EXIF Capturing and Forensics

first and foremost, today is the Persian ancient new year (Nowruz), the first day of spring. Happy new year to all Persians.

but let me get back to our post title, oh Exif, a simple data structure which can reveal so many great information to intruders or investigators. needless to say, EXIF ( the exchangeable image file format ) normally contains some key information regarding the camera model, the place of taken picture and other precious data. with the advent of social medias and sharing the unlimited number of pictures on the internet, this is a good idea to investigate through countless of pictures to see What else can be taken except the content of the image. as our previous post's code was written in python, I follow the same programming language.  you need to download and install Python Image library first at this URL: http://www.pythonware.com/products/pil/

Then you need to take to the second step, test whether your library is installed properly or not.

run this code in python interactive terminal or save it into a file and run it.

from PIL.EXIFTags import GPSTAGS
gps ¼ GPSTAGS.items()
gps.sort()
print gps

taking a deeper look at what we got from the result is a dictionary of GPSTAGS. some of the key important items are GPSLONGITUDEREF and GPSLATITUDEREF which we need to take a look at it later on. Then, we need to know more about GPSTAGS, here is a brief introduction of what they are. the text below is quoted from Python Forensics Book: 

"GPSLatitudeRef: Latitude is specified by either the North or South position in degrees from the equator. Those points that are north of the equator range from 0 to 90 degrees. Those points that are south of the equator range from 0 to -90 degrees. Thus this reference value is used to define where the latitude is in relationship to the equator. Since the value latitude is specified in EXIF as a positive integer, if the Latitude Reference is “S” or South, the integer value must be converted to a

negative value.

GPSLatitude: Indicates the latitude measured in degrees. The EXIF data specify these as whole degrees, followed by minutes and then followed by seconds. GPSLongitudeRef: Longitude is specified by either the east or west position in degrees. The convention is based on the Prime Meridian which runs through the Royal Observatory in Greenwich, England, which is defined as longitude zero degrees. Those points that are west of the Prime Meridian range from 0 to -180 degrees. Those points that are east of the Prime Meridian range from 0 to 180 degrees. Thus this reference value is used to define where the longitude value is in relationship to Greenwich. Since the value of longitude is specified in EXIF as a positive integer, if the Longitude Reference is west or “W,” the integer value must be converted to a negative value.

GPSLongitude: Indicates the longitude measured in degrees. The EXIF data specify these as whole degrees, followed by minutes and then followed by seconds. "

for making large advances, always you need to follow other works and then make some modification into it and avoid reinventing the wheel. the source code below is intended to scan a path and gives you some information on which picture contains EXIF data.  when the for loop iterates, each of those pictures will be sent to a function of a class named _modEXIF which is responsible for the calculation of longitude and latitude and to see is there any EXIF tag or not to proceed the rest.

import os
import _modEXIF

TS = 0
MAKE = 1
MODEL = 2

# define a directory to scan
scanDir = "C:\\pics\\"
try:
        picts = os.listdir(scanDir)
except:
        print "error invalid directory"
        exit(0)
for aFile in picts:
        targetFile = scanDir + aFile
        if os.path.isfile(targetFile):
                gpsDictionary, EXIFList = _modEXIF.ExtractGPSDictionary(targetFile)
                if (gpsDictionary):
                        # Converted to degrees
                        dCoor = _modEXIF.ExtractLatLon(gpsDictionary)
                        lat = dCoor.get("Lat")
                        latRef = dCoor.get("LatRef")
                        lon = dCoor.get("Lon")
                        lonRef = dCoor.get("LonRef")
                        
                        if ( lat and lon and latRef and lonRef):
                                print targetFile + ":" + EXIFList[TS] + ":"  + EXIFList[MAKE]+ ":" +
                                EXIFList[MODEL]+ ":" +  str(lat)+','+str(lon)
                        else:
                                print "WARNING", "no GPS EXIF Data for "
                else:
                        print "no dictionary found in " + targetFile

and the class goes like this

import os # Standard Library OS functions
from PIL import Image
from PIL.ExifTags import TAGS, GPSTAGS
import sys
def ExtractGPSDictionary(fileName):
        try:
                pilImage = Image.open(fileName)
                EXIFData = pilImage._getexif()
        except Exception:
                print sys.exc_info()[0]
                return None, None
        imageTimeStamp = "NA"
        CameraModel = "NA"
        CameraMake = "NA"
        gpsDictionary = {}
        if EXIFData:
                for tag, theValue in EXIFData.items():
                           tagValue = TAGS.get(tag, tag)
                           if tagValue =='DateTimeOriginal':
                                imageTimeStamp = EXIFData.get(tag)
                           if tagValue == "Make":
                                CameraMake = EXIFData.get(tag)
                           if tagValue =='Model':
                                CameraModel = EXIFData.get(tag)
                        # check the tag for GPS
                           if tagValue == "GPSInfo":
                                # Found it !
                                # Now create a Dictionary to hold the GPS Data
                                for curTag in theValue:
                                        gpsTag = GPSTAGS.get(curTag, curTag)
                                        gpsDictionary[gpsTag] = theValue[curTag]
                basicEXIFData = [imageTimeStamp, CameraMake,CameraModel]
                return gpsDictionary, basicEXIFData

        else:
                return None, None

def ExtractLatLon(gps):
        # to perform the calculation at least lat, lon, latRef and lonRef are needed
        if (gps.has_key("GPSLatitude") and gps.has_key("GPSLongitude")
        and gps.has_key("GPSLatitudeRef") and gps.has_key
        ("GPSLatitudeRef")):
                latitude = gps["GPSLatitude"]
                latitudeRef = gps["GPSLatitudeRef"]
                longitude = gps["GPSLongitude"]
                longitudeRef = gps["GPSLongitudeRef"]
                lat = ConvertToDegrees(latitude)
                lon = ConvertToDegrees(longitude)
                if latitudeRef == "S":
                        lat = 0 - lat
                # Check Longitude Reference
                # If West of the Prime Meridian in
                # Greenwich then the Longitude value is negative
                if longitudeRef == "W":
                        lon = 0- lon
                gpsCoor = {"Lat": lat, "LatRef":latitudeRef, "Lon": lon,
                "LonRef": longitudeRef}
                return gpsCoor
        else:
                return None

def ConvertToDegrees(gpsCoordinate):
        d0 = gpsCoordinate[0][0]
        d1 = gpsCoordinate[0][1]
        try:
                degrees = float(d0) / float(d1)
        except:
                degrees = 0.0
        m0 = gpsCoordinate[1][0]
        m1 = gpsCoordinate[1][1]
        try:
                minutes = float(m0) / float(m1)
        except:
                minutes=0.0
        s0 = gpsCoordinate[2][0]
        s1 = gpsCoordinate[2][1]
        try:
                seconds = float(s0) / float(s1)
        except:
                seconds = 0.0
        floatCoordinate = float (degrees + (minutes / 60.0)+(seconds /
3600.0))
        return floatCoordinate

to sum up, you can check out the below link to find out which location those numbers refer to.
http://www.latlong.net/Show-Latitude-Longitude.html

Network Forensics - python scripting

as a practice and establishing a baseline in our blog posts, it is better to start off with python scripting. regarding the title of this post, numerous articles are on the internet and so many great books have been written in python security. the idea behind such an approach ( python scripting ) is to cover up the deficiencies of some custom or creative tools on security field. whenever you want to think about network forensics, you should consider about sockets, the fundamental building block which allows interacting with other devices. The socket API which most operation systems use today is based on Berkeley sockets. Berkeley sockets were used for the first time with UNIX BSD version in 1993. later, they released a free version that is used in nowadays use across different operation system.
for more information related to Berkeley socket, you can check out Wikipedia page.
for instance, if you have ever tried to write a client/server TCP application, the following flowchart must be observed by the programmer.

some methods or functions which commonly use in Socket programming by many today programming languages are presented in the above illustration.  you can find more information about how these methods and how to build network programs in python or any other languages on network programming books.

if I want to write about socket programming in python, it may more cumbersome for readers to read about it in a single post and I would prefer to write a simple code which does some sneaky information gathering through network access. this program is developed to collect information about open ports on a local or remote machine.  as you know for sure, many well-known ports are used by famous services and programs and that's why we need to specify them in an array. each try may take several seconds or minutes and we set a timeout for connection in socket object. in this code, two functions are responsible for getting the work done. first is to call check_port and second if the result indicates the port is open, then check_port will check what that port is for. this is a sample of running the code.

for more investigation, you can manipulate the code in any way or make it parallel for speeding it up

 
#!/usr/bin/python

# developed by Mansoor (manz@digitz.org)
# insecurebytes.blogspot.com

import socket,sys,time,datetime,argparse,os

line = "+" * 80


ip = socket.gethostbyname("127.0.0.1")


openports = []
common_ports = {

        '21': 'FTP',
        '22': 'SSH',
        '23': 'TELNET',
        '25': 'SMTP',
        '53': 'DNS',
        '69': 'TFTP',
        '80': 'HTTP',
        '109': 'POP2',
        '110': 'POP3',
        '123': 'NTP',
        '137': 'NETBIOS-NS',
        '138': 'NETBIOS-DGM',
        '139': 'NETBIOS-SSN',
        '143': 'IMAP',
        '156': 'SQL-SERVER',
        '389': 'LDAP',
        '443': 'HTTPS',
        '546': 'DHCP-CLIENT',
        '547': 'DHCP-SERVER',
        '995': 'POP3-SSL',
        '993': 'IMAP-SSL',
        '2086': 'WHM/CPANEL',
        '2087': 'WHM/CPANEL',
        '2082': 'CPANEL',
        '2083': 'CPANEL',
        '3306': 'MYSQL',
        '8443': 'PLESK',
        '10000': 'VIRTUALMIN/WEBMIN',
        '135' : 'unknown'
}

starting_time = time.time()
print "+" * 40
print "\tSimple Port Scanner..!!!"
print "+" * 40


print "Scanning started at %s" %(time.strftime("%I:%M:%S %p"))

def check_port(host, port, result = 1):
        try:
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                sock.settimeout(0.5)
                r = sock.connect_ex(("127.0.0.1", port))        
                if r == 0:
                        result = r
                sock.close()
        except Exception, e:
                pass

        return result

def get_service(port):
        port = str(port)
        if port in common_ports: 
                return common_ports[port]
        else:
                return 0


try:
        print "Scan in progress.."
        print "Connecting to Port: ",


        for p in sorted(common_ports):
                p = int(p)
                print p,        
                response = check_port("127.0.0.1", p)
                if response == 0:
                        openports.append(p)

        print "\nScanning completed at %s" %(time.strftime("%I:%M:%S %p"))
        ending_time = time.time()
        total_time = ending_time - starting_time
        print "=" * 40
        print "\tScan Report: 127.0.0.1"
        print "=" * 40
        
        total_time = str(round(total_time, 2))
        print "Scan Took %s seconds" %(total_time)

                
        if openports:
                print "Open Ports: "
                for i in sorted(openports):
                        service = get_service(i)
                        if not service:
                                service = "Unknown service"
                        print "\t%s %s: Open" % (i, service)
        else:
                print "Sorry, No open ports found"

except KeyboardInterrupt:            
        sys.exit(1)

A Survey of Reverse Engineering Tools for windows platform - part two

in addition to my previous post, let's add more info regarding reverse engineering tools. so far you have read about what the categories of reverse engineering tools are. before digging into the heart of the matter and introduce some tools of each section, let's take a look at a comprehensive reverse engineering process.

you can comprehend how the flow goes from the beginning step ( having an executable ).

hex editors:

hex editors as we mentioned earlier, give you this ability to make some changes to executables and DLL files. they mainly come handy when you need to change a specific piece of instruction or a string. for instance, you might want to change messageBox call to No-OP ( no operation )  - more info. for understanding these functions or System API such as messageBox if you wonder how you can find them, you need to check some references out to get some information about these APIs. most of these functions are located in Native DLLs such as kernel32.dll or USER32.dll. 

an advanced hex editor which is worthy to know is WinHex, as you can see in the following figure, hexadecimal and ASCII equivalents of a sample binary program are displayed.

however, another Hex editor named Hex workshop is out there which is capable of doing some mathematical operations. the aforementioned editor is able to interpret little-endian(intel x86)  and big-endian (power PC) and has some features such as character distribution and data visualizer as well.

Debugger / Disassembler:

many believe that most two well-known programs in this category are OllyDbg and IDA pro. OllyDbg is an application-level debugger which is used mainly on different versions of windows operation systems.  it is hard to mention all of its features but some of the most frequent ones are disassembly section, hex dump, stack window and the lovely CPU register window. OllyDbg supports for setting conditional breakpoint, memory dumping and bypassing the IsDebuggerPresent API. on the other side, IDA Pro provides accurate analyzes, disassembling of the binary program in color-coded. well-organized and easy-to-read way and like Ollydbg, it can give you some common options such as import and export viewing, hex editting, string extraction.

even so, they are some other debuggers or disassemblers which can be found as a good choice sometimes such as SoftIce, TRW or some language-specific debuggers like DeDe, VBReFormer.

Decompiler:

decompilers are so fancy because they open the doors of fortunate to you in a second without any efforts. as a first example, JAD is a java decompiler which is written in C++ but it has its own drawbacks while decompilation process. the second example is JODE which sometimes it performs better than JAD on java files. we just covered some decompilers related to JAVA language but you can find many on the internet regarding other languages to help you to get the main source code if everything is not meant to stop you.

source code obfuscators:

when you send your source-code to an obfuscator, mostly obfuscator gives back an obfuscated output of your file. clearly, you should do this when you want to give a compiled version of your binary file to a customer. in a simple obfuscation process, they would change variable and function names to something very short or meaningless. you previous indentation and space will be removed to make your code less readable in case of decompilation. as an example, PreEmptive solutions offers obfuscator for both dot.NET and Java languages.

some binary obfuscators which frequently used encryption and packing, they add a decryption routine to the executable to achieve decryption at run time. at the moment, the pure binary is visible in the memory and this is a good chance to manipulate the binary on the fly or clone it somewhere on your hard drive.  as an example, ASProtect uses a technique called stolen bytes. Stolen bytes refers to an anti-memory dumping technique that requires the deletion of a section of code quickly after it is executed

                           

A Survey of Reverse Engineering Tools for windows platform - part one

interestingly, reverse engineering will captivate you after learning tips and tricks of it. as my first post regarding reverse engineering, it is better to explain what reverse engineering is. in fact, reverse engineering consists of several steps or processes to extract knowledge or comprehend the design flow of a human-made product. this product can be anything in this world. from industrial machines to tiny software such as a MP3 converter program. designers or it is better to be said, programmers ( not a significant number of them ) in our context, do their best to place some preventive mechanism to stop crackers. on the other hand, virus writers would obfuscate their runtime behaviour to deceive reverse engineer analysists while examination or to slip sneakily under the radar of anti-viruses. reverse engineer in software context defined by Chikosfky. as they published a research paper, they state: "Reverse engineering is the process of analysing a subject system to create representations of the system at a higher level of abstraction." 

obfuscation is a famous terminology in software design and reverse engineering which is referred many times by books, articles and so on. in essence, obfuscation or anti-tempering techniques would protect and guard your program against those ones whose intent is to modify your application or somehow re-engineer it. 

additionally, there are many fruitful tools which can be handy in different circumstances. to understand the behaviour of a specific program, you need to choose a debugger or disassembler at first to identify or gain the basic knowledge of it. once you figure out the program is obfuscated or dimmed, the next step must be the identification of obfuscator whether it is a ready-made one or a custom personal one is. some PE editors would recognise and do the responsibility.  to restore everything to a normal state, an unpacker must be used and in those odd cases when you confront with a custom personal scheme, you should do the process of unpacking manually while this requires high skill. 

after defeating the obfuscation phase, a debugger goes for the rest of way. it is important to realise that by using a debugger or disassembler, you can change the Strings, Trace some outgoing API calls and input/output functionality. typically, you would select your debuggers or disassembler based on the programming language of that executable. therefore, if you have a program which is written in VB6 and another one is written in C#, evidently, two different disassemblers would be used in this situation.

each one presents some unique features to ease the process of disassembling. you may often see that program is resistant to making any changes and within itself, some preventive mechanisms such as debugger detection, checksums add some trouble and hardship. 

categories of Reverse engineering tools

after all, an arsenal of tools has been developed over the recent years and in the following four main categories, most of them can be included.

Hex editors: they provide a representational of base-16 or hexadecimal format of the binary data. they will also show the equivalent of base-16 in different ways, for instance: ASCII or Unicode 

Disassembler/Debugger: these programs translate base-16 into assembly language while debuggers would run a program and give the user facility of terminating or pausing the application at a certain point. in most cases, these two kinds of software would be in a single product.

Decompilers: these programs would translate the executable program directly into source code.

Related tools: tiny programs which play an important role such as obfuscators, PE editors, memory analyser and dumper, packers and unpackers 

.NET Threading in action part-2

as we discussed threading earlier and gave a very brief introductory post regarding threading in. NET , I managed to record a video about major simple tasks which can be implemented via threading and posted on my youtube channel. anyway, i have recently created this channel and perhaps I would post more videos there from now on.
this video describes sleep(), join() and interrupt() methods as well as threadpriority.can check it out on youtube at the following URL, hope it will be useful enough to start and spark something in your mind if you are not still familiar with threading, particularly in .NET framework.
https://www.youtube.com/watch?v=aNWyHRkhUaE

Perl GUI Programming

hi, today I want to explain how can you write a GUI app in Perl language. maybe after some months no writing, come back with some nice notes about perl.i’m sure that you somewhat tired of boring console apps.first of all you have to know that if ya wanna write something in Perl that is requires some extra modules, you have two choices to find & install them. one of them is PPM ( Perl package manager) that let you install packages in an easy way. another way is Cpan.it also exists in windows & Unix . with this command you can install packages: install ( package name ) .we use TK module for creating GUI forms .so lets go to the heart of matter.the main thing that you got to pay attention to it is that, its totally look like other modules in languages such as ( PHP – python ) that contain some steps like creating a new main window then place some widgets & starting off the event loop

use TK;

$mh = mainWindow->new();
$mh->title(“salam”);

$mh->label(-text=>”just for testing”)->pack; mainloop;

let's run this program & see your first GUI application in Perl.Yes! that was so much easy to accomplish the first mission.one note is there.pack at the end of the label code is for giving a default location on the main form to it.for placing some buttons on the form we use the following example:

$mh->button(-text=>”test”)->pack;

but you might think why it doesn’t return anything to me ? yes you didn’t define any event for it.

$mh->button(-text=>”test”)->pack;
mainloop;
sub m2h {

}

print “button clicked”;

full source code to help you out and ease the process of learning

#!/usr/bin/perl
use Tk;


my $window = MainWindow->new;

$window->title("Welcome to mH-diary.ir");

$window->Label(-text => "welcome to my website")->pack;

$window->Label(-text => "lets see how can we write something like that")->pack;
#$window->Button(-text => "Print a value", -command => \&but )->pack;

#$window->Button(-text => "Double the value", -command => sub {$val*=2} )->pack;
#$window->Button(-text => "This is a quit button ", -command => \&finito )->pack;
$window->Label(-text => "")->pack;

$window->Button(-text => "::Exit::",-command => \&m2h )->pack;
$window->Button(-text => "About me ",-command => \&m2h )->pack;
$window->Label(-text => "")->pack;
MainLoop;

###############################################

sub but {


print "value is $val\n";
}

sub m2h {
print "test button clicked\n";
}
sub finito{
print "going away ...\n";
print "final value is $val\n";
exit;
}

sub BEGIN {
$val = 2;

}

there is a screenshot which i found it on my previous website ( in 2008 ).

.NET Threading in action part-1

I want to use C# as my default language for some consecutive posts but later on, I will try to post different languages threading tips and tricks. C# has an extensive Task Parallel Library which has been improving and enhancing through the time. I want to explain how to spawn a new worker thread and also some of its issues in console application programming which differs a bit from GUI based application.
Firstly, let's focus on Thread Class which represents the main Class of our post. This class lets us do everything that we have discussed earlier like suspending, aborting, starting, prioritising and so on. I will demonstrate the rest of material in a video clip. some complementary information about the lifecycle of Threads in C#:

1. Aborted - The thread is in the stopped state
2. AbortRequested - The Abort() method has been called but the thread has not yet received the System.Threading.ThreadAbortexception that will try to terminate it - the thread is not stopped but soon will be.
3. Background - The thread is being executed in the background
4. Running - The thread has started and is not blocked
5. Stopped - The thread has completed all its instructions and stopped
6. Suspended - The thread has been suspended
7. WaitSleepJoin - The thread has been blocked by a call to Wait(), Sleep(), or Join() 
8. Unstarted - The Start() method has not yet been called on the thread

for the first try, it is better to start off with a very simple code to see how two threads can work simultaneously. in this code sample, we have a Class called "work" that contains two methods. 

the first thread works on the first method and the second one goes for the second method.

the difference between these two methods is, one meant for being used as a static method and another one is meant for using by an object of the class. after running both threads, their state becomes running till they finish. so the following code is all about the main function of our console application.

     static void Main()

        {

          

           ThreadStart x = new ThreadStart(Work.DoWork);
            Thread newThread = new Thread(x);
            Work w = new Work();
            w.Data = 42;
            ThreadStart x2 = new ThreadStart(w.DoMoreWork);
            Thread newThread2 = new Thread(x2);
            newThread.Start();
            newThread2.Start();
            Console.ReadLine();

        }

now it is the time for implementing our desired class ( word ).

 class Work 
    {
        public static void DoWork() 
        {
            Console.WriteLine("Static thread procedure has run"); 
        }
        public int Data;
        public void DoMoreWork() 
        {
            Console.WriteLine("Instance thread procedure. data=> {0}", Data); 
        }
    }

if you run this program for several times, you may get several outputs as threads are not executing in the same order. hope this short tutorial would be beneficial to you guys.

references: C# threading handbook 

Threading Basics

generally speaking , A thread is a special object that is part of the general multitasking abilities of an OS and allows a part of the application to run independently from the execution of other objects. this commonly happens in every millisecond of our daily life. at first, we can to  take a quick glance at what threading is , some comparisons related to threading models, how they are managed and controlled and so on but not maybe all of the topics will be included in this post lol. 

as you can guess , multitasking refers to an ability of an OS which can run more than one application at a time. for instance , you can surf my website while listening to music and also running photoshop behind the browser or split your monitor and work simultaneously. if we want to talk about processes also , process means that when an application  is launched, memory and any other resource for that application are allocated. The physical separation of this memory and resources is called a process. one important note is , application and process are not the same. as you can see in the windows task manager , your system processes go under processes tab . 

Threads

You will also notice that the Task Manager has summary information about process CPU utilisation. This is because the process also has an execution sequence that is used by the computer's processor. This execution sequence is known as a thread. This thread is defined by the registers in use on the CPU, the stack used by the thread, and a container that keeps track of the thread's current state. The container mentioned in the last sentence is known as Thread Local Storage. The concepts of registers and stacks should be familiar to any of you used to dealing with low-level issues like memory allocation.  each process has at least one thread within itself. the main thread is responsible at the run time of the process . for example in most programming languages, the primary thread is started in the Static main () method. threads can access the isolated data within a process and run on the processor as required.

Time Slices

the operating system grants each application a period to execute before interrupting that application and allowing another one to execute. This is not entirely accurate. The processor actually grants time to the process. The period that the process can execute is known as a time slice or a quantum. The period of this time slice is unknown to the programmer and unpredictable to anything besides the operating system. Each operating system and each processor may have a different time allocated. You may spawn some threads in order to do some background work, such as accessing a network or querying a database or something which if you don't, your application ( main thread ) will freeze . for this sake, they are commonly known as worker threads. These threads share the process's memory space that is isolated from all the other processes on the system. The concept of spawning new threads within the same process is known as free threading.  there is something which is called apartment threading model. this model used in VB 6.0 . with this model each process was granted its own copy of the global data needed to execute. Each thread spawned was spawned within its own process, so that threads could not share data in the process's memory.this model is vastly and totally different from free-threading. each thread is taking its turn to execute, we might be reminded of that frustrating wait in line at the bank teller. However, remember that these threads are interrupted after a brief period. At that point, another thread, perhaps one in the same process, or perhaps a thread in another process, is granted execution.  you can find some columns related to threads in task manager shown in the below figure.

Interrupts and Thread Local Storage 

When one thread runs out of time in its allocated time slice, it doesn't just stop and wait its turn again. Each processor can only handle one task at a time, so the current thread has to get out of the way. However, before it jumps out of line again, it has to store the state information that will allow its execution to start again from the point it left earlier. this is a function of Thread Local Storage (TLS). The TLS for this thread,  contains the registers, stack pointers, scheduling information, address spaces in memory, and information about other resources in use. One of the registers stored in the TLS is a program counter that tells the thread which instruction to execute next. Windows knows when it needs to make a decision about thread scheduling by using interrupts. actually, an interrupt is a mechanism that causes the normally sequential execution of CPU instructions to branch elsewhere in the computer memory without the knowledge of the execution program. Windows determines how long a thread has to execute and places an instruction in the current thread's execution sequence. This period can differ from system to system and even from thread to thread on the same system. Since this interrupt is obviously placed in the instruction set, it is known as a software interrupt. This should not be confused with hardware interrupts, which occur outside the specific instructions being executed. Once the interrupt is placed, Windows then allows the thread to execute. When the thread comes to the interrupt, Windows uses a special function known as an interrupt handler to store the thread's state in the TLS. The current program counter for that thread, which was stored before the interrupt was received, is then stored in that TLS. As you may remember, this program counter is simply the address of the currently executing instruction.

Thread Sleep and Interrupt

a program may have yielded execution to another thread so it can wait on some outside resource. However, the resources may not be available the next time the thread is brought back to execute. In fact, it may not be available the next 20 times a thread is executed. The programmer may wish to take this thread out of the execution queue for a long period so that the processor doesn't waste time switching from one thread to another just to realise it has to yield execution again. When a thread voluntarily takes itself out of the execution queue for a period, it is said to sleep. When a thread is put to sleep, it is again packed up into TLS, but this time, the TLS is not placed at the end of the running queue; it is placed on a separate sleep queue. In order for threads on a sleep queue to run again, they are marked to do so with a different kind of interrupt called a clock interrupt. When a thread is put into the sleep queue, a clock interrupt is scheduled for the time when this thread should be awakened. When a clock interrupt occurs that matches the time for a thread on the sleep queue, it is moved back to the runnable queue where it will again be scheduled for execution. we will see later on our video illustration.

Thread Abort

a thread can be interrupted, and also goes to sleep. However, like all other good things in life, threads must die. Threads can be stopped explicitly as a request during the execution of another thread. When a thread is ended in this way, it is called an abort. Threads also stop when they come to the end of their execution sequence. In any case, when a thread is ended, the TLS for that thread is de-allocated. The data in the process used by that thread does not go away, however, unless the process also ends. Threads can be suspended or resumed in some cases.

Thread Priorities

as we have seen how a thread can be interrupted, sleep, aborted, there is something left in our explanation. The last thing we need to cover for the basic concept of threading is how threads prioritise themselves. Using the analogy of our own lives, we understand that some tasks we need to do take priority over other tasks.Windows prioritises threads on a scale of 0 to 31, with larger numbers meaning higher priorities. also as a programmer, you can set the priority of threads by yourself. the process also takes priority.  in  Windows, as long as threads of a higher priority exist, threads in lower priority are not scheduled for execution. The processor will schedule all threads at the highest priority first. Each thread of that same priority level will take turns executing in a round-robin fashion. After all threads in the highest priority have completed, then the threads in the next highest level will be scheduled for execution.

 References: C# Threading Handbook

Establishment of my blog after 8 years

hello dear readers,

in 2003, I established my first blog on 7p.com. later on, as my second attempt in 2008, I ran my website on MH-diary.ir ( still some signs of it exist on archive.org lol ) but I had no intention of running those virtual places for a long period.

at the moment, I'm totally determined to make this blog as part of my weekly or perhaps daily life...

mH