Tuesday, July 10, 2007

Re: [BLUG] spoofed process names?

Cool... note that this modifies the command line string, not the actual program name.   Depending on the arguments you pass to ps you can still see the actual program name.  The "f" in "ps -ef" causes it to display the command line instead of the program name.

So "ps" looks like this:

25660 pts/1    00:00:00 perl

and "ps -ef" looks like this:

ajpoland 25660 25574  0 08:43 pts/1    00:00:00 hello there!


Andrew


On Jul 10, 2007, at 8:34 AM, Brian Wheeler wrote:

On Tue, 2007-07-10 at 11:55 +0000, ben lipkowitz wrote:
recently i was poking around on a shared mainframe and saw that a user was 
running a rather interesting process:

nullogic q8 - Mon06PM 11:57 Hey, I dont look at you...

where normally it would look something like this:
fenn     rc - Mon07PM     0 (pine)

any ideas on how this might have been accomplished?
hint: sometimes i can get "w" to say "... (zsh)" at the end.
this is a NetBSD system btw

curiouser and curiouser


Nah, it's "normal".  Consider this perl program:

#!/usr/bin/perl
$0 = "hello there!";   # overwrite the argv area that "ps -ef" displays
sleep 1000;            # stay alive long enough to inspect it with ps

run it and then do a ps -ef:

bdwheele 31578 31505  0 08:31 pts/6    00:00:00 hello there!

From the perlvar manpage, there's a description of what's going on:

       $PROGRAM_NAME
       $0      Contains the name of the program being executed.

               On some (read: not all) operating systems assigning to $0
               modifies the argument area that the "ps" program sees.  On some
               platforms you may have to use special "ps" options or a
               different "ps" to see the changes.  Modifying the $0 is more
               useful as a way of indicating the current program state than it
               is for hiding the program you're running.  (Mnemonic: same as sh
               and ksh.)

               Note that there are platform specific limitations on the
               maximum length of $0.  In the most extreme case it may be
               limited to the space occupied by the original $0.

               In some platforms there may be arbitrary amount of padding, for
               example space characters, after the modified name as shown by
               "ps".  In some platforms this padding may extend all the way to
               the original length of the argument area, no matter what you do
               (this is the case for example with Linux 2.2).

               Note for BSD users: setting $0 does not completely remove
               "perl" from the ps(1) output.  For example, setting $0 to
               "foobar" may result in "perl: foobar (perl)" (whether both the
               "perl: " prefix and the " (perl)" suffix are shown depends on
               your exact BSD variant and version).  This is an operating
               system feature, Perl cannot help it.

               In multithreaded scripts Perl coordinates the threads so that
               any thread may modify its copy of the $0 and the change becomes
               visible to ps(1) (assuming the operating system plays along).
               Note that the view of $0 the other threads have will not change
               since they have their own copies of it.




Brian



       /\-/\
( o.o )<
  _____>   <________fenn_____
_______________________________________________
BLUG mailing list

---
Andrew Poland <ajpoland@iupui.edu>
Principal Developer
UITS Course Management Systems
Indiana University

Join us in #sakai - irc.freenode.net
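Added example, not part of the thread above: a small Linux triage script that checks Andrew's point from the other direction. Assigning to $0 rewrites the argv area (what "ps -ef" prints), and newer Perls on Linux also rename the kernel's 16-byte comm field (what plain "ps" prints), but neither changes /proc/<pid>/exe, the kernel's link to the binary actually mapped. The helpers classify and scan_proc are written for this example and assume a Linux /proc layout, not the NetBSD box in ben's question.

```python
import os

COMM_LEN = 15  # Linux comm is TASK_COMM_LEN (16) bytes including the terminator


def classify(exe_target, comm, cmdline):
    """Compare the executable's basename with comm and argv[0].

    exe_target: where /proc/<pid>/exe points; comm: /proc/<pid>/comm without its
    newline; cmdline: /proc/<pid>/cmdline as a str (argv entries joined by NUL).
    Returns None for kernel threads (empty cmdline), else a dict with the three
    names and a 'suspect' flag set when argv[0] is not the real binary.
    """
    if not cmdline:
        return None
    real = os.path.basename(exe_target.replace(" (deleted)", ""))
    argv0 = os.path.basename(cmdline.split("\0", 1)[0])
    return {
        "exe": real,
        "comm": comm,
        "argv0": argv0,
        # comm is taken from the exec'd filename, so a shebang script shows the
        # script's own name here; that by itself is normal.
        "comm_matches_exe": comm == real[:COMM_LEN],
        "suspect": argv0 != real,
    }


def scan_proc(proc="/proc"):
    """Walk /proc and return (pid, info) for every process classify() flags."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().rstrip("\n")
            with open(os.path.join(base, "cmdline")) as f:
                cmdline = f.read()
        except OSError:  # exited meanwhile, or not readable (exe needs ptrace rights)
            continue
        info = classify(exe, comm, cmdline)
        if info and info["suspect"]:
            hits.append((int(pid), info))
    return hits


if __name__ == "__main__":
    for pid, info in scan_proc():
        print(f"{pid}: runs {info['exe']} but argv[0] is {info['argv0']!r} (comm {info['comm']!r})")
```

Expect benign hits too (login shells whose argv[0] starts with "-", daemons that rewrite their title, interpreters reached through a versioned symlink), so treat the output as a list to triage, not an alarm.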



