
detect sneaky processes which modify their process name.

by rpc (Monk)
on Mar 26, 2001 at 06:11 UTC (#67100=sourcecode)
Category: utility scripts
Author/Contact Info rpc <>
Description: This script walks through each PID in /proc and performs several checks to determine whether or not a process has modified its process name. It's trivial for a program to munge its process name and fool utilities such as 'ps'. There are many malicious tools available which try to hide their presence by using more common process names like 'pine'. However, if the binary itself was not invoked with this name, it's possible to detect this using the /proc interface.
#!/usr/bin/perl -w
# This hackish script will examine each running process (via /proc) and
# try to determine if the program modified its process name.
# This is a common trick with 'malware': programs with malicious or hidden
# intent. Of course, this script is not fool proof.
# There are several publicly available script kiddie tools (scanners, sniffers
# and the like) that this should detect.
# --rpc <>
use strict;

die 'this script has only been tested on linux.' unless $^O eq 'linux';

for my $proc (</proc/*>) {
    # Only numeric entries are processes.
    next unless $proc =~ m!^/proc/(\d+)$!;
    my $pid = $1;

    next if $pid == 1; # there's bigger problems if init is munged.
    open CMDLINE, '<', "$proc/cmdline" or next;
    my $ret = sysread CMDLINE, (my $cmdline), 256;
    close CMDLINE;

    next unless $ret; # most kernel daemons have no cmdline (sysread returns 0).
    # argv[0] is everything up to the first NUL; the rest are the arguments.
    my ($procname, $args) = $cmdline =~ m!^([^\0]+)\0(.*)$!s;
    $args = '' unless defined $args;

    # User processes can NULL their process names, but they can't make it
    # 0 bytes, like kernel daemons. If $procname is null yet we read more
    # than 0 bytes from sysread, something's fishy.
    print "WARNING: PID $pid has NULL process name!\n" and next unless $procname;

    # Get the real name the process was invoked with (the kernel's comm field,
    # first line of /proc/PID/status).
    open STATUS, '<', "$proc/status" or next;
    my ($status) = <STATUS> or next;
    close STATUS;

    my ($realname) = $status =~ m/Name:\s+(.*)/ or next;
    $procname =~ s!.*/([^/]+)$!$1!; # strip any leading path from argv[0]

    # \Q...\E: the name is a literal string, not a regex (it may contain '.', '(' etc.).
    if ($procname !~ /\Q$realname\E/) {
        my $matched = 0;
        for my $arg (split /\0/, $args) {
            if ($arg =~ /\Q$realname\E/) {
                print "PID $pid has MODIFIED process name, but may be a script. ($realname)\n";
                $matched = 1;
                last;
            }
        }
        unless ($matched) {
            print "WARNING: PID $pid has MODIFIED process name but doesn't look like a script ($realname)\n";
        }
    }
}
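The same comparison again, as an added Python example that is not part of rpc's post. It separates the decision (`classify`, which works on the raw contents of `/proc/PID/cmdline` and `/proc/PID/status`) from the walk over `/proc` (`scan_proc`), so the decision can be exercised offline against constructed inputs. The `SAMPLES` dictionary is constructed data, not captured from a real host; the process names in it are made up. The one fact it relies on beyond the post is that the kernel truncates the comm field (the `Name:` line) to 15 bytes, which is why the test is "comm is contained in the basename of argv[0]" rather than equality.

```python
"""Check whether a process's argv[0] still agrees with the kernel's record of
what was exec'd, the same test the Perl script above performs. Added example,
not part of the original post; the /proc contents in SAMPLES are constructed."""
import os
import re

# The kernel stores the exec'd basename in the task's comm field, reported as
# the "Name:" line of /proc/PID/status and truncated to TASK_COMM_LEN - 1 = 15
# bytes. argv[0] (/proc/PID/cmdline) is writable by the process itself.
COMM_MAX = 15

NAME_RE = re.compile(r"^Name:\s*(.*?)\s*$", re.M)


def classify(cmdline: bytes, status: str) -> str:
    """Return a verdict for one process:
    'kernel'    empty cmdline (kernel thread, nothing to compare)
    'null-name' cmdline present but argv[0] blanked
    'ok'        basename of argv[0] contains comm
    'script'    comm appears in a later argument (interpreter sits in argv[0])
    'modified'  comm appears nowhere in cmdline
    'unknown'   status carries no Name: line"""
    if not cmdline:
        return "kernel"
    argv = cmdline.split(b"\0")
    if argv and argv[-1] == b"":
        argv.pop()                      # cmdline is NUL-terminated
    if not argv or argv[0] == b"":
        return "null-name"
    m = NAME_RE.search(status)
    if not m:
        return "unknown"
    comm = m.group(1)[:COMM_MAX]        # already truncated by the kernel
    words = [a.decode("utf-8", "replace") for a in argv]
    if comm in os.path.basename(words[0]):
        return "ok"
    if any(comm in w for w in words[1:]):
        return "script"
    return "modified"


def scan_proc(proc: str = "/proc"):
    """Walk a procfs mount and return [(pid, verdict)] for suspicious entries."""
    findings = []
    for entry in os.listdir(proc):
        if not entry.isdigit() or entry == "1":   # skip init, as the script does
            continue
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as f:
                cmdline = f.read(4096)
            with open(os.path.join(proc, entry, "status")) as f:
                status = f.read()
        except OSError:
            continue            # raced with process exit, or not permitted
        verdict = classify(cmdline, status)
        if verdict in ("null-name", "script", "modified"):
            findings.append((int(entry), verdict))
    return findings


# Constructed /proc contents (not captured from a real host), one per verdict.
SAMPLES = {
    "ok":        (b"/usr/sbin/sshd\0-D\0",            "Name:\tsshd\nUmask:\t0022\n"),
    "truncated": (b"/opt/very_long_program_name\0",   "Name:\tvery_long_progr\n"),
    "script":    (b"/usr/bin/perl\0./scan.pl\0",      "Name:\tscan.pl\n"),
    "modified":  (b"pine\0",                          "Name:\tscanner\n"),
    "null-name": (b"\0",                              "Name:\tscanner\n"),
    "kernel":    (b"",                                "Name:\tkworker/0:1\n"),
}

if __name__ == "__main__":
    for label, (cmdline, status) in SAMPLES.items():
        print(f"{label:10s} -> {classify(cmdline, status)}")
    if os.path.isdir("/proc"):
        for pid, verdict in scan_proc():
            print(f"PID {pid}: {verdict}")
```

The 'script' verdict exists because for a `#!` script the kernel records the script's basename as comm while argv[0] is the interpreter, so such processes trip the first test legitimately; reporting them separately keeps them out of the hard warnings. Like the original, this only catches a rewritten argv[0] whose comm was left alone: comm itself is not immutable, so a clean scan rules out one specific trick, not every disguise.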