From 0deb0b10c28f72f08c330f183ef64d90405b1358 Mon Sep 17 00:00:00 2001 From: We-unite <3205135446@qq.com> Date: Mon, 29 Jul 2024 14:25:06 +0800 Subject: Add write --- src/deal.go | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'src/deal.go') diff --git a/src/deal.go b/src/deal.go index d3b5da0..56f6d1d 100644 --- a/src/deal.go +++ b/src/deal.go @@ -65,6 +65,8 @@ func deal() { go deletePid(cooked) case FILEOPEN: fileOpen(cooked) + case FILEWRITE: + fileWrite(cooked) case FILECLOSE: fileClose(cooked) } @@ -234,3 +236,23 @@ func fileClose(cooked Event) { "close_timestamp": bson.M{"$exists": false}, }, bson.M{"$set": bson.M{"close_timestamp": cooked.timestamp}}) } + +func fileWrite(cooked Event) { + // 直接看文件表有无记录 + res, err := fdCol.Finddoc(bson.M{ + "pid": cooked.pid, + "fd": cooked.syscallParam[0], + "close_timestamp": bson.M{"$exists": false}, + }) + if err != nil { + fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err) + } + if len(res) == 0 { + return + } + fdCol.UpdateOne(bson.M{ + "pid": cooked.pid, + "fd": cooked.syscallParam[0], + "close_timestamp": bson.M{"$exists": false}, + }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) +} -- cgit v1.2.3-70-g09d2