Ubuntu on Windows, one of the hot topics at Build 2016, can now be seen in the Insider Preview.
I'm taking a light look around after installing it.
First of all, compare the /usr/bin path through bash on Ubuntu on Windows and through cmd on native Windows.
I also ran the vi editor in the background.
Can you see init, bash and vi in Process Explorer on the left?
In Task Manager's process list you cannot see init, bash or vi at all; the only thing visible is the Bash.exe that launched the initial bash shell.
(Note that Bash.exe and bash are separate processes.)
In addition, Process Explorer shows no process image path for any of them except Bash.exe!
If you actually check at the kernel level, every one of them has a process object, but all of the information in it, such as the process image path and name, is empty.
What this suggests is that when something running on Ubuntu on Windows performs an action (process execution, file modification, network communication), it is hard to pin that behavior on a specific actor.
Nor do the Ubuntu on Windows processes, other than the initial Bash.exe, leave Prefetch files.
The following screenshot shows Process Monitor while a file is created in the C:\Windows\System32\ path from the Bash shell.
If Windows 10 Redstone is officially released this summer, this is going to be a real headache for forensics and security products!
I spent a bit more time poking at Ubuntu on Windows the next day.
Today I'm going to talk a little about Windows accounts and the file system on Ubuntu on Windows.
These things can happen because Ubuntu on Windows is not a conventional virtualization setup.
First, where in the actual Windows host file system are the files created inside Ubuntu on Windows stored?
(Actually, I should have told you this yesterday, but I forgot to mention it.)
First of all, in Ubuntu on Windows the Linux subsystem environment is independent per Windows account.
In other words, Windows user A gets a root account on Ubuntu on Windows, and every other Windows user on the same machine gets their own root account on Ubuntu on Windows.
In this situation, each user's root account and the space it uses are located at a different path on the actual host.
Even if one user has already installed the Bash shell, another user has to download and install Bash again before they can use it.
By default, Ubuntu on Windows lives under the %LOCALAPPDATA%\lxss path on the host file system.
This is where the core components of Ubuntu live, and we'll come back to it later.
Now, here is how to reach the files of the 'hopper' account, stored on the host file system, from the 'tester' account's Bash through the /mnt directory.
Can you see it?
'tester' is reaching 'hopper''s files!!! You can even modify them!!!
To do this, 'tester' needs privileges on 'hopper''s user directory, but by default you can get there just by running Bash.
How does that feel? Doesn't seem so independent, does it? Haha
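Since the subsystem root sits inside the user's own profile and the host drives are reached through /mnt, the quickest way to see what is really shared is to audit it from the host side. The PowerShell script below is an added example, not something from the original post; it assumes the 2016 layout described above (%LOCALAPPDATA%\lxss for the subsystem root, host drives exposed to Bash as /mnt/<letter>) and that user profiles live under <system drive>\Users.

```powershell
# Added example, not from the original post. Assumes the 2016 Ubuntu on
# Windows layout described above: the subsystem root under
# %LOCALAPPDATA%\lxss and host drives exposed to Bash as /mnt/<letter>.
# Run it from PowerShell on the host as the Windows user whose Bash you
# want to audit.

$lxss = Join-Path $env:LOCALAPPDATA 'lxss'

if (Test-Path $lxss) {
    "Linux subsystem root for ${env:USERNAME}: $lxss"
    # The whole subsystem sits inside this user's profile, so the NTFS ACL
    # on this directory, not anything inside Linux, decides who can alter it.
    (Get-Acl $lxss).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
    Get-ChildItem $lxss -Force |
        Select-Object Name, LastWriteTime |
        Format-Table -AutoSize
} else {
    Write-Warning "No $lxss directory: Ubuntu on Windows is not installed for ${env:USERNAME}"
}

# Every profile on the system drive is visible to Bash as /mnt/<letter>/Users/<name>.
# Being root inside Bash adds nothing here: access is decided by the NTFS ACL,
# evaluated against the Windows token that launched bash.exe.
$drive    = $env:SystemDrive.Substring(0, 1).ToLower()
$usersDir = Join-Path $env:SystemDrive 'Users'

"`nProfiles reachable from this account's Bash via /mnt/$drive/Users:"
foreach ($dir in Get-ChildItem $usersDir -Directory -Force) {
    $linuxPath = "/mnt/$drive/Users/$($dir.Name)"
    try {
        $n = @(Get-ChildItem $dir.FullName -Force -ErrorAction Stop).Count
        $state = "readable, $n entries"
    } catch {
        # Access denied is the expected outcome for another user's profile
        # when the account running this script is not an administrator.
        $state = "not readable ($($_.Exception.GetType().Name))"
    }
    '{0,-45} {1}' -f $linuxPath, $state
}
```

Run it once as a standard user and once as a member of Administrators: the second table is what an administrator's Bash can reach, since bash.exe simply inherits the Windows token of whoever launched it.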
Now... there is another part of this that security solutions need to deal with.
For example, suppose we've implemented "self-protection" that stops our own files from being tampered with without permission.
We identify the processes that access our files and block the unauthorized ones.
But remember from yesterday's post that the processes run from Bash have process objects, yet their process image path and image file name are empty?
If we rely on the "image path" of the process that writes to our protected files, we have no way to identify what a process in Ubuntu on Windows did. There's no path information! Hahaha
So what should we do? Of course there's a way. I'll talk about it next time.
As mentioned, the process name of a Linux subsystem process can't be obtained from the 'Process Image Path' information in the kernel process object.
This means you can't see the process name in 'Task Manager', which is populated from the 'Process Image Path' information.
So what should we do?
Fortunately there are many ways.
Two of them are already in common use, and I'm going to show you a couple that can be used from both user mode and kernel mode.
(The rest will come later...)
You all know this one!
The method is... the NtQuerySystemInformation() API call.
It's too easy, right? Hahaha
If you call NtQuerySystemInformation() with the SystemProcessInformation class, you get the process information.
Walk the returned entries and read the ImageName field of each one to get the process name.
Here is the output of a program I wrote, in an environment where I ran a few programs through Bash.
The names of init, bash and the other process shown in Process Explorer on the left are printed correctly by my program in the upper-right corner.
Task Manager, on the other hand, shows nothing where init should be. (The other two don't show up in Task Manager either.)
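The PowerShell script below is an added example and not the author's program. It does the same walk described above from user mode via P/Invoke (NtQuerySystemInformation with SystemProcessInformation, following NextEntryOffset and reading ImageName), then cross-checks each PID against the image path that Task Manager, Process Explorer and a self-protection check of the kind discussed in the previous post rely on, which is empty for the subsystem processes. The struct layout follows winternl.h; the names NtProc, Get-NtProcessList and Get-ImagePath are mine.

```powershell
# Added example, not from the original post. Enumerates processes through
# NtQuerySystemInformation(SystemProcessInformation) and lists the ones for
# which the kernel reports a name but Windows reports no image path, which is
# what the earlier post observed for init, bash and vi started from Bash.
# Struct layout is the one published in winternl.h; works on x86 and x64.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class NtProc
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING
    {
        public ushort Length;        // in bytes, not characters
        public ushort MaximumLength;
        public IntPtr Buffer;
    }

    // Leading fields as documented in winternl.h; only the ones we read are named.
    [StructLayout(LayoutKind.Sequential)]
    public struct SYSTEM_PROCESS_INFORMATION
    {
        public uint NextEntryOffset;
        public uint NumberOfThreads;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 48)]
        public byte[] Reserved1;
        public UNICODE_STRING ImageName;
        public int BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }

    public const int SystemProcessInformation = 5;
    public const int STATUS_INFO_LENGTH_MISMATCH = unchecked((int)0xC0000004);

    [DllImport("ntdll.dll")]
    public static extern int NtQuerySystemInformation(
        int SystemInformationClass, IntPtr SystemInformation,
        int SystemInformationLength, out int ReturnLength);
}
'@

function Get-NtProcessList {
    # Grow the buffer until the kernel stops answering STATUS_INFO_LENGTH_MISMATCH.
    $size = 256KB
    while ($true) {
        $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
        $needed = 0
        $status = [NtProc]::NtQuerySystemInformation(
            [NtProc]::SystemProcessInformation, $buf, $size, [ref]$needed)
        if ($status -ne [NtProc]::STATUS_INFO_LENGTH_MISMATCH) { break }
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        $size = $needed + 64KB
    }
    if ($status -ne 0) {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        throw ('NtQuerySystemInformation failed: 0x{0:X8}' -f $status)
    }
    try {
        $offset = 0
        do {
            $p = [Runtime.InteropServices.Marshal]::PtrToStructure(
                [IntPtr]::Add($buf, $offset), [NtProc+SYSTEM_PROCESS_INFORMATION])
            $name = if ($p.ImageName.Buffer -ne [IntPtr]::Zero) {
                [Runtime.InteropServices.Marshal]::PtrToStringUni(
                    $p.ImageName.Buffer, [int]($p.ImageName.Length / 2))
            } else { '' }   # only the Idle process (PID 0) has no name
            [pscustomobject]@{
                Pid       = $p.UniqueProcessId.ToInt64()
                ParentPid = $p.InheritedFromUniqueProcessId.ToInt64()
                Threads   = $p.NumberOfThreads
                ImageName = $name
            }
            $offset += $p.NextEntryOffset
        } while ($p.NextEntryOffset -ne 0)
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

function Get-ImagePath([long] $ProcessId) {
    # The image path Task Manager and Process Explorer display. Idle and System
    # have no user-mode image, so they are skipped rather than probed.
    if ($ProcessId -le 4) { return $null }
    try   { (Get-Process -Id $ProcessId -ErrorAction Stop).Path }
    catch { $null }
}

$procs = Get-NtProcessList |
    Select-Object *, @{ Name = 'ImagePath'; Expression = { Get-ImagePath $_.Pid } }

"--- processes with a kernel-reported name but no image path ---"
$procs | Where-Object { $_.ImageName -and -not $_.ImagePath } |
    Sort-Object Pid | Format-Table Pid, ParentPid, Threads, ImageName -AutoSize
```

Start a bash session and a vi inside it first, then run the script: init, bash and vi show up in the final table with their names intact even though nothing in Task Manager does. Protected and system processes also hide their image path from a non-administrator caller, so treat a row in that table as a lead to confirm, not as proof of a subsystem process.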
Now... you're probably wondering.
How does the NtQuerySystemInformation() API get the process name?
The answer is in the Linux subsystem kernel implementation.
I think it's time to talk about the Linux subsystem itself.
Sorry for my bad English.