Diffstat (limited to '')
-rw-r--r-- | src/deal.go | 57 | ||||
-rw-r--r-- | src/global.go | 48 |
2 files changed, 86 insertions, 19 deletions
diff --git a/src/deal.go b/src/deal.go index aaac8c5..717344c 100644 --- a/src/deal.go +++ b/src/deal.go | |||
@@ -55,18 +55,25 @@ func deal() { | |||
55 | break | 55 | break |
56 | } | 56 | } |
57 | 57 | ||
58 | // fmt.Printf("%v\n", cooked) | ||
59 | |||
58 | switch cooked.tag { | 60 | switch cooked.tag { |
59 | case NEWPID: | 61 | case NEWPID: |
60 | dealNewPid(cooked) | 62 | dealNewPid(cooked) |
61 | case EXECVE: | 63 | case EXECVE: |
64 | check(cooked) | ||
62 | dealExecve(cooked) | 65 | dealExecve(cooked) |
63 | case PIDEXIT: | 66 | case PIDEXIT: |
67 | check(cooked) | ||
64 | deletePid(cooked) | 68 | deletePid(cooked) |
65 | case FILEOPEN: | 69 | case FILEOPEN: |
70 | check(cooked) | ||
66 | fileOpen(cooked) | 71 | fileOpen(cooked) |
67 | case FILEWRITE: | 72 | case FILEWRITE: |
73 | check(cooked) | ||
68 | fileWrite(cooked) | 74 | fileWrite(cooked) |
69 | case FILECLOSE: | 75 | case FILECLOSE: |
76 | check(cooked) | ||
70 | fileClose(cooked) | 77 | fileClose(cooked) |
71 | } | 78 | } |
72 | } | 79 | } |
@@ -168,19 +175,19 @@ func dealExecve(cooked Event) { | |||
168 | }, | 175 | }, |
169 | }, | 176 | }, |
170 | }) | 177 | }) |
171 | } else { | 178 | // } else { |
172 | // 先fork抵达,插入 | 179 | // // 先fork抵达,插入 |
173 | pidCol.InsertOne(bson.M{ | 180 | // pidCol.InsertOne(bson.M{ |
174 | "ppid": cooked.ppid, | 181 | // "ppid": cooked.ppid, |
175 | "pid": cooked.pid, | 182 | // "pid": cooked.pid, |
176 | "children": []bson.M{}, | 183 | // "children": []bson.M{}, |
177 | "execve": []bson.M{ | 184 | // "execve": []bson.M{ |
178 | { | 185 | // { |
179 | "timestamp": cooked.timestamp, | 186 | // "timestamp": cooked.timestamp, |
180 | "execArgs": cooked.argv, | 187 | // "execArgs": cooked.argv, |
181 | }, | 188 | // }, |
182 | }, | 189 | // }, |
183 | }) | 190 | // }) |
184 | } | 191 | } |
185 | mongoMutex.Unlock() | 192 | mongoMutex.Unlock() |
186 | } | 193 | } |
@@ -255,3 +262,27 @@ func fileWrite(cooked Event) { | |||
255 | "close_timestamp": bson.M{"$exists": false}, | 262 | "close_timestamp": bson.M{"$exists": false}, |
256 | }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) | 263 | }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) |
257 | } | 264 | } |
265 | |||
266 | func check(cooked Event) { | ||
267 | // 检查进程是否需要记录 | ||
268 | // 有无父进程在观察中 | ||
269 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) | ||
270 | if err != nil || len(docRes) != 1 { | ||
271 | return | ||
272 | } | ||
273 | |||
274 | // 自身是否已经记录 | ||
275 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid}) | ||
276 | if err != nil { | ||
277 | fmt.Printf("Err finding: %v\n", err) | ||
278 | return | ||
279 | } | ||
280 | if len(docRes) == 0 { | ||
281 | pidCol.InsertOne(bson.M{ | ||
282 | "ppid": cooked.ppid, | ||
283 | "pid": cooked.pid, | ||
284 | "children": []bson.M{}, | ||
285 | "start_timestamp": cooked.timestamp, | ||
286 | }) | ||
287 | } | ||
288 | } | ||
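Review bot: The new `check` (lines 266-288) assigns `docRes, err =` with a plain `=`, so both appear to be package-level variables declared outside this diff; if `deal` runs on more than one goroutine (the file keeps a `wg sync.WaitGroup`) that shared state is a data race, and unlike `dealExecve` the function performs its Mongo calls without taking `mongoMutex`. Beyond the race, the find-then-insert at 275-286 is not atomic: two events for the same pid arriving close together can both observe `len(docRes) == 0` and insert duplicate documents, after which the `len(docRes) != 1` parent test at 270 fails for every child of that process and its events are silently dropped. Declaring the results locally (`docRes, err := pidCol.Finddoc(bson.M{"pid": cooked.ppid})`), wrapping the body in `mongoMutex.Lock(); defer mongoMutex.Unlock()` (assuming callers do not already hold it), and checking whatever `InsertOne` returns would close that gap. The first `Finddoc` failure at 269-271 also returns silently, so a database error is indistinguishable from "parent not observed" for audit purposes; log it the way the second lookup at 277 does. The `check` calls added in the first hunk inherit all of this, and `deal` itself begins before that hunk.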
diff --git a/src/global.go b/src/global.go index d1c5c0f..f0f909c 100644 --- a/src/global.go +++ b/src/global.go | |||
@@ -1,8 +1,11 @@ | |||
1 | package main | 1 | package main |
2 | 2 | ||
3 | import ( | 3 | import ( |
4 | "fmt" | ||
4 | "sync" | 5 | "sync" |
5 | "time" | 6 | "time" |
7 | |||
8 | "go.mongodb.org/mongo-driver/bson/primitive" | ||
6 | ) | 9 | ) |
7 | 10 | ||
8 | type eventType int | 11 | type eventType int |
@@ -12,11 +15,19 @@ const ( | |||
12 | PIDEXIT | 15 | PIDEXIT |
13 | EXECVE | 16 | EXECVE |
14 | FILEOPEN | 17 | FILEOPEN |
15 | FILEWRITE | ||
16 | FILECLOSE | 18 | FILECLOSE |
19 | FILEWRITE | ||
17 | TYPENUM | 20 | TYPENUM |
18 | ) | 21 | ) |
19 | 22 | ||
23 | func (et eventType) String() string { | ||
24 | names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILECLOSE", "FILEWRITE", "TYPENUM"} | ||
25 | if et < NEWPID || et > TYPENUM { | ||
26 | return "Unknown" | ||
27 | } | ||
28 | return names[et] | ||
29 | } | ||
30 | |||
20 | type Event struct { | 31 | type Event struct { |
21 | tag eventType | 32 | tag eventType |
22 | timestamp time.Time | 33 | timestamp time.Time |
@@ -30,12 +41,37 @@ type Event struct { | |||
30 | pathName string | 41 | pathName string |
31 | } | 42 | } |
32 | 43 | ||
33 | func (et eventType) String() string { | 44 | func (event Event) String() string { |
34 | names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILEWRITE", "TYPENUM"} | 45 | var res string |
35 | if et < NEWPID || et > TYPENUM { | 46 | res = fmt.Sprintf("tag: %v\ntimestamp: %v\nppid: %d\npid: %d\n", event.tag, event.timestamp.Local(), event.ppid, event.pid) |
36 | return "Unknown" | 47 | res += fmt.Sprintf("syscall: %s\nexit_code: %d\nargs: \n", syscallTable[event.syscall], event.exit_code) |
48 | for i := 0; i < len(event.argv); i++ { | ||
49 | res += fmt.Sprintf("\t\"%s\"\n", event.argv[i]) | ||
37 | } | 50 | } |
38 | return names[et] | 51 | res += "syscallParam: " |
52 | for i := 0; i < len(event.syscallParam); i++ { | ||
53 | res += fmt.Sprintf("\t\"%d\"\n", event.syscallParam[i]) | ||
54 | } | ||
55 | res += "pathName: \"" + event.pathName + "\"\n------\n" | ||
56 | return res | ||
57 | } | ||
58 | |||
59 | type pidExec struct { | ||
60 | timestamp time.Time `bson:"timestamp"` | ||
61 | execArgs []string `bson:"execArgs"` | ||
62 | } | ||
63 | |||
64 | type pid struct { | ||
65 | ID primitive.ObjectID `bson:"_id,ometempty"` | ||
66 | start_timestamp time.Time `bson:"start_timestamp"` | ||
67 | ppid int `bson:"ppid"` | ||
68 | pid int `bson:"pid"` | ||
69 | cwd string `bson:"cwd"` | ||
70 | args []string `bson:"args"` | ||
71 | execve []pidExec `bson:"execve"` | ||
72 | children []int `bson:"children"` | ||
73 | exit_timestamp time.Time `bson:"exit_timestamp"` | ||
74 | exit_code uint64 `bson:"exit_code"` | ||
39 | } | 75 | } |
40 | 76 | ||
41 | var wg sync.WaitGroup // 掌管协程 | 77 | var wg sync.WaitGroup // 掌管协程 |
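Review bot: The new `pidExec` and `pid` structs (lines 59-74) put bson tags on unexported fields such as `start_timestamp`, `ppid` and `execve`, but the mongo driver's struct codec skips unexported fields regardless of their tag, so only `ID` would be marshaled or decoded through these types; export the Go names and keep the snake_case in the tag only, e.g. `StartTimestamp time.Time `bson:"start_timestamp"``. The `ID` tag also misspells the option as `ometempty`, which the tag parser silently ignores, so a zero `ObjectID` would be written as `_id` if this struct is ever inserted instead of letting the server assign one; it should read `ID primitive.ObjectID `bson:"_id,omitempty"``. In `Event.String` (lines 44-57), `argv` and `pathName` originate from the observed process and are printed via `\"%s\"` and plain concatenation; `%q` escapes control and non-printable bytes so a crafted argument cannot inject newlines or terminal escapes into the log, e.g. `res += fmt.Sprintf("\t%q\n", event.argv[i])`. Separately, moving `FILECLOSE` ahead of `FILEWRITE` at 17-19 changes the numeric value of both tags; if any other component produces these numbers it needs the same reorder, otherwise write and close events will be mislabelled.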