From 35294a1889b0764c8ee79e359b323017c3715c44 Mon Sep 17 00:00:00 2001 From: wuko233 Date: Thu, 9 Apr 2026 21:48:12 +0800 Subject: [PATCH] =?UTF-8?q?[storage]=20=E6=96=B0=E5=A2=9E=E8=AF=BB?= =?UTF-8?q?=E5=8F=96=E5=8F=AF=E7=96=91=E8=BF=9B=20=E7=A8=8B=20[cmd]=20?= =?UTF-8?q?=E6=94=AF=E6=8C=81=E5=A4=84=E7=90=86=E5=8F=AF=E7=96=91=E8=BF=9B?= =?UTF-8?q?=E7=A8=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cmd/safe/safe.go | 82 +++++++++++++++++++++++++++++++++++-- internal/storage/storage.go | 74 ++++++++++++++++++++++++++++++++- 2 files changed, 152 insertions(+), 4 deletions(-) diff --git a/cmd/safe/safe.go b/cmd/safe/safe.go index d607ecc..e114970 100644 --- a/cmd/safe/safe.go +++ b/cmd/safe/safe.go @@ -7,6 +7,7 @@ import ( "path/filepath" "strings" "sysmonitord/internal/config" + "sysmonitord/internal/scanner/process" "sysmonitord/internal/storage" "sysmonitord/pkg/logger" "time" @@ -56,7 +57,7 @@ func readKeyWithESC() (string, error) { func interactiveSafe(cfg *config.Config) { dataDir := cfg.Storage.DataDir - dubiousFiles, err := readDubiousList(filepath.Join(dataDir, cfg.Storage.DubiousFileListFile)) + dubiousFiles, err := readDubiousFileList(filepath.Join(dataDir, cfg.Storage.DubiousFileListFile)) if err != nil { fmt.Printf("无法读取可疑文件列表: %v\n", err) return @@ -66,6 +67,16 @@ func interactiveSafe(cfg *config.Config) { return } + dubiousProcesses, err := storage.LoadDubiousProcesses(dataDir, cfg.Storage.DubiousProcessListFile) + if err != nil { + fmt.Printf("无法读取可疑进程列表: %v\n", err) + return + } + if len(dubiousProcesses) == 0 { + fmt.Println("没有可疑进程需要处理。") + return + } + fmt.Println("\n╔══════════════════════════════════════════════╗") fmt.Println("║ 可疑文件清单 (" + fmt.Sprintf("%d", len(dubiousFiles)) + "个) ║") fmt.Println("╠══════════════════════════════════════════════╣") @@ -75,8 +86,18 @@ func interactiveSafe(cfg *config.Config) { } fmt.Println("╚══════════════════════════════════════════════╝") + fmt.Println("\n╔══════════════════════════════════════════════╗") + fmt.Println("║ 可疑进程清单 (" + fmt.Sprintf("%d", len(dubiousProcesses)) + "个) ║") + fmt.Println("╠══════════════════════════════════════════════╣") + for _, proc := range dubiousProcesses { + fmt.Printf("║ %-45s║\n", fmt.Sprintf("%s (%s)", proc.Name, proc.Path)) + } + fmt.Println("╚══════════════════════════════════════════════╝") + fmt.Println("\n请选择操作:") fmt.Println("[1] 将以上可疑文件全部确认为安全 (移至白名单)") + fmt.Println("[2] 将以上可疑进程全部确认为安全 (移至白名单)") + fmt.Println("[3] 全部确认安全 (文件和进程)") // Todo: 支持逐个确认 fmt.Println("[ESC] 退出不处理") fmt.Print("请输入选项: ") @@ -95,14 +116,34 @@ func interactiveSafe(cfg *config.Config) { } else { fmt.Println("已将可疑文件移入白名单。") } + case "2": + fmt.Println("正在处理...") + if err := confirmProcessesAsSafe(cfg, dubiousProcesses); err != nil { + fmt.Printf("处理失败: %v\n", err) + } else { + fmt.Println("已将可疑进程移入白名单。") + } + case "3": + fmt.Println("正在处理...") + if err := confirmFilesAsSafe(cfg, dubiousFiles); err != nil { + fmt.Printf("处理失败: %v\n", err) + } else { + fmt.Println("已将可疑文件移入白名单。") + } + if err := confirmProcessesAsSafe(cfg, dubiousProcesses); err != nil { + fmt.Printf("处理失败: %v\n", err) + } else { + fmt.Println("已将可疑进程移入白名单。") + } case "ESC": fmt.Println("已取消操作。") default: fmt.Println("无效选项,已退出。") } + } -func readDubiousList(filePath string) ([]storage.DubiousFileInfo, error) { +func readDubiousFileList(filePath string) ([]storage.DubiousFileInfo, error) { file, err := os.Open(filePath) if err != nil { if os.IsNotExist(err) { @@ -131,6 +172,41 @@ func readDubiousList(filePath string) ([]storage.DubiousFileInfo, error) { return list, scanner.Err() } +func confirmProcessesAsSafe(cfg *config.Config, processes []storage.DubiousProcessInfo) error { + dataDir := cfg.Storage.DataDir + whiteListPath := filepath.Join(dataDir, cfg.Storage.ProcessSystemFile) + // dubiousFile := filepath.Join(dataDir, cfg.Storage.DubiousProcessListFile) + + f, err := os.OpenFile(whiteListPath, os.O_APPEND|os.O_WRONLY, 0644) + if err != nil { + return fmt.Errorf("无法打开白名单文件: %v", err) + } + defer f.Close() + + var toWhitelist []process.ProcessInfo + for _, proc := range processes { + toWhitelist = append(toWhitelist, process.ProcessInfo{ + Name: proc.Name, + Path: proc.Path, + FileHash: proc.FileHash, + }) + } + + if err := storage.AppendProcessToWhitelist(toWhitelist, dataDir, cfg.Storage.ProcessSystemFile); err != nil { + return fmt.Errorf("更新白名单失败: %v", err) + } + + logger.Log.Debug("已将可疑进程移入白名单", zap.Int("count", len(toWhitelist))) + + // Todo: 逐个删除条目 + if err := storage.RemoveDubiousProcesses(dataDir, cfg.Storage.DubiousProcessListFile, []storage.DubiousProcessInfo{}); err != nil { + return fmt.Errorf("删除可疑进程列表失败: %v", err) + } + + return nil + +} + func confirmFilesAsSafe(cfg *config.Config, files []storage.DubiousFileInfo) error { dataDir := cfg.Storage.DataDir whiteListPath := filepath.Join(dataDir, cfg.Storage.FileSystemFile) @@ -149,7 +225,7 @@ func confirmFilesAsSafe(cfg *config.Config, files []storage.DubiousFileInfo) err if _, err := writer.WriteString(line); err != nil { return fmt.Errorf("写入白名单失败: %v", err) } - logger.Log.Info("已将可疑文件移入白名单", zap.String("path", file.Path), zap.String("hash", file.Hash)) + logger.Log.Debug("已将可疑文件移入白名单", zap.String("path", file.Path), zap.String("hash", file.Hash)) } if err := writer.Flush(); err != nil { return fmt.Errorf("刷新写入缓冲区失败: %v", err) diff --git a/internal/storage/storage.go b/internal/storage/storage.go index 985097a..a29928c 100644 --- a/internal/storage/storage.go +++ b/internal/storage/storage.go @@ -124,7 +124,8 @@ func SaveDubiousProcesses(proc DubiousProcessInfo, dataDir string, dubiousProces writer := bufio.NewWriter(f) - line := fmt.Sprintf("%d:%s:%s:%s:%s\n", proc.PID, proc.Name, proc.Path, proc.Cmdline, proc.DiscoveredAt) + line := fmt.Sprintf("%s:%s:%s\n", + proc.Name, proc.Path, proc.FileHash) if _, err := writer.WriteString(line); err != nil { return err } @@ -132,6 +133,77 @@ func SaveDubiousProcesses(proc DubiousProcessInfo, dataDir string, dubiousProces return writer.Flush() } +func LoadDubiousProcesses(dataDir string, dubiousProcessFile string) ([]DubiousProcessInfo, error) { + filePath := filepath.Join(dataDir, dubiousProcessFile) + f, err := os.Open(filePath) + if err != nil { + return nil, fmt.Errorf("[storage]无法打开可疑进程记录文件%s: %w", filePath, err) + } + defer f.Close() + + var processes []DubiousProcessInfo + scanner := bufio.NewScanner(f) + for scanner.Scan() { + line := scanner.Text() + if line == "" || strings.HasPrefix(line, "#") { + continue + } + parts := strings.Split(line, ":") + if len(parts) >= 3 { + processes = append(processes, DubiousProcessInfo{ + Name: parts[0], + Path: parts[1], + FileHash: parts[2], + }) + } + } + return processes, scanner.Err() +} + +func AppendProcessToWhitelist(procs []process.ProcessInfo, dataDir string, processSystemFile string) error { + filePath := filepath.Join(dataDir, processSystemFile) + f, err := os.OpenFile(filePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) + if err != nil { + return fmt.Errorf("[storage]无法创建或打开进程白名单文件%s: %w", filePath, err) + } + defer f.Close() + + writer := bufio.NewWriter(f) + + for _, p := range procs { + line := p.String() + "\n" + if _, err := writer.WriteString(line); err != nil { + return err + } + } + + return writer.Flush() +} + +func RemoveDubiousProcesses(dataDir string, dubiousProcessFile string, toKeep []DubiousProcessInfo) error { + filePath := filepath.Join(dataDir, dubiousProcessFile) + if len(toKeep) == 0 { + return os.Remove(filePath) + } + + f, err := os.Create(filePath) + if err != nil { + return fmt.Errorf("[storage]无法创建可疑进程记录文件%s: %w", filePath, err) + } + defer f.Close() + + writer := bufio.NewWriter(f) + + for _, proc := range toKeep { + line := fmt.Sprintf("%s:%s:%s\n", proc.Name, proc.Path, proc.FileHash) + if _, err := writer.WriteString(line); err != nil { + return err + } + } + + return writer.Flush() +} + func SaveDubiousFiles(files DubiousFileInfo, dataDir string, dubiousFileName string) error { filePath := filepath.Join(dataDir, dubiousFileName)