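#!/usr/bin/perl -w
# This hackish script will examine each running process (ala /proc) and
# try to determine if the program modified its process name.
# This is a common trick with 'malware': programs with malicious or hidden
# intent. Of course, this script is not foolproof.
# There are several publicly available script kiddie tools (scanners, sniffers
# and the like) that this should detect.
# --rpc <rpc@lilo.org>
#
# Method: argv[0] from /proc/PID/cmdline (which a process can overwrite)
# is compared with the "Name:" field of /proc/PID/status.  A mismatch is
# reported; if Name: still shows up in one of the arguments the process is
# probably an interpreter running a script and gets the softer message.
# Name: is not tamper-proof either (a process can change it too), so
# treat every line printed here as a lead to investigate, not as proof.

use strict;
use warnings;
use List::Util qw(any);

die 'this script has only been tested on linux.' unless $^O eq 'linux';

# Bytes of cmdline inspected.  An argv[0] longer than this has no
# terminating NUL inside the buffer and is reported as a NULL name.
my $CMDLINE_BYTES = 256;

PROC:
for my $proc (glob('/proc/*')) {
    # Only all-digit entries are processes; /proc/sys, /proc/net, ... are not.
    next PROC unless $proc =~ m{ \A /proc/ (\d+) \z }xms;
    my $pid = $1;
    next PROC if $pid == 1;    # there's bigger problems if init is munged.

    open my $cmd_fh, '<', "$proc/cmdline" or next PROC;
    my $nread = sysread $cmd_fh, (my $cmdline), $CMDLINE_BYTES;
    close $cmd_fh;
    # sysread returns undef on error and 0 for an empty file; most kernel
    # daemons have no cmdline, so both cases are skipped.
    next PROC unless $nread;

    # cmdline is argv[0]\0argv[1]\0...; /s keeps the parse working when an
    # argument contains a newline.
    my ($procname, $args) = $cmdline =~ m{ \A ([^\0]+) \0 (.*) \z }xms;

    # User processes can NULL their process names, but they can't make it
    # 0 bytes, like kernel daemons. If $procname is null yet we read more
    # than 0 bytes from sysread, something's fishy.
    if (!defined $procname) {
        print "WARNING: PID $pid has NULL proccess name!\n";
        next PROC;
    }

    # Get the real name the process was invoked with.  Name: is the first
    # line of status; the kernel stores only a short prefix of the
    # executable name there, which is why a substring test is used below.
    open my $status_fh, '<', "$proc/status" or next PROC;
    my $first_line = <$status_fh>;
    close $status_fh;
    next PROC unless defined $first_line;
    my ($realname) = $first_line =~ m/Name:\s+(.*)/ or next PROC;

    # Reduce argv[0] to its basename so "/usr/bin/perl" compares to "perl".
    $procname =~ s{.*/([^/]+)$}{$1};

    # $realname is derived from a filename chosen by whoever installed the
    # binary and may contain regex metacharacters.  Interpolated unquoted,
    # a name such as ".*" would match every argv[0] and escape detection,
    # and an unbalanced "(" would abort the whole scan with a regex error.
    my $realname_re = qr/\Q$realname\E/;

    next PROC if $procname =~ $realname_re;

    # Name: appearing among the arguments usually means an interpreter
    # running a script (e.g. "perl foo.pl" reporting as "foo.pl").
    if (any { $_ =~ $realname_re } split /\0/, $args) {
        print "PID $pid has MODIFIED process name, but may be a script.($realname)\n";
    }
    else {
        print "WARNING: PID $pid has MODIFIED process name but doesn't look like a script ($realname)\n";
    }
}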