Diffstat (limited to '')
-rw-r--r--src/deal.go45
1 files changed, 23 insertions, 22 deletions
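--- a/src/deal.go
+++ b/src/deal.go
@@ -67,17 +67,19 @@ func deal() {
 		case PIDEXIT:
 			go deletePid(cooked)
 		case FILEOPEN:
-			fileOpen(cooked)
+			go fileOpen(cooked)
 		case FILEWRITE:
-			fileWrite(cooked)
+			go fileWrite(cooked)
 		case FILECLOSE:
-			fileClose(cooked)
+			go fileClose(cooked)
 		}
 	}
 }
 
 func deletePid(cooked Event) {
-	pidCol.GetLock()
+	if !pidCol.GetLock() {
+		return
+	}
 	// 先从老爹那里销户
 	pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{
 		"$pull": bson.M{
@@ -102,9 +104,9 @@ func deletePid(cooked Event) {
 }
 
 func dealNewPid(cooked Event) {
-	fmt.Printf("Fork: %v\t%6d\t%6d\n", cooked.timestamp, cooked.ppid, cooked.pid)
+	fmt.Printf("Fork\t%6d\t%6d\t%6d\t%6d\n", cooked.ppid, cooked.parentTgid, cooked.pid, cooked.tgid)
 	// 有无父进程在观察中
-	docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
+	docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.parentTgid})
 	if err != nil || len(docRes) != 1 {
 		return
 	}
@@ -116,7 +118,9 @@ func dealNewPid(cooked Event) {
 		return
 	}
 
-	pidCol.GetLock()
+	if !pidCol.GetLock() {
+		return
+	}
 	if len(docRes) != 0 {
 		// 进程原本就存在,换言之别的消息先到了
 		// 所有先行抵达的消息必须保留execve/children字段
@@ -125,7 +129,9 @@ func dealNewPid(cooked Event) {
 		pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
 			"start_timestamp": cooked.timestamp,
 			"ppid": cooked.ppid,
+			"parentTgid": cooked.parentTgid,
 			"pid": cooked.pid,
+			"tgid": cooked.tgid,
 			"cwd": cooked.cwd,
 			// "execve": []bson.M{},
 			"args": cooked.argv,
@@ -136,7 +142,9 @@ func dealNewPid(cooked Event) {
 		pidCol.InsertOne(bson.M{
 			"start_timestamp": cooked.timestamp,
 			"ppid": cooked.ppid,
+			"parentTgid": cooked.parentTgid,
 			"pid": cooked.pid,
+			"tgid": cooked.tgid,
 			"cwd": cooked.cwd,
 			"execve": []bson.M{},
 			"args": cooked.argv,
@@ -153,7 +161,6 @@ func dealNewPid(cooked Event) {
 }
 
 func dealExecve(cooked Event) {
-	fmt.Printf("EXEC: %6d\t%6d\n", cooked.ppid, cooked.pid)
 	// 父进程在不在?不在扔
 	docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
 	if err != nil || len(docRes) != 1 {
@@ -166,7 +173,9 @@ func dealExecve(cooked Event) {
 		return
 	}
 
-	pidCol.GetLock()
+	if !pidCol.GetLock() {
+		return
+	}
 	if len(docRes) == 1 {
 		// 自身已在,直接记录
 		pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
@@ -215,22 +224,14 @@ func fileOpen(cooked Event) {
 }
 
 func fileClose(cooked Event) {
-	res, err := fdCol.Finddoc(bson.M{
-		"pid": cooked.pid,
-		"fd": cooked.syscallParam[0],
-		"close_timestamp": bson.M{"$exists": false},
-	})
+	res, err := fdCol.FindOneAndDelete(bson.M{"pid": cooked.pid, "fd": cooked.syscallParam[0]})
 	if err != nil {
-		fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err)
-	}
-	if len(res) == 0 {
 		return
 	}
-	fdCol.UpdateOne(bson.M{
-		"pid": cooked.pid,
-		"fd": cooked.syscallParam[0],
-		"close_timestamp": bson.M{"$exists": false},
-	}, bson.M{"$set": bson.M{"close_timestamp": cooked.timestamp}})
+	res["close_timestamp"] = cooked.timestamp
+	if err := fileCol.InsertOne(res); err != nil {
+		fmt.Printf("Err inserting files: %v\n", err)
+	}
 }
 
 func fileWrite(cooked Event) {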
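Review bot: Dispatching fileOpen, fileWrite and fileClose with `go` (new lines 70–74 in deal's switch) drops the per-event ordering the synchronous calls guaranteed, so a close event arriving right after the open of the same pid/fd can run `fdCol.FindOneAndDelete` before the open's record has been written, leaving an orphaned entry in fdCol and no record in fileCol; fileWrite can likewise run before fileOpen. Either keep these three calls synchronous or serialize events per pid (one worker fed by a channel) rather than spawning a goroutine per event. In fileClose (new line 228) the lookup error is now dropped silently where the old code printed it, and `res["close_timestamp"] = cooked.timestamp` on line 231 will panic if the wrapper reports a missing document as a nil map with a nil error — worth confirming FindOneAndDelete's not-found behaviour and restoring a log line such as `fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err)`. The `if !pidCol.GetLock() { return }` guards added in deletePid, dealNewPid and dealExecve also drop the event without any trace, which for PIDEXIT means the pid document is never removed; a log line there would make lock failures visible. deal() starts outside the hunk.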