From 7cf8e470471d30fc821a8be350dcb97dc64e5add Mon Sep 17 00:00:00 2001 From: We-unite <3205135446@qq.com> Date: Fri, 19 Jul 2024 17:02:11 +0800 Subject: Depart the whole program into several files. Put all the src code in only one file is to ugly, so devide it! and mv them into src dir to keep the whole repo clear. --- src/godo.go | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 src/godo.go (limited to 'src/godo.go') diff --git a/src/godo.go b/src/godo.go new file mode 100644 index 0000000..6f73893 --- /dev/null +++ b/src/godo.go @@ -0,0 +1,116 @@ +package main + +import ( + "flag" + "fmt" + "log" + "os" + "os/exec" + "time" + + "github.com/elastic/go-libaudit/v2" +) + +var ( + fs = flag.NewFlagSet("audit", flag.ExitOnError) + diag = fs.String("diag", "", "dump raw information from kernel to file") + rate = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)") + backlog = fs.Uint("backlog", 8192, "backlog limit") + immutable = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)") + receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+") +) + +type Event struct { + timestamp time.Time + pid, ppid int + syscall int + argc int + argv []string + cwd string +} + +type process struct { + timestamp time.Time + pid, ppid int + argv []string + cwd string + rootfs string + children []int +} + +func main() { + // 检查用户身份,并添加auditd规则,监听所有syscall + if os.Geteuid() != 0 { + fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid()) + return + } + + // 所有的系统调用号与名称的关系 + err := figureOutSyscalls() + if err != nil { + fmt.Printf("Error figuring out syscall numbers: %v\n", err) + } + + syscall := [6]string{"fork", "vfork", "clone", "execve", "exit", "exit_group"} + var auditCmd *exec.Cmd + auditCmd = exec.Command("auditctl", "-D") // 清空所有规则 + auditCmd.Run() + // 设置监听规则 + for i := 0; i < len(syscall); i++ { + auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", syscall[i]) + auditCmd.Run() + } + + // 查找pid + containerdPid, err = getPid() + if err != nil { + fmt.Printf("Error finding containerd: %v\n", err) + return + } + + // 创世之神,1号进程 + // pids[1] = &process{rootfs: "/", children: make([]int, 0)} + // pids[1].children = append(pids[1].children, containerdPid) + // 1号进程还是不要在进程树上直接出现了,不然它的小儿子们都会出现 + + // /usr/bin/containerd,也就是我们最关注的进程 + // pids[containerdPid] = &process{rootfs: "/", children: make([]int, 0)} + pids.Store(containerdPid, &process{ + ppid: 1, + pid: containerdPid, + argv: make([]string, 0), + cwd: "/", + rootfs: "/", + children: make([]int, 0), + }) + p, ok := pids.Load(containerdPid) + if !ok { + fmt.Printf("???\n") + return + } + p.(*process).argv = append(p.(*process).argv, "/usr/bin/containerd") + + // 开始运行,解析命令行参数后监听 + if err := fs.Parse(os.Args[1:]); err != nil { + log.Fatal(err) + } + + if err := read(); err != nil { + log.Fatalf("error: %v", err) + } +} + +func coroutine(client *libaudit.AuditClient) { + // 各协程至此开始 + rawChan = make(chan interface{}) + cookedChan = make(chan Event) + wg.Add(1) + go receive(client) + wg.Add(1) + go orgnaze() + wg.Add(1) + go deal() + + wg.Wait() + time.Sleep(2 * time.Second) +} -- cgit v1.2.3-70-g09d2