1 files changed, 487 insertions, 0 deletions
diff --git a/connector/proc_mon_linux.cpp b/connector/proc_mon_linux.cpp
new file mode 100755
index 0000000..16dd51c
--- /dev/null
+++ b/connector/proc_mon_linux.cpp
@@ -0,0 +1,487 @@
+#ifndef WIN32
+#include <unistd.h>
+#include <sys/socket.h>
+#include <algorithm>
+#include "shared.h"
+#include "proc_mon_linux.h"
+#include <malloc.h>
+#include "linux_proc_baseline.h"
+#define MAX_PIPE_WAIT_USECOND 100
+#define PROCESS_SCAN_ITERTIME  10
+const char *WM_PROC_LOCATION = "proc_collector";
+ProcMon* ProcMon::m_instance = NULL;
+ProcMon& ProcMon::instance()
+{
+    if ( m_instance == NULL )
+    {
+        m_instance = new ProcMon;
+    }
+    return *m_instance;
+}
+void ProcMon::destroy()
+{
+    delete m_instance;
+    m_instance = NULL;
+}
+int ProcMon::init( const wm_proc_t* config )
+{
+    pthread_mutex_init(&m_mutex, NULL);
+    setConfig( config );
+    int ret = setupNetlink();
+    if (ret != 0 )
+    {
+        fini();
+        return -1;
+    }
+    ret = setupMQ();
+    if (ret != 0 )
+    {
+        fini();
+        return -1;
+    }
+    return 0;
+}
+int ProcMon::working()
+{
+    int rc;
+    event_msg_t procMsg;
+    fd_set readfds;
+    int maxfd = m_procFd + 1;
+    struct timeval tv;
+    time_t last = time(0);
+    if ( m_config.flags.enabled == 0 )
+    {
+        return 0;
+    }
+    getInventoryProcesses();
+    while ( 1 )
+    {
+        FD_ZERO(&readfds);
+        FD_SET( m_procFd, &readfds );
+        tv.tv_sec = 1;
+        tv.tv_usec = 0;
+        if ( time(0) - last > PROCESS_SCAN_ITERTIME )
+        {
+            // scan processes
+            scanProcesses(last);
+            last = time(0);
+        }
+        rc = select( maxfd, &readfds, NULL, NULL, &tv );
+        if ( 0 == rc )
+        {
+            continue;
+        }
+        if ( -1 == rc )
+        {
+            if ( errno == EINTR )
+            {
+                continue;
+            }
+            mterror(WM_PROC_LOGTAG, "failed to listen to netlink socket, errno=(%d:%m)", errno);
+            return rc;
+        }
+        if ( FD_ISSET( m_procFd, &readfds ) )
+        {
+            rc = recv( m_procFd, &procMsg, sizeof(procMsg), 0 );
+            if( rc > 0 )
+            {
+                switch (procMsg.proc_ev.what)
+                {
+                case proc_event::PROC_EVENT_FORK:
+                    handleForkMsg(procMsg);
+                    break;
+                case proc_event::PROC_EVENT_EXEC:
+                    handleExecMsg(procMsg);
+                    break;
+                case proc_event::PROC_EVENT_COMM:
+                    break;
+                case proc_event::PROC_EVENT_EXIT:
+                    handleExitMsg(procMsg);
+                    break;
+                default:
+                    break;
+                }
+            }
+            else if (rc == -1)
+            {
+                if (errno == EINTR)
+                {
+                    continue;
+                }
+                mterror(WM_PROC_LOGTAG, "failed to received from netlink socket, errno=(%d:%m)", errno);
+            }
+        }
+                malloc_trim(0);
+    }
+}
+ProcMon::ProcMon() 
+{
+    m_mutex = PTHREAD_MUTEX_INITIALIZER;
+    m_processes.clear();
+    m_pidCache.clear();
+    m_procFd = -1;
+    m_queueFd = -1;
+}
+ProcMon::~ProcMon()
+{
+    fini();
+}
+void ProcMon::setConfig( const wm_proc_t* config  )
+{
+    m_config.flags.enabled = config->flags.enabled;
+    m_config.flags.rootcheck = config->flags.rootcheck;
+    m_config.flags.limitcheck = config->flags.limitcheck;
+    m_config.flags.environcheck = config->flags.environcheck;
+    m_config.flags.statuscheck = config->flags.statuscheck;
+    m_config.flags.threadcheck = config->flags.threadcheck;
+    m_config.flags.cgroupcheck = config->flags.cgroupcheck;
+    m_config.flags.libcheck = config->flags.libcheck;
+    m_config.flags.malwarecheck = config->flags.malwarecheck;
+    m_config.interval = config->interval;
+}
+int ProcMon::setupNetlink()
+{
+    int rc;
+    int nl_sock;
+    struct sockaddr_nl sa_nl;
+    register_msg_t nlcn_msg;
+    nl_sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
+    if (nl_sock == -1)
+    {
+        mterror(WM_PROC_LOGTAG, "Can't open netlink socket");
+        return -1;
+    }
+    sa_nl.nl_family = AF_NETLINK;
+    sa_nl.nl_groups = CN_IDX_PROC;
+    sa_nl.nl_pid = getpid();
+    rc = bind(nl_sock, (struct sockaddr *)&sa_nl, sizeof(sa_nl));
+    if (rc == -1)
+    {
+        mterror(WM_PROC_LOGTAG, "Can't bind netlink socket");
+        close(nl_sock);
+        return -1;
+    }
+    // create listener
+    memset(&nlcn_msg, 0, sizeof(nlcn_msg));
+    nlcn_msg.nl_hdr.nlmsg_len = sizeof(nlcn_msg);
+    nlcn_msg.nl_hdr.nlmsg_pid = getpid();
+    nlcn_msg.nl_hdr.nlmsg_type = NLMSG_DONE;
+    nlcn_msg.cn_msg.id.idx = CN_IDX_PROC;
+    nlcn_msg.cn_msg.id.val = CN_VAL_PROC;
+    nlcn_msg.cn_msg.len = sizeof(enum proc_cn_mcast_op);
+    nlcn_msg.cn_mcast = PROC_CN_MCAST_LISTEN;
+    rc = send(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
+    if (rc == -1)
+    {
+        mterror(WM_PROC_LOGTAG, "can't register to netlink");
+        close(nl_sock);
+        return -1;
+    }
+    m_procFd = nl_sock;
+    return 0;
+}
+int ProcMon::setupMQ()
+{
+    unsigned int indx;
+    // Connect to socket
+    for (indx = 0; indx < WM_MAX_ATTEMPTS; indx++)
+    {
+        m_queueFd = StartMQ(DEFAULTQPATH, WRITE);
+        if (m_queueFd > 0)
+        {
+            break;
+        }
+        wm_delay(1000 * WM_MAX_WAIT);
+    }
+    if (indx == WM_MAX_ATTEMPTS)
+    {
+        mterror(WM_PROC_LOGTAG, "Can't connect to queue.");
+        pthread_exit(NULL);
+    }
+    return 0;
+}
+void ProcMon::fini()
+{
+    m_processes.clear();
+    m_pidCache.clear();
+    if (m_procFd != -1 )
+    {
+        close( m_procFd);
+        m_procFd = -1;
+    }
+    if (m_queueFd != -1 )
+    {
+        close( m_queueFd);
+        m_queueFd = -1;
+    }
+}
+void ProcMon::getInventoryProcesses()
+{
+    DIR *procDir = opendir( "/proc" );
+    if ( NULL == procDir )
+    {
+        mterror(WM_PROC_LOGTAG, "failed to open /proc, errno=(%d:%m)", errno);
+        return;
+    }
+    struct dirent *entry = NULL;
+    while (NULL != (entry = readdir(procDir)))
+    {
+        if (!strcmp(entry->d_name, ".") || !strcmp(entry->d_name, ".."))
+        {
+            continue;
+        }
+        int pid = atoi(entry->d_name);
+        if (0 == pid)
+        {
+            continue;
+        }
+        Process *proc = new Process(pid);
+        if ( NULL == proc )
+        {
+            continue;
+        }
+            if(0 != proc->init())
+            { 
+                delete proc;
+                        proc = NULL;
+                        continue;
+            }
+                std::pair<std::map<pid_t, Process*>::iterator,bool> ret = m_processes.insert(std::make_pair(pid, proc));
+                if(!ret.second)
+                {       
+                        delete proc;
+                        proc = NULL;
+                        continue;
+                }
+        std::vector<std::string> events = proc->getEvents();
+        if ( !events.empty() )
+        {
+            reportEvents(events);
+        }
+        usleep( 500 );
+    }
+    return;
+}
+void ProcMon::handleForkMsg( const event_msg_t& procMsg )
+{
+    pid_t pid = procMsg.proc_ev.event_data.fork.child_pid;
+    auto iter = m_pidCache.find( pid );
+    if ( iter != m_pidCache.end() )
+    {
+        m_pidCache.erase(iter);
+        return;
+    }
+    PidRelation relation;
+    relation.pid = pid;
+    relation.ppid = procMsg.proc_ev.event_data.fork.parent_pid;
+    relation.pidEvent = PidRelation::FORKEVENT;
+    relation.born = time(0);
+    m_pidCache.insert( std::make_pair(relation.pid, relation ));
+}
+void ProcMon::handleExecMsg( const event_msg_t& procMsg )
+{
+    pid_t pid = procMsg.proc_ev.event_data.exec.process_pid;
+    auto iter = m_pidCache.find( pid );
+    if ( iter == m_pidCache.end() )
+    {
+        return;
+    }
+    //mterror(WM_PROC_LOGTAG, "cache size:%lu", m_pidCache.size());
+    Process *proc = new Process( pid, iter->second.ppid, iter->second.born );
+    if ( NULL == proc )
+    {
+        return;
+    }
+    // check hidden process 
+    if ( 0 != proc->init()  )
+    {
+        return;
+    }
+    m_processes.insert( std::make_pair(pid, proc ));
+    std::vector<std::string> events = proc->getEvents();
+    if (!events.empty())
+    {
+        reportEvents(events);
+    }
+//      m_pidCache.erase(iter);
+    //mterror(WM_PROC_LOGTAG, "exec process:%d exe:%s", pid, proc.exe().c_str());
+}
+void ProcMon::handleExitMsg( const event_msg_t& procMsg )
+{
+    pid_t pid = procMsg.proc_ev.event_data.exit.process_pid;
+    auto iter = m_pidCache.find( pid );
+    if ( iter != m_pidCache.end() )
+    {
+        m_pidCache.erase(iter);
+    }
+    auto procIter = m_processes.find(pid);
+    if ( procIter == m_processes.end() )
+    {
+        return;
+    }
+    std::vector<int> signals{ 3, 9, 10, 12, 15,16,17,30,31};
+    //if ( signals.end() == std::find( signals.begin(), signals.end(), procMsg.proc_ev.event_data.exit.exit_signal )
+    //|| (procMsg.proc_ev.event_data.exit.exit_code != 0))
+    {
+        // report abnormal events
+        cJSON *obj= cJSON_CreateObject();
+        cJSON_AddStringToObject(obj, "type", "exit");
+        cJSON_AddStringToObject(obj, "exe", procIter->second->exe().c_str());
+        cJSON_AddNumberToObject(obj, "pid", procIter->first);
+        cJSON_AddNumberToObject(obj, "event_time", time(0));
+        cJSON_AddNumberToObject(obj, "exit_signal", procMsg.proc_ev.event_data.exit.exit_signal);
+        cJSON_AddNumberToObject(obj, "exit_code", procMsg.proc_ev.event_data.exit.exit_code);
+        char *data = cJSON_PrintUnformatted( obj );
+        std::string msg(data);
+        free(data);
+        reportEvent( msg );
+        cJSON_Delete(obj);
+        //mterror(WM_PROC_LOGTAG, "%s", msg.c_str());
+    }
+    delete procIter->second;
+    m_processes.erase(procIter);
+    //mterror(WM_PROC_LOGTAG, "process collection:%d", m_processes.size());
+}
+void ProcMon::scanProcesses(time_t last)
+{
+    time_t now = time(0);
+//      mterror(WM_PROC_LOGTAG, "pid cache size: %d , process collection size : %d", m_pidCache.size(), m_processes.size());
+    for (auto iter = m_pidCache.begin(); iter != m_pidCache.end(); )
+    {
+        if ( now - iter->second.born < 1 || m_processes.find(iter->second.pid) != m_processes.end())
+        {
+            iter++;
+        }
+        else
+        {
+            Process *proc = new Process( iter->second.pid, iter->second.ppid, iter->second.born);
+            if (NULL != proc ) 
+            {
+                if(0 != proc->init())
+                { 
+                        delete proc;
+                                        proc = NULL;
+                                        continue;
+                }
+                std::pair<std::map<pid_t, Process*>::iterator, bool> ret = m_processes.insert(std::make_pair(iter->first, proc));
+                                if(!ret.second)
+                                {       
+                                        delete proc;
+                                        proc = NULL;
+                                        continue;
+                                }
+                std::vector<std::string> events = proc->getEvents();
+                if (!events.empty())
+                {
+                    reportEvents(events);
+                }
+            }
+            else
+            {
+                 // hidden process found
+                 cJSON *obj = cJSON_CreateObject();
+                 cJSON_AddStringToObject(obj, "type", "rootkit");
+                 cJSON_AddNumberToObject(obj, "pid", iter->first);
+                 cJSON_AddNumberToObject(obj, "event_time", iter->second.born);
+                 cJSON_AddNumberToObject(obj, "ppid", iter->second.ppid);
+                 auto parent = m_processes.find(iter->second.ppid);
+                 if (parent != m_processes.end())
+                 {
+                     cJSON_AddStringToObject(obj, "parent exe", parent->second->exe().c_str());
+                 }
+                 char *data = cJSON_PrintUnformatted(obj);
+                 std::string msg(data);
+                 free(data);
+                 reportEvent(msg);
+                 cJSON_Delete(obj);
+            }
+            iter = m_pidCache.erase(iter);
+        }
+        usleep( 500 );
+    }
+/*
+    if ( now - last < 60 )
+    {
+        return;
+    }
+*/
+    for (auto& procIter : m_processes )
+    {
+        procIter.second->scan();
+        std::vector<std::string> events = procIter.second->getEvents();
+        if (!events.empty())
+        {
+            reportEvents(events);
+        }
+        usleep( 5000 );
+    }
+}
+void ProcMon::reportEvent( const std::string& event )
+{
+    wm_sendmsg(MAX_PIPE_WAIT_USECOND, m_queueFd, event.c_str(), WM_PROC_LOCATION, PROC_COLLECTOR_MQ);
+}
+void ProcMon::reportEvents(const std::vector<std::string> &events)
+{
+    for (auto it : events)
+    {
+        wm_sendmsg(MAX_PIPE_WAIT_USECOND, m_queueFd, it.c_str(), WM_PROC_LOCATION, PROC_COLLECTOR_MQ);
+    }
+}
+#endif

diff --git a/connector/proc_mon_linux.cpp b/connector/proc_mon_linux.cpp new file mode 100755 index 0000000..16dd51c --- /dev/null +++ b/connector/proc_mon_linux.cpp
@@ -0,0 +1,487 @@
	1	#ifndef WIN32
	2	#include <unistd.h>
	3	#include <sys/socket.h>
	4	#include <algorithm>
	5	#include "shared.h"
	6	#include "proc_mon_linux.h"
	7	#include <malloc.h>
	8	#include "linux_proc_baseline.h"
	9
	10
	11	#define MAX_PIPE_WAIT_USECOND 100
	12	#define PROCESS_SCAN_ITERTIME 10
	13	const char *WM_PROC_LOCATION = "proc_collector";
	14
	15	ProcMon* ProcMon::m_instance = NULL;
	16
	17	ProcMon& ProcMon::instance()
	18	{
	19	if ( m_instance == NULL )
	20	{
	21	m_instance = new ProcMon;
	22	}
	23
	24	return *m_instance;
	25	}
	26
	27	void ProcMon::destroy()
	28	{
	29	delete m_instance;
	30	m_instance = NULL;
	31	}
	32
	33	int ProcMon::init( const wm_proc_t* config )
	34	{
	35	pthread_mutex_init(&m_mutex, NULL);
	36	setConfig( config );
	37
	38	int ret = setupNetlink();
	39	if (ret != 0 )
	40	{
	41	fini();
	42	return -1;
	43	}
	44
	45	ret = setupMQ();
	46	if (ret != 0 )
	47	{
	48	fini();
	49	return -1;
	50	}
	51
	52	return 0;
	53	}
	54
	55	int ProcMon::working()
	56	{
	57	int rc;
	58	event_msg_t procMsg;
	59	fd_set readfds;
	60	int maxfd = m_procFd + 1;
	61	struct timeval tv;
	62	time_t last = time(0);
	63
	64	if ( m_config.flags.enabled == 0 )
	65	{
	66	return 0;
	67	}
	68
	69	getInventoryProcesses();
	70
	71
	72	while ( 1 )
	73	{
	74	FD_ZERO(&readfds);
	75	FD_SET( m_procFd, &readfds );
	76	tv.tv_sec = 1;
	77	tv.tv_usec = 0;
	78
	79	if ( time(0) - last > PROCESS_SCAN_ITERTIME )
	80	{
	81	// scan processes
	82	scanProcesses(last);
	83	last = time(0);
	84	}
	85
	86	rc = select( maxfd, &readfds, NULL, NULL, &tv );
	87	if ( 0 == rc )
	88	{
	89	continue;
	90	}
	91
	92	if ( -1 == rc )
	93	{
	94	if ( errno == EINTR )
	95	{
	96	continue;
	97	}
	98
	99	mterror(WM_PROC_LOGTAG, "failed to listen to netlink socket, errno=(%d:%m)", errno);
	100	return rc;
	101	}
	102
	103	if ( FD_ISSET( m_procFd, &readfds ) )
	104	{
	105	rc = recv( m_procFd, &procMsg, sizeof(procMsg), 0 );
	106	if( rc > 0 )
	107	{
	108	switch (procMsg.proc_ev.what)
	109	{
	110	case proc_event::PROC_EVENT_FORK:
	111	handleForkMsg(procMsg);
	112	break;
	113	case proc_event::PROC_EVENT_EXEC:
	114	handleExecMsg(procMsg);
	115	break;
	116	case proc_event::PROC_EVENT_COMM:
	117	break;
	118	case proc_event::PROC_EVENT_EXIT:
	119	handleExitMsg(procMsg);
	120	break;
	121	default:
	122	break;
	123	}
	124	}
	125	else if (rc == -1)
	126	{
	127	if (errno == EINTR)
	128	{
	129	continue;
	130	}
	131	mterror(WM_PROC_LOGTAG, "failed to received from netlink socket, errno=(%d:%m)", errno);
	132	}
	133	}
	134
	135	malloc_trim(0);
	136	}
	137	}
	138
	139	ProcMon::ProcMon()
	140	{
	141	m_mutex = PTHREAD_MUTEX_INITIALIZER;
	142	m_processes.clear();
	143	m_pidCache.clear();
	144	m_procFd = -1;
	145	m_queueFd = -1;
	146	}
	147
	148	ProcMon::~ProcMon()
	149	{
	150	fini();
	151	}
	152
	153	void ProcMon::setConfig( const wm_proc_t* config )
	154	{
	155	m_config.flags.enabled = config->flags.enabled;
	156	m_config.flags.rootcheck = config->flags.rootcheck;
	157	m_config.flags.limitcheck = config->flags.limitcheck;
	158	m_config.flags.environcheck = config->flags.environcheck;
	159	m_config.flags.statuscheck = config->flags.statuscheck;
	160	m_config.flags.threadcheck = config->flags.threadcheck;
	161	m_config.flags.cgroupcheck = config->flags.cgroupcheck;
	162	m_config.flags.libcheck = config->flags.libcheck;
	163	m_config.flags.malwarecheck = config->flags.malwarecheck;
	164	m_config.interval = config->interval;
	165	}
	166
	167	int ProcMon::setupNetlink()
	168	{
	169	int rc;
	170	int nl_sock;
	171	struct sockaddr_nl sa_nl;
	172	register_msg_t nlcn_msg;
	173
	174	nl_sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
	175	if (nl_sock == -1)
	176	{
	177	mterror(WM_PROC_LOGTAG, "Can't open netlink socket");
	178	return -1;
	179	}
	180
	181	sa_nl.nl_family = AF_NETLINK;
	182	sa_nl.nl_groups = CN_IDX_PROC;
	183	sa_nl.nl_pid = getpid();
	184
	185	rc = bind(nl_sock, (struct sockaddr *)&sa_nl, sizeof(sa_nl));
	186	if (rc == -1)
	187	{
	188	mterror(WM_PROC_LOGTAG, "Can't bind netlink socket");
	189	close(nl_sock);
	190	return -1;
	191	}
	192
	193	// create listener
	194	memset(&nlcn_msg, 0, sizeof(nlcn_msg));
	195	nlcn_msg.nl_hdr.nlmsg_len = sizeof(nlcn_msg);
	196	nlcn_msg.nl_hdr.nlmsg_pid = getpid();
	197	nlcn_msg.nl_hdr.nlmsg_type = NLMSG_DONE;
	198
	199	nlcn_msg.cn_msg.id.idx = CN_IDX_PROC;
	200	nlcn_msg.cn_msg.id.val = CN_VAL_PROC;
	201	nlcn_msg.cn_msg.len = sizeof(enum proc_cn_mcast_op);
	202
	203	nlcn_msg.cn_mcast = PROC_CN_MCAST_LISTEN;
	204
	205	rc = send(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
	206	if (rc == -1)
	207	{
	208	mterror(WM_PROC_LOGTAG, "can't register to netlink");
	209	close(nl_sock);
	210	return -1;
	211	}
	212
	213	m_procFd = nl_sock;
	214	return 0;
	215	}
	216
	217	int ProcMon::setupMQ()
	218	{
	219	unsigned int indx;
	220	// Connect to socket
	221	for (indx = 0; indx < WM_MAX_ATTEMPTS; indx++)
	222	{
	223	m_queueFd = StartMQ(DEFAULTQPATH, WRITE);
	224	if (m_queueFd > 0)
	225	{
	226	break;
	227	}
	228	wm_delay(1000 * WM_MAX_WAIT);
	229	}
	230
	231	if (indx == WM_MAX_ATTEMPTS)
	232	{
	233	mterror(WM_PROC_LOGTAG, "Can't connect to queue.");
	234	pthread_exit(NULL);
	235	}
	236
	237	return 0;
	238	}
	239
	240
	241	void ProcMon::fini()
	242	{
	243	m_processes.clear();
	244	m_pidCache.clear();
	245	if (m_procFd != -1 )
	246	{
	247	close( m_procFd);
	248	m_procFd = -1;
	249	}
	250
	251	if (m_queueFd != -1 )
	252	{
	253	close( m_queueFd);
	254	m_queueFd = -1;
	255	}
	256	}
	257
	258	void ProcMon::getInventoryProcesses()
	259	{
	260	DIR *procDir = opendir( "/proc" );
	261	if ( NULL == procDir )
	262	{
	263	mterror(WM_PROC_LOGTAG, "failed to open /proc, errno=(%d:%m)", errno);
	264	return;
	265	}
	266
	267	struct dirent *entry = NULL;
	268	while (NULL != (entry = readdir(procDir)))
	269	{
	270	if (!strcmp(entry->d_name, ".") \|\| !strcmp(entry->d_name, ".."))
	271	{
	272	continue;
	273	}
	274	int pid = atoi(entry->d_name);
	275	if (0 == pid)
	276	{
	277	continue;
	278	}
	279
	280	Process *proc = new Process(pid);
	281	if ( NULL == proc )
	282	{
	283	continue;
	284	}
	285	if(0 != proc->init())
	286	{
	287	delete proc;
	288	proc = NULL;
	289	continue;
	290	}
	291	std::pair<std::map<pid_t, Process*>::iterator,bool> ret = m_processes.insert(std::make_pair(pid, proc));
	292	if(!ret.second)
	293	{
	294	delete proc;
	295	proc = NULL;
	296	continue;
	297	}
	298	std::vector<std::string> events = proc->getEvents();
	299	if ( !events.empty() )
	300	{
	301	reportEvents(events);
	302	}
	303	usleep( 500 );
	304	}
	305
	306	return;
	307	}
	308
	309	void ProcMon::handleForkMsg( const event_msg_t& procMsg )
	310	{
	311	pid_t pid = procMsg.proc_ev.event_data.fork.child_pid;
	312	auto iter = m_pidCache.find( pid );
	313	if ( iter != m_pidCache.end() )
	314	{
	315	m_pidCache.erase(iter);
	316	return;
	317	}
	318
	319	PidRelation relation;
	320	relation.pid = pid;
	321	relation.ppid = procMsg.proc_ev.event_data.fork.parent_pid;
	322	relation.pidEvent = PidRelation::FORKEVENT;
	323	relation.born = time(0);
	324
	325	m_pidCache.insert( std::make_pair(relation.pid, relation ));
	326	}
	327
	328	void ProcMon::handleExecMsg( const event_msg_t& procMsg )
	329	{
	330	pid_t pid = procMsg.proc_ev.event_data.exec.process_pid;
	331	auto iter = m_pidCache.find( pid );
	332	if ( iter == m_pidCache.end() )
	333	{
	334	return;
	335	}
	336
	337	//mterror(WM_PROC_LOGTAG, "cache size:%lu", m_pidCache.size());
	338	Process *proc = new Process( pid, iter->second.ppid, iter->second.born );
	339	if ( NULL == proc )
	340	{
	341	return;
	342	}
	343	// check hidden process
	344	if ( 0 != proc->init() )
	345	{
	346	return;
	347	}
	348	m_processes.insert( std::make_pair(pid, proc ));
	349	std::vector<std::string> events = proc->getEvents();
	350	if (!events.empty())
	351	{
	352	reportEvents(events);
	353	}
	354	// m_pidCache.erase(iter);
	355	//mterror(WM_PROC_LOGTAG, "exec process:%d exe:%s", pid, proc.exe().c_str());
	356	}
	357
	358	void ProcMon::handleExitMsg( const event_msg_t& procMsg )
	359	{
	360	pid_t pid = procMsg.proc_ev.event_data.exit.process_pid;
	361	auto iter = m_pidCache.find( pid );
	362	if ( iter != m_pidCache.end() )
	363	{
	364	m_pidCache.erase(iter);
	365	}
	366
	367	auto procIter = m_processes.find(pid);
	368	if ( procIter == m_processes.end() )
	369	{
	370	return;
	371	}
	372
	373	std::vector<int> signals{ 3, 9, 10, 12, 15,16,17,30,31};
	374
	375	//if ( signals.end() == std::find( signals.begin(), signals.end(), procMsg.proc_ev.event_data.exit.exit_signal )
	376	//\|\| (procMsg.proc_ev.event_data.exit.exit_code != 0))
	377	{
	378	// report abnormal events
	379	cJSON *obj= cJSON_CreateObject();
	380	cJSON_AddStringToObject(obj, "type", "exit");
	381	cJSON_AddStringToObject(obj, "exe", procIter->second->exe().c_str());
	382	cJSON_AddNumberToObject(obj, "pid", procIter->first);
	383	cJSON_AddNumberToObject(obj, "event_time", time(0));
	384	cJSON_AddNumberToObject(obj, "exit_signal", procMsg.proc_ev.event_data.exit.exit_signal);
	385	cJSON_AddNumberToObject(obj, "exit_code", procMsg.proc_ev.event_data.exit.exit_code);
	386	char *data = cJSON_PrintUnformatted( obj );
	387	std::string msg(data);
	388	free(data);
	389	reportEvent( msg );
	390	cJSON_Delete(obj);
	391	//mterror(WM_PROC_LOGTAG, "%s", msg.c_str());
	392	}
	393
	394	delete procIter->second;
	395	m_processes.erase(procIter);
	396	//mterror(WM_PROC_LOGTAG, "process collection:%d", m_processes.size());
	397	}
	398
	399	void ProcMon::scanProcesses(time_t last)
	400	{
	401	time_t now = time(0);
	402	// mterror(WM_PROC_LOGTAG, "pid cache size: %d , process collection size : %d", m_pidCache.size(), m_processes.size());
	403	for (auto iter = m_pidCache.begin(); iter != m_pidCache.end(); )
	404	{
	405	if ( now - iter->second.born < 1 \|\| m_processes.find(iter->second.pid) != m_processes.end())
	406	{
	407	iter++;
	408	}
	409	else
	410	{
	411	Process *proc = new Process( iter->second.pid, iter->second.ppid, iter->second.born);
	412	if (NULL != proc )
	413	{
	414	if(0 != proc->init())
	415	{
	416	delete proc;
	417	proc = NULL;
	418	continue;
	419	}
	420	std::pair<std::map<pid_t, Process*>::iterator, bool> ret = m_processes.insert(std::make_pair(iter->first, proc));
	421	if(!ret.second)
	422	{
	423	delete proc;
	424	proc = NULL;
	425	continue;
	426	}
	427	std::vector<std::string> events = proc->getEvents();
	428	if (!events.empty())
	429	{
	430	reportEvents(events);
	431	}
	432
	433	}
	434	else
	435	{
	436	// hidden process found
	437	cJSON *obj = cJSON_CreateObject();
	438	cJSON_AddStringToObject(obj, "type", "rootkit");
	439	cJSON_AddNumberToObject(obj, "pid", iter->first);
	440	cJSON_AddNumberToObject(obj, "event_time", iter->second.born);
	441	cJSON_AddNumberToObject(obj, "ppid", iter->second.ppid);
	442	auto parent = m_processes.find(iter->second.ppid);
	443	if (parent != m_processes.end())
	444	{
	445	cJSON_AddStringToObject(obj, "parent exe", parent->second->exe().c_str());
	446	}
	447	char *data = cJSON_PrintUnformatted(obj);
	448	std::string msg(data);
	449	free(data);
	450	reportEvent(msg);
	451	cJSON_Delete(obj);
	452	}
	453	iter = m_pidCache.erase(iter);
	454	}
	455	usleep( 500 );
	456	}
	457	/*
	458	if ( now - last < 60 )
	459	{
	460	return;
	461	}
	462	*/
	463	for (auto& procIter : m_processes )
	464	{
	465	procIter.second->scan();
	466	std::vector<std::string> events = procIter.second->getEvents();
	467	if (!events.empty())
	468	{
	469	reportEvents(events);
	470	}
	471	usleep( 5000 );
	472	}
	473	}
	474
	475	void ProcMon::reportEvent( const std::string& event )
	476	{
	477	wm_sendmsg(MAX_PIPE_WAIT_USECOND, m_queueFd, event.c_str(), WM_PROC_LOCATION, PROC_COLLECTOR_MQ);
	478	}
	479
	480	void ProcMon::reportEvents(const std::vector<std::string> &events)
	481	{
	482	for (auto it : events)
	483	{
	484	wm_sendmsg(MAX_PIPE_WAIT_USECOND, m_queueFd, it.c_str(), WM_PROC_LOCATION, PROC_COLLECTOR_MQ);
	485	}
	486	}
	487	#endif