detect sneaky processes which modify their process name.

by rpc (Monk)
on Mar 26, 2001 at 06:11 UTC (#67100=sourcecode)
Category: utility scripts
Author/Contact Info rpc <>
Description: This script walks through each PID in /proc and performs several checks to determine whether or not a process has modified its process name. It's trivial for a program to mung its process name (argv[0]) and fool utilities such as 'ps'. There are many malicious tools available which try to hide their presence by using more common process names like 'pine'. However, if the binary itself was not invoked with this name, the mismatch can be detected using the /proc interface: the kernel records the name the program was actually executed under in /proc/PID/status (the Name: line), independently of whatever the process later writes over its own argv.
#!/usr/bin/perl -w
# This hackish script will examine each running process (via /proc) and
# try to determine if the program modified its process name.
# This is a common trick with 'malware': programs with malicious intent.
# Of course, this script is not fool proof.
# There are several publically available script kiddie tools (scanners, sniffers
# and the like) that this should detect.
# --rpc <>
use strict;

die 'this script has only been tested on linux.' unless $^O eq 'linux';

for my $proc (</proc/*>) {
    # Only purely numeric entries under /proc are processes.
    next unless $proc =~ m!^/proc/(\d+)$!;
    my $pid = $1;

    next if $pid == 1; # there's bigger problems if init is munged.
    open my $cmdline_fh, '<', "$proc/cmdline" or next;
    my $ret = sysread $cmdline_fh, (my $cmdline), 256;
    close $cmdline_fh;

    next if !defined $ret or $ret == 0; # most kernel daemons have no cmdline.
    # argv[0] is everything up to the first NUL; the rest are the arguments.
    my($procname, $args) = $cmdline =~ m!^([^\0]+)\0(.*)$!s;

    # User processes can NULL their process names, but they can't make it
    # 0 bytes, like kernel daemons. If $procname is null yet we read more
    # than 0 bytes from sysread, something's fishy.
    print "WARNING: PID $pid has NULL process name!\n" and next unless $procname;
    $args = '' unless defined $args;

    # Get the real name the process was invoked with (Name: is the first
    # line of /proc/PID/status).
    open my $status_fh, '<', "$proc/status" or next;
    my $status = <$status_fh> or next;
    close $status_fh;

    my($realname) = $status =~ m/^Name:\s+(.*)/ or next;
    $procname =~ s!.*/([^/]+)$!$1!;
    # \Q...\E: the kernel-reported name is data, not a regex. A substring
    # match is used because Name: is truncated to 15 characters by the kernel.
    if($procname !~ /\Q$realname\E/) {
        my $matched = 0;
        for my $arg(split /\0/, $args) {
            # Scripts run through an interpreter: Name: is the script's file name,
            # while argv[0] is the interpreter, so look for Name: among the args.
            if($arg =~ /\Q$realname\E/) {
                print "PID $pid has MODIFIED process name, but may be a script.($realname)\n";
                $matched = 1;
                last;
            }
        }
        unless($matched) {
            print "WARNING: PID $pid has MODIFIED process name but doesn't look like a script ($realname)\n";
        }
    }
}
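The same check, written here as an added Python example that is not part of rpc's post, with the comparison separated from the /proc walk so it can be exercised on constructed inputs. Beyond the script above it handles one detail explicitly: the kernel truncates the Name: field to 15 bytes, so a long binary name is compared by prefix rather than reported as modified. The function and classification names, the sample cmdline/status pairs, and the `COMM_MAX` constant are this example's own assumptions.

```python
"""Compare argv[0] from /proc/PID/cmdline with Name: from /proc/PID/status.

A process can overwrite its own argv (what 'ps' shows), but the Name: field
is set by the kernel at execve() time from the file that was actually run.
"""
import os

# The kernel stores the command name in a 16-byte buffer (TASK_COMM_LEN),
# so Name: never exceeds 15 characters. Assumed constant for this example.
COMM_MAX = 15


def comm_matches(candidate, comm):
    """True if a path/argument is consistent with the kernel's Name: value."""
    base = candidate.rsplit('/', 1)[-1]
    if base == comm:
        return True
    # A 15-character Name: may be a truncated longer name: compare by prefix.
    return len(comm) == COMM_MAX and base.startswith(comm)


def parse_comm(status):
    """Extract the Name: value from the text of /proc/PID/status."""
    for line in status.splitlines():
        if line.startswith('Name:'):
            return line.split(':', 1)[1].strip()
    return None


def classify(cmdline, status):
    """Classify one process from its raw cmdline bytes and status text.

    Returns 'kernel', 'null-argv0', 'ok', 'script', 'modified' or 'unknown'.
    """
    if not cmdline:
        return 'kernel'          # kernel threads expose an empty cmdline
    comm = parse_comm(status)
    if comm is None:
        return 'unknown'
    argv = cmdline.split(b'\0')
    if argv and argv[-1] == b'':
        argv.pop()               # drop the trailing NUL terminator
    argv = [a.decode('utf-8', 'replace') for a in argv]
    if not argv or argv[0] == '':
        return 'null-argv0'      # argv[0] was blanked, but bytes are present
    if comm_matches(argv[0], comm):
        return 'ok'
    # Interpreted scripts: Name: is the script file, argv[0] the interpreter,
    # so the script's name should appear among the arguments.
    if any(comm_matches(a, comm) for a in argv[1:]):
        return 'script'
    return 'modified'


def scan_proc(proc='/proc'):
    """Walk /proc and return (pid, classification) for every process found."""
    results = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, 'cmdline'), 'rb') as f:
                cmdline = f.read()
            with open(os.path.join(proc, entry, 'status'),
                      'r', errors='replace') as f:
                status = f.read()
        except OSError:
            continue             # the process exited between listdir and open
        results.append((int(entry), classify(cmdline, status)))
    return results


# Constructed sample inputs, in the shape /proc presents them.
SAMPLES = {
    'kthread':  (b'', 'Name:\tkthreadd\nState:\tS (sleeping)\n'),
    'blanked':  (b'\0\0\0', 'Name:\tsniffer\n'),
    'honest':   (b'/usr/bin/pine\0-i\0', 'Name:\tpine\n'),
    'script':   (b'/usr/bin/perl\0./foo.pl\0', 'Name:\tfoo.pl\n'),
    'renamed':  (b'pine\0', 'Name:\tsniffer\n'),
    'longname': (b'/opt/some-long-daemon-name\0--flag\0',
                 'Name:\tsome-long-daemo\n'),
}

if __name__ == '__main__':
    for label, (cmdline, status) in SAMPLES.items():
        print(f'{label:9s} -> {classify(cmdline, status)}')
    if os.path.isdir('/proc'):
        for pid, verdict in scan_proc():
            if verdict in ('modified', 'null-argv0'):
                print(f'WARNING: PID {pid}: {verdict}')
```

Only the 'modified' and 'null-argv0' verdicts are worth alerting on; 'script' is the expected shape of any interpreted program and, as the original post notes, a renamed binary can also be wrapped to look like one, so treat that verdict as context rather than a clean bill of health.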