1 files changed, 116 insertions, 0 deletions

diff --git a/src/godo.go b/src/godo.go
new file mode 100644
index 0000000..6f73893
--- /dev/null
+++ b/src/godo.go
@@ -0,0 +1,116 @@
+package main
+
+import (
+        "flag"
+        "fmt"
+        "log"
+        "os"
+        "os/exec"
+        "time"
+
+        "github.com/elastic/go-libaudit/v2"
+)
+
+var (
+        fs          = flag.NewFlagSet("audit", flag.ExitOnError)
+        diag        = fs.String("diag", "", "dump raw information from kernel to file")
+        rate        = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
+        backlog     = fs.Uint("backlog", 8192, "backlog limit")
+        immutable   = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
+        receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
+)
+
+type Event struct {
+        timestamp time.Time
+        pid, ppid int
+        syscall   int
+        argc      int
+        argv      []string
+        cwd       string
+}
+
+type process struct {
+        timestamp time.Time
+        pid, ppid int
+        argv      []string
+        cwd       string
+        rootfs    string
+        children  []int
+}
+
+func main() {
+        // 检查用户身份，并添加auditd规则，监听所有syscall
+        if os.Geteuid() != 0 {
+                fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid())
+                return
+        }
+
+        // 所有的系统调用号与名称的关系
+        err := figureOutSyscalls()
+        if err != nil {
+                fmt.Printf("Error figuring out syscall numbers: %v\n", err)
+        }
+
+        syscall := [6]string{"fork", "vfork", "clone", "execve", "exit", "exit_group"}
+        var auditCmd *exec.Cmd
+        auditCmd = exec.Command("auditctl", "-D") // 清空所有规则
+        auditCmd.Run()
+        // 设置监听规则
+        for i := 0; i < len(syscall); i++ {
+                auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", syscall[i])
+                auditCmd.Run()
+        }
+
+        // 查找pid
+        containerdPid, err = getPid()
+        if err != nil {
+                fmt.Printf("Error finding containerd: %v\n", err)
+                return
+        }
+
+        // 创世之神，1号进程
+        // pids[1] = &process{rootfs: "/", children: make([]int, 0)}
+        // pids[1].children = append(pids[1].children, containerdPid)
+        // 1号进程还是不要在进程树上直接出现了，不然它的小儿子们都会出现
+
+        // /usr/bin/containerd，也就是我们最关注的进程
+        // pids[containerdPid] = &process{rootfs: "/", children: make([]int, 0)}
+        pids.Store(containerdPid, &process{
+                ppid:     1,
+                pid:      containerdPid,
+                argv:     make([]string, 0),
+                cwd:      "/",
+                rootfs:   "/",
+                children: make([]int, 0),
+        })
+        p, ok := pids.Load(containerdPid)
+        if !ok {
+                fmt.Printf("???\n")
+                return
+        }
+        p.(*process).argv = append(p.(*process).argv, "/usr/bin/containerd")
+
+        // 开始运行，解析命令行参数后监听
+        if err := fs.Parse(os.Args[1:]); err != nil {
+                log.Fatal(err)
+        }
+
+        if err := read(); err != nil {
+                log.Fatalf("error: %v", err)
+        }
+}
+
+func coroutine(client *libaudit.AuditClient) {
+        // 各协程至此开始
+        rawChan = make(chan interface{})
+        cookedChan = make(chan Event)
+        wg.Add(1)
+        go receive(client)
+        wg.Add(1)
+        go orgnaze()
+        wg.Add(1)
+        go deal()
+
+        wg.Wait()
+        time.Sleep(2 * time.Second)
+}