add 'add user name' for user space agent(golang)

xirotech · Sep 5, 2019 · 61c284a · 61c284a
1 parent 483c5cf
commit 61c284a
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 23 deletions.
diff --git a/agent_golang/src/c_until.c b/agent_golang/src/c_until.c
@@ -41,20 +41,6 @@ struct sh_mem_list_head
 struct msg_slot *slot;
 struct sh_mem_list_head *list_head;
 
-static char *get_user_id(const char *msg)
-{
-    int i;
-    int first = strcspn(msg, split_ymbol);
-
-    for (i = 0; i < sizeof(user_id); i++)
-        user_id[i] = 0;
-
-    for (i = 0; i < first; i++)
-        user_id[i] = msg[i];
-
-    return user_id;
-}
-
 static char *get_user(uid_t uid)
 {
     struct passwd *pws;
@@ -125,7 +111,6 @@ static char *shm_msg_factory_no_callback(char *msg)
 
             if (shm_res_len > 16)
             {
-                user_id = get_user_id(shm_res);
                 strcat(shm_res, time_buffer);
                 return shm_res;
             }

diff --git a/agent_golang/src/c_until.h b/agent_golang/src/c_until.h
@@ -1,4 +1,5 @@
 void init(void);
 void shm_init(void);
 void shm_close(void);
+static char *get_user(uid_t uid);
 char *shm_run_no_callback(void);
diff --git a/agent_golang/src/main.go b/agent_golang/src/main.go
@@ -6,6 +6,7 @@ package main
 import "C"
 import (
 	"fmt"
+	"strconv"
 	"strings"
 )
 
@@ -27,42 +28,42 @@ func GetMsgFromKernel(c chan string) {
 }
 
 func ParserExecveMsg(msg []string) string {
-	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"run_path\":\"" + msg[2] + "\",\"elf\":\"" + msg[3] + "\",\"argv\":\"" + msg[4] + "\",\"pid\":\"" + msg[5] + "\",\"ppid\":\"" + msg[6] + "\",\"pgid\":\"" + msg[7] + "\",\"tgid\":\"" + msg[8] + "\",\"comm\":\"" + msg[9] + "\",\"nodename\":\"" + msg[10] + "\",\"stdin\":\"" + msg[11] + "\",\"stdout\":\"" + msg[12] + "\",\"pid_rootkit_check\":\"" + msg[13] + "\",\"file_rootkit_check\":\"" + msg[14] + "\",\"time\":\"" + msg[15] + "\"}"
+	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"run_path\":\"" + msg[2] + "\",\"elf\":\"" + msg[3] + "\",\"argv\":\"" + msg[4] + "\",\"pid\":\"" + msg[5] + "\",\"ppid\":\"" + msg[6] + "\",\"pgid\":\"" + msg[7] + "\",\"tgid\":\"" + msg[8] + "\",\"comm\":\"" + msg[9] + "\",\"nodename\":\"" + msg[10] + "\",\"stdin\":\"" + msg[11] + "\",\"stdout\":\"" + msg[12] + "\",\"pid_rootkit_check\":\"" + msg[13] + "\",\"file_rootkit_check\":\"" + msg[14] + "\",\"time\":\"" + msg[15] + "\",\"user\":\"" + msg[16] + "\"}"
 	return jsonStr
 }
 
 func ParserInitMsg(msg []string) string {
-	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"cwd\":\"" + msg[2] + "\",\"pid\":\"" + msg[3] + "\",\"pgid\":\"" + msg[4] + "\",\"tgid\":\"" + msg[5] + "\",\"comm\":\"" + msg[6] + "\",\"nodename\":\"" + msg[7] + "\",\"time\":\"" + msg[8] + "\"}"
+	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"cwd\":\"" + msg[2] + "\",\"pid\":\"" + msg[3] + "\",\"pgid\":\"" + msg[4] + "\",\"tgid\":\"" + msg[5] + "\",\"comm\":\"" + msg[6] + "\",\"nodename\":\"" + msg[7] + "\",\"time\":\"" + msg[8] + "\",\"user\":\"" + msg[9] + "\"}"
 	return jsonStr
 }
 
 func ParserFinitMsg(msg []string) string {
-	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"cwd\":\"" + msg[2] + "\",\"pid\":\"" + msg[3] + "\",\"pgid\":\"" + msg[4] + "\",\"tgid\":\"" + msg[5] + "\",\"comm\":\"" + msg[6] + "\",\"nodename\":\"" + msg[7] + "\",\"time\":\"" + msg[8] + "\"}"
+	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"cwd\":\"" + msg[2] + "\",\"pid\":\"" + msg[3] + "\",\"pgid\":\"" + msg[4] + "\",\"tgid\":\"" + msg[5] + "\",\"comm\":\"" + msg[6] + "\",\"nodename\":\"" + msg[7] + "\",\"time\":\"" + msg[8] + "\",\"user\":\"" + msg[9] + "\"}"
 	return jsonStr
 }
 
 func ParserConnectMsg(msg []string) string {
-	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"sa_family\":\"" + msg[2] + "\",\"fd\":\"" + msg[3] + "\",\"dport\":\"" + msg[4] + "\",\"dip\":\"" + msg[5] + "\",\"elf\":\"" + msg[6] + "\",\"pid\":\"" + msg[7] + "\",\"ppid\":\"" + msg[8] + "\",\"pgid\":\"" + msg[9] + "\",\"tgid\":\"" + msg[10] + "\",\"comm\":\"" + msg[11] + "\",\"nodename\":\"" + msg[12] + "\",\"sip\":\"" + msg[13] + "\",\"sport\":\"" + msg[14] + "\",\"res\":\"" + msg[15] + "\",\"pid_rootkit_check\":\"" + msg[16] + "\",\"file_rootkit_check\":\"" + msg[17] + "\",\"time\":\"" + msg[18] + "\"}"
+	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"sa_family\":\"" + msg[2] + "\",\"fd\":\"" + msg[3] + "\",\"dport\":\"" + msg[4] + "\",\"dip\":\"" + msg[5] + "\",\"elf\":\"" + msg[6] + "\",\"pid\":\"" + msg[7] + "\",\"ppid\":\"" + msg[8] + "\",\"pgid\":\"" + msg[9] + "\",\"tgid\":\"" + msg[10] + "\",\"comm\":\"" + msg[11] + "\",\"nodename\":\"" + msg[12] + "\",\"sip\":\"" + msg[13] + "\",\"sport\":\"" + msg[14] + "\",\"res\":\"" + msg[15] + "\",\"pid_rootkit_check\":\"" + msg[16] + "\",\"file_rootkit_check\":\"" + msg[17] + "\",\"time\":\"" + msg[18] + "\",\"user\":\"" + msg[19] + "\"}"
 	return jsonStr
 }
 
 func ParserAcceptMsg(msg []string) string {
-	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"sa_family\":\"" + msg[2] + "\",\"fd\":\"" + msg[3] + "\",\"sport\":\"" + msg[4] + "\",\"sip\":\"" + msg[5] + "\",\"elf\":\"" + msg[6] + "\",\"pid\":\"" + msg[7] + "\",\"ppid\":\"" + msg[8] + "\",\"pgid\":\"" + msg[9] + "\",\"tgid\":\"" + msg[10] + "\",\"comm\":\"" + msg[11] + "\",\"nodename\":\"" + msg[12] + "\",\"dip\":\"" + msg[13] + "\",\"dport\":\"" + msg[14] + "\",\"res\":\"" + msg[15] + "\",\"pid_rootkit_check\":\"" + msg[16] + "\",\"file_rootkit_check\":\"" + msg[17] + "\",\"time\":\"" + msg[18] + "\"}"
+	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"sa_family\":\"" + msg[2] + "\",\"fd\":\"" + msg[3] + "\",\"sport\":\"" + msg[4] + "\",\"sip\":\"" + msg[5] + "\",\"elf\":\"" + msg[6] + "\",\"pid\":\"" + msg[7] + "\",\"ppid\":\"" + msg[8] + "\",\"pgid\":\"" + msg[9] + "\",\"tgid\":\"" + msg[10] + "\",\"comm\":\"" + msg[11] + "\",\"nodename\":\"" + msg[12] + "\",\"dip\":\"" + msg[13] + "\",\"dport\":\"" + msg[14] + "\",\"res\":\"" + msg[15] + "\",\"pid_rootkit_check\":\"" + msg[16] + "\",\"file_rootkit_check\":\"" + msg[17] + "\",\"time\":\"" + msg[18] + "\",\"user\":\"" + msg[19] + "\"}"
 	return jsonStr
 }
 
 func ParserPtraceMsg(msg []string) string {
-	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"ptrace_request\":\"" + msg[2] + "\",\"target_pid\":\"" + msg[3] + "\",\"addr\":\"" + msg[4] + "\",\"data\":\"" + msg[5] + "\",\"elf\":\"" + msg[6] + "\",\"pid\":\"" + msg[7] + "\",\"ppid\":\"" + msg[8] + "\",\"pgid\":\"" + msg[9] + "\",\"tgid\":\"" + msg[10] + "\",\"comm\":\"" + msg[11] + "\",\"nodename\":\"" + msg[12] + "\",\"res\":\"" + msg[13] + "\",\"time\":\"" + msg[14] + "\"}"
+	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"ptrace_request\":\"" + msg[2] + "\",\"target_pid\":\"" + msg[3] + "\",\"addr\":\"" + msg[4] + "\",\"data\":\"" + msg[5] + "\",\"elf\":\"" + msg[6] + "\",\"pid\":\"" + msg[7] + "\",\"ppid\":\"" + msg[8] + "\",\"pgid\":\"" + msg[9] + "\",\"tgid\":\"" + msg[10] + "\",\"comm\":\"" + msg[11] + "\",\"nodename\":\"" + msg[12] + "\",\"res\":\"" + msg[13] + "\",\"time\":\"" + msg[14] + "\",\"user\":\"" + msg[15] + "\"}"
 	return jsonStr
 }
 
 func ParserDNSMsg(msg []string) string {
-	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"sa_family\":\"" + msg[2] + "\",\"fd\":\"" + msg[3] + "\",\"sport\":\"" + msg[4] + "\",\"sip\":\"" + msg[5] + "\",\"elf\":\"" + msg[6] + "\",\"pid\":\"" + msg[7] + "\",\"ppid\":\"" + msg[8] + "\",\"pgid\":\"" + msg[9] + "\",\"tgid\":\"" + msg[10] + "\",\"comm\":\"" + msg[11] + "\",\"nodename\":\"" + msg[12] + "\",\"dip\":\"" + msg[13] + "\",\"dport\":\"" + msg[14] + "\",\"qr\":\"" + msg[15] + "\",\"opcode\":\"" + msg[16] + "\",\"rcode\":\"" + msg[17] + "\",\"query\":\"" + msg[18] + "\",\"time\":\"" + msg[19] + "\"}"
+	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"sa_family\":\"" + msg[2] + "\",\"fd\":\"" + msg[3] + "\",\"sport\":\"" + msg[4] + "\",\"sip\":\"" + msg[5] + "\",\"elf\":\"" + msg[6] + "\",\"pid\":\"" + msg[7] + "\",\"ppid\":\"" + msg[8] + "\",\"pgid\":\"" + msg[9] + "\",\"tgid\":\"" + msg[10] + "\",\"comm\":\"" + msg[11] + "\",\"nodename\":\"" + msg[12] + "\",\"dip\":\"" + msg[13] + "\",\"dport\":\"" + msg[14] + "\",\"qr\":\"" + msg[15] + "\",\"opcode\":\"" + msg[16] + "\",\"rcode\":\"" + msg[17] + "\",\"query\":\"" + msg[18] + "\",\"time\":\"" + msg[19] + "\",\"user\":\"" + msg[20] + "\"}"
 	return jsonStr
 }
 
 func ParserCreateFileMsg(msg []string) string {
-	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"elf\":\"" + msg[2] + "\",\"file_path\":\"" + msg[3] + "\",\"pid\":\"" + msg[4] + "\",\"ppid\":\"" + msg[5] + "\",\"pgid\":\"" + msg[6] + "\",\"tgid\":\"" + msg[7] + "\",\"comm\":\"" + msg[8] + "\",\"nodename\":\"" + msg[9] + "\",\"time\":\"" + msg[10] + "\"}"
+	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"elf\":\"" + msg[2] + "\",\"file_path\":\"" + msg[3] + "\",\"pid\":\"" + msg[4] + "\",\"ppid\":\"" + msg[5] + "\",\"pgid\":\"" + msg[6] + "\",\"tgid\":\"" + msg[7] + "\",\"comm\":\"" + msg[8] + "\",\"nodename\":\"" + msg[9] + "\",\"time\":\"" + msg[10] + "\",\"user\":\"" + msg[11] + "\"}"
 	return jsonStr
 }
 
@@ -72,6 +73,14 @@ func ParserMsg(msgChan chan string) {
 		msg := <-msgChan
 		msgList := strings.Split(msg, "\n")
 		msgType := msgList[1]
+		uidTmp, err := strconv.Atoi(msgList[0])
+		if err != nil {
+			continue
+		}
+
+		uid := C.uid_t(uidTmp)
+		userNmae := C.GoString(C.get_user(uid))
+		msgList = append(msgList, userNmae)
 		switch msgType {
 		case "59":
 			res = ParserExecveMsg(msgList)