Tuesday, 10 June 2008

Listing running processes (ps) and revealing the hiding ones (unhide)

You can list all the processes on a system simply by running the ps command with the following syntax:

ps ax

This produces a table with the following headers:
PID TTY STAT TIME COMMAND

PID - a number representing the process id.
TTY - the terminal the command started from
STAT - the status of the process (see the "PROCESS STATE CODES" section of the ps manual page)

The most common state codes are:
R Running or runnable (on run queue)
S Interruptible sleep (waiting for an event to complete)
Z Defunct ("zombie") process, terminated but not reaped by its parent.

Additional characters may follow the state code:
s is a session leader
l is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)
+ is in the foreground process group

COMMAND - the command line of the process (its path, followed by any arguments).

If you add the "u" flag, like

ps aux

you will get more detailed information about each process, such as its owner, its CPU and memory usage, and more.

Some malicious processes can hide themselves from the ps listing.
You can reveal them by running the unhide command. unhide can discover a hidden process using three techniques: proc, sys and brute.

The proc technique consists of comparing /proc with the output of /bin/ps.

The sys technique consists of comparing information gathered from /bin/ps with information gathered from system calls.

The brute technique consists of brute-forcing all process IDs. This technique is only available on Linux 2.6 kernels.

unhide proc

unhide sys

unhide brute
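To show what the proc technique actually does, here is an added example (not code from the original post or from the unhide project): a small POSIX shell script that compares the numeric directories in /proc with the PIDs printed by ps and reports any PID the kernel knows about but ps does not show. The function names and the constructed PID lists used for testing are my own.

```sh
#!/bin/sh
# Added example, not from the original post: a minimal re-implementation of
# unhide's "proc" technique. The kernel's view of processes (the numeric
# directories in /proc) is compared with what ps reports; a PID that /proc
# knows about but ps does not print is a candidate hidden process.

# PIDs known to the kernel: the numeric directory names under /proc.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# PIDs reported by ps: every process, pid column only, no header line.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Print the PIDs that appear in the first list but not in the second.
# Both arguments are newline-separated PID lists, so the comparison can be
# exercised with constructed data as well as with live output. grep -x
# matches whole lines, so PID 42 is not confused with 142 or 4242.
hidden_pids() {
    for pid in $1; do
        printf '%s\n' "$2" | grep -qx "$pid" || printf '%s\n' "$pid"
    done
}

# Full check. A process may simply have exited between the /proc scan and
# the ps run, so a candidate is only reported if /proc/<pid> still exists;
# this is the same race that unhide has to account for.
check_hidden() {
    for pid in $(hidden_pids "$(proc_pids)" "$(ps_pids)"); do
        [ -d "/proc/$pid" ] && printf 'PID %s is in /proc but not in ps\n' "$pid"
    done
    return 0
}

# Run the live check when the script is executed.
check_hidden
```

A clean system prints nothing; any line it does print points at a PID worth inspecting by hand (for example via /proc/<pid>/exe and /proc/<pid>/status), and the "sys" and "brute" techniques described above cross-check the same PIDs from other angles.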
It is a good practice to
