Hunting hidden PIDs, eBPF and much more using xpid

Leon Nunes - Apr 30 '22 - Dev Community

Today while browsing Twitter I came across a tool which I found pretty amazing, and as a system admin (well, sort of) I find tools like these pretty useful.

So what exactly is xpid?

Well, as the creator describes it, "It's nmap but for pids".

xpid supports the following:

```text
USAGE:
   xpid [flags] -o [output] <query>

   Investigate pid 123 and write the report to out.txt
     xpid 123 > out.txt

   Find all container processes on a system
     # Looks for /proc/[pid]/ns/cgroup != /proc/1/ns/cgroup
     xpid -c <query>

   Find all processes running with eBPF programs at runtime.
     # Looks for /proc/[pid]/fdinfo and correlates to /sys/fs/bpf
     xpid --ebpf <query>

   Find all processes between specific values
     xpid <flags> +100      # Search pids up to 100
     xpid <flags> 100-2000  # Search pids between 100-2000
     xpid <flags> 65000+    # Search pids 65000 or above

   Find all "hidden" processes on a system
     # Looks for chdir, opendir, and dent in /proc
     xpid -x <query>

   Find all possible pids on a system, and investigate each one (slow). The --all flag is default.
     xpid > out.txt

   Investigate all pids from 0 to 1000 and write the report to out.json
     xpid -o json 0-1000 > out.json
```
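To make the three checks in the usage text concrete (the container check comparing `/proc/[pid]/ns/cgroup` against pid 1, the "hidden" check that looks for pids reachable in `/proc` but missing from its directory listing, and the eBPF check that reads `/proc/[pid]/fdinfo`), here is an added Python example. It is not xpid's own code, and it makes two assumptions: it uses `os.stat` on `/proc/[pid]` in place of the `chdir`/`opendir` probes xpid mentions, and it recognises BPF objects by the `prog_id`/`map_id` lines the kernel exposes in `fdinfo` rather than by correlating with `/sys/fs/bpf`. The decision logic is kept separate from the `/proc` readers so it can run on the constructed sample data below on any platform.

```python
# Added example, not xpid's own code: re-implements the three /proc checks the
# usage text describes (container, hidden, eBPF), with the decision logic kept
# separate from the /proc readers so it can run on constructed sample data.
# Assumes a Linux /proc layout; PID_MAX is the upper bound of xpid's default query.
import os
import re
from typing import Dict, Iterable, List, Set

PID_MAX = 4194304


def container_pids(ns_links: Dict[int, str], init_ns: str) -> List[int]:
    """Container check: a pid whose cgroup namespace link differs from pid 1's."""
    return sorted(pid for pid, link in ns_links.items() if link != init_ns)


def read_ns_links(ns: str = "cgroup") -> Dict[int, str]:
    """Read /proc/[pid]/ns/<ns> for every numeric entry in /proc."""
    links: Dict[int, str] = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                links[int(name)] = os.readlink(f"/proc/{name}/ns/{ns}")
            except OSError:
                pass  # process exited, or we lack permission to read the link
    return links


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> List[int]:
    """Hidden check: pids reachable by direct path but absent from a readdir of /proc."""
    return sorted(set(probed) - set(listed))


def listed_pids() -> Set[int]:
    """What a plain readdir of /proc reports (the view a hiding rootkit would filter)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probe_pids(lo: int = 1, hi: int = PID_MAX) -> Set[int]:
    """Stat /proc/[pid] for every pid in range, bypassing the directory listing.
    Assumption: stat stands in for the chdir/opendir probes xpid describes."""
    found: Set[int] = set()
    for pid in range(lo, hi + 1):
        try:
            os.stat(f"/proc/{pid}")
            found.add(pid)
        except OSError:
            continue
    return found


# Fields the kernel writes into fdinfo for fds that refer to BPF programs or maps.
_BPF_FIELD = re.compile(r"^(prog_id|map_id|prog_type|map_type):\s*(\S+)", re.M)


def bpf_objects_in_fdinfo(fdinfo_text: str) -> Dict[str, str]:
    """eBPF check: parse the prog_*/map_* identifiers out of one fdinfo file."""
    return dict(_BPF_FIELD.findall(fdinfo_text))


def bpf_pids(fdinfo_by_pid: Dict[int, List[str]]) -> Dict[int, List[Dict[str, str]]]:
    """Pids holding at least one BPF object fd, with the parsed identifiers."""
    hits: Dict[int, List[Dict[str, str]]] = {}
    for pid, texts in fdinfo_by_pid.items():
        objs = [o for o in map(bpf_objects_in_fdinfo, texts) if o]
        if objs:
            hits[pid] = objs
    return hits


def read_fdinfo(pid: int) -> List[str]:
    """Read every /proc/[pid]/fdinfo/<fd> for one pid."""
    out: List[str] = []
    d = f"/proc/{pid}/fdinfo"
    try:
        for fd in os.listdir(d):
            with open(os.path.join(d, fd)) as f:
                out.append(f.read())
    except OSError:
        pass
    return out


# Constructed sample data (not captured from a real host).
SAMPLE_NS = {1: "cgroup:[4026531835]", 2: "cgroup:[4026531835]", 1234: "cgroup:[4026532542]"}
SAMPLE_LISTED = {1, 2, 1234}
SAMPLE_PROBED = {1, 2, 1234, 4096}  # 4096 answers to stat but is missing from readdir
SAMPLE_FDINFO = {
    1234: ["pos:\t0\nflags:\t02000002\nmnt_id:\t15\n"],
    777: ["pos:\t0\nflags:\t02000002\nmnt_id:\t15\nprog_type:\t2\n"
          "prog_jited:\t1\nprog_tag:\tdeadbeef\nmemlock:\t4096\nprog_id:\t42\n"],
}

if __name__ == "__main__":
    print("containers:", container_pids(SAMPLE_NS, SAMPLE_NS[1]))  # [1234]
    print("hidden:", hidden_pids(SAMPLE_LISTED, SAMPLE_PROBED))    # [4096]
    print("ebpf:", bpf_pids(SAMPLE_FDINFO))  # {777: [{'prog_type': '2', 'prog_id': '42'}]}
    if os.path.isdir("/proc/1/ns"):  # live scan of the local host, Linux only
        links = read_ns_links()
        if 1 in links:  # reading pid 1's ns link usually needs root
            print("live containers:", container_pids(links, links[1]))
        candidates = hidden_pids(listed_pids(), probe_pids(1, 65535))
        # re-check against a fresh listing so pids that started mid-scan are not reported
        print("live hidden:", [p for p in candidates if p not in listed_pids()])
```

Two caveats for a live run: reading another user's `/proc/[pid]/ns/*` links needs ptrace-level access, so the container check is only meaningful as root, and the hidden check is racy by nature (a process that starts between the readdir and the probe looks hidden), which is why the live branch re-lists `/proc` before reporting a candidate.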

The following flags are supported:

```text
GLOBAL OPTIONS:
   --verbose, -v                          (default: false)
   --output value, -o value, --out value
   --all, -A                              (default: false)
   --fast, -f                             (default: true)
   --probe, --bpf, --ebpf, -b             (default: false)
   --hidden, -x                           (default: false)
   --threads, -t, --thread                (default: false)
   --proc, -P                             (default: false)
   --container, -c, --containers          (default: false)
   --help, -h                             show help (default: false)
```

Let's try these out.

For example, I'm running an httpd container here.

```shell
podman run -d docker.io/httpd
```

Now I want to see the processes run by that container.

```shell
xpid -c
```

(Screenshot: xpid container output)

I tried creating a hidden process, but I was not able to (I'm not that well versed with cybersec). If anyone knows how to create one, I'd be happy to check that.

To check the running threads you can run `xpid -t`.

(Screenshot: xpid -t showing threads)

To view eBPF programs you can use:

```shell
xpid -b -v
INFO[0001] Query : 1-4194304
```

Overall, this is a pretty good tool for troubleshooting servers where things don't seem right.

This tool is open source; the code is available on GitHub.

Thank you for reading, happy hunting.

I love DevOps and security stuff; my Twitter handle is @mediocredevops.
