authorWe-unite <3205135446@qq.com>2024-07-26 17:23:53 +0800
committerWe-unite <3205135446@qq.com>2024-07-26 17:23:53 +0800
commitec260a31927ef77295eaa07ba370b58b416f47f5 (patch)
tree317dcc68bbeb095af71e5135bf57caefff0bd123 /src/organize.go
parentb765715b4795ce4bc8940c7b1a1092a78550de94 (diff)
Fix execve before fork & Fix regex to match "exit"
There are 2 bugs from ancestor commits: - In the 'things_left' tag commit (the grandparent of this commit), we added a function that allows execve to come before fork, but when that happens I forgot to insert the basic info (pid, ppid, etc.), as a result of which it did not work in the designed way. Now it is fixed: execve is inserted with pid and ppid, so that the fork event can find it and fill in the other info. However, we should not set start_stamp in this case, so that it also serves as a flag. I have not removed the unused execve info, leaving it for the future. - In the parent commit, syscallRegex was changed, because when we add more syscalls to be watched we need more info about their params, not only the first one. Instead of keeping on using a single a0 to get the first param, I use argsRegex for all the params. But this change caused a mismatch in syscallRegex. Now it is fixed.
Diffstat (limited to 'src/organize.go')
-rw-r--r--src/organize.go47
1 files changed, 30 insertions, 17 deletions
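--- a/src/organize.go
+++ b/src/organize.go
@@ -21,11 +21,11 @@ var ok bool
 var event Event
 var pEvent *Event
 var eventId, argc int
-var err [6]error
+var errs [6]error
 
 // 要用的正则匹配列表
 var (
-	syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?(exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?$`)
+	syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?$`)
 	execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
 	argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`)
 	pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):.*?name="(.*?)"`)
@@ -76,17 +76,17 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
 	var a [4]uint64
 	// 捕获基础信息
 	match := syscallRegex.FindSubmatch(rawEvent.Data)
-	event.timestamp, err[0] = getTimeFromStr(string(match[1]))
-	eventId, err[1] = strconv.Atoi(string(match[2]))
-	event.syscall, err[2] = strconv.Atoi(string(match[3]))
-	if string(match[5]) == "" {
+	event.timestamp, errs[0] = getTimeFromStr(string(match[1]))
+	eventId, errs[1] = strconv.Atoi(string(match[2]))
+	event.syscall, errs[2] = strconv.Atoi(string(match[3]))
+	if string(match[4]) == "" {
 		// exit没捕获到
 		exit = 0
 	} else {
-		exit, err[3] = strconv.Atoi(string(match[5]))
+		exit, errs[3] = strconv.Atoi(string(match[4]))
 	}
-	event.ppid, err[4] = strconv.Atoi(string(match[6]))
-	event.pid, err[5] = strconv.Atoi(string(match[7]))
+	event.ppid, errs[4] = strconv.Atoi(string(match[5]))
+	event.pid, errs[5] = strconv.Atoi(string(match[6]))
 
 	// 捕获参数
 	if !argsRegex.Match(rawEvent.Data) {
@@ -95,7 +95,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
 	}
 	argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
 	for i := 0; i < 4; i++ {
-		a[i], err[0] = strconv.ParseUint(string(argsMatch[i][2]), 16, 64)
+		a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][2]), 16, 64)
 	}
 
 	switch syscallTable[event.syscall] {
@@ -136,6 +136,18 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
 			syscallParam: a,
 			pathName: "",
 		})
+	case "execve":
+		eventTable.Store(eventId, &Event{
+			tag: EXECVE,
+			timestamp: event.timestamp,
+			syscall: event.syscall,
+			exit_code: a[0],
+			ppid: event.ppid,
+			pid: event.pid,
+			argc: 0,
+			argv: make([]string, 0),
+			cwd: "",
+		})
 	case "exit", "exit_group":
 		eventTable.Store(eventId, &Event{
 			tag: PIDEXIT,
@@ -157,14 +169,14 @@ func execve(rawEvent libaudit.RawAuditMessage) {
 	}
 
 	match := execveRegex.FindSubmatch(rawEvent.Data)
-	eventId, err[0] = strconv.Atoi(string(match[1]))
-	argc, err[1] = strconv.Atoi(string(match[2]))
+	eventId, errs[0] = strconv.Atoi(string(match[1]))
+	argc, errs[1] = strconv.Atoi(string(match[2]))
 	tmp, ok = eventTable.Load(eventId)
 	if !ok {
 		return
 	}
 	pEvent = tmp.(*Event)
-	if err[0] == nil && err[1] == nil && argsRegex.Match(rawEvent.Data) {
+	if errs[0] == nil && errs[1] == nil && argsRegex.Match(rawEvent.Data) {
 		match := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
 		for i := 0; i < argc; i++ {
 			if len(match[i][2]) == 0 {
@@ -185,7 +197,7 @@ func cwd(rawEvent libaudit.RawAuditMessage) {
 	}
 
 	match := cwdRegex.FindSubmatch(rawEvent.Data)
-	eventId, err[0] = strconv.Atoi(string(match[1]))
+	eventId, errs[0] = strconv.Atoi(string(match[1]))
 	tmp, ok = eventTable.Load(eventId)
 	if !ok {
 		return
@@ -200,7 +212,7 @@ func proctitle(rawEvent libaudit.RawAuditMessage) {
 
 	var cmdline string
 	match := proctitleRegex.FindSubmatch(rawEvent.Data)
-	eventId, err[0] = strconv.Atoi(string(match[1]))
+	eventId, errs[0] = strconv.Atoi(string(match[1]))
 	tmp, ok = eventTable.Load(eventId)
 	if !ok {
 		return
@@ -225,13 +237,14 @@ func eoe(rawEvent libaudit.RawAuditMessage) {
 	}
 
 	match := eoeRegex.FindSubmatch(rawEvent.Data)
-	eventId, err[0] = strconv.Atoi(string(match[1]))
+	eventId, errs[0] = strconv.Atoi(string(match[1]))
 	tmp, ok = eventTable.Load(eventId)
 	if !ok {
 		return
 	}
 	cooked := *(tmp.(*Event))
 	cookedChan <- cooked
+	fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid)
 	eventTable.Delete(eventId) // 死人别占地
 }
 
@@ -240,7 +253,7 @@ func path(rawEvent libaudit.RawAuditMessage) {
 		return
 	}
 	match := pathRegex.FindSubmatch(rawEvent.Data)
-	eventId, err[0] = strconv.Atoi(string(match[1]))
+	eventId, errs[0] = strconv.Atoi(string(match[1]))
 	name := string(match[2])
 
 	tmp, ok = eventTable.Load(eventId)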
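Review bot: In syscallRaw (hunk at old line 76; the function starts and ends outside the hunk) the new side indexes `match[1]` through `match[6]` straight after `syscallRegex.FindSubmatch`, and since this commit rewrote the regex and renumbered its groups it is the moment to guard that call: a record the rewritten pattern does not match yields a nil slice and the index panics, stopping the whole audit consumer on one malformed line, so add `if match == nil { return }` before the first use. The same unguarded use follows `FindSubmatch` in execve, cwd, proctitle, eoe and path, and the `argsMatch[i][2]` loop at old line 97 assumes at least four `a\d+=` fields are present. The `errs[...]` slots are written but not checked anywhere visible in syscallRaw, so a failed Atoi presumably leaves ppid/pid at 0 and the event is stored under a wrong key; at minimum the declaration deserves a comment such as `// errs[i] holds the parse error of the i-th field of the current record; only execve inspects slots 0 and 1` stating which slots are inspected and where. In the new `case "execve"` branch, `exit_code: a[0]` stores the hex-parsed first syscall argument rather than the `exit` value parsed a few lines earlier, which looks unintended unless the surrounding cases do the same. The `fmt.Printf` added in eoe writes a line to stdout for every cooked event, which reads as a leftover debug print; gate it or route it through whatever logging the project uses.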