Linternals SysInternals for Linux A set of tool for system analysis and malware hunting on Linux Idan Mosseri & Roy Regev Supervisor: Mr. Shlomi Boutnaru

What is Linternals? A tool set for monitoring and managing the Linux operation system Linternals may be remotely deployed, enabling a network admin to monitor activity in multiple computer endpoints and servers remotely. Linternals may be used for a verity of purposes including active malware analysis and detection, debugging and performance analysis. While the Linux shell employs many useful tools for such purposes, Linternals graphic UI and data arrangement allows its user access and asses its data with greater ease and without a need to be present at the monitored system vicinity. Linternals Monitoring API may used in the future together with AI to achieve big scale data analysis and malware hunting.

Linternals main tools are Process Explorer - A set of tool to observe and manage the Linux System. Process Monitor – An efficient Monitoring tool for seeing every little detail of the systems live activity. 3

Process Explorer What does it do? How does it help the user? Process Explorer displays real time information on all the processes currently running in the system. I further allows the user to obtain more detailed information about processes of interest. How does it help the user? This data may be used to asses the systems resource management and inspect processes of interest, asses the processes data and CPU usage, target specific information and even inspect its environment and strings. Lets take a look at its modules.

Process Explorers - Main display

Process Explorers - Main display This display shows a list of all the processes currently running in the system and their PID, PPID, effective user, run time and CPU and memory usage. More fields may be added and discarded and all fields support sorting and filtering according the users needs. We can kill a selected process The tabs at the bottom offer more detailed information on the currently selected process in the list. Lets take a closer look at what information they have to offer.

Process Explorer - Image offers general details like the processes path and current working directory.

Process Explorer - Performance Offers Performance information, like CPU usage, kernel and user CPU time, memory allocation details, io statistics and the number of file descriptors used by the given process.

Process Explorer - Performance Graph This module offers similar information of that of the performance module but displayed in a graphic interface also showing the processes behavior over time.

Process Explorer - Network This module shows all the network connections currently owned by the process.

Process Explorer - Security Displays all the users and groups associated with the given process and their info

Process Explorer – Environment Shows the processes runtime environment

Process Explorer - Strings Display all the readable strings currently in the processes memory and executable.

Process Explorer - File Descriptors This module shows all the file descriptors being used by the processes and their information.

Process Explorer - Threads Shows all Threads running under the given process and their information

Process Monitor What does it do? How does it help the user? Captures All system call and kernel events from Linux kernel How does it help the user? By capturing all system calls and kernel events the user can troubleshoot or debug a process performance by seeing its system activity. It may be used to monitor a users or a suspicious processes activity and find animalities. Monitoring network and file system – we can see exactly what has been transferred/written by who and when has it happened. Filters may be used to refine the search for an anomality.

Process Monitor

Technologies and concepts Data retrieval Most of the data we use is obtained by reading, parsing and cross examining the /proc pseudo file system and other Linux databases and file pseudo file systems like /etc. data in the process monitor is obtained using sysdig. Technologies The back end Monitor (performs the data retrieval and parsing) is written in Node.js allowing efficient and easy access IO. For the front end Client we use Angular 4 which allows us to efficiently compartmentalize the UI and bind the data received form the monitor the UI. Thus showing live data with no need to refresh the page and allowing us to easily add more modules in the future if need be. Throughout the whole code we used RxJS streams, observables, subjects and promises to allow concurrent execution of asynchronous operations such as reading files and manipulating data. Thus minimizing reaction time and improving performance.

Challenges and overcoming them Parallel and asynchronous behaviors. Dealing with lots and lots of asynchronous calls and multiple sets of data and once while preserving parallelism of asynchronous calls is a tricky thing. It took us a long time to fully understand and master the correct use of observables, streams and promises in order to accomplish these tasks The Linux kernel Navigating and understanding the Linux kernel in not an easy task. For that we want to thank our Supervisor Shlomi, for guiding us through it all. Making everything look as it should It often goes unmentioned but making everything look nice and tidy and making the UI user friendly is also a challenge by its self.

Possible Additions and the modularity This program is written in such a way that the monitoring (data mining) and displays are independent of each other. This makes it essay to add further modules in the future such as AI modules that may automatically asses the data report anomality's and perform complex data analysis on it. A Database framework may be added to allow inspection of historic data and log the systems activity.

Linternals SysInternals for Linux Thank you for listening! A set of tool for system analysis and malware hunting on Linux Idan Mosseri & Roy Regev Supervisor: Mr. Shlomi Boutnaru