void update_display(void)
{
char start[9], *utime;
struct tm *ltime;
time_t now;
run *rptr;
proc *pptr;
int index, row, col, y, x;
now = time(NULL);
mvprintw(0, 2, "Active Jobs: %2d/%2d", ac, sc);
mvprintw(0, 28, "%s", ctime(&now));
getmaxyx(stdscr, row, col);
mvaddstr(2, 3, "START PID ST CPU COMMAND");
for (index=0, y=3; index<rc; index++) {
if (row-y <= rc-index && rptr->stage == STAGE_DONE)
continue;
rptr = runs+index;
pptr = &(rptr->pc);
if (rptr->stage == STAGE_ISSUE) {
pptr->state = '!';
proc_stat(rptr->run_pid, pptr);
attron(A_REVERSE);
}
if (rptr->stage == STAGE_ATTN)
attron(A_BLINK);
move(y++, 0);
if (rptr->stage != STAGE_FETCH) {
utime = time_string(pptr->utime);
ltime = localtime(&(pptr->start_time));
strftime(start, sizeof (start), "%T", ltime);
printw("%s %5d ", start, rptr->run_pid);
if (rptr->stage == STAGE_ISSUE)
printw(" %c %s ", pptr->state, utime);
else
printw("%3d %s ", rptr->status, utime);
}
else {
addstr(" - - ");
addstr(" - ");
}
addnstr(rptr->cmd.buffer, col-27);
for (x=27+strlen(rptr->cmd.buffer); x<col; x++)
addch(' ');
attroff(A_REVERSE);
attroff(A_BLINK);
}
move(0, col-1);
refresh();
}
int main(int argc, char **argv)
{
proc_t ps;
pid_t pid = (argc == 2 ? atoi(argv[1]) : getpid());
if (proc_stat(pid, &ps) != 0) {
printf("proc_stat(%u) failed: %m", pid);
exit(1);
}
printf("pid %u; ppid %u; state %c; uid %u/%u; gid %u/%u\n",
ps.pid, ps.ppid, ps.state, ps.uid, ps.euid, ps.gid, ps.egid);
exit(0);
}
// return current memory usage in bytes
size_t get_memory_usage_now()
{
size_t memory = 0;
#if defined(__APPLE__)
struct task_basic_info t_info;
mach_msg_type_number_t t_info_count = TASK_BASIC_INFO_COUNT;
if (KERN_SUCCESS != task_info(mach_task_self(),
TASK_BASIC_INFO,
reinterpret_cast<task_info_t>(&t_info),
&t_info_count))
{
return 0;
}
memory = t_info.resident_size;
#elif defined(__LIBCATAMOUNT__) && defined(REDSTORM_HEAP_INFO)
size_t frags;
unsigned long total_free, largest_free, total_used;
heap_info( &frags, &total_free, &largest_free, &total_used );
memory = total_used * 1024;
#elif defined(BGQ_LWK)
uint64_t heap;
Kernel_GetMemorySize(KERNEL_MEMSIZE_HEAP, &heap);
memory = heap;
#elif defined(PROCFS)
unsigned long rss_pages = 0;
// Read memory size data from /proc/pid/stat
// see "man proc" for details.
std::ifstream proc_stat("/proc/self/stat");
if (proc_stat)
{
std::string buf;
proc_stat
>> buf >> buf >> buf >> buf >> buf
>> buf >> buf >> buf >> buf >> buf
>> buf >> buf >> buf >> buf >> buf
>> buf >> buf >> buf >> buf >> buf
>> buf >> buf >> buf
>> rss_pages;
proc_stat.close();
}
memory = rss_pages * sysconf( _SC_PAGESIZE);
#endif
/* Success */
return memory;
}
void proc_parser(t_proc *proc, char *path, t_task *task, t_taupe *t)
{
(task->overall)++;
proc_status(proc, path, task);
proc_stat(proc, path, t->old);
proc_statm(proc, path, t->mem);
if (proc->status == 'S')
(task->sleep)++;
else if (proc->status == 'R')
(task->run)++;
else if (proc->status == 'Z')
(task->zombie)++;
else if (proc->status == 'T')
(task->stop)++;
}
/* Compute percent utilization.
* Initialize usage and total to zero, and first call will return percent
* cpu utilization since boot. Subsequent calls will return percent cpu
* utilization since last call.
*/
int
proc_stat2 (pctx_t ctx, uint64_t *usagep, uint64_t *totalp, double *pctp)
{
uint64_t usr, nice, sys, idle, iowait, irq, softirq;
uint64_t usage, ousage = usagep ? *usagep : 0;
uint64_t total, ototal = totalp ? *totalp : 0;
if (proc_stat (ctx, &usr, &nice, &sys, &idle, &iowait, &irq, &softirq) < 0)
return -1;
usage = usr + nice + sys + irq + softirq;
total = usr + nice + sys + idle + iowait + irq + softirq;
if (pctp) {
if (total - ototal > 0)
*pctp = (double)(usage - ousage) / (total - ototal) * 100.0;
else
*pctp = 0;
}
if (usagep)
*usagep = usage;
if (totalp)
*totalp = total;
return 0;
}
/** void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
* Check all the available PIDs for hidden stuff.
*/
void loop_all_pids(char *ps, pid_t max_pid, int *_errors, int *_total)
{
int _kill0 = 0;
int _kill1 = 0;
int _gsid0 = 0;
int _gsid1 = 0;
int _gpid0 = 0;
int _gpid1 = 0;
int _ps0 = -1;
int _proc_stat = 0;
int _proc_read = 0;
int _proc_chdir = 0;
pid_t i = 1;
pid_t my_pid;
char command[OS_SIZE_1024 +1];
my_pid = getpid();
for(;;i++)
{
if((i <= 0)||(i > max_pid))
break;
(*_total)++;
_kill0 = 0;
_kill1 = 0;
_gsid0 = 0;
_gsid1 = 0;
_gpid0 = 0;
_gpid1 = 0;
_ps0 = -1;
_proc_stat = 0;
_proc_read = 0;
_proc_chdir = 0;
/* kill test */
if(!((kill(i, 0) == -1)&&(errno == ESRCH)))
{
_kill0 = 1;
}
/* getsid to test */
if(!((getsid(i) == -1)&&(errno == ESRCH)))
{
_gsid0 = 1;
}
/* getpgid test */
if(!((getpgid(i) == -1)&&(errno == ESRCH)))
{
_gpid0 = 1;
}
/* proc stat */
_proc_stat = proc_stat(i);
/* proc readdir */
_proc_read = proc_read(i);
/* proc chdir */
_proc_chdir = proc_chdir(i);
/* IF PID does not exist, keep going */
if(!_kill0 && !_gsid0 && !_gpid0 &&
!_proc_stat && !_proc_read && !_proc_chdir)
{
continue;
}
/* We do not need to look at our own pid */
else if(i == my_pid)
{
continue;
}
/* Checking the number of errors */
if((*_errors) > 15)
{
char op_msg[OS_SIZE_1024 +1];
snprintf(op_msg,OS_SIZE_1024,"Excessive number of hidden processes"
". It maybe a false-positive or "
"something really bad is going on.");
notify_rk(ALERT_SYSTEM_CRIT, op_msg);
return;
}
/* checking if process appears on ps */
if(*ps)
{
snprintf(command, OS_SIZE_1024, "%s -p %d > /dev/null 2>&1",
ps,
(int)i);
/* Found PID on ps */
_ps0 = 0;
if(system(command) == 0)
_ps0 = 1;
}
/* If we are being run by the ossec hids, sleep here (no rush) */
#ifdef OSSECHIDS
sleep(2);
#endif
/* Everyone returned ok */
if(_ps0 && _kill0 && _gsid0 && _gpid0 && _proc_stat && _proc_read)
{
continue;
}
/* If our kill or getsid system call, got the
* PID , but ps didn't, we need to find if it was a problem
* with a PID being deleted (not used anymore)
*/
{
if(!((getsid(i) == -1)&&(errno == ESRCH)))
{
_gsid1 = 1;
}
if(!((kill(i, 0) == -1)&&(errno == ESRCH)))
{
_kill1 = 1;
}
if(!((getpgid(i) == -1)&&(errno == ESRCH)))
{
_gpid1 = 1;
}
_proc_stat = proc_stat(i);
_proc_read = proc_read(i);
_proc_chdir = proc_chdir(i);
/* If it matches, process was terminated */
if(!_gsid1 &&!_kill1 &&!_gpid1 &&!_proc_stat &&
!_proc_read &&!_proc_chdir)
{
continue;
}
}
#ifdef AIX
/* Ignoring AIX wait and sched programs. */
if((_gsid0 == _gsid1) &&
(_kill0 == _kill1) &&
(_gpid0 == _gpid1) &&
(_ps0 == 1) &&
(_gsid0 == 1) &&
(_kill0 == 0))
{
/* The wait and sched programs do not respond to kill 0.
* So, if everything else finds it, including ps, getpid, getsid,
* but not
* kill, we can safely ignore on AIX.
* A malicious program would specially try to hide from ps..
*/
continue;
}
#endif
if((_gsid0 == _gsid1)&&
(_kill0 == _kill1)&&
(_gsid0 != _kill0))
{
/* If kill found, but getsid and getpgid didnt', it may
* be a defunct process -- ignore.
*/
if(!((_kill0 == 1)&&(_gsid0 == 0)&&(_gpid0 == 0)&&(_gsid1 == 0)))
{
char op_msg[OS_SIZE_1024 +1];
snprintf(op_msg, OS_SIZE_1024, "Process '%d' hidden from "
"kill (%d) or getsid (%d). Possible kernel-level"
" rootkit.", (int)i, _kill0, _gsid0);
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
(*_errors)++;
}
}
else if((_kill1 != _gsid1)||
(_gpid1 != _kill1)||
(_gpid1 != _gsid1))
{
/* See defunct process comment above. */
if(!((_kill1 == 1)&&(_gsid1 == 0)&&(_gpid0 == 0)&&(_gsid1 == 0)))
{
char op_msg[OS_SIZE_1024 +1];
snprintf(op_msg, OS_SIZE_1024, "Process '%d' hidden from "
"kill (%d), getsid (%d) or getpgid. Possible "
"kernel-level rootkit.", (int)i, _kill1, _gsid1);
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
(*_errors)++;
}
}
else if((_proc_read != _proc_stat)||
(_proc_read != _proc_chdir)||
(_proc_stat != _kill1))
{
/* checking if the pid is a thread (not showing on proc */
if(!noproc && !check_rc_readproc((int)i))
{
char op_msg[OS_SIZE_1024 +1];
snprintf(op_msg, OS_SIZE_1024, "Process '%d' hidden from "
"/proc. Possible kernel level rootkit.", (int)i);
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
(*_errors)++;
}
}
else if(_gsid1 && _kill1 && !_ps0)
{
/* checking if the pid is a thread (not showing on ps */
if(!check_rc_readproc((int)i))
{
char op_msg[OS_SIZE_1024 +1];
snprintf(op_msg, OS_SIZE_1024, "Process '%d' hidden from "
"ps. Possible trojaned version installed.",
(int)i);
notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
(*_errors)++;
}
}
}
}