Archive

Archive for the ‘OS’ Category

Process behavior in Windows and Linux

September 22, 2014 Leave a comment

Everyday, we see the processes running in our machines. In Windows we can see them in the task manager and in Linux, for example in Ubuntu we can see them either by giving the ps command in the console or by looking the “System Monitor” window. As a computer science student we may have studied about “Process and Threads” in our operating system course. One major point we have to remember while studying OS course is, the processes running in an OS ( say Windows) will exhibit completely a different behavior when compared to a process running in Linux. I came to know the differences when I was reading a book on Window system internals. They mentioned about this at the beginning of the 1st chapter. In this article, after a short definition, I am going to demonstrate a simple difference between the processes running in Windows and as well as in Linux.

A common and a simple definition is “Process is a program in execution”. Some say “Process is a set of tasks which achieves a particular result by consuming the system resources”. Let me put in this way! “Process is a container for a set resources used when executing an instance of a program, where a program is a sequence of instructions”. Typically the points mentioned below are some of the components of a process in Windows,

1. Unique process ID. (PID)

2. Threads (at least one)

3. Private virtual address in which a process is executed and later it will mapped to the physical memory

4.. List of open handles to system resources like files, semaphore and communication ports.

5. Access tokens, which contains information to prevent executing the process from a non privileged user account.

There are some properties which are common for all OS ‘s like they can communicate with other processes using a shared object or through a pipe, they can create threads, child process etc. However there are differences, I would like to tell a simple difference between the processes running in Windows and Linux.

1. In Linux, if the parent process is closed then all the associated child process are forced to exit along with their parent. But still you can make it work like in Windows.

2. In Windows, it is the other way around. Even when you close a parent process the child processes will be continuing with what they were doing.

3. In Windows, the child process will contain only one information ( parent PID ) about their parent. They will not store any information about a process which created their parent process.

To illustrate the above point we will assume there are 3 processes running P1, P2 and P3 where P1 is the parent of P2 and P2 is the parent of P3. As mentioned above the grant child process ( P3 ) will not store any information about process P1, but they keep an information (PID) of their parent process P2. Quite a few of us may not have noticed the difference. Well, will illustrate with an example. First let us start from Windows!  Like I said before in point 2, even when you close the parent process, the child process will be continuing to execute as a process with no parent. In other words, it is executes as a parent process with no child process. Now check out this in your windows machine.

1. Open a command prompt. This will be a parent process. Optionally you can give a title for your cmd prompt using the “> title” command. I have given the title as “Parent”.

2. In the same command prompt window, start another application of your choice. I have opened “mspaint” by typing “> start mspaint”. This will be 1st the child process for the parent process cmd.

Process_Blog1

 

3. You can see the tree view in the above image, depicting the parent child relation using an application called “Process Explorer”.

4. Now select the cmd task from task manager, right click and select “End process”  or just close the cmd application.

Process_Blog_pic2

5. If you see the above picture, we can notice the mspaint application running perfectly without getting closed. It became a parent with no child process. So this proves point number (2).

Now will see the next difference. For this example also we will create 3 processes namely P1, P2, and P3, where P1 (cmd.exe) is the parent of P2 (cmd.exe) and P2 is the parent of P3(mspaint). Now, here it is,

PROCESS

1. If you terminate the parent process by selecting “End Process Tree” then all the child process will be forced to exit. But closing the parent process by selecting “End Process” will make P2 as the parent process and P3 will be continuing to run.

2. Try this, don’t close P1 now. Close the process P2 ( cmd.exe), the process P3 (mspaint) will be executing as an independent process.

process_pt3

3. Now even when you give “End Process Tree” on process P1, you may see the process P3 will be continuing to run as an independent process. So it’s clear that it is able to run without terminating since it is not holding any information about process P1.

Finally let us do the same with Linux. We will create process 3 process as mentioned above. Here, P1 P2 will be terminator console and P3 will be firefox browser. Try closing the P1 you can see all the process will be closed along with P1.

process_linux

 

You should be able to differentiate them now! So this article may not be great, but definitely you may not discussed about it very much. Anyway I found it interesting! 😉

Internal and External Commands

January 12, 2013 Leave a comment

Internal Commands:

As part of my OS Security Course, we had an assignment about differentiating Internal  and External commands in Linux. Internal commands are those which are built inside the shell, i.e they are already loaded into the system. It is directly executed in the system. They don’t require a separate process to execute them. They are PATH independent and they are not coded in files. PATH is represented as “$PATH”,  and it is an environment variable that tells the shell, which directories to search for executables, which are provided by the user. Just type and check, $PATH and env in your terminal. Oh…. btw env is an 32-bit LSB executable file, where we can see a list of current environmental variables, and their values for the current user. “env” file can be found in /usr/bin directory. We can locate the PATH variable inside the env executable by using grep command and with a pipe.


shankie@ubuntu:~/Desktop$ env | grep "$PATH"
PATH=/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

OK coming back to the topic, in Linux we can differentiate the Linux commands, using the type command. If it is an internal command, type command will pop a message, that it is shell built-in. Else it will mention the directory of the command, i.e the directory where the executable is located.

shankie@ubuntu:~/Desktop$ type cd
cd is a shell builtin

External commands are not executed directly in the system. More clearly they are not loaded into the system. For Eg. cat, ifconfig, firefox( if installed) .They will have an individual process. They seek the help of the $PATH variable. Usually, normal linux commands are found in /bin or in /sbin. If the path of a particular command provided by the user is not mentioned in the variable means, it won’t be executed.

shankie@ubuntu:~/Desktop$ type ifconfig
ifconfig is hashed (/sbin/ifconfig)
shankie@ubuntu:~/Desktop$ type cat
cat is hashed (/bin/cat)
shankie@ubuntu:~/Desktop$ type firefox
firefox is /usr/bin/firefox

So this is the assignment, implemented in Python, HOPE IT IS COMPLETE NOW! given a list of terminal commands, which sorts the terminal commands issued by the user, based on internal and external commands and executes the terminal commands. You can also download the below code with a Sample Input from my Repository.


#!/usr/bin/python

'''
Variable Descriptions:

List:
commands ( Terminal commands issued by the User )
final ( STDOUT of the terminal commands, issued by user )

'''

#Header File
import os

# User Input
commands,final = [],[]
no = input("Enter the number of commands:")
for i in range(no):
    commands.append(raw_input("Enter the commands:"))

# STDOUT READER
for i in range(no):
    dif = 'type '
    temp = commands[i]
    temp = dif+temp
    output = os.popen(temp).readlines()
    final.append(output)

# Special Case: Directory execution
def SHELL(catch):

#Generalization of Getting HOME DIR
    path = '/home/shankie'
    path = 'env|grep "HOME"'
    path = os.popen(path).readlines()
    path = str(path)
    end  = path.find('\\n')
    path = '/' + path[8:end]

# Normal Commands Other Than CD
if 'cd' not in catch:
    os.system(catch)

# Moving Forward
else:
    if len(catch) == 2:
        os.chdir(path)
        print "Your Directory is Changed! Select a option!"
        print "1. List the files and Subdirectory"
        print "2. Print the Path"
        catch = input()
        if catch == 1:
            os.system('ls')
        elif catch == 2:
            os.system('pwd')
        else:
            print "Wrong Option"

# Moving Backward
    else:
        strip = catch[3:]
        os.chdir(strip)
        print "Your Directory has Changed! Now you are inside the path!"
        os.system("pwd")

# Classifying Internal or External Command
i=0
while i < no:
    temp = str(final[i])
    index = temp.find('shell')
    if index > 0:
        print commands[i]+ ' is Internal Command'
    else:
        print commands[i]+ ' is External Command'
    temp = commands[i]
    SHELL(temp)
    i+=1

bi0s

CTF | Amrita

Thoughts - always free of cost !!

Simple words gr8 thoughts ...

RAM Slack - Random Thoughts from a Computer Forensic Examiner

Random Thoughts from a Computer Forensic Examiner

InCTF

behind the scenes

DFIR Journal

Trials and Tribulations of a DFIR life

I dont know zilch !

For the noobs out there like me

X-Ways Forensics Practitioner's Guide

The Guide to X-Ways Forensics!

Forensic Focus - Articles

Digital forensics articles and research papers

my abbreviations......

gain,learn and share knowledge!!!!

digirati82

Windows Logging Service (WLS), DFIR, etc.

Belkasoft Forensic: The Digital Evidence Blog

Searching for, analyzing and recovering digital evidence

Gail Tredwell. Amma. Truth. Lies. Scandals. Fraud. And. Reality

Three things cannot be long hidden: the sun, the moon, and the truth.

Integriography: A Journal of Broken Locks, Ethics, and Computer Forensics

Musings about UAVs, search & rescue, computer forensics, cyber security, and the state of play in all .....

Life is beautiful

when the mind is full with love, you see beauty in every thing

Techno Krat

.... Dare To Try .......