Today while browsing Twitter I came across a tool which I found pretty amazing, and as a system admin (well, sort of) I find tools like this very useful.
Well, as the creator describes it, "It's nmap but for pids".
xpid supports the following:
```
USAGE: xpid [flags] -o [output] <query>

Investigate pid 123 and write the report to out.txt
    xpid 123 > out.txt

Find all container processes on a system
    # Looks for /proc/[pid]/ns/cgroup != /proc/1/ns/cgroup
    xpid -c <query>

Find all processes running with eBPF programs at runtime.
    # Looks for /proc/[pid]/fdinfo and correlates to /sys/fs/bpf
    xpid --ebpf <query>

Find all processes between specific values
    xpid <flags> +100         # Search pids up to 100
    xpid <flags> 100-2000     # Search pids between 100-2000
    xpid <flags> 65000+       # Search pids 65000 or above

Find all "hidden" processes on a system
    # Looks for chdir, opendir, and dent in /proc
    xpid -x <query>

Find all possible pids on a system, and investigate each one (slow). The --all flag is default.
    xpid > out.txt

Investigate all pids from 0 to 1000 and write the report to out.json
    xpid -o json 0-1000 > out.json
```
The following flags are supported:
```
GLOBAL OPTIONS:
   --verbose, -v                           (default: false)
   --output value, -o value, --out value
   --all, -A                               (default: false)
   --fast, -f                              (default: true)
   --probe, --bpf, --ebpf, -b              (default: false)
   --hidden, -x                            (default: false)
   --threads, -t, --thread                 (default: false)
   --proc, -P                              (default: false)
   --container, -c, --containers           (default: false)
   --help, -h                              show help (default: false)
```
For example, I'm running an httpd container here:
```
podman run -d docker.io/httpd
```
Now I want to see the processes run by that container.
I tried creating a hidden process, but I was not able to (I'm not that well versed in cybersec). If anyone knows how to create one, I'd be happy to check that.
To view eBPF programs you can use:
```
xpid -b -v
INFO Query : 1-4194304
```
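To make the three /proc heuristics quoted in the usage text concrete (container detection by comparing `/proc/[pid]/ns/cgroup` against pid 1, hidden-process detection by comparing a readdir of `/proc` against direct lookups, and eBPF detection by reading `/proc/[pid]/fdinfo`), here is an added Python script that implements each of them. It is my own illustration, not code from xpid or its author. Each check takes its filesystem accessor as a parameter, so the same logic runs against the real `/proc` by default or against the constructed sample `/proc` embedded in the script. The eBPF check relies on the kernel listing a `prog_id:` or `map_id:` line in the fdinfo of a BPF fd and skips the `/sys/fs/bpf` correlation that xpid's help text mentions; the `1-4194304` range in the `-v` output above is the kernel's default `pid_max`, which the script reads from `/proc/sys/kernel/pid_max` when run live.

```python
import os
from typing import Callable, Iterable, List


def listed_pids(listdir: Callable[[str], List[str]] = os.listdir) -> List[int]:
    """Pids that a plain readdir of /proc reveals (what ps and top see)."""
    return sorted(int(name) for name in listdir("/proc") if name.isdigit())


def container_pids(pids: Iterable[int],
                   readlink: Callable[[str], str] = os.readlink) -> List[int]:
    """Pids whose cgroup namespace link differs from pid 1's (the xpid -c heuristic)."""
    try:
        host_ns = readlink("/proc/1/ns/cgroup")
    except OSError:
        return []  # no permission to inspect pid 1, so nothing to compare against
    found = []
    for pid in pids:
        try:
            if readlink(f"/proc/{pid}/ns/cgroup") != host_ns:
                found.append(pid)
        except OSError:
            continue  # process exited, or we lack ptrace access to it
    return found


def hidden_pids(visible: Iterable[int], pid_max: int,
                exists: Callable[[str], bool] = os.path.exists) -> List[int]:
    """Pids absent from readdir(/proc) whose /proc/[pid] still answers a direct lookup.
    Filtering directory entries does not remove the directory itself, which is the gap
    the xpid -x check ("chdir, opendir, and dent in /proc") looks through."""
    seen = set(visible)
    return [pid for pid in range(1, pid_max + 1)
            if pid not in seen and exists(f"/proc/{pid}")]


def _read_text(path: str) -> str:
    with open(path) as fh:
        return fh.read()


def ebpf_pids(pids: Iterable[int],
              listdir: Callable[[str], List[str]] = os.listdir,
              read_text: Callable[[str], str] = _read_text) -> List[int]:
    """Pids holding a BPF program or map fd: the kernel's fdinfo for such an fd
    carries a prog_id: or map_id: line (no /sys/fs/bpf correlation here)."""
    found = []
    for pid in pids:
        try:
            fds = listdir(f"/proc/{pid}/fdinfo")
        except OSError:
            continue  # process gone or not ours to inspect
        for fd in fds:
            try:
                info = read_text(f"/proc/{pid}/fdinfo/{fd}")
            except OSError:
                continue  # fd closed between listdir and read
            if any(line.startswith(("prog_id:", "map_id:")) for line in info.splitlines()):
                found.append(pid)
                break
    return found


# Constructed sample /proc (not captured from a real host): pid 4321 lives in a
# separate cgroup namespace, pid 777 is missing from readdir but still exists as a
# directory, and pid 200 holds a BPF program fd.
SAMPLE_LISTING = {"/proc": ["1", "200", "4321", "self", "cpuinfo"],
                  "/proc/1/fdinfo": ["0"],
                  "/proc/200/fdinfo": ["5"],
                  "/proc/4321/fdinfo": ["0"]}
SAMPLE_LINKS = {"/proc/1/ns/cgroup": "cgroup:[4026531835]",
                "/proc/200/ns/cgroup": "cgroup:[4026531835]",
                "/proc/4321/ns/cgroup": "cgroup:[4026532719]"}
SAMPLE_DIRS = {"/proc/1", "/proc/200", "/proc/4321", "/proc/777"}
SAMPLE_FDINFO = {"/proc/1/fdinfo/0": "pos:\t0\nflags:\t02\n",
                 "/proc/4321/fdinfo/0": "pos:\t0\nflags:\t02\n",
                 "/proc/200/fdinfo/5": "pos:\t0\nflags:\t02000002\nprog_type:\t2\nprog_id:\t17\n"}


def _lookup(table: dict) -> Callable[[str], object]:
    """Turn a dict into an accessor that raises OSError like the real /proc calls do."""
    def get(path: str):
        if path in table:
            return table[path]
        raise OSError(path)
    return get


def demo() -> dict:
    """Run all three checks against the constructed sample."""
    visible = listed_pids(_lookup(SAMPLE_LISTING))
    return {"containers": container_pids(visible, _lookup(SAMPLE_LINKS)),
            "hidden": hidden_pids(visible, 1000, SAMPLE_DIRS.__contains__),
            "ebpf": ebpf_pids(visible, _lookup(SAMPLE_LISTING), _lookup(SAMPLE_FDINFO))}


if __name__ == "__main__":
    print("sample:", demo())
    live = listed_pids()
    print("live containers:", container_pids(live))
    print("live hidden:", hidden_pids(live, int(_read_text("/proc/sys/kernel/pid_max"))))
    print("live ebpf:", ebpf_pids(live))
```

Run it as an unprivileged user and the live container and eBPF checks will come back mostly empty: reading another process's `ns/cgroup` link or `fdinfo` requires ptrace access, which is why xpid is normally run as root. The hidden-process scan needs no privilege, since `stat` on `/proc/[pid]` succeeds for any existing pid.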
Overall this is a pretty good tool for troubleshooting servers where things don't seem to be right.
This tool is open source; the code is available on GitHub.
Thank you for reading, happy hunting.
I love DevOps and security stuff. My Twitter handle is @mediocredevops