Tuesday, December 17, 2024

Learning on Processes in different Operating systems

To grasp the inner workings of processes in Linux, macOS, or BSD, we must delve into their lifecycle and the critical role of the fork() system call in generating new processes. This exploration will highlight key distinctions from Windows, with a focus on the fundamental mechanics of process creation in Unix-like systems.

How Process Creation works in Linux/macOS/BSD

  1. Initial Process (init or systemd)
    • The first user-space process is typically init or systemd in Linux and macOS. It's started by the kernel after bootstrapping the system.
    • On Linux: Modern distributions often use systemd, which is responsible for initializing the system.
    • On macOS: launchd acts similarly to init or systemd.
  2. The Role of fork()
    • In Unix-like systems, process creation relies on fork():
      • fork(): Creates a new process by cloning the current process (parent process).
      • The new process (child) gets its own PID but shares the same memory layout as the parent until memory writes occur (Copy-On-Write mechanism).
      • After the child is created, the parent and child processes can execute concurrently.
    • Followed by:
      • exec(): The child process often calls exec() to replace its memory space with a new program.

Example Workflow:

pid_t pid = fork();

if (pid == 0) {

    // Child process

    execlp("program", "program", (char *)NULL);

} else if (pid > 0) {

    // Parent process

    wait(NULL); // Wait for the child to finish

}

  1. Kernel Process and Cloning
    • Unix systems have kernel processes that run in the background, such as:
      • kthreadd: The kernel thread manager.
      • kworker: Handles asynchronous tasks in the kernel.
    • Kernel processes like kthreadd are cloned to create new kernel-level threads or processes.
    • clone():
      • Linux-specific system call for process/thread creation.
      • More flexible than fork() as it allows sharing of resources (e.g., memory, file descriptors).
  2. User-Space Processes
    • Once the kernel spawns init or systemd, it creates all other user-space processes, including:
      • Login shells (getty, bash, zsh).
      • Daemons (background services like cron, sshd).

 

Comparison with Windows Process Creation

Feature

Linux/macOS/BSD

Windows

Initial Process

init/systemd/launchd

System (PID 4)

Process Creation

fork() followed by exec()

CreateProcess() API

Kernel Involvement

kthreadd, kernel forks/clones process

smss.exe handles session/process management

Service Manager

Daemons managed by init/system

svchost.exe

Threading

clone() for threads and processes

Windows Threads

 

Things we need to look up for future blogposts:

  1. Fork Mechanism
    • Explore the fork() and exec() workflow.
    • Understand Copy-On-Write memory management.
  2. Kernel Processes
    • Study kernel-level threads (kthreadd, kworker).
    • Learn about process scheduling and task switching.
  3. System Calls for Process Management
    • Linux: fork(), execve(), clone(), wait(), exit().
    • macOS/BSD: Similar process creation APIs with slight differences in syscall conventions.
  4. Process States
    • Linux/macOS: Process states (Running, Sleeping, Zombie).
    • Check the /proc filesystem for process information.
  5. Process Tree Visualization
    • Tools: pstree, htop, ps.
    • Understand parent-child relationships in the process tree.
  6. Init Systems
    • Systemd: Unit files, dependency handling.
    • Launchd: Service management on macOS.
  7. Thread Management
    • Difference between kernel threads and user threads.
    • Use of pthread library in Linux.

 

My suggestion on enhancing the understanding of these discussed concepts, please follow up on the given exercises:

  1. Fork and Exec Programming
    • Write a program that forks a child, where the child runs a new command using exec().
  2. Process Tree Exploration
    • Use pstree to view the relationship between init/systemd and other processes.
  3. Kernel Process Monitoring
    • Use top or htop to observe kernel threads (use k option in htop).
  4. MacOS Daemon Study
    • Use launchctl to view and manage launchd processes.

 

 Post by

newWorld

No comments:

Papers on Reverse Engineering Malware

Discover the Best Papers on Reverse Engineering Reverse engineering has always been a fascinating and vital aspect of cybersecurity. Wheth...