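// The event that triggers the above delegate
public event ProcessStartStopEventHandler ProcessWasStartedStopped;

// protected and virtual by convention TODO: make this class sealed and work out the virtual/protected keywords
/// <summary>
/// Raises <see cref="ProcessWasStartedStopped"/> with the supplied arguments.
/// Does nothing when no handler is subscribed.
/// </summary>
/// <param name="e">Details of the process start or stop being reported.</param>
protected virtual void OnProcessStartStop(ProcessStartStopEventArgs e)
{
    // The null-conditional invoke reads the delegate field exactly once. The previous
    // "check for null, then call" form read it twice, so a subscriber detaching on
    // another thread between the two reads could turn the call into a
    // NullReferenceException and the start/stop notification would be lost.
    ProcessWasStartedStopped?.Invoke(e);
}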
/// <summary>
/// Callback for the process start and stop watchers. Reads the WMI class name of the
/// arriving event, classifies it as a start or a stop trace, and raises the
/// ProcessWasStartedStopped event via OnProcessStartStop.
/// </summary>
/// <param name="sender">The object that raised the event; not used by this handler.</param>
/// <param name="e">The arrived WMI event, forwarded unchanged inside the event arguments.</param>
private void ProcessStartStopHandler(object sender, EventArrivedEventArgs e)
{
    // Only an exact "Win32_ProcessStartTrace" class name is treated as a start; any
    // other class name reaching this handler is reported downstream as a stop.
    var wmiClassName = e.NewEvent.SystemProperties["__Class"].Value.ToString();
    OnProcessStartStop(new ProcessStartStopEventArgs(wmiClassName == "Win32_ProcessStartTrace", e));
}
/// <summary>
/// Records a single process start or stop event against the tracked programs.
/// The whole method runs under the <c>baton</c> lock.
/// </summary>
/// <param name="processEventDetails">
/// The start/stop event: the WMI event object, whether it is a start, and its timestamp.
/// </param>
/// <remarks>
/// Four cases are handled: start of a tracked exe, start of an untracked exe, stop of a
/// tracked exe, and stop of an untracked exe. "Ghost" starts (a start trace whose process
/// could not be found afterwards) are parked in <c>unsavedNewStartTraces</c> as
/// (exe name, process id) pairs.
/// NOTE(review): within this method a ghost entry is only removed when a stop event with
/// the same name and process id arrives. Process ids are reused by the OS, so if a stop
/// trace is ever missed the stale entry could later match an unrelated process - confirm
/// whether the list is pruned elsewhere.
/// NOTE(review): the exe name is printed exactly as GetExeName returns it; what
/// IsAlreadyTrackedExe and GetStoredProgram key on is not visible here - verify that
/// tracking does not rely on the name alone if the records feed any security decision.
/// </remarks>
private void RecordProcessStartStop(ProcessStartStopEventArgs processEventDetails)
{
    lock (baton)
    {
        Console.WriteLine("Start/stop event occuring");

        ManagementBaseObject wmiEvent = processEventDetails.WmiQueryEvent;
        bool isStart = processEventDetails.IsProcessStartEvent;
        bool isTracked = IsAlreadyTrackedExe(wmiEvent);

        if (isStart && isTracked)
        {
            // Another instance of an exe that is already being tracked.
            Console.WriteLine("NEW INSTANCE OF TRACKED EXE {0} DETECTED!", GetExeName(wmiEvent));
            uint pid = (uint)wmiEvent["ProcessId"];
            Program tracked = GetStoredProgram(wmiEvent);
            tracked.RegisterNewInstanceSession(pid, processEventDetails.TimeStamp);
        }
        else if (isStart)
        {
            // First sighting of this exe.
            Console.WriteLine("NEW INSTANCE OF UNTRACKED EXE {0} DETECTED!", GetExeName(wmiEvent));
            ManagementBaseObject enriched = SupplementStartTraceInfo(wmiEvent);
            if (enriched != null)
            {
                RecordNewProgram(enriched);
            }
            else
            {
                // The follow-up query returned nothing: remember the start as a ghost so
                // that its matching stop trace can be recognised later.
                string name = GetExeName(wmiEvent);
                uint pid = (uint)wmiEvent["ProcessId"];
                unsavedNewStartTraces.Add(new KeyValuePair<string, uint>(name, pid));
                Console.WriteLine($"PROGRAM RECORDER: New untracked program {name} detected, but attempt to query running processes for it has returned no results");
            }
        }
        else if (isTracked)
        {
            // An instance of a tracked exe has ended.
            Console.WriteLine("END OF PROCESS FOR TRACKED EXE {0} DETECTED!", GetExeName(wmiEvent));
            Program tracked = GetStoredProgram(wmiEvent);
            uint pid = (uint)wmiEvent["ProcessId"];
            tracked.LogInstanceStopped(pid, processEventDetails.TimeStamp);
        }
        else
        {
            // End of process detected on a never before seen exe.
            // Probably shouldn't be possible... unless it's the end of a 'ghost' process - one
            // where we detected the start trace but could not find it on querying running
            // processes (stored in unsavedNewStartTraces), which we check for below.
            string name = GetExeName(wmiEvent);
            uint pid = (uint)wmiEvent["ProcessId"];
            var ghostKey = new KeyValuePair<string, uint>(name, pid);

            bool isKnownGhost = unsavedNewStartTraces.Exists(pending => pending.Equals(ghostKey));
            if (!isKnownGhost)
            {
                Console.WriteLine("PROGRAM RECORDER: END OF PROCESS FOR UNTRACKED EXE {0} DETECTED! (THIS SHOULDN'T BE HAPPENING!!)", GetExeName(wmiEvent));
            }
            else
            {
                Console.WriteLine("PROGRAM RECORDER: END OF PROCESS FOR UNSAVED UNTRACKED EXE {0} DETECTED! (THIS IS OKAY)", GetExeName(wmiEvent));
                unsavedNewStartTraces.Remove(ghostKey);
            }
        }

        Console.WriteLine("Start/stop event dealt with");
    }
}