package main
import (
"bufio"
"crypto/md5"
"encoding/hex"
"encoding/json"
"fmt"
"io"
"log"
"os"
"strings"
"github.com/fearful-symmetry/garlic"
ac "github.com/cloudflare/ahocorasick"
"github.com/chenhg5/collection"
)
// Exec is the JSON record emitted for each process-exec event.
// Struct field order is the JSON key order, so reordering fields changes
// the output consumers see.
//
// None of the string fields is a trustworthy identity on its own: comm and
// argv are writable by the process itself after exec, and the exe path can
// point at a file that has since been replaced or unlinked. Treat them as
// hints and correlate with the hash.
type Exec struct {
	// Procname is the first line of /proc/<pid>/comm (see getProcName).
	Procname string `json:"procname"`
	// Procpath is the readlink target of /proc/<pid>/exe (see getProcpath);
	// may carry a " (deleted)" suffix if the binary was unlinked after exec.
	Procpath string `json:"procpath"`
	// Pid is the process id reported by the connector event.
	Pid uint32 `json:"pid"`
	// Cmdline is /proc/<pid>/cmdline with NUL separators replaced by spaces.
	Cmdline string `json:"cmdline"`
	// Md5hash is the hex MD5 digest computed by getProcMd5. MD5 is
	// collision-broken: fine for denylist lookups of known samples, not for
	// allowlisting or integrity claims.
	Md5hash string `json:"md5_hash"`
}
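// getProcMd5 returns the lowercase hex MD5 digest of the file at filepath,
// or "" if the file cannot be opened or read.
//
// Returning "" on failure is deliberate: the previous version ignored the
// open error and hashed zero bytes, yielding d41d8cd98f00b204e9800998ecf8427e,
// a real and matchable digest that silently poisons any hash-based lookup.
//
// Caveats:
//   - MD5 is collision-broken. It is adequate for looking up known-bad
//     samples in a denylist but must not back an allowlist or integrity claim.
//   - Hashing the path returned by readlink(/proc/<pid>/exe) is racy: the
//     file can be replaced or unlinked between the exec event and this read.
//     Passing "/proc/<pid>/exe" itself is safer, since the kernel keeps a
//     reference to the inode that was actually executed.
func getProcMd5(filepath string) string {
	f, err := os.Open(filepath)
	if err != nil {
		log.Println(err)
		return ""
	}
	defer f.Close()

	h := md5.New()
	if _, err := io.Copy(h, f); err != nil {
		// e.g. filepath is a directory, or the file vanished mid-read.
		log.Println(err)
		return ""
	}
	return hex.EncodeToString(h.Sum(nil))
}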
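// getProcpath resolves the /proc/<pid>/exe symlink and returns its target,
// or "" if the link cannot be read: the process has already exited, or the
// caller lacks ptrace access to it (reading another user's exe link needs
// CAP_SYS_PTRACE, i.e. this monitor is expected to run as root).
//
// The result is not guaranteed to be an existing path: when the executed
// file has been unlinked the kernel appends " (deleted)" to the target.
// A binary that deletes itself right after exec is a common evasion and
// still shows up here, with that suffix.
func getProcpath(pid uint32) string {
	target, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", pid))
	if err != nil {
		// Logged, not fatal: short-lived processes routinely exit before
		// the exec event is processed.
		log.Println(err)
		return ""
	}
	return strings.TrimSpace(target)
}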
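// getProcName returns the first line of /proc/<pid>/comm, whitespace-trimmed,
// or "" if the file cannot be opened or read (process already exited, or not
// readable by the caller).
//
// Do not treat comm as a trustworthy identity: it is seeded from the basename
// of the executed file, but any process can overwrite it with
// prctl(PR_SET_NAME), and the kernel truncates it to 15 bytes. A check such
// as "comm == nc" is therefore trivially evaded; use comm only as a hint and
// compare the exe path or hash as well.
func getProcName(pid uint32) string {
	f, err := os.Open(fmt.Sprintf("/proc/%d/comm", pid))
	if err != nil {
		// Return early instead of running Close/Read on a nil *os.File as the
		// previous version did.
		log.Println(err)
		return ""
	}
	defer f.Close()

	// comm is at most 16 bytes, so a single buffered line read suffices.
	line, _, err := bufio.NewReader(f).ReadLine()
	if err != nil && err != io.EOF {
		log.Println(err)
		return ""
	}
	return strings.TrimSpace(string(line))
}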
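// getCmdLine returns /proc/<pid>/cmdline with every NUL argument separator
// replaced by a space, or "" if the file cannot be read (process already
// exited, or a kernel thread / zombie whose cmdline is empty). The trailing
// NUL becomes a trailing space, as before.
//
// The whole file is read instead of one bufio line: the previous
// line-oriented read stopped at the first '\n' inside an argument and at
// bufio's 4096-byte buffer, so an argument containing a newline (for example
// `sh -c $'true\ncat /etc/passwd'`) or a long padding argument hid the rest
// of the command line from the pattern matcher.
//
// Still not authoritative: a process can rewrite its own argv (and move it
// with prctl(PR_SET_MM_ARG_START)) after exec, so what is read here may
// differ from what was executed. Match on exe path/hash too, not cmdline alone.
func getCmdLine(pid uint32) string {
	raw, err := os.ReadFile(fmt.Sprintf("/proc/%d/cmdline", pid))
	if err != nil {
		log.Println(err)
		return ""
	}
	return strings.Replace(string(raw), "\u0000", " ", -1)
}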
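// main subscribes to kernel process-connector exec events and, for every
// event, prints a JSON Exec record followed by three indicator checks:
//   - cmdline against the Aho-Corasick pattern set ("/etc/passwd"),
//   - exe MD5 against the hash set,
//   - comm against the plain name list ("nc").
//
// Needs root: the connector socket requires CAP_NET_ADMIN and reading other
// users' /proc/<pid>/exe requires CAP_SYS_PTRACE. Note that all three checks
// are easy to evade by a process that renames itself (prctl), rewrites argv,
// or simply is a recompiled binary with a different hash; they are examples
// of plumbing, not a detection of record.
func main() {
	// Build the matchers once. The previous version rebuilt all three
	// automata on every event.
	namePatterns := []string{"nc"}
	cmdlineMatcher := ac.NewStringMatcher([]string{"/etc/passwd"})
	hashMatcher := ac.NewStringMatcher([]string{
		"749bda6cb12341b7c83c5bb45579201a",
		"3dd534fc7f982d3d79391e8c26bcf023",
	})

	cn, err := garlic.DialPCNWithEvents([]garlic.EventType{garlic.ProcEventExec})
	if err != nil {
		// Without the connector socket there is nothing to read; the previous
		// version printed the error and then dereferenced the nil connection.
		log.Fatalf("connecting to process connector: %s", err)
	}

	for {
		events, err := cn.ReadPCN()
		if err != nil {
			// Transient netlink errors (e.g. ENOBUFS under exec storms) are
			// expected on this socket; keep reading rather than exit.
			log.Printf("Read fail: %s", err)
			continue
		}
		// ReadPCN may return several events, or none, per call. Indexing
		// data[0] unconditionally, as before, panics on an empty slice and
		// drops every event after the first.
		for _, ev := range events {
			pid := ev.EventData.Pid()

			// Read /proc promptly: short-lived processes vanish, and a
			// process can rewrite comm/argv after exec, so this is a race
			// the monitor can only narrow, not close.
			procname := getProcName(pid)
			procpath := getProcpath(pid)
			cmdline := getCmdLine(pid)
			// Hash through /proc/<pid>/exe rather than the resolved path so
			// that the inode actually executed is hashed even if the file on
			// disk was replaced or unlinked after exec (readlink's
			// " (deleted)" target would not open at all).
			md5hash := getProcMd5(fmt.Sprintf("/proc/%d/exe", pid))

			evt := Exec{
				Procname: procname,
				Pid:      pid,
				Procpath: procpath,
				Cmdline:  cmdline,
				Md5hash:  md5hash,
			}
			jsonEvt, err := json.Marshal(evt)
			if err != nil {
				log.Fatal(err)
			}
			fmt.Println(string(jsonEvt))
			fmt.Println("ac match 1:", cmdlineMatcher.Match([]byte(cmdline)))
			fmt.Println("ac match 2:", hashMatcher.Match([]byte(md5hash)))
			fmt.Println("collection match:", collection.Collect(namePatterns).Contains(procname))
			fmt.Println()
		}
	}
}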
匹配例子