Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!usc!samsung!uunet!bria!mike
Newsgroups: comp.unix.questions
Subject: Re: command line shown by ps
Message-ID: <478@bria>
Date: 21 Feb 91 17:59:08 GMT
References:
Reply-To: uunet!bria!mike
Distribution: usa
Organization: MGI Group International, Los Angeles, CA
Lines: 27
Followup-To:
Keywords:

In an article, hammer.idsila.com!jockc (PRIV Account) writes:
>How can a process change or obscure the command line that
>ps (and other programs like w or whodo) show for it?
>
>This could obviously be desirable for security reasons, but also for
>informational purposes. For example, when a program forks a child
>process to do something, the child proc might want to change
>its "command line" (what ps shows, which by now probably has little
>meaning) to something more descriptive of what it's doing.

In a general sense, what you need to do is read the kernel namelist, get
the symbol value for _proc which is the offset into /dev/kmem. Read the
proc table, and determine if the process is in core or swapped; if it is
in core, read /dev/mem, otherwise read /dev/swap, seeking to the u block
for that process (the address of the u block is in the proc table).

Once you have the proc table entry and the u block for that process, you
can proceed to alter u_comm and/or u_psargs to your heart's content.

Obviously, you must be root to do these wonderful things. Further note
that your swap device is probably not called /dev/swap.

Cheers,
--
Michael Stefanik, MGI Inc., Los Angeles| Opinions stated are not even my own.
Title of the week: Systems Engineer    | UUCP: ...!uunet!bria!mike
-------------------------------------------------------------------------------
Remember folks: If you can't flame MS-DOS, then what _can_ you flame?