示例#1
        /// <summary>
        /// Updates the named-pipe table for a create notification: drops an entry that still
        /// claims the reported file identifier, then either registers <paramref name="pipeName"/>
        /// as a new pipe or attaches the file identifier and process to the existing entry.
        /// </summary>
        /// <param name="notificationHeader">Header of the notification; only its processId is read here.</param>
        /// <param name="createParams">Create parameters; only fileIdentifier is read here.</param>
        /// <param name="pipeName">Pipe name used as the key into namedPipeFiles.</param>
        public void OnCreatePacketReceived(dm_NotifyHdr notificationHeader, dm_CreateNotifyParams createParams, string pipeName)
        {
            UInt64 fileObjectId = createParams.fileIdentifier;

            // An identifier that is already tracked cannot belong to a live handle any more,
            // so the entry that still lists it is treated as stale.
            // NOTE(review): only the first match is removed, and the whole pipe entry goes with it
            // (including any other file objects it tracks) - confirm this is intended.
            List<NamedPipeInfo> staleOwners = namedPipeFiles.Values
                                              .Where(pipe => pipe.FileObjects.Contains(fileObjectId))
                                              .ToList();
            if (staleOwners.Count > 0)
            {
                namedPipeFiles.Remove(staleOwners[0].PipeFileName);
            }

            NamedPipeInfo knownPipe;
            if (namedPipeFiles.TryGetValue(pipeName, out knownPipe))
            {
                // Known pipe: another handle (possibly from another process) was opened on it.
                knownPipe.AddFileObjectIfNeeded(fileObjectId);
                knownPipe.AddProcessIfNeeded(notificationHeader.processId);
                return;
            }

            // First time this pipe name is seen: start tracking it and refresh the process cache.
            namedPipeFiles[pipeName] = new NamedPipeInfo(fileObjectId, pipeName, notificationHeader.processId);
            chromeMonitor.UpdateRunningProcessesCache();
        }
示例#2
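        /// <summary>
        /// Decodes the parameter block of one notification and dispatches it to the matching
        /// handler (read/write, create, or close). Notification codes without a case are ignored.
        /// </summary>
        /// <remarks>
        /// Every length used here (paramSize, dataSize, fileNameLength) is taken from the packet
        /// itself, so each one is range-checked before it is used as a read size. A packet whose
        /// lengths cannot be valid is reported on the console and skipped instead of reaching
        /// <c>ReadBytes</c> with a negative or overflowed count.
        /// </remarks>
        /// <param name="notificationHeader">Header already read from the stream; supplies code and paramSize.</param>
        /// <param name="paramsReader">Reader positioned at the start of the notification's parameters.</param>
        public void ProcessNotification(dm_NotifyHdr notificationHeader, BinaryReader paramsReader)
        {
            dm_NotifyCode notificationType = (dm_NotifyCode)notificationHeader.code;

            switch (notificationType)
            {
            case dm_NotifyCode.dm_NotifyCode_Write:
            case dm_NotifyCode.dm_NotifyCode_Read:
            case dm_NotifyCode.dm_NotifyCode_FastIoRead:
            case dm_NotifyCode.dm_NotifyCode_FastIoWrite:

                var  writeParams        = paramsReader.ReadStruct<dm_ReadWriteNotifyParams>();
                long remainingParamSize = notificationHeader.paramSize - Marshal.SizeOf(typeof(dm_ReadWriteNotifyParams));
                if (remainingParamSize < 0)
                {
                    // paramSize is smaller than the fixed header that was just read: the packet
                    // cannot carry any payload, and a negative size must never reach ReadBytes.
                    Console.WriteLine("[!] Malformed packet: parameter size is smaller than the read/write header.");
                    break;
                }

                if (writeParams.dataSize > remainingParamSize)
                {
                    // TODO: Remember this packet and expect its continued packet

                    Console.WriteLine("[!] Truncated packet.");
                }

                // Never read more than the packet announces, and never let the count wrap when
                // it is narrowed to int for ReadBytes.
                long boundedDataSize = (long)Math.Min(writeParams.dataSize, remainingParamSize);
                if (boundedDataSize < 0 || boundedDataSize > int.MaxValue)
                {
                    Console.WriteLine("[!] Malformed packet: data size is out of range.");
                    break;
                }

                byte[] data = paramsReader.ReadBytes((int)boundedDataSize);

                // NOTE(review): the last argument is true only for dm_NotifyCode_Write, so
                // dm_NotifyCode_FastIoWrite is passed as false - confirm against the handler's
                // parameter meaning.
                OnReadWritePacketReceived(notificationHeader, writeParams, data, notificationType == dm_NotifyCode.dm_NotifyCode_Write);

                break;

            case dm_NotifyCode.dm_NotifyCode_Create:
            case dm_NotifyCode.dm_NotifyCode_CreateNamedPipe:

                dm_CreateNotifyParams createParams = notificationType == dm_NotifyCode.dm_NotifyCode_CreateNamedPipe ?
                                                     paramsReader.ReadStruct<dm_CreateNamedPipeNotifyParams>().createParams : paramsReader.ReadStruct<dm_CreateNotifyParams>();

                // fileNameLength counts UTF-16 code units; do the doubling in 64-bit so a large
                // value cannot wrap into a negative or bogus byte count.
                long pipeNameByteCount = (long)createParams.fileNameLength * 2;
                if (pipeNameByteCount < 0 || pipeNameByteCount > int.MaxValue)
                {
                    Console.WriteLine("[!] Malformed packet: pipe name length is out of range.");
                    break;
                }

                // NOTE(review): the name length is not checked against notificationHeader.paramSize.
                // If paramSize covers the name here as it covers the payload in the read/write
                // branch, bounding pipeNameByteCount by it would cap the allocation below - confirm
                // the create packet layout before adding that check.
                string pipeName = Encoding.Unicode.GetString(paramsReader.ReadBytes((int)pipeNameByteCount));
                paramsReader.ReadUInt16();     // consume the 16-bit NUL terminator after the name (value not verified)

                OnCreatePacketReceived(notificationHeader, createParams, pipeName);

                break;

            case dm_NotifyCode.dm_NotifyCode_Close:

                dm_CloseNotifyParams closeParams = paramsReader.ReadStruct<dm_CloseNotifyParams>();
                OnClosePacketReceived(notificationHeader, closeParams);

                break;
            }

            if (useExtraStreamBuffering)
            {
                // Distance between writer and reader positions of the buffered stream; only
                // computed, the diagnostic print below is disabled.
                long catchUp = tdevBufferedStream.WritePosition - tdevBufferedStream.ReadPosition;
                //if (catchUp > 1000)
                //    Console.WriteLine("Position catch-up: {0}", catchUp);
            }
        }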