
I am using Debian 9.13. Through ps -aux | grep NaughtyProcessName I can find information about a given process that interests me in the format:

user.name [ID] [CPU USAGE] [%MEM] VSZ RSS TTY STAT START TIME COMMAND

Where command shows something like:

path/to/interpreter ./file_name.cmd

So I suppose some user was inside a mysterious directory which had file_name.cmd inside it and spawned a process by doing ./file_name.cmd. The process uses the interpreter found in path/to/interpreter.

I want to know in which directory this file is. The only thing I know that I could try is

cd /
find -iname file_name.cmd

But that takes time and could find duplicates. Is there anything better and more straight to the point?

1 Answer

Given a process id <pid>, /proc/<pid>/cwd is a symlink to the working directory for that process. That is, if I run python ./example.py from ~/tmp/python, in ps I will see:

$ ps -f -p 118054
UID          PID    PPID  C STIME TTY          TIME CMD
lars      118054    6793  0 09:16 pts/1    00:00:00 python ./example.py

And in /proc/118054/cwd, I see:

$ ls -l /proc/118054/cwd
lrwxrwxrwx. 1 lars lars 0 Aug 31 09:16 /proc/118054/cwd -> /home/lars/tmp/python

So you can use that information to infer that ./example.py refers to /home/lars/tmp/python/example.py.


Note, however, that you cannot trust the information you see in the output of ps. Consider this simple C program:

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    pid_t pid = getpid();
    printf("pid %d\n", pid);

    /* Overwrite our own argv[0] in place: ps builds its CMD column from
     * /proc/<pid>/cmdline, which is backed by this very memory. */
    memset(argv[0], ' ', strlen(argv[0]));
    strcpy(argv[0], "ls");

    /* Stay alive long enough to be inspected with ps. */
    sleep(600);
    return 0;
}

If we run this:

$ ./example
pid 119217

And then look at ps:

$ ps -f -p 119217
UID          PID    PPID  C STIME TTY          TIME CMD
lars      119217    6793  0 09:25 pts/1    00:00:00 ls

It looks like we're running something completely innocuous.

larsks
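The answer above shows two things: /proc/<pid>/cwd tells you where a relative argument like ./file_name.cmd resolves, and the ps CMD column can be rewritten by the process itself (ps reads it from /proc/<pid>/cmdline, which is the process's own argv memory). The script below is an added example, not code from the question or the answer, that combines the two: it reads the kernel-maintained links (exe, cwd, the open file descriptors) alongside the process-controlled ones (cmdline, comm, which a process can also change with prctl), and resolves the script argument against cwd. Function names resolve_argv_path, proc_inspect and proc_script_path are my own; it assumes a Linux /proc and, for another user's process, that you run it as root (exe, cwd and fd are only readable with ptrace-level access).

```shell
#!/bin/sh
# Added example (not part of the original answer): look a process up in /proc
# instead of trusting the CMD column of ps.

# Resolve a path the way the process would: an absolute path stays as-is,
# anything else is joined to the process's working directory.
resolve_argv_path() {
    cwd=$1
    arg=$2
    case $arg in
        /*)  printf '%s\n' "$arg" ;;
        ./*) printf '%s/%s\n' "${cwd%/}" "${arg#./}" ;;
        *)   printf '%s/%s\n' "${cwd%/}" "$arg" ;;
    esac
}

# Print what the kernel knows about <pid>, separating the parts the process
# cannot forge (exe, cwd, fd) from the parts it controls (comm, cmdline).
proc_inspect() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    echo "exe  (kernel):  $(readlink "/proc/$pid/exe")"
    echo "cwd  (kernel):  $(readlink "/proc/$pid/cwd")"
    echo "comm (process): $(cat "/proc/$pid/comm")"
    echo "argv (process, from /proc/$pid/cmdline):"
    tr '\0' '\n' < "/proc/$pid/cmdline" | sed 's/^/  /'
    echo "open files (kernel; an interpreter often still has its script open):"
    for fd in /proc/"$pid"/fd/*; do
        [ -e "$fd" ] || continue
        echo "  ${fd##*/} -> $(readlink "$fd")"
    done
}

# Locate the script named as the second argv element (e.g. "./file_name.cmd")
# relative to the process's cwd. Prints the resolved path, or fails if the
# process has no such argument.
proc_script_path() {
    pid=$1
    cwd=$(readlink "/proc/$pid/cwd") || return 1
    arg=$(tr '\0' '\n' < "/proc/$pid/cmdline" | sed -n '2p')
    [ -n "$arg" ] || return 1
    resolve_argv_path "$cwd" "$arg"
}

# Usage: ./procwhere.sh <pid>
if [ -n "$1" ]; then
    proc_inspect "$1"
    echo "script: $(proc_script_path "$1" || echo '(no script argument)')"
fi
```

If the process has replaced its argv, as the C program in the answer does, cmdline (and therefore ps) will show "ls" while exe still points at the real binary and the fd list still shows what it has open; a deleted executable shows up as "... (deleted)" in the exe link. Treat cwd and exe as the evidence and argv only as a hint.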