diff options
Diffstat (limited to 'src/deal.go')
| -rw-r--r-- | src/deal.go | 45 |
1 files changed, 23 insertions, 22 deletions
diff --git a/src/deal.go b/src/deal.go index 483d4d2..1dd309c 100644 --- a/src/deal.go +++ b/src/deal.go | |||
| @@ -67,17 +67,19 @@ func deal() { | |||
| 67 | case PIDEXIT: | 67 | case PIDEXIT: |
| 68 | go deletePid(cooked) | 68 | go deletePid(cooked) |
| 69 | case FILEOPEN: | 69 | case FILEOPEN: |
| 70 | fileOpen(cooked) | 70 | go fileOpen(cooked) |
| 71 | case FILEWRITE: | 71 | case FILEWRITE: |
| 72 | fileWrite(cooked) | 72 | go fileWrite(cooked) |
| 73 | case FILECLOSE: | 73 | case FILECLOSE: |
| 74 | fileClose(cooked) | 74 | go fileClose(cooked) |
| 75 | } | 75 | } |
| 76 | } | 76 | } |
| 77 | } | 77 | } |
| 78 | 78 | ||
| 79 | func deletePid(cooked Event) { | 79 | func deletePid(cooked Event) { |
| 80 | pidCol.GetLock() | 80 | if !pidCol.GetLock() { |
| 81 | return | ||
| 82 | } | ||
| 81 | // 先从老爹那里销户 | 83 | // 先从老爹那里销户 |
| 82 | pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{ | 84 | pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{ |
| 83 | "$pull": bson.M{ | 85 | "$pull": bson.M{ |
| @@ -102,9 +104,9 @@ func deletePid(cooked Event) { | |||
| 102 | } | 104 | } |
| 103 | 105 | ||
| 104 | func dealNewPid(cooked Event) { | 106 | func dealNewPid(cooked Event) { |
| 105 | fmt.Printf("Fork: %v\t%6d\t%6d\n", cooked.timestamp, cooked.ppid, cooked.pid) | 107 | fmt.Printf("Fork\t%6d\t%6d\t%6d\t%6d\n", cooked.ppid, cooked.parentTgid, cooked.pid, cooked.tgid) |
| 106 | // 有无父进程在观察中 | 108 | // 有无父进程在观察中 |
| 107 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) | 109 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.parentTgid}) |
| 108 | if err != nil || len(docRes) != 1 { | 110 | if err != nil || len(docRes) != 1 { |
| 109 | return | 111 | return |
| 110 | } | 112 | } |
| @@ -116,7 +118,9 @@ func dealNewPid(cooked Event) { | |||
| 116 | return | 118 | return |
| 117 | } | 119 | } |
| 118 | 120 | ||
| 119 | pidCol.GetLock() | 121 | if !pidCol.GetLock() { |
| 122 | return | ||
| 123 | } | ||
| 120 | if len(docRes) != 0 { | 124 | if len(docRes) != 0 { |
| 121 | // 进程原本就存在,换言之别的消息先到了 | 125 | // 进程原本就存在,换言之别的消息先到了 |
| 122 | // 所有先行抵达的消息必须保留execve/children字段 | 126 | // 所有先行抵达的消息必须保留execve/children字段 |
| @@ -125,7 +129,9 @@ func dealNewPid(cooked Event) { | |||
| 125 | pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ | 129 | pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ |
| 126 | "start_timestamp": cooked.timestamp, | 130 | "start_timestamp": cooked.timestamp, |
| 127 | "ppid": cooked.ppid, | 131 | "ppid": cooked.ppid, |
| 132 | "parentTgid": cooked.parentTgid, | ||
| 128 | "pid": cooked.pid, | 133 | "pid": cooked.pid, |
| 134 | "tgid": cooked.tgid, | ||
| 129 | "cwd": cooked.cwd, | 135 | "cwd": cooked.cwd, |
| 130 | // "execve": []bson.M{}, | 136 | // "execve": []bson.M{}, |
| 131 | "args": cooked.argv, | 137 | "args": cooked.argv, |
| @@ -136,7 +142,9 @@ func dealNewPid(cooked Event) { | |||
| 136 | pidCol.InsertOne(bson.M{ | 142 | pidCol.InsertOne(bson.M{ |
| 137 | "start_timestamp": cooked.timestamp, | 143 | "start_timestamp": cooked.timestamp, |
| 138 | "ppid": cooked.ppid, | 144 | "ppid": cooked.ppid, |
| 145 | "parentTgid": cooked.parentTgid, | ||
| 139 | "pid": cooked.pid, | 146 | "pid": cooked.pid, |
| 147 | "tgid": cooked.tgid, | ||
| 140 | "cwd": cooked.cwd, | 148 | "cwd": cooked.cwd, |
| 141 | "execve": []bson.M{}, | 149 | "execve": []bson.M{}, |
| 142 | "args": cooked.argv, | 150 | "args": cooked.argv, |
| @@ -153,7 +161,6 @@ func dealNewPid(cooked Event) { | |||
| 153 | } | 161 | } |
| 154 | 162 | ||
| 155 | func dealExecve(cooked Event) { | 163 | func dealExecve(cooked Event) { |
| 156 | fmt.Printf("EXEC: %6d\t%6d\n", cooked.ppid, cooked.pid) | ||
| 157 | // 父进程在不在?不在扔 | 164 | // 父进程在不在?不在扔 |
| 158 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) | 165 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) |
| 159 | if err != nil || len(docRes) != 1 { | 166 | if err != nil || len(docRes) != 1 { |
| @@ -166,7 +173,9 @@ func dealExecve(cooked Event) { | |||
| 166 | return | 173 | return |
| 167 | } | 174 | } |
| 168 | 175 | ||
| 169 | pidCol.GetLock() | 176 | if !pidCol.GetLock() { |
| 177 | return | ||
| 178 | } | ||
| 170 | if len(docRes) == 1 { | 179 | if len(docRes) == 1 { |
| 171 | // 自身已在,直接记录 | 180 | // 自身已在,直接记录 |
| 172 | pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ | 181 | pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ |
| @@ -215,22 +224,14 @@ func fileOpen(cooked Event) { | |||
| 215 | } | 224 | } |
| 216 | 225 | ||
| 217 | func fileClose(cooked Event) { | 226 | func fileClose(cooked Event) { |
| 218 | res, err := fdCol.Finddoc(bson.M{ | 227 | res, err := fdCol.FindOneAndDelete(bson.M{"pid": cooked.pid, "fd": cooked.syscallParam[0]}) |
| 219 | "pid": cooked.pid, | ||
| 220 | "fd": cooked.syscallParam[0], | ||
| 221 | "close_timestamp": bson.M{"$exists": false}, | ||
| 222 | }) | ||
| 223 | if err != nil { | 228 | if err != nil { |
| 224 | fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err) | ||
| 225 | } | ||
| 226 | if len(res) == 0 { | ||
| 227 | return | 229 | return |
| 228 | } | 230 | } |
| 229 | fdCol.UpdateOne(bson.M{ | 231 | res["close_timestamp"] = cooked.timestamp |
| 230 | "pid": cooked.pid, | 232 | if err := fileCol.InsertOne(res); err != nil { |
| 231 | "fd": cooked.syscallParam[0], | 233 | fmt.Printf("Err inserting files: %v\n", err) |
| 232 | "close_timestamp": bson.M{"$exists": false}, | 234 | } |
| 233 | }, bson.M{"$set": bson.M{"close_timestamp": cooked.timestamp}}) | ||
| 234 | } | 235 | } |
| 235 | 236 | ||
| 236 | func fileWrite(cooked Event) { | 237 | func fileWrite(cooked Event) { |