Today, while browsing Twitter, I came across a tool which I found pretty amazing, and as a system admin (well, sort of) I find tools like these pretty amazing.
So what exactly is xpid?
Well, as the creator describes it, "It's nmap but for pids".
xpid supports the following:
USAGE:
xpid [flags] -o [output] <query>
Investigate pid 123 and write the report to out.txt
xpid 123 > out.txt
Find all container processes on a system
# Looks for /proc/[pid]/ns/cgroup != /proc/1/ns/cgroup
xpid -c <query>
Find all processes running with eBPF programs at runtime.
# Looks for /proc/[pid]/fdinfo and correlates to /sys/fs/bpf
xpid --ebpf <query>
Find all processes between specific values
xpid <flags> +100 # Search pids up to 100
xpid <flags> 100-2000 # Search pids between 100-2000
xpid <flags> 65000+ # Search pids 65000 or above
Find all "hidden" processes on a system
# Looks for chdir, opendir, and dent in /proc
xpid -x <query>
Find all possible pids on a system, and investigate each one (slow). The --all flag is default.
xpid > out.txt
Investigate all pids from 0 to 1000 and write the report to out.json
xpid -o json 0-1000 > out.json
The following flags are supported:
GLOBAL OPTIONS:
--verbose, -v (default: false)
--output value, -o value, --out value
--all, -A (default: false)
--fast, -f (default: true)
--probe, --bpf, --ebpf, -b (default: false)
--hidden, -x (default: false)
--threads, -t, --thread (default: false)
--proc, -P (default: false)
--container, -c, --containers (default: false)
--help, -h show help (default: false)
Let's try these out.
For example, I'm running an httpd container here.
podman run -d docker.io/httpd
Now I want to see the processes run by that container.
xpid -c
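The usage text above says the -c check compares each process's /proc/[pid]/ns/cgroup link with /proc/1/ns/cgroup. Here is that check written out as an added example in Python (my code, not xpid's); it walks a real /proc when one is present and otherwise a constructed, labelled stand-in so the logic can be exercised anywhere.

```python
"""Container-process detection as the xpid usage text describes it:
a PID whose cgroup namespace link differs from PID 1's is treated as a
container process. Example code, not xpid's own implementation."""
import os
import tempfile
from typing import List, Optional


def cgroup_ns(proc_root: str, pid: int) -> Optional[str]:
    """Return the namespace identity (e.g. 'cgroup:[4026531835]') behind
    <proc_root>/<pid>/ns/cgroup, or None if the process has exited or
    /proc denies the readlink (unprivileged caller, kernel thread, ...)."""
    try:
        return os.readlink(os.path.join(proc_root, str(pid), "ns", "cgroup"))
    except OSError:
        return None


def find_container_pids(proc_root: str = "/proc") -> List[int]:
    """List PIDs whose cgroup namespace is not the one PID 1 lives in."""
    host_ns = cgroup_ns(proc_root, 1)
    if host_ns is None:
        raise RuntimeError("cannot read %s/1/ns/cgroup (need root?)" % proc_root)
    found = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue  # skip /proc/self, /proc/sys, /proc/net, ...
        ns = cgroup_ns(proc_root, int(name))
        if ns is not None and ns != host_ns:
            found.append(int(name))
    return sorted(found)


def demo_on_fake_proc() -> List[int]:
    """Constructed /proc layout (not captured from a real host): PID 1 and
    200 share the host namespace, 300/301 sit in a second namespace, and
    400 has no readable link, as a vanished process would."""
    layout = {1: "cgroup:[4026531835]", 200: "cgroup:[4026531835]",
              300: "cgroup:[4026532500]", 301: "cgroup:[4026532500]"}
    with tempfile.TemporaryDirectory() as root:
        for pid, target in layout.items():
            os.makedirs(os.path.join(root, str(pid), "ns"))
            os.symlink(target, os.path.join(root, str(pid), "ns", "cgroup"))
        os.makedirs(os.path.join(root, "400", "ns"))
        os.makedirs(os.path.join(root, "sys"))
        return find_container_pids(root)


if __name__ == "__main__":
    print("fake /proc:", demo_on_fake_proc())
    if os.path.isdir("/proc/1/ns"):
        print("this host:", find_container_pids())
```

Two caveats worth knowing when reading xpid -c output: a container that was started without its own cgroup namespace (common on cgroup v1 setups) shares PID 1's link and will not be reported, and without root the readlink fails for other users' processes, so those are silently skipped.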
I tried creating a hidden process, but I was not able to (I'm not that well versed with cybersec); if anyone knows how to create one, I'd be happy to check that.
To check the running threads, you can run xpid -t.
To view eBPF programs, you can use:
xpid -b -v
INFO[0001] Query : 1-4194304
Overall, this is a pretty good tool for troubleshooting servers where things don't seem to be right.
This tool is open source; the code is available on GitHub.
Thank you for reading, happy hunting.
I love DevOps and security stuff; my Twitter handle is @mediocredevops.