Linux下修改进程名称
catalog
1. 应用场景 2. 通过Linux prctl修改进程名 3. 通过修改进程argv[0]修改进程名 4. 通过bash exec命令修改一个进程的cmdline信息
1. 应用场景
1. 标识父子进程名称,防止被误杀 2. 构造假的进程名及参数,引导非法进入人员到蜜罐系统,取证 3. 恶意程序、木马会通过"檫除"自己的进程名,使ps的时候显示的是一个无名字的进程,同时删除进程对应磁盘上的文件
Relevant Link:
http://blog.chinaunix.net/uid-29482215-id-4120748.html
2. 通过Linux prctl修改进程名
虽然Linux将所有资源对象都抽象为了文件,但是对一些特殊作用的文件特别定制了一些特别的API集合,对其进行特殊操作,prctl就是其中一个例子
prctl - operations on a process #include <sys/prctl.h> int prctl(int option, unsigned long arg2, unsigned long arg3,unsigned long arg4, unsigned long arg5);
prctl() is called with a first argument describing what to do (with values defined in <linux/prctl.h>), and further arguments with a significance depending on the first one. The first argument can be:
1. PR_CAPBSET_READ 2. PR_CAPBSET_DROP 3. PR_SET_CHILD_SUBREAPER 4. PR_GET_CHILD_SUBREAPER 5. PR_SET_DUMPABLE 6. PR_SET_ENDIAN 7. PR_GET_ENDIAN 8. PR_SET_FPEMU 9. PR_GET_FPEMU 10. PR_SET_FPEXC 11. PR_GET_FPEXC 12. PR_SET_KEEPCAPS 13. PR_GET_KEEPCAPS 14. PR_SET_NAME 1) Set the name of the calling thread, using the value in the location pointed to by (char *) arg2. 2) The name can be up to 16 bytes long, including the terminating null byte. (If the length of the string, including the terminating null byte, exceeds 16 bytes, the string is silently truncated.) 3) This is the same attribute that can be set via pthread_setname_np and retrieved using pthread_getname_np. 4) The attribute is likewise accessible via /proc/self/task/[tid]/comm, where tid is the name of the calling thread. 15. PR_GET_NAME 16. PR_SET_NO_NEW_PRIVS 17. PR_GET_NO_NEW_PRIVS 18. PR_SET_PDEATHSIG 19. PR_GET_PDEATHSIG 20. PR_SET_PTRACER 21. PR_SET_SECCOMP 22. PR_GET_SECCOMP 23. PR_SET_SECUREBITS 24. PR_GET_SECUREBITS 25. PR_SET_THP_DISABLE 26. PR_GET_THP_DISABLE 27. PR_GET_TID_ADDRESS 28. PR_SET_TIMERSLACK 29. PR_GET_TIMERSLACK 30. PR_SET_TIMING 31. PR_GET_TIMING 32. PR_TASK_PERF_EVENTS_DISABLE 33. PR_TASK_PERF_EVENTS_ENABLE 34. PR_SET_TSC 35. PR_GET_TSC 36. PR_SET_UNALIGN 37. PR_GET_UNALIGN 38. PR_MCE_KILL 39. PR_MCE_KILL_GET 40. PR_SET_MM 41. PR_MPX_ENABLE_MANAGEMENT, PR_MPX_DISABLE_MANAGEMENT
0x1: Code Example
/* gcc changetitle.c -o changetitle */ #include <stdio.h> #include <sys/prctl.h> int main(int argc, char *argv[], char *envp[]) { char *new_name = "littlehann-program"; getchar(); prctl(PR_SET_NAME, new_name); getchar(); return 0; }
但是prctl修改的进程名,只能是16个字节(包括'\0'),同时,过ps -aux 查看,进程名称并没有改变,改变的只是/prco/$(PID)/stat和/prco/$(PID)/status的值,而/prco/$(PID)/cmdline并没有改变
Relevant Link:
http://man7.org/linux/man-pages/man2/prctl.2.html http://blog.csdn.net/dahailantian1/article/details/5950824 http://www.cppblog.com/beautykingdom/archive/2009/11/08/100419.aspx
3. 通过修改进程argv[0]修改进程名
/* gcc test.c -o test */ #include <stdio.h> #include <string.h> extern char **environ; int main(int argc , char *argv[]) { int i; printf("argc:%d\n" , argc); for (i = 0; i < argc; ++i) { printf("argv[%d](0x%x):%s\n" , i , (unsigned int)argv[i], argv[i]); } printf("evriron=0x%x\n" , (unsigned int)environ[0]); return 0; }
通过代码运行结果可以看出,我们只需要在进程启动时修改argv[0]所指向的内存空间的内容,就可以修改进程名
1. 如果新名称比argv[0]的长度小,我们可以直接修改,并把多余的部分请0 2. 如果新名称比argv[0]长我们需要两步 1) 申请新内存保存环境变量信息和argv[1...argc-1]参数信息 2) 修改argv[0],将新名称往后到environ的最后一项清0
0x1: Code Example
/* gcc changetitle.c -o changetitle */ #include <unistd.h> #include <stdio.h> #include <stdarg.h> #include <string.h> #include <stdlib.h> #include <sys/prctl.h> # define MAXLINE 2048 extern char **environ; static char **g_main_Argv = NULL; /* pointer to argument vector */ static char *g_main_LastArgv = NULL; /* end of argv */ void setproctitle_init(int argc, char **argv, char **envp) { int i; for (i = 0; envp[i] != NULL; i++) // calc envp num continue; environ = (char **) malloc(sizeof (char *) * (i + 1)); // malloc envp pointer for (i = 0; envp[i] != NULL; i++) { environ[i] = malloc(sizeof(char) * strlen(envp[i])); strcpy(environ[i], envp[i]); } environ[i] = NULL; g_main_Argv = argv; if (i > 0) g_main_LastArgv = envp[i - 1] + strlen(envp[i - 1]); else g_main_LastArgv = argv[argc - 1] + strlen(argv[argc - 1]); } void setproctitle(const char *fmt, ...) { char *p; int i; char buf[MAXLINE]; extern char **g_main_Argv; extern char *g_main_LastArgv; va_list ap; p = buf; va_start(ap, fmt); vsprintf(p, fmt, ap); va_end(ap); i = strlen(buf); if (i > g_main_LastArgv - g_main_Argv[0] - 2) { i = g_main_LastArgv - g_main_Argv[0] - 2; buf[i] = '\0'; } //修改argv[0] (void) strcpy(g_main_Argv[0], buf); p = &g_main_Argv[0][i]; while (p < g_main_LastArgv) *p++ = '\0'; g_main_Argv[1] = NULL; //调用prctl prctl(PR_SET_NAME,buf); } int main(int argc, char *argv[]) { char argv_buf[MAXLINE] = {0}; // save argv paramters int i; for( i = 1; i < argc; i++) { strcat(argv_buf, argv[i]); strcat(argv_buf, " "); } //修改argv[0]所指向的内存空间的内容 setproctitle_init(argc, argv, environ); //调用prctl修改进程名 setproctitle("%s@%s %s", "littlehann-prog", "ip", argv_buf); for (i = 0; environ[i] != NULL; i++) free(environ[i]); getchar(); return 0; }
Relevant Link:
http://blog.chinaunix.net/uid-29482215-id-4120748.html
4. 通过bash exec命令修改一个进程的cmdline信息
exec -l -a "littlehann-prog" bash ps ps -l 29116
Relevant Link:
http://blog.ailms.me/2014/05/24/bash-exec-usage-example.html
Copyright (c) 2015 LittleHann All rights reserved