I recently noticed that when a shell script that has been compiled into a binary is executed, running ps -ef | grep <some string from the script> prints the entire command line on the console, something like:
kevin ~ # ps -Aelf|grep md5
0 S root 3664 3505 0 80 0 - 665 - 16:31 pts/0 00:00:00 ./rc -c #!/bin/sh??export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin??md5file=/usr/share/i18n/charmaps/IBM867.gz??gameover() {? echo -e "\nSorry, this product has expired (Code: $1), Please purchase it. Thanks ! \n"? sleep 60? shutdown -r now??while : ; do???sleep 3600??done?}??echo
But only about 4k of it is normally shown. After looking into it, I believe this is because the kernel limits the size of the process command-line listing, but I cannot find where that size is adjusted.
I hope someone with experience in this area will analyse and dig into it together with me!
static int proc_pid_cmdline(struct task_struct *task, char * buffer)
{
	int res = 0;
	unsigned int len;
	struct mm_struct *mm = get_task_mm(task);
	if (!mm)
		goto out;
	if (!mm->arg_end)
		goto out_mm;	/* Shh! No looking before we're done */

	/* Copy the argument area [arg_start, arg_end), but never more than one page. */
	len = mm->arg_end - mm->arg_start;
	if (len > PAGE_SIZE)
		len = PAGE_SIZE;
	res = access_process_vm(task, mm->arg_start, buffer, len, 0);

	// If the nul at the end of args has been overwritten, then
	// assume application is using setproctitle(3).
	if (res > 0 && buffer[res-1] != '\0' && len < PAGE_SIZE) {
		len = strnlen(buffer, res);
		if (len < res) {
			res = len;
		} else {
			/* No nul in the argument area at all: keep reading into the
			 * environment area, still capped at one page in total. */
			len = mm->env_end - mm->env_start;
			if (len > PAGE_SIZE - res)
				len = PAGE_SIZE - res;
			res += access_process_vm(task, mm->env_start, buffer+res, len, 0);
			res = strnlen(buffer, res);
		}
	}
out_mm:
	mmput(mm);
out:
	return res;
}
Does anyone think this is related to this piece of kernel code?
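Added example, not from the post or from the kernel source: a user-space model of the proc_pid_cmdline() logic quoted above, so the one-page cut-off and the setproctitle(3) fallback into the environment area can be stepped through without a kernel. The 4096-byte PAGE_SIZE, the shc-style argv layout "./rc" "-c" "<script>" and the sample strings are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096   /* assumed: 4 KiB pages, as on x86 */
/* strnlen(3) equivalent in portable C, so the model builds with -std=c99. */
static size_t nlen(const char *s, size_t n)
{
    const char *p = memchr(s, '\0', n);
    return p ? (size_t)(p - s) : n;
}
/* User-space model of the proc_pid_cmdline() logic quoted above (added here, not
 * kernel code). arg/env stand in for the [arg_start, arg_end) and [env_start,
 * env_end) ranges copied with access_process_vm(); buffer holds PAGE_SIZE bytes. */
size_t model_cmdline(const char *arg, size_t arg_len,
                     const char *env, size_t env_len, char *buffer)
{
    size_t len = arg_len, res;
    if (len > PAGE_SIZE)                /* hard cap: one page of argv */
        len = PAGE_SIZE;
    memcpy(buffer, arg, len);
    res = len;
    /* Final NUL gone and cap not hit: kernel assumes setproctitle(3) rewrote argv. */
    if (res > 0 && buffer[res - 1] != '\0' && len < PAGE_SIZE) {
        len = nlen(buffer, res);
        if (len < res) {
            res = len;                  /* title ended inside argv area */
        } else {                        /* no NUL at all: read on into environ */
            len = env_len;
            if (len > PAGE_SIZE - res)
                len = PAGE_SIZE - res;
            memcpy(buffer + res, env, len);
            res = nlen(buffer, res + len);
        }
    }
    return res;
}
/* Constructed shc-style argv "./rc" "-c" "<script_len bytes of script>":
 * how much of the embedded script does ps get to see? */
size_t shc_visible_bytes(size_t script_len)
{
    size_t arg_len = 8 + script_len + 1, res;   /* "./rc\0-c\0" script "\0" */
    char buffer[PAGE_SIZE], *arg = malloc(arg_len);
    if (!arg) return 0;
    memcpy(arg, "./rc\0-c\0", 8);
    memset(arg + 8, '#', script_len);
    arg[arg_len - 1] = '\0';
    res = model_cmdline(arg, arg_len, "", 0, buffer);
    free(arg);
    return res;
}
```

With a 10000-byte script shc_visible_bytes() returns exactly 4096, which is the "about 4k" seen in ps; a short argv with its final NUL overwritten and no NUL at all makes the model read on into the environment bytes, which is why a process that rewrites argv can expose environment strings in its command line.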