yo/libbsm
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Use bufio.NewReader so we can read pipe (/dev/auditpipe or stdin)

Browse Source
This commit is contained in:
yo
2022-01-10 17:51:12 +01:00
parent 417f387f3c
commit 9e675658b6
2 changed files with 314 additions and 387 deletions
Download Patch File Download Diff File Expand all files Collapse all files

663
libbsm.go
View File

@ -144,7 +144,7 @@ type event struct {
type Record interface { type Record interface {
GetType() uint8 GetType() uint8
// Length() // Length()
LoadFromBinary(file *os.File) error LoadFromBinary(rdr *bufio.Reader) error
Print(*os.File, string, int) Print(*os.File, string, int)
} }
@ -482,29 +482,29 @@ func (h *Header32) GetType() uint8 {
} }
// TODO : Take *io.Reader as arg? // TODO : Take *io.Reader as arg?
func (h *Header32) LoadFromBinary(file *os.File) error { func (h *Header32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &h.Size) err := binary.Read(rdr, binary.BigEndian, &h.Size)
if err != nil { return fmt.Errorf("Unable to read Header32.Size from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Header32.Size: %v", err) }
/* Check for recsize sanity: We already read 32 bits + 8 bits */ /* Check for recsize sanity: We already read 32 bits + 8 bits */
if h.Size < (4 + 1) { if h.Size < (4 + 1) {
return fmt.Errorf("Record size is corrupted: %d", h.Size) return fmt.Errorf("Record size is corrupted: %d", h.Size)
} }
err = binary.Read(file, binary.BigEndian, &h.Version) err = binary.Read(rdr, binary.BigEndian, &h.Version)
if err != nil { return fmt.Errorf("Unable to read Header32.Version from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Header32.Version: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.E_type) err = binary.Read(rdr, binary.BigEndian, &h.E_type)
if err != nil { return fmt.Errorf("Unable to read Header32.E_type from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Header32.E_type: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.E_mod) err = binary.Read(rdr, binary.BigEndian, &h.E_mod)
if err != nil { return fmt.Errorf("Unable to read Header32.E_mod from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Header32.E_mod: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.S) err = binary.Read(rdr, binary.BigEndian, &h.S)
if err != nil { return fmt.Errorf("Unable to read Header32.S from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Header32.S: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.Msec) err = binary.Read(rdr, binary.BigEndian, &h.Msec)
if err != nil { return fmt.Errorf("Unable to read Header32.Msec from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Header32.Msec: %v", err) }
return nil return nil
} }
@ -545,43 +545,19 @@ func (e *ExecArg) GetType() uint8 {
return AUT_EXEC_ARGS return AUT_EXEC_ARGS
} }
func (e *ExecArg) LoadFromBinary(file *os.File) error { func (e *ExecArg) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &e.Count) err := binary.Read(rdr, binary.BigEndian, &e.Count)
if err != nil { return fmt.Errorf("Unable to read ExecArg.Count from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read ExecArg.Count: %v", err) }
// Get current offset in file
startOf, err := file.Seek(0, io.SeekCurrent)
if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err)
}
// TODO : Reinject these alreday read bytes into working flow, to avoir rereading them
chunk := make([]byte, e.Count*MAX_AUDIT_ARG_LENGTH + e.Count)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read %d * MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte, Count times
totLen := int64(0)
buf := bytes.NewBuffer(chunk)
for i := uint32(0) ; i < e.Count ; i++ { for i := uint32(0) ; i < e.Count ; i++ {
// TODO : Needs a bufio.Reader
// Get this arg length // Get this arg length
arg, err := buf.ReadBytes((byte)(0x00)) arg, err := rdr.ReadBytes((byte)(0x00))
if err != nil { if err != nil {
return fmt.Errorf("Error searching for null terminated exec arg: Loop exec n%d, offset of record start: %x, error : %v", i, startOf, err) return fmt.Errorf("Error searching for null terminated exec arg: Loop exec n%d, error : %v", i, err)
} }
// Allocate before reading
totLen += int64(len(arg))
//e.Text = append(e.Text, arg) // Discard last 0
e.Text = append(e.Text, arg[:len(arg)-1]) e.Text = append(e.Text, arg[:len(arg)-1])
} }
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
}
return nil return nil
} }
@ -612,37 +588,15 @@ func (p *Path) GetType() uint8 {
return AUT_PATH return AUT_PATH
} }
func (p *Path) LoadFromBinary(file *os.File) error { func (p *Path) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &p.Length) err := binary.Read(rdr, binary.BigEndian, &p.Length)
if err != nil { return fmt.Errorf("Unable to read Path.Length from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Path.Length: %v", err) }
// Get current offset in file arg, err := rdr.ReadBytes((byte)(0x00))
startOf, err := file.Seek(0, io.SeekCurrent)
if err != nil { if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err) return fmt.Errorf("Error searching for null terminated path: error : %v", err)
}
// TODO : Reinject these already read bytes into working flow, to avoir rereading them
chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte
buf := bytes.NewBuffer(chunk)
// TODO : Needs a bufio.Reader
// Get this arg length
arg, err := buf.ReadBytes((byte)(0x00))
if err != nil {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err)
}
totLen := int64(len(arg))
p.Path = arg[:totLen-1]
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
} }
p.Path = arg[:len(arg)-1]
return nil return nil
} }
@ -671,24 +625,24 @@ func (a* Attribute32) GetType() uint8 {
return AUT_ATTR32 return AUT_ATTR32
} }
func (a *Attribute32) LoadFromBinary(file *os.File) error { func (a *Attribute32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &a.Mode) err := binary.Read(rdr, binary.BigEndian, &a.Mode)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Mode from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute32.Mode: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Uid) err = binary.Read(rdr, binary.BigEndian, &a.Uid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Uid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute32.Uid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Gid) err = binary.Read(rdr, binary.BigEndian, &a.Gid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Gid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute32.Gid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Fsid) err = binary.Read(rdr, binary.BigEndian, &a.Fsid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Fsid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute32.Fsid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Nid) err = binary.Read(rdr, binary.BigEndian, &a.Nid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Nid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute32.Nid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Dev) err = binary.Read(rdr, binary.BigEndian, &a.Dev)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Dev from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute32.Dev: %v", err) }
return nil return nil
} }
@ -730,24 +684,24 @@ func (a* Attribute64) GetType() uint8 {
return AUT_ATTR64 return AUT_ATTR64
} }
func (a *Attribute64) LoadFromBinary(file *os.File) error { func (a *Attribute64) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &a.Mode) err := binary.Read(rdr, binary.BigEndian, &a.Mode)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Mode from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute64.Mode: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Uid) err = binary.Read(rdr, binary.BigEndian, &a.Uid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Uid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute64.Uid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Gid) err = binary.Read(rdr, binary.BigEndian, &a.Gid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Gid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute64.Gid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Fsid) err = binary.Read(rdr, binary.BigEndian, &a.Fsid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Fsid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute64.Fsid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Nid) err = binary.Read(rdr, binary.BigEndian, &a.Nid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Nid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute64.Nid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Dev) err = binary.Read(rdr, binary.BigEndian, &a.Dev)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Dev from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Attribute64.Dev: %v", err) }
return nil return nil
} }
@ -789,27 +743,27 @@ func (s *Subject32) GetType() uint8 {
return AUT_SUBJECT32 return AUT_SUBJECT32
} }
func (s *Subject32) LoadFromBinary(file *os.File) error { func (s *Subject32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &s.Auid) err := binary.Read(rdr, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject32.Auid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Sibject32.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid) err = binary.Read(rdr, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Euid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid) err = binary.Read(rdr, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Egid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid) err = binary.Read(rdr, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Ruid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid) err = binary.Read(rdr, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Rgid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid) err = binary.Read(rdr, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Sid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid) err = binary.Read(rdr, binary.BigEndian, &s.Tid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Tid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32.Tid: %v", err) }
return nil return nil
} }
@ -860,27 +814,27 @@ func (p *Process32) GetType() uint8 {
return AUT_PROCESS32 return AUT_PROCESS32
} }
func (p *Process32) LoadFromBinary(file *os.File) error { func (p *Process32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &p.Auid) err := binary.Read(rdr, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process32.Auid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid) err = binary.Read(rdr, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process32.Euid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid) err = binary.Read(rdr, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process32.Egid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid) err = binary.Read(rdr, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process32.Ruid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid) err = binary.Read(rdr, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process32.Rgid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid) err = binary.Read(rdr, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process32.Sid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid) err = binary.Read(rdr, binary.BigEndian, &p.Tid)
if err != nil { return fmt.Errorf("Unable to read Process32.Tid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32.Tid: %v", err) }
return nil return nil
} }
@ -931,41 +885,41 @@ func (s *Subject32Ex) GetType() uint8 {
return AUT_SUBJECT32_EX return AUT_SUBJECT32_EX
} }
func (s *Subject32Ex) LoadFromBinary(file *os.File) error { func (s *Subject32Ex) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &s.Auid) err := binary.Read(rdr, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject32Ex.Auid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Sibject32Ex.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid) err = binary.Read(rdr, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Euid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid) err = binary.Read(rdr, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Egid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid) err = binary.Read(rdr, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Ruid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid) err = binary.Read(rdr, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Rgid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid) err = binary.Read(rdr, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Sid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Port) err = binary.Read(rdr, binary.BigEndian, &s.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Port from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Port: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype) err = binary.Read(rdr, binary.BigEndian, &s.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Ttype from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Ttype: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers) err = binary.Read(rdr, binary.BigEndian, &s.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.IpVers from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.IpVers: %v", err) }
if s.Tid.IpVers == 0x10 { if s.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6) err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr6 from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr6: %v", err) }
} else if s.Tid.IpVers == 0x04 { } else if s.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4) err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr4 from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr4: %v", err) }
} }
return nil return nil
@ -1024,41 +978,41 @@ func (s *Process32Ex) GetType() uint8 {
return AUT_PROCESS32_EX return AUT_PROCESS32_EX
} }
func (p *Process32Ex) LoadFromBinary(file *os.File) error { func (p *Process32Ex) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &p.Auid) err := binary.Read(rdr, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Auid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32Ex.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid) err = binary.Read(rdr, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Euid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32Ex.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid) err = binary.Read(rdr, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Egid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32Ex.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid) err = binary.Read(rdr, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Ruid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32Ex.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid) err = binary.Read(rdr, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Rgid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32Ex.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid) err = binary.Read(rdr, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Sid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32Ex.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Port) err = binary.Read(rdr, binary.BigEndian, &p.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Port from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Port: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype) err = binary.Read(rdr, binary.BigEndian, &p.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Ttype from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Ttype: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers) err = binary.Read(rdr, binary.BigEndian, &p.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.IpVers from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.IpVers: %v", err) }
if p.Tid.IpVers == 0x10 { if p.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6) err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr6 from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr6: %v", err) }
} else if p.Tid.IpVers == 0x04 { } else if p.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4) err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr4 from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr4: %v", err) }
} }
return nil return nil
@ -1119,27 +1073,27 @@ func (s *Subject64) GetType() uint8 {
return AUT_SUBJECT64 return AUT_SUBJECT64
} }
func (s *Subject64) LoadFromBinary(file *os.File) error { func (s *Subject64) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &s.Auid) err := binary.Read(rdr, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject64.Auid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Sibject64.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid) err = binary.Read(rdr, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Euid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid) err = binary.Read(rdr, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Egid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid) err = binary.Read(rdr, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Ruid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid) err = binary.Read(rdr, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Rgid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid) err = binary.Read(rdr, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Sid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid) err = binary.Read(rdr, binary.BigEndian, &s.Tid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Tid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64.Tid: %v", err) }
return nil return nil
} }
@ -1190,27 +1144,27 @@ func (s *Process64) GetType() uint8 {
return AUT_PROCESS64 return AUT_PROCESS64
} }
func (p *Process64) LoadFromBinary(file *os.File) error { func (p *Process64) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &p.Auid) err := binary.Read(rdr, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process64.Auid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid) err = binary.Read(rdr, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process64.Euid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid) err = binary.Read(rdr, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process64.Egid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid) err = binary.Read(rdr, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process64.Ruid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid) err = binary.Read(rdr, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process64.Rgid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid) err = binary.Read(rdr, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process64.Sid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid) err = binary.Read(rdr, binary.BigEndian, &p.Tid)
if err != nil { return fmt.Errorf("Unable to read Process64.Tid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64.Tid: %v", err) }
return nil return nil
} }
@ -1261,40 +1215,40 @@ func (s *Subject64Ex) GetType() uint8 {
return AUT_SUBJECT64_EX return AUT_SUBJECT64_EX
} }
func (s *Subject64Ex) LoadFromBinary(file *os.File) error { func (s *Subject64Ex) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &s.Auid) err := binary.Read(rdr, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Auid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid) err = binary.Read(rdr, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Euid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid) err = binary.Read(rdr, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Egid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid) err = binary.Read(rdr, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Ruid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid) err = binary.Read(rdr, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Rgid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid) err = binary.Read(rdr, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Sid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Port) err = binary.Read(rdr, binary.BigEndian, &s.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Port from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Port: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype) err = binary.Read(rdr, binary.BigEndian, &s.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Ttype from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Ttype: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers) err = binary.Read(rdr, binary.BigEndian, &s.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.IpVers from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.IpVers: %v", err) }
if s.Tid.IpVers == 0x10 { if s.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6) err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr6 from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr6: %v", err) }
} else if s.Tid.IpVers == 0x04 { } else if s.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4) err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr4 from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr4: %v", err) }
} }
return nil return nil
@ -1354,40 +1308,40 @@ func (p *Process64Ex) GetType() uint8 {
return AUT_PROCESS64_EX return AUT_PROCESS64_EX
} }
func (p *Process64Ex) LoadFromBinary(file *os.File) error { func (p *Process64Ex) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &p.Auid) err := binary.Read(rdr, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Auid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64Ex.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid) err = binary.Read(rdr, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Euid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64Ex.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid) err = binary.Read(rdr, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Egid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64Ex.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid) err = binary.Read(rdr, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Ruid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64Ex.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid) err = binary.Read(rdr, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Rgid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64Ex.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid) err = binary.Read(rdr, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Sid from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64Ex.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Port) err = binary.Read(rdr, binary.BigEndian, &p.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Port from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Port: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype) err = binary.Read(rdr, binary.BigEndian, &p.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Ttype from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Ttype: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers) err = binary.Read(rdr, binary.BigEndian, &p.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.IpVers from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.IpVers: %v", err) }
if p.Tid.IpVers == 0x10 { if p.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6) err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr6 from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr6: %v", err) }
} else if p.Tid.IpVers == 0x04 { } else if p.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4) err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr4 from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr4: %v", err) }
} }
return nil return nil
@ -1441,12 +1395,12 @@ func (r *Return32) GetType() uint8 {
return AUT_RETURN32 return AUT_RETURN32
} }
func (r *Return32) LoadFromBinary(file *os.File) error { func (r *Return32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &r.Status) err := binary.Read(rdr, binary.BigEndian, &r.Status)
if err != nil { return fmt.Errorf("Unable to read Return32.Status from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Return32.Status: %v", err) }
err = binary.Read(file, binary.BigEndian, &r.Ret) err = binary.Read(rdr, binary.BigEndian, &r.Ret)
if err != nil { return fmt.Errorf("Unable to read Return32.Ret from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Return32.Ret: %v", err) }
return nil return nil
} }
@ -1471,12 +1425,12 @@ func (r *Return64) GetType() uint8 {
return AUT_RETURN64 return AUT_RETURN64
} }
func (r *Return64) LoadFromBinary(file *os.File) error { func (r *Return64) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &r.Status) err := binary.Read(rdr, binary.BigEndian, &r.Status)
if err != nil { return fmt.Errorf("Unable to read Return64.Status from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Return64.Status: %v", err) }
err = binary.Read(file, binary.BigEndian, &r.Ret) err = binary.Read(rdr, binary.BigEndian, &r.Ret)
if err != nil { return fmt.Errorf("Unable to read Return64.Ret from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Return64.Ret: %v", err) }
return nil return nil
} }
@ -1501,12 +1455,12 @@ func (t *Trailer) GetType() uint8 {
return AUT_TRAILER return AUT_TRAILER
} }
func (t *Trailer) LoadFromBinary(file *os.File) error { func (t *Trailer) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &t.Magic) err := binary.Read(rdr, binary.BigEndian, &t.Magic)
if err != nil { return fmt.Errorf("Unable to read Trailer.Magic from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Trailer.Magic: %v", err) }
err = binary.Read(file, binary.BigEndian, &t.Count) err = binary.Read(rdr, binary.BigEndian, &t.Count)
if err != nil { return fmt.Errorf("Unable to read Trailer.Count from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Trailer.Count: %v", err) }
return nil return nil
} }
@ -1530,42 +1484,22 @@ func (a *Arg32) GetType() uint8 {
return AUT_ARG32 return AUT_ARG32
} }
func (a *Arg32) LoadFromBinary(file *os.File) error { func (a *Arg32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &a.No) err := binary.Read(rdr, binary.BigEndian, &a.No)
if err != nil { return fmt.Errorf("Unable to read Arg32.No from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Arg32.No: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Val) err = binary.Read(rdr, binary.BigEndian, &a.Val)
if err != nil { return fmt.Errorf("Unable to read Arg32.Val from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Arg32.Val: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Length) err = binary.Read(rdr, binary.BigEndian, &a.Length)
if err != nil { return fmt.Errorf("Unable to read Arg32.Length from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Arg32.Length: %v", err) }
// Get current offset in file
startOf, err := file.Seek(0, io.SeekCurrent)
if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err)
}
// TODO : Reinject these already read bytes into working flow, to avoir rereading them
chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte // Search for null terminating byte
buf := bytes.NewBuffer(chunk) arg, err := rdr.ReadBytes((byte)(0x00))
// Get this arg length
arg, err := buf.ReadBytes((byte)(0x00))
if err != nil { if err != nil {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err) return fmt.Errorf("Error searching for null terminated path: %v", err)
}
totLen := int64(len(arg))
a.Text = arg[:totLen-1]
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
} }
a.Text = arg[:len(arg)-1]
return nil return nil
} }
@ -1592,42 +1526,22 @@ func (a *Arg64) GetType() uint8 {
return AUT_ARG64 return AUT_ARG64
} }
func (a *Arg64) LoadFromBinary(file *os.File) error { func (a *Arg64) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &a.No) err := binary.Read(rdr, binary.BigEndian, &a.No)
if err != nil { return fmt.Errorf("Unable to read Arg64.No from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Arg64.No: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Val) err = binary.Read(rdr, binary.BigEndian, &a.Val)
if err != nil { return fmt.Errorf("Unable to read Arg64.Val from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Arg64.Val: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Length) err = binary.Read(rdr, binary.BigEndian, &a.Length)
if err != nil { return fmt.Errorf("Unable to read Arg64.Length from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Arg64.Length: %v", err) }
// Get current offset in file
startOf, err := file.Seek(0, io.SeekCurrent)
if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err)
}
// TODO : Reinject these already read bytes into working flow, to avoir rereading them
chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte // Search for null terminating byte
buf := bytes.NewBuffer(chunk) arg, err := rdr.ReadBytes((byte)(0x00))
// Get this arg length
arg, err := buf.ReadBytes((byte)(0x00))
if err != nil { if err != nil {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err) return fmt.Errorf("Error searching for null terminated path: %v", err)
}
totLen := int64(len(arg))
a.Text = arg[:totLen-1]
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
} }
a.Text = arg[:len(arg)-1]
return nil return nil
} }
@ -1652,12 +1566,12 @@ func (e *Exit) GetType() uint8 {
return AUT_EXIT return AUT_EXIT
} }
func (e *Exit) LoadFromBinary(file *os.File) error { func (e *Exit) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &e.Status) err := binary.Read(rdr, binary.BigEndian, &e.Status)
if err != nil { return fmt.Errorf("Unable to read Exit.Status from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Exit.Status: %v", err) }
err = binary.Read(file, binary.BigEndian, &e.Ret) err = binary.Read(rdr, binary.BigEndian, &e.Ret)
if err != nil { return fmt.Errorf("Unable to read Exit.Ret from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Exit.Ret: %v", err) }
return nil return nil
} }
@ -1682,14 +1596,14 @@ func (t *Text) GetType() uint8 {
return AUT_TEXT return AUT_TEXT
} }
func (t *Text) LoadFromBinary(file *os.File) error { func (t *Text) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &t.Length) err := binary.Read(rdr, binary.BigEndian, &t.Length)
if err != nil { return fmt.Errorf("Unable to read Text.Length from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Text.Length: %v", err) }
text := make([]byte, t.Length) text := make([]byte, t.Length)
err = binary.Read(file, binary.BigEndian, &text) err = binary.Read(rdr, binary.BigEndian, &text)
if err != nil { return fmt.Errorf("Unable to read Text.Text from file: %v", err) } if err != nil { return fmt.Errorf("Unable to read Text.Text: %v", err) }
t.Text = text[:len(text)-1] t.Text = text[:len(text)-1]
return nil return nil
@ -1704,112 +1618,107 @@ func (t *Text) Print(file *os.File, delimiter string, flags int) {
} }
} }
func readRecordToStruct(file *os.File) (Record, error) { func readRecordToStruct(reader *bufio.Reader) (Record, error) {
var rec Record var rec Record
hdr := make([]byte, 1) hdr := make([]byte, 1)
n, err := file.Read(hdr) n, err := reader.Read(hdr)
if err != nil || n < 1 { if err != nil || n < 1 {
if err != io.EOF { if err != io.EOF {
return rec, fmt.Errorf("Unable to read header ID in file: %v", err) return rec, fmt.Errorf("Unable to read header ID: %v", err)
} }
return rec, err return rec, err
} }
// DEBUG
/* startOf, _ := file.Seek(0, io.SeekCurrent)
fmt.Printf("Offset dans le fichier : %x\n", startOf)
*/
switch (int8)(hdr[0]) { switch (int8)(hdr[0]) {
case AUT_HEADER32: case AUT_HEADER32:
var h Header32 var h Header32
err := h.LoadFromBinary(file) err := h.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewHeader32(h), nil return NewHeader32(h), nil
case AUT_EXEC_ARGS: case AUT_EXEC_ARGS:
var e ExecArg var e ExecArg
err := e.LoadFromBinary(file) err := e.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewExecArg(e), nil return NewExecArg(e), nil
case AUT_PATH: case AUT_PATH:
var p Path var p Path
err := p.LoadFromBinary(file) err := p.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewPath(p), nil return NewPath(p), nil
case AUT_ATTR32: case AUT_ATTR32:
var a Attribute32 var a Attribute32
err := a.LoadFromBinary(file) err := a.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewAttribute32(a), nil return NewAttribute32(a), nil
case AUT_ATTR64: case AUT_ATTR64:
var a Attribute64 var a Attribute64
err := a.LoadFromBinary(file) err := a.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewAttribute64(a), nil return NewAttribute64(a), nil
case AUT_SUBJECT32: case AUT_SUBJECT32:
var s Subject32 var s Subject32
err := s.LoadFromBinary(file) err := s.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewSubject32(s), nil return NewSubject32(s), nil
case AUT_SUBJECT32_EX: case AUT_SUBJECT32_EX:
var s Subject32Ex var s Subject32Ex
err := s.LoadFromBinary(file) err := s.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewSubject32Ex(s), nil return NewSubject32Ex(s), nil
case AUT_RETURN32: case AUT_RETURN32:
var r Return32 var r Return32
err := r.LoadFromBinary(file) err := r.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewReturn32(r), nil return NewReturn32(r), nil
case AUT_TRAILER: case AUT_TRAILER:
var t Trailer var t Trailer
err := t.LoadFromBinary(file) err := t.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewTrailer(t), nil return NewTrailer(t), nil
case AUT_ARG32: case AUT_ARG32:
var a Arg32 var a Arg32
err := a.LoadFromBinary(file) err := a.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewArg32(a), nil return NewArg32(a), nil
case AUT_ARG64: case AUT_ARG64:
var a Arg64 var a Arg64
err := a.LoadFromBinary(file) err := a.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewArg64(a), nil return NewArg64(a), nil
case AUT_EXIT: case AUT_EXIT:
var e Exit var e Exit
err := e.LoadFromBinary(file) err := e.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewExit(e), nil return NewExit(e), nil
case AUT_PROCESS32: case AUT_PROCESS32:
var p Process32 var p Process32
err := p.LoadFromBinary(file) err := p.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewProcess32(p), nil return NewProcess32(p), nil
case AUT_PROCESS32_EX: case AUT_PROCESS32_EX:
var p Process32Ex var p Process32Ex
err := p.LoadFromBinary(file) err := p.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewProcess32Ex(p), nil return NewProcess32Ex(p), nil
case AUT_PROCESS64: case AUT_PROCESS64:
var p Process64 var p Process64
err := p.LoadFromBinary(file) err := p.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewProcess64(p), nil return NewProcess64(p), nil
case AUT_PROCESS64_EX: case AUT_PROCESS64_EX:
var p Process64Ex var p Process64Ex
err := p.LoadFromBinary(file) err := p.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewProcess64Ex(p), nil return NewProcess64Ex(p), nil
case AUT_TEXT: case AUT_TEXT:
var t Text var t Text
err := t.LoadFromBinary(file) err := t.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewText(t), nil return NewText(t), nil
} }
startOf, _ := file.Seek(0, io.SeekCurrent) return rec, fmt.Errorf("Event type not supported: 0x%x", hdr[0])
return rec, fmt.Errorf("Event type not supported: 0x%x at offset 0x%x", hdr[0], startOf)
} }

38
main.go
View File

@ -5,12 +5,18 @@
// //
/* /*
% time ./godit 20211228134923.20211228151348 > godit.log
11.599u 38.235s 0:48.25 103.2% 1045+553k 1+2262168io 4pf+0w
% time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log % time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log
101.728u 7.315s 1:49.09 99.9% 10+167k 0+191152io 0pf+0w 101.728u 7.315s 1:49.09 99.9% 10+167k 0+191152io 0pf+0w
% time ./godit 20211228134923.20211228151348 > godit.log
11.599u 38.235s 0:48.25 103.2% 1045+553k 1+2262168io 4pf+0w
% ./godit -V % ./godit -V
Godit v0.03 Godit v0.03
% time ./godit 20211228134923.20211228151348 > 20211228134923.20211228151348.godit3
7.183u 19.590s 0:25.98 103.0% 1038+559k 0+2262168io 0pf+0w
% ./godit -V
Godit v0.4.3
*/ */
package main package main
@ -19,11 +25,13 @@ import (
"io" "io"
"os" "os"
"fmt" "fmt"
"bufio"
"strings"
"github.com/spf13/pflag" "github.com/spf13/pflag"
) )
const ( const (
version = "0.4" version = "0.4.3"
) )
var ( var (
@ -66,27 +74,37 @@ func main() {
} }
args := os.Args args := os.Args
filename := args[len(args)-1] filename := args[len(args)-1]
/* fmt.Printf("Args: %s\n", args) /* fmt.Printf("Args: %s\n", args)
fmt.Printf("Filename: %s\n", filename) fmt.Printf("Filename: %s\n", filename)
*/ */
var f *os.File
var r *bufio.Reader
var err error
if len(filename) > 0 { if len(filename) > 0 {
f, err := os.Open(filename) // If arg is "-", open stdin to read content
if err != nil { if true == strings.EqualFold(filename, "-") {
fmt.Printf("Impossible d'ouvrir le fichier %s\n", filename) r = bufio.NewReader(os.Stdin)
return } else {
f, err = os.Open(filename)
if err != nil {
fmt.Printf("Impossible d'ouvrir le fichier %s\n", filename)
return
}
r = bufio.NewReader(f)
} }
//for i := 0 ; i < 20 ; i++ { //for i := 0 ; i < 20 ; i++ {
for { for {
rec, err := readRecordToStruct(f) rec, err := readRecordToStruct(r)
if err != nil { if err != nil {
if err != io.EOF { if err != io.EOF {
fmt.Printf("Erreur : %v\n", err) fmt.Printf("Erreur : %v\n", err)
} else { // v.0.4.2 : Continue on error
return
} }
return
} }
rec.Print(os.Stdout, ",", flags) rec.Print(os.Stdout, ",", flags)
} }