How to Find an Anomalous Process and Capture Memory Bytes to a File on Linux?

Let’s look into another example. Consider a Linux host is suspected to be compromised. You have been asked to inspect the machine. As a security analyst, it’s your task to find a running anomalous process and capture the bytes from the memory to a file for further analysis.

For the demo, let’s amuse htop as an anomalous process running background without the owner’s permission.

Let’s run htop command on the 1st terminal.

A screenshot of an htop interactive process viewer in a terminal window on a Linux system, displaying various system processes and their resource usage.

Now our task is to find the process and capture the bytes directly from the memory.

Identify the process to investigate

Let’s see the process running on the terminal session.

ps
A screenshot of a Linux terminal displaying the result of the 'ps' command, listing process IDs and execution times for bash and ps.

No suspicious process is apparently running. Let’s see the complete list of the process.

ps -e

or

ps aux
A screenshot of a Linux terminal displaying the output of the 'ps aux' command, listing active processes and their respective resource usage.

You see an anomaly process running. Now, you want to investigate more about that specific process. In our case it’s htop. You capture the process ID number of the process. You can directly capture the process ID number from the ‘ps aux’ command.

Alternatively, you can capture using ‘pgrep’ command if you know the name of the process.

pgrep htop
Screenshot of a Linux terminal where the 'pgrep htop' command has been run, showing the process ID '13908' in the output.

The next step should be to find the parent-child tree structure of the process. You can see that using the pstree command. Scroll up for more information about the command.

pstree command shows all the process including the process not running now but running in the past as a tree structure. You can add -g, -p, -a, -u flags for more detailed information.

If you want to display only the tree structure of a specific process, you can run the pstree command with the process ID number.

pstree
pstree 13908 -g -p -a -u
Screenshot of a Linux terminal where the user has executed the 'pstree' command to visualize the process hierarchy of the 'htop' command.

This shows the process is running directly under systemd process. The command displays the process name, process ID of the process, group ID of the process, and the user who ran the process. Since in this case, the process is running directly underneath systemd, which is the parent of all processes, no parent is shown here.

See also  Step-By-Step Procedure to Export a Certificates With a Private Key From a Windows Server

How to Read the Process Tree Structure?

If you see the output of the pstree command it something looks like this. Systemd is the process parent of all the process. Apache2 is the child of systemd process running with the process ID 1204 and the group id 1204. Underneath that there is another apache2 process 1207, and several other apache2 process 1219, 1246, 1247, so forth.

Screenshot of a Linux terminal displaying the 'pstree' command output, highlighting the process tree for the Apache server with its child processes.

If I want to see the process tree of the group ID 1204, I can do that with this command.

pstree 1204 -g -p -a -u
Screenshot of a Linux terminal showing the output of the 'pstree' command, which illustrates the process tree of the Apache web server.

Capture Bytes of the Running Process to a File

There is a special directory called proc underneath ‘/’ directory. This holds all the information on running and previously run processes. If you list the files and directories of the proc directory. there you see a lot of sub-directories with numbers. These numbers are nothing but the process ID numbers. These are auto-created directories created when there a process is created with new process IDs. These directories contain processes that were running and ran in the past.

In this example, we should find the directory with the name ‘13908’ underneath ‘proc’.

ls /proc/13908
A terminal snapshot showing a list of files within the /proc/13908 directory on a Linux system.

Now you say, there is no htop process underneath this directory. Let’s find the running processes in this list.

ls -l /proc/13908
Linux terminal output showing the 'ls -l' command used to list the detailed contents of the /proc/13908 directory, indicating the running 'htop' process.

‘exe’ is the process that is running ‘htop’. Now let’s see the content of ‘exe’ with the help of cat command.

cat /proc/13908/exe
A Linux terminal showing garbled characters as a result of executing the 'cat /proc/13908/exe' command, which attempts to display the in-memory image of an executable.

Anyways, you can’t completely read the content of memory. However, you can capture it as a file.

cat /proc/13908/exe >> /home/arunkl/htop_memorydump

I captured the memory dump of ‘htop’ to ‘htop_memorydump’ file in my home directory.

A screenshot of a Linux terminal where the user has redirected the contents of a process's executable file from '/proc/13908/exe' to a file named 'htop_memorydump' in their home directory.

You can see the content of the file or even execute it.

cat /home/arunkl/htop_memorydump

To execute it.

chmod +x htop_memorydump
./htop_memorydump
A user on a Linux terminal granting executable permissions to a file named 'htop_memorydump' and then attempting to execute it.

As soon as you run the ‘htop_memorydump’ file you should see the htop output, which shows the list of all running processes.

A screenshot of an htop session in a Linux terminal, displaying system processes and resource usage, with one process 'htop_memorydump' being highlighted.

Two htop processes are running on the screen. the first one is 13908 which is the old process running, and the second one is with process ID 14305 with the name ‘htop_memorydump’.

See also  Discovering Wireshark: 7 Features to Analyze a PCAP File Using Wireshark

You can use the ‘htop_memorydump’ file for further analysis. You can repeat the same process to identify the parent-child processes and further analyze them. That’s it.

Leave a Reply

Your email address will not be published. Required fields are marked *