From 9e675658b68dade63d2cfd0a3eefe1b36a686e34 Mon Sep 17 00:00:00 2001 From: yo Date: Mon, 10 Jan 2022 17:51:12 +0100 Subject: [PATCH] Use bufio.NewReader so we can read pipe (/dev/auditpipe or stdin) --- libbsm.go | 663 +++++++++++++++++++++++------------------------------- main.go | 38 +++- 2 files changed, 314 insertions(+), 387 deletions(-) diff --git a/libbsm.go b/libbsm.go index ada4bfe..25d7874 100644 --- a/libbsm.go +++ b/libbsm.go @@ -144,7 +144,7 @@ type event struct { type Record interface { GetType() uint8 // Length() - LoadFromBinary(file *os.File) error + LoadFromBinary(rdr *bufio.Reader) error Print(*os.File, string, int) } @@ -482,29 +482,29 @@ func (h *Header32) GetType() uint8 { } // TODO : Take *io.Reader as arg? -func (h *Header32) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &h.Size) - if err != nil { return fmt.Errorf("Unable to read Header32.Size from file: %v", err) } +func (h *Header32) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &h.Size) + if err != nil { return fmt.Errorf("Unable to read Header32.Size: %v", err) } /* Check for recsize sanity: We already read 32 bits + 8 bits */ if h.Size < (4 + 1) { return fmt.Errorf("Record size is corrupted: %d", h.Size) } - err = binary.Read(file, binary.BigEndian, &h.Version) - if err != nil { return fmt.Errorf("Unable to read Header32.Version from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &h.Version) + if err != nil { return fmt.Errorf("Unable to read Header32.Version: %v", err) } - err = binary.Read(file, binary.BigEndian, &h.E_type) - if err != nil { return fmt.Errorf("Unable to read Header32.E_type from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &h.E_type) + if err != nil { return fmt.Errorf("Unable to read Header32.E_type: %v", err) } - err = binary.Read(file, binary.BigEndian, &h.E_mod) - if err != nil { return fmt.Errorf("Unable to read Header32.E_mod from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &h.E_mod) + if err != nil { return fmt.Errorf("Unable to read Header32.E_mod: %v", err) } - err = binary.Read(file, binary.BigEndian, &h.S) - if err != nil { return fmt.Errorf("Unable to read Header32.S from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &h.S) + if err != nil { return fmt.Errorf("Unable to read Header32.S: %v", err) } - err = binary.Read(file, binary.BigEndian, &h.Msec) - if err != nil { return fmt.Errorf("Unable to read Header32.Msec from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &h.Msec) + if err != nil { return fmt.Errorf("Unable to read Header32.Msec: %v", err) } return nil } @@ -545,43 +545,19 @@ func (e *ExecArg) GetType() uint8 { return AUT_EXEC_ARGS } -func (e *ExecArg) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &e.Count) - if err != nil { return fmt.Errorf("Unable to read ExecArg.Count from file: %v", err) } +func (e *ExecArg) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &e.Count) + if err != nil { return fmt.Errorf("Unable to read ExecArg.Count: %v", err) } - // Get current offset in file - startOf, err := file.Seek(0, io.SeekCurrent) - if err != nil { - return fmt.Errorf("Unable to seek to current position: %v", err) - } - - // TODO : Reinject these alreday read bytes into working flow, to avoir rereading them - chunk := make([]byte, e.Count*MAX_AUDIT_ARG_LENGTH + e.Count) - _, err = file.Read(chunk) - if err != nil { - return fmt.Errorf("Unable to read %d * MAX_AUDIT_ARG_LENGTH from current position: %v", err) - } - // Search for null terminating byte, Count times - totLen := int64(0) - buf := bytes.NewBuffer(chunk) for i := uint32(0) ; i < e.Count ; i++ { - // TODO : Needs a bufio.Reader // Get this arg length - arg, err := buf.ReadBytes((byte)(0x00)) + arg, err := rdr.ReadBytes((byte)(0x00)) if err != nil { - return fmt.Errorf("Error searching for null terminated exec arg: Loop exec n%d, offset of record start: %x, error : %v", i, startOf, err) + return fmt.Errorf("Error searching for null terminated exec arg: Loop exec n%d, error : %v", i, err) } - // Allocate before reading - totLen += int64(len(arg)) - //e.Text = append(e.Text, arg) // Discard last 0 e.Text = append(e.Text, arg[:len(arg)-1]) } - startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) - if err != nil { - return fmt.Errorf("Error seeking offset %x from file", startOf) - } - return nil } @@ -612,37 +588,15 @@ func (p *Path) GetType() uint8 { return AUT_PATH } -func (p *Path) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &p.Length) - if err != nil { return fmt.Errorf("Unable to read Path.Length from file: %v", err) } +func (p *Path) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &p.Length) + if err != nil { return fmt.Errorf("Unable to read Path.Length: %v", err) } - // Get current offset in file - startOf, err := file.Seek(0, io.SeekCurrent) + arg, err := rdr.ReadBytes((byte)(0x00)) if err != nil { - return fmt.Errorf("Unable to seek to current position: %v", err) - } - - // TODO : Reinject these already read bytes into working flow, to avoir rereading them - chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1) - _, err = file.Read(chunk) - if err != nil { - return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err) - } - // Search for null terminating byte - buf := bytes.NewBuffer(chunk) - // TODO : Needs a bufio.Reader - // Get this arg length - arg, err := buf.ReadBytes((byte)(0x00)) - if err != nil { - return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err) - } - totLen := int64(len(arg)) - p.Path = arg[:totLen-1] - - startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) - if err != nil { - return fmt.Errorf("Error seeking offset %x from file", startOf) + return fmt.Errorf("Error searching for null terminated path: error : %v", err) } + p.Path = arg[:len(arg)-1] return nil } @@ -671,24 +625,24 @@ func (a* Attribute32) GetType() uint8 { return AUT_ATTR32 } -func (a *Attribute32) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &a.Mode) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Mode from file: %v", err) } +func (a *Attribute32) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &a.Mode) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Mode: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Uid) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Uid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Uid) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Uid: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Gid) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Gid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Gid) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Gid: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Fsid) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Fsid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Fsid) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Fsid: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Nid) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Nid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Nid) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Nid: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Dev) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Dev from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Dev) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Dev: %v", err) } return nil } @@ -730,24 +684,24 @@ func (a* Attribute64) GetType() uint8 { return AUT_ATTR64 } -func (a *Attribute64) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &a.Mode) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Mode from file: %v", err) } +func (a *Attribute64) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &a.Mode) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Mode: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Uid) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Uid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Uid) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Uid: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Gid) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Gid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Gid) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Gid: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Fsid) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Fsid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Fsid) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Fsid: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Nid) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Nid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Nid) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Nid: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Dev) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Dev from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Dev) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Dev: %v", err) } return nil } @@ -789,27 +743,27 @@ func (s *Subject32) GetType() uint8 { return AUT_SUBJECT32 } -func (s *Subject32) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &s.Auid) - if err != nil { return fmt.Errorf("Unable to read Sibject32.Auid from file: %v", err) } +func (s *Subject32) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &s.Auid) + if err != nil { return fmt.Errorf("Unable to read Sibject32.Auid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Euid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Euid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Euid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Euid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Egid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Egid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Egid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Egid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Ruid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Ruid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Ruid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Ruid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Rgid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Rgid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Rgid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Rgid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Sid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Sid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Sid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Sid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Tid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Tid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Tid: %v", err) } return nil } @@ -860,27 +814,27 @@ func (p *Process32) GetType() uint8 { return AUT_PROCESS32 } -func (p *Process32) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &p.Auid) - if err != nil { return fmt.Errorf("Unable to read Process32.Auid from file: %v", err) } +func (p *Process32) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &p.Auid) + if err != nil { return fmt.Errorf("Unable to read Process32.Auid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Euid) - if err != nil { return fmt.Errorf("Unable to read Process32.Euid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Euid) + if err != nil { return fmt.Errorf("Unable to read Process32.Euid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Egid) - if err != nil { return fmt.Errorf("Unable to read Process32.Egid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Egid) + if err != nil { return fmt.Errorf("Unable to read Process32.Egid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Ruid) - if err != nil { return fmt.Errorf("Unable to read Process32.Ruid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Ruid) + if err != nil { return fmt.Errorf("Unable to read Process32.Ruid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Rgid) - if err != nil { return fmt.Errorf("Unable to read Process32.Rgid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Rgid) + if err != nil { return fmt.Errorf("Unable to read Process32.Rgid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Sid) - if err != nil { return fmt.Errorf("Unable to read Process32.Sid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Sid) + if err != nil { return fmt.Errorf("Unable to read Process32.Sid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Tid) - if err != nil { return fmt.Errorf("Unable to read Process32.Tid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid) + if err != nil { return fmt.Errorf("Unable to read Process32.Tid: %v", err) } return nil } @@ -931,41 +885,41 @@ func (s *Subject32Ex) GetType() uint8 { return AUT_SUBJECT32_EX } -func (s *Subject32Ex) LoadFromBinary(file *os.File) error { +func (s *Subject32Ex) LoadFromBinary(rdr *bufio.Reader) error { - err := binary.Read(file, binary.BigEndian, &s.Auid) - if err != nil { return fmt.Errorf("Unable to read Sibject32Ex.Auid from file: %v", err) } + err := binary.Read(rdr, binary.BigEndian, &s.Auid) + if err != nil { return fmt.Errorf("Unable to read Sibject32Ex.Auid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Euid) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Euid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Euid) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Euid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Egid) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Egid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Egid) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Egid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Ruid) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Ruid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Ruid) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Ruid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Rgid) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Rgid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Rgid) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Rgid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Sid) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Sid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Sid) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Sid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Tid.Port) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Port from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid.Port) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Port: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Ttype from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid.Ttype) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Ttype: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.IpVers from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid.IpVers) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.IpVers: %v", err) } if s.Tid.IpVers == 0x10 { - err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr6 from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr6) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr6: %v", err) } } else if s.Tid.IpVers == 0x04 { - err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr4 from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr4) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr4: %v", err) } } return nil @@ -1024,41 +978,41 @@ func (s *Process32Ex) GetType() uint8 { return AUT_PROCESS32_EX } -func (p *Process32Ex) LoadFromBinary(file *os.File) error { +func (p *Process32Ex) LoadFromBinary(rdr *bufio.Reader) error { - err := binary.Read(file, binary.BigEndian, &p.Auid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Auid from file: %v", err) } + err := binary.Read(rdr, binary.BigEndian, &p.Auid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Auid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Euid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Euid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Euid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Euid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Egid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Egid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Egid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Egid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Ruid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Ruid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Ruid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Ruid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Rgid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Rgid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Rgid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Rgid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Sid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Sid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Sid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Sid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Tid.Port) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Port from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid.Port) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Port: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Ttype from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid.Ttype) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Ttype: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.IpVers from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid.IpVers) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.IpVers: %v", err) } if p.Tid.IpVers == 0x10 { - err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr6 from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr6) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr6: %v", err) } } else if p.Tid.IpVers == 0x04 { - err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr4 from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr4) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr4: %v", err) } } return nil @@ -1119,27 +1073,27 @@ func (s *Subject64) GetType() uint8 { return AUT_SUBJECT64 } -func (s *Subject64) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &s.Auid) - if err != nil { return fmt.Errorf("Unable to read Sibject64.Auid from file: %v", err) } +func (s *Subject64) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &s.Auid) + if err != nil { return fmt.Errorf("Unable to read Sibject64.Auid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Euid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Euid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Euid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Euid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Egid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Egid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Egid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Egid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Ruid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Ruid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Ruid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Ruid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Rgid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Rgid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Rgid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Rgid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Sid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Sid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Sid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Sid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Tid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Tid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Tid: %v", err) } return nil } @@ -1190,27 +1144,27 @@ func (s *Process64) GetType() uint8 { return AUT_PROCESS64 } -func (p *Process64) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &p.Auid) - if err != nil { return fmt.Errorf("Unable to read Process64.Auid from file: %v", err) } +func (p *Process64) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &p.Auid) + if err != nil { return fmt.Errorf("Unable to read Process64.Auid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Euid) - if err != nil { return fmt.Errorf("Unable to read Process64.Euid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Euid) + if err != nil { return fmt.Errorf("Unable to read Process64.Euid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Egid) - if err != nil { return fmt.Errorf("Unable to read Process64.Egid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Egid) + if err != nil { return fmt.Errorf("Unable to read Process64.Egid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Ruid) - if err != nil { return fmt.Errorf("Unable to read Process64.Ruid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Ruid) + if err != nil { return fmt.Errorf("Unable to read Process64.Ruid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Rgid) - if err != nil { return fmt.Errorf("Unable to read Process64.Rgid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Rgid) + if err != nil { return fmt.Errorf("Unable to read Process64.Rgid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Sid) - if err != nil { return fmt.Errorf("Unable to read Process64.Sid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Sid) + if err != nil { return fmt.Errorf("Unable to read Process64.Sid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Tid) - if err != nil { return fmt.Errorf("Unable to read Process64.Tid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid) + if err != nil { return fmt.Errorf("Unable to read Process64.Tid: %v", err) } return nil } @@ -1261,40 +1215,40 @@ func (s *Subject64Ex) GetType() uint8 { return AUT_SUBJECT64_EX } -func (s *Subject64Ex) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &s.Auid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Auid from file: %v", err) } +func (s *Subject64Ex) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &s.Auid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Auid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Euid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Euid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Euid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Euid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Egid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Egid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Egid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Egid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Ruid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Ruid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Ruid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Ruid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Rgid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Rgid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Rgid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Rgid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Sid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Sid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Sid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Sid: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Tid.Port) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Port from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid.Port) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Port: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Ttype from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid.Ttype) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Ttype: %v", err) } - err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.IpVers from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid.IpVers) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.IpVers: %v", err) } if s.Tid.IpVers == 0x10 { - err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr6 from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr6) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr6: %v", err) } } else if s.Tid.IpVers == 0x04 { - err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr4 from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr4) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr4: %v", err) } } return nil @@ -1354,40 +1308,40 @@ func (p *Process64Ex) GetType() uint8 { return AUT_PROCESS64_EX } -func (p *Process64Ex) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &p.Auid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Auid from file: %v", err) } +func (p *Process64Ex) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &p.Auid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Auid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Euid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Euid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Euid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Euid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Egid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Egid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Egid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Egid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Ruid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Ruid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Ruid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Ruid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Rgid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Rgid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Rgid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Rgid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Sid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Sid from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Sid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Sid: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Tid.Port) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Port from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid.Port) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Port: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Ttype from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid.Ttype) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Ttype: %v", err) } - err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.IpVers from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid.IpVers) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.IpVers: %v", err) } if p.Tid.IpVers == 0x10 { - err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr6 from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr6) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr6: %v", err) } } else if p.Tid.IpVers == 0x04 { - err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr4 from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr4) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr4: %v", err) } } return nil @@ -1441,12 +1395,12 @@ func (r *Return32) GetType() uint8 { return AUT_RETURN32 } -func (r *Return32) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &r.Status) - if err != nil { return fmt.Errorf("Unable to read Return32.Status from file: %v", err) } +func (r *Return32) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &r.Status) + if err != nil { return fmt.Errorf("Unable to read Return32.Status: %v", err) } - err = binary.Read(file, binary.BigEndian, &r.Ret) - if err != nil { return fmt.Errorf("Unable to read Return32.Ret from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &r.Ret) + if err != nil { return fmt.Errorf("Unable to read Return32.Ret: %v", err) } return nil } @@ -1471,12 +1425,12 @@ func (r *Return64) GetType() uint8 { return AUT_RETURN64 } -func (r *Return64) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &r.Status) - if err != nil { return fmt.Errorf("Unable to read Return64.Status from file: %v", err) } +func (r *Return64) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &r.Status) + if err != nil { return fmt.Errorf("Unable to read Return64.Status: %v", err) } - err = binary.Read(file, binary.BigEndian, &r.Ret) - if err != nil { return fmt.Errorf("Unable to read Return64.Ret from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &r.Ret) + if err != nil { return fmt.Errorf("Unable to read Return64.Ret: %v", err) } return nil } @@ -1501,12 +1455,12 @@ func (t *Trailer) GetType() uint8 { return AUT_TRAILER } -func (t *Trailer) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &t.Magic) - if err != nil { return fmt.Errorf("Unable to read Trailer.Magic from file: %v", err) } +func (t *Trailer) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &t.Magic) + if err != nil { return fmt.Errorf("Unable to read Trailer.Magic: %v", err) } - err = binary.Read(file, binary.BigEndian, &t.Count) - if err != nil { return fmt.Errorf("Unable to read Trailer.Count from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &t.Count) + if err != nil { return fmt.Errorf("Unable to read Trailer.Count: %v", err) } return nil } @@ -1530,42 +1484,22 @@ func (a *Arg32) GetType() uint8 { return AUT_ARG32 } -func (a *Arg32) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &a.No) - if err != nil { return fmt.Errorf("Unable to read Arg32.No from file: %v", err) } +func (a *Arg32) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &a.No) + if err != nil { return fmt.Errorf("Unable to read Arg32.No: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Val) - if err != nil { return fmt.Errorf("Unable to read Arg32.Val from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Val) + if err != nil { return fmt.Errorf("Unable to read Arg32.Val: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Length) - if err != nil { return fmt.Errorf("Unable to read Arg32.Length from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Length) + if err != nil { return fmt.Errorf("Unable to read Arg32.Length: %v", err) } - // Get current offset in file - startOf, err := file.Seek(0, io.SeekCurrent) - if err != nil { - return fmt.Errorf("Unable to seek to current position: %v", err) - } - - // TODO : Reinject these already read bytes into working flow, to avoir rereading them - chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1) - _, err = file.Read(chunk) - if err != nil { - return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err) - } // Search for null terminating byte - buf := bytes.NewBuffer(chunk) - // Get this arg length - arg, err := buf.ReadBytes((byte)(0x00)) + arg, err := rdr.ReadBytes((byte)(0x00)) if err != nil { - return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err) - } - totLen := int64(len(arg)) - a.Text = arg[:totLen-1] - - startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) - if err != nil { - return fmt.Errorf("Error seeking offset %x from file", startOf) + return fmt.Errorf("Error searching for null terminated path: %v", err) } + a.Text = arg[:len(arg)-1] return nil } @@ -1592,42 +1526,22 @@ func (a *Arg64) GetType() uint8 { return AUT_ARG64 } -func (a *Arg64) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &a.No) - if err != nil { return fmt.Errorf("Unable to read Arg64.No from file: %v", err) } +func (a *Arg64) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &a.No) + if err != nil { return fmt.Errorf("Unable to read Arg64.No: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Val) - if err != nil { return fmt.Errorf("Unable to read Arg64.Val from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Val) + if err != nil { return fmt.Errorf("Unable to read Arg64.Val: %v", err) } - err = binary.Read(file, binary.BigEndian, &a.Length) - if err != nil { return fmt.Errorf("Unable to read Arg64.Length from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &a.Length) + if err != nil { return fmt.Errorf("Unable to read Arg64.Length: %v", err) } - // Get current offset in file - startOf, err := file.Seek(0, io.SeekCurrent) - if err != nil { - return fmt.Errorf("Unable to seek to current position: %v", err) - } - - // TODO : Reinject these already read bytes into working flow, to avoir rereading them - chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1) - _, err = file.Read(chunk) - if err != nil { - return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err) - } // Search for null terminating byte - buf := bytes.NewBuffer(chunk) - // Get this arg length - arg, err := buf.ReadBytes((byte)(0x00)) + arg, err := rdr.ReadBytes((byte)(0x00)) if err != nil { - return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err) - } - totLen := int64(len(arg)) - a.Text = arg[:totLen-1] - - startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) - if err != nil { - return fmt.Errorf("Error seeking offset %x from file", startOf) + return fmt.Errorf("Error searching for null terminated path: %v", err) } + a.Text = arg[:len(arg)-1] return nil } @@ -1652,12 +1566,12 @@ func (e *Exit) GetType() uint8 { return AUT_EXIT } -func (e *Exit) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &e.Status) - if err != nil { return fmt.Errorf("Unable to read Exit.Status from file: %v", err) } +func (e *Exit) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &e.Status) + if err != nil { return fmt.Errorf("Unable to read Exit.Status: %v", err) } - err = binary.Read(file, binary.BigEndian, &e.Ret) - if err != nil { return fmt.Errorf("Unable to read Exit.Ret from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &e.Ret) + if err != nil { return fmt.Errorf("Unable to read Exit.Ret: %v", err) } return nil } @@ -1682,14 +1596,14 @@ func (t *Text) GetType() uint8 { return AUT_TEXT } -func (t *Text) LoadFromBinary(file *os.File) error { - err := binary.Read(file, binary.BigEndian, &t.Length) - if err != nil { return fmt.Errorf("Unable to read Text.Length from file: %v", err) } +func (t *Text) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &t.Length) + if err != nil { return fmt.Errorf("Unable to read Text.Length: %v", err) } text := make([]byte, t.Length) - err = binary.Read(file, binary.BigEndian, &text) - if err != nil { return fmt.Errorf("Unable to read Text.Text from file: %v", err) } + err = binary.Read(rdr, binary.BigEndian, &text) + if err != nil { return fmt.Errorf("Unable to read Text.Text: %v", err) } t.Text = text[:len(text)-1] return nil @@ -1704,112 +1618,107 @@ func (t *Text) Print(file *os.File, delimiter string, flags int) { } } -func readRecordToStruct(file *os.File) (Record, error) { +func readRecordToStruct(reader *bufio.Reader) (Record, error) { var rec Record hdr := make([]byte, 1) - n, err := file.Read(hdr) + n, err := reader.Read(hdr) if err != nil || n < 1 { if err != io.EOF { - return rec, fmt.Errorf("Unable to read header ID in file: %v", err) + return rec, fmt.Errorf("Unable to read header ID: %v", err) } return rec, err } - // DEBUG -/* startOf, _ := file.Seek(0, io.SeekCurrent) - fmt.Printf("Offset dans le fichier : %x\n", startOf) -*/ switch (int8)(hdr[0]) { case AUT_HEADER32: var h Header32 - err := h.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := h.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewHeader32(h), nil case AUT_EXEC_ARGS: var e ExecArg - err := e.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := e.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewExecArg(e), nil case AUT_PATH: var p Path - err := p.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := p.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewPath(p), nil case AUT_ATTR32: var a Attribute32 - err := a.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := a.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewAttribute32(a), nil case AUT_ATTR64: var a Attribute64 - err := a.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := a.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewAttribute64(a), nil case AUT_SUBJECT32: var s Subject32 - err := s.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := s.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewSubject32(s), nil case AUT_SUBJECT32_EX: var s Subject32Ex - err := s.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := s.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewSubject32Ex(s), nil case AUT_RETURN32: var r Return32 - err := r.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := r.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewReturn32(r), nil case AUT_TRAILER: var t Trailer - err := t.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := t.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewTrailer(t), nil case AUT_ARG32: var a Arg32 - err := a.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := a.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewArg32(a), nil case AUT_ARG64: var a Arg64 - err := a.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := a.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewArg64(a), nil case AUT_EXIT: var e Exit - err := e.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := e.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewExit(e), nil case AUT_PROCESS32: var p Process32 - err := p.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := p.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewProcess32(p), nil case AUT_PROCESS32_EX: var p Process32Ex - err := p.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := p.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewProcess32Ex(p), nil case AUT_PROCESS64: var p Process64 - err := p.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := p.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewProcess64(p), nil case AUT_PROCESS64_EX: var p Process64Ex - err := p.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := p.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewProcess64Ex(p), nil case AUT_TEXT: var t Text - err := t.LoadFromBinary(file) - if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + err := t.LoadFromBinary(reader) + if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } return NewText(t), nil } - startOf, _ := file.Seek(0, io.SeekCurrent) - return rec, fmt.Errorf("Event type not supported: 0x%x at offset 0x%x", hdr[0], startOf) + return rec, fmt.Errorf("Event type not supported: 0x%x", hdr[0]) } diff --git a/main.go b/main.go index 300bdde..daea669 100644 --- a/main.go +++ b/main.go @@ -5,12 +5,18 @@ // /* -% time ./godit 20211228134923.20211228151348 > godit.log -11.599u 38.235s 0:48.25 103.2% 1045+553k 1+2262168io 4pf+0w % time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log 101.728u 7.315s 1:49.09 99.9% 10+167k 0+191152io 0pf+0w + +% time ./godit 20211228134923.20211228151348 > godit.log +11.599u 38.235s 0:48.25 103.2% 1045+553k 1+2262168io 4pf+0w % ./godit -V Godit v0.03 + +% time ./godit 20211228134923.20211228151348 > 20211228134923.20211228151348.godit3 +7.183u 19.590s 0:25.98 103.0% 1038+559k 0+2262168io 0pf+0w +% ./godit -V +Godit v0.4.3 */ package main @@ -19,11 +25,13 @@ import ( "io" "os" "fmt" + "bufio" + "strings" "github.com/spf13/pflag" ) const ( - version = "0.4" + version = "0.4.3" ) var ( @@ -66,27 +74,37 @@ func main() { } args := os.Args - filename := args[len(args)-1] /* fmt.Printf("Args: %s\n", args) fmt.Printf("Filename: %s\n", filename) */ + var f *os.File + var r *bufio.Reader + var err error if len(filename) > 0 { - f, err := os.Open(filename) - if err != nil { - fmt.Printf("Impossible d'ouvrir le fichier %s\n", filename) - return + // If arg is "-", open stdin to read content + if true == strings.EqualFold(filename, "-") { + r = bufio.NewReader(os.Stdin) + } else { + f, err = os.Open(filename) + if err != nil { + fmt.Printf("Impossible d'ouvrir le fichier %s\n", filename) + return + } + r = bufio.NewReader(f) } + //for i := 0 ; i < 20 ; i++ { for { - rec, err := readRecordToStruct(f) + rec, err := readRecordToStruct(r) if err != nil { if err != io.EOF { fmt.Printf("Erreur : %v\n", err) + } else { // v.0.4.2 : Continue on error + return } - return } rec.Print(os.Stdout, ",", flags) }