allow-listed name passes.
    // An exact file-name comparison with StringComparison.OrdinalIgnoreCase would be the stricter
    // check — confirm the format of ProcessToSkipList.ProcessNames before changing it.
    // NOTE(review): the hash is computed from the file on disk at event time, which need not be the
    // bytes that were actually mapped (TOCTOU window) — an inherent limit of file-hash allow-listing.
    if (eventName == EventName.Process && procId != 0 && !string.IsNullOrEmpty(procImage)
        && !HashClass.IsValidHashProcess(HashClass.GetHashFile(procImage, new SHA512CryptoServiceProvider()))
        && ProcessToSkipList.ProcessNames.FirstOrDefault(x => procImage.ToLower().Contains(x.ProcessName.ToLower())) == null)
    {
        var pat = procImage;
        HashClass.UnPermittedProcess.Add(Path.GetFileName(pat) + "(ID:" + (imageId ?? "0") + ")");
        var kill = ProcessToSkipList.KillOrSuspendList.FirstOrDefault(x => x.EventName == eventName);
        if (kill != null && kill.KillOrSuspend == 1)
        {
            // A missing imageId becomes -1, which makes GetProcessById throw; that, access-denied and
            // already-exited failures are all swallowed, so a process this tool decided to block can
            // keep running with no trace. NOTE(review): at minimum log the failure here.
            try { Process.GetProcessById(int.Parse(imageId ?? "-1")).Kill(); } catch { }
        }
    }

    // Walks the parent chain through WMI starting at p. isParentProcess == false marks the hop for
    // the event's own process, the only level that writes ProcessName/ProcessNameD onto obj.
    // Uses the shared q/searcher/_collection fields — NOTE(review): presumably not safe to run from
    // several threads at once; verify how callers schedule this method.
    DoAction = (p, isParentProcess) =>
    {
        // p is a uint, so the concatenation cannot inject into the WQL; keep this parameter numeric.
        q.QueryString = "SELECT Name,CommandLine,ExecutablePath,ParentProcessId FROM Win32_Process Where ProcessId=" + p;
        searcher.Query = q;
        _collection = searcher.Get();
        if (_collection.Count > 0)
        {
            foreach (var item in _collection)
            {
                var name = item["Name"].ToString();
                var commandLine = item["CommandLine"] != null ? item["CommandLine"].ToString() : string.Empty;
                //var executablePath = item["ExecutablePath"] != null ? item["ExecutablePath"].ToString() : string.Empty;
                var parentProcessId = item["ParentProcessId"] != null ? item["ParentProcessId"].ToString() : string.Empty;
                // Record the PID of the first WmiPrvSE host seen, but only while gec.WmiPreId is still "0".
                if (name.ToLower().Contains("wmiprvse") && gec.WmiPreId == "0")
                {
                    gec.WmiPreId = p.ToString();
                }
                //<-- Rules
                // File/Registry/Network: every process visited in the chain whose name is not
                // allow-listed is killed when the rule for this event type says so. The three branches
                // are identical. NOTE(review): same substring allow-list caveat as above, and because
                // this runs at every recursion level it also kills the *ancestors* of the offending
                // process, not only the process that raised the event.
                if (eventName == EventName.File)
                {
                    if (ProcessToSkipList.ProcessNames.FirstOrDefault(x => name.ToLower().Contains(x.ProcessName.ToLower())) == null)
                    {
                        var kill = ProcessToSkipList.KillOrSuspendList.FirstOrDefault(x => x.EventName == eventName);
                        if (kill != null && kill.KillOrSuspend == 1)
                        {
                            // Kill failures are silently ignored (see the note on the Process branch).
                            try { Process.GetProcessById((int)p).Kill(); } catch { }
                        }
                    }
                }
                else if (eventName == EventName.Registry)
                {
                    if (ProcessToSkipList.ProcessNames.FirstOrDefault(x => name.ToLower().Contains(x.ProcessName.ToLower())) == null)
                    {
                        var kill = ProcessToSkipList.KillOrSuspendList.FirstOrDefault(x => x.EventName == eventName);
                        if (kill != null && kill.KillOrSuspend == 1)
                        {
                            try { Process.GetProcessById((int)p).Kill(); } catch { }
                        }
                    }
                }
                else if (eventName == EventName.Network)
                {
                    if (ProcessToSkipList.ProcessNames.FirstOrDefault(x => name.ToLower().Contains(x.ProcessName.ToLower())) == null)
                    {
                        var kill = ProcessToSkipList.KillOrSuspendList.FirstOrDefault(x => x.EventName == eventName);
                        if (kill != null && kill.KillOrSuspend == 1)
                        {
                            try { Process.GetProcessById((int)p).Kill(); } catch { }
                        }
                    }
                }
                //-->
                // Only the event's own process (first hop) names the event object.
                if (!isParentProcess)
                {
                    var memberInfo = procObject.GetProperty("ProcessName");
                    if (memberInfo != null)
                    {
                        memberInfo.SetValue(obj, name);
                    }
                    //For Network Event
                    if (eventName == EventName.Network)
                    {
                        var propertyInfo = procObject.GetProperty("ProcessNameD");
                        if (propertyInfo != null)
                        {
                            propertyInfo.SetValue(obj, name);
                        }
                    }
                }
                ps += commandLine + " ProcessName: *" + name + "* --> ";
                try
                {
                    pid = uint.Parse(parentProcessId);
                    ps += parentProcessId + " --> ";
                    if (pid == 0)
                    {
                        // Parent PID 0 terminates the walk.
                        flagForIdle = true;
                    }
                }
                catch
                {
                    // ignored
                    // NOTE(review): on a parse failure pid keeps its previous value, which at any level
                    // below the first is this level's own p — the recursion below would then re-query
                    // the same PID indefinitely. Unlikely for Win32_Process, but worth a guard.
                }
            }
            // NOTE(review): the walk is unbounded and keeps no visited set. A parent PID that has been
            // reused by a descendant of this process would make it recurse until the stack overflows;
            // a depth cap or a HashSet of visited PIDs would make it safe.
            if (!flagForIdle)
            {
                DoAction.Invoke(pid, true);
            }
        }
        return(ps);
    };

    if (procImage != null)
    {
        string pname = Path.GetFileName(procImage);
        ps += procImage + " --> " + " ProcessName: *" + pname + "* --> ";
        var propertyInfo = procObject.GetProperty("ProcessImage");
        if (propertyInfo != null)
        {
            propertyInfo.SetValue(obj, procImage);
        }
        var memberInfo = procObject.GetProperty("ProcessName");
        if (memberInfo != null)
        {
            memberInfo.SetValue(obj, pname);
        }
    }
    if (parentPId.HasValue && eventName != EventName.Network)
    {
        // The event already knows the parent: record it and start the walk one level up, so the
        // process itself is never queried and ProcessName is only set from procImage above.
        ps += parentPId;
        var propertyInfo = procObject.GetProperty("ParentProcessId");
        if (propertyInfo != null)
        {
            propertyInfo.SetValue(obj, parentPId);
        }
        string ph = DoAction.Invoke((uint)parentPId, true);
        var memberInfo = procObject.GetProperty("ProcessHistory");
        if (memberInfo != null)
        {
            memberInfo.SetValue(obj, ph);
        }
    }
    else
    {
        string ph = DoAction.Invoke((uint)procId, false);
        var propertyInfo = procObject.GetProperty("ProcessHistory");
        if (propertyInfo != null)
        {
            propertyInfo.SetValue(obj, ph);
        }
        if (eventName == EventName.Network)
        {
            // Second, identical walk for the "D" history. Because ps is shared, ProcessHistoryD ends
            // up holding the chain twice, and the Network kill rule above is re-applied to every PID.
            ph = DoAction.Invoke((uint)procId, false);
            var memberInfo = procObject.GetProperty("ProcessHistoryD");
            if (memberInfo != null)
            {
                memberInfo.SetValue(obj, ph);
            }
        }
    }
}