Linternals SysInternals for Linux


Linternals: SysInternals for Linux. A set of tools for system analysis and malware hunting on Linux. Idan Mosseri & Roy Regev. Supervisor: Mr. Shlomi Boutnaru

What is Linternals? A tool set for monitoring and managing the Linux operating system. Linternals may be deployed remotely, enabling a network admin to monitor activity on multiple endpoints and servers from one place. Linternals may be used for a variety of purposes, including live malware analysis and detection, debugging and performance analysis. While the Linux shell offers many useful tools for such purposes, Linternals' graphical UI and data arrangement let the user access and assess the data with greater ease and without needing to be physically at the monitored system. The Linternals monitoring API may be combined in the future with AI to achieve large-scale data analysis and malware hunting.

Linternals' main tools are: Process Explorer, a set of tools to observe and manage the Linux system; and Process Monitor, an efficient monitoring tool for seeing every detail of the system's live activity.

Process Explorer. What does it do? Process Explorer displays real-time information on all the processes currently running in the system. It further allows the user to obtain more detailed information about processes of interest. How does it help the user? This data may be used to assess the system's resource management and inspect processes of interest: assess a process's data and CPU usage, target specific information, and even inspect its environment and strings. Let's take a look at its modules.

Process Explorer - Main display

Process Explorer - Main display. This display shows a list of all the processes currently running in the system with their PID, PPID, effective user, run time, and CPU and memory usage. More fields may be added or discarded, and all fields support sorting and filtering according to the user's needs. A selected process can be killed from here. The tabs at the bottom offer more detailed information on the process currently selected in the list. Let's take a closer look at what information they have to offer.

Process Explorer - Image. Offers general details like the process's executable path and current working directory.

Process Explorer - Performance. Offers performance information, like CPU usage, kernel and user CPU time, memory allocation details, I/O statistics and the number of file descriptors used by the given process.

Process Explorer - Performance Graph. This module offers similar information to that of the Performance module, but displayed graphically, also showing the process's behaviour over time.

Process Explorer - Network This module shows all the network connections currently owned by the process.

Process Explorer - Security. Displays all the users and groups associated with the given process and their details.

Process Explorer - Environment. Shows the process's runtime environment variables.

Process Explorer - Strings. Displays all the readable strings currently in the process's memory and executable.

Process Explorer - File Descriptors. This module shows all the file descriptors being used by the process and their details.

Process Explorer - Threads. Shows all threads running under the given process and their details.

Process Monitor. What does it do? Captures all system calls and kernel events from the Linux kernel. How does it help the user? By capturing all system calls and kernel events, the user can troubleshoot or debug a process's performance by seeing its system activity. It may be used to monitor a user's or a suspicious process's activity and find anomalies. By monitoring network and file system activity we can see exactly what has been transferred or written, by whom, and when it happened. Filters may be used to refine the search for an anomaly.

Process Monitor

Technologies and concepts. Data retrieval: most of the data we use is obtained by reading, parsing and cross-referencing the /proc pseudo file system together with other Linux databases and regular configuration files under /etc. Data in Process Monitor is obtained using sysdig. Technologies: the back-end Monitor (which performs the data retrieval and parsing) is written in Node.js, allowing efficient and easy asynchronous I/O. For the front-end Client we use Angular 4, which allows us to compartmentalize the UI and bind the data received from the Monitor to the UI, thus showing live data with no need to refresh the page and allowing us to easily add more modules in the future if need be. Throughout the code we used RxJS streams, observables, subjects and promises to allow concurrent execution of asynchronous operations such as reading files and manipulating data, thus minimizing reaction time and improving performance.

Challenges and overcoming them. Parallel and asynchronous behaviour: dealing with a great many asynchronous calls and multiple data sets at once, while preserving the parallelism of those calls, is tricky. It took us a long time to fully understand and master the correct use of observables, streams and promises in order to accomplish these tasks. The Linux kernel: navigating and understanding the Linux kernel is not an easy task. For that we want to thank our supervisor Shlomi for guiding us through it all. Making everything look as it should: it often goes unmentioned, but making everything look neat and tidy and making the UI user friendly is also a challenge by itself.

Possible additions and modularity. This program is written in such a way that the monitoring (data mining) and the displays are independent of each other. This makes it easy to add further modules in the future, such as AI modules that automatically assess the data, report anomalies and perform complex analysis on it. A database framework may be added to allow inspection of historic data and to log the system's activity.

Linternals: SysInternals for Linux. Thank you for listening! A set of tools for system analysis and malware hunting on Linux. Idan Mosseri & Roy Regev. Supervisor: Mr. Shlomi Boutnaru