Add event type: registry modification

WelsonJS.Toolkit/WelsonJS.Service/FileEventMonitor.cs

@@ -15,7 +15,10 @@ namespace WelsonJS.Service
         private enum EventType: int
         {
             FileCreate = 11,
-            NetworkConnection = 3
+            NetworkConnection = 3,
+            RegistryEvent_1 = 12,
+            RegistryEvent_2 = 13,
+            RegistryEvent_3 = 14
         };
         private enum FileCreateEvent: int {
             RuleName,
@@ -48,6 +51,18 @@ namespace WelsonJS.Service
             DestinationPort,
             DestinationPortName,
         };
+        private enum RegistryEvent: int
+        {
+            RuleName,
+            EventType,
+            UtcTime,
+            ProcessGuid,
+            ProcessId,
+            Image,
+            TargetObject,
+            Details,
+            User
+        }
 
         public FileEventMonitor(ServiceBase parent, string workingDirectory)
         {
@@ -100,20 +115,15 @@ namespace WelsonJS.Service
 
                 try
                 {
-                    if (eventId == (int)EventType.FileCreate)
+                    switch (eventId)
+                    {
+                        case (int)EventType.FileCreate:
                             {
                                 string ruleName = e.EventRecord.Properties[(int)FileCreateEvent.RuleName]?.Value?.ToString();
                                 string processId = e.EventRecord.Properties[(int)FileCreateEvent.ProcessId]?.Value?.ToString();
                                 string image = e.EventRecord.Properties[(int)FileCreateEvent.Image]?.Value?.ToString();
                                 string fileName = e.EventRecord.Properties[(int)FileCreateEvent.TargetFilename]?.Value?.ToString();
 
-                        if (string.IsNullOrEmpty(fileName))
-                        {
-                            throw new ArgumentException("Could not read the target filename.");
-                        }
-
-                        if (File.Exists(fileName))
-                        {
                                 parent.Log($"> Detected the file creation: {fileName}");
                                 parent.Log(parent.DispatchServiceEvent("fileCreated", new string[] {
                                     ruleName,
@@ -121,13 +131,11 @@ namespace WelsonJS.Service
                                     image,
                                     fileName
                                 }));
+
+                                break;
                             }
-                        else
+
-                        {
+                        case (int)EventType.NetworkConnection:
-                            throw new FileNotFoundException($"{fileName} file not found.");
-                        }
-                    }
-                    else if (eventId == (int)EventType.NetworkConnection)
                             {
                                 string ruleName = e.EventRecord.Properties[(int)NetworkConnectionEvent.RuleName]?.Value?.ToString();
                                 string processId = e.EventRecord.Properties[(int)NetworkConnectionEvent.ProcessId]?.Value?.ToString();
@@ -144,6 +152,34 @@ namespace WelsonJS.Service
                                     image,
                                     dstinationAddress
                                 }));
+
+                                break;
+                            }
+
+                        case (int)EventType.RegistryEvent_1:
+                        case (int)EventType.RegistryEvent_2:
+                        case (int)EventType.RegistryEvent_3:
+                            {
+                                string ruleName = e.EventRecord.Properties[(int)RegistryEvent.RuleName]?.Value?.ToString();
+                                string processId = e.EventRecord.Properties[(int)RegistryEvent.ProcessId]?.Value?.ToString();
+                                string image = e.EventRecord.Properties[(int)RegistryEvent.Image]?.Value?.ToString();
+                                string eventType = e.EventRecord.Properties[(int)RegistryEvent.EventType]?.Value?.ToString();
+                                string targetObject = e.EventRecord.Properties[(int)RegistryEvent.TargetObject]?.Value?.ToString();
+
+                                parent.Log($"> Detected the registry modification: {targetObject}");
+                                parent.Log(parent.DispatchServiceEvent("registryModified", new string[] {
+                                    ruleName,
+                                    processId,
+                                    image,
+                                    eventType,
+                                    targetObject
+                                }));
+
+                                break;
+                            }
+
+                        default:
+                            throw new ArgumentException("Not supported event type");
                     }
                 }
                 catch (Exception ex)

app.js

@@ -628,7 +628,8 @@ function dispatchServiceEvent(name, eventType, w_args, argl) {
             elapsedTime: bind("ServiceElapsedTime"),
             screenTime: bind("ServiceScreenTime"),
             fileCreated: bind("FileCreated"),
-            networkConnected: bind("NetworkConnected")
+            networkConnected: bind("NetworkConnected"),
+            registryModified: bind("RegistryModified")
         });
     } else {
         console.error("Could not find", name + ".js");

defaultService.js

@@ -36,6 +36,11 @@ function onNetworkConnected(args) {
     return "onNetworkConnected recevied. " + args.join(', ');
 }
 
+function onRegistryModified(args) {
+    return "onRegistryModified recevied. " + args.join(', ');
+}
+
+
 exports.main = main;
 exports.getDeviceID = getDeviceID;
 exports.onServiceStart = onServiceStart;
@@ -44,3 +49,4 @@ exports.onServiceElapsedTime = onServiceElapsedTime;
 exports.onServiceScreenTime = onServiceScreenTime;
 exports.onFileCreated = onFileCreated;
 exports.onNetworkConnected = onNetworkConnected;
+exports.onRegistryModified = onRegistryModified;