1 files changed, 57 insertions, 22 deletions

diff --git a/src/organize.go b/src/organize.go
index bb6736a..d963288 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -1,9 +1,11 @@
 package main
 
 import (
+        "fmt"
         "regexp"
         "strconv"
         "strings"
+        "sync"
 
         "github.com/elastic/go-libaudit/v2"
         "github.com/elastic/go-libaudit/v2/auparse"
@@ -19,16 +21,20 @@ func orgnaze() {
         // 事件信息
         var eventId, argc int
         var err [6]error
-        var event, cooked Event
+        var event Event
+        var pEvent *Event
+        var tmp any
         // 为每个事务id存储其信息，事务id在操作系统运行期间是唯一的
-        eventTable := make(map[int]*Event)
+        var eventTable sync.Map
+
         // 要用的正则匹配列表
-        syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?(exit=([-+]?\d+).*?)?ppid=(\d+) pid=(\d+).*?$`)
+        syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?(exit=([-+]?\d+))? a0=([0-9a-fA-F]+).*?ppid=(\d+) pid=(\d+).*?$`)
         execveRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
         argsRegex := regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`)
         cwdRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):  cwd="(.*?)"`)
         proctitleRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`)
         eoeRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`)
+
         for {
                 raw, ok = <-rawChan
                 if !ok {
@@ -44,39 +50,53 @@ func orgnaze() {
                                 eventId, err[1] = strconv.Atoi(string(match[2]))
                                 event.syscall, err[2] = strconv.Atoi(string(match[3]))
                                 var exit int
-                                // exit, err[3] = strconv.Atoi(string(match[4]))
+                                var a0 uint64
                                 if string(match[5]) == "" {
                                         // exit没捕获到
                                         exit = 0
                                 } else {
                                         exit, err[3] = strconv.Atoi(string(match[5]))
                                 }
-                                event.ppid, err[4] = strconv.Atoi(string(match[5]))
-                                event.pid, err[5] = strconv.Atoi(string(match[6]))
+                                if string(match[6]) == "" {
+                                        a0 = 0
+                                } else {
+                                        // 系统调用的第一个参数
+                                        // exit和exit_group都是syscall_define1，只有一个参数
+                                        // fork没参数，clone几个参数不重要
+                                        // execve三个参数咱也不关心
+                                        // 所以看第一个就够了
+                                        a0, err[4] = strconv.ParseUint(string(match[6]), 16, 64)
+                                }
+                                event.ppid, err[4] = strconv.Atoi(string(match[7]))
+                                event.pid, err[5] = strconv.Atoi(string(match[8]))
                                 if syscallTable[event.syscall] == "clone" {
-                                        if exit == 0 {
+                                        if exit == 0 || event.pid > exit {
+                                                // exit=0是给新进程的返回，没用
+                                                // pid>exit，证明有问题，抛弃
                                                 break
                                         } else {
-                                                eventTable[eventId] = &Event{
+                                                eventTable.Store(eventId, &Event{
                                                         timestamp: event.timestamp,
                                                         syscall:   event.syscall,
+                                                        exit_code: 0,
                                                         ppid:      event.pid,
                                                         pid:       exit,
                                                         argc:      0,
                                                         argv:      make([]string, 0),
                                                         cwd:       "",
-                                                }
+                                                })
                                         }
                                 } else {
-                                        eventTable[eventId] = &Event{
+                                        eventTable.Store(eventId, &Event{
                                                 timestamp: event.timestamp,
                                                 syscall:   event.syscall,
+                                                exit_code: a0,
                                                 ppid:      event.ppid,
                                                 pid:       event.pid,
                                                 argc:      0,
                                                 argv:      make([]string, 0),
                                                 cwd:       "",
-                                        }
+                                        })
                                 }
                         }
                 case auparse.AUDIT_EXECVE:
@@ -84,34 +104,45 @@ func orgnaze() {
                                 match := execveRegex.FindSubmatch(rawEvent.Data)
                                 eventId, err[0] = strconv.Atoi(string(match[1]))
                                 argc, err[1] = strconv.Atoi(string(match[2]))
+                                tmp, ok = eventTable.Load(eventId)
+                                if !ok {
+                                        break
+                                }
+                                pEvent = tmp.(*Event)
                                 if err[0] == nil && err[1] == nil && argsRegex.Match(rawEvent.Data) {
                                         match := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
                                         for i := 0; i < argc; i++ {
                                                 if len(match[i][2]) == 0 {
                                                         // 代表着匹配到的是十六进制数
                                                         str := hexToAscii(string(match[i][3]))
-                                                        eventTable[eventId].argv = append(eventTable[eventId].argv, str)
+                                                        pEvent.argv = append(pEvent.argv, str)
                                                 } else {
-                                                        eventTable[eventId].argv = append(eventTable[eventId].argv, string(match[i][2]))
+                                                        pEvent.argv = append(pEvent.argv, string(match[i][2]))
                                                 }
                                         }
-                                        eventTable[eventId].argc = argc
+                                        pEvent.argc = argc
                                 }
                         }
-                // case auparse.AUDIT_PATH:
                 case auparse.AUDIT_CWD:
                         if cwdRegex.Match(rawEvent.Data) {
                                 match := cwdRegex.FindSubmatch(rawEvent.Data)
                                 eventId, err[0] = strconv.Atoi(string(match[1]))
-                                eventTable[eventId].cwd = string(match[2])
+                                tmp, ok = eventTable.Load(eventId)
+                                if !ok {
+                                        break
+                                }
+                                tmp.(*Event).cwd = string(match[2])
                         }
                 case auparse.AUDIT_PROCTITLE:
                         if proctitleRegex.Match(rawEvent.Data) {
                                 var cmdline string
-                                var pEvent *Event
                                 match := proctitleRegex.FindSubmatch(rawEvent.Data)
                                 eventId, err[0] = strconv.Atoi(string(match[1]))
-                                pEvent = eventTable[eventId]
+                                tmp, ok = eventTable.Load(eventId)
+                                if !ok {
+                                        break
+                                }
+                                pEvent = tmp.(*Event)
                                 if pEvent.argc == 0 {
                                         // 只有等于0，才证明没经过EXECVE提取参数，才允许使用PROCTITLE提取参数
                                         if match[3] == nil {
@@ -121,17 +152,21 @@ func orgnaze() {
                                                 cmdline = string(match[3])
                                         }
                                         pEvent.argv = strings.Split(cmdline, " ")
-                                        pEvent.argc = len(eventTable[eventId].argv)
+                                        pEvent.argc = len(pEvent.argv)
                                 }
                         }
                 case auparse.AUDIT_EOE:
                         if eoeRegex.Match(rawEvent.Data) {
                                 match := eoeRegex.FindSubmatch(rawEvent.Data)
                                 eventId, err[0] = strconv.Atoi(string(match[1]))
-                                // ATTENTION: 事件整理完毕，即刻发出，是否合理呢？
-                                cooked = *eventTable[eventId] // 应当采用深拷贝吗？有待实验
+                                tmp, ok = eventTable.Load(eventId)
+                                if !ok {
+                                        break
+                                }
+                                cooked := *(tmp.(*Event))
                                 cookedChan <- cooked
-                                delete(eventTable, eventId) //发出之后就从信息表扔掉，死人别占地
+                                eventTable.Delete(eventId) // 死人别占地
+                                fmt.Printf("%d: %3d %6d %6d\n", eventId, cooked.syscall, cooked.ppid, cooked.pid)
                         }
                 default:
                         // ATTENTION: 这里也需要做防护