Hal Pomeranz · Nov 12, 2022 · 1:47 PM UTC

Hal Pomeranz · Nov 12, 2022 · 1:47 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

12 Nov 2022

For today's #Linux #DFIR #CommandLine #Trivia I want a command to produce a sorted list of the executable paths for all running processes on the system.

Nov 12, 2022 · 1:47 PM UTC

Hal Pomeranz · Nov 13, 2022 · 3:27 PM UTC

Hal Pomeranz @hal_pomeranz

13 Nov 2022

The first and best answer to yesterday's #Linux #DFIR #CommandLine #Trivia comes from Linkavych: readlink -f /proc/＊/exe | sort The first lesson here is never be afraid to get the answers you need directly from /proc. This saves a lot of… infosec.exchange/@hal_pomera…

Hal Pomeranz (@hal_pomeranz@infosec.exchange)

The first and best answer to yesterday's #Linux #DFIR #CommandLine #Trivia comes from @Linkavych@twitter.com: readlink -f /proc/*/exe | sort The first lesson here is never be afraid to get the...

infosec.exchange

Jeff Miller · Nov 12, 2022 · 6:32 PM UTC

Jeff Miller @jwmwi

12 Nov 2022

Replying to @hal_pomeranz

fun! I started with a find, but it seemed clunky.. for loop unnecessary as well, but I like to be able to add ideas once I think of more stuff.. for exe in /proc/[0-9]*/exe do readlink $exe done | sort -u

Wayne Kirk Schmidt · Nov 13, 2022 · 4:51 AM UTC

Wayne Kirk Schmidt @wayne_k_schmidt

13 Nov 2022

Replying to @hal_pomeranz

egrep -v /dev/null /proc/*/exe | while read magic type myfile result; do pid=$( basename $( dirname $myfile ) ); exepath=$( readlink $myfile ); ech o $pid $exepath; done

Wayne Kirk Schmidt · Nov 13, 2022 · 4:52 AM UTC

Wayne Kirk Schmidt @wayne_k_schmidt

13 Nov 2022

Replying to @hal_pomeranz

Admittedly somewhat baroque, but you get the context ( pid and exepath ) and then you can filter out the self process.

Adam Link · Nov 12, 2022 · 4:32 PM UTC

Adam Link @Linkavych

12 Nov 2022

Replying to @hal_pomeranz

Maybe: /usr/bin/readlink -f /proc/*/exe | grep -v readlink | sort