Linternals SysInternals for Linux


1 Linternals SysInternals for Linux
A set of tools for system analysis and malware hunting on Linux. Idan Mosseri & Roy Regev. Supervisor: Mr. Shlomi Boutnaru

2 What is Linternals? A tool set for monitoring and managing the Linux operating system. Linternals may be deployed remotely, enabling a network admin to monitor activity on multiple endpoints and servers from a distance. Linternals may be used for a variety of purposes, including active malware analysis and detection, debugging and performance analysis. While the Linux shell offers many useful tools for such purposes, Linternals' graphical UI and data arrangement let its user access and assess the data with greater ease, without needing to be physically present at the monitored system. The Linternals Monitoring API may in the future be combined with AI to achieve large-scale data analysis and malware hunting.

3 Linternals' main tools are
Process Explorer - A set of tools to observe and manage the Linux system.
Process Monitor - An efficient monitoring tool for seeing every little detail of the system's live activity.

4 Process Explorer What does it do? How does it help the user?
Process Explorer displays real-time information on all the processes currently running in the system. It further allows the user to obtain more detailed information about processes of interest. How does it help the user? This data may be used to assess the system's resource management and inspect processes of interest: assess a process's data and CPU usage, target specific information, and even inspect its environment and strings. Let's take a look at its modules.

5 Process Explorers - Main display

6 Process Explorers - Main display
This display shows a list of all the processes currently running in the system, with their PID, PPID, effective user, run time, and CPU and memory usage. More fields may be added or discarded, and all fields support sorting and filtering according to the user's needs. We can kill a selected process. The tabs at the bottom offer more detailed information on the process currently selected in the list. Let's take a closer look at what information they have to offer.

7 Process Explorer - Image
Offers general details like the process's path and current working directory.

8 Process Explorer - Performance
Offers performance information, like CPU usage, kernel and user CPU time, memory allocation details, I/O statistics and the number of file descriptors used by the given process.

9 Process Explorer - Performance Graph
This module offers similar information to that of the Performance module, but displayed graphically, which also shows the process's behavior over time.

10 Process Explorer - Network
This module shows all the network connections currently owned by the process.

11 Process Explorer - Security
Displays all the users and groups associated with the given process and their info.

12 Process Explorer – Environment
Shows the process's runtime environment.

13 Process Explorer - Strings
Displays all the readable strings currently in the process's memory and executable.

14 Process Explorer - File Descriptors
This module shows all the file descriptors being used by the process and their information.

15 Process Explorer - Threads
Shows all threads running under the given process and their information.

16 Process Monitor What does it do? How does it help the user?
Captures all system calls and kernel events from the Linux kernel.
How does it help the user? By capturing all system calls and kernel events, the user can troubleshoot or debug a process's performance by seeing its system activity. It may be used to monitor a user's or a suspicious process's activity and find anomalies. Monitoring the network and file system, we can see exactly what has been transferred or written, by whom, and when it happened. Filters may be used to refine the search for an anomaly.

17 Process Monitor

18 Technologies and concepts
Data retrieval: Most of the data we use is obtained by reading, parsing and cross-examining the /proc pseudo file system and other Linux data sources and file systems such as /etc. Data in Process Monitor is obtained using sysdig.
Technologies: The back-end Monitor (which performs the data retrieval and parsing) is written in Node.js, allowing efficient and easy I/O access. For the front-end Client we use Angular 4, which allows us to compartmentalize the UI efficiently and bind the data received from the Monitor to the UI. This shows live data with no need to refresh the page and lets us easily add more modules in the future if need be. Throughout the code we used RxJS streams, observables, subjects and promises to allow concurrent execution of asynchronous operations such as reading files and manipulating data, thus minimizing reaction time and improving performance.
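The /proc parsing described above, as an added Node.js example that is not Linternals' own code: it builds one Process Explorer row (PID, PPID, command, effective user, CPU time, run time, RSS) from the contents of /proc/<pid>/stat and /proc/<pid>/status plus the uptime from /proc/uptime. The function names, the 100 Hz clock-tick default and the sample file contents are assumptions constructed for the example.

```javascript
// Added example (not Linternals code): build a Process Explorer-style row from
// the /proc files a Linux monitor parses. Sample inputs below are constructed.

// /proc/<pid>/stat is "pid (comm) state ppid ..." and comm may itself contain
// spaces and parentheses, so anchor on the LAST ')' before splitting on whitespace.
function parseStat(text) {
  const open = text.indexOf('(');
  const close = text.lastIndexOf(')');
  if (open < 0 || close < open) throw new Error('malformed /proc/<pid>/stat');
  const f = text.slice(close + 1).trim().split(/\s+/); // f[0] is field 3 (state)
  return {
    pid: parseInt(text.slice(0, open), 10),
    comm: text.slice(open + 1, close),
    state: f[0],
    ppid: parseInt(f[1], 10),
    utimeTicks: parseInt(f[11], 10),     // proc(5) field 14
    stimeTicks: parseInt(f[12], 10),     // field 15
    startTimeTicks: parseInt(f[19], 10), // field 22: clock ticks after boot
    rssPages: parseInt(f[21], 10),       // field 24
  };
}

// /proc/<pid>/status holds "Uid:\treal\teffective\tsaved\tfs"; the Security tab
// wants the effective uid, which differs from the real one for setuid programs.
function parseEffectiveUid(statusText) {
  const m = /^Uid:\s+(\d+)\s+(\d+)/m.exec(statusText);
  if (!m) throw new Error('no Uid line in /proc/<pid>/status');
  return parseInt(m[2], 10);
}

// clockTicks is sysconf(_SC_CLK_TCK); 100 is assumed as the usual Linux value.
// uptimeSeconds is the first number in /proc/uptime on a live system.
function processRow(statText, statusText, uptimeSeconds, clockTicks = 100) {
  const s = parseStat(statText);
  return {
    pid: s.pid, ppid: s.ppid, comm: s.comm, state: s.state,
    euid: parseEffectiveUid(statusText),
    cpuSeconds: (s.utimeTicks + s.stimeTicks) / clockTicks,
    runTimeSeconds: uptimeSeconds - s.startTimeTicks / clockTicks,
    rssPages: s.rssPages,
  };
}

// Constructed sample: comm contains spaces and parentheses, and the effective
// uid (0) differs from the real uid (1000), the setuid case an analyst cares about.
const SAMPLE_STAT = '4242 (my (odd) proc) S 1 4242 4242 0 -1 4194560 12 0 0 0 150 50 0 0 20 0 3 0 123400 10485760 512 18446744073709551615';
const SAMPLE_STATUS = 'Name:\tmy (odd) proc\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t1\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n';
```

On a live Linux host the same functions take `fs.readFileSync('/proc/' + pid + '/stat', 'utf8')` and `fs.readFileSync('/proc/' + pid + '/status', 'utf8')` as input; a naive split on whitespace would misalign every column after a command name containing spaces.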

19 Challenges and overcoming them
Parallel and asynchronous behaviors: Dealing with lots and lots of asynchronous calls and multiple sets of data at once, while preserving the parallelism of the asynchronous calls, is a tricky thing. It took us a long time to fully understand and master the correct use of observables, streams and promises in order to accomplish these tasks.
The Linux kernel: Navigating and understanding the Linux kernel is not an easy task. For that we want to thank our supervisor Shlomi for guiding us through it all.
Making everything look as it should: It often goes unmentioned, but making everything look nice and tidy and making the UI user-friendly is a challenge by itself.

20 Possible Additions and the modularity
This program is written in such a way that the monitoring (data mining) and the displays are independent of each other. This makes it easy to add further modules in the future, such as AI modules that may automatically assess the data, report anomalies and perform complex analysis on it. A database framework may be added to allow inspection of historic data and to log the system's activity.

21 Linternals SysInternals for Linux
Thank you for listening! A set of tools for system analysis and malware hunting on Linux. Idan Mosseri & Roy Regev. Supervisor: Mr. Shlomi Boutnaru

