Modifying process names in Unix-like systems
9 months ago
- #Linux
- #UNIX
- #malware
- Explores the technique of dynamically modifying process names in UNIX-like systems for defense evasion, tracing back to the Morris worm in the late '80s.
- Details methods to modify process names in Linux, including overwriting `argv[0]`, using the `prctl` system call, and safer alternatives like `PR_SET_MM`.
- Highlights detection opportunities through discrepancies between `comm` and `cmdline`, and checking `/proc/[pid]/exe` for original binary paths.
- Discusses process name modification in other UNIX-like systems (BSD, Solaris) and limitations, such as inability to change `comm` without kernel modules.
- Introduces `setproctitle` in BSDs as a safer alternative to directly overwriting `argv`, contrasting with Linux's lack of a native equivalent.
- Explains internal Linux kernel structures (`task_struct`, `mm_struct`) involved in process naming and memory management.
- Mentions future topics including tampering with `/proc/[pid]/exe` and using `LD_PRELOAD` or `ptrace` for runtime code replacement.
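The detection opportunity listed above (comparing `comm`, `cmdline` and `/proc/[pid]/exe`) as an added example, not code from the summarised article. It assumes Linux `/proc` semantics: `comm` keeps at most 15 characters of the executed file's basename, `cmdline` reflects whatever the process left in its argv area, and `exe` points at the original binary; the sample values in the test are constructed.

```python
import os
from pathlib import Path
TASK_COMM_LEN = 16  # kernel field size: comm keeps at most 15 characters

def read_proc_identity(pid):
    """Return (comm, argv, exe) for one pid, or None if it vanished."""
    proc = Path("/proc") / str(pid)
    try:
        comm = (proc / "comm").read_text().rstrip("\n")
        raw = (proc / "cmdline").read_bytes()
    except OSError:
        return None
    argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
    try:
        exe = os.readlink(proc / "exe")
    except OSError:  # kernel thread, or someone else's process without CAP_SYS_PTRACE
        exe = ""
    return comm, argv, exe

def check_identity(comm, argv, exe):
    """Return discrepancy labels; empty list means the three views agree.
    Known benign cause: shebang scripts (comm is the script, exe/argv[0] the interpreter)."""
    deleted = exe.endswith(" (deleted)")
    exe_base = os.path.basename(exe[:-len(" (deleted)")] if deleted else exe)
    argv0 = os.path.basename(argv[0]) if argv else ""
    same_as_comm = lambda name: name[:TASK_COMM_LEN - 1] == comm
    findings = []
    if exe_base and not same_as_comm(exe_base):
        findings.append("comm!=exe")    # comm renamed (e.g. PR_SET_NAME)
    if argv0 and not same_as_comm(argv0):
        findings.append("comm!=argv0")  # argv[0] overwritten or PR_SET_MM
    if exe_base and argv0 and argv0 != exe_base:
        findings.append("argv0!=exe")
    if deleted:
        findings.append("exe deleted")  # binary unlinked after exec
    return findings

def scan_proc():
    """Walk /proc and report every user process whose views disagree."""
    report = {}
    for entry in filter(str.isdigit, os.listdir("/proc")):
        ident = read_proc_identity(int(entry))
        if ident and ident[1]:  # skip vanished pids and kernel threads
            findings = check_identity(*ident)
            if findings:
                report[int(entry)] = (ident, findings)
    return report

if __name__ == "__main__":
    for pid, ((comm, argv, exe), f) in sorted(scan_proc().items()):
        print(f"{pid:>7} comm={comm!r} argv0={argv[0]!r} exe={exe!r}: {', '.join(f)}")
```

Run as root to read `exe` links of other users' processes; expect hits from interpreted scripts and from daemons that legitimately rename their workers, so treat the output as triage input rather than a verdict.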