Report: Processes

A process is a running instance of an executable. More specifically, it is an entry in a kernel data structure (on Linux, a task_struct on the kernel's task list) that ties together the program's instructions and the code it depends on, the data it has read from files, network sockets, or other inputs, and a set of one or more threads that execute those instructions on that data.


Report Data: Processes

The following are the processes that were running when the memory snapshot of the centos 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication) was taken.

Processes Report

The following describes each column of the reported data, with notes on how the same value can be read from a live system.

Pid
    The process ID.
Ppid
    The parent process's process ID.
    Notes: identifies the process from which this process was spawned. On a live system it is the PPid line of /proc/{pid}/status.
Comm
    The command name, i.e. the executable's base name as recorded by the kernel.
    Notes: can be found via cat /proc/{pid}/comm for each process. The kernel stores at most 15 characters, so longer names are truncated.
Real/Suid/Effective
    The real, saved and effective user IDs under which the process runs.
    Notes: can be found in the Uid line of /proc/{pid}/status, which lists the real, effective, saved and filesystem UIDs in that order. A difference between the three usually means a setuid executable or a process that changed its privileges after starting.
Arg
    The command line passed to the executable at start time.
    Notes: can be found via cat /proc/{pid}/cmdline for each process. The arguments are NUL-separated, so pipe the output through tr '\0' ' ' to make it readable. A process can overwrite its own argv, so this value is not authoritative.
Cwd
    The current working directory of the process.
    Notes: can be found via sudo ls -l /proc/{pid}/cwd (or readlink /proc/{pid}/cwd) for each process.
Details
    A link to the process detail report described below.
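As an added example, not code from this page or from the tool it documents, the following Python script assembles the same Pid/Ppid/Comm/UID/Arg/Cwd row for every process by reading /proc directly, which is how you would build a live-system baseline to compare against the report. The build_sample_proc helper creates a constructed stand-in /proc tree (its processes, PIDs and paths are made up) so the script runs offline; point proc_table at the real /proc to use it on a running host.

```python
import os
import tempfile


def read_status(pid_dir):
    """Parse /proc/<pid>/status ("Key:\tvalue" lines) into a dict."""
    fields = {}
    with open(os.path.join(pid_dir, "status")) as f:
        for line in f:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def proc_row(proc_root, pid):
    """Build one row of the Processes report for a single pid."""
    pid_dir = os.path.join(proc_root, str(pid))
    status = read_status(pid_dir)
    # cmdline is NUL-separated with a trailing NUL; kernel threads have an empty one
    with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
        args = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
    # The Uid line lists real, effective, saved and filesystem UIDs in that order
    uids = [int(u) for u in status.get("Uid", "").split()]
    try:
        cwd = os.readlink(os.path.join(pid_dir, "cwd"))
    except OSError:
        cwd = None  # kernel thread, or another user's process when not root
    return {
        "pid": pid,
        "ppid": int(status.get("PPid", "0")),
        "comm": status.get("Name", ""),
        "real": uids[0] if len(uids) > 2 else None,
        "suid": uids[2] if len(uids) > 2 else None,
        "effective": uids[1] if len(uids) > 2 else None,
        "arg": " ".join(args),
        "cwd": cwd,
    }


def proc_table(proc_root="/proc"):
    """Enumerate the numeric entries of proc_root and build the table, sorted by pid."""
    rows = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            rows.append(proc_row(proc_root, int(entry)))
        except OSError:
            continue  # the process exited while we were walking /proc
    return sorted(rows, key=lambda r: r["pid"])


def build_sample_proc(root=None):
    """Constructed stand-in for /proc so the example runs offline; not real data."""
    root = root or tempfile.mkdtemp(prefix="fakeproc-")
    samples = {
        1: ("init", 0, "0\t0\t0\t0", b"/sbin/init\0", "/"),
        2: ("kthreadd", 0, "0\t0\t0\t0", b"", None),  # kernel thread: no argv, no cwd
        1234: ("sshd", 1, "0\t0\t0\t0", b"/usr/sbin/sshd\0-D\0", "/"),
        2048: ("bash", 1234, "1000\t1000\t1000\t1000", b"-bash\0", "/home/user"),
    }
    for pid, (name, ppid, uid, cmdline, cwd) in samples.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "status"), "w") as f:
            f.write(f"Name:\t{name}\nPPid:\t{ppid}\nUid:\t{uid}\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline)
        if cwd is not None:
            os.symlink(cwd, os.path.join(d, "cwd"))
    return root


if __name__ == "__main__":
    for row in proc_table(build_sample_proc()):
        print(row)
```

Because the script reads the same kernel-exported files that ps and similar tools use, a list built this way is a usermode view: a process hidden from /proc is also hidden from it, which is exactly what the comparison with the memory-derived report is meant to expose.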

Report Data: Process Detail

The following is a sample of the process detail available for each process in the list above at the time the memory snapshot of the centos 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication) was taken.

Process Detail Report

Details

Environment Variables

Page Tables (userland only)

The following describes each column of the page table data.

Addr
    The starting virtual address of the mapped region.
Size
    The length of the region in bytes.
Offset
    The offset into the backing file at which the mapping starts (zero for anonymous regions).
Flags
    The protection and mapping flags of the region (readable, writable, executable, private or shared).
Name
    The file backing the region, or a pseudo-name such as [heap] or [stack] for regions with no backing file.
    Notes: compare with the fields of /proc/{pid}/maps on a live system.
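Added example, not the page's own code: assuming the Addr/Size/Offset/Flags/Name columns correspond to the fields of /proc/{pid}/maps, this script parses a mapping list into those columns and flags the regions an analyst looks at first, namely regions that are writable and executable at the same time, or executable without a backing file. The maps text embedded below is constructed sample input, not output from the image in the samples gallery.

```python
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [name]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<name>.*)$"
)

# Constructed sample (not real data): a bash process with one injected rwx region.
SAMPLE_MAPS = """\
00400000-004e0000 r-xp 00000000 fd:00 131 /bin/bash
006df000-006e0000 r--p 000df000 fd:00 131 /bin/bash
006e0000-006e9000 rw-p 000e0000 fd:00 131 /bin/bash
01c2a000-01d1c000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7ffd5b2b4000-7ffd5b2d5000 rw-p 00000000 00:00 0 [stack]
7ffd5b3e0000-7ffd5b3e2000 r-xp 00000000 00:00 0 [vdso]
"""


def parse_maps(text):
    """Parse maps lines into rows with the report's Addr/Size/Offset/Flags/Name columns."""
    rows = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a mapping line
        start, end = int(m["start"], 16), int(m["end"], 16)
        rows.append({
            "addr": start,
            "size": end - start,
            "offset": int(m["offset"], 16),
            "flags": m["perms"],
            "name": m["name"].strip() or "[anon]",  # no path means an anonymous mapping
        })
    return rows


def suspicious_regions(rows):
    """Return (addr, reasons) for regions worth a second look during triage.

    W^X violations are where shellcode is typically staged; executable code that is
    not backed by a file on disk is the usual footprint of injected code. The vDSO
    and vsyscall page are executable and file-less but legitimate, so they are not
    matched by name here.
    """
    findings = []
    for r in rows:
        flags = r["flags"]
        reasons = []
        if "w" in flags and "x" in flags:
            reasons.append("writable+executable")
        if "x" in flags and r["name"] in ("[anon]", "[heap]", "[stack]"):
            reasons.append("executable without file backing")
        if reasons:
            findings.append((r["addr"], reasons))
    return findings


if __name__ == "__main__":
    rows = parse_maps(SAMPLE_MAPS)
    for r in rows:
        print(f"{r['addr']:016x} {r['size']:8x} {r['offset']:8x} {r['flags']} {r['name']}")
    for addr, reasons in suspicious_regions(rows):
        print(f"suspicious: {addr:016x} {', '.join(reasons)}")
```

On a live host the same function can be fed the contents of /proc/{pid}/maps; when run against the report, the value of the memory-derived view is that it is read from the kernel's own mapping structures rather than from an interface a rootkit can filter.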

Forensic Hints

The same set of processes can be obtained from a running Linux system with the ps -e command, which reads /proc. Any difference between (a) the set read from usermode and (b) the set derived from memory inspection should be investigated, as discussed here. A process that appears in the memory-derived list but not in the ps output is the classic symptom of a rootkit hiding it, for example by unlinking its task_struct from the kernel's task list or by filtering the /proc directory listing. The comparison is only meaningful if the two views are captured as close together in time as possible: processes that start or exit between the snapshot and the ps run will differ for innocent reasons, and a PID that is present in both but with a different command name may simply have been reused.
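As an added example rather than anything from the page, the script below performs that comparison: it parses ps -e output (the usermode view) and diffs it against a memory-derived process list shaped like the report above, separating processes hidden from ps from those that merely started after the snapshot and from PIDs whose identity differs between the two views. The ps output and memory list embedded in it are constructed sample data, not taken from the image in the samples gallery; live_ps collects the real usermode view on a running host.

```python
import subprocess


def parse_ps(text):
    """Parse the output of `ps -e -o pid=,ppid=,comm=` into {pid: (ppid, comm)}.

    The `=` suffixes suppress the header line, so every line is a process.
    """
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        pid, ppid, comm = parts
        procs[int(pid)] = (int(ppid), comm)
    return procs


def live_ps():
    """Collect the usermode view from the running system (not used by the offline demo)."""
    out = subprocess.run(["ps", "-e", "-o", "pid=,ppid=,comm="],
                         check=True, capture_output=True, text=True).stdout
    return parse_ps(out)


def compare_views(usermode, memory):
    """Compare the /proc-based view (ps) with the memory-derived view.

    Both arguments are {pid: (ppid, comm)}. Returns three sorted lists:
      hidden        in memory but invisible to ps: investigate, this is the rootkit case
      usermode_only visible to ps but not in memory: usually started after the snapshot
      mismatched    same pid in both but different comm/ppid: pid reuse or tampering
    """
    hidden = sorted(set(memory) - set(usermode))
    usermode_only = sorted(set(usermode) - set(memory))
    mismatched = sorted(
        pid for pid in set(memory) & set(usermode) if memory[pid] != usermode[pid]
    )
    return {"hidden": hidden, "usermode_only": usermode_only, "mismatched": mismatched}


# Constructed sample data (not from the page's report): a ps run and the matching
# memory-derived list, in which pid 3131 exists in the kernel but ps cannot see it.
SAMPLE_PS = """\
    1     0 init
    2     0 kthreadd
 1234     1 sshd
 2048  1234 bash
 4000  2048 ps
"""

SAMPLE_MEMORY = {
    1: (0, "init"),
    2: (0, "kthreadd"),
    1234: (1, "sshd"),
    2048: (1234, "bash"),
    3131: (1, "nc"),  # hidden from ps: the finding this check exists to surface
}


def demo():
    """Run the comparison on the constructed sample data."""
    return compare_views(parse_ps(SAMPLE_PS), SAMPLE_MEMORY)


if __name__ == "__main__":
    for kind, pids in demo().items():
        print(f"{kind:14s} {pids}")
```

On real data, feed compare_views the Pid/Ppid/Comm columns of the Processes report as the memory side and live_ps() as the usermode side; anything in the hidden list is the item to pursue first, while usermode_only entries are normally explained by the time gap between snapshot and ps run.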