summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--connector/hello.c9
-rw-r--r--src/deal.go35
-rw-r--r--src/godo.go2
3 files changed, 9 insertions, 37 deletions
diff --git a/connector/hello.c b/connector/hello.c
index 5240c15..c0fc633 100644
--- a/connector/hello.c
+++ b/connector/hello.c
@@ -8,11 +8,10 @@
8#include <signal.h> 8#include <signal.h>
9#include <linux/netlink.h> 9#include <linux/netlink.h>
10#include <linux/connector.h> 10#include <linux/connector.h>
11// #include <linux/cn_proc.h> 11#include <linux/cn_proc.h>
12#include <unistd.h> 12#include <unistd.h>
13#include <errno.h> 13#include <errno.h>
14#include <time.h> 14#include <time.h>
15#include "cn_proc.h"
16 15
17typedef struct __attribute__((aligned(NLMSG_ALIGNTO))) 16typedef struct __attribute__((aligned(NLMSG_ALIGNTO)))
18{ 17{
@@ -55,16 +54,16 @@ void Now()
55 54
56void printEvent() 55void printEvent()
57{ 56{
58 union unnamed *procEvent = &proc_msg.proc_ev.event_data; 57 // union unnamed *procEvent = &proc_msg.proc_ev.event_data;
59 switch (proc_msg.proc_ev.what) 58 switch (proc_msg.proc_ev.what)
60 { 59 {
61 case PROC_EVENT_FORK: 60 case PROC_EVENT_FORK:
62 Now(); 61 Now();
63 printf("Fork\t%6d\t%6d\t%6d\t%6d\n", procEvent->fork.parent_pid, procEvent->fork.parent_tgid, procEvent->fork.child_pid, procEvent->fork.child_tgid); 62 printf("Fork\t%6d\t%6d\t%6d\t%6d\n", proc_msg.proc_ev.event_data.fork.parent_pid, proc_msg.proc_ev.event_data.fork.parent_tgid, proc_msg.proc_ev.event_data.fork.child_pid, proc_msg.proc_ev.event_data.fork.child_tgid);
64 break; 63 break;
65 case PROC_EVENT_EXIT: 64 case PROC_EVENT_EXIT:
66 Now(); 65 Now();
67 printf("Exit\t%6d\t%6d\t%6d\t%6d\n", procEvent->exit.process_pid, procEvent->exit.process_tgid, procEvent->exit.exit_code, procEvent->exit.exit_signal); 66 printf("Exit\t%6d\t%6d\t%6d\t%6d\n", proc_msg.proc_ev.event_data.exit.process_pid, proc_msg.proc_ev.event_data.exit.process_tgid, proc_msg.proc_ev.event_data.exit.exit_code, proc_msg.proc_ev.event_data.exit.exit_signal);
68 break; 67 break;
69 case PROC_EVENT_EXEC: 68 case PROC_EVENT_EXEC:
70 default: 69 default:
diff --git a/src/deal.go b/src/deal.go
index 3119fff..ae69003 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -55,31 +55,25 @@ func deal() {
55 break 55 break
56 } 56 }
57 57
58 // fmt.Printf("%v\n", cooked)
59
60 switch cooked.tag { 58 switch cooked.tag {
61 case NEWPID: 59 case NEWPID:
62 dealNewPid(cooked) 60 dealNewPid(cooked)
63 case EXECVE: 61 case EXECVE:
64 check(cooked)
65 dealExecve(cooked) 62 dealExecve(cooked)
66 case PIDEXIT: 63 case PIDEXIT:
67 check(cooked)
68 deletePid(cooked) 64 deletePid(cooked)
69 case FILEOPEN: 65 case FILEOPEN:
70 check(cooked)
71 fileOpen(cooked) 66 fileOpen(cooked)
72 case FILEWRITE: 67 case FILEWRITE:
73 check(cooked)
74 fileWrite(cooked) 68 fileWrite(cooked)
75 case FILECLOSE: 69 case FILECLOSE:
76 check(cooked)
77 fileClose(cooked) 70 fileClose(cooked)
78 } 71 }
79 } 72 }
80} 73}
81 74
82func deletePid(cooked Event) { 75func deletePid(cooked Event) {
76 // TODO: 是否还需要延时?
83 // time.Sleep(1 * time.Second) 77 // time.Sleep(1 * time.Second)
84 mongoMutex.Lock() 78 mongoMutex.Lock()
85 // 先从老爹那里销户 79 // 先从老爹那里销户
@@ -197,6 +191,7 @@ func dealExecve(cooked Event) {
197} 191}
198 192
199func fileOpen(cooked Event) { 193func fileOpen(cooked Event) {
194 fmt.Printf("Open: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
200 // 查看是否记录了该进程 195 // 查看是否记录了该进程
201 res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid}) 196 res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
202 if err != nil { 197 if err != nil {
@@ -228,6 +223,7 @@ func fileOpen(cooked Event) {
228} 223}
229 224
230func fileClose(cooked Event) { 225func fileClose(cooked Event) {
226 fmt.Printf("Close: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
231 // 直接看文件表有无记录 227 // 直接看文件表有无记录
232 res, err := fdCol.Finddoc(bson.M{ 228 res, err := fdCol.Finddoc(bson.M{
233 "pid": cooked.pid, 229 "pid": cooked.pid,
@@ -248,6 +244,7 @@ func fileClose(cooked Event) {
248} 244}
249 245
250func fileWrite(cooked Event) { 246func fileWrite(cooked Event) {
247 fmt.Printf("Write: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
251 // 直接看文件表有无记录 248 // 直接看文件表有无记录
252 res, err := fdCol.Finddoc(bson.M{ 249 res, err := fdCol.Finddoc(bson.M{
253 "pid": cooked.pid, 250 "pid": cooked.pid,
@@ -266,27 +263,3 @@ func fileWrite(cooked Event) {
266 "close_timestamp": bson.M{"$exists": false}, 263 "close_timestamp": bson.M{"$exists": false},
267 }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) 264 }, bson.M{"$push": bson.M{"written": cooked.timestamp}})
268} 265}
269
270func check(cooked Event) {
271 // 检查进程是否需要记录
272 // 有无父进程在观察中
273 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
274 if err != nil || len(docRes) != 1 {
275 return
276 }
277
278 // 自身是否已经记录
279 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
280 if err != nil {
281 fmt.Printf("Err finding: %v\n", err)
282 return
283 }
284 if len(docRes) == 0 {
285 pidCol.InsertOne(bson.M{
286 "ppid": cooked.ppid,
287 "pid": cooked.pid,
288 "children": []bson.M{},
289 "start_timestamp": cooked.timestamp,
290 })
291 }
292}
diff --git a/src/godo.go b/src/godo.go
index c332c86..cbd9e0a 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -147,7 +147,7 @@ func checkProc(pCooked *Event) {
147 fileName := fmt.Sprintf("/proc/%d/cmdline", pCooked.pid) 147 fileName := fmt.Sprintf("/proc/%d/cmdline", pCooked.pid)
148 fd, err := os.Open(fileName) 148 fd, err := os.Open(fileName)
149 if err != nil { 149 if err != nil {
150 fmt.Printf("Err opening file %s: %v\n", fileName, err) 150 fmt.Printf("Err: %v\n", err)
151 return 151 return
152 } 152 }
153 153
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2025-01-08 17:24:42 +0800