improved getting process's parents

evilsocket · Oct 2, 2023 · 7f493e8 · 7f493e8
1 parent c22e358
commit 7f493e8
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 11 deletions.
diff --git a/daemon/procmon/cache_events.go b/daemon/procmon/cache_events.go
@@ -69,9 +69,9 @@ func NewEventsStore() *EventsStore {
 
 	return &EventsStore{
 		mu:          &sync.RWMutex{},
-		checksums:   make(map[string]uint, 5000),
-		eventByPID:  make(map[int]*ExecEventItem, 5000),
-		eventByPath: make(map[string]*ExecEventItem, 5000),
+		checksums:   make(map[string]uint, 500),
+		eventByPID:  make(map[int]*ExecEventItem, 500),
+		eventByPath: make(map[string]*ExecEventItem, 500),
 	}
 }
 
@@ -185,6 +185,7 @@ func (e *EventsStore) DeleteOldItems() {
 	}
 }
 
+// UpdateItemDetails updates the details of a process
 func (e *EventsStore) UpdateItemDetails(proc *Process) {
 	proc.GetParent()
 	proc.GetTree()
@@ -246,15 +247,18 @@ func (e *EventsStore) ComputeChecksums(proc *Process) {
 	// pid found in cache
 	// we should check other parameters to see if the pid is really the same process
 	// proc/<pid>/maps
-	item.RLock()
+	item.Proc.mu.RLock()
 	checksumsNum := len(item.Proc.Checksums)
-	item.RUnlock()
+	item.Proc.mu.RUnlock()
 	if checksumsNum > 0 && (item.Proc.IsAlive() && item.Proc.Path == proc.Path) {
 		log.Debug("[cache] reuseChecksums() cached PID alive, already hashed: %v, %s new: %s", item.Proc.Checksums, item.Proc.Path, proc.Path)
 		proc.Checksums = item.Proc.Checksums
 		return
 	}
+	item.Proc.mu.RLock()
 	log.Debug("[cache] reuseChecksums() PID found inCache, computing hashes: %s new: %s - hashes: |%v<>%v|", item.Proc.Path, proc.Path, item.Proc.Checksums, proc.Checksums)
+	item.Proc.mu.RUnlock()
+
 	proc.ComputeChecksums(e.checksums)
 }
 

diff --git a/daemon/procmon/details.go b/daemon/procmon/details.go
@@ -27,8 +27,11 @@ var socketsRegex, _ = regexp.Compile(`socket:\[([0-9]+)\]`)
 
 // GetParent obtains the information of this process' parent.
 func (p *Process) GetParent() {
-	if p.Parent != nil {
-		log.Debug("%d already with parent: %v", p.ID, p.Parent)
+	p.mu.RLock()
+	hasParent := p.Parent != nil
+	p.mu.RUnlock()
+
+	if hasParent {
 		return
 	}
 
@@ -54,8 +57,10 @@ func (p *Process) GetParent() {
 
 		EventsCache.UpdateItem(p)
 	} else {
+		p.mu.Lock()
 		p.Parent = NewProcessEmpty(ppid, "")
 		p.Parent.ReadPath()
+		p.mu.Unlock()
 		EventsCache.Add(p.Parent)
 	}
 
@@ -68,21 +73,24 @@ func (p *Process) GetTree() {
 	if len(p.Tree) > 0 {
 		fmt.Println("GetTree not empty:", p.Tree)
 	}
-	p.mu.Lock()
-	p.Tree = make([]*protocol.StringInt, 0)
+	tree := make([]*protocol.StringInt, 0)
 	for pp := p.Parent; pp != nil; pp = pp.Parent {
 		// add the parents in reverse order, so when we iterate over them with the rules
 		// the first item is the most direct parent of the process.
-		p.Tree = append(p.Tree,
+		pp.mu.RLock()
+		tree = append(tree,
 			&protocol.StringInt{
 				Key: pp.Path, Value: uint32(pp.ID),
 			},
 		)
+		pp.mu.RUnlock()
 	}
+	p.mu.Lock()
+	p.Tree = tree
 	p.mu.Unlock()
 }
 
-// GetInfo collects information of a process.
+// GetDetails collects information of a process.
 func (p *Process) GetDetails() error {
 	if os.Getpid() == p.ID {
 		return nil
@@ -450,7 +458,9 @@ func (p *Process) ComputeChecksum(algo string) {
 				log.Debug("[hashing] Unable to dump process memory: %s", err)
 				continue
 			}
+			p.mu.Lock()
 			p.Checksums[algo] = hex.EncodeToString(h.Sum(code))
+			p.mu.Unlock()
 			log.Debug("[hashing] memory region hashed, elapsed: %v ,Hash: %s, %s\n", time.Since(start), p.Checksums[algo], paths[i])
 			code = nil
 			break