
Module proc_cmdline


Pure-logic process command-line parsing and forensic classification.

Parses /proc/<pid>/cmdline-style byte slices (NUL-separated argv fields) into a structured ProcessCmdline and provides heuristic classifiers for common attacker-controlled process patterns (SSH tunnels, cryptominers).

Structs

ProcessCmdline
Parsed process command line.

Functions

is_miner_cmdline
Returns true if this cmdline looks like a cryptominer.
is_ssh_tunnel_cmdline
Returns true if this cmdline looks like an SSH port-forwarding tunnel.
parse_proc_cmdline
Parse a /proc/<pid>/cmdline byte slice (NUL-separated fields) into a ProcessCmdline.
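The following is an added example, not code from the crate this module belongs to. It shows what a parser and classifier of this shape look like end to end: NUL-separated argv fields parsed into a struct, a forwarding-flag heuristic for SSH tunnels, and a stratum-endpoint heuristic for pool miners. The item names mirror the module's public items, but the struct's fields (`argv`), the function signatures, the `program()` helper, the `sample_cmdline` builder and the specific heuristic rules are all assumptions made for illustration; the sample command lines are constructed.

```rust
// Added example, not the crate's own code. Names mirror the module's public
// items, but the struct's fields, the function signatures and the heuristic
// rules are assumptions made for illustration.

/// Parsed process command line (assumed shape: just the argv fields).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ProcessCmdline {
    pub argv: Vec<String>,
}

impl ProcessCmdline {
    /// Basename of argv[0] ("/usr/bin/ssh" -> "ssh"), or None for an empty
    /// cmdline (kernel threads and zombies expose an empty file).
    pub fn program(&self) -> Option<&str> {
        self.argv
            .first()
            .map(|a| a.rsplit('/').next().unwrap_or(a.as_str()))
    }
}

/// Parse NUL-separated argv fields as found in /proc/<pid>/cmdline.
/// The kernel terminates every field with NUL, so exactly one trailing NUL is
/// stripped; interior empty fields (an empty argument) are preserved.
/// Non-UTF-8 bytes are replaced lossily so classification still works.
pub fn parse_proc_cmdline(raw: &[u8]) -> ProcessCmdline {
    let body = raw.strip_suffix(&[0u8]).unwrap_or(raw);
    let argv = if body.is_empty() {
        Vec::new()
    } else {
        body.split(|&b| b == 0)
            .map(|f| String::from_utf8_lossy(f).into_owned())
            .collect()
    };
    ProcessCmdline { argv }
}

/// Heuristic (assumed): the program is `ssh` and a short-option cluster
/// carries a forwarding flag (-L local, -R remote, -D dynamic SOCKS, -W stdio).
/// Only clusters are inspected ("-fNR", "-D1080"); separated values such as
/// "-l user" are never scanned, and "-o" options are skipped here because
/// they need their own parsing (otherwise "-oLogLevel" would match on 'L').
pub fn is_ssh_tunnel_cmdline(cmd: &ProcessCmdline) -> bool {
    if cmd.program() != Some("ssh") {
        return false;
    }
    cmd.argv.iter().skip(1).any(|arg| match arg.strip_prefix('-') {
        Some(cluster) if !cluster.starts_with('-') && !cluster.starts_with('o') => cluster
            .chars()
            .take_while(|c| c.is_ascii_alphabetic())
            .any(|c| matches!(c, 'L' | 'R' | 'D' | 'W')),
        _ => false,
    })
}

/// Heuristic (assumed): any argument names a stratum mining-pool endpoint,
/// the protocol scheme pool miners use regardless of what the binary is called.
pub fn is_miner_cmdline(cmd: &ProcessCmdline) -> bool {
    cmd.argv.iter().any(|a| {
        let a = a.to_ascii_lowercase();
        a.contains("stratum+tcp://") || a.contains("stratum+ssl://")
    })
}

/// Build a kernel-style cmdline (each field NUL-terminated) from fields.
/// Used only to construct sample data for the demonstration.
pub fn sample_cmdline(fields: &[&str]) -> Vec<u8> {
    let mut raw = Vec::new();
    for f in fields {
        raw.extend_from_slice(f.as_bytes());
        raw.push(0);
    }
    raw
}

fn main() {
    // Constructed samples: a reverse tunnel, an ordinary login, a pool miner.
    let samples = [
        sample_cmdline(&["/usr/bin/ssh", "-fN", "-R", "2222:localhost:22", "user@203.0.113.7"]),
        sample_cmdline(&["ssh", "-l", "admin", "bastion.example"]),
        sample_cmdline(&["/tmp/miner", "-o", "stratum+tcp://pool.example:3333"]),
    ];
    for raw in &samples {
        let cmd = parse_proc_cmdline(raw);
        println!(
            "{:?}: tunnel={} miner={}",
            cmd.argv,
            is_ssh_tunnel_cmdline(&cmd),
            is_miner_cmdline(&cmd)
        );
    }
}
```

Two parsing details matter for forensic use: stripping exactly one trailing NUL (rather than discarding all empty fields) keeps an intentionally empty argument visible, and lossy UTF-8 decoding means a process that embeds arbitrary bytes in its argv cannot make the parser fail and thereby escape classification. Both heuristics are deliberately narrow, and a real classifier would also handle `-o LocalForward=...` style options and alternative stratum schemes.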