Add T1036.004 linux test rename process comm using prctl PR_SET_NAME (#2458)

* Add T1036.004 linux test rename process comm using prctl PR_SET_NAME * fixing test to work with invoke-atomic --------- Co-authored-by: Hare Sudhan <code@0x6c.dev>
2023-06-15 22:54:21 -05:00
parent 2b77bcb303
commit 98bcc73b89
2 changed files with 44 additions and 0 deletions
@@ -27,3 +27,30 @@ atomic_tests:
      sc delete win32times
    name: command_prompt
    elevation_required: true
+- name: linux rename /proc/pid/comm using prctl
+  description: |
+    Runs a C program that calls prctl(PR_SET_NAME) to modify /proc/pid/comm value to "totally_legit".  This will show up as process name in simple 'ps' listings.
+  supported_platforms:
+  - linux
+  input_arguments:
+    exe_path:
+      description: Output Binary Path
+      type: path
+      default: /tmp/T1036_004_prctl_rename
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      #{exe_path} must be exist on system.
+    prereq_command: |
+      stat #{exe_path}
+    get_prereq_command: |
+      cc -o #{exe_path} PathToAtomicsFolder/T1036.004/src/prctl_rename.c
+  executor:
+    name: sh
+    command: |
+      #{exe_path} & ps
+      TMP=`ps | grep totally_legit`
+      if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
+      exit 0
+    cleanup_command: |
+      rm -f #{exe_path}
@@ -0,0 +1,17 @@
+#include        <sys/prctl.h>
+#include        <unistd.h>
+#include        <stdio.h>
+
+int
+main (int argc, const char* const argv[])
+{
+	const char *new_name = "totally_legit";
+
+        if (prctl(PR_SET_NAME, new_name, 0, 0, 0) < 0) {
+                perror("prctl");
+                return 4;
+        }
+	usleep(3*1000000);
+
+        return 0;
+}