![]() ps – displays a list of all processes it can also be used with options to get a more detailed output.Use one of the three commands to list processes in Linux: Processes running in the background allow you to work on other things at the same time. This implies that it must be completed before a new process may begin. Similarly, when you run a command in the terminal (such as curl ), it starts a process that will only terminate when the command completes or is terminated.Įach new process starts as a foreground process by default. When you launch your Visual Studio Code editor, for example, you start a process that will only cease (or die) when you exit or terminate the Visual Studio Code application. Applications, on the other hand, generate and execute several processes for various tasks, whereas commands only create one. When you perform a command or open an application in Linux, it starts a process. Using the htop command in Linux, you may see what processes are currently running.Using the top command in Linux, you can get a list of currently running processes.To show the currently executing processes in a hierarchical order.Running the ps command without any options produces an output similar to.Put away the kill -9 and take your time when investigating a Linux process. If you go in guns blazing you will not be able to see what the malware may be up to, what files it has open, who it is talking to and other useful pieces of data. The second takeaway is to never go in and kill a suspicious process on Linux until live process forensics have determined what it may be doing. You can do this without the risk of attaching debuggers and it is far safer and faster. The biggest takeaway from this is a malicious process is happy to tell you what it is interested in if you take the time to look at what files it has open. lsof on the other hand is pretty specific and there is always the chance it is being targeted by malware to avoid detection or worse. ![]() The last point may be a bit academic, but the simpler ls and cat commands are very common and hard to tell why they may be used. The lsof command is not commonly called and could alert malware or an intruder about investigators present. It may not be installed and you don’t want to alter a compromised machine by loading new packages. There are two reasons why using lsof may not be the first thing to do when looking at a suspicious process: The lsof command will show all open files in one easy to use way. ![]() If not installed, you will have to use the methods above. Lsof is a tool that shows all open files on a system. This will show you the kind of socket the process is using (e.g. Where INODE is again the number in brackets from above. Andrew Case contributed in a tweet this command: You can run it through netstat in a variety of ways. ![]() The open socket can also be investigated by using the number in which is the inode. We can use this information to view the contents of that file and determine what may be going on. Suspicious Linux Process Exampleīelow we see a suspicious process called tmpwrk and it has a particular interest in a file under the /tmp directory. Once you do this you’ll see what files the process has open and if any are interesting. The basic format for listing the open file descriptors of a process is simply: To find the open file descriptors of a process, we will go to our old friend the /proc file system. The key point here is if the process is running you can quickly see what files it has open and can use that information to determine if it is malicious and what it may be doing. Often live malware will write data to the disk it is stealing or using for other reasons (such as data logs). the process may be talking to when running. But more than this, the file descriptors will also show what files, sockets, etc. These allow the process to communicate back to the terminal and take data input ( stdin), output data to the terminal ( stdout) and pass out errors ( stderr). On Linux the most basic file descriptors you’ll see open by most processes will be stdin, stdout and stderr. These file descriptors can be any legal file or resource on Linux such as: We’re simplifying this for our discussion, but just know that basically all processes on Linux that are running are going to have some kind of file descriptor open. It is the same as a phone number you dial to get a specific person, except on Linux the number will give you a pointer to a file. A file descriptor is a handle used by the operating system to access a file or other I/O mechanism. We can quibble about the specifics, but mostly this is true and for our purposes is all we need to know. Since the inception of Unix (on which Linux is based), everything is a file. Let’s talk about Linux file descriptors and how to investigate a malicious process using them.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |