Plumber: A piping friendly tool for tracking short-lived process execution on Linux

As a part of my job at Cybereason, I find myself writing a lot of research tools. Most of them are for my personal use in our research lab but some of these tools are really helpful and it would be a shame not to share them with the world.

So I’ve decided to release some of these tools as open source on our new GitHub page.

The first tool we’re releasing is called Plumber. It’s a simple Python wrapper for the Linux Ftrace infrastructure to trace execve()/fork() calls. I wrote this tool because I wanted a Python-based instrumentation tool that will be grep and “piping” friendly (hence the name Plumber).

Plumber is a great way to track what processes are being launched by malware. Because you’re not using the regular procfs API, which can only be queried by polling, you’re getting the information directly from the kernel as it happens - even if a command spawns a very short-lived process that would exit between two polls. If execve/fork is called, you’ll see it. I’ll add more functionality to Plumber, so check that repository frequently.

Plumber is inspired by Brendan Gregg’s awesome work and research. Yes, I could use Brendan’s perf tools, but I wanted something that I can work with more easily, which is why I chose Python over his shell-script based tools (although they are absolutely brilliant).

Plumber is a text-based application. It displays new executions in green and process termination in red. It’s available on our GitHub page and is released under the AGPL license. You are more than welcome to fork it, submit cool features via pull requests and so on.
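To make the mechanism concrete, here is an added example (my own illustration, not Plumber’s source code) of the same idea: enable the kernel’s sched_process_fork/exec/exit tracepoints through tracefs, read the event stream from trace_pipe, and print one grep-friendly line per event, green for exec and red for exit. The tracefs paths and the trace_pipe record layout are the kernel’s documented interface; the three sample records are constructed to show a process (ls) that lives for about a millisecond, exactly the case that procfs polling misses. Live tracing needs root on a Linux host; the parsing and formatting functions run anywhere.

```python
#!/usr/bin/env python3
"""Minimal ftrace-based process lifecycle tracer (added example, not Plumber itself).

Assumes: Linux with tracefs at /sys/kernel/tracing (or the older debugfs path)
and root privileges when tracing live. The parser and formatter need neither.
"""
import os
import re
import sys

TRACEFS_CANDIDATES = ("/sys/kernel/tracing", "/sys/kernel/debug/tracing")
EVENTS = ("sched_process_fork", "sched_process_exec", "sched_process_exit")
GREEN, RED, RESET = "\033[32m", "\033[31m", "\033[0m"

# A trace_pipe record: "<comm>-<pid> [<cpu>] <flags> <secs.usecs>: <event>: k=v k=v ..."
LINE_RE = re.compile(
    r"^\s*(?P<comm>.+?)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?P<flags>\S+)\s+"
    r"(?P<ts>\d+\.\d+):\s+(?P<event>\w+):\s*(?P<args>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")  # tracepoint arguments; filenames with spaces would need a smarter split

# Constructed sample stream (not real capture): fork, exec and exit of a ~1 ms "ls" process.
SAMPLE_TRACE = """\
# tracer: nop
            bash-1000  [000] d.... 12345.670000: sched_process_fork: comm=bash pid=1000 child_comm=bash child_pid=1234
            bash-1234  [001] ..... 12345.678901: sched_process_exec: filename=/usr/bin/ls pid=1234 old_pid=1234
              ls-1234  [001] ..... 12345.680000: sched_process_exit: comm=ls pid=1234 prio=120
"""


def parse_line(line):
    """Return a dict for one trace record, or None for headers/comments/garbage."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "comm": m["comm"],          # task name at the time of the event (pre-exec name for exec)
        "pid": int(m["pid"]),
        "cpu": int(m["cpu"]),
        "ts": float(m["ts"]),
        "event": m["event"],
        "args": dict(KV_RE.findall(m["args"])),
    }


def format_event(rec, color=False):
    """One line per event, stable field order so it greps and cuts cleanly."""
    a, ts = rec["args"], f"{rec['ts']:.6f}"
    if rec["event"] == "sched_process_exec":
        text = f"{ts} EXEC  pid={rec['pid']} filename={a.get('filename', '?')}"
        return f"{GREEN}{text}{RESET}" if color else text
    if rec["event"] == "sched_process_exit":
        text = f"{ts} EXIT  pid={rec['pid']} comm={a.get('comm', rec['comm'])}"
        return f"{RED}{text}{RESET}" if color else text
    if rec["event"] == "sched_process_fork":
        return (f"{ts} FORK  parent={a.get('comm', '?')}[{a.get('pid', '?')}] "
                f"child={a.get('child_comm', '?')}[{a.get('child_pid', '?')}]")
    return f"{ts} {rec['event']} {' '.join(f'{k}={v}' for k, v in a.items())}"


def format_stream(lines, color=False):
    """Parse an iterable of trace lines; non-record lines are dropped."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            out.append(format_event(rec, color))
    return out


def find_tracefs():
    for path in TRACEFS_CANDIDATES:
        if os.path.exists(os.path.join(path, "trace_pipe")):
            return path
    return None


def enable_events(tracefs):
    """Turn on the three sched tracepoints and the tracer (root required)."""
    for ev in EVENTS:
        with open(os.path.join(tracefs, "events", "sched", ev, "enable"), "w") as f:
            f.write("1")
    with open(os.path.join(tracefs, "tracing_on"), "w") as f:
        f.write("1")


def main():
    tracefs = find_tracefs()
    if tracefs is None:
        sys.exit("tracefs not found; try: mount -t tracefs nodev /sys/kernel/tracing")
    enable_events(tracefs)
    with open(os.path.join(tracefs, "trace_pipe")) as pipe:   # blocks until events arrive
        for line in pipe:
            rec = parse_line(line)
            if rec is not None:
                print(format_event(rec, color=sys.stdout.isatty()), flush=True)


if __name__ == "__main__":
    main()
```

Because the events come from the tracepoints themselves, the exec at 12345.678901 and the exit 1.1 ms later are both recorded even though no /proc scan would ever have seen pid 1234. Colour is applied only when stdout is a terminal, so `python3 tracer.py | grep EXEC` yields plain lines.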

One last note: Some people may find my code messy. I’ve never claimed to be a decent coder.

Feel free to contact me on Twitter @0xAmit.

Amit Serper
About the Author

Amit Serper

Amit Serper is Principal Security Researcher at Cybereason. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS.