package main import ( "encoding/json" "fmt" "time" ) type Exec struct { Timestamp time.Time `bson:"timestamp" json:"timestamp"` ExecArgs []string `bson:"execArgs" json:"execArgs"` } type Process struct { Star bool `bson:"star" json:"star"` StartTimestamp time.Time `bson:"start_timestamp" json:"start_timestamp"` Ppid int `bson:"ppid" json:"ppid"` ParentTgid int `bson:"parentTgid" json:"parentTgid"` Pid int `bson:"pid" json:"pid"` Tgid int `bson:"tgid" json:"tgid"` Args []string `bson:"args" json:"args"` Comm string `bson:"comm" json:"comm"` RootFS string `bson:"rootfs" json:"rootfs"` Cwd string `bson:"cwd" json:"cwd"` Children []int `bson:"children" json:"children"` DockerId string `bson:"docker_id" json:"docker_id"` Execve []Exec `bson:"execve" json:"execve"` ExitCode int `bson:"exit_code" json:"exit_code"` ExitSignal int `bson:"exit_signal" json:"exit_signal"` ExitTimestamp time.Time `bson:"exit_timestamp" json:"exit_timestamp"` } type tgidNode struct { Tgid int `bson:"tgid" json:"tgid"` FindPid map[int]int `bson:"findPid" json:"findPid"` Threads []Process `bson:"threads" json:"threads"` ChildTgid []int `bson:"child_tgid" json:"child_tgid"` } func (p Process) String() string { var res string res = "---------------------\n" res += fmt.Sprintf("timestamp\t%v\n", p.StartTimestamp) res += fmt.Sprintf("ppid\t%d\nparentTgid\t%d\n", p.Ppid, p.ParentTgid) res += fmt.Sprintf("pid\t%d\ntgid\t%d\nargs: ", p.Pid, p.Tgid) for i := 0; i < len(p.Args); i++ { res += fmt.Sprintf("%s ", p.Args[i]) } res += fmt.Sprintf("\ncomm\t%s\ncwd\t%s\nrootfs\t%s\ndocker_id\t%s\n", p.Comm, p.Cwd, p.RootFS, p.DockerId) if len(p.Execve) != 0 { res += "exec:\n" for i := 0; i < len(p.Execve); i++ { res += fmt.Sprintf("\ttimestamp: %v\n\texecArgs:\t", p.Execve[i].Timestamp) for j := 0; j < len(p.Execve[i].ExecArgs); j++ { res += fmt.Sprintf("%s ", p.Execve[i].ExecArgs[j]) } res += "\n" } } res += "children: " for i := 0; i < len(p.Children); i++ { res += fmt.Sprintf("%d ", p.Children[i]) } res += "\n" res += fmt.Sprintf("exit_timestamp:\t%v\nexit_code:\t%d\nexit_signal:\t%d\n", p.ExitTimestamp, p.ExitCode, p.ExitSignal) return res } func (node tgidNode) String() string { var res string res += fmt.Sprintf("==============================\ntgid: %6d, size: %6d, children: ", node.Tgid, len(node.Threads)) for _, child := range node.ChildTgid { res += fmt.Sprintf("%7d", child) } res += "\n" for _, process := range node.Threads { res += fmt.Sprintf("%v\n", process) } res += "\n" return res } type File struct { OpenTimestamp time.Time `bson:"timestamp" json:"timestamp"` FileName string `bson:"fileName" json:"fileName"` Pid int `bson:"pid" json:"pid"` Fd int `bson:"fd" json:"fd"` Flags [4]uint64 `bson:"flags" json:"flags"` Written []time.Time `bson:"written" json:"written"` CloseTimestamp time.Time `bson:"close_timestamp" json:"close_timestamp"` } func (f File) MarshalJSON() ([]byte, error) { type Alias File // 使用别名避免递归调用 return json.Marshal(&struct { Alias Flags0 string `json:"FileNamePointer"` Flags1 string `json:"FileFlags"` }{ Alias: Alias(f), Flags0: fmt.Sprintf("%#012x", f.Flags[0]), // flags[0] 转换为小写16进制 Flags1: parseFlags(f.Flags[1]), // flags[1] 解析为字符串 }) } // Queue 定义一个队列结构体 type Queue struct { items []interface{} } // NewQueue 创建一个新的队列 func NewQueue() *Queue { return &Queue{items: make([]interface{}, 0)} } // Enqueue 向队列中添加一个元素 func (q *Queue) Enqueue(item interface{}) { q.items = append(q.items, item) } // Dequeue 从队列中移除并返回队列前面的元素 func (q *Queue) Dequeue() (interface{}, bool) { if len(q.items) == 0 { return nil, false } item := q.items[0] q.items = q.items[1:] return item, true } // Size 返回队列中的元素数量 func (q *Queue) Size() int { return len(q.items) } // IsEmpty 检查队列是否为空 func (q *Queue) IsEmpty() bool { return len(q.items) == 0 }