Microsoft releases open-source Linux version of Procmon tool


Microsoft has ported the popular Sysinternals Procmon utility to Linux so that users can monitor running processes’ activity.

Procmon is a Windows utility that monitors the system calls, Registry access, and file activity for processes running in the operating system.

This monitoring of processes allows users to diagnose problems with programs crashing, heavy resource utilization, and even potential malware infections.

[Image: Procmon for Windows]

This week Microsoft released a Linux version of the popular Procmon utility that lets Linux users monitor running processes.


When using Procmon on Linux, you can specify the process IDs that you would like to monitor or specific system calls using the following arguments:

Usage: procmon [OPTIONS]
   OPTIONS
      -h/--help                Prints this help screen
      -p/--pids                Comma separated list of process ids to monitor
      -e/--events              Comma separated list of system calls to monitor
      -c/--collect [FILEPATH]  Option to start Procmon in a headless mode
      -f/--file FILEPATH       Open a Procmon trace file

For example, to monitor process IDs 738 and 2657:

sudo procmon -p 738,2657

To monitor PID 738 for all read and write calls, you would use the following command:

sudo procmon -p 738 -e read,write

For more information on how to use Procmon in Linux, you can see its GitHub page.
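As an added example (not code from the article or from the Procmon-for-Linux project), the following POSIX shell wrapper turns the -p, -e and -c arguments above into a headless capture of every process of a named service. It assumes pgrep from procps is installed; the trace file name is this example's own choice.

```shell
#!/bin/sh
# Added example, not code from the article or from the Procmon-for-Linux
# project: wrap procmon so every process of a named service is traced
# headlessly. Assumes the -p, -e and -c flags quoted in the article and
# that pgrep (procps) is installed; the trace file name is our own choice.

# Join the arguments into the comma-separated form -p and -e expect.
csv_join() {
    out=""
    for item in "$@"; do
        out="${out:+$out,}$item"
    done
    printf '%s' "$out"
}

# Succeed only if there is at least one argument and each one is a plain
# decimal PID, so nothing unexpected reaches the procmon command line.
validate_pids() {
    [ "$#" -gt 0 ] || return 1
    for pid in "$@"; do
        case "$pid" in
            ''|*[!0-9]*) return 1 ;;
        esac
    done
    return 0
}

# Build the argument string for a PID list and an optional syscall list,
# e.g. build_procmon_args 738,2657 read,write -> "-p 738,2657 -e read,write"
build_procmon_args() {
    args="-p $1"
    if [ -n "$2" ]; then
        args="$args -e $2"
    fi
    printf '%s' "$args"
}

# Resolve an exact process name to PIDs and start a headless capture into a
# timestamped file that can later be reopened with: procmon -f FILE
trace_by_name() {
    name="$1"
    events="$2"
    set -- $(pgrep -x "$name")   # word splitting into one PID per argument is intended
    validate_pids "$@" || { echo "no running process named '$name'" >&2; return 1; }
    outfile="procmon_${name}_$(date +%Y%m%d%H%M%S).trace"
    echo "tracing $name (PIDs $(csv_join "$@")) into $outfile" >&2
    sudo procmon $(build_procmon_args "$(csv_join "$@")" "$events") -c "$outfile"
}
# Example call: trace_by_name sshd read,write
```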

Building Procmon for Linux

Microsoft provides instructions on building Procmon on their GitHub page, which we have slightly modified to include all requirements.

To compile Procmon for Linux, Microsoft states that you will need to be running Ubuntu 18.04 LTS or later, have CMake 3.13 or later, and libsqlite3-dev installed.

To set up the development environment to compile Procmon, you should run the following commands:

sudo apt-get update
sudo apt-get -y install bison build-essential flex git libedit-dev libllvm6.0 llvm-6.0-dev libclang-6.0-dev python zlib1g-dev libelf-dev cmake libsqlite3-dev

Now you need to build BCC using the following commands:

git clone --branch tag_v0.10.0 https://github.com/iovisor/bcc.git
mkdir bcc/build
cd bcc/build
cmake .. -DCMAKE_INSTALL_PREFIX=/usr
make
sudo make install

Finally, you can build Procmon with these commands:

cd ../..
git clone https://github.com/Microsoft/Procmon-for-Linux
cd Procmon-for-Linux
mkdir build
cd build
cmake ..
make
sudo make install

Once Procmon is compiled, it will be installed to /usr/bin/procmon.

Unfortunately, Procmon cannot be compiled under WSL due to the lack of Kernel event tracing.
