linux process that changes its own name
2013-01-22 16:36
323 views
In one of our earlier articles, we learned how command line arguments are accessed from within the code. In this article, we will see how a Linux process can use these command line arguments to change its own name.
The concept
Well, the concept behind this is simple. The first element of the array ‘argv’ (the second argument to main()) points to the process name. If the content of this element is changed, then the process name changes with it.
An example
Let's take an example:

```c
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    int counter = 0;

    printf("\n The number of command line arguments passed to this executable is [%d]\n", argc);
    printf("\n The arguments are :\n");
    for (; counter < argc; counter++) {
        printf("[%s] ", argv[counter]);
        fflush(stdout);
    }

    // Introduce a delay so the original name can be checked with ps
    sleep(5);

    // Overwrite one byte of argv[0]: "./cmd" becomes "./ccd"
    argv[0][3] = 'c';

    printf("\n Updated arguments are :\n");
    counter = 0;
    for (; counter < argc; counter++) {
        printf("[%s] ", argv[counter]);
        fflush(stdout);
    }

    // Second delay so the updated name can be checked with ps
    sleep(5);
    return 0;
}
```
In the code above, we replace the second character of the process name with ‘c’. The sleep function is called twice so that the user has time to run the ps command and check the original and the updated name of the process.

Here is how the above code is compiled:

```
$ gcc -Wall cmd.c -o cmd
```
Now, let's run the code:

```
$ ./cmd

 The number of command line arguments passed to this executable is [1]

 The arguments are :
[./cmd]
```
The above partial output is displayed and then the program waits for 5 seconds. So the program reports that the process name is ‘./cmd’. Within these 5 seconds, let's quickly confirm this by running the ps command:

```
$ ps -aef
... ... ...
tarun     2857  2209  0 22:47 pts/0    00:00:00 ./cmd
tarun     2858  2841  0 22:47 pts/1    00:00:00 ps -aef
```
So we see that indeed there is a process in our Linux system with the same name.
Now the 5-second wait is over and the output continues:

```
$ ./cmd

 The number of command line arguments passed to this executable is [1]

 The arguments are :
[./cmd]
 Updated arguments are :
[./ccd]
```
So the code now reports that the process name has been changed to ‘./ccd’. Let's quickly confirm it while the execution is waiting for the next 5 seconds. Again we use the ps command for this:

```
$ ps -aef
... ... ...
tarun     2857  2209  0 22:47 pts/0    00:00:00 ./ccd
tarun     2859  2841  0 22:47 pts/1    00:00:00 ps -aef
```

So we see that the process name has changed. This is how we can tweak the array ‘argv’ and change the process name from within the process itself.
NOTE: As of now I cannot figure out any practical usage of this hack, but I think this can be used in some virus or malware so that a process can change its name frequently to remain hidden in the Linux system.
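The article's trick works because the CMD column of ps is read from /proc/PID/cmdline, which is simply the argv area of the process's own memory. What it does not change is the kernel's own task name in /proc/PID/comm (set at exec time from the executable's basename, truncated to 15 bytes) or the /proc/PID/exe link, so a defender can expose the rename by comparing the two. The program below is an added example written for this page, not code from the original article: it renames itself in place with the same argv[0] overwrite, then reads back its own cmdline and comm and reports whether they still agree. The TASK_COMM_LEN limit of 16 bytes is the kernel's; everything else (function names, the "./ccd" name, the private buffer used in demo_on_buffer) is constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TASK_COMM_LEN 16   /* kernel limit: comm holds at most 15 characters plus NUL */

/* Overwrite argv[0] in place, the same mechanism as the article's argv[0][3] = 'c'.
 * The argv strings sit in a fixed area of the process image, so a new name can only
 * replace the existing bytes; growing past them would clobber argv[1] or the
 * environment. Returns 0 on success, -1 if the new name does not fit. */
int rename_in_argv(char *argv0, const char *new_name)
{
    size_t have = strlen(argv0);
    size_t want = strlen(new_name);
    if (want > have)
        return -1;
    memset(argv0, 0, have);        /* zero the old bytes; ps shows up to the first NUL */
    memcpy(argv0, new_name, want);
    return 0;
}

/* Defender-side check: does the basename of argv[0] (what ps reads from
 * /proc/PID/cmdline) agree with the kernel's task name (/proc/PID/comm)?
 * comm is derived from the executable name at exec and is not touched by
 * writes to argv. Returns 1 on match, 0 on mismatch. */
int argv0_matches_comm(const char *argv0, const char *comm)
{
    const char *base = strrchr(argv0, '/');
    char expected[TASK_COMM_LEN];
    base = base ? base + 1 : argv0;
    snprintf(expected, sizeof expected, "%s", base);   /* truncate to 15 bytes like the kernel */
    return strcmp(expected, comm) == 0;
}

/* Self-contained run on a private buffer (constructed, not the real argv):
 * returns 1 if the rename behaves as described and the comm check flags it. */
int demo_on_buffer(void)
{
    char fake_argv0[] = "./cmd";                     /* same name as the article's binary */
    if (rename_in_argv(fake_argv0, "./ccd") != 0)
        return 0;
    if (strcmp(fake_argv0, "./ccd") != 0)
        return 0;
    if (rename_in_argv(fake_argv0, "./longer-name") != -1)   /* must refuse to grow */
        return 0;
    return !argv0_matches_comm(fake_argv0, "cmd");   /* renamed argv[0] vs unchanged comm */
}

/* Read the kernel's view of this process's name (trailing newline stripped). */
static int read_self_comm(char *out, size_t cap)
{
    FILE *f = fopen("/proc/self/comm", "r");
    if (!f)
        return -1;
    if (!fgets(out, (int)cap, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return 0;
}

/* Read argv[0] as ps sees it: the first NUL-terminated string in /proc/self/cmdline. */
static int read_self_cmdline_argv0(char *out, size_t cap)
{
    FILE *f = fopen("/proc/self/cmdline", "r");
    size_t n;
    if (!f)
        return -1;
    n = fread(out, 1, cap - 1, f);
    fclose(f);
    out[n] = '\0';   /* the first NUL inside the buffer already terminates argv[0] */
    return 0;
}

int main(int argc, char *argv[])
{
    char comm[TASK_COMM_LEN], seen[256];
    (void)argc;

    if (read_self_comm(comm, sizeof comm) == 0 && read_self_cmdline_argv0(seen, sizeof seen) == 0)
        printf("before: cmdline argv[0]=[%s] comm=[%s] match=%d\n",
               seen, comm, argv0_matches_comm(seen, comm));

    if (rename_in_argv(argv[0], "./ccd") != 0)
        fprintf(stderr, "new name does not fit in the argv[0] area\n");

    if (read_self_comm(comm, sizeof comm) == 0 && read_self_cmdline_argv0(seen, sizeof seen) == 0)
        printf("after:  cmdline argv[0]=[%s] comm=[%s] match=%d\n",
               seen, comm, argv0_matches_comm(seen, comm));
    return 0;
}
```

Compiled to a binary named cmd and started as ./cmd, the first line reports match=1 and the second match=0: ps -aef now shows ./ccd while comm (and ps -o comm, and the /proc/PID/exe link) still says cmd. Treat a mismatch as a triage signal rather than proof, since login shells (-bash), interpreters running scripts and daemons that set their own title also carry an argv[0] that differs from comm; the exe link and the inode it points to are the stronger ground truth.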