Linux process that changes its own name

In one of our earlier articles, we learned how command line arguments are accessed from within the code. In this article, we will see how a Linux process can use these command line arguments to change its own name.

The concept

The concept behind this is simple. The first element of the array ‘argv’ (the second argument to the main() function) points to the process name as it was passed at exec time, and tools such as ps read that name back from /proc/<pid>/cmdline, which is backed by this same argv memory. So if the content of argv[0] is changed, the process name shown by ps changes too.

An example

Let's take an example:

#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    int counter = 0;
    printf("\n The number of command line arguments passed to this executable is [%d]\n", argc);
    printf("\n The arguments are :\n");

    for (; counter < argc; counter++)
    {
        printf("[%s] ", argv[counter]);
        fflush(stdout);
    }

    // Introduce a delay so that ps can be run against the original name
    sleep(5);

    // Overwrite the 'm' of "./cmd" (index 3, counting the leading "./") with 'c'.
    // Guard against a shorter argv[0], which would make this write go out of bounds.
    if (strlen(argv[0]) > 3)
        argv[0][3] = 'c';

    printf("\n Updated arguments are :\n");

    counter = 0;
    for (; counter < argc; counter++)
    {
        printf("[%s] ", argv[counter]);
        fflush(stdout);
    }

    // Second delay so that ps can be run against the updated name
    sleep(5);
    return 0;
}

In the code above, we change the second character of the name cmd (argv[0][3], counting the leading ‘./’) to ‘c’. The sleep function is used twice so that the user has time to run the ps command to check the original and the updated name of the process.

Here is how the above code is compiled:

$ gcc -Wall cmd.c -o cmd

Now, let's run the code:

$ ./cmd

 The number of command line arguments passed to this executable is [1]

 The arguments are :

 [./cmd]

The above partial output is displayed and then the program waits for 5 seconds. So the program reports that the process name is ‘./cmd’. Within these 5 seconds, let's quickly confirm this by running the ps command:

$ps -aef
...
...
...
tarun  2857  2209  0 22:47 pts/0    00:00:00 ./cmd
tarun  2858  2841  0 22:47 pts/1    00:00:00 ps -aef

So we see that indeed there is a process in our Linux system with the same name.

Now the 5-second wait is over and the output continues:

$ ./cmd

 The number of command line arguments passed to this executable is [1]

 The arguments are :

 [./cmd] 

 Updated arguments are :

 [./ccd]

So we see that the code now reports the process name as ‘./ccd’. Let's quickly confirm it while the program waits for the next 5 seconds. Again we use the ps command for this:

$ps -aef
...
...
...
tarun  2857  2209  0 22:47 pts/0    00:00:00 ./ccd
tarun  2859  2841  0 22:47 pts/1    00:00:00 ps -aef

So we see that the process name has changed. This is how the array ‘argv’ can be tweaked to change the process name from within the process itself.
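
As an added example (not the article's code), the variant below rewrites argv[0] with a length check and then reads back the three places a defender would compare: /proc/self/cmdline, which ps uses and which changes, against /proc/self/comm and /proc/self/exe, which this write leaves untouched. The new name "./ccd" is taken from the article; the helper names are assumptions made here.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read /proc/self/<name> into buf (NUL-terminated, trailing newline dropped);
 * returns the byte count, or -1 if the file cannot be opened. */
ssize_t read_proc_self(const char *name, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", name);
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    if (n > 0 && buf[n - 1] == '\n') n--;
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Overwrite argv[0] in place (the article's one-byte write, generalised). The new
 * name must fit in the bytes already on the stack: 0 on success, -1 if it does not. */
int rename_in_argv(char *argv0, const char *new_name)
{
    size_t old_len = strlen(argv0), new_len = strlen(new_name);
    if (new_len > old_len) return -1;
    memset(argv0, 0, old_len);          /* NUL-pad so no tail of the old name remains */
    memcpy(argv0, new_name, new_len);
    return 0;
}

/* The three views a defender can compare: cmdline (argv memory), comm (kernel
 * task name) and exe (the file actually being executed). */
static void show(const char *label)
{
    char cmdline[256] = "", comm[64] = "", exe[256] = "";
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    exe[n > 0 ? n : 0] = '\0';
    read_proc_self("cmdline", cmdline, sizeof cmdline); /* %s stops at argv[0]'s NUL */
    read_proc_self("comm", comm, sizeof comm);
    printf("%s cmdline=[%s] comm=[%s] exe=[%s]\n", label, cmdline, comm, exe);
}

int main(int argc, char *argv[])
{
    show("before:");
    if (rename_in_argv(argv[0], "./ccd") != 0)   /* "./ccd" is the article's new name */
        fprintf(stderr, "argv[0] too short to hold the new name\n");
    show("after: ");                             /* cmdline changes; comm and exe do not */
    return 0;
}
```

Run it as ./cmd: only the cmdline view flips to ./ccd, so `ps -o comm` or `readlink /proc/<pid>/exe` still show the real binary.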

NOTE: As of now I cannot figure out any practical usage of this hack, but I think it could be used by some virus or malware so that the process can change its name frequently to remain hidden in the Linux system.
