xpid

package module
v1.3.2
Published: May 19, 2022 License: MIT Imports: 1 Imported by: 0

README

xpid

It's nmap but for pids. 🤓

xpid gives a user the ability to "investigate" process details on a Linux system.

For example, a sleeping thread will have a directory /proc/[pid] that can be navigated to but is not listed.

xpid checks many different places in the kernel for details about a pid. By walking subsets of the possible pid space (see the query syntax below), xpid can look for pid details in each of those places rather than relying on a single listing.

xpid [flags] -o [output] <query>

Investigate all pids
  xpid

Investigate pid 1
  xpid 1

Find all container processes on a system
  xpid -c

Find all processes in the same namespace(s) as pid 1
  xpid --ns-in [mnt, net, pid, ipc, cgroup]

Find all processes not in the same namespace(s) as current user
  xpid --ns-out-user [mnt, net, pid, ipc, cgroup]

Find all processes running with eBPF programs as JSON
  xpid --ebpf -o json <pid-query>

Find all processes running with eBPF programs, in a container, in /proc
  xpid -b -c -p

Find all processes between specific values (Query syntax)
  xpid <flags> +100      # Search pids up to 100
  xpid <flags> 100-2000  # Search pids between 100-2000
  xpid <flags> 65000+    # Search pids 65000 or above

Find all hidden processes on a system (slow)
  xpid -x <pid-query>

Container pids (xpid -c) 📦

xpid will look up container processes at runtime. 🎉

This works by reading the link in /proc/[pid]/ns/@cgroup and correlating it back to the value in /proc/1/[pid]/ns/@cgroup.

Regardless of the pid namespace context, if there is a "container" that is distinct from the current pid 1, xpid will find it.

eBPF pids (xpid -b) 🐝

xpid will find pids that have eBPF programs loaded at runtime.

This works by correlating the file descriptor info from /proc/[pid]/fdinfo/* back to /sys/fs/bpf/progs.debug. If a pid has an eBPF program loaded, xpid will find it.

Hidden pids (xpid -x) 🙈

Because kernel modules and eBPF programs can change how the kernel reports process state, it is possible to prevent the proc(5) filesystem from listing pid details in the traditional ways.

xpid uses a variety of tactics to search for pids, in the same way nmap uses different tactics to port scan a target.
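As an added illustration (not xpid's or libxpid's own code) of the probe-versus-listing idea behind xpid -x, combined with the pid query syntax shown above: the program expands a query into a pid range, then reports every pid that a direct stat of /proc/[pid] confirms but that a readdir of /proc omitted. The query grammar, the FindHidden function and the pid_max of 4194304 are this example's own assumptions, not taken from the project.

```go
package main

import ("fmt"; "os"; "strconv"; "strings")

// PidRange is the inclusive pid interval a query expands to.
type PidRange struct{ Lo, Hi int }

// ParseQuery expands the query syntax: "+100" is 1..100, "100-2000" a closed
// interval, "65000+" runs up to maxPid, and a bare number is a single pid.
func ParseQuery(q string, maxPid int) (PidRange, error) {
	lo, hi := q, q
	switch {
	case strings.HasPrefix(q, "+"):
		lo, hi = "1", q[1:]
	case strings.HasSuffix(q, "+"):
		lo, hi = q[:len(q)-1], strconv.Itoa(maxPid)
	case strings.Contains(q, "-"):
		lo, hi, _ = strings.Cut(q, "-")
	}
	l, err1 := strconv.Atoi(lo)
	h, err2 := strconv.Atoi(hi)
	if err1 != nil || err2 != nil || l < 1 || h < l {
		return PidRange{}, fmt.Errorf("bad pid query %q", q)
	}
	return PidRange{l, h}, nil
}

// FindHidden reports each pid in r that probe confirms but that listed (what a
// readdir of /proc returned) omits; both are injected so it runs without a kernel.
func FindHidden(r PidRange, listed map[int]bool, probe func(int) bool) (hidden []int) {
	for pid := r.Lo; pid <= r.Hi; pid++ {
		if !listed[pid] && probe(pid) {
			hidden = append(hidden, pid)
		}
	}
	return
}

func main() {
	listed := map[int]bool{} // numeric names that readdir(/proc) returned
	entries, _ := os.ReadDir("/proc")
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		listed[pid] = err == nil
	}
	// A direct stat of /proc/[pid] also succeeds for thread ids the listing omits.
	probe := func(pid int) bool { _, err := os.Stat("/proc/" + strconv.Itoa(pid)); return err == nil }
	r, _ := ParseQuery("+4096", 4194304) // 4194304 is an assumed pid_max, not read from the kernel
	fmt.Println("present but unlisted:", FindHidden(r, listed, probe))
}
```

On a live system the unlisted set is dominated by thread ids, which is exactly the /proc behaviour described above; a pid that is neither a thread nor visible to readdir is the case worth investigating further.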

Go runtime

xpid is a Go runtime utility that depends on libxpid. Install libxpid first (below), and then compile the Go runtime.

git clone https://github.com/kris-nova/xpid.git
cd xpid
make
sudo make install

Xpid C library (libxpid)

libxpid is written in C, as it leverages ptrace(2) and eBPF code directly. This means that the xpid executable is NOT entirely statically linked: libxpid must be installed on your system before the xpid Go program will run.

git clone https://github.com/kris-nova/xpid.git
cd xpid/libxpid
./configure
cd build
make
sudo make install

Documentation

Index

Constants

This section is empty.

Variables

var (
	Name        string
	Version     string
	Copyright   string
	License     string
	AuthorName  string
	AuthorEmail string
)

Functions

func Banner() string

Types

This section is empty.

Directories

Path Synopsis
pkg
