linux process that changes its own name

Source: Internet
Uploaded by: User

In one of our earlier articles, we learned how command line arguments are accessed from within the code. Here in this article, we will see how these command line arguments can be used by a Linux process
to change its own name.

The concept

Well, the concept behind this logic is simple. The first element of the array 'argv' (the second argument to the main() function) points to the string that is reported as the process name. If the contents of that string are overwritten, the reported process name changes with it.

An example

Let's take an example:

#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    int counter = 0;

    printf("\n The number of command line arguments passed to this executable is [%d]\n", argc);
    printf("\n The arguments are :\n");
    for (; counter < argc; counter++)
    {
        printf("[%s] ", argv[counter]);
        fflush(stdout);
    }

    // Introduce a delay so the original name can be checked with ps
    sleep(5);

    // Overwrite the fourth byte of argv[0]: "./cmd" becomes "./ccd".
    // argv[0] depends on how the program was invoked, so make sure the
    // write stays inside the existing string.
    if (strlen(argv[0]) > 3)
        argv[0][3] = 'c';

    printf("\n Updated arguments are :\n");
    counter = 0;
    for (; counter < argc; counter++)
    {
        printf("[%s] ", argv[counter]);
        fflush(stdout);
    }

    // Second delay so the updated name can be checked with ps
    sleep(5);

    return 0;
}

In the code above, we replace the second character of the name 'cmd' (the fourth byte of argv[0], after the './' prefix) with 'c'. The sleep function is called twice so that the user has time to run the ps command and check the original and the updated name of the process.

Here is how the above code is compiled:

$ gcc -Wall cmd.c -o cmd

Now, let's run the code:

$ ./cmd

 The number of command line arguments passed to this executable is [1]

 The arguments are :
[./cmd]

The above partial output is displayed and then the program waits for 5 seconds. The program reports that the process name is './cmd'. Within these 5 seconds, let's quickly confirm this by running the ps command from another terminal:

$ ps -aef
.........
tarun  2857  2209  0 22:47 pts/0    00:00:00 ./cmd
tarun  2858  2841  0 22:47 pts/1    00:00:00 ps -aef

So we see that indeed there is a process in our Linux system with the same name.

Now the 5-second wait ends and the output continues:

$ ./cmd

 The number of command line arguments passed to this executable is [1]

 The arguments are :
[./cmd]

 Updated arguments are :
[./ccd]

So we see that the code now reports the process name as './ccd'. Let's quickly confirm it while the program waits for the next 5 seconds. Again we use the ps command for this:

$ ps -aef
.........
tarun  2857  2209  0 22:47 pts/0    00:00:00 ./ccd
tarun  2859  2841  0 22:47 pts/1    00:00:00 ps -aef

So we see that the process name as shown by ps has changed. This is how the array 'argv' can be tweaked to change the process name from within the process itself.

NOTE: As of now I cannot figure out any practical usage of this hack, but I think this can be used in some virus or malware so that the process can change its name frequently to remain hidden in the Linux system.
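The rename from the article done with a bounded write, together with the check a defender can run against it, as an added example that is not part of the original article (the function names spoof_argv0 and argv0_matches_comm are my own):

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Overwrite argv[0] in place without growing it: the argv strings are packed
 * back to back, so writing past the original length would clobber argv[1] and
 * the environment block. Returns the number of name bytes actually written. */
size_t spoof_argv0(char *argv0, const char *new_name) {
    size_t room = strlen(argv0), n = strlen(new_name);  /* room: bytes we may touch */
    if (n > room) n = room;                             /* truncate, never overflow */
    memcpy(argv0, new_name, n);
    memset(argv0 + n, '\0', room - n);                  /* pad so ps shows a clean name */
    return n;
}

/* Read a small /proc file into buf, dropping a trailing newline; 0 on success. */
static int read_proc(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[got] = '\0';
    if (got && buf[got - 1] == '\n') buf[got - 1] = '\0';
    return 0;
}

/* Defender's check. ps takes its CMD column from /proc/PID/cmdline, i.e. the argv
 * memory, but /proc/PID/comm is filled by the kernel from the executable's basename
 * (at most 15 bytes) and is untouched by writes to argv. Returns 1 if the two agree,
 * 0 if cmdline looks rewritten, -1 if /proc is unavailable. */
int argv0_matches_comm(void) {
    char cmdline[256], comm[32];
    if (read_proc("/proc/self/cmdline", cmdline, sizeof cmdline) < 0 ||
        read_proc("/proc/self/comm", comm, sizeof comm) < 0)
        return -1;
    const char *base = strrchr(cmdline, '/');   /* cmdline string ends at argv[0]'s NUL */
    base = base ? base + 1 : cmdline;
    size_t cl = strlen(comm);
    if (cl < 15) return strcmp(base, comm) == 0;  /* comm not truncated: exact match */
    return strncmp(base, comm, cl) == 0;          /* truncated at 15: compare prefix */
}

int main(int argc, char *argv[]) {
    printf("argc=%d before: argv[0]=%s consistent=%d\n", argc, argv[0], argv0_matches_comm());
    spoof_argv0(argv[0], "./ccd");              /* the article's rename, bounded */
    printf("after: argv[0]=%s consistent=%d  (verify: ps -o pid,comm,args -p %d)\n",
           argv[0], argv0_matches_comm(), (int)getpid());
    sleep(5);                                   /* time to run the ps command */
    return 0;
}
```

Because ps takes the CMD column from /proc/PID/cmdline it follows the rewritten argv, while /proc/PID/comm and the /proc/PID/exe symlink still name the real executable and give the process away.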
