Detect processes running from deleted executables.
When malware unlinks its own binary after launching, the process keeps running,
but the /proc/<pid>/exe symlink (backed by mm->exe_file->f_path->dentry->d_name)
now resolves to a path ending in (deleted). This is a strong indicator of malicious activity.
MITRE ATT&CK: T1070.004 — Indicator Removal: File Deletion.
Legitimate cases include package manager upgrades (apt, dpkg, yum, dnf, rpm) where the old binary is replaced while the process is still running, and kernel threads with empty exe paths.
Re-exports
pub use crate::heuristics::classify_deleted_exe;
Structs
- DeletedExeFinding - A lightweight finding produced by the pure-logic deleted-exe classifier, suitable for use without a full memory-image reader.
- DeletedExeInfo - Information about a process whose executable may have been deleted.
Functions
- is_deleted_exe - Returns true if exe_path carries a (deleted) suffix.
- strip_deleted_suffix - Returns the path with any (deleted) suffix stripped, trimming the trailing whitespace that the kernel inserts before the marker.
- walk_deleted_exe - Walk the task list and detect processes running from deleted executables.
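To make the suffix helpers and the benign-case handling from the module description concrete, here is an added example that is not the crate's own code. It reimplements is_deleted_exe and strip_deleted_suffix over a constructed task list and applies one possible reading of the package-manager heuristic: a deleted exe is treated as a likely upgrade only when a package manager is on the task list and a fresh file already sits at the original path. The TaskSample, Finding and Verdict types, the path_exists parameter and every sample value are assumptions of this example, not the crate's API.

```rust
/// Marker the kernel appends to /proc/<pid>/exe once the backing file is unlinked.
const DELETED_MARKER: &str = "(deleted)";

/// Package managers whose in-place upgrades legitimately leave a running
/// process pointing at a deleted binary (the benign cases the module names).
const PACKAGE_MANAGERS: &[&str] = &["apt", "dpkg", "yum", "dnf", "rpm"];

/// One task as it would appear on the task list. Constructed sample data for
/// this example; nothing here is read from /proc.
#[derive(Debug, Clone)]
pub struct TaskSample {
    pub pid: u32,
    pub comm: String,
    pub exe_path: String,
}

/// How a deleted-exe task was classified (hypothetical type, not the crate's).
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    /// A package manager is running and a new file exists at the original path.
    LikelyUpgrade,
    /// Deleted executable with no benign explanation; worth investigating.
    Suspicious,
}

/// Result for one flagged task (hypothetical type, not the crate's).
#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub pid: u32,
    pub comm: String,
    pub original_path: String,
    pub verdict: Verdict,
}

/// Returns true if the exe path carries the kernel's (deleted) suffix.
pub fn is_deleted_exe(exe_path: &str) -> bool {
    exe_path.trim_end().ends_with(DELETED_MARKER)
}

/// Strips the (deleted) marker and the whitespace the kernel inserts before it.
/// Paths without the marker are returned unchanged.
pub fn strip_deleted_suffix(exe_path: &str) -> &str {
    match exe_path.trim_end().strip_suffix(DELETED_MARKER) {
        Some(rest) => rest.trim_end(),
        None => exe_path,
    }
}

/// Walk the sampled task list and flag tasks running from deleted executables.
/// `path_exists` abstracts the on-disk check so the example runs without /proc.
pub fn walk_deleted_exe<F>(tasks: &[TaskSample], path_exists: F) -> Vec<Finding>
where
    F: Fn(&str) -> bool,
{
    // An upgrade is only plausible if a package manager is currently on the task list.
    let upgrade_in_progress = tasks
        .iter()
        .any(|t| PACKAGE_MANAGERS.contains(&t.comm.as_str()));

    tasks
        .iter()
        .filter(|t| !t.exe_path.is_empty()) // kernel threads carry no exe path
        .filter(|t| is_deleted_exe(&t.exe_path))
        .map(|t| {
            let original = strip_deleted_suffix(&t.exe_path).to_string();
            // Replaced-in-place binaries leave a new file at the same path;
            // a self-deleting binary leaves nothing behind.
            let verdict = if upgrade_in_progress && path_exists(&original) {
                Verdict::LikelyUpgrade
            } else {
                Verdict::Suspicious
            };
            Finding { pid: t.pid, comm: t.comm.clone(), original_path: original, verdict }
        })
        .collect()
}

/// Constructed task list: a kernel thread, a daemon mid-upgrade, the package
/// manager doing the upgrade, and a process whose binary vanished from /tmp.
pub fn sample_tasks() -> Vec<TaskSample> {
    let mk = |pid, comm: &str, exe: &str| TaskSample {
        pid,
        comm: comm.to_string(),
        exe_path: exe.to_string(),
    };
    vec![
        mk(2, "kthreadd", ""),
        mk(912, "sshd", "/usr/sbin/sshd (deleted)"),
        mk(930, "dpkg", "/usr/bin/dpkg"),
        mk(4411, "updater", "/tmp/.cache/updater (deleted)"),
    ]
}

fn main() {
    // Pretend only the reinstalled sshd binary exists on disk.
    let findings = walk_deleted_exe(&sample_tasks(), |p| p == "/usr/sbin/sshd");
    for f in &findings {
        println!("pid {} ({}) {} -> {:?}", f.pid, f.comm, f.original_path, f.verdict);
    }
}
```

The on-disk check is deliberately passed in as a closure: in a live memory-forensics or eBPF setting the caller decides how to verify the path, and the classifier stays testable with fixed inputs.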