From d6c6e13796435f9e1e59fec891aa53680748a2d7 Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Tue, 30 Jul 2024 19:37:48 +0800
Subject: Try to use kernel connector

---
 src/deal.go | 57 ++++++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 44 insertions(+), 13 deletions(-)

(limited to 'src/deal.go')

diff --git a/src/deal.go b/src/deal.go
index aaac8c5..717344c 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -55,18 +55,25 @@ func deal() {
 break
 }
 
+ // fmt.Printf("%v\n", cooked)
+
 switch cooked.tag {
 case NEWPID:
 dealNewPid(cooked)
 case EXECVE:
+ check(cooked)
 dealExecve(cooked)
 case PIDEXIT:
+ check(cooked)
 deletePid(cooked)
 case FILEOPEN:
+ check(cooked)
 fileOpen(cooked)
 case FILEWRITE:
+ check(cooked)
 fileWrite(cooked)
 case FILECLOSE:
+ check(cooked)
 fileClose(cooked)
 }
 }
@@ -168,19 +175,19 @@ func dealExecve(cooked Event) {
 },
 },
 })
- } else {
- // 先fork抵达,插入
- pidCol.InsertOne(bson.M{
- "ppid": cooked.ppid,
- "pid": cooked.pid,
- "children": []bson.M{},
- "execve": []bson.M{
- {
- "timestamp": cooked.timestamp,
- "execArgs": cooked.argv,
- },
- },
- })
+ // } else {
+ // // 先fork抵达,插入
+ // pidCol.InsertOne(bson.M{
+ // "ppid": cooked.ppid,
+ // "pid": cooked.pid,
+ // "children": []bson.M{},
+ // "execve": []bson.M{
+ // {
+ // "timestamp": cooked.timestamp,
+ // "execArgs": cooked.argv,
+ // },
+ // },
+ // })
 }
 mongoMutex.Unlock()
 }
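Review bot: `check(cooked)` now runs ahead of PIDEXIT and FILECLOSE too, so a process whose parent is observed but that has no record yet is inserted by check with `"start_timestamp": cooked.timestamp` taken from its exit or file-close event, which records a start time that is really the end of the process's life; if the intent is to back-fill late-arriving processes, the inserted document should indicate that the start time is unknown, or the PIDEXIT case should not call check. NEWPID is the only case without `check`, presumably because dealNewPid inserts the record itself; a one-line comment on that case, e.g. `// dealNewPid inserts the record itself`, would make the asymmetry deliberate. The commented-out `// fmt.Printf("%v\n", cooked)` here and the commented-out else branch in the dealExecve hunk should be deleted rather than kept as comments, since version control preserves the old code. The loop in deal() starts and ends outside the hunk.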
@@ -255,3 +262,27 @@ func fileWrite(cooked Event) {
 "close_timestamp": bson.M{"$exists": false},
 }, bson.M{"$push": bson.M{"written": cooked.timestamp}})
 }
+
+func check(cooked Event) {
+ // 检查进程是否需要记录
+ // 有无父进程在观察中
+ docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
+ if err != nil || len(docRes) != 1 {
+ return
+ }
+
+ // 自身是否已经记录
+ docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
+ if err != nil {
+ fmt.Printf("Err finding: %v\n", err)
+ return
+ }
+ if len(docRes) == 0 {
+ pidCol.InsertOne(bson.M{
+ "ppid": cooked.ppid,
+ "pid": cooked.pid,
+ "children": []bson.M{},
+ "start_timestamp": cooked.timestamp,
+ })
+ }
+}
-- cgit v1.2.3-70-g09d2
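Review bot: In check, `docRes, err = pidCol.Finddoc(...)` assigns with `=` to what appear to be package-level variables rather than locals, so the function shares mutable state with any other code using those names, and the first lookup folds a database error into the "parent not observed" case: a transient failure on the ppid lookup silently leaves the process unrecorded, a gap in the audit trail that nobody sees. Declare both with `:=`, report the parent lookup error separately from the not-found result, and check whatever `pidCol.InsertOne` returns instead of discarding it (its signature is not visible here). dealExecve in the previous hunk releases `mongoMutex` after its pidCol access, while check reads and inserts into pidCol with no lock taken; that is only safe if the deal() loop is the sole writer, which is worth confirming before more callers appear.
```go
func check(cooked Event) {
	// A lookup failure is reported, not treated as "parent not observed".
	parents, err := pidCol.Finddoc(bson.M{"pid": cooked.ppid})
	if err != nil {
		fmt.Printf("Err finding parent: %v\n", err)
		return
	}
	if len(parents) != 1 {
		return
	}

	existing, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
	if err != nil {
		fmt.Printf("Err finding: %v\n", err)
		return
	}
	if len(existing) == 0 {
		// … unchanged: pidCol.InsertOne(bson.M{...}) — check its error if it returns one …
	}
}
```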