command line shown by ps
uunet!bria!mike
Fri Feb 22 04:59:08 AEST 1991
In an article, hammer.idsila.com!jockc (PRIV Account) writes:
>How can a process change or obscure the command line that
>ps (and other programs like w or whodo) show for it?
>
>This could obviously be desirable for security reasons, but also for
>informational purposes. For example, when a program forks a child
>process to do something, the child proc might want to change
>its "command line" (what ps shows, which by now probably has little
>meaning) to something more descriptive of what it's doing.
In a general sense, what you need to do is read the kernel namelist,
get the symbol value for _proc which is the offset into /dev/kmem. Read
the proc table, and determine if the process is in core or swapped; if it
is in core, read /dev/mem, otherwise read /dev/swap, seeking to the u block
for that process (the address of the u block is in the proc table). Once
you have the proc table entry and the u block for that process, you can
proceed to alter u_comm and/or u_psargs to your heart's content.
Obviously, you must be root to do these wonderful things. Further note that
your swap device is probably not called /dev/swap.
Cheers,
--
Michael Stefanik, MGI Inc., Los Angeles| Opinions stated are not even my own.
Title of the week: Systems Engineer | UUCP: ...!uunet!bria!mike
-------------------------------------------------------------------------------
Remember folks: If you can't flame MS-DOS, then what _can_ you flame?