Hunting hidden PIDs, eBPF and much more using xpid

Today while browsing Twitter I came across a tool which I found pretty amazing and as a system admin(well sort off) I find tools like these pretty amazing.

So what exactly is xpid.

Well, as the creator describes it, "It's nmap but for pids".

xpid supports the following

USAGE: xpid [flags] -o [output] <query> Investigate pid 123 and write the report to out.txt xpid 123 > out.txt Find all container processes on a system # Looks for /proc/[pid]/ns/cgroup != /proc/1/ns/cgroup xpid -c <query> Find all processes running with eBPF programs at runtime. # Looks for /proc/[pid]/fdinfo and correlates to /sys/fs/bpf xpid --ebpf <query> Find all processes between specific values xpid <flags> +100 # Search pids up to 100 xpid <flags> 100-2000 # Search pids between 100-2000 xpid <flags> 65000+ # Search pids 65000 or above Find all "hidden" processes on a system # Looks for chdir, opendir, and dent in /proc xpid -x <query> Find all possible pids on a system, and investigate each one (slow). The --all flag is default. xpid > out.txt Investigate all pids from 0 to 1000 and write the report to out.json xpid -o json 0-1000 > out.json

The following flags are supported

GLOBAL OPTIONS: --verbose, -v (default: false) --output value, -o value, --out value --all, -A (default: false) --fast, -f (default: true) --probe, --bpf, --ebpf, -b (default: false) --hidden, -x (default: false) --threads, -t, --thread (default: false) --proc, -P (default: false) --container, -c, --containers (default: false) --help, -h show help (default: false)

Let's try these out

For example I'm running a httpd container here.

podman run -d docker.io/httpd

Now I want to see the processes run by that container.

xpid -c

I tried creating a hidden process, but I was not able to(I'm not that well versed with cybersec), if anyone knows how to create one I'd be happy to check that.

To check the running threads you can do xpid -t