package user
import (
"bytes"
"encoding/binary"
"fmt"
"golang.org/x/sys/unix"
)
// bashEvent is one captured bash event: the process that produced it and the
// command line text that was read.
//
// Decode reads the fields from a little-endian payload in exactly this order,
// so the field order and sizes here are part of the wire layout (4 + 80 + 16
// bytes) and must stay in step with whatever produces the payload.
type bashEvent struct {
	// Pid is the first 4 bytes of the payload.
	Pid uint32
	// Line is a fixed 80-byte buffer; String and StringHex cut it at the first
	// NUL byte. NOTE(review): a command longer than the buffer is presumably
	// truncated by the producer, so only a prefix would be recorded. Confirm
	// against the probe source.
	Line [80]uint8
	// Comm is a fixed 16-byte buffer, presumably the process command name. Confirm.
	Comm [16]byte
}
// Decode populates e from payload, reading Pid, Line and Comm in that order
// as little-endian values.
//
// It returns the first error reported by binary.Read, which is what a payload
// shorter than the three fields produces. Bytes in payload beyond the three
// fields are ignored.
func (e *bashEvent) Decode(payload []byte) (err error) {
	src := bytes.NewBuffer(payload)

	// The slice order is the wire order; each target is filled from the
	// bytes that follow the previous one.
	targets := []interface{}{&e.Pid, &e.Line, &e.Comm}
	for _, target := range targets {
		err = binary.Read(src, binary.LittleEndian, target)
		if err != nil {
			return err
		}
	}
	return nil
}
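// String renders the event as text: PID, Comm, then the captured command line
// on a line of its own.
//
// The text is produced by a single Sprintf. The captured line comes from the
// traced shell, so it is only ever passed as an argument and never used as a
// format string: feeding the formatted text through Sprintf a second time
// would re-interpret any '%' in the command (for example `date +%s`) as a verb
// and record a corrupted line ("%!s(MISSING)") instead of what was typed.
func (ei *bashEvent) String() string {
	// Line is cut at its first NUL byte. Comm is a [16]byte formatted with %s,
	// so all 16 bytes are emitted, NUL padding included.
	// NOTE(review): the command line is written out verbatim, including any
	// control characters or newlines it contains; consumers that parse this
	// output line by line should treat it as untrusted text.
	return fmt.Sprintf(" PID:%d, \tComm:%s, \tLine:\n%s", ei.Pid, ei.Comm, unix.ByteSliceToString(ei.Line[:]))
}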
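// StringHex renders the event like String, but passes the captured command
// line through dumpByteSlice first (presumably a hex dump; the helper is
// defined elsewhere in the package).
//
// The text is produced by a single Sprintf. The dump is derived from data
// captured from the traced shell, so it is only ever passed as an argument and
// never used as a format string: a second Sprintf pass over the finished text
// would re-interpret any '%' it contains as a verb and corrupt the record.
func (ei *bashEvent) StringHex() string {
	// Only the bytes before the first NUL in Line are dumped.
	line := []byte(unix.ByteSliceToString(ei.Line[:]))
	return fmt.Sprintf(" PID:%d, \tComm:%s, \tLine:\n%s", ei.Pid, ei.Comm, dumpByteSlice(line, ""))
}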
// Clone returns a fresh, zero-valued bashEvent as an IEventStruct. It does not
// copy any field of the receiver; the result is an empty event ready to be
// filled by Decode.
func (ei *bashEvent) Clone() IEventStruct {
	return &bashEvent{}
}