Linux 找出隐藏进程
原理
当 top、ps 等命令被篡改（例如被 rootkit 替换）时，利用 Linux「一切皆文件」的特性找出被隐藏的进程：脚本并不读取 /proc 的目录列表（目录枚举同样可能被劫持），而是从 2 到 pid_max 逐一 stat /proc/&lt;pid&gt;，凡是 /proc 中存在、但 ps 的进程列表和线程（LWP）列表都没有的 PID，即为可疑的隐藏进程。局限：如果内核级 rootkit 连 /proc/&lt;pid&gt; 的 stat/open 也一并劫持，这种方法仍会漏报；脚本自身调用的 ps 也可能被篡改，最好从可信介质运行，并对发现的 PID 再用 /proc/&lt;pid&gt;/exe、cmdline 等信息人工确认。
以下为python脚本
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import subprocess
import sys
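def get_max_pid(path='/proc/sys/kernel/pid_max'):
    """Return the kernel's pid_max (PIDs are always below it), or -1 on failure.

    The sysctl file is read directly instead of via ``cat`` in a shell: the
    premise of this tool is that userland binaries may be trojaned, so the
    fewer external commands it depends on, the better.

    path: file to read; defaults to the live sysctl, overridable for testing.
    Returns -1 (not None) when the file is missing, unreadable or does not
    hold a decimal number, so a numeric ``<= 0`` check in the caller is safe.
    """
    try:
        with open(path) as fh:
            content = fh.readline().strip()
    except (IOError, OSError):
        return -1
    return int(content) if content.isdigit() else -1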
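def get_ps_proc_list(ps_output=None):
    """Return the PIDs listed by ``ps -e`` (the possibly-trojaned userland view).

    ps_output: pre-captured text of ``ps -e --no-header``; when None the
        command is executed.  Exposed mainly so the parser can be tested.
    Returns a list of ints in output order; an empty list (after a warning
    on stderr) when ps cannot be run.

    ps is invoked without a shell, and the PID is the first
    whitespace-separated field of each line: the PID column is right-aligned,
    so splitting on a single space and deleting '' entries while iterating
    the same list (the previous approach) left a leading '' in place and
    raised ValueError on int().  Blank lines and a stray header are skipped.
    """
    if ps_output is None:
        try:
            ps_output = subprocess.check_output(
                ['ps', '-e', '--no-header'], universal_newlines=True)
        except (OSError, subprocess.CalledProcessError) as err:
            sys.stderr.write('warning: cannot run ps: %s\n' % err)
            return []
    pids = []
    for line in ps_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.append(int(fields[0]))
    return pids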
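def get_ps_lwp_list(ps_output=None):
    """Return every thread id (LWP) listed by ``ps -eL``.

    Threads are collected because /proc/<tid> resolves for a thread just as
    /proc/<pid> does for a process; without this list every thread of every
    multithreaded process would be reported by main() as a hidden PID.

    ps_output: pre-captured text of ``ps --no-header -eL o lwp``; when None
        the command is executed.  Exposed mainly so the parser can be tested.
    Returns a list of ints in output order; an empty list (after a warning
    on stderr) when ps cannot be run.  Blank or non-numeric lines are
    skipped instead of raising ValueError.
    """
    if ps_output is None:
        try:
            ps_output = subprocess.check_output(
                ['ps', '--no-header', '-eL', 'o', 'lwp'], universal_newlines=True)
        except (OSError, subprocess.CalledProcessError) as err:
            sys.stderr.write('warning: cannot run ps: %s\n' % err)
            return []
    tids = []
    for line in ps_output.splitlines():
        token = line.strip()
        if token.isdigit():
            tids.append(int(token))
    return tids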
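def print_badpid_info(pid):
    """Print what /proc says about a PID that ps did not report.

    Reads /proc/<pid>/exe and /proc/<pid>/cmdline directly rather than
    shelling out to ``ls``, so the output does not depend on a possibly
    trojaned coreutils/shell.  An exe target that typically ends in
    " (deleted)" means the binary was unlinked after start, a common trait
    of memory-resident malware; readlink failing usually means a kernel
    thread or insufficient privilege (run as root for full results).

    pid: the process id to describe.  Returns None; output goes to stdout.
    """
    proc_dir = '/proc/%d' % pid
    try:
        exe = os.readlink(proc_dir + '/exe')
    except OSError as err:
        exe = '<unreadable exe: %s>' % err
    try:
        with open(proc_dir + '/cmdline', 'rb') as fh:
            raw = fh.read()
        # argv entries are NUL-separated in cmdline.
        cmdline = raw.replace(b'\0', b' ').strip().decode('utf-8', 'replace')
    except (IOError, OSError) as err:
        cmdline = '<unreadable cmdline: %s>' % err
    print('  pid %d exe=%s cmdline=%r' % (pid, exe, cmdline))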
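def main():
    """Scan every possible PID and report those /proc knows about but ps does not.

    The scan never lists /proc (a readdir hook could filter the listing); it
    stats /proc/<pid> for each pid in [2, pid_max), which is what lets
    processes hidden from ps and from directory listings surface.  pid 1 is
    init and always visible, so it is skipped as before.  Returns None; all
    findings go to stdout.
    """
    max_pid = get_max_pid()
    # Accept None as well as -1 so either flavour of get_max_pid failure is
    # handled, and say so instead of exiting silently.  There is deliberately
    # no upper sanity cap: modern kernels commonly set pid_max to 4194304, and
    # the old "> 50000 -> return" cap silently turned the scan into a no-op.
    if max_pid is None or max_pid <= 0:
        print('cannot read a usable pid_max from /proc/sys/kernel/pid_max, aborting')
        return
    # Sets, not lists: membership is tested up to pid_max times.
    known = set(get_ps_proc_list()) | set(get_ps_lwp_list())
    self_pid = os.getpid()
    for pid in range(2, max_pid):  # range() excludes pid_max, as the original did
        if pid == self_pid or pid in known:
            continue
        if not os.path.exists('/proc/%d' % pid):
            continue
        # Anything started after the ps snapshot also looks "hidden" here;
        # confirm against a fresh snapshot before reporting to cut those
        # race-induced false positives (hidden processes are rare, so the
        # extra ps runs are cheap).
        if pid in get_ps_proc_list() or pid in get_ps_lwp_list():
            continue
        print("found process not in ps list: %d" % pid)
        print_badpid_info(pid)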
# Run the scan only when executed as a script, not when imported.
if __name__ == "__main__":
    main()