i been wondering.
   consider if program executes this call
   
   execl("/bin/sh", "echo", NULL);
   
   Say this was remote backdoor then the "echo" is used to mask the fact
   that there is a shell running.
   I tried this but ps program displayed.   echo (sh)
   I wonder where that (sh)  came from.

it comes from the p_comm field of struct proc.  see <sys/proc.h>

   Also is there an easy way to circumvent addition of that (sh)?  What if
   process forks does it stay?

sorry, you can't change it.  i believe it stays the same after fork().


.mrg.