pspy - process monitoring / cron job detection

I’ve seen multiple machines now that require you to “guess” some cron job that is hidden in root’s crontab. My respect to everyone who is clever enough to do this. Since I am not that gifted, I wrote a little tool to detect these things. Worked on shrek. Might be useful for other people as well, so here it is: GitHub - DominicBreuker/pspy: Monitor linux processes without root permissions

Basically it’s a little command line app that will scan /proc/ regularly to find processes (with their cmdline). To scan in the right moment, it sets up lots of inotify file system watchers all over the system. Most importantly it watches /usr, which many processes access on execution. Using the events as a trigger, it can catch many short-lived processes.

Once started, you will see most of the processes run on the system printed out on stdout, with PID, UID and cmdline. There is no guarantee though you don’t miss one.

Optionally, you can also print out the inotify events, which can give more information. But beware, there will be many.

The tool did work in my few experiments and also on Shrek, where is nicely finds the cron job. I would not say though it’s well tested :wink:

See this video for an example:
youtube_video

Very cool! Looking forward to trying this out!

Nice tool ! Thx !

Thank for this, well done

Hi, I also write a simple bash script to log process history, it’s simple but effect.

root@kali:~/pentest# wget pentest-script/ps_history.sh at master · xiaoxiaoleo/pentest-script · GitHub
root@kali:~/pentest# bash ps_history.sh
root@kali:~/pentest# cat ps_history

Cool. I was thinking about creating a similar tool but didn’t really get into it :+1:

How can i configure pspy? I tried with “make build-pspy32” and “make build-pspy64” but nothing happen.

just run it in the computer you want to monitor, have a look at the video :slight_smile:

Is there an actual step by step tutorial on how to build this? There’s not much information on git itself on how to build it.

@meni0n said:
Is there an actual step by step tutorial on how to build this? There’s not much information on git itself on how to build it.

You will first need to install docker, then clone the repo, cd into it and run:

  1. make build-build-image
  2. make build

You will find the four binaries in the bin directory in the cloned repo.

Great tool

Thanks, tried installing docker in Kali but no success. Have to troubleshoot that now…

on the release page, you can also just download the binaries: Releases · DominicBreuker/pspy · GitHub
should update the readme sometime…

man this tool is awesome. it was a bit tricky to get built. wish i had checked the releases!

This tool is GREAT !!!

Just used this tool today, great job. Thanks!

Yeah buddy…this is NICE!!

Works perfectly, great tool :slight_smile:

only way to make this run is just to have docker installed on the system ?

Can the binaries e.g. pspy64 from the releases link be run without Docker?

In answer to my own question - yes they can.