Controlling and Examining Processes
In addition to ps and kill, Unix supports a large number of lesser-known tools for examining and controlling running processes. These commands are useful to programmers and system administrators, and they are also very helpful for analyzing an attacker's processes during and after a break-in. Some of the ways you can examine or control processes include the following:
- gdb: You can attach to the running process with a debugger such as gdb.
- gcore: You can use the gcore command to dump the process memory map.
- lsof: You can use the lsof program to list the open files in use by the program.
- /proc: You can examine the process directly using the /proc process filesystem.
- pstree: You can see a tree of all processes with the pstree command.
Not all of these tools are available on every version of Unix.
Strictly speaking, many of these tools will work with processes that are either running or stopped. However, if you have a rogue process on your system, you may wish to stop it with the SIGSTOP signal before examining it.
Note
One reason to be familiar with these tools is that many attackers will modify a penetrated system in such a way that the system ps command will no longer display processes belonging to the attacker. These modifications are most often done with programs that are collectively known as rootkits.
Once a system has been modified with a rootkit, it can be very difficult to detect the continued presence of an attacker. However, few rootkits modify such ...
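Putting these tools together, as an added example that is not from the book: a POSIX shell script that stops a suspect process with SIGSTOP, then collects its command line, executable, working directory, memory map and open file descriptors from Linux /proc, adding lsof and pstree output when those commands are installed, and finally lists PIDs that /proc knows about but ps does not, which is the check that catches a ps modified by a rootkit. The function names, output layout and Linux /proc paths are my own assumptions.

```shell
# Added example, not code from the book: freeze a suspicious process with
# SIGSTOP, then collect evidence from Linux /proc and, when installed, from
# lsof and pstree. Assumes a Linux /proc layout; PID and output dir are args.
# State letter from /proc/PID/stat, parsed after the ")" that closes comm so
# a command name containing spaces cannot shift the field.
proc_state() {
    sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1
}

examine_pid() {
    pid="$1"; out="$2"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$out"
    # Stop it first so the memory map and open files do not change while we
    # look; SIGSTOP is asynchronous, so wait until the kernel reports state T.
    kill -STOP "$pid" || return 1
    i=0
    while [ "$(proc_state "$pid")" != "T" ] && [ "$i" -lt 5 ]; do
        sleep 1; i=$((i + 1))
    done
    # cmdline is NUL-separated; turn the NULs into spaces.
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline"
    # exe and cwd are symlinks; an exe target ending in "(deleted)" means the
    # binary was removed from disk after it started, worth a closer look.
    readlink "/proc/$pid/exe" > "$out/exe" 2>/dev/null || echo unreadable > "$out/exe"
    readlink "/proc/$pid/cwd" > "$out/cwd" 2>/dev/null || echo unreadable > "$out/cwd"
    cat "/proc/$pid/maps" > "$out/maps" 2>/dev/null || :
    ls -l "/proc/$pid/fd" > "$out/fd" 2>/dev/null || :
    if command -v lsof >/dev/null 2>&1; then
        lsof -p "$pid" > "$out/lsof" 2>/dev/null || :
    fi
    if command -v pstree >/dev/null 2>&1; then
        pstree -p "$pid" > "$out/pstree" 2>/dev/null || :
    fi
    return 0
}

# PIDs present in /proc but missing from ps output: a trojaned ps that hides
# the attacker's processes shows up here. Processes that exit between the two
# listings produce harmless false positives, so re-run before acting on one.
hidden_pids() {
    command -v ps >/dev/null 2>&1 || return 1
    known=$(ps -e -o pid= | tr -d ' ')
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        printf '%s\n' "$known" | grep -qx "$p" || echo "$p"
    done
}
```

Resume the process afterwards with `kill -CONT PID` only if that is the right decision; the collected directory is what you hand to gdb or gcore next.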