Modify process name under Linux

Source: Internet
Author: User
Original: http://www.cnblogs.com/LittleHann/p/4991600.htm

Catalog

1. Application Scenarios
2. Modify process name via Linux prctl
3. Modify process name by modifying the process argv[0]
4. Modify the cmdline information of a process through the bash exec command
1. Application Scenarios

1. Distinguish parent and child process names so that the wrong process is not killed by mistake
2. Construct fake process names and parameters to lead intruders to a honeypot system and collect evidence
3. Malicious programs and Trojans "erase" their own process name so that ps shows a process without a name, and at the same time delete the file on disk that the process corresponds to

Relevant link:
http://blog.chinaunix.net/uid-29482215-id-4120748.html

2. Modify process name via Linux Prctl

While Linux abstracts all resource objects as files, some special-purpose objects also get dedicated API sets of their own; prctl is one example.

prctl - operations on a process
#include <sys/prctl.h>
int prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5);

prctl() is called with a first argument describing what to do (with values defined in <linux/prctl.h>) and further arguments with a significance depending on the first one. The first argument can be:

1. PR_CAPBSET_READ
2. PR_CAPBSET_DROP
3. PR_SET_CHILD_SUBREAPER
4. PR_GET_CHILD_SUBREAPER
5. PR_SET_DUMPABLE
6. PR_SET_ENDIAN
7. PR_GET_ENDIAN
8. PR_SET_FPEMU
9. PR_GET_FPEMU
10. PR_SET_FPEXC
11. PR_GET_FPEXC
12. PR_SET_KEEPCAPS
13. PR_GET_KEEPCAPS
14. PR_SET_NAME
    1) Set the name of the calling thread, using the value in the location pointed to by (char *) arg2.
    2) The name can be up to 16 bytes long, including the terminating null byte. (If the length of the string, including the terminating null byte, exceeds 16 bytes, the string is silently truncated.)
    3) This is the same attribute that can be set via pthread_setname_np() and retrieved using pthread_getname_np().
    4) The attribute is likewise accessible via /proc/self/task/[tid]/comm, where tid is the name of the calling thread.
15. PR_GET_NAME
16. PR_SET_NO_NEW_PRIVS
17. PR_GET_NO_NEW_PRIVS
18. PR_SET_PDEATHSIG
19. PR_GET_PDEATHSIG
20. PR_SET_PTRACER
21. PR_SET_SECCOMP
22. PR_GET_SECCOMP
23. PR_SET_SECUREBITS
24. PR_GET_SECUREBITS
25. PR_SET_THP_DISABLE
26. PR_GET_THP_DISABLE
27. PR_GET_TID_ADDRESS
28. PR_SET_TIMERSLACK
29. PR_GET_TIMERSLACK
30. PR_SET_TIMING
31. PR_GET_TIMING
32. PR_TASK_PERF_EVENTS_DISABLE
33. PR_TASK_PERF_EVENTS_ENABLE
34. PR_SET_TSC
35. PR_GET_TSC
36. PR_SET_UNALIGN
37. PR_GET_UNALIGN
38. PR_MCE_KILL
39. PR_MCE_KILL_GET
40. PR_SET_MM
41. PR_MPX_ENABLE_MANAGEMENT, PR_MPX_DISABLE_MANAGEMENT

0x1: Code example

/*
gcc changetitle.c -o changetitle
*/
#include <stdio.h>
#include <sys/prctl.h>

int main(int argc, char *argv[], char *envp[])
{
	char *new_name = "Littlehann-program";
	getchar();                      /* pause: look at /proc/$PID/comm and ps before the change */
	prctl(PR_SET_NAME, new_name);   /* rename the calling thread; the kernel keeps 15 chars + NUL */
	getchar();                      /* pause: look at /proc/$PID/comm and ps after the change */
	return 0;
}

However, a process name set via prctl can be at most 16 bytes (including the terminating null byte), and in the ps aux view the process name does not change: the change only affects the values in /proc/$PID/stat and /proc/$PID/status, while /proc/$PID/cmdline stays as it was.

Relevant links:

http://man7.org/linux/man-pages/man2/prctl.2.html
http://blog.csdn.net/dahailantian1/article/details/5950824
http://www.cppblog.com/beautykingdom/archive/2009/11/08/100419.aspx
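To check the claim above from inside the renamed process, here is an added example (not from the original post): it renames the calling thread with PR_SET_NAME, reads /proc/self/comm and /proc/self/cmdline back, and reports whether only comm changed. The function and file names are my own.

```c
/* Compile: gcc prctl_check.c -o prctl_check */
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>

/* Read a small /proc file into buf as a NUL-terminated string; returns bytes read or -1 */
static ssize_t read_proc_file(const char *path, char *buf, size_t n)
{
	FILE *f = fopen(path, "r");
	size_t got;
	if (f == NULL) return -1;
	got = fread(buf, 1, n - 1, f);
	fclose(f);
	buf[got] = '\0';
	return (ssize_t) got;
}

/* Rename the calling thread with PR_SET_NAME and check what the /proc views show.
 * Returns 1 if /proc/self/comm now carries the (truncated) new name while
 * /proc/self/cmdline still starts with the original argv[0]; 0 on any other outcome. */
int prctl_rename_changes_comm_only(const char *new_name)
{
	char kname[16], comm[64], cmdline[4096];
	if (prctl(PR_SET_NAME, new_name) != 0) return 0;
	if (prctl(PR_GET_NAME, kname) != 0) return 0;    /* kernel stores 15 chars + NUL */
	if (strncmp(kname, new_name, 15) != 0) return 0;
	if (read_proc_file("/proc/self/comm", comm, sizeof comm) < 0) return 0;
	comm[strcspn(comm, "\n")] = '\0';                /* comm ends with a newline */
	if (strcmp(comm, kname) != 0) return 0;          /* stat/status/comm see the new name */
	if (read_proc_file("/proc/self/cmdline", cmdline, sizeof cmdline) < 0) return 0;
	/* cmdline is argv joined by NUL bytes, so the string functions only see argv[0] */
	return strstr(cmdline, kname) == NULL;           /* argv[0] is untouched by prctl */
}

int main(void)
{
	printf("comm changed, cmdline unchanged: %s\n",
	       prctl_rename_changes_comm_only("Littlehann-program") ? "yes" : "no");
	return 0;
}
```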
3. Modify process name by modifying process argv[0]
/*
gcc test.c -o test
*/
#include <stdio.h>
#include <string.h>

extern char **environ;

int main(int argc, char *argv[])
{
	int i;
	printf("argc: %d\n", argc);
	/* print each argument with its address: the argv strings sit back to back, followed by environ */
	for (i = 0; i < argc; ++i)
	{
		printf("argv[%d] (%p): %s\n", i, (void *) argv[i], argv[i]);
	}
	printf("environ[0] = %p\n", (void *) environ[0]);
	return 0;
}

From the output of this program we can see that the argv strings and the environment strings are laid out contiguously, so to change the process name we only need to overwrite the contents of the memory area that argv[0] pointed to when the process was started.

1. If the new name is shorter than argv[0], we can overwrite it directly and set the remaining bytes to 0.
2. If the new name is longer than argv[0], two steps are needed:
    1) Allocate new memory and save the environment variables and the parameters argv[1...argc-1] there.
    2) Overwrite argv[0] with the new name and zero the rest of the area up to the end of the last environ entry.

0x1: Code example

/* gcc changetitle.c -o changetitle */
#include <unistd.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <stdlib.h>
#include <sys/prctl.h>
#define MAXLINE 2048
extern char **environ;
static char **g_main_argv = NULL;     /* pointer to argument vector */
static char *g_main_lastargv = NULL;  /* end of the contiguous argv/environ area */

/* Copy the environment to the heap so the original argv/environ area can be reused for the title */
void setproctitle_init(int argc, char **argv, char **envp)
{
	int i;
	for (i = 0; envp[i] != NULL; i++)   /* count envp entries */
		continue;
	environ = (char **) malloc(sizeof(char *) * (i + 1));   /* new envp pointer array */
	for (i = 0; envp[i] != NULL; i++) {
		environ[i] = malloc(strlen(envp[i]) + 1);   /* +1 for the terminating NUL */
		strcpy(environ[i], envp[i]);
	}
	environ[i] = NULL;
	g_main_argv = argv;
	if (i > 0)
		g_main_lastargv = envp[i - 1] + strlen(envp[i - 1]);
	else
		g_main_lastargv = argv[argc - 1] + strlen(argv[argc - 1]);
}

void setproctitle(const char *fmt, ...)
{
	char buf[MAXLINE], *p;
	int i;
	va_list ap;
	va_start(ap, fmt);
	vsnprintf(buf, sizeof(buf), fmt, ap);
	va_end(ap);
	i = strlen(buf);
	if (i > g_main_lastargv - g_main_argv[0] - 2) {   /* the title must fit in the original area */
		i = g_main_lastargv - g_main_argv[0] - 2;
		buf[i] = '\0';
	}
	(void) strcpy(g_main_argv[0], buf);   /* modify argv[0] */
	p = &g_main_argv[0][i];
	while (p < g_main_lastargv)           /* zero the rest of the argv/environ area */
		*p++ = '\0';
	g_main_argv[1] = NULL;
	prctl(PR_SET_NAME, buf);              /* call prctl so /proc/$PID/comm changes too */
}

int main(int argc, char *argv[])
{
	char argv_buf[MAXLINE] = {0}; int i;   /* save argv parameters before they are overwritten */
	for (i = 1; i < argc; i++) {
		strncat(argv_buf, argv[i], sizeof(argv_buf) - strlen(argv_buf) - 1);
		strncat(argv_buf, " ", sizeof(argv_buf) - strlen(argv_buf) - 1);
	}
	/* modify the contents of the memory space pointed to by argv[0] */
	setproctitle_init(argc, argv, environ);
	setproctitle("Littlehann-program");   /* argv_buf still holds the original arguments */
	getchar();                            /* pause: compare ps aux and /proc/$PID/cmdline now */
	return 0;
}
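As an added example that is not part of the original post, the following audit program takes the defender's view of both techniques above (prctl PR_SET_NAME and the argv[0] rewrite) and of scenario 3 from the introduction: for every process it compares /proc/PID/comm and argv[0] from /proc/PID/cmdline against the basename of /proc/PID/exe, and flags an executable that was deleted while still running. The function names, flag values and the constructed sample values in the comments are my own.

```c
/* Compile: gcc proc_audit.c -o proc_audit */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#define F_COMM_MISMATCH  1   /* comm differs from the executable's basename (PR_SET_NAME or argv[0] rewrite) */
#define F_ARGV0_MISMATCH 2   /* argv[0] differs from the executable's basename (argv[0] rewrite) */
#define F_EXE_DELETED    4   /* /proc/PID/exe points at a file removed while the process runs */

static const char *basename_of(const char *path)
{
	const char *s = strrchr(path, '/');
	return s ? s + 1 : path;
}
/* Pure classifier over the three /proc values, so it can be exercised on constructed input
 * (e.g. comm "Littlehann-prog", argv0 "changetitle", exe "/tmp/changetitle" -> F_COMM_MISMATCH) */
int classify_process(const char *comm, const char *argv0, const char *exe)
{
	int flags = 0;
	const char *b = basename_of(exe), *a = basename_of(argv0);
	size_t n = strlen(b), m;
	if (n >= 10 && strcmp(b + n - 10, " (deleted)") == 0) { flags |= F_EXE_DELETED; n -= 10; }
	m = n < 15 ? n : 15;   /* comm keeps at most 15 characters of the name */
	if (strlen(comm) != m || strncmp(comm, b, m) != 0) flags |= F_COMM_MISMATCH;
	if (strlen(a) != n || strncmp(a, b, n) != 0) flags |= F_ARGV0_MISMATCH;
	return flags;
}
/* Walk /proc, print flagged processes and return their count (-1 if /proc cannot be opened) */
int scan_proc(void)
{
	DIR *d = opendir("/proc"); struct dirent *e; int hits = 0;
	if (!d) return -1;
	while ((e = readdir(d)) != NULL) {
		char path[64], comm[64] = "", argv0[4096] = "", exe[4096] = "";
		FILE *f; ssize_t n; int flags;
		if (!isdigit((unsigned char) e->d_name[0])) continue;        /* only pid directories */
		snprintf(path, sizeof path, "/proc/%s/exe", e->d_name);
		if ((n = readlink(path, exe, sizeof exe - 1)) < 0) continue;  /* kernel thread, zombie or no permission */
		exe[n] = '\0';
		snprintf(path, sizeof path, "/proc/%s/comm", e->d_name);
		if ((f = fopen(path, "r")) != NULL) { if (fgets(comm, sizeof comm, f)) comm[strcspn(comm, "\n")] = '\0'; fclose(f); }
		snprintf(path, sizeof path, "/proc/%s/cmdline", e->d_name);
		if ((f = fopen(path, "r")) != NULL) { if (!fgets(argv0, sizeof argv0, f)) argv0[0] = '\0'; fclose(f); }  /* NUL after argv[0] ends the string */
		if ((flags = classify_process(comm, argv0, exe)) != 0) { printf("pid %s comm=\"%s\" argv0=\"%s\" exe=\"%s\" flags=%d\n", e->d_name, comm, argv0, exe, flags); hits++; }
	}
	closedir(d);
	return hits;
}
```

Login shells (argv[0] of -bash), interpreters and symlinked multi-call binaries produce benign mismatches, so treat hits as triage leads to compare against /proc/PID/exe and the package database rather than as alerts on their own.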