[1.5.5.0] Fix warden once and for all

RainwayApp · Jan 28, 2019 · c8cd262 · c8cd262
1 parent f9df46f
commit c8cd262
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 40 deletions.
diff --git a/Warden/Core/WardenLogger.cs b/Warden/Core/WardenLogger.cs
@@ -0,0 +1,24 @@
+using System;
+
+namespace Warden.Core
+{
+    public class WardenLogger : IWardenLogger
+    {
+        public void Debug(string message)
+        {
+            #if DEBUG
+            Console.Out.WriteLine(message);
+            #endif
+        }
+
+        public void Error(string message)
+        {
+            Console.Error.WriteLine(message);
+        }
+
+        public void Info(string message)
+        {
+            Console.Out.WriteLine(message);
+        }
+    }
+}
diff --git a/Warden/Core/WardenManager.cs b/Warden/Core/WardenManager.cs
@@ -2,6 +2,7 @@
 using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.Diagnostics.CodeAnalysis;
 using System.IO;
 using System.Linq;
 using System.Management;
@@ -17,6 +18,8 @@
 namespace Warden.Core
 {
 
+    [SuppressMessage("ReSharper", "AutoPropertyCanBeMadeGetOnly.Global")]
+    [SuppressMessage("ReSharper", "UnusedAutoPropertyAccessor.Global")]
     public class WardenOptions
     {
         /// <summary>
@@ -43,7 +46,12 @@ public class WardenOptions
         /// <summary>
         /// Processes not to kill
         /// </summary>
-        public IEnumerable<string> KillWhitelist { get; set; }
+        public IEnumerable<string> KillWhitelist { get; set; } = Array.Empty<string>();
+
+        /// <summary>
+        /// WMI Polling Interval
+        /// </summary>
+        public TimeSpan PollingInterval { get; set; } = TimeSpan.FromSeconds(1);
     }
 
     public static class WardenManager
@@ -84,11 +92,9 @@ public static void Initialize(WardenOptions options)
                 };
                 var scope = new ManagementScope($@"\\{Environment.MachineName}\root\cimv2", wmiOptions);
                 scope.Connect();
-                _processStartEvent = new ManagementEventWatcher(scope, new WqlEventQuery { EventClassName = "Win32_ProcessStartTrace" });
-                _processStartEvent.Options.Timeout = wmiOptions.Timeout;
+                _processStartEvent = new ManagementEventWatcher(scope, new WqlEventQuery("__InstanceCreationEvent", options.PollingInterval, "TargetInstance isa \"Win32_Process\""));
                 _processStartEvent.EventArrived += ProcessStarted;
-                _processStopEvent = new ManagementEventWatcher(scope, new WqlEventQuery { EventClassName = "Win32_ProcessStopTrace" });
-                _processStopEvent.Options.Timeout = wmiOptions.Timeout;
+                _processStopEvent = new ManagementEventWatcher(scope, new WqlEventQuery("__InstanceDeletionEvent", options.PollingInterval, "TargetInstance isa \"Win32_Process\""));
                 _processStopEvent.EventArrived += ProcessStopped;
                 _processStartEvent.Start();
                 _processStopEvent.Start();
@@ -131,7 +137,9 @@ private static void ProcessStopped(object sender, EventArrivedEventArgs e)
         {
             try 
             {
-                var processId = int.Parse(e.NewEvent.Properties["ProcessID"].Value.ToString());
+                var targetInstance = (ManagementBaseObject) e.NewEvent["TargetInstance"];
+                var processId      = int.Parse(targetInstance["ProcessId"].ToString());
+                targetInstance.Dispose();
                 e.NewEvent.Dispose();
                 #if DEBUG
                 Logger?.Debug($"{processId} stopped");
@@ -238,33 +246,26 @@ private static void ProcessStarted(object sender, EventArrivedEventArgs e)
         {
             try
             {
-                var processId = int.Parse(e.NewEvent.Properties["ProcessID"].Value.ToString());
-                var processParent = int.Parse(e.NewEvent.Properties["ParentProcessID"].Value.ToString());
-                string processName;
-                try
+                var targetInstance = (ManagementBaseObject) e.NewEvent["TargetInstance"];
+                var processId = int.Parse(targetInstance["ProcessId"].ToString());
+                var processParent = int.Parse(targetInstance["ParentProcessId"].ToString());
+                var processName = targetInstance["Name"].ToString().Trim();
+                if(processName == "?")
                 {
-                    processName = Path.GetFileName(ProcessUtils.GetProcessPath(processId))?.Trim();
                     try
                     {
+                        processName = Path.GetFileName(ProcessUtils.GetProcessPath(processId))?.Trim();
                         if (string.IsNullOrWhiteSpace(processName))
-                            processName = Path.GetFileName(Process.GetProcessById(processId).MainModule.FileName).Trim();
+                            processName = "Unknown";
                     }
-                    catch (ArgumentException)
+                    catch (Exception ex)
                     {
-                        processName = null;
-                    }
-
-                    if (string.IsNullOrWhiteSpace(processName))
-                        processName = e.NewEvent.Properties["ProcessName"].Value.ToString().Trim();
-                    if (string.IsNullOrWhiteSpace(processName))
+                        Logger?.Error(ex.ToString());
                         processName = "Unknown";
-                }
-                catch (Exception ex)
-                {
-                    Logger?.Error(ex.ToString());
-                    processName = "Unknown";
+                    }
                 }
 
+                targetInstance.Dispose();
                 e.NewEvent.Dispose();
 #if DEBUG
                 Logger?.Debug($"{processName} ({processId}) started by {processParent}");

diff --git a/Warden/Properties/AssemblyInfo.cs b/Warden/Properties/AssemblyInfo.cs
@@ -31,5 +31,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.5.4.7")]
-[assembly: AssemblyFileVersion("1.5.4.7")]
+[assembly: AssemblyVersion("1.5.5.0")]
+[assembly: AssemblyFileVersion("1.5.5.0")]
diff --git a/Warden/Warden.csproj b/Warden/Warden.csproj
@@ -63,6 +63,7 @@
     <Compile Include="Core\Utils\TaskKill.cs" />
     <Compile Include="Core\WardenImpersonator.cs" />
     <Compile Include="Core\IWardenLogger.cs" />
+    <Compile Include="Core\WardenLogger.cs" />
     <Compile Include="Core\WardenManager.cs" />
     <Compile Include="Core\WardenProcess.cs" />
     <Compile Include="Core\WardenEnums.cs" />

diff --git a/WardenExample/Program.cs b/WardenExample/Program.cs
@@ -1,21 +1,7 @@
 using System;
-using System.Collections.Concurrent;
-using System.Collections.Generic;
-using System.Collections.ObjectModel;
-using System.Collections.Specialized;
-using System.Diagnostics;
-using System.IO;
-using System.Linq;
-using System.Linq.Expressions;
-using System.Reflection;
-using System.Text;
-using System.Threading;
 using System.Threading.Tasks;
 using Newtonsoft.Json;
-using Newtonsoft.Json.Converters;
 using Warden.Core;
-using Warden.Core.Models;
-using Warden.Core.Utils;
 
 namespace WardenExample
 {
@@ -28,12 +14,15 @@ static void Main(string[] args)
 
         private static async Task Start()
         {
+            WardenManager.Logger = new WardenLogger();
             WardenManager.Initialize(new WardenOptions
             {
                 CleanOnExit = true,
                 DeepKill = true,
                 ReadFileHeaders = true
             });
+            Console.WriteLine("Press any key to continue");
+            Console.ReadKey(true);
             Console.Write("Enter the process ID: ");
             var processId = int.Parse(Console.ReadLine());
             var test = WardenProcess.GetProcessFromId(processId);