RUN TIME PROGRAM BEHAVIOUR
Course Code: CSCI-620
Course Description: OPERATING SYSTEMS SECURITY
Exercise 2, Session: 1, Duration: min
Lecture Unit: CSN1
Topic: Process Parameter Tracking, Interrupts and Process Killing
Author: Prof. R. A. Mihajlović
Copyright © R. A. Mihajlovic, Brooklyn, NY, USA. Reproduction is prohibited.
CSCI-620 Operating systems security

Exercises
- Running program inspection: standard utilities/tools (Windows Task Manager) and non-standard tools (Russinovich's Process Explorer)
- Running program environment
- Tracking down a running program's original file
- User mode and kernel execution mode
- Process "killing"
Exercise 2 Copyright © R. A. Mihajlovic, 2009
Exercise 1: Windows Task Manager
On your Windows computer press Ctrl-Alt-Del. This produces a keyboard-generated interrupt, which starts the Windows Task Manager utility.
Exercise 1
Start a new program: Start | Run | notepad.exe. Observe the new task running on the list.
Exercise 1: Task Parameters
The Processes option displays the default set of parameters: Image name (the memory image of a program), User name, CPU usage, and Memory usage.
Exercise 1
The Performance option shows very low CPU usage. A typical infected or viral program would show maximal CPU usage.
Exercise 1: Customize View
The default parameter list may be changed (Task Manager may be reconfigured). Select: View | Select Columns.
What is Security?
Change the default selection to a new list of parameters to track.
Exercise 1
The new list shows some I/O activity of notepad.exe.
Question 1
What are the above selected process parameters? (Hint: use Google or any other literature and write definitions of all of the above running program parameters.)
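The Task Manager columns used in Exercise 1 can also be read programmatically, which makes it easier to watch them over time than to eyeball the Processes tab. The following PowerShell script is an added example and is not part of the course slides: it samples the CPU usage of a running notepad.exe over a short window, the way the Performance tab does, and reads the I/O counters and owning account from the Win32_Process WMI class. The image name, the sample interval, the CPU threshold and the function name are assumptions chosen for this exercise.

```powershell
# Added example (not from the course slides). Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows and a running notepad.exe started as in Exercise 1.
# The image name, sample interval and CPU threshold are illustrative choices.

function Get-ProcessSnapshot {
    param(
        [string]$ImageName = 'notepad',   # process name without .exe
        [int]$SampleSeconds = 5,          # measurement window for CPU usage
        [double]$HighCpuPercent = 80      # threshold for the "suspicious" flag
    )

    # System.Diagnostics.Process: Task Manager's Image name, CPU and Memory columns
    $proc = Get-Process -Name $ImageName -ErrorAction Stop | Select-Object -First 1

    # CPU usage the way the Performance tab shows it: processor time consumed
    # during the window, divided by the wall-clock time available on all cores
    $t0 = $proc.TotalProcessorTime
    Start-Sleep -Seconds $SampleSeconds
    $proc.Refresh()                               # re-read counters from the OS
    $busyMs = ($proc.TotalProcessorTime - $t0).TotalMilliseconds
    $cpuPct = $busyMs / ($SampleSeconds * 1000 * [Environment]::ProcessorCount) * 100

    # Win32_Process carries the I/O counters Task Manager offers under
    # View | Select Columns, plus the owning account (the User name column)
    $cim   = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.Id)"
    $owner = Invoke-CimMethod -InputObject $cim -MethodName GetOwner

    [pscustomobject]@{
        ImageName     = "$($proc.ProcessName).exe"
        PID           = $proc.Id
        UserName      = "$($owner.Domain)\$($owner.User)"
        CpuPercent    = [math]::Round($cpuPct, 2)
        MemoryKB      = [math]::Round($proc.WorkingSet64 / 1KB)
        IOReads       = $cim.ReadOperationCount
        IOWrites      = $cim.WriteOperationCount
        IOReadBytes   = $cim.ReadTransferCount
        IOWriteBytes  = $cim.WriteTransferCount
        Handles       = $proc.HandleCount
        Threads       = $proc.Threads.Count
        # the slides' rule of thumb: sustained near-maximal CPU deserves a closer look
        SuspiciousCpu = ($cpuPct -ge $HighCpuPercent)
    }
}

Get-ProcessSnapshot | Format-List
```

An idle notepad.exe should report a CPU percentage near zero and small I/O counts; run the snapshot again while typing or saving a file to see the I/O counters move. The SuspiciousCpu flag only reproduces the slide's heuristic: high CPU is a reason to inspect a process, not proof that it is malicious.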
Exercise 2: Process Explorer
Download the non-standard Windows (third-party supplied) utility Process Explorer from:
Exercise 2
Programs are loaded into memory from the system's mass storage. Programs may also be loaded into system memory from a remote networked source.
Exercise 2: Remote Code Source
Loading programs from "far away", across the Internet, is dangerous. Some programs, like Mark Russinovich's great Windows system utility programs, are an exception.
Exercise 2: Load Remote Program
Just to experiment, download the ProcExp.exe tool.
Exercise 2
Accept the security and legal warnings.
Exercise 2
Start the notepad.exe test program.
Exercise 2
Inspect the test program parameters.
Exercise 2: Program Environment
Inspect the program execution environment. The OS provides every running program with a number of environment variable values.
Exercise 2: User, Kernel & Lib Code
This running program executes three sorts of code: its own (user) code, OS or kernel service code, and dynamic library (DLL) code.
Exercise 2: Kernel's File Location
To find the executable file of the kernel component that supports the running program with services, select Module.
Question 2.1
Find the location of all program team members. Where in the file system are the programs notepad.exe, ntdll.dll, and kernel32.dll?
Question 2.2
Use your system. How many items are there on the run-time stack of notepad.exe?
Question 2.2
Use your system. How much time has your application notepad.exe spent in user mode, and in kernel mode?
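The module, environment and user/kernel-time views of Process Explorer from the slides above can be cross-checked from PowerShell. The script below is an added example, not part of the course slides or of the Sysinternals tools: it lists where notepad.exe, ntdll.dll and kernel32.dll are loaded from, flags a system DLL that was loaded from outside the system directory, reports the process's user-mode and kernel-mode time, and summarises the environment block a new process inherits. The stack-depth question is left to Process Explorer, since PowerShell has no built-in stack view. The function name and the bitness assumption (a 32-bit PowerShell cannot enumerate the modules of a 64-bit process) are assumptions of this example.

```powershell
# Added example (not from the course slides). Assumes a running notepad.exe and a
# PowerShell whose bitness matches the target process. The helper name is illustrative.

function Get-ProgramTeam {
    param([string]$ImageName = 'notepad')

    $proc      = Get-Process -Name $ImageName -ErrorAction Stop | Select-Object -First 1
    $systemDir = [Environment]::SystemDirectory        # normally C:\Windows\System32
    $wanted    = @("$ImageName.exe", 'ntdll.dll', 'kernel32.dll')

    # Question 2.1: where on disk are the program and its kernel-service DLLs?
    # Process Explorer's module view answers this; here it is Process.Modules.
    $team = foreach ($m in $proc.Modules) {
        if ($m.ModuleName -in $wanted) {
            # ntdll/kernel32 loaded from anywhere but the system directory is a
            # red flag (DLL side-loading); the main image may legitimately live elsewhere
            $inSys = $null
            if ($m.ModuleName -like '*.dll') {
                $inSys = $m.FileName.StartsWith($systemDir, 'OrdinalIgnoreCase')
            }
            [pscustomobject]@{
                Module      = $m.ModuleName
                Path        = $m.FileName
                InSystemDir = $inSys
            }
        }
    }

    # Question 2.2: time spent in user mode versus kernel mode. Every system
    # service call switches the thread into the kernel, so kernel time grows
    # with I/O and other OS services, user time with the program's own code.
    $times = [pscustomobject]@{
        PID        = $proc.Id
        UserMode   = $proc.UserProcessorTime
        KernelMode = $proc.PrivilegedProcessorTime
        Total      = $proc.TotalProcessorTime
    }

    # Program Environment slide: the OS hands every new process an environment
    # block. A process started from this shell inherits a copy of this shell's
    # block, so the shell's own block is what we summarise here.
    $envBlock   = Get-ChildItem Env: | Sort-Object Name
    $envSummary = [pscustomobject]@{
        VariableCount = $envBlock.Count
        SystemRoot    = $env:SystemRoot
        Temp          = $env:TEMP
        PathEntries   = ($env:Path -split ';' | Where-Object { $_ }).Count
    }

    [pscustomobject]@{ Team = $team; Times = $times; Environment = $envSummary }
}

$result = Get-ProgramTeam
$result.Team        | Format-Table -AutoSize
$result.Times       | Format-List
$result.Environment | Format-List
```

On a standard installation the two DLLs resolve under the system directory and InSystemDir is True for both; a False there is worth investigating before anything else on the list. Run the script, type into notepad for a while, and run it again to watch the user-mode and kernel-mode times grow at different rates.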
Exercise 3: "Killing" a Process
Killing a process means sending a message to a running program to execute some sort of exit/EXIT system call and self-terminate. The UNIX C programming system API library provides the system service call function exit(n), which self-interrupts the running program and calls the IST/IH that knows how to terminate the process.
Exercise 3: "Killing" a Process
Select the notepad.exe process. Select the property Window and Bring to Front. Bring your application to the foreground (top window).
Exercise 3: "Killing" a Process
Select the Kill Process option from your process property menu. Watch as your application window disappears.
Exercise 4: "Killing" a Process
Download the custom process CLI utilities from:
Un-archive all tools in the C:\pstools directory.
Exercise 4: "Killing" a Process
Un-archive all tools in the C:\pstools directory, and start a test application program, notepad.exe.
Exercise 4: "Killing" a Process
Verify that notepad.exe is running and run the pslist.exe utility to get basic process parameters.
Exercise 4: "Killing" a Process
Using the UNIX-like command pskill.exe, "kill" the application process with PID=4048.
Question 4
Test all pslist and pskill options on a sample application program like notepad.exe. Can an application be pskill-ed remotely (on a remote computer)?
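The pslist and pskill steps of Exercise 4, written as an added PowerShell example that is not part of the course slides or of the PsTools package. It assumes a running notepad.exe; the PID 4048 on the slide is only an illustration, so the script looks the PID up itself. It also adds the check a practitioner wants before killing by number: Windows recycles PIDs, so a number copied from an earlier listing can point at an unrelated process by the time it is used, and the kill is refused unless the PID still belongs to the expected image. The function names are assumptions of this example.

```powershell
# Added example (not from the course slides or PsTools). Assumes a running
# notepad.exe started as in Exercise 4; function names are illustrative.

function Get-ProcessBasics {
    # pslist-style view: name, PID, priority, threads, handles, CPU time, elapsed time
    param([string]$ImageName = 'notepad')
    Get-Process -Name $ImageName -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Name'; e = { $_.ProcessName }}, Id, BasePriority,
            @{n = 'Thd'; e = { $_.Threads.Count }}, HandleCount,
            @{n = 'CPUTime'; e = { $_.TotalProcessorTime }},
            @{n = 'Elapsed'; e = { (Get-Date) - $_.StartTime }}
}

function Stop-ProcessSafely {
    # pskill-style termination by PID, guarded against PID reuse
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][string]$ExpectedImage   # e.g. 'notepad'
    )
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $p) {
        Write-Warning "No process with PID $ProcessId"
        return $false
    }
    # PIDs are recycled: refuse to kill if the number now belongs to another image
    if ($p.ProcessName -ne $ExpectedImage) {
        Write-Warning "PID $ProcessId is '$($p.ProcessName)', not '$ExpectedImage'; not killing"
        return $false
    }
    # Stop-Process asks the kernel to terminate the process outright (the same
    # TerminateProcess service pskill uses); unlike exit(n) in the program's own
    # code, the program gets no chance to run its own cleanup.
    Stop-Process -Id $ProcessId -Force -ErrorAction Stop
    # wait until the process object has left the process table
    $null = Wait-Process -Id $ProcessId -Timeout 10 -ErrorAction SilentlyContinue
    return -not (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue)
}

# Usage, mirroring the slides: list the test program, then kill the first instance
$before = Get-ProcessBasics
$before | Format-Table -AutoSize
if ($before) {
    $target = ($before | Select-Object -First 1).Id
    $killed = Stop-ProcessSafely -ProcessId $target -ExpectedImage 'notepad'
    "Process $target terminated: $killed"
    Get-ProcessBasics | Format-Table -AutoSize    # empty once notepad is gone
}
```

Running the script against a stale PID shows the guard in action: the warning names the process that now owns the number and nothing is terminated, which is exactly the failure the unguarded pskill.exe 4048 on the slide would not catch.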
The End