DEV Community

Cover image for Hunting hidden PIDs, eBPF and much more using xpid
Kubernetes Community Days Chennai profile image Leon Nunes
Leon Nunes for Kubernetes Community Days Chennai

Posted on

Hunting hidden PIDs, eBPF and much more using xpid

#forensic #linux #tooling

Today while browsing Twitter I came across a tool which I found pretty amazing and as a system admin(well sort off) I find tools like these pretty amazing.

So what exactly is xpid.

Well, as the creator describes it, "It's nmap but for pids".

xpid supports the following

USAGE:
   xpid [flags] -o [output] <query>

   Investigate pid 123 and write the report to out.txt
     xpid 123 > out.txt

   Find all container processes on a system
     # Looks for /proc/[pid]/ns/cgroup != /proc/1/ns/cgroup
     xpid -c <query>

   Find all processes running with eBPF programs at runtime.
     # Looks for /proc/[pid]/fdinfo and correlates to /sys/fs/bpf
     xpid --ebpf <query>

   Find all processes between specific values
     xpid <flags> +100      # Search pids up to 100
     xpid <flags> 100-2000  # Search pids between 100-2000
     xpid <flags> 65000+    # Search pids 65000 or above

   Find all "hidden" processes on a system
     # Looks for chdir, opendir, and dent in /proc
     xpid -x <query>

   Find all possible pids on a system, and investigate each one (slow). The --all flag is default.
     xpid > out.txt

   Investigate all pids from 0 to 1000 and write the report to out.json
     xpid -o json 0-1000 > out.json
Enter fullscreen mode Exit fullscreen mode

The following flags are supported

GLOBAL OPTIONS:
   --verbose, -v                          (default: false)
   --output value, -o value, --out value
   --all, -A                              (default: false)
   --fast, -f                             (default: true)
   --probe, --bpf, --ebpf, -b             (default: false)
   --hidden, -x                           (default: false)
   --threads, -t, --thread                (default: false)
   --proc, -P                             (default: false)
   --container, -c, --containers          (default: false)
   --help, -h                             show help (default: false)
Enter fullscreen mode Exit fullscreen mode

Let's try these out

For example I'm running a httpd container here.

podman run -d docker.io/httpd
Enter fullscreen mode Exit fullscreen mode

Now I want to see the processes run by that container.

xpid -c
Enter fullscreen mode Exit fullscreen mode

xpid containers image

I tried creating a hidden process, but I was not able to(I'm not that well versed with cybersec), if anyone knows how to create one I'd be happy to check that.

To check the running threads you can do xpid -t
xpid -t shows threads

To view eBPF programs you can use

xpid -b -v
INFO[0001] Query : 1-4194304
Enter fullscreen mode Exit fullscreen mode

Overall this is a pretty good tool to troubleshoot servers where things don't seem to be right.

This tool is opensource, the code is available on Github

Thank you for reading, happy hunting.

I love DevOps, and security stuff my Twitter Handle is @mediocredevops

Top comments (0)

Read next

proflead profile image

ChatGPT Search vs Perplexity AI – A Side-by-Side Comparison

Vladislav Guzey -

hexfloor profile image

More storage for media : organize files using ChatGPT

hexfloor -

ispmanager_com profile image

8 ways to scare the hell out of a system administrator

ispmanager.com -

tavocoder profile image

DNF Cheat Sheet

Gustavo Charalla -