authorLaurent Ghigonis <laurent@p1sec.com>2012-11-29 18:59:48 +0100
committerLaurent Ghigonis <laurent@p1sec.com>2012-11-29 18:59:48 +0100
commit6f78c1e2c1fa7a824606fffb3aca05e16c7b9c74 (patch)
tree3f803fc77abf3ebf18b54312bf3c2ea36d385295 /libglouglou
parentremove TODO, in README.txt now (diff)
basic process event message handling
Diffstat (limited to 'libglouglou')
-rw-r--r--libglouglou/libglouglou.c37
-rw-r--r--libglouglou/libglouglou.h42
2 files changed, 67 insertions, 12 deletions
diff --git a/libglouglou/libglouglou.c b/libglouglou/libglouglou.c
index ca777dc..8d4a300 100644
--- a/libglouglou/libglouglou.c
+++ b/libglouglou/libglouglou.c
@@ -370,11 +370,34 @@ pkt_decode(char **buf, int *buf_len)
if (strnlen((char *)pkt->name_fqdn, len) != pkt->name_len)
goto invalid;
newpkt->name_addr = ntohl(pkt->name_addr);
- newpkt->name_len = pkt->name_len;
+ newpkt->name_len = ntohs(pkt->name_len);
strncpy((char *)newpkt->name_fqdn, (char *)pkt->name_fqdn,
pkt->name_len);
break;
- goto invalid;
+ case PACKET_PROC_FORK:
+ packet_len = PACKET_PROC_FORK_SIZE;
+ if (len < packet_len)
+ goto invalid;
+ newpkt->proc_pid = ntohl(pkt->proc_pid);
+ newpkt->proc_fork_ppid = ntohl(pkt->proc_fork_ppid);
+ newpkt->proc_fork_cpid = ntohl(pkt->proc_fork_cpid);
+ newpkt->proc_fork_tgid = ntohl(pkt->proc_fork_tgid);
+ break;
+ case PACKET_PROC_EXEC:
+ packet_len = PACKET_PROC_EXEC_SIZE;
+ if (len < packet_len)
+ goto invalid;
+ if (len < packet_len + pkt->proc_exec_cmdlen)
+ goto invalid;
+ if (strnlen((char *)pkt->proc_exec_cmd, len) != pkt->proc_exec_cmdlen)
+ goto invalid;
+ newpkt->proc_pid = ntohl(pkt->proc_pid);
+ newpkt->proc_exec_cmdlen = ntohs(pkt->proc_exec_cmdlen);
+ strncpy((char *)newpkt->proc_exec_cmd, (char *)pkt->proc_exec_cmd,
+ pkt->proc_exec_cmdlen);
+ break;
+ default:
+ goto invalid;
}
*buf = *buf + packet_len;
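Review bot: In the PACKET_PROC_EXEC case, proc_exec_cmdlen is never bounded against GG_PKTARG_MAX before `strncpy(..., pkt->proc_exec_cmdlen)` copies into newpkt->proc_exec_cmd, a 30-byte array, so a packet carrying a cmdlen up to 255 overflows newpkt; the strnlen that guards it is also bounded by `len` rather than `len - packet_len`, so it can read past the end of the receive buffer when the command bytes contain no NUL. The new `ntohs()` on proc_exec_cmdlen, and likewise on name_len at the top of the hunk, is applied to a u_int8_t field: the value is widened, byte-swapped and truncated back to one byte, which yields 0 on little-endian hosts, so both should be plain assignments (`newpkt->name_len = pkt->name_len;`). Note also that `*buf = *buf + packet_len;` advances only by the fixed part of the packet (the same holds for PACKET_NAME), which appears to leave the variable-length command in the stream — worth confirming against the caller. pkt_decode's signature is above this hunk and its body continues below it; the rewritten case is:
```c
	case PACKET_PROC_EXEC:
		packet_len = PACKET_PROC_EXEC_SIZE;
		if (len < packet_len)
			goto invalid;
		/* cmdlen is a single byte (no byte order) and must leave room
		 * for the NUL terminator in the fixed-size destination */
		if (pkt->proc_exec_cmdlen >= GG_PKTARG_MAX)
			goto invalid;
		if (len < packet_len + pkt->proc_exec_cmdlen)
			goto invalid;
		/* scan only what is left of the buffer after the fixed part */
		if (strnlen((char *)pkt->proc_exec_cmd, len - packet_len) !=
		    pkt->proc_exec_cmdlen)
			goto invalid;
		newpkt->proc_pid = ntohl(pkt->proc_pid);
		newpkt->proc_exec_cmdlen = pkt->proc_exec_cmdlen;
		memcpy(newpkt->proc_exec_cmd, pkt->proc_exec_cmd,
		    pkt->proc_exec_cmdlen);
		newpkt->proc_exec_cmd[pkt->proc_exec_cmdlen] = '\0';
		break;
```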
@@ -416,7 +439,15 @@ pkt_getsize(struct gg_packet *pkt)
size = PACKET_DATA_SIZE;
break;
case PACKET_NAME:
- size = PACKET_NAME_SIZE + strnlen((char *)pkt->name_fqdn, DNSNAME_MAX);
+ size = PACKET_NAME_SIZE +
+ strnlen((char *)pkt->name_fqdn, GG_PKTARG_MAX);
+ break;
+ case PACKET_PROC_FORK:
+ size = PACKET_PROC_FORK_SIZE;
+ break;
+ case PACKET_PROC_EXEC:
+ size = PACKET_PROC_EXEC_SIZE +
+ strnlen((char *)pkt->proc_exec_cmd, GG_PKTARG_MAX);
break;
default:
size = 0;
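Review bot: The PACKET_PROC_EXEC size counts only the bytes up to the first NUL and never the terminator itself, while pkt_decode's check `strnlen(cmd, len) != cmdlen` only passes when a NUL (or the end of the buffer) follows the cmdlen command bytes; if this value is used as the on-wire length of a packet that is followed by another one in the same buffer, the receiver will reject it. The size is also derived from strnlen rather than from the proc_exec_cmdlen field the decoder validates against, so the two can disagree if a caller fills cmdlen separately. If the terminator is meant to travel on the wire, `size = PACKET_PROC_EXEC_SIZE + pkt->proc_exec_cmdlen + 1;` (and the matching change for PACKET_NAME) keeps encoder and decoder in step; otherwise the decoder should stop requiring the NUL. pkt_getsize starts before this hunk.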
diff --git a/libglouglou/libglouglou.h b/libglouglou/libglouglou.h
index cf73371..04ee779 100644
--- a/libglouglou/libglouglou.h
+++ b/libglouglou/libglouglou.h
@@ -12,23 +12,27 @@
#define PACKET_VERSION 1
#define PACKET_BUFFER_SIZE 16384
-#define DNSNAME_MAX 20
+#define GG_PKTARG_MAX 30
struct gg_packet {
#define PACKET_HEADER_SIZE 2
u_int8_t ver;
u_int8_t type;
/* XXX nicer way for _SIZE ... ? */
-#define PACKET_TYPE_MIN 0
-#define PACKET_TYPE_MAX 3
-#define PACKET_NEWCONN 0
+#define PACKET_TYPE_MIN 0x00
+#define PACKET_TYPE_MAX 0x11
+#define PACKET_NEWCONN 0x00
#define PACKET_NEWCONN_SIZE (PACKET_HEADER_SIZE + sizeof((struct gg_packet *)0)->pdat.newconn)
-#define PACKET_DELCONN 1
+#define PACKET_DELCONN 0x01
#define PACKET_DELCONN_SIZE (PACKET_HEADER_SIZE + sizeof((struct gg_packet *)0)->pdat.delconn)
-#define PACKET_DATA 2
+#define PACKET_DATA 0x02
#define PACKET_DATA_SIZE (PACKET_HEADER_SIZE + sizeof((struct gg_packet *)0)->pdat.data)
-#define PACKET_NAME 3
-#define PACKET_NAME_SIZE ((PACKET_HEADER_SIZE + sizeof((struct gg_packet *)0)->pdat.name) - DNSNAME_MAX)
+#define PACKET_NAME 0x03
+#define PACKET_NAME_SIZE ((PACKET_HEADER_SIZE + sizeof((struct gg_packet *)0)->pdat.name) - GG_PKTARG_MAX)
+#define PACKET_PROC_FORK 0x10
+#define PACKET_PROC_FORK_SIZE (PACKET_HEADER_SIZE + sizeof((struct gg_packet *)0)->pdat.proc.ev.fork)
+#define PACKET_PROC_EXEC 0x11
+#define PACKET_PROC_EXEC_SIZE ((PACKET_HEADER_SIZE + sizeof((struct gg_packet *)0)->pdat.proc.ev.exec) - GG_PKTARG_MAX)
union {
struct newconn {
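Review bot: PACKET_PROC_FORK_SIZE and PACKET_PROC_EXEC_SIZE leave out the 4-byte pdat.proc.pid that precedes the ev union, so both are 4 bytes smaller than the fields pkt_decode reads (proc_pid plus the fork or exec member) and pkt_getsize reports; PACKET_NAME_SIZE, by contrast, sizes the whole pdat.name struct. With the short value pkt_decode's `len < packet_len` check accepts a packet 4 bytes too short and then reads past the validated length, and its `*buf += packet_len` leaves the stream misaligned. Adding the pid term in the existing style: `#define PACKET_PROC_FORK_SIZE (PACKET_HEADER_SIZE + sizeof((struct gg_packet *)0)->pdat.proc.pid + sizeof((struct gg_packet *)0)->pdat.proc.ev.fork)` and `#define PACKET_PROC_EXEC_SIZE ((PACKET_HEADER_SIZE + sizeof((struct gg_packet *)0)->pdat.proc.pid + sizeof((struct gg_packet *)0)->pdat.proc.ev.exec) - GG_PKTARG_MAX)`. Since the decoder reads fields through the struct overlay, `offsetof()` on the fork/cmd members would track the real layout (including any padding) more reliably than summing member sizes — whether the struct is packed is not visible in this hunk.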
@@ -48,8 +52,22 @@ struct gg_packet {
struct name {
u_int32_t addr;
u_int8_t len;
- u_char fqdn[DNSNAME_MAX];
+ u_char fqdn[GG_PKTARG_MAX];
} name;
+ struct proc {
+ u_int32_t pid;
+ union {
+ struct fork {
+ u_int32_t ppid;
+ u_int32_t cpid;
+ u_int32_t tgid;
+ } fork;
+ struct exec {
+ u_int8_t cmdlen;
+ u_char cmd[GG_PKTARG_MAX];
+ } exec;
+ } ev;
+ } proc;
} pdat;
#define newconn_id pdat.newconn.id
#define newconn_src pdat.newconn.src
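Review bot: The new proc fields carry no comment stating their wire contract, and a reader has to reconstruct it from pkt_decode: cmdlen is the byte count of cmd (a one-byte field, so no byte order applies), the decoder copies exactly cmdlen non-NUL bytes without adding a terminator, and cmd is GG_PKTARG_MAX bytes, so presumably only cmdlen < GG_PKTARG_MAX is valid. A short comment on the exec struct would carry that, e.g. `/* cmdlen: number of bytes in cmd, no terminator on the wire; must be < GG_PKTARG_MAX */`, and on fork `/* ppid, cpid, tgid: network order on the wire, host order after pkt_decode */`, which matches the ntohl calls in pkt_decode. struct gg_packet begins before this hunk and ends after it.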
@@ -62,6 +80,12 @@ struct gg_packet {
#define name_addr pdat.name.addr
#define name_len pdat.name.len
#define name_fqdn pdat.name.fqdn
+#define proc_pid pdat.proc.pid
+#define proc_fork_ppid pdat.proc.ev.fork.ppid
+#define proc_fork_cpid pdat.proc.ev.fork.cpid
+#define proc_fork_tgid pdat.proc.ev.fork.tgid
+#define proc_exec_cmdlen pdat.proc.ev.exec.cmdlen
+#define proc_exec_cmd pdat.proc.ev.exec.cmd
};
struct gg_user {