Safe Penetration Testing Labs · beginner · ~20 min

/proc forensics — a cookbook

Use /proc to answer 'what's running, what's listening, who is X talking to?'.

Overview

/proc is the kernel's introspection API as a filesystem. It is the most concentrated forensic resource on Linux — and the building block of ps, lsof, netstat, ss, top.

Why it matters

Defenders who can read /proc directly don't need ten different tools — they can answer any "what's running" question with a small C program and a fopen.

Core concepts

  • /proc/PID/maps — virtual memory regions and their permissions.
  • /proc/PID/fd/ — symlinks to every open file, socket, pipe.
  • /proc/PID/status — VmRSS, threads, parent PID, capabilities.
  • /proc/PID/cmdline — argv joined with NULs.
  • /proc/PID/environ — the inherited environment (NUL-separated).
  • /proc/net/tcp[6]/udp[6] — every IPv4/IPv6 TCP/UDP socket on the system.
  • /proc/self/... — refers to the calling process; convenient.

Pentester mindset. A scan of /proc/net/tcp for LISTEN sockets bound to 0.0.0.0 finds every publicly-exposed service. Pair with /proc/PID/cmdline to identify the process.

Defensive coding habit. Always check the return value of fopen: some files are restricted (reading another user's /proc/PID/environ requires CAP_SYS_PTRACE). Always cap line length when reading.

Syntax notes

Plain text files; fopen + fgets is the universal pattern.

Lesson

On Linux, /proc is a virtual filesystem the kernel exposes for introspection. Every running process has a directory at /proc/PID/ with its memory map, open file descriptors, environment, command line, and more. Forensic tools are built on this; learning to read it directly is the foundation of defender tooling.

Code examples

/* What's listening on TCP? */
FILE *fp = fopen("/proc/net/tcp", "r");
if (!fp) { perror("fopen"); return 1; }      /* restricted or missing: never read through a NULL FILE* */
char line[1024];                               /* hard cap on line length */
fgets(line, sizeof line, fp);                  /* skip the header row */
while (fgets(line, sizeof line, fp)) { /* parse local_address (hex ip:port) and st (0A = LISTEN) */ }
fclose(fp);
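A complete version of that scan, added here as an example and not code from the original page: it parses /proc/net/tcp rows, flags LISTEN sockets bound to 0.0.0.0, and resolves each socket inode to its owning PID by walking the /proc/PID/fd symlinks (the same trick ss -p and lsof use). Function and struct names are my own; the sample rows in the test are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>
#include <unistd.h>
/* One parsed row of /proc/net/tcp (IPv4). local_ip is s_addr exactly as the kernel printed it. */
struct tcp_row { unsigned long local_ip; unsigned local_port, state; unsigned long inode; };
/* Parse a data row; 1 on success, 0 on the header or a malformed line. Columns:
 * sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ... */
int parse_tcp_row(const char *line, struct tcp_row *r)
{
    return sscanf(line, " %*d: %lx:%x %*x:%*x %x %*x:%*x %*x:%*lx %*x %*u %*d %lu",
                  &r->local_ip, &r->local_port, &r->state, &r->inode) == 4;
}
/* st == 0x0A is TCP_LISTEN; bound to 0.0.0.0 means reachable on every interface. */
int is_wildcard_listen(const struct tcp_row *r) { return r->state == 0x0A && r->local_ip == 0; }

/* Walk every /proc/PID/fd/ for a symlink named "socket:[inode]"; returns the owning PID or -1. */
long pid_for_socket_inode(unsigned long inode)
{
    char want[48], path[128], target[48], *end;
    struct dirent *p, *f; long pid, found = -1;
    snprintf(want, sizeof want, "socket:[%lu]", inode);
    DIR *proc = opendir("/proc"); if (!proc) return -1;
    while (found < 0 && (p = readdir(proc)) != NULL) {
        pid = strtol(p->d_name, &end, 10);
        if (*end || pid <= 0) continue;                    /* not a /proc/PID directory */
        snprintf(path, sizeof path, "/proc/%ld/fd", pid);
        DIR *fds = opendir(path); if (!fds) continue;      /* EACCES on other users' processes: skip */
        while (found < 0 && (f = readdir(fds)) != NULL) {
            snprintf(path, sizeof path, "/proc/%ld/fd/%s", pid, f->d_name);
            ssize_t len = readlink(path, target, sizeof target - 1);
            if (len > 0) { target[len] = '\0'; if (strcmp(target, want) == 0) found = pid; }
        }
        closedir(fds);
    }
    closedir(proc);
    return found;
}

int main(void)
{
    FILE *fp = fopen("/proc/net/tcp", "r");
    if (!fp) { perror("fopen /proc/net/tcp"); return 1; }
    char line[4096]; struct tcp_row r;                     /* hard cap on line length */
    while (fgets(line, sizeof line, fp))
        if (parse_tcp_row(line, &r) && is_wildcard_listen(&r))
            printf("EXPOSED 0.0.0.0:%u inode=%lu pid=%ld\n", r.local_port, r.inode, pid_for_socket_inode(r.inode));
    fclose(fp); return 0;
}
```

A pid of -1 means no readable /proc/PID/fd held that inode, which for an unprivileged run usually means the socket belongs to another user; run as root to resolve everything.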

Line by line

#include <stdio.h>
#include <string.h>
int main(void)
{
    FILE *fp = fopen("/proc/self/status", "r");
    if (!fp) { perror("fopen"); return 1; }
    char line[256];                                   /* status lines are short; cap anyway */
    while (fgets(line, sizeof line, fp)) {
        if (strncmp(line, "VmRSS:", 6) == 0) printf("%s", line);   /* resident set size of this process */
    }
    fclose(fp);
    return 0;
}

Common mistakes

  • Reading /proc files with seek/pread. Many are 'cursor-driven': read them sequentially from the start.

Debugging tips

Compare your parser against ps, ss, top, cat /proc/.... If your output diverges, it's a parse bug.

Memory safety

Lines in /proc/* are bounded, but defensive code caps them at 4 KB anyway.

Real-world uses

auditd, osquery, falco, every Linux observability agent, every container introspection tool.

Practice tasks

  1. Print every process's PID + cmdline.
  2. Flag any LISTEN on 0.0.0.0.
  3. Print the RSS of /proc/self.

Summary

/proc is the kernel's introspection filesystem. The forensic Swiss Army knife for Linux defenders.
