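#!/usr/bin/perl -w
# This hackish script will examine each running process (via /proc) and
# try to determine if the program modified its process name.
# This is a common trick with 'malware': programs with malicious or hidden
# intent. Of course, this script is not fool proof.
# There are several publicly available script kiddie tools (scanners, sniffers
# and the like) that this should detect.
# --rpc <rpc@lilo.org>
#
# How it works: argv[0] (from /proc/<pid>/cmdline) is compared with the
# kernel's idea of the program name (the "Name:" line of /proc/<pid>/status,
# i.e. the task's comm field).  A process can rewrite its own argv area,
# but comm is set by the kernel at exec time, so a mismatch is suspicious.
#
# Caveats a reader should know:
#   - comm is truncated by the kernel (15 bytes), so only a substring test
#     is possible, and comm can itself be changed by the process with
#     prctl(PR_SET_NAME).  It is therefore treated as UNTRUSTED input below
#     and is never interpolated into a regex: a comm of ".*" would otherwise
#     match everything and silence the check, and a comm containing an
#     unbalanced "[" or "(" would abort the whole scan with a regex error.
#   - Daemons that legitimately rewrite argv[0] (setproctitle()-style:
#     sshd, postgres, sendmail, ...) will be reported.  Output is a lead,
#     not a verdict.
#   - TODO(review): comparing against readlink("/proc/<pid>/exe") would be
#     a harder-to-forge signal than comm; not done here.
use strict;
use warnings;

# Classify one process.  Pure function so it can be unit-tested without /proc.
#   $pid      - the PID, used only for the report text
#   $cmdline  - raw bytes of /proc/<pid>/cmdline (NUL-separated argv);
#               must be non-empty, the caller filters kernel threads
#   $realname - the "Name:" value from /proc/<pid>/status (untrusted)
# Returns the report line (with trailing newline) to print, or nothing
# (undef in scalar context) when the process looks normal.
sub classify_process {
    my ($pid, $cmdline, $realname) = @_;

    # argv[0] is everything up to the first NUL; the remainder are the
    # arguments.  The NUL is optional so a cmdline with no terminator
    # (e.g. an overwritten argv area) is still parsed rather than being
    # mistaken for a NULL name.  /s so that an argument containing a
    # newline does not derail the match.
    my ($procname, $args) = $cmdline =~ m{\A([^\0]*)\0?(.*)\z}s;

    # User processes can NUL their process names, but they can't make the
    # file 0 bytes like kernel threads.  An empty argv[0] in a non-empty
    # cmdline is therefore fishy.
    return "WARNING: PID $pid has NULL proccess name!\n"
        unless length $procname;

    # Compare basenames: argv[0] is often a full path, comm never is.
    $procname =~ s{\A.*/([^/]+)\z}{$1}s;

    # Substring (not equality) because comm is truncated by the kernel.
    # index() rather than a regex: $realname is attacker-controlled.
    return if index($procname, $realname) != -1;

    # Interpreted scripts: argv[0] is the interpreter while comm is the
    # script name, so look for comm among the arguments before alarming.
    for my $arg (split /\0/, $args) {
        if (index($arg, $realname) != -1) {
            return "PID $pid has MODIFIED process name, but may be a script.($realname)\n";
        }
    }
    return "WARNING: PID $pid has MODIFIED process name but doesn't look like a script ($realname)\n";
}

# Read a whole file from /proc.  Returns nothing if it cannot be opened;
# the process may have exited between the directory listing and the open,
# which is normal and not worth reporting.
sub slurp_proc_file {
    my ($path) = @_;
    open my $fh, '<', $path or return;
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

# The "Name:" field of /proc/<pid>/status, or nothing if unavailable.
# The whole file is searched with /m rather than trusting the first line.
# [ \t]* instead of \s+ so that an empty name cannot make the match run
# on into the next line.
sub proc_name_from_status {
    my ($pid) = @_;
    my $status = slurp_proc_file("/proc/$pid/status");
    return unless defined $status;
    my ($name) = $status =~ m{^Name:[ \t]*(.*)$}m or return;
    return $name;
}

# Scan every process directory under /proc and print one line per
# suspicious process.  Returns 0.
sub main {
    die 'this script has only been tested on linux.' unless $^O eq 'linux';
    for my $entry (glob '/proc/*') {
        # Only purely numeric entries are processes; this also skips
        # /proc/self, /proc/thread-self and the assorted kernel directories.
        my ($pid) = $entry =~ m{\A/proc/(\d+)\z} or next;
        next if $pid == 1;    # there's bigger problems if init is munged.

        my $cmdline = slurp_proc_file("/proc/$pid/cmdline");
        # Kernel threads have an empty cmdline; a vanished process gives undef.
        next unless defined $cmdline && length $cmdline;

        my $realname = proc_name_from_status($pid);
        next unless defined $realname;

        my $report = classify_process($pid, $cmdline, $realname);
        print $report if defined $report;
    }
    return 0;
}

# Modulino idiom: run the scan when executed, stay quiet when required
# (so the functions above can be tested on any platform).
main() unless caller;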