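#!/usr/bin/perl -w
# This hackish script will examine each running process (via /proc) and
# try to determine if the program modified its process name.
# This is a common trick with 'malware': programs with malicious or hidden
# intent. Of course, this script is not fool proof.
# There are several publicly available script kiddie tools (scanners, sniffers
# and the like) that this should detect.
# --rpc
#
# Method: argv[0] (from /proc/<pid>/cmdline, which the process itself can
# rewrite) is compared with the kernel's record of the executable name (the
# "Name:" line of /proc/<pid>/status).  A process whose argv[0] does not
# contain that name is reported; if the name turns up in one of the remaining
# arguments it is reported as a probable interpreter running a script.
use strict;
use warnings;

die 'this script has only been tested on linux.' unless $^O eq 'linux';

# Read a whole file and return its contents, or an empty list if it cannot be
# opened.  /proc entries disappear when a process exits, so an open failure
# is expected here rather than an error.
sub _slurp {
    my ($path) = @_;
    open my $fh, '<', $path or return;
    my $content = do { local $/; <$fh> };
    close $fh;
    return $content;
}

# Reduce "/usr/sbin/foo" to "foo".  A name without a slash is unchanged.
sub _basename {
    my ($path) = @_;
    $path =~ s{ .* / ([^/]+) \z }{$1}xms;
    return $path;
}

PROC:
for my $proc (glob '/proc/*') {
    # Only all-digit entries are processes; anchored so /proc/sys, /proc/self
    # and friends are never mistaken for a pid.
    next PROC unless $proc =~ m{ \A /proc/ (\d+) \z }xms;
    my $pid = $1;
    next PROC if $pid == 1;    # there's bigger problems if init is munged.

    # cmdline is the process's own argv, so nothing in it is trusted.  Slurp
    # it whole rather than reading a fixed 256 bytes: a truncated read could
    # drop the terminating NUL and make a long but honest command line look
    # like a missing process name.
    my $cmdline = _slurp("$proc/cmdline");
    next PROC unless defined $cmdline;
    next PROC if length $cmdline == 0;    # most kernel daemons have no cmdline.

    # argv elements are NUL-separated (normally with a trailing NUL).
    my ($procname, $args) = $cmdline =~ m{ \A ([^\0]*) (?: \0 (.*) )? \z }xms;
    $args //= '';

    # User processes can NULL their process names, but they can't make it
    # 0 bytes, like kernel daemons. If $procname is null yet we read more
    # than 0 bytes from the file, something's fishy.
    unless ($procname) {
        print "WARNING: PID $pid has NULL proccess name!\n";
        next PROC;
    }

    # Get the real name the process was invoked with, as the kernel records it.
    # NOTE(review): the comm field can also be changed by the process itself
    # (prctl PR_SET_NAME), so agreement here is not proof of honesty;
    # /proc/<pid>/exe would be a stronger reference if that matters.
    my $status = _slurp("$proc/status");
    next PROC unless defined $status;
    my ($realname) = $status =~ m{ ^ Name: \s+ (.*) $ }xm or next PROC;

    # The kernel truncates comm to a short fixed length, so look for it inside
    # argv[0] rather than comparing for equality.  The value originates in
    # another process, so it is quoted: an unescaped name containing regex
    # metacharacters would otherwise be interpreted as a pattern (false
    # matches, match errors, or pathological backtracking).
    my $name_re = qr{\Q$realname\E};
    $procname = _basename($procname);
    next PROC if $procname =~ $name_re;

    # argv[0] disagrees with comm.  If the real name appears among the other
    # arguments this is most likely an interpreter executing a script
    # (comm is the script name, argv[0] the interpreter); otherwise warn.
    if (grep { $_ =~ $name_re } split /\0/, $args) {
        print "PID $pid has MODIFIED process name, but may be a script.($realname)\n";
    }
    else {
        print "WARNING: PID $pid has MODIFIED process name but doesn't look like a script ($realname)\n";
    }
}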