detect sneaky processes which modify their process name.

by rpc (Monk)
on Mar 26, 2001 at 06:11 UTC (#67100, sourcecode)
Category: utility scripts
Author/Contact Info rpc <>
Description: This script walks through each PID in /proc and performs several checks to determine whether or not a process has modified its process name. It is trivial for a program to munge its process name and fool utilities such as 'ps'. Many malicious tools try to hide their presence by using more common process names like 'pine'. However, if the binary itself was not invoked with that name, the mismatch can be detected through the /proc interface.
#!/usr/bin/perl -w
# This hackish script will examine each running process (via /proc) and
# try to determine if the program modified its process name.
# This is a common trick with 'malware': programs with malicious intent.
# Of course, this script is not fool proof.
# There are several publicly available script kiddie tools (scanners, sniffers
# and the like) that this should detect.
# --rpc <>
use strict;

die "this script has only been tested on linux.\n" unless $^O eq 'linux';

for my $proc (</proc/*>) {
    # Only numeric entries are processes; skip /proc/sys, /proc/net and friends.
    next unless $proc =~ m!^/proc/(\d+)$!;
    my $pid = $1;

    next if $pid == 1; # there's bigger problems if init is munged.

    # /proc/PID/cmdline holds argv as NUL-separated strings. A process may
    # overwrite this area freely, which is exactly what we want to detect.
    open my $cmd_fh, '<', "$proc/cmdline" or next;
    my $ret = sysread $cmd_fh, (my $cmdline), 256;
    close $cmd_fh;

    next unless $ret; # most kernel daemons have no cmdline (sysread may also fail).
    # argv[0] runs up to the first NUL; everything after it is the arguments.
    my ($procname, $args) = $cmdline =~ m!^([^\0]*)\0?(.*)$!s;
    $args = '' unless defined $args;

    # User processes can NULL their process names, but they can't make it
    # 0 bytes, like kernel daemons. If $procname is null yet we read more
    # than 0 bytes from sysread, something's fishy.
    unless ($procname) {
        print "WARNING: PID $pid has NULL process name!\n";
        next;
    }

    # Get the real name the process was invoked with: the kernel's 'comm'
    # field, reported on the first line of /proc/PID/status as "Name:\t...".
    open my $status_fh, '<', "$proc/status" or next;
    my $status = <$status_fh> or next;
    close $status_fh;

    my ($realname) = $status =~ m/^Name:\s+(.*)/ or next;
    $procname =~ s!.*/([^/]+)$!$1!; # strip any leading path from argv[0]

    # \Q...\E so that characters in the name are not treated as regex syntax.
    if ($procname !~ /\Q$realname\E/) {
        my $matched = 0;
        for my $arg (split /\0/, $args) {
            if ($arg =~ /\Q$realname\E/) {
                print "PID $pid has MODIFIED process name, but may be a script. ($realname)\n";
                $matched = 1;
                last;
            }
        }
        unless ($matched) {
            print "WARNING: PID $pid has MODIFIED process name but doesn't look like a script ($realname)\n";
        }
    }
}
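The same cmdline-versus-status comparison, as an added Python example that is not part of rpc's script or the original post. It splits the parsing and the verdict out of the /proc walk so the logic can be exercised on constructed cmdline bytes and status text without a live process table. The verdict labels (OK, KERNEL, NULL_NAME, MODIFIED, MODIFIED_SCRIPT, UNKNOWN) are my own naming. Two caveats a defender should keep in mind, which this example handles or notes: the kernel keeps only 15 bytes of the command name, so a long binary name shows up truncated in the Name: field, and login shells prefix argv[0] with a dash (-bash), which is why the match is a lenient substring test like the original's; and because the comm field can itself be rewritten by the process (prctl(PR_SET_NAME)), agreement between the two values is not proof of honesty, only disagreement is a useful signal.

```python
"""Compare /proc/<pid>/cmdline (argv, rewritable by the process) with the
Name: field of /proc/<pid>/status (the kernel's comm value).

Added example; the verdict labels and function names are assumptions, not
part of the original script."""
import os

COMM_LEN = 15  # the kernel stores at most 15 bytes of the command name


def parse_cmdline(raw):
    """Split the NUL-separated cmdline into argv (a list of bytes).

    An empty file means a kernel thread or zombie -> empty list.
    A file that is only NULs yields an empty argv[0], which the original
    script treats as a deliberately NULLed process name."""
    if not raw:
        return []
    return raw.rstrip(b"\x00").split(b"\x00")


def parse_comm(status_text):
    """Return the value of the 'Name:' line from /proc/<pid>/status, or None."""
    for line in status_text.splitlines():
        if line.startswith("Name:"):
            return line.split(":", 1)[1].strip()
    return None


def classify(raw_cmdline, status_text):
    """Return a verdict string for one process."""
    argv = parse_cmdline(raw_cmdline)
    if not argv:
        return "KERNEL"  # no cmdline at all: kernel thread or zombie
    argv0 = argv[0].decode("utf-8", "replace")
    if not argv0:
        return "NULL_NAME"  # bytes were read, but argv[0] is empty
    comm = parse_comm(status_text)
    if not comm:
        return "UNKNOWN"
    # Basename of argv[0]; login shells prefix it with '-' (e.g. "-bash").
    base = os.path.basename(argv0).lstrip("-")
    # Lenient substring match, as in the original: tolerates the 15-byte
    # truncation of comm and setproctitle-style titles such as
    # "sshd: alice [priv]" that still contain the binary name.
    if comm in base:
        return "OK"
    # comm appears in a later argument: probably an interpreter running a
    # script whose argv[0] was rewritten.
    for arg in argv[1:]:
        if comm in arg.decode("utf-8", "replace"):
            return "MODIFIED_SCRIPT"
    return "MODIFIED"


def scan_proc(proc="/proc"):
    """Walk a /proc tree and return {pid: verdict} for suspicious processes.

    Returns an empty dict if the directory cannot be listed (non-Linux)."""
    findings = {}
    try:
        entries = os.listdir(proc)
    except OSError:
        return findings
    for entry in entries:
        if not entry.isdigit() or entry == "1":
            continue  # skip non-process entries and init, like the original
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                raw = fh.read(256)
            with open(os.path.join(proc, entry, "status")) as fh:
                status = fh.read()
        except OSError:
            continue  # process exited between listing and reading, or EPERM
        verdict = classify(raw, status)
        if verdict not in ("OK", "KERNEL", "UNKNOWN"):
            findings[entry] = verdict
    return findings


if __name__ == "__main__":
    # Live run on the local process table (Linux only).
    for pid, verdict in sorted(scan_proc().items(), key=lambda kv: int(kv[0])):
        print(f"PID {pid}: {verdict}")
```

Run it as root to see every process's cmdline; unprivileged, /proc/PID/status for other users' processes is readable, but cmdline may not be. A process exiting between the directory listing and the read is normal, so the OSError on read is skipped rather than treated as a finding.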