Memory Forensics: Harvesting Windows Credentials from Volatile Storage


Haider M. al-Khateeb, Carsten Maple
{haider.alkhateeb, carsten.maple}@beds.ac.uk
Department of Computer Science and Technology, University of Bedfordshire, UK

Abstract

In forensic investigations, it is a challenge to recover objective evidence through means of research and then attribute the relevant artefacts to an individual. In this series of articles, and within the context of volatile memory forensic investigation, we set our scope on recovering user credentials, which can be essential not only to unlock hidden and/or encrypted data but also to identify recent users and analyse their unique characteristics. These can then be used to establish a connection between digital evidence and a user of the system. The article also aims to critically discuss the significance of memory forensics, in addition to demonstrating tools and techniques used to carry out the process of memory acquisition and analysis.

Keywords: Memory Forensics; Windows; Volatile; Volatility; Incident Response; Digital Investigation

Introduction

What artefacts can be extracted from the volatile memory in Windows? And what makes memory a significant part of any digital forensic methodology? The best way to answer these questions is through a reasonably brief demonstration of what the computer memory is used for. Foremost, volatile storage maintains data as long as power is available; data is erased/lost when power is interrupted or the computer is switched off. It allows fast CPU read/write access to data compared to non-volatile memory such as Hard Disk Drives (HDDs), where data originally reside. Hence, data bytes are always moved from non-volatile memory to volatile memory for processing.
The Performance tab in Windows Task Manager gives an overview of what seem to be different memory space allocations, measured in megabytes (MB), as shown in Figure 1. In our context, another term to use is Random Access Memory (RAM), which is the traditional example of a volatile memory. However, other Windows terminology includes Physical Memory or just Memory!

Figure 1: The different allocations of memory spaces, and sizes in MB, as displayed by Windows 7 Task Manager

The final version of this article has been published in the Digital Forensics Magazine (https://www.digitalforensicsmagazine.com/). Full reference: al-Khateeb, H. M., Maple, C. (2014) ‘Memory Forensics: Harvesting Windows Credentials From Volatile Storage’, Digital Forensics Magazine, 2014(19): 32-36.

Physical memory is what is stored on RAM chips lined up in built-in notches on the motherboard; hence the term reflects the total amount of real storage, e.g. if two 1GB memory modules are installed, then the physical memory is 2GB. Figure 1 shows 2047 MB of total physical memory usable by the Operating System. At this point, it is important to bear in mind that the value here can be different from the actual RAM installed, in scenarios such as when a machine has the Redundant Memory feature or Memory Mirroring enabled in the BIOS. These options are used as a failover mechanism for the system and can reduce the total RAM available to Windows. A forensic investigator must recognise such technical detail because every memory space is a potential source of digital evidence. While some RAM spaces featured in the Task Manager, such as ‘Available’ and ‘Free’, have more of a usability effect on the system, ‘Cached’ is highlighted as being of forensic interest to us. It reports the amount of RAM used for the most recently accessed data.
To boost performance, software and other data remain in the cache even after they have been closed by the user; this is because future data access requests can be served faster from the cache! In addition to what has been discussed so far, the computer structure is designed in a way that part of the RAM is strictly reserved and dedicated to the Kernel. This space is used to load essential system processes during start-up and then keep them running separately in what is known as a ‘Nonpaged’ area (in contrast to ‘Paged’, which is virtual memory and will be discussed later). Such an implementation maintains high availability of physical space for the core processes responsible for keeping the OS running, and also keeps them safe and isolated from RAM manipulated by other hosted software.

Why Windows 7?

The discussion and demonstration of the tools and techniques in this article were performed on Windows 7. This was not a random choice, but rather influenced by results published in early 2014 by market share statistics reporters such as netmarketshare.com, showing that Windows 7 dominates around 47% of the usage share of desktop Operating Systems, followed by Windows XP at around 30%. While the accuracy of such results can be challenged and argued about, it does give a good indication of the type of Operating System a forensic investigator will most likely be dealing with.

Virtual Memory

What happens if the physical memory is exhausted in a busy machine where many applications are running simultaneously? In this case, the OS can compensate using a simulation technique that extends RAM virtually into a utilised area of the HDD called a Paging File; this releases some RAM space for other prioritised applications, hence the name Virtual Memory. As such, if you observe the value of the ‘Available’ physical memory shown in Figure 1, it should never be zero, since some processes will always be moved to the virtual memory on the HDD.
Similarly, the ‘Paged’ value subtitled within the Kernel Memory refers to the part of the virtual memory dedicated to the Kernel. By default, Windows automatically adjusts the Paging File, but it also gives users the privilege to manually determine the size of their Paging File or even stop using this feature. These settings can be changed from Control Panel > System and Security > System > Advanced System Settings > Advanced > Performance, Settings > Advanced tab > Change. If a Paging File is used (which is strongly recommended), the OS will continuously swap processes between the RAM and virtual memory, which implies that an investigator should consider the data in both. In Windows 7, this file is called pagefile.sys and is stored in %SystemDrive%\, which usually happens to be the C:\ drive, as shown in Figure 2. But to actually see it, make sure you:
- Navigate to Windows Explorer > Tools > Folder options > View
- Select ‘Show hidden files, folders, and drives’
- And untick ‘Hide protected operating system files (Recommended)’
- Note that pagefile.sys cannot simply be copy-pasted because the OS keeps it open and therefore protected from user access. Hence, special purpose tools such as FTK Imager or Forensic Get (FGET) must be used to perform the task.
Analysis of this file is beyond the scope of this article, but it is important to mention that the standard page size in Paging Files is 4KB. This implies that data moved from the RAM are split into small chunks which might only be meaningful if mapped back correctly to the memory to reconstruct existing objects.
Figure 2: The Paging File is a hidden system file used as virtual memory to support RAM and can be located at %SystemDrive%\pagefile.sys

Memory dump

A memory dump is an acquired copy of the volatile memory data bytes, which were originally moved from the Hard Drive for processing. Hence, this image must be taken from a running machine, which is why memory forensics is also referred to as ‘Live Forensics’. Memory dumps can be taken for various reasons; for instance, a Windows user might be facing a Blue Screen error and require technical support to solve the issue, and a memory dump in this case can be sent to a service provider such as McAfee for analysis. In our work, however, we are more interested in extracting evidence from the captured memory. There are different file formats for the memory dump, used to distinguish between the outputs of different tools. For instance:
- Windows creates a .dmp file
- DumpIt creates a .raw file
- In a virtual machine, VMware Tools creates a .vmem file. Further, the snapshot method creates a .vmsn file in the virtual machine directory, and a suspended VM saves a .vmss file.
Since some analysis tools were designed to support specific files, tools such as the vmss2core utility can be used to convert between them. However, conversion might not always be needed, especially when a tool such as Bulk extractor is used. This is because it scans and extracts information without parsing the file system in a given image, which makes it compatible with various artefacts, from memory dumps to Solid State Drives (SSDs) and HDDs. The output of Bulk extractor includes credit card numbers, email addresses and wordlists that can be imported into password-cracking software, which is why it is relevant to this series of articles and will be covered in further detail later. Earlier, we discussed that the RAM is split into a space reserved and secured for the Kernel and a larger space for the hosted applications.
Now, if the acquisition considers both, then it is a complete memory dump; otherwise there can be different types of smaller memory dumps, as shown below:
- Complete: contains the full physical memory.
- Kernel memory dump: limited to the memory in use by the Kernel.
- Small and mini memory dumps: include selected parts of memory associated with one or more processes; this is clearly not sufficient for analysis unless the forensic investigation is intentionally scoped on a particular process.

Significance of the Volatile Memory

Well-trained criminals attempt to eliminate their footprints on the hard drive, which increases the importance of the data stored in the volatile memory.
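As an added example (not code from the article, nor from Bulk extractor itself), the following Python script carves email addresses and wordlist candidates straight out of a raw memory image in the way described above for Bulk extractor: it scans bytes rather than parsing a file system, so a .raw, .vmem or disk image is handled alike, and it also looks for UTF-16LE text, which is how Windows stores most strings in memory and which a plain ASCII strings pass would miss. The sample image is constructed inside the script, and the minimum run length and token rule are assumptions.

```python
import mmap
import re
from typing import Dict, Iterator, List, Tuple

# Constructed stand-in for a raw memory image (not a real dump): binary noise
# around an ASCII email address, a UTF-16LE email address (the encoding Windows
# uses for most in-memory strings) and two password-like tokens.
SAMPLE_IMAGE = (
    b"\x00\x00MZ\x90\x00\x03"
    + b"alice.smith@example.org"
    + b"\x00\xff\x13\x01"
    + "bob@example.com".encode("utf-16-le")
    + b"\x00\x00\x7f"
    + b"CorrectHorseBattery\x00\x00"
    + "Pa55word!".encode("utf-16-le")
    + b"\x01\x02ab\x03"
)

MIN_LEN = 6  # assumed: shortest printable run worth keeping; shorter is mostly noise

# A run of printable ASCII bytes, and the same characters each followed by a NUL
# byte, which is how ASCII text looks when stored as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TOKEN_RE = re.compile(r"\S{%d,}" % MIN_LEN)  # wordlist candidates (assumed rule)

Hit = Tuple[int, str, str]  # (byte offset in image, encoding, value)


def extract_strings(image) -> Iterator[Hit]:
    """Yield every printable ASCII and UTF-16LE run with its offset in the image."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), "ascii", bytes(m.group()).decode("ascii")
    for m in UTF16_RUN.finditer(image):
        yield m.start(), "utf-16le", bytes(m.group()).decode("utf-16-le")


def carve(image) -> Dict[str, List[Hit]]:
    """Carve email addresses and wordlist tokens without parsing any file system.

    Offsets are kept so that a hit can later be mapped back to the process or
    kernel structure that owned that memory (for example with Volatility).
    """
    emails: List[Hit] = []
    words: List[Hit] = []
    for off, enc, text in extract_strings(image):
        width = 2 if enc == "utf-16le" else 1  # bytes per character in the image
        for m in EMAIL_RE.finditer(text):
            emails.append((off + m.start() * width, enc, m.group()))
        for m in TOKEN_RE.finditer(text):
            words.append((off + m.start() * width, enc, m.group()))
    return {"emails": sorted(emails), "wordlist": sorted(words)}


def carve_file(path: str) -> Dict[str, List[Hit]]:
    """Carve a dump on disk through mmap so multi-GB images are not read into RAM."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve(mm)


if __name__ == "__main__":
    for kind, hits in carve(SAMPLE_IMAGE).items():
        print(kind)
        for off, enc, value in hits:
            print(f"  0x{off:08x} {enc:9s} {value}")
```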