listps: Detecting hidden processes.


listps detects hidden processes on *nix-based operating systems that support the /proc filesystem. It is important to clarify what is meant here by a hidden process: if a process, in any defined process state, is hidden from the view of the standard ps utility, it is, in effect, a hidden process.

listps detects hidden processes in an awfully simple way. It uses several features of the /proc filesystem to determine whether a process is hidden. The /proc filesystem maintains a separate directory for each process existing in any of the defined process states. The names of these directories correspond to the process IDs (PIDs) of the processes. listps loops through the range 1 to 33000, inclusive, and for each number in that range checks whether the /proc filesystem has a directory entry corresponding to that number. Having found an existing directory, listps descends into it and reads the name of the process from two files, “cmdline” and “stat”. At the end of the loop, listps lists all the processes it found as having a directory entry in the /proc filesystem hierarchy, highlighting those that are hidden.

Nothing fancy!
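The scan described above, sketched in Python as an added example (this is not listps's own code). It assumes Linux and `ps -e -o pid=` as the "standard ps" view, and it additionally skips thread IDs using the `Tgid` field of `status`, a step the post does not mention; all function names are illustrative.

```python
import os
import subprocess

PID_MAX = 33000  # scan range from the post; kernel.pid_max may be set higher

def _read(path):
    with open(path, "rb") as f:
        return f.read().decode(errors="replace")

def proc_name(root, pid):
    """Name from cmdline, falling back to stat (kernel threads have an empty cmdline)."""
    base = os.path.join(root, str(pid))
    try:
        argv0 = _read(os.path.join(base, "cmdline")).split("\0")[0]
        if argv0:
            return argv0
        stat = _read(os.path.join(base, "stat"))
        # comm sits in parentheses and may itself contain spaces or ')'
        return stat[stat.index("(") + 1:stat.rindex(")")]
    except (OSError, ValueError):
        return "?"  # process exited mid-read or file unreadable

def is_thread(root, pid):
    """Linux also answers /proc/<tid> for thread IDs; their Tgid differs from the ID."""
    try:
        for line in _read(os.path.join(root, str(pid), "status")).splitlines():
            if line.startswith("Tgid:"):
                return int(line.split()[1]) != pid
    except (OSError, ValueError, IndexError):
        pass
    return False

def scan(root="/proc", pid_max=PID_MAX):
    """Probe every candidate PID by path instead of trusting a directory listing."""
    return {pid: proc_name(root, pid) for pid in range(1, pid_max + 1)
            if os.path.isdir(os.path.join(root, str(pid))) and not is_thread(root, pid)}

def ps_pids():
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True)
    return {int(tok) for tok in out.stdout.split()}

def hidden(found, visible):
    """PIDs that have a /proc directory but are absent from the ps view."""
    return {pid: name for pid, name in found.items() if pid not in visible}

if __name__ == "__main__":
    before = ps_pids()   # snapshot ps on both sides of the scan so a process
    found = scan()       # started while probing is not misreported
    flagged = hidden(found, before | ps_pids())
    for pid, name in sorted(found.items()):
        print(f"{pid:>6}  {name}" + ("   <-- hidden from ps" if pid in flagged else ""))
```

A flagged PID is worth re-checking before acting on it, since a short-lived process can start and exit between the two ps snapshots.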
