1 files changed, 30 insertions, 17 deletions
diff --git a/src/organize.go b/src/organize.go
index 679f361..2489961 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -21,11 +21,11 @@ var ok bool
 var event Event
 var pEvent *Event
 var eventId, argc int
-var err [6]error
+var errs [6]error
 // 要用的正则匹配列表
 var (
-        syscallRegex   = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?(exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?$`)
+        syscallRegex   = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?$`)
        execveRegex    = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
        argsRegex      = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`)
        pathRegex      = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):.*?name="(.*?)"`)
@@ -76,17 +76,17 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
        var a [4]uint64
        // 捕获基础信息
        match := syscallRegex.FindSubmatch(rawEvent.Data)
-        event.timestamp, err[0] = getTimeFromStr(string(match[1]))
+        event.timestamp, errs[0] = getTimeFromStr(string(match[1]))
-        eventId, err[1] = strconv.Atoi(string(match[2]))
+        eventId, errs[1] = strconv.Atoi(string(match[2]))
-        event.syscall, err[2] = strconv.Atoi(string(match[3]))
+        event.syscall, errs[2] = strconv.Atoi(string(match[3]))
-        if string(match[5]) == "" {
+        if string(match[4]) == "" {
                // exit没捕获到
                exit = 0
        } else {
-                exit, err[3] = strconv.Atoi(string(match[5]))
+                exit, errs[3] = strconv.Atoi(string(match[4]))
        }
-        event.ppid, err[4] = strconv.Atoi(string(match[6]))
+        event.ppid, errs[4] = strconv.Atoi(string(match[5]))
-        event.pid, err[5] = strconv.Atoi(string(match[7]))
+        event.pid, errs[5] = strconv.Atoi(string(match[6]))
        // 捕获参数
        if !argsRegex.Match(rawEvent.Data) {
@@ -95,7 +95,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
        }
        argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
        for i := 0; i < 4; i++ {
-                a[i], err[0] = strconv.ParseUint(string(argsMatch[i][2]), 16, 64)
+                a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][2]), 16, 64)
        }
        switch syscallTable[event.syscall] {
@@ -136,6 +136,18 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
                        syscallParam: a,
                        pathName:     "",
                })
+        case "execve":
+                eventTable.Store(eventId, &Event{
+                        tag:       EXECVE,
+                        timestamp: event.timestamp,
+                        syscall:   event.syscall,
+                        exit_code: a[0],
+                        ppid:      event.ppid,
+                        pid:       event.pid,
+                        argc:      0,
+                        argv:      make([]string, 0),
+                        cwd:       "",
+                })
        case "exit", "exit_group":
                eventTable.Store(eventId, &Event{
                        tag:       PIDEXIT,
@@ -157,14 +169,14 @@ func execve(rawEvent libaudit.RawAuditMessage) {
        }
        match := execveRegex.FindSubmatch(rawEvent.Data)
-        eventId, err[0] = strconv.Atoi(string(match[1]))
+        eventId, errs[0] = strconv.Atoi(string(match[1]))
-        argc, err[1] = strconv.Atoi(string(match[2]))
+        argc, errs[1] = strconv.Atoi(string(match[2]))
        tmp, ok = eventTable.Load(eventId)
        if !ok {
                return
        }
        pEvent = tmp.(*Event)
-        if err[0] == nil && err[1] == nil && argsRegex.Match(rawEvent.Data) {
+        if errs[0] == nil && errs[1] == nil && argsRegex.Match(rawEvent.Data) {
                match := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
                for i := 0; i < argc; i++ {
                        if len(match[i][2]) == 0 {
@@ -185,7 +197,7 @@ func cwd(rawEvent libaudit.RawAuditMessage) {
        }
        match := cwdRegex.FindSubmatch(rawEvent.Data)
-        eventId, err[0] = strconv.Atoi(string(match[1]))
+        eventId, errs[0] = strconv.Atoi(string(match[1]))
        tmp, ok = eventTable.Load(eventId)
        if !ok {
                return
@@ -200,7 +212,7 @@ func proctitle(rawEvent libaudit.RawAuditMessage) {
        var cmdline string
        match := proctitleRegex.FindSubmatch(rawEvent.Data)
-        eventId, err[0] = strconv.Atoi(string(match[1]))
+        eventId, errs[0] = strconv.Atoi(string(match[1]))
        tmp, ok = eventTable.Load(eventId)
        if !ok {
                return
@@ -225,13 +237,14 @@ func eoe(rawEvent libaudit.RawAuditMessage) {
        }
        match := eoeRegex.FindSubmatch(rawEvent.Data)
-        eventId, err[0] = strconv.Atoi(string(match[1]))
+        eventId, errs[0] = strconv.Atoi(string(match[1]))
        tmp, ok = eventTable.Load(eventId)
        if !ok {
                return
        }
        cooked := *(tmp.(*Event))
        cookedChan <- cooked
+        fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid)
        eventTable.Delete(eventId) // 死人别占地
 }
@@ -240,7 +253,7 @@ func path(rawEvent libaudit.RawAuditMessage) {
                return
        }
        match := pathRegex.FindSubmatch(rawEvent.Data)
-        eventId, err[0] = strconv.Atoi(string(match[1]))
+        eventId, errs[0] = strconv.Atoi(string(match[1]))
        name := string(match[2])
        tmp, ok = eventTable.Load(eventId)