Differences
This shows you the differences between two versions of the page.
|
ep:labs:08 [2018/03/07 11:01] emilian.radoi [App.cpp] |
ep:labs:08 [2023/10/30 00:50] (current) ana.grigorescu0809 [03. Process Monitor] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab 08 ====== | + | ====== Lab 08 - I/O Monitoring (Windows) ====== |
| - | ===== App.cpp ===== | ||
| - | <code> | + | ===== Objectives ===== |
| - | #include <stdio.h> | + | |
| - | #include <sys/types.h> /* open */ | + | |
| - | #include <sys/stat.h> /* open */ | + | |
| - | #include <fcntl.h> /* O_CREAT, O_RDONLY */ | + | |
| - | #include <unistd.h> /* close, lseek, read, write */ | + | |
| - | #include "Enclave_u.h" | + | * Offer an introduction to Windows I/O monitoring. |
| - | #include "sgx_urts.h" | + | * Get you acquainted with a few Windows standard monitoring tools like **Task Manager**, **Windows Performance Recorder**, **Process Monitor**, and **Process Explorer**. |
| - | #include "sgx_utils/sgx_utils.h" | + | * Learn how to monitor disk activity, identify what is generating it, and figure out what the issue is by looking at the pdbs and the code. |
| + | * Take a deeper look into how monitoring tools extract data from processes. | ||
| - | /* Global Enclave ID */ | + | <note important> |
| - | sgx_enclave_id_t global_eid; | + | |
| - | /* OCall implementations */ | + | You can download the **Windows 10 VM** via [[https://ctipub-my.sharepoint.com/:u:/g/personal/radu_mantu_upb_ro/EXSrHQMCkWBEpGYseFEmnnABCA1hyb1oGWMUhnnHx8LIdQ?e=I0pxHg | OneDrive]]. |
| - | void ocall_print(const char* str) { | + | |
| - | printf("%s\n", str); | + | |
| - | } | + | |
| - | void ocall_write_file(const char* filename, const char* buf, size_t buf_len) { | + | If you need to use VirtualBox, you can use this //.ovf// version to import the VM (just on OneDrive) |
| - | int fd; | + | [[https://ctipub-my.sharepoint.com/:u:/g/personal/cezar_craciunoiu_upb_ro/EZYR_YFyHx5GiHf5yBNuiyYB-zXhIaTNzJ8o8Ri2M8l5Mw?e=9qxrde | OneDrive]]. |
| - | ssize_t wr_bytes; | + | |
| - | fd = open(filename, O_RDWR | O_CREAT, 0644); | + | |
| - | wr_bytes = write(fd, buf, buf_len); | + | |
| - | close(fd); | + | |
| - | } | + | |
| - | void ocall_read_file(const char* filename, char* buf, size_t buf_len) { | + | There is also the option to download as a torrent {{:ep:labs:ep_win10_vm.7z.torrent.txt}}. |
| - | int fd; | + | DokuWiki is not configured to accept //.torrent// files so remove the //.txt// extension. |
| - | ssize_t no_bytes; | + | After that, you know what to do... |
| - | fd = open(filename, O_RDWR | O_CREAT, 0644); | + | |
| - | no_bytes = read(fd, buf, buf_len); | + | |
| - | buf[no_bytes] = '\0'; | + | |
| - | close(fd); | + | |
| - | } | + | |
| - | int main(int argc, char const *argv[]) { | + | Alternatively, you can install the following on your own Windows machine: |
| - | int sum_result; | + | * **[[https://go.microsoft.com/fwlink/?linkid=2120254 | ADK]]** - make sure to check //**Windows Performance Analyser**// and //**Windows Performance Recorder**//. |
| - | unsigned int rand_no; | + | * **[[https://visualstudio.microsoft.com/downloads/ | Visual Studio Community Edition]]** - select //C++ development//. |
| - | sgx_status_t status; | + | * **[[https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite | Sysinternals suite]]** |
| - | + | ||
| - | /* Enclave Initialization */ | + | |
| - | if (initialize_enclave(&global_eid, "enclave.token", "enclave.signed.so") < 0) { | + | |
| - | printf("Fail to initialize enclave.\n"); | + | |
| - | return 1; | + | |
| - | } | + | |
| - | /* Call a simple method inside enclave */ | + | </note> |
| - | status = get_sum(global_eid, &sum_result, 3, 4); | + | |
| - | if (status != SGX_SUCCESS) { | + | |
| - | printf("ECall failed.\n"); | + | |
| - | return 1; | + | |
| - | } | + | |
| - | printf("Sum from enclave: %d\n", sum_result); | + | |
| - | + | ||
| - | seal_secret(global_eid); | + | |
| - | unseal_secret(global_eid); | + | |
| - | + | ||
| - | /* TODO: Using an ECALL that generates a random unsigned int, | + | |
| - | get a random number between 3 and 42. */ | + | |
| - | status = generate_random_number(global_eid, &rand_no); | + | |
| - | printf("Rand no from enclave: %u\n", rand_no); | + | |
| - | return 0; | + | |
| - | } | + | |
| - | </code> | + | <note important> |
| + | If Visual Studio prompts you with an "Expired" message, you will have to log in with your (university) account. | ||
| + | </note> | ||
| + | ===== Contents ===== | ||
| + | {{page>:ep:labs:08:meta:nav&nofooter&noeditbutton}} | ||
| - | ===== Enclave.cpp ===== | ||
| - | <code> | + | ===== Introduction ===== |
| - | #include "sgx_trts.h" | + | As you remember from the Linux Monitoring labs there is an endless list of tools for system analysis. |
| - | #include "sgx_tseal.h" | + | |
| - | #include "string.h" | + | |
| - | #include "Enclave_t.h" | + | |
| - | #include<stdio.h> | + | |
| + | This is unfortunately not true for Windows. | ||
| + | The system is closed-source and the development of tools is much slower. | ||
| - | #define SECRET_FILE "enclave_secret" | + | The first (and probably most popular), set of tools for system analysis is [[https://docs.microsoft.com/en-us/sysinternals/ | Sysinternals]]. |
| + | This was later aquired by Microsoft and it is now their recommended tool for analysis. | ||
| + | The suite contains a wide variety of tools, but we will only concentrate on the widely used ones. | ||
| - | int get_sum(int a, int b) { | ||
| - | /* TODO: Call OCALL that prints a debug message */ | ||
| - | return a + b; | ||
| - | } | ||
| - | void printf(const char *fmt, ...) | + | ==== 01. Task Manager ==== |
| - | { | + | |
| - | char buf[BUFSIZ] = {'\0'}; | + | |
| - | va_list ap; | + | |
| - | va_start(ap, fmt); | + | |
| - | vsnprintf(buf, BUFSIZ, fmt, ap); | + | |
| - | va_end(ap); | + | |
| - | ocall_print(buf); | + | |
| - | } | + | |
| - | unsigned int generate_random_number() { | + | Shows real time information about processes and the system. |
| - | + | To start Task Manager you can use any of the following methods: | |
| - | unsigned int rand_number = 0; | + | * //**Ctrl + Shift + Esc**// |
| - | + | * Right click the taskbar and choose Task Manager | |
| - | sgx_status_t status = sgx_read_rand((unsigned char*)(&rand_number), sizeof(rand_number)); | + | * //**Ctrl + Alt + Del**// and select Task Manager |
| - | if (SGX_SUCCESS != status) { | + | |
| - | return -42; | + | |
| - | } | + | |
| - | return rand_number%42 + 1; | + | |
| - | } | + | |
| - | void unseal_secret(){ | + | **Tabs description:** |
| - | char sealed_data[1024]; | + | * **Processes** - shows all the running processes and their current resource usage in terms. |
| - | char secret[1024]; | + | * **Performance** - shows the usage level of the computer's main resources in the last minute. |
| - | uint32_t text_size = sizeof(secret); | + | * **App history** - added with Windows 8, it shows the resource consumption of metro applications. |
| - | + | * **Startup** - shows all the applications that start at start-up and their impact on the boot time. | |
| - | ocall_read_file(SECRET_FILE, sealed_data, text_size); | + | * **Users** - shows the resource consumption of every logged in user. |
| - | sgx_unseal_data((sgx_sealed_data_t *)sealed_data, NULL, NULL, (uint8_t*)secret, &text_size); | + | * **Details** - shows detailed information about each process. Right-clicking the column headers bar, offers the possibility to add or remove columns. The following columns: Handles, Threads, Image Path Name, and Command Line are useful for especially useful for this laboratory. |
| - | printf("Unsealed secret: %s\n", secret); | + | * **Services** - shows the service status for all services. A Windows service can be considered similar to a Linux daemon: a process without a visual interface, offering services to user-created processes. |
| - | } | + | |
| + | **Conclusions:** | ||
| + | * Task Manager can be used to identify which process uses a lot of RAM, CPU, accesses the disk many times or generates a lot of traffic on the network at a certain moment. | ||
| + | * It does offer some information for longer periods of time, in the Startup tab, which shows what process had higher impact at startup, but does not specify the area that was impacted. | ||
| + | * You can sort by I/O read or I/O Writes, but no there is no option to sort the results by Total I/O (combined Read & Write). | ||
| - | void seal_secret() { | + | <note> |
| - | char* secret = (char*)malloc(10); | + | To overcome Task Manager’s limitations, and to perform a thorough analysis, use the Resource Monitor (Resmon) utility, which is built into Windows. |
| - | sgx_status_t status = sgx_read_rand((unsigned char*)secret, sizeof(secret)); | + | </note> |
| - | printf("Generated secret: %s\n", secret); | + | |
| - | + | ||
| - | uint32_t text_size = sizeof(secret); | + | |
| - | uint32_t sealed_size = sgx_calc_sealed_data_size(0,text_size); | + | |
| - | + | ||
| - | sgx_sealed_data_t *sealed_data = (sgx_sealed_data_t *)malloc(sealed_size); | + | |
| - | sgx_seal_data(0, NULL, text_size, (uint8_t*)secret, sealed_size, sealed_data); | + | |
| - | + | ||
| - | ocall_write_file(SECRET_FILE, (char *)sealed_data, sealed_size); | + | |
| - | } | + | |
| - | </code> | + | ==== 02. Windows Performance Recorder & Analyzer ==== |
| + | Windows Performance Recorder (WPR) is used to record the whole activity of the system in a time frame. | ||
| + | Compared to Task Manager, this tool only captures information, without displaying it. | ||
| + | To inspect the captured data you will need to use another tool, Windows Performance Analyzer (WPA). | ||
| + | This combination of tools is most useful when running tests that take hours and constantly watching Task Manager would be impossible. | ||
| - | ===== Enclave.edl ===== | + | ==== 03. Process Monitor ==== |
| + | Process Monitor is another troubleshooting tool from Windows Sysinternals that displays the files and registry keys that applications access in real-time. | ||
| + | The results can be saved to a log file, which you can send to an expert for analyzing a problem and troubleshooting it. | ||
| - | <code> | + | **How to Use Process Monitor to Track Registry and File System Changes?** |
| - | enclave { | + | We want to write to the HOSTS file (C:\Windows\System32\drivers\etc\hosts) in order to add new rules. |
| - | //from "Sealing/Sealing.edl" import *; | + | When we try to do this we encounter an error when saving the file. |
| - | trusted { | + | Following the steps below (or the video) we can record what causes the error. |
| - | /* define ECALLs here. */ | + | Afterwards, we can send it to an expert or search for a fix ourselves. |
| - | public int get_sum(int a, int b); | + | |
| - | public unsigned int generate_random_number(void); | + | |
| - | public void seal_secret(void); | + | |
| - | public void unseal_secret(void); | + | |
| - | }; | + | |
| - | untrusted { | + | <html> |
| - | /* define OCALLs here. */ | + | <center> |
| - | void ocall_print([in, string]const char* str); | + | <iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/-3JiM-PPigA" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe> |
| - | void ocall_write_file([in, string]const char* filename, [in, size=buf_len]const char* buf, size_t buf_len); | + | </center> |
| - | void ocall_read_file([in, string]const char* filename, [out, size=buf_len]char* buf, size_t buf_len); | + | <center> |
| - | }; | + | <b>The video covers all 3 parts.</b> |
| - | }; | + | </center> |
| - | </code> | + | </html> |
| - | ===== sgx_utils.cpp ===== | + | ^ Part 1: Running Process Monitor & Configuring Filters ^^ |
| + | | **1.** Run the Process Monitor application. || | ||
| + | | **2.** Include the processes that you want to track the activity on. For this example, you want to include Notepad.exe in the (Include) Filters. || | ||
| + | | **3.** Click Add, and click OK. || | ||
| + | | **4.** From the Options menu, click Select Columns. || | ||
| + | | **5.** Under “Event Details”, enable Sequence Number, and click OK. || | ||
| + | <note> | ||
| + | You can add multiple entries as well, in case you want to track more processes along with Notepad.exe. | ||
| + | To keep this example simpler, let’s only track Notepad.exe. | ||
| - | <code> | + | You’ll now see the Process Monitor main window tracking the list of registry and file accesses by processes real-time, as and when they occur. |
| - | #include <cstdio> | + | </note> |
| - | #include <cstring> | + | |
| - | #include "sgx_urts.h" | + | |
| - | #include "sgx_utils.h" | + | |
| - | #ifndef TRUE | + | ^ Part 2: Capturing Events ^^ |
| - | # define TRUE 1 | + | | **6.** Open Notepad. || |
| - | #endif | + | | **7.** Switch to Process Monitor window. || |
| + | | **8.** Enable the “Capture” mode (if it’s not already ON). You can see the status of the “Capture” mode via the Process Monitor toolbar. || | ||
| + | | **9.** The highlighted button above is the “Capture” button, which is currently disabled. You need to click that button to enable capturing of events. || | ||
| + | | **10.** **Important**: Cleanup the existing events list using Ctrl + X key sequence and start afresh. || | ||
| + | | **11.** Switch back to Notepad. || | ||
| + | | **12.** To reproduce the problem, try writing to the HOSTS file and saving it. Windows offers to save the file with a different name, or in a different location. So, what happens under the hood when you save to HOSTS file? Process Monitor shows that exactly. || | ||
| + | | **13.** Switch to Process Monitor window, and turn off Capturing (Ctrl + E) as soon as you encounter the problem. **Important Note**: You need to do all that as quickly as you can in order to not record unneeded data. || | ||
| - | #ifndef FALSE | + | <note warning> |
| - | # define FALSE 0 | + | The log file above tells us that Notepad encountered an ACCESS DENIED error when writing to the HOSTS file. |
| - | #endif | + | |
| - | /* Check error conditions for loading enclave */ | + | The solution would be to simply run Notepad elevated (right-click and choose “Run as Administrator”) to be able to write to HOSTS file successfully. |
| - | void print_error_message(sgx_status_t ret) { | + | </note> |
| - | printf("SGX error code: %d\n", ret); | + | |
| - | } | + | |
| - | /* Initialize the enclave: | + | ^ Part 3: Saving the Output ^^ |
| - | * Step 1: try to retrieve the launch token saved by last transaction | + | | **14.** In the Process Monitor window, select the File menu and click Save. || |
| - | * Step 2: call sgx_create_enclave to initialize an enclave instance | + | | **15.** Select Native Process Monitor Format (PML), mention the output file name and Path, save the file. || |
| - | * Step 3: save the launch token if it is updated | + | | **16.** Right-click on the Logfile.PML file, click Send To, and choose Compressed (zipped) folder. You can now send it to an expert. || |
| - | */ | + | |
| - | int initialize_enclave(sgx_enclave_id_t* eid, const std::string& launch_token_path, const std::string& enclave_name) { | + | |
| - | const char* token_path = launch_token_path.c_str(); | + | |
| - | sgx_launch_token_t token = {0}; | + | |
| - | sgx_status_t ret = SGX_ERROR_UNEXPECTED; | + | |
| - | int updated = 0; | + | |
| - | /* Step 1: try to retrieve the launch token saved by last transaction | + | <note> |
| - | * if there is no token, then create a new one. | + | To recap, Task Manager shows what processes use the disk intensively at the current time. |
| - | */ | + | |
| - | /* try to get the token saved in $HOME */ | + | |
| - | FILE* fp = fopen(token_path, "rb"); | + | |
| - | if (fp == NULL && (fp = fopen(token_path, "wb")) == NULL) { | + | |
| - | printf("Warning: Failed to create/open the launch token file \"%s\".\n", token_path); | + | |
| - | } | + | |
| - | if (fp != NULL) { | + | Windows Performance Recorder / Windows Performance Analyzer show who used the disk during a longer time period, although they were showing the activity as belonging to the System process instead of our process. |
| - | /* read the token from saved file */ | + | |
| - | size_t read_num = fread(token, 1, sizeof(sgx_launch_token_t), fp); | + | |
| - | if (read_num != 0 && read_num != sizeof(sgx_launch_token_t)) { | + | |
| - | /* if token is invalid, clear the buffer */ | + | |
| - | memset(&token, 0x0, sizeof(sgx_launch_token_t)); | + | |
| - | printf("Warning: Invalid launch token read from \"%s\".\n", token_path); | + | |
| - | } | + | |
| - | } | + | |
| - | /* Step 2: call sgx_create_enclave to initialize an enclave instance */ | + | |
| - | /* Debug Support: set 2nd parameter to 1 */ | + | |
| - | ret = sgx_create_enclave(enclave_name.c_str(), SGX_DEBUG_FLAG, &token, &updated, eid, NULL); | + | |
| - | if (ret != SGX_SUCCESS) { | + | |
| - | print_error_message(ret); | + | |
| - | if (fp != NULL) fclose(fp); | + | |
| - | return -1; | + | |
| - | } | + | |
| - | /* Step 3: save the launch token if it is updated */ | + | Using Process Monitor we could identify our processes' entire activity and determine why one is slower than the other. |
| - | if (updated == FALSE || fp == NULL) { | + | </note> |
| - | /* if the token is not updated, or file handler is invalid, do not perform saving */ | + | |
| - | if (fp != NULL) fclose(fp); | + | |
| - | return 0; | + | |
| - | } | + | |
| - | /* reopen the file with write capablity */ | + | ==== 04. Process Explorer ==== |
| - | fp = freopen(token_path, "wb", fp); | + | Process Explorer is similar to Task Manager in many ways, as both serve the same purpose. |
| - | if (fp == NULL) return 0; | + | Process Explorer is more verbose and shows much more information about different parts of the system. |
| - | size_t write_num = fwrite(token, 1, sizeof(sgx_launch_token_t), fp); | + | |
| - | if (write_num != sizeof(sgx_launch_token_t)) | + | |
| - | printf("Warning: Failed to save launch token to \"%s\".\n", token_path); | + | |
| - | fclose(fp); | + | |
| - | return 0; | + | |
| - | } | + | |
| - | bool is_ecall_successful(sgx_status_t sgx_status, const std::string& err_msg, | + | Even if it doesn't look as pretty as Task Manager, this tool was developed for Windows 2000 initially. |
| - | sgx_status_t ecall_return_value) { | + | The Task Manager of Windows 2000 offered much fewer options than the one for Windows 10. |
| - | if (sgx_status != SGX_SUCCESS || ecall_return_value != SGX_SUCCESS) { | + | Now, Task Manager and Process Explorer are interchangeable in most cases. |
| - | printf("%s\n", err_msg.c_str()); | + | |
| - | print_error_message(sgx_status); | + | |
| - | print_error_message(ecall_return_value); | + | |
| - | return false; | + | |
| - | } | + | |
| - | return true; | + | |
| - | } | + | |
| - | </code> | + | |
| + | ==== 05. Windows API ==== | ||
| + | The previous chapters cover most cases where we encounter an error, we diagnose it, and identify it. | ||
| + | |||
| + | There is always the very rare case where a tool just doesn't cut it. | ||
| + | In this case we can use the API offered by Windows to extract what information we want from a program and/or the system. | ||
| + | |||
| + | More precisely, we are interested in the [[https://docs.microsoft.com/en-us/windows/win32/psapi/process-status-helper | Process Status API]] from Windows. | ||
| + | This offers basic functionality to extract information from the system and its processes. | ||
| + | |||
| + | We will only briefly go over the functions in the Task, so feel free to try more of the functionality of the API. | ||
| + | |||
| + | ===== Tasks ===== | ||
| + | |||
| + | <note warning> | ||
| + | The tasks can be found for the Windows sessions can be found here: | ||
| + | * New Tasks: {{:ep:laboratoare:lab08-tasks.zip|}} | ||
| + | </note> | ||
| + | |||
| + | {{namespace>:ep:labs:08:contents:tasks&nofooter&noeditbutton}} | ||
