proc
The /proc filesystem is a virtual kernel interface that exposes live process, scheduler, memory, and system state information. It provides read-only and writable files used to inspect and tune kernel behavior without relying on userland tools.
Each /proc/PID/ directory contains, among other entries, the following:
| /proc/PID/ | Process-specific information |
|---|---|
| /proc/PID/cmdline | Contains the command-line arguments used to start the process, stored as a NUL (0)-separated string. It may not reflect the original invocation if the process has overwritten its argv; ps reads this file, so it shows the overwritten value too |
| /proc/PID/cwd | A symbolic link to the process’s current working directory |
| /proc/PID/environ | Contains the environment variables of the process as NUL-separated NAME=value strings. Access may be restricted for non-privileged users |
| /proc/PID/exe | A symbolic link to the executable file that was originally used to start the process. If the executable has been deleted or replaced, the link will still exist but may show (deleted) |
| /proc/PID/fd/ | A directory containing symbolic links for each open file descriptor of the process. Each link points to the file, socket, pipe, or device associated with that descriptor |
| /proc/PID/fdinfo/ | Contains per-file-descriptor information such as file position, access mode, and flags |
| /proc/PID/maps | A text file describing the process’s virtual memory mappings, including mapped files, shared libraries, heap, stack, and anonymous memory regions |
| /proc/PID/mem | A binary interface to the process's virtual memory. Opening it is gated by the same permission check as attaching with ptrace (PTRACE_MODE_ATTACH), so it is subject to the dumpable flag and to Yama's ptrace_scope; an active ptrace attachment is no longer required on modern kernels |
| /proc/PID/root | A symbolic link to the root directory as seen by the process. Normally this points to /, but it may differ for processes running in a chroot or container environment |
| /proc/PID/status | Provides a human-readable summary of process state and attributes, including execution state, memory usage, UID/GID, and namespace information |
| /proc/PID/task/ | A directory containing subdirectories for each thread (task) belonging to the process, identified by thread IDs (TIDs) |
Non-process-related system information
The /proc filesystem also includes non-process-related system information, including:
| File | Description |
|---|---|
| /proc/cmdline | Provides the boot options passed to the kernel |
| /proc/loadavg | Contains the system's load averages over the last 1, 5 and 15 minutes, followed by the running/total task counts and the most recently allocated PID |
| /proc/meminfo | Summarizes how the kernel is managing its memory |
| /proc/modules | Contains a list of currently loaded kernel modules and some indication of their dependencies |
| /proc/mounts | A symlink to self/mounts, listing currently mounted devices, their mount points, and filesystem types |
| /proc/net/ | A directory containing useful information about the network stack |
When working with Linux systems, understanding the processes running on your system is crucial. The ps command is a powerful tool for this purpose, offering various options for viewing and filtering process information. On Linux, ps (Process Status) does not query the kernel through a dedicated API; it retrieves its data by reading files in the proc filesystem.
To see how ps operates in a Linux environment, you can use strace (the system call tracer). strace is a diagnostic, debugging, and instructional userspace utility for Linux that monitors interactions between processes and the Linux kernel, including system calls, signal deliveries, and changes in process state. This functionality is built on the kernel feature known as ptrace.
To examine the files the ps command opens, run strace -e openat ps. The output shows ps opening /proc, then /proc/PID/stat, /proc/PID/status and /proc/PID/cmdline for each PID directory it finds.
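The following is an added example, not code from the original page: a minimal ps(1) replacement that reads the same /proc/PID/stat files ps does. The function names (parse_stat, list_procs) are the example's own, and the proc root is taken as an optional argument so the script can be pointed at a constructed tree instead of the live /proc.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal ps that reads /proc
# directly, the way the real ps does. The proc root is a parameter so the
# parser can be exercised against a constructed directory tree.

# Parse one /proc/PID/stat line and print "pid ppid state comm".
# stat is "pid (comm) state ppid ...". comm is wrapped in parentheses and may
# itself contain spaces and ')', so split around the LAST ')' rather than on
# whitespace (splitting on whitespace is a classic parsing bug here).
parse_stat() {
    line=$1
    pid=${line%% *}
    comm=${line#*(}
    comm=${comm%)*}
    rest=${line##*)}          # " S 1 4242 ...": state is $1, ppid is $2
    set -- $rest
    printf '%s %s %s %s\n' "$pid" "$2" "$1" "$comm"
}

# Walk PROCDIR/[0-9]*/stat and print one line per process. A PID directory
# whose stat file cannot be read (for example an empty directory bind-mounted
# over it) is skipped silently, which is exactly how such a process vanishes
# from ps output.
list_procs() {
    procdir=${1:-/proc}
    for d in "$procdir"/[0-9]*; do
        [ -r "$d/stat" ] || continue
        IFS= read -r line < "$d/stat" || continue
        parse_stat "$line"
    done
}

list_procs "$@"
```

Run it with no arguments to list the live system; pass a directory to parse a copied or constructed proc tree (useful when triaging a forensic image of /proc collected with tar).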
Can processes be hidden by manipulating the proc filesystem?
So what happens when an attempt is made to remove a process ID directory from /proc/? The kernel refuses: the entries under /proc are synthesized by the kernel rather than stored on disk, so rm fails with "Operation not permitted" (EPERM) even when run as root.
But what happens if we bind-mount an empty directory over one of the /proc/PID directories?
Since Linux 2.4.0, it has been possible to remount a part of the file hierarchy to a different location using the following command:
mount --bind olddir newdir
Or, using the short form of the option:
mount -B olddir newdir
In the /etc/fstab file, this can be configured as:
/olddir /newdir none bind
After this command, the same contents will be accessible from both locations. It is also possible to bind-mount a single file onto another file. A plain --bind covers only that one subtree and does not include submounts (--rbind includes them).
Bind-mounting an empty directory over /proc/PID in this way hides the process from ps, top and any other tool that enumerates /proc: the PID directory still appears in a listing of /proc, but it is empty, so reading /proc/PID/stat fails and the tool skips it while the process keeps running. This tactic is also employed by an unclassified threat actor group. Traditional incident response (IR) triage typically relies on scripted process listings, which read /proc, so this technique can be used to evade it. The hide is not complete, though: the bind mount itself remains visible in /proc/self/mountinfo and to findmnt(8).
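As an added example (not from the original page), two checks for the overmount technique above. The first reads /proc/self/mountinfo, where the bind mount still appears with the PID directory as its mount point (field 5); the second flags PID directories that exist in /proc but contain no stat file. The function names are the example's own, and the mountinfo path and proc root are parameters so the checks can be run against constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): detect a directory bind-mounted
# over /proc/<PID>. The mount is a kernel object, so even though the PID
# directory now looks empty, it is still listed in /proc/self/mountinfo.

# Print "mountpoint fstype source" for every mount sitting directly on a
# PID directory under /proc. mountinfo field 5 is the mount point; the
# fields after the standalone "-" separator are fstype, source and options.
find_proc_overmounts() {
    mountinfo=${1:-/proc/self/mountinfo}
    awk '$5 ~ /^\/proc\/[0-9]+$/ {
            for (i = 6; i <= NF; i++) if ($i == "-") break
            printf "%s %s %s\n", $5, $(i+1), $(i+2)
        }' "$mountinfo"
}

# Cross-check from the other side: a PID directory that is present in the
# /proc listing but has no stat file is exactly what ps silently skips.
# (A process that exits between the directory scan and the test can show up
# here too, so treat a hit as a lead and confirm it against mountinfo.)
find_empty_pid_dirs() {
    procdir=${1:-/proc}
    for d in "$procdir"/[0-9]*; do
        [ -d "$d" ] || continue
        [ -e "$d/stat" ] || printf '%s\n' "${d##*/}"
    done
}

find_proc_overmounts
find_empty_pid_dirs
```

A hit from find_proc_overmounts can be confirmed with findmnt on the reported mount point and undone with umount; the hidden process is then visible to ps again.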
Commands
Print kernel command line
cat /proc/cmdline
Print the running kernel's build configuration (only available if the kernel was built with CONFIG_IKCONFIG_PROC)
zcat /proc/config.gz
Print supported crypto
cat /proc/crypto
Print all currently loaded kernel modules
cat /proc/modules
Print the boot time, computed from /proc/uptime with GNU date (the fractional part of the uptime is dropped, since date does not accept fractional relative offsets)
date -d "$(cut -d. -f1 /proc/uptime) seconds ago"
Show uptime in hours and minutes
awk '{print int($1/3600)"h", int(($1%3600)/60)"m"}' /proc/uptime
Show the 1, 5 and 15 minute load averages, as printed by uptime
awk '{print $1, $2, $3}' /proc/loadavg
Print uptime as days and hh:mm:ss
awk '{printf "%d days %02d:%02d:%02d\n",
int($1/86400),
int($1%86400/3600),
int($1%3600/60),
int($1%60)}' /proc/uptime
Print Linux version we are currently using
cat /proc/version
Extract the running kernel's configuration to /usr/src/linux/.config
zcat /proc/config.gz > /usr/src/linux/.config
Command line of the current shell process (arguments are NUL-separated, so translate the separators to spaces)
tr '\0' ' ' < /proc/$$/cmdline; echo
Information about current shell process
ls /proc/$$
Environment variables of the current shell process (NUL-separated, so print one per line)
tr '\0' '\n' < /proc/$$/environ
Dump cpu info
cat /proc/cpuinfo
Print a new random UUID each time the file is read
cat /proc/sys/kernel/random/uuid
Print the maximum PID value the kernel will allocate (pid_max), which bounds the number of processes
cat /proc/sys/kernel/pid_max
Trigger an immediate kernel crash (requires root and kernel.sysrq enabled; used to test kdump. The system will not come back without a reboot)
echo c > /proc/sysrq-trigger