RUN TIME PROGRAM BEHAVIOUR


1 RUN TIME PROGRAM BEHAVIOUR
Course Code: CSCI-620
Course Description: OPERATING SYSTEMS SECURITY
Exercise 2: Session: 1 Duration: min
Lecture Unit: CSN1
Topic: Process Parameter Tracking, Interrupts and Process Killing
Author: Prof. R. A. Mihajlović
Exercise 2 Copyright © R. A. Mihajlovic, Brooklyn, NY, USA, Reproduction is prohibited

2 CSCI-620 Operating systems security
Exercises:
- Running program inspection: standard utilities/tools (Windows Task Manager) and non-standard tools (Russinovich's Process Explorer)
- Running program environment
- Tracking down a running program's original file
- User mode and kernel execution mode
- Process "killing"

3 Exercise 1: Windows Task Manager
On your Windows computer press Ctrl-Alt-Del; this keyboard-generated interrupt starts the Windows Task Manager utility.

4 CSCI-620 Operating systems security
Exercise 1: Start a new program: Start | Run | notepad.exe. Observe the new task running on the list.

5 Exercise 1: Task Parameters
The Processes option displays the default set of parameters: Image name (the memory image of a program), User name, CPU usage, and Memory usage.

6 CSCI-620 Operating systems security
Exercise 1: The Performance option shows very low CPU usage. A typical infected or viral program would show maximal CPU usage.

7 Exercise 1: Customize View
The default parameter list may be changed (Task Manager may be reconfigured). Select: View | Select Columns

8 CSCI-620 Operating systems security
What is Security? Change the default selection to a new list of parameters to track.

9 CSCI-620 Operating systems security
Exercise 1: The new list shows some I/O activity of notepad.exe.

10 CSCI-620 Operating systems security
Question 1: What are the above selected process parameters? (Hint: use Google or any other literature and write definitions of all of the above running-program parameters.)
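The Task Manager columns used in Exercise 1 can be rebuilt from the command line, which makes the "low CPU versus maximal CPU" observation on the Performance slide measurable rather than eyeballed. The following PowerShell is an added example for this exercise, not code from the course or from Microsoft; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the 90% threshold used to flag a process is an assumption for the example.

```powershell
# Added example, not from the course slides: rebuild the Task Manager columns
# (image name, user name, CPU, memory, I/O) for a named process and flag the
# "maximal CPU usage" condition the exercise describes. Assumes Windows
# PowerShell 5.1 or PowerShell 7 on Windows; the 90% threshold is an assumption.

function Get-TaskView {
    param([string]$Name = 'notepad')
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        # Win32_Process carries the owner and the I/O byte counters that the
        # .NET Process object does not expose.
        $cim   = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
        $owner = Invoke-CimMethod -InputObject $cim -MethodName GetOwner
        [pscustomobject]@{
            ImageName    = $cim.Name
            PID          = $p.Id
            UserName     = '{0}\{1}' -f $owner.Domain, $owner.User
            CpuSeconds   = [math]::Round($p.TotalProcessorTime.TotalSeconds, 2)
            MemoryKB     = [int]($p.WorkingSet64 / 1KB)
            IOReadBytes  = $cim.ReadTransferCount
            IOWriteBytes = $cim.WriteTransferCount
        }
    }
}

function Get-CpuPercent {
    # Task Manager's CPU column is a rate: processor time consumed during a
    # sampling interval, divided by the number of logical processors.
    param([int]$ProcessId, [int]$SampleMs = 1000)
    $p  = Get-Process -Id $ProcessId -ErrorAction Stop
    $t0 = $p.TotalProcessorTime
    Start-Sleep -Milliseconds $SampleMs
    $p.Refresh()
    $delta = ($p.TotalProcessorTime - $t0).TotalMilliseconds
    [math]::Round(100 * $delta / ($SampleMs * [Environment]::ProcessorCount), 1)
}

# Usage: start the test program, inspect it, then sample its CPU rate.
Start-Process notepad.exe
Start-Sleep -Seconds 1
Get-TaskView -Name notepad | Format-Table -AutoSize
foreach ($p in Get-Process -Name notepad) {
    $pct = Get-CpuPercent -ProcessId $p.Id
    # An idle editor sits near 0%; a process pinned near 100% deserves a look.
    $flag = if ($pct -ge 90) { 'HIGH CPU - inspect' } else { 'ok' }
    '{0} PID {1}: {2}% CPU ({3})' -f $p.ProcessName, $p.Id, $pct, $flag
}
```

The CPU figure is computed over one sampling interval, the same way Task Manager computes its column; a single high sample is a prompt to look closer, not a verdict, since a legitimate compile or video encode saturates a core just as readily.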

11 Exercise 2: ProcessExplorer
Download the non-standard (third-party supplied) Windows utility ProcessExplorer from:

12 CSCI-620 Operating systems security
Exercise 2: Programs are loaded into memory from the system's mass storage. Programs may also be loaded into system memory from a remote networked source.

13 Exercise 2: Remote Code Source
Loading programs from "far away", across the Internet, is dangerous. Some programs, like Mark Russinovich's great Windows system utilities, are an exception.

14 Exercise 2: Load remote Program
Just to experiment, download the ProcExp.exe tool.

15 CSCI-620 Operating systems security
Exercise 2: Accept security and legal warnings.

16 CSCI-620 Operating systems security
Exercise 2: Start the notepad.exe test program.

17 CSCI-620 Operating systems security
Exercise 2: Inspect test program parameters.

18 CSCI-620 Operating systems security
Exercise 2: Inspect test program parameters.

19 Exercise 2: Program Environment
Inspect the program execution environment. The OS provides every running program with a number of environment variable values.

20 Exercise 2: User, Kernel & Lib Code
This running program executes three sorts of code: its own (user) code, OS or kernel service code, and dynamic library (DLL) code.

21 Exercise 2: Kernel's File Location
To find the executable file of the kernel that supports the running program with services, select Module.

22 CSCI-620 Operating systems security
Question 2.1: Find the location of all program team members. Where in the file system are the programs notepad.exe, ntdll.dll, and kernel32.dll?

23 CSCI-620 Operating systems security
Question 2.2: Use your system. How many items are there on the run-time stack of notepad.exe?

24 CSCI-620 Operating systems security
Question 2.2: Use your system. How much time has your application notepad.exe spent in: User mode, and Kernel mode?
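The module-location and user/kernel-time questions of Exercise 2 can be answered from the command line as well as from Process Explorer, and the command-line form lets you add the two checks a defender actually wants when "tracking down a running program's original file": whether each loaded image sits under the Windows directory and whether it carries a valid Authenticode signature. The following PowerShell is an added example, not code from the course or from Sysinternals; it assumes Windows PowerShell 5.1 or PowerShell 7 running with the same bitness as the inspected process (so its module list is visible), and it assumes the classic notepad.exe; on newer Windows the Store-packaged Notepad lives outside the Windows directory, so a false InWindowsDir there is a prompt to look, not evidence of anything.

```powershell
# Added example, not from the course slides: locate the "program team members"
# (the main image plus the DLLs it loaded), record how much CPU time the process
# spent in user and kernel mode, and show the environment the OS hands a process.
# Assumes Windows PowerShell 5.1 or PowerShell 7 with the same bitness as the
# inspected process. The member list mirrors Question 2.1.

function Get-ProcessTeam {
    param(
        [string]$Name = 'notepad',
        [string[]]$Members = @('notepad.exe', 'ntdll.dll', 'kernel32.dll')
    )
    $p = Get-Process -Name $Name -ErrorAction Stop | Select-Object -First 1
    foreach ($m in $p.Modules) {
        if ($Members -notcontains $m.ModuleName) { continue }   # case-insensitive
        # Two checks a defender wants: does the file live under the Windows
        # directory, and does it carry a valid Authenticode signature?
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        [pscustomobject]@{
            Module       = $m.ModuleName
            Path         = $m.FileName
            InWindowsDir = $m.FileName.StartsWith("$env:SystemRoot\", [StringComparison]::OrdinalIgnoreCase)
            Signature    = $sig.Status   # 'Valid' for the Microsoft-signed system DLLs
        }
    }
}

function Get-ModeTime {
    # UserProcessorTime covers the program's own and DLL code;
    # PrivilegedProcessorTime covers time spent inside kernel service code.
    param([int]$ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction Stop
    [pscustomobject]@{
        PID      = $p.Id
        UserMs   = [math]::Round($p.UserProcessorTime.TotalMilliseconds, 1)
        KernelMs = [math]::Round($p.PrivilegedProcessorTime.TotalMilliseconds, 1)
    }
}

# Usage: start the test program, list its team members, then its mode times.
Start-Process notepad.exe
Start-Sleep -Seconds 1
Get-ProcessTeam | Format-Table -AutoSize
Get-Process -Name notepad | ForEach-Object { Get-ModeTime -ProcessId $_.Id }

# Get-Process does not expose another process's environment block, so show
# the one the OS gave this PowerShell process; a notepad.exe started from
# here inherits a copy of it.
[Environment]::GetEnvironmentVariables().GetEnumerator() |
    Sort-Object Name | Select-Object -First 5 | Format-Table -AutoSize
```

A DLL named ntdll.dll or kernel32.dll that resolves to a path outside the Windows directory, or whose signature status is anything but Valid, is exactly the kind of anomaly the "tracking down the original file" exercise is meant to surface; the stack-item count of Question 2.2 still needs Process Explorer's thread view, since neither cmdlet above walks a stack.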

25 Exercise 3: "Killing" a Process
Killing a process means sending a message to a running program to execute some sort of exit/EXIT system call and self-terminate. The UNIX C programming system API library provides the system service call function exit(n), which self-interrupts the running program and calls the IST/IH that knows how to terminate the process.

26 Exercise 3: "Killing" a Process
Select the notepad.exe process. Select Property | Window | Bring to Front to bring your application to the foreground (top window).

27 Exercise 3: "Killing" a Process
Select the Kill Process option from your process property menu. Watch as your application window disappears.

28 Exercise 4: "Killing" a Process
Download the custom process CLI utilities from: Un-archive all tools into the C:\pstools directory.

29 Exercise 4: "Killing" a Process
Un-archive all tools into the C:\pstools directory, and start the test application program notepad.exe.

30 Exercise 4: "Killing" a Process
Verify that notepad.exe is running and run the pslist.exe utility to get basic process parameters.

31 Exercise 4: "Killing" a Process
Using the UNIX-like command pskill.exe, "kill" the application process with PID=4048.

32 CSCI-620 Operating systems security
Question 4: Test all pslist and pskill options on a sample application program like notepad.exe. Can an application be pskill-ed remotely (on a remote computer)?
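Exercises 3 and 4 both end a process, Process Explorer through Kill Process and PsTools through pskill.exe, and both are forceful terminations. The following PowerShell is an added example for Exercise 4, not code from the course or from Sysinternals; it reproduces the pslist-style listing with built-in cmdlets, then ends the test process the way an operator should: ask it to exit cleanly first, escalate to the forced kill that pskill performs only if it ignores the request, and verify by start time rather than by PID alone, because Windows reuses PIDs. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the 3-second grace period is an assumption.

```powershell
# Added example, not from the course slides: the pslist/pskill exercise with
# built-in cmdlets. Lists the test process the way pslist would, asks it to
# exit cleanly, forces termination only if it does not, and verifies the PID
# is gone. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-PsListLike {
    param([string]$Name = 'notepad')
    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.ProcessName
            PID      = $_.Id
            Priority = $_.BasePriority
            Threads  = $_.Threads.Count
            Handles  = $_.HandleCount
            PrivKB   = [int]($_.PrivateMemorySize64 / 1KB)
            Started  = $_.StartTime
        }
    }
}

function Stop-TestProcess {
    param([int]$ProcessId, [int]$GraceMs = 3000)   # grace period is an assumption
    $p = Get-Process -Id $ProcessId -ErrorAction Stop
    # Record the start time: PIDs are reused, so the PID alone does not
    # identify a process once it has exited.
    $started = $p.StartTime
    # Step 1: polite request (WM_CLOSE to the main window), the same as closing
    # the window by hand. CloseMainWindow() returns $false for a windowless
    # process; WaitForExit() returns $false if the process is still alive
    # when the grace period ends (for example, a "Save changes?" prompt).
    $clean = $p.CloseMainWindow() -and $p.WaitForExit($GraceMs)
    if (-not $clean) {
        # Step 2: what pskill does - terminate without asking.
        Stop-Process -Id $ProcessId -Force
        $p.WaitForExit()
    }
    # Verify: the PID is absent, or now belongs to a process started later.
    $survivor = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $gone = ($null -eq $survivor) -or ($survivor.StartTime -ne $started)
    [pscustomobject]@{ PID = $ProcessId; ExitedCleanly = $clean; Gone = $gone }
}

# Usage: start notepad, list it, end it, confirm it is gone.
$n = Start-Process notepad.exe -PassThru
Start-Sleep -Seconds 1
Get-PsListLike | Format-Table -AutoSize
Stop-TestProcess -ProcessId $n.Id
Get-PsListLike   # prints nothing once the test process is gone
```

Type something into the Notepad window before running Stop-TestProcess and the clean close stalls on the "Save changes?" prompt, so the function falls through to the forced kill and reports ExitedCleanly as False; that is the difference between closing an application and killing it, and it is why a forced kill can leave unsaved data and half-written files behind.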

33 CSCI-620 Operating systems security
The End
