{"id":17255359,"url":"https://github.com/krisnova/xpid","last_synced_at":"2025-05-12T03:31:45.825Z","repository":{"id":40434814,"uuid":"484074896","full_name":"krisnova/xpid","owner":"krisnova","description":"Linux Process Discovery. C Library, Go bindings, Runtime.","archived":false,"fork":false,"pushed_at":"2022-07-20T19:49:19.000Z","size":16598,"stargazers_count":220,"open_issues_count":1,"forks_count":12,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-31T23:42:43.610Z","etag":null,"topics":["audit","forensics","hacking","kernel","linux","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/krisnova.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-04-21T14:03:06.000Z","updated_at":"2025-03-23T07:18:07.000Z","dependencies_parsed_at":"2022-08-09T20:20:47.272Z","dependency_job_id":null,"html_url":"https://github.com/krisnova/xpid","commit_stats":null,"previous_names":["kris-nova/xpid"],"tags_count":13,"template":false,"template_full_name":"krisnova/go-nova","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krisnova%2Fxpid","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krisnova%2Fxpid/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krisnova%2Fxpid/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krisnova%2Fxpid/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/krisnova","download_url":"https://codeload.github.com/krisnova/xpid/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https:/
/github.com","kind":"github","repositories_count":253668064,"owners_count":21944970,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","forensics","hacking","kernel","linux","security"],"created_at":"2024-10-15T07:11:24.687Z","updated_at":"2025-05-12T03:31:45.502Z","avatar_url":"https://github.com/krisnova.png","language":"Go","readme":"# xpid \n\nIt's [`nmap`](https://nmap.org/) but for pids. 🤓\n\n---\n\nPlease help me become an independent programmer by donating directly below.\n\n[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/D1D8CXLHZ) \n\n---\n\n`xpid` gives a user the ability to \"investigate\" for process details on a Linux system.\n\nFor example a sleeping thread will have a directory `/proc/[pid]` that can be navigated to, but not listed.\n\n`xpid` will check many different places in the kernel for details about a pid. 
\nBy searching subsets of possible pids, `xpid` will be able to check for pid details in many places in the kernel.\n\n```\nxpid [flags] -o [output] \u003cquery\u003e\n\nInvestigate all pids\n  xpid\n\nInvestigate pid 1\n  xpid 1\n\nFind all container processes on a system\n  xpid -c\n\nFind all processes in the same namespace(s) as pid 1\n  xpid --ns-in [mnt, net, pid, ipc, cgroup]\n\nFind all processes not in the same namespace(s) as current user\n  xpid --ns-out-user [mnt, net, pid, ipc, cgroup]\n\nFind all processes running with eBPF programs as JSON\n  xpid --ebpf -o json \u003cpid-query\u003e\n\nFind all processes running with eBPF programs, in a container, in /proc\n  xpid -b -c -p\n\nFind all processes between specific values (Query syntax)\n  xpid \u003cflags\u003e +100      # Search pids up to 100\n  xpid \u003cflags\u003e 100-2000  # Search pids between 100-2000 \n  xpid \u003cflags\u003e 65000+    # Search pids 65000 or above\n\nFind all hidden processes on a system (slow)\n  xpid -x \u003cpid-query\u003e\n\n```\n\n## Container pids (xpid -c) 📦\n\n`xpid` will look up container processes at runtime. 🎉\n\nThis works by reading the link in [`/proc/[pid]/ns/@cgroup`](https://man7.org/linux/man-pages/man7/namespaces.7.html#:~:text=/proc/%5Bpid%5D/ns/cgroup) and correlating it back to the value in `/proc/1/[pid]/ns/@cgroup`.\n\nRegardless of the pid namespace context, if there is a \"container\" that is unique from the current pid 1, `xpid` will find it.\n\n## eBPF pids (xpid -b) 🐝\n\n`xpid` will find pids that have eBPF programs loaded at runtime.\n\nThis works by correlating the file descriptor info from [`/proc/[pid]/fdinfo/*`](https://man7.org/linux/man-pages/man5/proc.5.html#:~:text=file%20descriptor%200.-,/proc/%5Bpid%5D/fdinfo/,-(since%20Linux%202.6.22)) back to `/sys/fs/bpf/progs.debug`. 
\nIf a pid has an eBPF program loaded, `xpid` will find it.\n\n## Hidden pids (xpid -x) 🙈\n\nBecause of the flexibility with kernel modules and eBPF in the kernel, it can be possible to prevent the [`proc(5)`](https://man7.org/linux/man-pages/man5/proc.5.html) filesystem from listing pid details in traditional ways.\n\n`xpid` uses a variety of tactics to search for pids in the same way `nmap` will use different tactics to port scan a target.\n\n## Go runtime\n\n`xpid` is a Go runtime utility that depends on `libxpid`.\nInstall `libxpid` first (below), and then compile the Go runtime.\n\n```bash\ngit clone https://github.com/kris-nova/xpid.git\ncd xpid\nmake\nsudo make install\n```\n\n## Xpid C library (libxpid)\n\n`libxpid` is written in C, as it will leverage [`ptrace(2)`](https://man7.org/linux/man-pages/man2/ptrace.2.html) and eBPF code directly. \nThis means that the `xpid` executable is NOT entirely statically linked. \nYou must first have `libxpid` installed on your system, before the `xpid` Go program will run.\n\n```bash \ngit clone https://github.com/kris-nova/xpid.git\ncd xpid/libxpid\n./configure\ncd build\nmake\nsudo make install\n```\n\n","funding_links":["https://ko-fi.com/D1D8CXLHZ"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkrisnova%2Fxpid","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkrisnova%2Fxpid","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkrisnova%2Fxpid/lists"}