pspy is a command line tool designed to snoop on processes without needing root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs.
The tool gathers its info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to increase the chance of catching short-lived processes.
How it works
+ Several tools exist to list all processes executed on Linux systems, including those that have already finished. One is forkstat: it receives notifications from the kernel on process-related events such as fork and exec.
+ Unfortunately, that tool requires root privileges, so you cannot use it right away. However, nothing in general stops you from snooping on the processes running on the system. All data in /proc is visible as long as the process is running. The only problem is that you have to catch short-lived processes in the very short time span in which they are alive. Scanning the /proc directory for new PIDs in an infinite loop does the trick but consumes a lot of CPU.
+ A stealthier way is to use the following trick. Processes tend to access files such as libraries in /usr, temporary files in /tmp, log files in /var, … Without root permissions, you can get notifications whenever these files are touched. The API for this is called inotify. While we cannot monitor processes directly, we can monitor their interactions with the file system.
+ We can use the file system events as a trigger to scan /proc, hoping that we can do it fast enough to catch the processes. This is what pspy does. There is no guarantee you won't miss one, but chances seem to be good in my experiments. In general, the longer a process runs, the bigger the chance of catching it.
+ Besides reacting to the events, pspy also scans /proc every 100 ms, just to be sure. CPU usage seems to be quite low at this interval. Making the interval configurable is on the roadmap.
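The procfs side of the technique, reduced to its essentials, as an added example (this is not pspy's own code). It takes a snapshot of the numeric entries under /proc, polls again every 100 ms, and for every PID that is new reads /proc/<pid>/cmdline (NUL-separated argv) and the Uid line of /proc/<pid>/status. The inotify trigger is left out so the program stays portable; the parsing helpers are separated from the I/O so they can be exercised on constructed input. The type and function names are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Process holds what one scan of /proc/<pid> tells us about a process.
type Process struct {
	PID  int
	UID  int
	Argv []string
}

// parseCmdline splits the raw contents of /proc/<pid>/cmdline, where arguments are
// separated and terminated by NUL bytes, into argv. Kernel threads expose an empty
// cmdline and yield nil.
func parseCmdline(raw []byte) []string {
	raw = bytes.TrimRight(raw, "\x00")
	if len(raw) == 0 {
		return nil
	}
	return strings.Split(string(raw), "\x00")
}

// parseUID extracts the real UID from the "Uid:" line of /proc/<pid>/status. The line
// carries four values (real, effective, saved, filesystem); the first one is returned.
func parseUID(status string) (int, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "Uid:") {
			fields := strings.Fields(line)
			if len(fields) < 2 {
				return 0, fmt.Errorf("malformed Uid line: %q", line)
			}
			return strconv.Atoi(fields[1])
		}
	}
	return 0, fmt.Errorf("no Uid line in status")
}

// newPIDs reports the PIDs present in current but absent from previous, sorted ascending.
func newPIDs(previous, current map[int]bool) []int {
	var out []int
	for pid := range current {
		if !previous[pid] {
			out = append(out, pid)
		}
	}
	sort.Ints(out)
	return out
}

// listPIDs returns the numeric directory names under procRoot (normally /proc).
func listPIDs(procRoot string) (map[int]bool, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	pids := make(map[int]bool, len(entries))
	for _, e := range entries {
		if pid, err := strconv.Atoi(e.Name()); err == nil && e.IsDir() {
			pids[pid] = true
		}
	}
	return pids, nil
}

// readProcess reads cmdline and status for one PID. A short-lived process can exit
// between the directory listing and these reads, so errors are expected; callers skip the PID.
func readProcess(procRoot string, pid int) (Process, error) {
	dir := filepath.Join(procRoot, strconv.Itoa(pid))
	cmdline, err := os.ReadFile(filepath.Join(dir, "cmdline"))
	if err != nil {
		return Process{}, err
	}
	status, err := os.ReadFile(filepath.Join(dir, "status"))
	if err != nil {
		return Process{}, err
	}
	uid, err := parseUID(string(status))
	if err != nil {
		return Process{}, err
	}
	return Process{PID: pid, UID: uid, Argv: parseCmdline(cmdline)}, nil
}

func main() {
	// Poll /proc every 100 ms, the fixed interval described above, and print every PID
	// that was not present in the previous snapshot.
	const procRoot = "/proc"
	previous, err := listPIDs(procRoot)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read", procRoot+":", err)
		os.Exit(1)
	}
	for {
		time.Sleep(100 * time.Millisecond)
		current, err := listPIDs(procRoot)
		if err != nil {
			continue
		}
		for _, pid := range newPIDs(previous, current) {
			p, err := readProcess(procRoot, pid)
			if err != nil {
				continue // already gone: this is the race the text describes
			}
			fmt.Printf("%s UID=%d PID=%d %s\n", time.Now().Format("2006/01/02 15:04:05"),
				p.UID, p.PID, strings.Join(p.Argv, " "))
		}
		previous = current
	}
}
```

Run it on a Linux host as an unprivileged user and it prints processes started by any user, because /proc/<pid>/cmdline and /proc/<pid>/status are world-readable by default (unless /proc is mounted with hidepid). The number of processes it misses is exactly what pspy's inotify triggers are meant to reduce.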
Use and download:
git clone https://github.com/DominicBreuker/pspy && cd pspy
./pspy64 -pf -r /path/to/my/dir -d /path/to/my/other/dir
./pspy64 -p=false -f
Here -p prints commands (on by default), -f prints file system events, -r adds a directory tree to watch recursively with inotify, and -d adds a single directory to watch non-recursively.