Diffstat (limited to '')
-rw-r--r--src/deal.go57
-rw-r--r--src/global.go48
2 files changed, 86 insertions, 19 deletions
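--- a/src/deal.go
+++ b/src/deal.go
@@ -55,18 +55,25 @@ func deal() {
  break
  }
 
+ // fmt.Printf("%v\n", cooked)
+
  switch cooked.tag {
  case NEWPID:
  dealNewPid(cooked)
  case EXECVE:
+ check(cooked)
  dealExecve(cooked)
  case PIDEXIT:
+ check(cooked)
  deletePid(cooked)
  case FILEOPEN:
+ check(cooked)
  fileOpen(cooked)
  case FILEWRITE:
+ check(cooked)
  fileWrite(cooked)
  case FILECLOSE:
+ check(cooked)
  fileClose(cooked)
  }
  }
@@ -168,19 +175,19 @@ func dealExecve(cooked Event) {
  },
  },
  })
- } else {
- // 先fork抵达,插入
- pidCol.InsertOne(bson.M{
- "ppid": cooked.ppid,
- "pid": cooked.pid,
- "children": []bson.M{},
- "execve": []bson.M{
- {
- "timestamp": cooked.timestamp,
- "execArgs": cooked.argv,
- },
- },
- })
+ // } else {
+ // // 先fork抵达,插入
+ // pidCol.InsertOne(bson.M{
+ // "ppid": cooked.ppid,
+ // "pid": cooked.pid,
+ // "children": []bson.M{},
+ // "execve": []bson.M{
+ // {
+ // "timestamp": cooked.timestamp,
+ // "execArgs": cooked.argv,
+ // },
+ // },
+ // })
  }
  mongoMutex.Unlock()
 }
@@ -255,3 +262,27 @@ func fileWrite(cooked Event) {
  "close_timestamp": bson.M{"$exists": false},
  }, bson.M{"$push": bson.M{"written": cooked.timestamp}})
 }
+
+func check(cooked Event) {
+ // 检查进程是否需要记录
+ // 有无父进程在观察中
+ docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
+ if err != nil || len(docRes) != 1 {
+ return
+ }
+
+ // 自身是否已经记录
+ docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
+ if err != nil {
+ fmt.Printf("Err finding: %v\n", err)
+ return
+ }
+ if len(docRes) == 0 {
+ pidCol.InsertOne(bson.M{
+ "ppid": cooked.ppid,
+ "pid": cooked.pid,
+ "children": []bson.M{},
+ "start_timestamp": cooked.timestamp,
+ })
+ }
+}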
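Review bot: In the new check() the result of pidCol.InsertOne (new line 281) is discarded, so when the insert fails the handler that deal() calls right after it (dealExecve, fileOpen, fileWrite, fileClose, deletePid) goes on to update a pid document that does not exist and the event vanishes from the audit trail without a trace; the first Finddoc error (new line 270) is likewise folded into the "parent not tracked" early return. At minimum log both paths: `if err != nil { fmt.Printf("Err finding parent: %v\n", err); return }` before the `len(docRes) != 1` test, and check whatever InsertOne returns. docRes and err are assigned with `=`, which means they appear to be package-level variables shared by every event; if deal() is ever run on more than one goroutine that is a data race, and `docRes, err := pidCol.Finddoc(...)` would keep them local to check(). check() also reads and inserts into pidCol without mongoMutex, which dealExecve holds around its own writes (its Unlock is at new line 192), so the find-then-insert can interleave with a concurrent writer and produce a duplicate pid document; wrapping the body in mongoMutex.Lock()/Unlock() would match the existing convention, provided the callers do not already hold it (deal()'s body starts outside the hunk).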
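--- a/src/global.go
+++ b/src/global.go
@@ -1,8 +1,11 @@
 package main
 
 import (
+ "fmt"
  "sync"
  "time"
+
+ "go.mongodb.org/mongo-driver/bson/primitive"
 )
 
 type eventType int
@@ -12,11 +15,19 @@ const (
  PIDEXIT
  EXECVE
  FILEOPEN
- FILEWRITE
  FILECLOSE
+ FILEWRITE
  TYPENUM
 )
 
+func (et eventType) String() string {
+ names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILECLOSE", "FILEWRITE", "TYPENUM"}
+ if et < NEWPID || et > TYPENUM {
+ return "Unknown"
+ }
+ return names[et]
+}
+
 type Event struct {
  tag eventType
  timestamp time.Time
@@ -30,12 +41,37 @@ type Event struct {
  pathName string
 }
 
-func (et eventType) String() string {
- names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILEWRITE", "TYPENUM"}
- if et < NEWPID || et > TYPENUM {
- return "Unknown"
+func (event Event) String() string {
+ var res string
+ res = fmt.Sprintf("tag: %v\ntimestamp: %v\nppid: %d\npid: %d\n", event.tag, event.timestamp.Local(), event.ppid, event.pid)
+ res += fmt.Sprintf("syscall: %s\nexit_code: %d\nargs: \n", syscallTable[event.syscall], event.exit_code)
+ for i := 0; i < len(event.argv); i++ {
+ res += fmt.Sprintf("\t\"%s\"\n", event.argv[i])
  }
- return names[et]
+ res += "syscallParam: "
+ for i := 0; i < len(event.syscallParam); i++ {
+ res += fmt.Sprintf("\t\"%d\"\n", event.syscallParam[i])
+ }
+ res += "pathName: \"" + event.pathName + "\"\n------\n"
+ return res
+}
+
+type pidExec struct {
+ timestamp time.Time `bson:"timestamp"`
+ execArgs []string `bson:"execArgs"`
+}
+
+type pid struct {
+ ID primitive.ObjectID `bson:"_id,ometempty"`
+ start_timestamp time.Time `bson:"start_timestamp"`
+ ppid int `bson:"ppid"`
+ pid int `bson:"pid"`
+ cwd string `bson:"cwd"`
+ args []string `bson:"args"`
+ execve []pidExec `bson:"execve"`
+ children []int `bson:"children"`
+ exit_timestamp time.Time `bson:"exit_timestamp"`
+ exit_code uint64 `bson:"exit_code"`
 }
 
 var wg sync.WaitGroup // 掌管协程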
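Review bot: The bson tags on pidExec and pid (new lines 59–74) have no effect on any field except ID, because every other field is unexported and the mongo driver's struct codec skips unexported fields (it cannot set them through reflection), so decoding a document into pid will fill only ID and leave ppid, pid, execve, children and the timestamps at their zero values. The `_id,ometempty` option is also misspelled (`omitempty`), so a zero ObjectID would be sent as-is rather than omitted if this struct is ever passed to InsertOne. Exporting the fields with MixedCaps names and keeping the bson names in the tags fixes both without changing the stored schema; the rewrite is below. Separately, swapping FILEWRITE and FILECLOSE (hunk 2) changes their iota values; if cooked.tag is produced by a separate component that encodes the old numbering, that side must be updated in step, and eventType.String's table is correct for the new order. A smaller point of style: the two index loops in Event.String would read better as `for _, a := range event.argv` / `for _, p := range event.syscallParam`.
```go
type pidExec struct {
	Timestamp time.Time `bson:"timestamp"`
	ExecArgs  []string  `bson:"execArgs"`
}

type pid struct {
	ID             primitive.ObjectID `bson:"_id,omitempty"`
	StartTimestamp time.Time          `bson:"start_timestamp"`
	PPID           int                `bson:"ppid"`
	PID            int                `bson:"pid"`
	Cwd            string             `bson:"cwd"`
	Args           []string           `bson:"args"`
	Execve         []pidExec          `bson:"execve"`
	Children       []int              `bson:"children"`
	ExitTimestamp  time.Time          `bson:"exit_timestamp"`
	ExitCode       uint64             `bson:"exit_code"`
}
```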