"ps auwx" faker
"Process Stack Faker" (psf for short) is able to hide the real executable name and its parameters from the output of "ps auwx", "ps -ef" & "top"
(on UN*X machines), without any superuser privileges. Why one
would wish to hide the stuff he/she executes is a completely different topic.
Let's take a look at the options that psf itself accepts:
$ ./psf
Process Stack Faker (a.k.a. Fucker) v0.03
Coded by Stas; (C)opyLeft by SysD Destructive Labs, 1997-2003
Usage: psf [options] command arg1 arg2 ...
Where options can be:
-s string fake process name
-p filename file to write PID of spawned process - optional
-d try to start as daemon (in background, no tty) - optional
-l DO NOT exec through link (detectable by 'top'!!!) - optional
-u uid[:gid] (format just like in chown(1)) reset UID/GID - optional
-n priority renice process - optional
Example: psf -s "pine -i" -d -n 19 ./john -session:websrv
$
psf will execute "command arg1 arg2", and it will appear to the "ps" & "top" utilities as "string". All other options are... Uhm, optional! They are only useful for detaching processes not designed to run as daemons (and for renicing them or switching to another UID/GID on the way). "-l"
is a 'compatibility' switch that disables the weird trick used to
override the detection of the real filename by some process listers
(notably "top"). The default may behave unexpectedly on some systems (by the way, psf works fine on FreeBSD 4.3, Linux 2.4, NetBSD 1.5 & Solaris 2.7). To test psf, try this:

$ psf -s "pine -i" sleep 30 &
[1] 440
$ ps auwx
...
stas 84 0.0 0.6 2012 1232 pts/0 S 19:12 0:00 bash -rcfile .bashrc
stas 440 0.0 0.1 1204 376 tty2 S 20:09 0:00 pine -i
stas 450 0.0 0.4 2544 816 tty2 R 20:12 0:00 ps auwx
...
The "sleep 30" process was spoofed as "pine -i". Please note the white line between PIDs 440 and 450: psf pads the fake name with whitespace (0x20) characters, which shifts the original process arguments out of the visible area of the terminal.
To understand how psf works and learn how to compile it, just read the comments inside the source.

stas » May 5, 2006 » 01:57
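The two tricks the post describes (a fake argv[0] padded with spaces so the real arguments are pushed out of view, and exec through a link so that top shows the link's name), reimplemented below as an added example together with the checks that expose them. This is my own code, not psf's source; what it assumes beyond the post is Linux /proc semantics (cmdline is the NUL-separated argv, field 2 of stat is the kernel's 15-byte comm, /proc/PID/exe resolves to the real binary), an absolute path for the command so the symlink resolves, and the function names and the /tmp link location, which are mine.

```c
/* Added example, my own code rather than psf's source: the launcher half applies the
 * two tricks the post describes, the checker half reads the traces they leave in
 * Linux /proc (assumed: cmdline = NUL-separated argv, stat field 2 = 15-byte comm,
 * exe resolves to the real binary). Names and the /tmp link path are mine. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Child argv: [0] = fake title + pad spaces, then the real args, shifted right but
 * not removed; ps prints it from /proc/PID/cmdline cut at the terminal width. */
char **build_spoofed_argv(const char *fake, size_t pad, int argc, char **argv)
{
    size_t tlen = strlen(fake) + pad;
    char *title = malloc(tlen + 1);
    char **nargv = calloc((size_t)argc + 1, sizeof *nargv); /* [argc] stays NULL */
    if (!title || !nargv) { free(title); free(nargv); return NULL; }
    snprintf(title, tlen + 1, "%s%*s", fake, (int)pad, ""); /* %*s of "" = pad spaces */
    nargv[0] = title;
    for (int i = 1; i < argc; i++) nargv[i] = argv[i];
    return nargv;
}

/* Detection: a run of min_run spaces inside one argv string (buf is raw cmdline,
 * NUL-separated) is the padding signature; ordinary argv rarely has one. */
int cmdline_is_padded(const char *buf, size_t len, size_t min_run)
{
    size_t run = 0;
    for (size_t i = 0; i < len; i++)
        if ((run = buf[i] == ' ' ? run + 1 : 0) >= min_run) return 1;
    return 0;
}

/* comm out of "440 (pine) S 84 ...": it may hold spaces or ')', so cut at the
 * first '(' and the last ')'. */
int stat_comm(const char *stat_line, char *out, size_t outsz)
{
    const char *l = strchr(stat_line, '('), *r = strrchr(stat_line, ')');
    if (!l || !r || r < l) return -1;
    snprintf(out, outsz, "%.*s", (int)(r - l - 1), l + 1);
    return 0;
}

static const char *base(const char *path)
{
    const char *s = strrchr(path, '/');
    return s ? s + 1 : path;
}

/* Bit 1: comm (top's view) != real executable, i.e. exec'd through a link.
 * Bit 2: first word of argv[0] (ps's view) != real executable. Heuristic only:
 * scripts (exe is the interpreter) and login shells ("-bash") set bit 2 too. */
int name_mismatch(const char *comm, const char *exe, const char *cmdline)
{
    const char *real = base(exe);
    char word[256];
    int flags = strncmp(comm, real, 15) != 0 ? 1 : 0; /* comm is cut at 15 bytes */
    snprintf(word, sizeof word, "%s", base(cmdline));
    word[strcspn(word, " ")] = '\0';
    return strcmp(word, real) != 0 ? flags | 2 : flags;
}

static size_t slurp(const char *pid, const char *name, char *buf, size_t sz)
{
    char p[64];
    snprintf(p, sizeof p, "/proc/%s/%s", pid, name);
    FILE *f = fopen(p, "r");
    size_t n = f ? fread(buf, 1, sz - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    return n;
}

/* All flags for one pid (bit 4 = padded cmdline); -1 if it is gone or not ours. */
int check_pid(const char *pid)
{
    char cmd[4096], st[1024], exe[4096], comm[64], p[64];
    size_t n = slurp(pid, "cmdline", cmd, sizeof cmd);
    snprintf(p, sizeof p, "/proc/%s/exe", pid);
    ssize_t m = readlink(p, exe, sizeof exe - 1);
    if (n == 0 || m < 0 || !slurp(pid, "stat", st, sizeof st) || stat_comm(st, comm, sizeof comm))
        return -1;
    exe[m] = '\0';
    return name_mismatch(comm, exe, cmd) | (cmdline_is_padded(cmd, n, 16) ? 4 : 0);
}

/* "check PID" prints the flags; "TITLE /abs/cmd args..." runs cmd under TITLE,
 * exec'd through the link /tmp/<first word of TITLE> so that comm (top) shows it. */
int main(int argc, char **argv)
{
    if (argc == 3 && !strcmp(argv[1], "check")) { printf("flags=%d\n", check_pid(argv[2])); return 0; }
    if (argc < 3) { fprintf(stderr, "usage: %s check PID | %s TITLE /abs/cmd [args]\n", *argv, *argv); return 2; }
    char link[64];
    snprintf(link, sizeof link, "/tmp/%.*s", (int)strcspn(argv[1], " "), argv[1]);
    char **nargv = build_spoofed_argv(argv[1], 200, argc - 2, argv + 2); /* 200 spaces: past col 80 */
    if (!nargv) return 1;
    unlink(link);
    execv(symlink(argv[2], link) == 0 ? link : argv[2], nargv); /* returns only on failure */
    perror("execv");
    return 1;
}
```

Run it as `./a.out "pine -i" /bin/sleep 30 &` and then `./a.out check $!`; the flags come back as 7 on a stock Linux box (comm differs from the binary, argv[0] differs, and the cmdline carries the padding). Two practical consequences of the trick as the post describes it: because the real arguments are only pushed to the right, not removed, `ps auxww` (unlimited width) or `tr '\0' ' ' < /proc/PID/cmdline` still shows them, and `readlink /proc/PID/exe` names the real binary whatever the link was called. The bit-2 heuristic is noisy for interpreted scripts and login shells, so treat it as a triage signal, and note that psf's own source may implement the same effect differently.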
