Programming for Info Sec, Test 2

51 Terms

1

What is compilation?

Compilation converts source code into object code containing machine-language instructions. Memorize: Converts source code into object code.

2

What is linking?

Linking combines object files into a single executable and resolves external function references and libraries. Memorize: Linking builds the final executable.

3

What is static linking?

Static linking embeds library code into the executable at compile/link time

4

Why is static linking self-contained?

Because all required library code is included inside the final .exe at link time. Memorize: Everything is bundled into the EXE.

5

Role of header files in static linking

Header files tell the compiler about available functions

6

Role of function prototypes in static linking

Prototypes allow the compiler to verify function calls use the correct parameters and return types. Memorize: Prototypes validate function usage.

7

What is dynamic linking?

Dynamic linking loads the library at runtime instead of compile time and requires external DLLs to be present. Memorize: DLL loads at runtime.

8

When does dynamic linking occur?

During program execution

9

Static vs Dynamic: Binary Size

Static: Larger executable because library code is embedded. Dynamic: Smaller executable since library stays external. Memorize: Static big

10

Static vs Dynamic: Portability

Static: Highly portable

11

Static vs Dynamic: Memory Usage

Static: Each process loads its own copy of the library. Dynamic: DLL code can be shared in memory across processes. Memorize: Static = separate copies

12

Static vs Dynamic: Updates & Security

Static: Must rebuild full .exe to update libraries. Dynamic: Update DLL once and all programs use the new version. Memorize: Static needs rebuild

13

Static vs Dynamic: Performance

Static: Slightly faster (no dynamic loading). Dynamic: Minor overhead to load/resolve functions. Memorize: Static faster startup.

14

Static vs Dynamic: Reverse Engineering

Static: Harder to isolate library code inside exe. Dynamic: Exported functions in DLL easier to inspect. Memorize: DLL exports are visible.

15

Static vs Dynamic: Versioning

Static: No version conflicts. Dynamic: Risk of “DLL Hell” (wrong DLL version). Memorize: Dynamic may cause version issues.

16

Events to handle in dynamic linking

Must handle: missing DLL, incorrect version, LoadLibrary failure, GetProcAddress failure, runtime dependency issues. Memorize: Must handle DLL load + version failures. Also consider: thread safety, symbol resolution errors, and security vulnerabilities.

17

How to statically link

Uncommon library: #pragma comment(lib, "<libname>"). Common library: just #include <library>. Memorize: Use #pragma or #include. Statically linking means linking an external library at compile time by specifying it directly in the code using compiler directives. This ensures that all necessary code from the library is included in the resulting executable.

18

What does LoadLibrary do?

Loads a DLL into memory at runtime so functions can be accessed. Memorize: Loads DLL at runtime.

19

What does GetProcAddress do?

Retrieves the address of an exported function from a loaded DLL so it can be called. Memorize: Gets function address from DLL.

20

When is DllMain called?

DllMain runs when the DLL loads, unloads, and when threads attach/detach. Memorize: Runs on load/unload and thread events. It is invoked by the system during the initialization and termination of the DLL lifecycle.

21

Exported vs non-exported functions

Exported functions can be called outside the DLL; non-exported functions remain internal and private. Memorize: Exported = public, non-exported = private.

22

How to export a function

Use: extern "C" __declspec(dllexport) before the function definition. Memorize: Use __declspec(dllexport) to export.

23

How to call a function dynamically

Load DLL, create function pointer, assign with GetProcAddress, then call through pointer. Memorize: Load DLL → GetProcAddress → call via pointer.

24
What is the role of the OS in process management?
The OS manages creation, scheduling, execution, and termination of processes. It allocates CPU time, memory, and I/O resources and ensures isolation and coordination between processes. Memorize: OS controls process creation, scheduling, and resource allocation.
25
What are the states a process can be in?
New, Ready, Running, Waiting (or Blocked), and Terminated. Memorize: New to Ready to Running to Waiting to Terminated.
26
What are process scheduling algorithms and why do they exist?
They decide which process gets CPU time and when, to ensure efficiency, fairness, response time, and throughput. Memorize: Algorithms decide CPU order for fairness and efficiency.
27
Role of the Process Control Block (PCB)
The PCB stores info the OS needs to manage a process, including PID, process state, parent and child IDs, CPU register values, memory info, scheduling info, and I/O status. Memorize: PCB holds all process info.
28
Why the PCB matters for forensics
PCBs show process lineage, resources, and behavior. Investigators can track parent-child relationships, malicious origins, and execution evidence. Memorize: Shows what ran and who spawned it.
29
Difference between processes and threads
Processes have separate memory and resources, while threads share memory within a process. Memorize: Processes independent and threads shared memory.
30
Difference in how processes vs threads are managed
Processes require full context switching and separate memory, while threads are lighter with shared memory and need synchronization. Memorize: Processes heavier and threads lighter but need sync.
31
IPC mechanisms and how they are implemented
IPC includes pipes, shared memory, message queues, sockets, and semaphores. Linux uses pipes, shared memory, and semaphores, while Windows uses named pipes, mailslots, shared memory, events, and semaphores. Memorize: IPC pipes, shared memory, semaphores, queues.
32
Classic concurrency problems
Producer-consumer, dining philosophers, and reader-writer. Use semaphores, locks, ordering, or read-write locks to avoid conflicts. Memorize: Race condition problems solved with locks and semaphores.
33
What is deadlock?
A circular wait where processes are stuck holding resources others need and none can proceed. Memorize: Deadlock = circular wait.
34
How is deadlock managed?
Use prevention, avoidance, detection, and recovery methods. Memorize: Prevent, avoid, detect, recover.
35
Windows vs Linux creating processes
Linux uses fork to clone a process, then exec to replace the program. Windows uses CreateProcess to start a new process with configuration parameters. Memorize: Linux fork and exec, Windows CreateProcess.
36
How Linux differentiates parent and child after fork
The fork call returns the child PID to the parent, returns 0 to the child, and returns negative one if creation fails. Memorize: Parent gets PID and child gets zero.
37
Windows vs Linux IPC
Linux uses pipes, shared memory, and semaphores. Windows adds named pipes, mailslots, events, and system-wide IPC naming. Memorize: Windows IPC includes named pipes.
38
How Windows IPC helps forensics
Named IPC objects let investigators track inter-process communication and detect malicious or unusual connections. Memorize: Naming lets us trace communications.
39
How exec family works
exec replaces the current process image with a new program. The PID stays the same, but code and memory change. Variants differ in how the program path and arguments are passed. Memorize: exec replaces current process with new one.
40
What does Listen do?
Listen marks a socket as passive and ready to accept incoming connection requests. Memorize: Listen prepares socket to accept connections.
41
What does Bind do?
Bind assigns an IP address and port to a socket. Memorize: Bind attaches socket to IP and port.
42
What does Accept do?
Accept waits for and establishes an incoming connection on a listening socket and returns a new socket for communication. Memorize: Accept returns new socket for client.
43
What does Connect do?
Connect requests a connection to a remote server socket. Memorize: Connect initiates connection to server.
44
What does Send do?
Send transmits data over a connected socket. Memorize: Send sends data.
45
What does Recv do?
Recv receives data from a connected socket. Memorize: Recv receives data.
46
Which networking functions show observable behavior in Wireshark or netstat?
Connect causes SYN packets and connection attempts, and Listen and Accept create listening or established states visible in netstat. Memorize: Connect, Listen, and Accept visible in tools.
47
Which functions cause observable behavior?
Connect triggers SYN and ACK traffic, Listen creates the LISTEN state in netstat, and Accept creates the ESTABLISHED state. Memorize: Connect, Listen, and Accept visible.
48
Which networking function calls are blocking?
Accept waits for an incoming connection, Recv waits for data, and Connect may block during the handshake. Memorize: Accept, Recv, and sometimes Connect block.
49
Why do server-side sockets spawn client-side sockets?
Because the listening socket is only for receiving connection requests, so each client needs a separate socket for communication. Memorize: Listen socket stays separate and each client gets new socket.
50
Why do servers use threads for managing network connections?
To handle multiple client sockets at the same time without blocking and to allow concurrency. Memorize: Threads allow multiple clients at once.
51
Why do clients not need threads for managing connections?
Clients normally handle only one connection at a time, so there is no need for multiple threads. Memorize: Only one server connection so no threads needed.