Skip to content

bad-antics/nullsec-procspy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
README.md
README.md
 
 
procspy.fs
procspy.fs
 
 

Repository files navigation

NullSec ProcSpy

    ███▄    █  █    ██  ██▓     ██▓      ██████ ▓█████  ▄████▄  
    ██ ▀█   █  ██  ▓██▒▓██▒    ▓██▒    ▒██    ▒ ▓█   ▀ ▒██▀ ▀█  
   ▓██  ▀█ ██▒▓██  ▒██░▒██░    ▒██░    ░ ▓██▄   ▒███   ▒▓█    ▄ 
   ▓██▒  ▐▌██▒▓▓█  ░██░▒██░    ▒██░      ▒   ██▒▒▓█  ▄ ▒▓▓▄ ▄██▒
   ▒██░   ▓██░▒▒█████▓ ░██████▒░██████▒▒██████▒▒░▒████▒▒ ▓███▀ ░
   ░ ▒░   ▒ ▒ ░▒▓▒ ▒ ▒ ░ ▒░▓  ░░ ▒░▓  ░▒ ▒▓▒ ▒ ░░░ ▒░ ░░ ░▒ ▒  ░
   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
   █░░░░░░░░░░░░░░░░░░ P R O C S P Y ░░░░░░░░░░░░░░░░░░░░░░░░█
   ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
                       bad-antics

Forth NullSec

Overview

Minimal footprint process monitor and analyzer written in Forth. The concatenative nature of Forth allows for an extremely small binary that can be easily embedded or deployed in constrained environments.

Features

  • Process Enumeration - List all running processes
  • Memory Mapping - View process memory regions
  • File Descriptor Tracking - Monitor open files and sockets
  • Environment Extraction - Dump process environment variables
  • Thread Analysis - Examine process threads
  • Injector Support - Process injection helpers
  • Minimal Footprint - Entire tool under 10KB

Requirements

  • gforth (GNU Forth) >= 0.7.3
  • Linux (uses /proc filesystem)
  • Root for full functionality

Build

# Run directly
gforth procspy.fs

# Create standalone executable
gforth -e "include procspy.fs" -e "bye"

Usage

\ Start interactive mode
gforth procspy.fs

\ List processes
list-procs

\ Analyze specific PID
1337 proc-info

\ Memory map
1337 proc-maps

\ File descriptors
1337 proc-fds

\ Environment
1337 proc-env

\ Find process by name
s" nginx" find-proc

\ Monitor process
1337 watch-proc

Commands

Command Stack Description
list-procs ( -- ) List all processes
proc-info ( pid -- ) Show process information
proc-maps ( pid -- ) Show memory mappings
proc-fds ( pid -- ) Show file descriptors
proc-env ( pid -- ) Show environment
find-proc ( c-addr u -- ) Find process by name
watch-proc ( pid -- ) Continuous monitoring
proc-inject ( pid -- ) Prepare injection

Architecture

┌────────────────────────────────────────────┐
│              ProcSpy Core                   │
├─────────────┬─────────────┬────────────────┤
│   /proc     │   syscalls  │    ptrace      │
│   reader    │   wrapper   │    interface   │
├─────────────┴─────────────┴────────────────┤
│            Stack-Based Engine              │
└────────────────────────────────────────────┘

License

NullSec Proprietary - For authorized security research only

GitHub Discord

About

Minimal footprint process monitor in Forth

Topics

linux security forensics forth process-monitor ptrace proc-filesystem security-hardened minimal-footprint nullsec

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages