PerlMonks  

detect sneaky processes which modify their process name.

by rpc (Monk)
on Mar 26, 2001 at 06:11 UTC ( [id://67100]=sourcecode )
Category: utility scripts
Author/Contact Info rpc <rpc@lilo.org>
Description: This script walks through each PID in /proc and performs several checks to determine whether or not a process has modified its process name. It's trivial for a program to mung its process name and fool utilities such as 'ps'. There are many malicious tools available which try to hide their presence by using more common process names like 'pine'. However, if the binary itself was not invoked with this name, it's possible to detect this using the /proc interface.
#!/usr/bin/perl -w
# This hackish script will examine each running process (a la /proc) and
# try to determine if the program modified its process name.
# This is a common trick with 'malware': programs with malicious or hidden
# intent. Of course, this script is not fool proof.
# There are several publicly available script kiddie tools (scanners, sniffers
# and the like) that this should detect.
# --rpc <rpc@lilo.org>
use strict;

die 'this script has only been tested on linux.' unless $^O eq 'linux';

for my $proc (</proc/*>) {
    next unless $proc =~ m!^/proc/(\d+)$!; # only numeric (PID) entries
    my $pid = $1;

    next if $pid == 1; # there's bigger problems if init is munged.

    open CMDLINE, "$proc/cmdline" or next;
    my $ret = sysread CMDLINE, (my $cmdline), 256;
    close CMDLINE;

    next unless $ret; # most kernel daemons have no cmdline.

    # argv[0] runs up to the first NUL; the rest are NUL-separated args.
    # /s lets the args part span newlines embedded in an argument.
    my($procname, $args) = $cmdline =~ m!^([^\0]+)\0(.*)$!s;

    # User processes can NULL their process names, but they can't make it
    # 0 bytes, like kernel daemons. If $procname is null yet we read more
    # than 0 bytes from sysread, something's fishy.

    print "WARNING: PID $pid has NULL process name!\n" and next unless $procname;

    # Get the real name the process was invoked with (the kernel's comm
    # field, which is the first line of /proc/PID/status).

    open STATUS, "$proc/status" or next;
    my($status) = <STATUS> or next;
    close STATUS;

    my($realname) = $status =~ m/Name:\s+(.*)/ or next;
    $procname =~ s!.*/([^/]+)$!$1!; # strip any leading path from argv[0]

    # comm is truncated to 15 characters, so test for a substring rather
    # than equality; \Q...\E quotes any regex metacharacters in the name.
    if($procname !~ /\Q$realname\E/) {
        my $matched = 0;
        for my $arg(split /\0/, $args) {
            # A script run via its #! line has comm = script name and
            # argv[0] = interpreter, so look for comm among the arguments.
            if($arg =~ /\Q$realname\E/) {
                print "PID $pid has MODIFIED process name, but may be a script.($realname)\n";
                $matched = 1;
                last;
            }
        }
        unless($matched) {
            print "WARNING: PID $pid has MODIFIED process name but doesn't look like a script ($realname)\n";
        }
    }
}
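The same cmdline-versus-comm check as a stand-alone Python function, added here by the editor and not part of rpc's script, so the logic can be exercised offline on constructed /proc contents; `classify` and `scan_proc` are names chosen for this example, and the sample cmdline/status values in the comments are constructed.

```python
import os

def classify(cmdline: bytes, status: str) -> str:
    """Classify one process from its /proc/<pid>/cmdline bytes and
    /proc/<pid>/status text using the checks from the script above."""
    if not cmdline:
        return "kernel"            # kernel threads have an empty cmdline
    argv = cmdline.split(b"\0")
    if argv and argv[-1] == b"":
        argv.pop()                 # drop the trailing NUL terminator
    if not argv or argv[0] == b"":
        return "null-name"         # non-empty cmdline but blank argv[0]
    realname = None
    for line in status.splitlines():
        if line.startswith("Name:"):            # kernel comm field
            realname = line.split(":", 1)[1].strip()
            break
    if not realname:
        return "unknown"
    argv0 = os.path.basename(argv[0].decode("utf-8", "replace"))
    # comm is capped at 15 bytes, so a substring test is used instead of
    # equality, e.g. argv0 "gnome-terminal-server" vs comm "gnome-terminal-".
    if realname in argv0:
        return "ok"
    # Scripts run via "#!" have comm = script name, argv0 = interpreter,
    # e.g. cmdline "/usr/bin/perl\0./scan.pl\0" with Name: scan.pl
    if any(realname in a.decode("utf-8", "replace") for a in argv[1:]):
        return "modified-maybe-script"
    return "modified"              # argv[0] renamed, comm reveals the binary

def scan_proc(proc: str = "/proc") -> dict:
    """Apply classify() to every numeric entry under /proc (skipping PID 1,
    as the original does); returns {pid: verdict}. Entries that vanish or
    are unreadable between listdir and open are skipped."""
    results = {}
    for entry in os.listdir(proc):
        if not entry.isdigit() or entry == "1":
            continue
        try:
            with open(f"{proc}/{entry}/cmdline", "rb") as f:
                cmdline = f.read(256)
            with open(f"{proc}/{entry}/status") as f:
                status = f.read()
        except OSError:
            continue
        results[int(entry)] = classify(cmdline, status)
    return results

if __name__ == "__main__":
    for pid, verdict in sorted(scan_proc().items()):
        if verdict.startswith(("modified", "null")):
            print(f"PID {pid}: {verdict}")
```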
