Hidden pids

A few years later I found myself looking for some code I wrote after suspecting that my system was behaving strangely while I was using the Chrome browser; I thought I could take a deeper look at the running PIDs to see if there was anything suspicious.

Some time ago, in ancient days, I was a fanatic Slackware user (I am not anymore), and back then the system/kernel/applications did not have the annoying habit of hiding some of their PIDs; that was a rootkit approach only. Times have changed since then.

When you run a simple "ps -ax" on a Linux system nowadays, lots of running processes are hidden from userland tools like ps. Actually, I don't know exactly why, but anyway the following code may help you locate those PIDs on your system.

https://gist.github.com/carloslack/5375805

Compile (this produces a.out; note that "gcc -c" would only produce an object file, not an executable): gcc psearch.c

Then:

./a.out | while read pid ; do echo -n "$pid: " ; tr '\0' ' ' < /proc/$pid/cmdline ; echo ; done 2>/dev/null

It is possible to list them because they are hidden only from sys_getdents* (if my memory is not failing), which is the directory-enumeration path that readdir()-based tools such as ps use to walk /proc. Once you know their numbers (PIDs) you can chdir() into /proc/<pid> by name, because the lookup path is not filtered. One caveat: a PID that exists but is missing from the listing can also be a process that started between the two checks, so re-check any candidate before concluding something is hiding.
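The following is an added example written for this post, not the psearch.c gist linked above: it automates the comparison described here by enumerating /proc with readdir() (getdents64 underneath) and then probing /proc/<pid> by name for every PID below pid_max, reporting PIDs that the name lookup finds but the listing omits. It assumes Linux with /proc mounted and /proc/sys/kernel/pid_max readable; a candidate is re-checked against a fresh listing so a process that merely started after the first enumeration is not reported.

```c
/* Added example, not the psearch.c gist from the post. Compares the pids
 * that readdir() (getdents64 underneath) reports for /proc against a
 * name-based probe of /proc/<pid> for every pid below pid_max. Linux only:
 * assumes /proc is mounted and /proc/sys/kernel/pid_max is readable. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PID_MAX_FALLBACK 32768L /* default pid_max on many kernels */

/* Read the kernel's pid_max so the probe covers every possible pid. */
long read_pid_max(void) {
    long v = PID_MAX_FALLBACK;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1 || v <= 0) v = PID_MAX_FALLBACK;
        fclose(f);
    }
    return v;
}

/* Does /proc/<pid> exist when looked up by name? stat() uses the lookup
 * path, not getdents, so a pid hidden only from enumeration still shows up.
 * Returns 1 if the directory is present, 0 otherwise. */
int pid_exists(long pid) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", pid);
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Set seen[pid] = 1 for every numeric entry readdir() reports in /proc.
 * Returns 1 on success, 0 if /proc could not be opened. */
int list_proc_pids(unsigned char *seen, long pid_max) {
    DIR *d = opendir("/proc");
    struct dirent *e;
    if (!d) return 0;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid;
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid < pid_max) seen[pid] = 1;
    }
    closedir(d);
    return 1;
}

/* Render a /proc/<pid>/cmdline buffer (NUL-separated argv) as one
 * space-separated line; returns the number of characters written. */
size_t format_cmdline(const char *raw, size_t rawlen, char *out, size_t outlen) {
    size_t i, n = 0;
    for (i = 0; i < rawlen && n + 1 < outlen; i++)
        out[n++] = raw[i] == '\0' ? ' ' : raw[i];
    while (n > 0 && out[n - 1] == ' ') n--; /* drop the trailing NUL */
    out[n] = '\0';
    return n;
}

/* Probe pids 1..pid_max-1 and store (up to maxout) those that exist but are
 * missing from the listing. A candidate is re-checked against a fresh listing
 * so a process that merely started after the first readdir() is not reported.
 * Returns the number of hidden pids, or -1 if /proc is unavailable. */
long find_hidden_pids(long *out, long maxout) {
    long pid_max = read_pid_max(), pid, found = 0;
    unsigned char *seen = calloc((size_t)pid_max, 1);
    if (!seen) return -1;
    if (!list_proc_pids(seen, pid_max)) { free(seen); return -1; }
    for (pid = 1; pid < pid_max; pid++) {
        if (seen[pid] || !pid_exists(pid)) continue;
        list_proc_pids(seen, pid_max);             /* rule out the race */
        if (seen[pid] || !pid_exists(pid)) continue;
        if (found < maxout) out[found] = pid;
        found++;
    }
    free(seen);
    return found;
}

int main(void) {
    long hidden[256], n = find_hidden_pids(hidden, 256), i;
    if (n < 0) { fprintf(stderr, "/proc not available\n"); return 1; }
    for (i = 0; i < n && i < 256; i++) {
        char path[64], raw[4096], line[4096];
        size_t len = 0;
        FILE *f;
        snprintf(path, sizeof path, "/proc/%ld/cmdline", hidden[i]);
        if ((f = fopen(path, "r")) != NULL) {
            len = fread(raw, 1, sizeof raw, f);
            fclose(f);
        }
        format_cmdline(raw, len, line, sizeof line);
        printf("hidden pid %ld: %s\n", hidden[i], line);
    }
    printf("%ld pid(s) present in /proc but missing from its listing\n", n);
    return 0;
}
```

Build with "gcc -Wall hidden_pids.c -o hidden_pids" and run it as root so that /proc/<pid> of every user's processes is visible (with hidepid mount options, other users' entries are hidden from both the listing and the lookup, which this tool would not flag). On a clean system the count should be 0; a non-zero result means the name-based lookup found a process directory that getdents never returned, which is exactly the asymmetry the post relies on.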
