How to Pull Modules and Libraries Associated with
a process in Linux Systems
Linux command used to pull modules history.
pmap -d <PID>
- ps aux
- top
- htop
Similar to Windows, when a Linux system exhibits unusual behavior, it is thought that an executable file, a malicious process, or a malicious library may be at play.
The analyst must be able to look at the Linux process and its related libraries during this occurrence.
When it comes to malware analysis, the most frequent disk artifacts that malware leaves behind on a compromised system are the launched processes, produced modules, and libraries.
Before we dive into main topic, let’s discuss first the difference between .dll and .so files.
DLL – Dynamic Link Library
SO – Shared Object
In Windows systems, a process’s related modules and libraries will have the.dll extension (e.g., wininit.dll)
The related modules and libraries of a process on Linux systems have the extension.so (e.g., libc.so)
These executables have a set of features that are required by the process for smooth execution.
To pull all the associated modules and libraries from a Linux process we use a built-in tool called “pmap“.
First, identify the malicious process using the command ps or top.
Next, identify the PID or Process ID.
Now, use pmap command to pull the modules.
>>script: pmap -d <PID>
