# xpid

It's nmap, but for pids.

`xpid` gives a user the ability to "investigate" for process details on a Linux system.
For example, a sleeping thread will have a `/proc/[pid]` directory that can be navigated to, but not listed.

`xpid` checks many different places in the kernel for details about a pid.
By searching subsets of the possible pids, `xpid` checks each candidate pid for details in many places in the kernel.
## Usage

```
xpid [flags] -o [output] <query>
```

Investigate pid 123 and write the report to `out.txt`:

```bash
xpid 123 > out.txt
```

Find all container processes on a system:

```bash
# Looks for /proc/[pid]/ns/cgroup != /proc/1/ns/cgroup
xpid -c <query>
```

Find all processes running with eBPF programs at runtime:

```bash
# Looks for /proc/[pid]/fdinfo and correlates to /sys/fs/bpf
xpid --ebpf <query>
```

Find all processes between specific values:

```bash
xpid <flags> +100      # Search pids up to 100
xpid <flags> 100-2000  # Search pids between 100-2000
xpid <flags> 65000+    # Search pids 65000 or above
```

Find all "hidden" processes on a system:

```bash
# Looks for chdir, opendir, and dent in /proc
xpid -x <query>
```

Find all possible pids on a system and investigate each one (slow). The `--all` flag is the default:

```bash
xpid > out.txt
```

Investigate all pids from 0 to 1000 and write the report to `out.json`:

```bash
xpid -o json 0-1000 > out.json
```
## `xpid` will look up container processes at runtime

This works by reading the link in `/proc/[pid]/ns/cgroup` and correlating it back to the value in `/proc/1/ns/cgroup`.
Regardless of the pid namespace context, if there is a "container" that is unique from the current pid 1, `xpid` will find it.
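To make that comparison concrete, the Go program below is an added illustration written for this page; it is not part of xpid or libxpid. It reads the `ns/cgroup` symlink of pid 1 and of every pid `/proc` lists, parses the kernel's `<kind>:[<inode>]` link format, and reports the pids whose cgroup namespace inode differs from pid 1's. The function names (`parseNsLink`, `differentNamespace`, `isContainerProcess`) are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseNsLink splits the target of a /proc/[pid]/ns/* symlink, which the kernel
// formats as "<kind>:[<inode>]" (for example "cgroup:[4026531835]"), into the
// namespace kind and the inode number that identifies the namespace.
func parseNsLink(link string) (string, uint64, error) {
	kind, rest, ok := strings.Cut(link, ":[")
	if !ok || !strings.HasSuffix(rest, "]") {
		return "", 0, fmt.Errorf("unexpected ns link %q", link)
	}
	inode, err := strconv.ParseUint(strings.TrimSuffix(rest, "]"), 10, 64)
	if err != nil {
		return "", 0, fmt.Errorf("bad inode in ns link %q: %w", link, err)
	}
	return kind, inode, nil
}

// differentNamespace reports whether two ns link targets of the same kind name
// different namespaces. This is the comparison behind `xpid -c`:
// /proc/[pid]/ns/cgroup against /proc/1/ns/cgroup.
func differentNamespace(a, b string) (bool, error) {
	ka, ia, err := parseNsLink(a)
	if err != nil {
		return false, err
	}
	kb, ib, err := parseNsLink(b)
	if err != nil {
		return false, err
	}
	if ka != kb {
		return false, fmt.Errorf("namespace kinds differ: %q vs %q", ka, kb)
	}
	return ia != ib, nil
}

// readNsLink returns the raw symlink target of one namespace of one pid. The
// kernel demands ptrace-read permission on the target, so an unprivileged user
// gets EACCES for most processes that are not their own.
func readNsLink(pid int, ns string) (string, error) {
	return os.Readlink(fmt.Sprintf("/proc/%d/ns/%s", pid, ns))
}

// isContainerProcess compares pid's cgroup namespace with that of pid 1.
func isContainerProcess(pid int) (bool, error) {
	initLink, err := readNsLink(1, "cgroup")
	if err != nil {
		return false, err
	}
	pidLink, err := readNsLink(pid, "cgroup")
	if err != nil {
		return false, err
	}
	return differentNamespace(initLink, pidLink)
}

func main() {
	// Walk the pids that /proc lists and print those outside pid 1's cgroup namespace.
	entries, err := os.ReadDir("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue // not a pid directory
		}
		inContainer, err := isContainerProcess(pid)
		if err != nil {
			continue // permission denied, or the process exited mid-scan
		}
		if inContainer {
			fmt.Printf("pid %d: cgroup namespace differs from pid 1\n", pid)
		}
	}
}
```

Run it as root for a complete view, since reading `/proc/[pid]/ns/*` of another user's process requires ptrace-read permission on it. The check also depends on the container runtime having unshared the cgroup namespace: a container started in the host's cgroup namespace (Docker's `--cgroupns host` mode, for example) is indistinguishable from pid 1 by this test alone.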
## `xpid` will find pids that have eBPF programs loaded at runtime

This works by correlating the file descriptor info from `/proc/[pid]/fdinfo/*` back to `/sys/fs/bpf/progs.debug`.
If a pid has an eBPF program loaded, `xpid` will find it.
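To show what the fdinfo side of that correlation looks like, here is an added Go example written for this README (not taken from xpid or libxpid). It reads `/proc/[pid]/fdinfo/*` for every listed pid and picks out descriptors that hold a BPF program by the `prog_type:`, `prog_tag:` and `prog_id:` lines the kernel prints only for such descriptors. It stops at the fdinfo parse and does not read `/sys/fs/bpf/progs.debug`; the two fdinfo samples embedded in it are constructed, and the type and function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// BpfProgFd describes one file descriptor that refers to a loaded eBPF program.
type BpfProgFd struct {
	Fd       int
	ProgID   uint32
	ProgType uint32
	Tag      string
}

// Constructed samples of /proc/[pid]/fdinfo/N contents: the first mimics what the
// kernel prints for a descriptor holding a BPF program, the second a plain socket.
const sampleProgFdinfo = "pos:\t0\nflags:\t02000002\nmnt_id:\t15\nino:\t1031\n" +
	"prog_type:\t2\nprog_jited:\t1\nprog_tag:\ta04f5eef06a7f555\nmemlock:\t4096\nprog_id:\t12\n"
const sampleSocketFdinfo = "pos:\t0\nflags:\t02004002\nmnt_id:\t10\nino:\t22081\n"

// parseProgFdinfo parses one fdinfo file. The kernel emits "prog_type:",
// "prog_tag:" and "prog_id:" lines only for BPF program descriptors, so a
// "prog_id:" line is the signal; any other kind of fd returns ok=false.
func parseProgFdinfo(text string) (prog BpfProgFd, ok bool, err error) {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		key, val, found := strings.Cut(sc.Text(), ":")
		if !found {
			continue
		}
		val = strings.TrimSpace(val)
		switch key {
		case "prog_id":
			id, perr := strconv.ParseUint(val, 10, 32)
			if perr != nil {
				return prog, false, fmt.Errorf("bad prog_id %q: %w", val, perr)
			}
			prog.ProgID = uint32(id)
			ok = true
		case "prog_type":
			typ, perr := strconv.ParseUint(val, 10, 32)
			if perr != nil {
				return prog, false, fmt.Errorf("bad prog_type %q: %w", val, perr)
			}
			prog.ProgType = uint32(typ)
		case "prog_tag":
			prog.Tag = val
		}
	}
	return prog, ok, sc.Err()
}

// bpfProgsForPid reads every fdinfo entry of one pid and keeps the BPF programs.
// fdinfo of another user's process needs ptrace-read permission, so run as root
// for a complete picture.
func bpfProgsForPid(pid int) ([]BpfProgFd, error) {
	dir := fmt.Sprintf("/proc/%d/fdinfo", pid)
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var progs []BpfProgFd
	for _, e := range entries {
		fd, err := strconv.Atoi(e.Name())
		if err != nil {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			continue // the fd was closed between ReadDir and ReadFile
		}
		prog, ok, err := parseProgFdinfo(string(data))
		if err != nil || !ok {
			continue
		}
		prog.Fd = fd
		progs = append(progs, prog)
	}
	return progs, nil
}

func main() {
	entries, err := os.ReadDir("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue
		}
		progs, err := bpfProgsForPid(pid)
		if err != nil {
			continue // unreadable, or the process is gone
		}
		for _, p := range progs {
			fmt.Printf("pid %d fd %d: bpf prog id=%d type=%d tag=%s\n", pid, p.Fd, p.ProgID, p.ProgType, p.Tag)
		}
	}
}
```

The `prog_id` recovered here is the same identifier `bpftool prog show` reports, which is what lets a defender tie a process's open descriptor back to a specific loaded program; a program that is pinned or attached but whose loading process has already closed its fd will not show up in any fdinfo, which is why xpid also consults the bpf filesystem.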
## Hidden pids (`xpid -x`)

Because of the flexibility of kernel modules and eBPF in the kernel, it can be possible to prevent the proc(5) filesystem from listing pid details in traditional ways.
`xpid` uses a variety of tactics to search for pids, in the same way nmap uses different tactics to port scan a target.
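As an added example of the listing-versus-probing idea (written for this page; not xpid's or libxpid's code), the Go program below reads the pids `/proc` lists, then asks for `/proc/[pid]` directly for every pid in a range and reports those that answer but are absent from the listing. It also handles the thread case noted at the top of this README: a non-leader thread is reachable as `/proc/[tid]` but never listed, so it is excluded when its `Tgid` is listed, and it re-reads the listing so a process that started mid-scan is not misreported. The function names are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// listedPids returns the pids a directory listing of /proc reports. Code that
// filters directory entries (a module, or eBPF on getdents) removes pids from this view.
func listedPids() (map[int]bool, error) {
	entries, err := os.ReadDir("/proc")
	if err != nil {
		return nil, err
	}
	seen := make(map[int]bool, len(entries))
	for _, e := range entries {
		if pid, err := strconv.Atoi(e.Name()); err == nil {
			seen[pid] = true
		}
	}
	return seen, nil
}

// probePid asks for /proc/[pid] by name instead of enumerating /proc. The kernel
// resolves the lookup by pid, so an unlisted pid still answers: the idea behind
// xpid's chdir/opendir probes.
func probePid(pid int) bool {
	info, err := os.Stat(fmt.Sprintf("/proc/%d", pid))
	return err == nil && info.IsDir()
}

// parseTgid extracts the thread-group id from /proc/[pid]/status text.
func parseTgid(status string) (int, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "Tgid:") {
			return strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(line, "Tgid:")))
		}
	}
	return 0, fmt.Errorf("no Tgid line in status")
}

// hiddenPids is the pure comparison: a probed pid (mapped to its tgid) is hidden
// unless the listing shows it or its thread-group leader. Non-leader threads are
// reachable as /proc/[tid] but never listed, so they must not count as hidden.
func hiddenPids(listed map[int]bool, probed map[int]int) []int {
	var hidden []int
	for pid, tgid := range probed {
		if !listed[pid] && !listed[tgid] {
			hidden = append(hidden, pid)
		}
	}
	sort.Ints(hidden)
	return hidden
}

// scanRange probes every pid in [lo, hi] and returns those hidden from the listing.
func scanRange(lo, hi int) ([]int, error) {
	listed, err := listedPids()
	if err != nil {
		return nil, err
	}
	probed := make(map[int]int)
	for pid := lo; pid <= hi; pid++ {
		if !probePid(pid) {
			continue
		}
		probed[pid] = pid
		if data, err := os.ReadFile(fmt.Sprintf("/proc/%d/status", pid)); err == nil {
			if tgid, err := parseTgid(string(data)); err == nil {
				probed[pid] = tgid // a thread maps to its group leader
			}
		}
	}
	// A process that started after the first listing would look hidden. Re-list
	// and keep only candidates that are missing from both listings.
	recheck, err := listedPids()
	if err != nil {
		return nil, err
	}
	still := make(map[int]int)
	for _, pid := range hiddenPids(listed, probed) {
		still[pid] = probed[pid]
	}
	return hiddenPids(recheck, still), nil
}

func main() {
	hidden, err := scanRange(1, 65535) // a fixed range stands in for xpid's <query>
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("pids that answer a direct probe but are missing from the /proc listing:", hidden)
}
```

A pid that is reported here is worth a closer look with the other checks (`status`, `cmdline`, `exe`, the namespace links), since the only legitimate reason for a directly reachable pid to be absent from the listing is the thread case handled above.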
## Installing

`xpid` is a Go runtime utility that depends on `libxpid`.
Install `libxpid` first, and then compile the Go runtime.

```bash
git clone https://github.com/kris-nova/xpid.git
cd xpid
make
sudo make install
```
## libxpid

`libxpid` is written in C, as it leverages ptrace(2) and eBPF code directly.
This means that the `xpid` executable is NOT entirely statically linked.
You must have `libxpid` installed on your system before the `xpid` Go program will run.

```bash
git clone https://github.com/kris-nova/xpid.git
cd xpid/libxpid
./configure
cd build
make
sudo make install
```