[storage] 新增读取可疑进

程
[cmd] 支持处理可疑进程

cmd/safe/safe.go

@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 	"strings"
 	"sysmonitord/internal/config"
+	"sysmonitord/internal/scanner/process"
 	"sysmonitord/internal/storage"
 	"sysmonitord/pkg/logger"
 	"time"
@@ -56,7 +57,7 @@ func readKeyWithESC() (string, error) {
 func interactiveSafe(cfg *config.Config) {
 	dataDir := cfg.Storage.DataDir
 
-	dubiousFiles, err := readDubiousList(filepath.Join(dataDir, cfg.Storage.DubiousFileListFile))
+	dubiousFiles, err := readDubiousFileList(filepath.Join(dataDir, cfg.Storage.DubiousFileListFile))
 	if err != nil {
 		fmt.Printf("无法读取可疑文件列表: %v\n", err)
 		return
@@ -66,6 +67,16 @@ func interactiveSafe(cfg *config.Config) {
 		return
 	}
 
+	dubiousProcesses, err := storage.LoadDubiousProcesses(dataDir, cfg.Storage.DubiousProcessListFile)
+	if err != nil {
+		fmt.Printf("无法读取可疑进程列表: %v\n", err)
+		return
+	}
+	if len(dubiousProcesses) == 0 {
+		fmt.Println("没有可疑进程需要处理。")
+		return
+	}
+
 	fmt.Println("\n╔══════════════════════════════════════════════╗")
 	fmt.Println("║           可疑文件清单 (" + fmt.Sprintf("%d", len(dubiousFiles)) + "个)                 ║")
 	fmt.Println("╠══════════════════════════════════════════════╣")
@@ -75,8 +86,18 @@ func interactiveSafe(cfg *config.Config) {
 	}
 	fmt.Println("╚══════════════════════════════════════════════╝")
 
+	fmt.Println("\n╔══════════════════════════════════════════════╗")
+	fmt.Println("║           可疑进程清单 (" + fmt.Sprintf("%d", len(dubiousProcesses)) + "个)                 ║")
+	fmt.Println("╠══════════════════════════════════════════════╣")
+	for _, proc := range dubiousProcesses {
+		fmt.Printf("║ %-45s║\n", fmt.Sprintf("%s (%s)", proc.Name, proc.Path))
+	}
+	fmt.Println("╚══════════════════════════════════════════════╝")
+
 	fmt.Println("\n请选择操作:")
 	fmt.Println("[1] 将以上可疑文件全部确认为安全 (移至白名单)")
+	fmt.Println("[2] 将以上可疑进程全部确认为安全 (移至白名单)")
+	fmt.Println("[3] 全部确认安全 (文件和进程)")
 	// Todo: 支持逐个确认
 	fmt.Println("[ESC] 退出不处理")
 	fmt.Print("请输入选项: ")
@@ -95,14 +116,34 @@ func interactiveSafe(cfg *config.Config) {
 		} else {
 			fmt.Println("已将可疑文件移入白名单。")
 		}
+	case "2":
+		fmt.Println("正在处理...")
+		if err := confirmProcessesAsSafe(cfg, dubiousProcesses); err != nil {
+			fmt.Printf("处理失败: %v\n", err)
+		} else {
+			fmt.Println("已将可疑进程移入白名单。")
+		}
+	case "3":
+		fmt.Println("正在处理...")
+		if err := confirmFilesAsSafe(cfg, dubiousFiles); err != nil {
+			fmt.Printf("处理失败: %v\n", err)
+		} else {
+			fmt.Println("已将可疑文件移入白名单。")
+		}
+		if err := confirmProcessesAsSafe(cfg, dubiousProcesses); err != nil {
+			fmt.Printf("处理失败: %v\n", err)
+		} else {
+			fmt.Println("已将可疑进程移入白名单。")
+		}
 	case "ESC":
 		fmt.Println("已取消操作。")
 	default:
 		fmt.Println("无效选项，已退出。")
 	}
+
 }
 
-func readDubiousList(filePath string) ([]storage.DubiousFileInfo, error) {
+func readDubiousFileList(filePath string) ([]storage.DubiousFileInfo, error) {
 	file, err := os.Open(filePath)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -131,6 +172,41 @@ func readDubiousList(filePath string) ([]storage.DubiousFileInfo, error) {
 	return list, scanner.Err()
 }
 
+func confirmProcessesAsSafe(cfg *config.Config, processes []storage.DubiousProcessInfo) error {
+	dataDir := cfg.Storage.DataDir
+	whiteListPath := filepath.Join(dataDir, cfg.Storage.ProcessSystemFile)
+	// dubiousFile := filepath.Join(dataDir, cfg.Storage.DubiousProcessListFile)
+
+	f, err := os.OpenFile(whiteListPath, os.O_APPEND|os.O_WRONLY, 0644)
+	if err != nil {
+		return fmt.Errorf("无法打开白名单文件: %v", err)
+	}
+	defer f.Close()
+
+	var toWhitelist []process.ProcessInfo
+	for _, proc := range processes {
+		toWhitelist = append(toWhitelist, process.ProcessInfo{
+			Name:     proc.Name,
+			Path:     proc.Path,
+			FileHash: proc.FileHash,
+		})
+	}
+
+	if err := storage.AppendProcessToWhitelist(toWhitelist, dataDir, cfg.Storage.ProcessSystemFile); err != nil {
+		return fmt.Errorf("更新白名单失败: %v", err)
+	}
+
+	logger.Log.Debug("已将可疑进程移入白名单", zap.Int("count", len(toWhitelist)))
+
+	// Todo: 逐个删除条目
+	if err := storage.RemoveDubiousProcesses(dataDir, cfg.Storage.DubiousProcessListFile, []storage.DubiousProcessInfo{}); err != nil {
+		return fmt.Errorf("删除可疑进程列表失败: %v", err)
+	}
+
+	return nil
+
+}
+
 func confirmFilesAsSafe(cfg *config.Config, files []storage.DubiousFileInfo) error {
 	dataDir := cfg.Storage.DataDir
 	whiteListPath := filepath.Join(dataDir, cfg.Storage.FileSystemFile)
@@ -149,7 +225,7 @@ func confirmFilesAsSafe(cfg *config.Config, files []storage.DubiousFileInfo) err
 		if _, err := writer.WriteString(line); err != nil {
 			return fmt.Errorf("写入白名单失败: %v", err)
 		}
-		logger.Log.Info("已将可疑文件移入白名单", zap.String("path", file.Path), zap.String("hash", file.Hash))
+		logger.Log.Debug("已将可疑文件移入白名单", zap.String("path", file.Path), zap.String("hash", file.Hash))
 	}
 	if err := writer.Flush(); err != nil {
 		return fmt.Errorf("刷新写入缓冲区失败: %v", err)

internal/storage/storage.go

@@ -124,7 +124,8 @@ func SaveDubiousProcesses(proc DubiousProcessInfo, dataDir string, dubiousProces
 
 	writer := bufio.NewWriter(f)
 
-	line := fmt.Sprintf("%d:%s:%s:%s:%s\n", proc.PID, proc.Name, proc.Path, proc.Cmdline, proc.DiscoveredAt)
+	line := fmt.Sprintf("%s:%s:%s\n",
+		proc.Name, proc.Path, proc.FileHash)
 	if _, err := writer.WriteString(line); err != nil {
 		return err
 	}
@@ -132,6 +133,77 @@ func SaveDubiousProcesses(proc DubiousProcessInfo, dataDir string, dubiousProces
 	return writer.Flush()
 }
 
+func LoadDubiousProcesses(dataDir string, dubiousProcessFile string) ([]DubiousProcessInfo, error) {
+	filePath := filepath.Join(dataDir, dubiousProcessFile)
+	f, err := os.Open(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("[storage]无法打开可疑进程记录文件%s: %w", filePath, err)
+	}
+	defer f.Close()
+
+	var processes []DubiousProcessInfo
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+		parts := strings.Split(line, ":")
+		if len(parts) >= 3 {
+			processes = append(processes, DubiousProcessInfo{
+				Name:     parts[0],
+				Path:     parts[1],
+				FileHash: parts[2],
+			})
+		}
+	}
+	return processes, scanner.Err()
+}
+
+func AppendProcessToWhitelist(procs []process.ProcessInfo, dataDir string, processSystemFile string) error {
+	filePath := filepath.Join(dataDir, processSystemFile)
+	f, err := os.OpenFile(filePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return fmt.Errorf("[storage]无法创建或打开进程白名单文件%s: %w", filePath, err)
+	}
+	defer f.Close()
+
+	writer := bufio.NewWriter(f)
+
+	for _, p := range procs {
+		line := p.String() + "\n"
+		if _, err := writer.WriteString(line); err != nil {
+			return err
+		}
+	}
+
+	return writer.Flush()
+}
+
+func RemoveDubiousProcesses(dataDir string, dubiousProcessFile string, toKeep []DubiousProcessInfo) error {
+	filePath := filepath.Join(dataDir, dubiousProcessFile)
+	if len(toKeep) == 0 {
+		return os.Remove(filePath)
+	}
+
+	f, err := os.Create(filePath)
+	if err != nil {
+		return fmt.Errorf("[storage]无法创建可疑进程记录文件%s: %w", filePath, err)
+	}
+	defer f.Close()
+
+	writer := bufio.NewWriter(f)
+
+	for _, proc := range toKeep {
+		line := fmt.Sprintf("%s:%s:%s\n", proc.Name, proc.Path, proc.FileHash)
+		if _, err := writer.WriteString(line); err != nil {
+			return err
+		}
+	}
+
+	return writer.Flush()
+}
+
 func SaveDubiousFiles(files DubiousFileInfo, dataDir string, dubiousFileName string) error {
 	filePath := filepath.Join(dataDir, dubiousFileName)