in PsfShimMonitor/MainWindow.xaml.cs [391:641]
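/// <summary>
/// Recomputes the category-filter visibility flag of a single captured event from the
/// state of the category checkboxes and reports whether that changed the event's
/// overall visibility.
/// </summary>
/// <param name="ei">
/// The event to update. Its <c>IsEventCatHidden</c> flag is rewritten in place;
/// <c>IsHidden</c> is read before and after to detect a visibility change.
/// </param>
/// <returns>
/// <c>true</c> when <c>ei.IsHidden</c> differs after the category flag was recomputed,
/// <c>false</c> otherwise.
/// </returns>
private bool ApplyFilterCategoryEventToEventItem(EventItem ei)
{
    bool wasHidden = ei.IsHidden;

    // Resolve the event name to the checked state of the one checkbox that governs
    // its category. Every category used to repeat the same if/else on the checkbox,
    // so the mapping is isolated here and the hidden flag is derived once below.
    // Any name not listed (including a null Event string) is deliberately routed to
    // the "Other" category rather than dropped, so an unexpected or newly added event
    // name stays visible as long as that category is checked.
    bool? categoryChecked;
    switch (ei.Event)
    {
        case "CreateProcess":
        case "CreateProcessAsUser":
            categoryChecked = cbCatProcess.IsChecked;
            break;

        case "CreateFile":
        case "CreateFile2":
        case "CopyFile":
        case "CopyFile2":
        case "CopyFileEx":
        case "CreateHardLink":
        case "CreateSymbolicLink":
        case "DeleteFile":
        case "MoveFile":
        case "MoveFileEx":
        case "ReplaceFile":
        case "FindFirstFile":
        case "FindFirstFileEx":
        case "FindNextFile":
        case "FindClose":
        case "CreateDirectory":
        case "CreateDirectoryEx":
        case "RemoveDirectory":
        case "SetCurrentDirectory":
        case "GetCurrentDirectory":
        case "GetFileAttributes":
        case "SetFileAttributes":
        case "GetFileAttributesEx":
            categoryChecked = cbCatFile.IsChecked;
            break;

        case "RegCreateKey":
        case "RegCreateKeyEx":
        case "RegOpenKey":
        case "RegOpenKeyEx":
        case "RegGetValue":
        case "RegQueryValue":
        case "RegQueryValueEx":
        case "RegSetKeyValue":
        case "RegSetValue":
        case "RegSetValueEx":
        case "RegDeleteKey":
        case "RegDeleteKeyEx":
        case "RegDeleteKeyValue":
        case "RegDeleteValue":
        case "RegDeleteTree":
        case "RegCopyTree":
        case "RegEnumKey":
        case "RegEnumKeyEx":
        case "RegEnumValue":
            categoryChecked = cbCatReg.IsChecked;
            break;

        // NT level
        case "NtCreateFile":
        case "NtOpenFile":
        case "NtCreateDirectoryObject":
        case "NtOpenDirectoryObject":
        case "NtQueryDirectoryObject":
        case "NtOpenSymbolicLinkObject":
        case "NtQuerySymbolicLinkObject":
            categoryChecked = cbCatNTFile.IsChecked;
            break;

        case "NtCreateKey":
        case "NtOpenKey":
        case "NtOpenKeyEx":
        case "NtSetValueKey":
        case "NtQueryValueKey":
            categoryChecked = cbCatNTReg.IsChecked;
            break;

        case "AddDllDirectory":
        case "LoadLibrary":
        case "LoadLibraryEx":
        case "LoadModule":
        case "LoadPackagedLibrary":
        case "RemoveDllDirectory":
        case "SetDefaultDllDirectories":
        case "SetDllDirectory":
            categoryChecked = cbCatDll.IsChecked;
            break;

        // Kernel traces
        case "Process/Start":
        case "Process/Stop":
            categoryChecked = cbCatKernelProcess.IsChecked;
            break;

        case "Image/Load":
            categoryChecked = cbCatKernelImageLoad.IsChecked;
            break;

        case "FileIO/Query":
        case "FileIO/QueryInfo":
        case "FileIO/Create":
        case "FileIO/FileCreate":
        case "FileIO/Read":
        case "FileIO/Write":
        case "FileIO/Close":
        case "FileIO/Cleanup":
        case "FileIO/OperationEnd":
        case "FileIO/DirEnum":
        case "FileIO/SetInfo":
        case "FileIO/Rename":
        case "FileIO/Delete":
        case "FileIO/FileDelete":
        case "FileIO/Flush":
            categoryChecked = cbCatKernelFile.IsChecked;
            break;

        case "DiskIO/Read":
        case "DiskIO/Write":
            categoryChecked = cbCatKernelDisk.IsChecked;
            break;

        case "Registry/Open":
        case "Registry/Query":
        case "Registry/QueryValue":
        case "Registry/SetInformation":
        case "Registry/Close":
        case "Registry/Create":
        case "Registry/SetValue":
        case "Registry/EnumerateKey":
        case "Registry/Delete":
        case "Registry/DeleteValue":
        case "Registry/EnumerateValueKey":
            categoryChecked = cbCatKernelRegistry.IsChecked;
            break;

        case "Application":
            categoryChecked = cbCatApplicationLog.IsChecked;
            break;

        case "System":
            categoryChecked = cbCatSystemLog.IsChecked;
            break;

        default:
            categoryChecked = cbCatOther.IsChecked;
            break;
    }

    // IsChecked is presumably the bool? of a CheckBox (declaration not visible here).
    // The former `(bool)cb.IsChecked` cast throws InvalidOperationException on the
    // indeterminate (null) state; `!= true` treats null the same as unchecked, i.e.
    // the category is hidden, instead of aborting the filter pass.
    ei.IsEventCatHidden = categoryChecked != true;

    return ei.IsHidden != wasHidden;
}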