Scans the processes running on a system for applications that use a given mapping (shared library, executable) or hold a given open file descriptor.
findProcessesUsing: Python project description
Scans every running application on the host to identify those that use a shared library, an executable, some other mapping, or an open file descriptor.
This application works on unix-derived systems (linux, bsd, cygwin, etc.). For example, you can use it to scan for processes that use a particular version of a shared library, or that run under a particular interpreter. It can print a summary view, or print every matching mapping.
It can also scan for open files (fully or partially qualified paths).
It can be combined with https://pypi.python.org/pypi/remote_copy_and_execute to audit software/library usage across many machines on a network.
You must be root to scan all running processes; otherwise only the processes running as the current user are scanned.
Usage
Usage: findProcessesUsing (options) [search portion]
Searches all running processes for those containing a given mapping, or an open file (with -f).
Mappings include running executables (like python), or a shared library, or a device.
Options:
Modes:
-m or --mappings Scan for mappings (default)
-c or --cwd Scan for cwd
-f or --files Scan for open files instead of mappings. This should not be a symbolic link.
Modifiers:
-v or --verbose Also print mapping lines containing the given pattern, or matched filenames when given -f.
-e or --exact Require exact match. Default is to allow partial matches
-p or --pids-only Only print pids, one per line
-i or --ignore-case Search case-insensitively. By default, case must be an exact match.
--version Print the version
-h or --help Display this message and quit
Note: multiple modes may be specified.
Examples:
findProcessesUsing libpython2.7 ; Scan for processes linked against anything containing "libpython2.7"
findProcessesUsing -f /var/lib/data.db ; Scan for any process holding an open handle to "/var/lib/data.db"
findProcessesUsing -f -c /mnt/otherdrive ; Scan for any process with a CWD or an open file within "/mnt/otherdrive"
It is recommended to run this as root, otherwise only your own processes can be scanned.
Example usage
Scan for mappings of libc
]$ sudo findProcessesUsing libc | head -n 20 | tail -n5
Found libc in 803 (john) [ -bash ]
Found libc in 1060 (john) [ /usr/lib/tracker/tracker-extract ]
Found libc in 1062 (www) [ /usr/bin/httpd ]
Found libc in 808 (frankl) [ /bin/sh /usr/bin/startx ]
Found libc in 1065 (frankl) [ /usr/lib/tracker/tracker-miner-user-guides ]
Scan for any CWD or open file within "/mnt/otherdrive"
]$ sudo findProcessesUsing -f -c /mnt/otherdrive
Found /mnt/otherdrive {cwd=/mnt/otherdrive} in 2927 (tim) [ -/bin/bash ]
Found /mnt/otherdrive {cwd=/mnt/otherdrive} in 3943 (root) [ bash ]
Found /mnt/otherdrive {fd=3} in 19636 (root) [ vim z ]
Found /mnt/otherdrive {cwd=/mnt/otherdrive} in 19636 (root) [ vim z ]
Scan for open file descriptors on a pty
]$ ./findProcessesUsing -f -v pty
Found pty {fd=0,1,2,31} in 2384 (user1) [ /bin/bash ]
    0 = "/dev/pty1"
    1 = "/dev/pty1"
    2 = "/dev/pty1"
    31 = "/dev/pty1"
Found pty {fd=3} in 5732 (user1) [ screen ]
    3 = "/dev/pty0"
Found pty {fd=0,1,2} in 6184 (user1) [ screen ]
    0 = "/dev/pty0"
    1 = "/dev/pty0"
    2 = "/dev/pty0"
Found pty {fd=0,1,2} in 5772 (user1) [ python ]
    0 = "/dev/pty2"
    1 = "/dev/pty2"
    2 = "/dev/pty2"
Found pty {fd=0,1,2,31} in 6672 (user1) [ -bash ]
    0 = "/dev/pty0"
    1 = "/dev/pty0"
    2 = "/dev/pty0"
    31 = "/dev/pty0"
Found pty {fd=0,1,2,31} in 6072 (user1) [ /bin/bash ]
    0 = "/dev/pty3"
    1 = "/dev/pty3"
    2 = "/dev/pty3"
    31 = "/dev/pty3"
Found pty {fd=0,1,2,31} in 4796 (user1) [ /bin/bash ]
    0 = "/dev/pty2"
    1 = "/dev/pty2"
    2 = "/dev/pty2"
    31 = "/dev/pty2"
Library
findProcessesUsing is a front-end to the Python library ProcessMappingScanner. If you want the findProcessesUsing functionality inside your own application, consider using that library directly rather than parsing the output of findProcessesUsing.