This is just a short note about a useful little idiom that a lot of people I run into seem to have never seen before. You're all aware that the /proc file system contains a great deal of information about processes that's useful in an incident response situation. However, when you start looking at this data it can sometimes be difficult to read:
$ cd /proc/self
$ cat environ
GNOME_KEYRING_SOCKET=/tmp/keyring-r8yNJT/socketLOGNAME=halGDMSESSION=default...
Yuck! All of the environment variables are jammed together in an unreadable mess.
The reason the output appears this way is that the various strings in the /proc structures are terminated by nulls (ASCII zero) rather than newlines (just like strings in C). You don't usually see the nulls because they're non-printable characters, so the entries run together on the terminal.
But with a little help from the "tr" command you can convert the nulls to newlines and make everything much more readable:
$ cat environ | tr \\000 \\n
GNOME_KEYRING_SOCKET=/tmp/keyring-r8yNJT/socket
LOGNAME=hal
GDMSESSION=default
[...]
Notice the use of double backslashes in the command above — the extra backwhack makes sure that the arguments to "tr" end up being \000 and \n after being interpolated by the shell (or you could use single quotes).
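The same idea wrapped in a couple of small shell functions, as an added example that is not part of the original post: it renders any null-separated /proc file one entry per line, counts the entries without being fooled by the trailing null, and pulls out a single variable by name (the kind of check a responder runs on a suspicious process's environment). The sample environ file is constructed here with printf so the example runs without a live /proc; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for reading the
# null-separated files under /proc/PID (environ, cmdline), plus constructed
# sample input so it runs anywhere.

# Convert null separators to newlines. The octal escape is single-quoted so
# the shell hands \000 and \n to tr untouched (the post's alternative to \\000).
nul2nl() {
    tr '\000' '\n' < "$1"
}

# Every entry in environ/cmdline is null-terminated, so tr leaves a final
# newline; a process that cleared its environment yields an empty file.
# Count non-empty lines rather than trusting "wc -l".
count_entries() {
    nul2nl "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Print the value of one variable (nothing if it is absent), e.g. to see
# whether LD_PRELOAD or an odd PATH was set when the process started.
env_var() {
    nul2nl "$1" | sed -n "s/^$2=//p"
}

# Constructed sample: the environment shown in the post, written with the
# null terminators that /proc/self/environ really contains.
SAMPLE_ENVIRON=$(mktemp)
printf 'GNOME_KEYRING_SOCKET=/tmp/keyring-r8yNJT/socket\000LOGNAME=hal\000GDMSESSION=default\000' > "$SAMPLE_ENVIRON"

# Constructed sample of the edge case: a process with an empty environment.
EMPTY_ENVIRON=$(mktemp)
: > "$EMPTY_ENVIRON"

trap 'rm -f "$SAMPLE_ENVIRON" "$EMPTY_ENVIRON"' EXIT

# Usage on a live system: nul2nl /proc/1234/environ ; env_var /proc/1234/environ LOGNAME
nul2nl "$SAMPLE_ENVIRON"
count_entries "$SAMPLE_ENVIRON"
```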
I hope you find this little trick useful. I find myself using it constantly.
Hal Pomeranz is an independent IT/Computer Security consultant and a SANS Faculty Fellow. He spends far too much of his life herding Unix/Linux systems.