internal PMLProcess(XmlReader processListReader) { XmlDocument processXMLDoc = new XmlDocument(); processXMLDoc.Load(processListReader); string tempString = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_Owner); // Actual object creation i.e., assigning values to members ProcessId = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ProcessId); ParentProcessId = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ParentProcessId); ProcessIndex = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ProcessIndex); ParentProcessIndex = XMLUtils.ParseTagContentAsInt(processXMLDoc, ProcMonXMLTagNames.Process_ParentProcessIndex); AuthenticationId = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_AuthenticationId); CreateTime = XMLUtils.ParseTagContentAsFileTime(processXMLDoc, ProcMonXMLTagNames.Process_CreateTime); FinishTime = XMLUtils.ParseTagContentAsFileTime(processXMLDoc, ProcMonXMLTagNames.Process_FinishTime); IsVirtualized = XMLUtils.ParseTagContentAsBoolean(processXMLDoc, ProcMonXMLTagNames.Process_IsVirtualized); Is64bit = XMLUtils.ParseTagContentAsBoolean(processXMLDoc, ProcMonXMLTagNames.Process_Is64bit); ProcessIntegrity = ProcessIntegrityLevelExtensions.ToProcessIntegrityLevel(XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_Integrity)); OwnerIndex = OwnerList.AddOwnerToList(tempString); ProcessNameIndex = ProcessNameList.AddProcessNameToList(XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_ProcessName)); CommandLine = (XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_CommandLine)).HTMLUnEscape().Trim(); LoadedModuleList = PMLModule.LoadModules(processXMLDoc); var image = XMLUtils.GetInnerText(processXMLDoc, ProcMonXMLTagNames.Process_ImagePath); ImageIndex = ModuleList.LocateInOrAddToModuleList(image); StringBuilder buffer = new StringBuilder(string.Format( "{0}{1} Process - {2} [{3}] with ID = {4} was created at {5} with {6} integrity, which loaded {7} modules, as a child of {8} by {9}", (IsVirtualized ? "Virtualized " : ""), (Is64bit ? "64-Bit" : "32-Bit"), ProcessNameList.GetProcessName(ProcessNameIndex), ModuleList.GetModuleDescription(ImageIndex), ProcessId, CreateTime, ProcessIntegrity, LoadedModuleList.Count, ParentProcessId, OwnerList.GetOwnerName(OwnerIndex) )); if (!string.IsNullOrWhiteSpace(CommandLine)) { buffer.AppendFormat(", using the command line {0}", CommandLine); } buffer.Append(" "); if (FinishTime <= CreateTime) { buffer.Append("and is running."); } else { buffer.AppendFormat("and ended at {0}.", FinishTime); } summary = #if DEBUG "[PMLProcess]:\n" + #endif buffer.ToString(); }
internal PMLEvent(XmlReader eventListReader) { XmlDocument eventXMLDoc = new XmlDocument(); eventXMLDoc.Load(eventListReader); ProcessIndex = XMLUtils.ParseTagContentAsInt(eventXMLDoc, ProcMonXMLTagNames.Event_ProcessIndex); TimeOfDay = XMLUtils.ParseTagContentAsFileTime(eventXMLDoc, ProcMonXMLTagNames.Event_TimeOfDay); var procName = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Process_Name); ProcessNameIndex = ProcessNameList.AddProcessNameToList(procName); PID = XMLUtils.ParseTagContentAsInt(eventXMLDoc, ProcMonXMLTagNames.Event_PID); TID = XMLUtils.ParseTagContentAsInt(eventXMLDoc, ProcMonXMLTagNames.Event_TID); var proc = ConvertedXMLProcessor.FindProcessByPID(PID); var temp = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Integrity); if (string.IsNullOrEmpty(temp)) { Integrity = proc.ProcessIntegrity; } else { Integrity = temp.ToProcessIntegrityLevel(); } Sequence = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Sequence); temp = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Virtualized); if (string.IsNullOrEmpty(temp)) { Virtualized = proc.IsVirtualized; } else { Virtualized = temp.StringToBoolean(); } //Virtualized = XMLUtils.ParseTagContentAsBoolean(eventXMLDoc, ProcMonXMLTagNames.Event_Virtualized); Operation = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Operation); pathIndex = FilePathList.AddFilePathToList(XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Path)); Result = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Result); Detail = XMLUtils.GetInnerText(eventXMLDoc, ProcMonXMLTagNames.Event_Detail); CallStack = PMLStackFrame.LoadStackFrames(eventXMLDoc); #if DEBUG Console.WriteLine("Stack:\n-------------------------------------------------------------"); foreach (var stackFrame in CallStack) { Console.WriteLine(stackFrame); } Console.WriteLine("-------------------------------------------------------------\n"); #endif }
public override bool Matches(IPMLEntity pmlEntity) { var evt = pmlEntity as PMLEvent; var proc = ConvertedXMLProcessor.FindProcessByPID(evt.PID); var actualValue = string.Empty; switch (PropertyName) { case "ProcessName": actualValue = ProcessNameList.GetProcessName(proc.ProcessNameIndex); break; case "ImagePath": actualValue = ModuleList.GetModulePath(proc.ImageIndex); break; case "FinishTime": if (proc.FinishTime == DateTimeZero) { actualValue = "0"; } else { actualValue = proc.FinishTime.ToString(); } break; case "Modules": if (FilterOperator != FilterOperators.Contains) { throw new Exception(string.Format("Filter Operator {0} is invalid when PropertyName is \"Modules\"", FilterOperator.ToString())); } var sbModules = new StringBuilder(); foreach (var i in proc.LoadedModuleList) { sbModules.Append(ModuleList.GetModulePath(i)).Append(Environment.NewLine); } actualValue = sbModules.ToString(); break; case "": throw new Exception("PropertyName cannot be empty."); default: throw new Exception(string.Format("Unidentified PropertyName {0}.", PropertyName)); } return(CompareStringValuesAsPerFilterOperator(actualValue, this)); }
public override string ToString() { return (#if DEBUG "[PMLEvent]:\n" + #endif string.Format("Thread {0} of Process {1} [PID: {2}] performed {3} at {4} on {5} and result was {6}.{7}Details:{8}{7}", TID, ProcessNameList.GetProcessName(ProcessNameIndex), PID, Operation, TimeOfDay, Path, Result, Environment.NewLine, Detail)); }
private static void SortCollection() { ProcessNameList.Clear(); ProcessNameList.AddRange(Processes.Select(x => x.ProcessName).ToList()); ProcessNameList.Sort(); string currentProcessName = String.Empty; int processNameOccurance = 0; for (int i = 0; i < ProcessNameList.Count; i++) { if (ProcessNameList[i] == currentProcessName) { processNameOccurance++; } else { currentProcessName = ProcessNameList[i]; processNameOccurance = 0; } ObservableProcess observableProcess = Processes.Where(x => x.ProcessName == ProcessNameList[i]).ToArray()[processNameOccurance]; Processes.Move(Processes.IndexOf(observableProcess), i); } }