index.html

<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <meta http-equiv="pragma" content="no-cache">
  <meta http-equiv="cache-control" content="no-cache">
  <meta http-equiv="expires" content="0">
  
  <title>0pen1的博客</title>
  <meta name="author" content="0pen1">
  
  
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">

  
  <meta property="og:site_name" content="0pen1的博客"/>

  
    <meta property="og:image" content=""/>
  

  
  
    <link href="/favicon.png" rel="icon">
  
  
  <link rel="stylesheet" href="/css/bootstrap.min.css" media="screen" type="text/css">
  <link rel="stylesheet" href="/css/font-awesome.css" media="screen" type="text/css">
  <link rel="stylesheet" href="/css/style.css" media="screen" type="text/css">
  <link rel="stylesheet" href="/css/responsive.css" media="screen" type="text/css">
  <link rel="stylesheet" href="/css/highlight.css" media="screen" type="text/css">
  <link rel="stylesheet" href="/css/google-fonts.css" media="screen" type="text/css">
  <!--[if lt IE 9]><script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->

  <script src="/js/jquery-2.0.3.min.js"></script>

  <!-- analytics -->
  
  <!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-70812759-1"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-70812759-1');
</script>






<meta name="generator" content="Hexo 5.4.0"></head>

 <body>  
  <nav id="main-nav" class="navbar navbar-inverse navbar-fixed-top" role="navigation">
    <div class="container">
      <button type="button" class="navbar-header navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
		<span class="sr-only">Toggle navigation</span>
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
      </button>
	  <a class="navbar-brand" href="/">0pen1的博客</a>
      <div class="collapse navbar-collapse nav-menu">
		<ul class="nav navbar-nav">
		  
		  <li>
			<a href="/archives" title="All the articles.">
			  <i class=""></i>Archives
			</a>
		  </li>
		  
		  <li>
			<a href="/categories" title="All the categories.">
			  <i class=""></i>Categories
			</a>
		  </li>
		  
		  <li>
			<a href="/tags" title="All the tags.">
			  <i class=""></i>Tags
			</a>
		  </li>
		  
		  <li>
			<a href="/about" title="About me.">
			  <i class=""></i>About
			</a>
		  </li>
		  
		</ul>
      </div>
    </div> <!-- container -->
</nav>
<div class="clearfix"></div>

  <div class="container">
  	<div class="content">
    	 <div class="page-header logo">
  <h1>0pen1的博客<span class="blink-fast">|</span></h1>
</div>

<div class="row page">

	
	<div class="col-md-9">
	

		<div class="slogan">


		<i class="fa fa-heart blink-slow"></i>

		wubba lubba dub dub.

</div>    

		<div id="top_search"></div>
		<div class="mypage">
		
		<!-- title and entry -->
		
			
	
	<!-- display as entry -->
<div class="row">
	<div class="col-md-8">
		<h3 class="title">
			<a href="/2022/02/16/Bypass-AMSI/" >Bypass AMSI</a>
		</h3>
		</div>
	<div class="col-md-4">
		<div class="date">post @ 2022-02-16  </div>
		</div>
	</div>
	


			<!--
<div class="entry">
  <div class="row">
	
	
		<h1 id="Bypass-AMSI"><a href="#Bypass-AMSI" class="headerlink" title="Bypass AMSI"></a>Bypass AMSI</h1><h3 id="AMSI介绍"><a href="#AMSI介绍" class="headerlink" title="AMSI介绍"></a>AMSI介绍</h3><p>反恶意软件扫描接口（Antimalware Scan Interface）简称AMSI，是微软在Windows中阻止恶意脚本执行的解决方案。AMSI通过分析将要执行的脚本，然后根据是否发现恶意内容来决定执行或者阻止。</p>
<p>下面是微软官方的介绍：</p>
<p>引自：<a target="_blank" rel="noopener" href="https://docs.microsoft.com/zh-cn/windows/win32/amsi/antimalware-scan-interface-portal">https://docs.microsoft.com/zh-cn/windows/win32/amsi/antimalware-scan-interface-portal</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Windows反恶意软件扫描接口 (AMSI) 是一种通用接口标准，可让应用程序和服务与计算机上存在的任何反恶意软件产品集成。 AMSI 为最终用户及其数据、应用程序和工作负荷提供增强的恶意软件防护。</span><br><span class="line">AMSI 与反恶意软件供应商无关;它旨在允许当今反恶意软件产品提供的最常见恶意软件扫描和保护技术，这些反恶意软件产品可以集成到应用程序中。 它支持调用结构，允许文件和内存或流扫描、内容源 URL&#x2F;IP 信誉检查和其他技术。</span><br><span class="line">AMSI 还支持会话的概念，以便反恶意软件供应商可以关联不同的扫描请求。 例如，恶意有效负载的不同片段可以关联起来，以做出更明智的决策，仅通过单独查看这些片段，这更难到达。</span><br></pre></td></tr></table></figure>

<p>目前，在Windows10中以下组件已经集成了AMSI：</p>
<ul>
<li>用户帐户控制，或 UAC (EXE、COM、MSI 或 ActiveX的)</li>
<li>PowerShell (脚本、交互式使用和动态代码评估)</li>
<li>Windows脚本主机 (wscript.exe和cscript.exe)</li>
<li>JavaScript 和 VBScript</li>
<li>OfficeVBA 宏</li>
</ul>
<p>并且 从 Windows 10 上运行的 .NET Framework 4.8 开始，运行时通过实现反恶意软件扫描接口(AMSI) 的反恶意软件解决方案来触发扫描。<a target="_blank" rel="noopener" href="https://docs.microsoft.com/zh-cn/dotnet/framework/whats-new/">https://docs.microsoft.com/zh-cn/dotnet/framework/whats-new/</a></p>
<p>AMSI的架构（图片来自微软官方）</p>
	

	</div>
  <a type="button" href="/2022/02/16/Bypass-AMSI/#more" class="btn btn-default more">Read More</a>
</div>

-->
<div class="entry">
  <div class="row">
	
	
		<h1 id="Bypass-AMSI"><a href="#Bypass-AMSI" class="headerlink" title="Bypass AMSI"></a>Bypass AMSI</h1><h3 id="AMSI介绍"><a href="#AMSI介绍" class="headerlink" title="AMSI介绍"></a>AMSI介绍</h3><p>反恶意软件扫描接口（Antimalware Scan Interface）简称AMSI，是微软在Windows中阻止恶意脚本执行的解决方案。AMSI通过分析将要执行的脚本，然后根据是否发现恶意内容来决定执行或者阻止。</p>
<p>下面是微软官方的介绍：</p>
<p>引自：<a target="_blank" rel="noopener" href="https://docs.microsoft.com/zh-cn/windows/win32/amsi/antimalware-scan-interface-portal">https://docs.microsoft.com/zh-cn/windows/win32/amsi/antimalware-scan-interface-portal</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Windows反恶意软件扫描接口 (AMSI) 是一种通用接口标准，可让应用程序和服务与计算机上存在的任何反恶意软件产品集成。 AMSI 为最终用户及其数据、应用程序和工作负荷提供增强的恶意软件防护。</span><br><span class="line">AMSI 与反恶意软件供应商无关;它旨在允许当今反恶意软件产品提供的最常见恶意软件扫描和保护技术，这些反恶意软件产品可以集成到应用程序中。 它支持调用结构，允许文件和内存或流扫描、内容源 URL&#x2F;IP 信誉检查和其他技术。</span><br><span class="line">AMSI 还支持会话的概念，以便反恶意软件供应商可以关联不同的扫描请求。 例如，恶意有效负载的不同片段可以关联起来，以做出更明智的决策，仅通过单独查看这些片段，这更难到达。</span><br></pre></td></tr></table></figure>

<p>目前，在Windows10中以下组件已经集成了AMSI：</p>
<ul>
<li>用户帐户控制，或 UAC (EXE、COM、MSI 或 ActiveX的)</li>
<li>PowerShell (脚本、交互式使用和动态代码评估)</li>
<li>Windows脚本主机 (wscript.exe和cscript.exe)</li>
<li>JavaScript 和 VBScript</li>
<li>OfficeVBA 宏</li>
</ul>
<p>并且 从 Windows 10 上运行的 .NET Framework 4.8 开始，运行时通过实现反恶意软件扫描接口(AMSI) 的反恶意软件解决方案来触发扫描。<a target="_blank" rel="noopener" href="https://docs.microsoft.com/zh-cn/dotnet/framework/whats-new/">https://docs.microsoft.com/zh-cn/dotnet/framework/whats-new/</a></p>
<p>AMSI的架构（图片来自微软官方）</p>
	
	</div>
  <a type="button" href="/2022/02/16/Bypass-AMSI/#more" class="btn btn-default more">Read More</a>
</div>

		
			
	
	<!-- display as entry -->
<div class="row">
	<div class="col-md-8">
		<h3 class="title">
			<a href="/2022/02/09/net程序集内存加载执行技术/" >.net程序集内存加载执行技术</a>
		</h3>
		</div>
	<div class="col-md-4">
		<div class="date">post @ 2022-02-09  </div>
		</div>
	</div>
	


			<!--
<div class="entry">
  <div class="row">
	
	
		<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>Cobalt Strike 从3.11开始增加了一个叫“execute-assembly”的命令，这个命令能够从内存中直接加载.net程序集执行。由于没有文件落地，十分隐蔽，在实战当中应用非常广泛。本文会对Cobalt Strike的execute-assembly命令的执行过程进行分析，并且结合现有的开源项目对此技术的原理进行简单介绍。</p>
<h2 id="基础知识"><a href="#基础知识" class="headerlink" title="基础知识"></a>基础知识</h2><h3 id="1-CLR"><a href="#1-CLR" class="headerlink" title="1.CLR"></a>1.CLR</h3><p>全称Common Language Runtime（公共语言运行时），是一个可由多种编程语言使用的运行环境</p>
<p>CLR是.NET Framework的主要执行引擎，作用之一是监视程序的运行：</p>
<ul>
<li>在CLR监视之下运行的程序属于”托管的”(managed)代码</li>
<li>不在CLR之下、直接在裸机上运行的应用或者组件属于”非托管的”(unmanaged)的代码</li>
</ul>
<h3 id="2-Unmanaged-API"><a href="#2-Unmanaged-API" class="headerlink" title="2.Unmanaged API"></a>2.Unmanaged API</h3><p>参考资料：</p>
<p><a target="_blank" rel="noopener" href="https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/">https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/</a></p>
	

	</div>
  <a type="button" href="/2022/02/09/net程序集内存加载执行技术/#more" class="btn btn-default more">Read More</a>
</div>

-->
<div class="entry">
  <div class="row">
	
	
		<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>Cobalt Strike 从3.11开始增加了一个叫“execute-assembly”的命令，这个命令能够从内存中直接加载.net程序集执行。由于没有文件落地，十分隐蔽，在实战当中应用非常广泛。本文会对Cobalt Strike的execute-assembly命令的执行过程进行分析，并且结合现有的开源项目对此技术的原理进行简单介绍。</p>
<h2 id="基础知识"><a href="#基础知识" class="headerlink" title="基础知识"></a>基础知识</h2><h3 id="1-CLR"><a href="#1-CLR" class="headerlink" title="1.CLR"></a>1.CLR</h3><p>全称Common Language Runtime（公共语言运行时），是一个可由多种编程语言使用的运行环境</p>
<p>CLR是.NET Framework的主要执行引擎，作用之一是监视程序的运行：</p>
<ul>
<li>在CLR监视之下运行的程序属于”托管的”(managed)代码</li>
<li>不在CLR之下、直接在裸机上运行的应用或者组件属于”非托管的”(unmanaged)的代码</li>
</ul>
<h3 id="2-Unmanaged-API"><a href="#2-Unmanaged-API" class="headerlink" title="2.Unmanaged API"></a>2.Unmanaged API</h3><p>参考资料：</p>
<p><a target="_blank" rel="noopener" href="https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/">https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/</a></p>
	
	</div>
  <a type="button" href="/2022/02/09/net程序集内存加载执行技术/#more" class="btn btn-default more">Read More</a>
</div>

		
			
	
	<!-- display as entry -->
<div class="row">
	<div class="col-md-8">
		<h3 class="title">
			<a href="/2021/12/29/DLL解钩技术/" >DLL解钩技术</a>
		</h3>
		</div>
	<div class="col-md-4">
		<div class="date">post @ 2021-12-29  </div>
		</div>
	</div>
	


			<!--
<div class="entry">
  <div class="row">
	
	
		<p>通过从磁盘读取 ntdll.dll 的 .text 部分并将其放在映射到内存中的 ntdll.dll 的 .text 部分的顶部，可以完全解钩（unhook）加载到内存中的任何给定 DLL。这可能有助于bypass一些依赖用户态 API 挂钩的 EDR 解决方案。</p>
<h2 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h2><p>解钩DLL的过程如下面所示。假设ntdll.dll被钩（hook）住了，现在我们来演示如何解钩（unhook）:</p>
<ol>
<li>将ntdll.dll的全新副本从磁盘映射到内存。</li>
<li>找到被钩住的 ntdll.dll 的 .text 部分的虚拟地址（先找到ntdll.dll的基地址，然后用基地址加上.text部分的偏移地址就得到了.text部分的虚拟地址）。</li>
<li>找到新映射的ntdll.dll的.text部分的虚拟地址。</li>
<li>获取被挂钩模块的 .text 部分的原始内存保护</li>
<li>将 .text 部分从新映射的 dll 复制到原始（挂钩）ntdll.dll 的虚拟地址（在第 3 步中找到） - 这是解钩的主要内容，因为所有挂钩字节都被磁盘中的新字节覆盖。</li>
<li>将原始内存保护应用到原始 ntdll.dll 的解钩的 .text 部分。</li>
</ol>
<p>下面是一个简化图，说明了该技术的核心概念，其中 ntdll.dll 的挂钩 .text 部分被替换为磁盘上 ntdll.dll 的 .text 部分的干净副本：</p>
<p><img src="DLL%E8%A7%A3%E9%92%A9%E6%8A%80%E6%9C%AF.assets/assets/-LFEMnER3fywgFHoroYn/-M9b77N-cstE2jRzZI4M/-M9b7TdH_eS5azVO-Vxe/image.png" alt="img"></p>
<h2 id="代码"><a href="#代码" class="headerlink" title="代码"></a>代码</h2><p>下面的代码是解钩ntdll.dll的示例，你可以将它修改成解钩任何DLL的代码。</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&quot;pch.h&quot;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;iostream&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;Windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;winternl.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;psapi.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	HANDLE process = GetCurrentProcess();</span><br><span class="line">	MODULEINFO mi = &#123;&#125;;</span><br><span class="line">	HMODULE ntdllModule = GetModuleHandleA(<span class="string">&quot;ntdll.dll&quot;</span>);</span><br><span class="line">	</span><br><span class="line">	GetModuleInformation(process, ntdllModule, &amp;mi, <span class="keyword">sizeof</span>(mi));</span><br><span class="line">	LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;</span><br><span class="line">	HANDLE ntdllFile = CreateFileA(<span class="string">&quot;c:\\windows\\system32\\ntdll.dll&quot;</span>, GENERIC_READ, FILE_SHARE_READ, <span class="literal">NULL</span>, OPEN_EXISTING, <span class="number">0</span>, <span class="literal">NULL</span>);</span><br><span class="line">	HANDLE ntdllMapping = CreateFileMapping(ntdllFile, <span class="literal">NULL</span>, PAGE_READONLY | SEC_IMAGE, <span class="number">0</span>, <span class="number">0</span>, <span class="literal">NULL</span>);</span><br><span class="line">	LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>);</span><br><span class="line"></span><br><span class="line">	PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;</span><br><span class="line">	PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader-&gt;e_lfanew);</span><br><span class="line"></span><br><span class="line">	<span class="keyword">for</span> (WORD i = <span class="number">0</span>; i &lt; hookedNtHeader-&gt;FileHeader.NumberOfSections; i++) &#123;</span><br><span class="line">		PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));</span><br><span class="line">		</span><br><span class="line">		<span class="keyword">if</span> (!<span class="built_in">strcmp</span>((<span class="keyword">char</span>*)hookedSectionHeader-&gt;Name, (<span class="keyword">char</span>*)<span class="string">&quot;.text&quot;</span>)) &#123;</span><br><span class="line">			DWORD oldProtection = <span class="number">0</span>;</span><br><span class="line">			<span class="keyword">bool</span> isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), hookedSectionHeader-&gt;Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &amp;oldProtection);</span><br><span class="line">			<span class="built_in">memcpy</span>((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), hookedSectionHeader-&gt;Misc.VirtualSize);</span><br><span class="line">			isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), hookedSectionHeader-&gt;Misc.VirtualSize, oldProtection, &amp;oldProtection);</span><br><span class="line">		&#125;</span><br><span class="line">	&#125;</span><br><span class="line">	</span><br><span class="line">	CloseHandle(process);</span><br><span class="line">	CloseHandle(ntdllFile);</span><br><span class="line">	CloseHandle(ntdllMapping);</span><br><span class="line">	FreeLibrary(ntdllModule);</span><br><span class="line">	</span><br><span class="line">	<span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>请注意，上面的代码没有映像基址重定位。尽管 ntdll.dll 在其 .text 部分中没有任何要重定位的内容，但在处理其他 dll 时可能需要它。</p>
	

	</div>
  <a type="button" href="/2021/12/29/DLL解钩技术/#more" class="btn btn-default more">Read More</a>
</div>

-->
<div class="entry">
  <div class="row">
	
	
		<p>通过从磁盘读取 ntdll.dll 的 .text 部分并将其放在映射到内存中的 ntdll.dll 的 .text 部分的顶部，可以完全解钩（unhook）加载到内存中的任何给定 DLL。这可能有助于bypass一些依赖用户态 API 挂钩的 EDR 解决方案。</p>
<h2 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h2><p>解钩DLL的过程如下面所示。假设ntdll.dll被钩（hook）住了，现在我们来演示如何解钩（unhook）:</p>
<ol>
<li>将ntdll.dll的全新副本从磁盘映射到内存。</li>
<li>找到被钩住的 ntdll.dll 的 .text 部分的虚拟地址（先找到ntdll.dll的基地址，然后用基地址加上.text部分的偏移地址就得到了.text部分的虚拟地址）。</li>
<li>找到新映射的ntdll.dll的.text部分的虚拟地址。</li>
<li>获取被挂钩模块的 .text 部分的原始内存保护</li>
<li>将 .text 部分从新映射的 dll 复制到原始（挂钩）ntdll.dll 的虚拟地址（在第 3 步中找到） - 这是解钩的主要内容，因为所有挂钩字节都被磁盘中的新字节覆盖。</li>
<li>将原始内存保护应用到原始 ntdll.dll 的解钩的 .text 部分。</li>
</ol>
<p>下面是一个简化图，说明了该技术的核心概念，其中 ntdll.dll 的挂钩 .text 部分被替换为磁盘上 ntdll.dll 的 .text 部分的干净副本：</p>
<p><img src="DLL%E8%A7%A3%E9%92%A9%E6%8A%80%E6%9C%AF.assets/assets/-LFEMnER3fywgFHoroYn/-M9b77N-cstE2jRzZI4M/-M9b7TdH_eS5azVO-Vxe/image.png" alt="img"></p>
<h2 id="代码"><a href="#代码" class="headerlink" title="代码"></a>代码</h2><p>下面的代码是解钩ntdll.dll的示例，你可以将它修改成解钩任何DLL的代码。</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&quot;pch.h&quot;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;iostream&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;Windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;winternl.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;psapi.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	HANDLE process = GetCurrentProcess();</span><br><span class="line">	MODULEINFO mi = &#123;&#125;;</span><br><span class="line">	HMODULE ntdllModule = GetModuleHandleA(<span class="string">&quot;ntdll.dll&quot;</span>);</span><br><span class="line">	</span><br><span class="line">	GetModuleInformation(process, ntdllModule, &amp;mi, <span class="keyword">sizeof</span>(mi));</span><br><span class="line">	LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;</span><br><span class="line">	HANDLE ntdllFile = CreateFileA(<span class="string">&quot;c:\\windows\\system32\\ntdll.dll&quot;</span>, GENERIC_READ, FILE_SHARE_READ, <span class="literal">NULL</span>, OPEN_EXISTING, <span class="number">0</span>, <span class="literal">NULL</span>);</span><br><span class="line">	HANDLE ntdllMapping = CreateFileMapping(ntdllFile, <span class="literal">NULL</span>, PAGE_READONLY | SEC_IMAGE, <span class="number">0</span>, <span class="number">0</span>, <span class="literal">NULL</span>);</span><br><span class="line">	LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>);</span><br><span class="line"></span><br><span class="line">	PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;</span><br><span class="line">	PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader-&gt;e_lfanew);</span><br><span class="line"></span><br><span class="line">	<span class="keyword">for</span> (WORD i = <span class="number">0</span>; i &lt; hookedNtHeader-&gt;FileHeader.NumberOfSections; i++) &#123;</span><br><span class="line">		PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));</span><br><span class="line">		</span><br><span class="line">		<span class="keyword">if</span> (!<span class="built_in">strcmp</span>((<span class="keyword">char</span>*)hookedSectionHeader-&gt;Name, (<span class="keyword">char</span>*)<span class="string">&quot;.text&quot;</span>)) &#123;</span><br><span class="line">			DWORD oldProtection = <span class="number">0</span>;</span><br><span class="line">			<span class="keyword">bool</span> isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), hookedSectionHeader-&gt;Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &amp;oldProtection);</span><br><span class="line">			<span class="built_in">memcpy</span>((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), hookedSectionHeader-&gt;Misc.VirtualSize);</span><br><span class="line">			isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader-&gt;VirtualAddress), hookedSectionHeader-&gt;Misc.VirtualSize, oldProtection, &amp;oldProtection);</span><br><span class="line">		&#125;</span><br><span class="line">	&#125;</span><br><span class="line">	</span><br><span class="line">	CloseHandle(process);</span><br><span class="line">	CloseHandle(ntdllFile);</span><br><span class="line">	CloseHandle(ntdllMapping);</span><br><span class="line">	FreeLibrary(ntdllModule);</span><br><span class="line">	</span><br><span class="line">	<span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>请注意，上面的代码没有映像基址重定位。尽管 ntdll.dll 在其 .text 部分中没有任何要重定位的内容，但在处理其他 dll 时可能需要它。</p>
	
	</div>
  <a type="button" href="/2021/12/29/DLL解钩技术/#more" class="btn btn-default more">Read More</a>
</div>

		
			
	
	<!-- display as entry -->
<div class="row">
	<div class="col-md-8">
		<h3 class="title">
			<a href="/2021/12/29/SpringBoot信息泄露/" >SpringBoot信息泄露</a>
		</h3>
		</div>
	<div class="col-md-4">
		<div class="date">post @ 2021-12-29  </div>
		</div>
	</div>
	


			<!--
<div class="entry">
  <div class="row">
	
	
		<h2 id="一、路由地址及接口调用详情泄漏"><a href="#一、路由地址及接口调用详情泄漏" class="headerlink" title="一、路由地址及接口调用详情泄漏"></a>一、路由地址及接口调用详情泄漏</h2><p>开发环境切换为线上生产环境时，相关人员没有更改配置文件或忘记切换配置环境，导致此漏洞</p>
<p>直接访问以下几个路由，验证漏洞是否存在：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/api-docs</span><br><span class="line">/v2/api-docs</span><br><span class="line">/swagger-ui.html</span><br></pre></td></tr></table></figure>

<p>一些可能会遇到的接口路由变形：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">/api.html</span><br><span class="line">/sw/swagger-ui.html</span><br><span class="line">/api/swagger-ui.html</span><br><span class="line">/template/swagger-ui.html</span><br><span class="line">/spring-security-rest/api/swagger-ui.html</span><br><span class="line">/spring-security-oauth-resource/swagger-ui.html</span><br></pre></td></tr></table></figure>

<p>除此之外，下面的路由有时也会包含(或推测出)一些接口地址信息，但是无法获得参数相关信息：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">/mappings</span><br><span class="line">/actuator/mappings</span><br><span class="line">/metrics</span><br><span class="line">/actuator/metrics</span><br><span class="line">/beans</span><br><span class="line">/actuator/beans</span><br><span class="line">/configprops</span><br><span class="line">/actuator/configprops</span><br></pre></td></tr></table></figure>

<p>一般来讲，直到 spring boot 应用的相关接口和传参信息并不能算是漏洞；</p>
<p>但是可以检查暴露的接口是否存在未授权访问、越权或者其他业务型漏洞。</p>
	

	</div>
  <a type="button" href="/2021/12/29/SpringBoot信息泄露/#more" class="btn btn-default more">Read More</a>
</div>

-->
<div class="entry">
  <div class="row">
	
	
		<h2 id="一、路由地址及接口调用详情泄漏"><a href="#一、路由地址及接口调用详情泄漏" class="headerlink" title="一、路由地址及接口调用详情泄漏"></a>一、路由地址及接口调用详情泄漏</h2><p>开发环境切换为线上生产环境时，相关人员没有更改配置文件或忘记切换配置环境，导致此漏洞</p>
<p>直接访问以下几个路由，验证漏洞是否存在：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/api-docs</span><br><span class="line">/v2/api-docs</span><br><span class="line">/swagger-ui.html</span><br></pre></td></tr></table></figure>

<p>一些可能会遇到的接口路由变形：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">/api.html</span><br><span class="line">/sw/swagger-ui.html</span><br><span class="line">/api/swagger-ui.html</span><br><span class="line">/template/swagger-ui.html</span><br><span class="line">/spring-security-rest/api/swagger-ui.html</span><br><span class="line">/spring-security-oauth-resource/swagger-ui.html</span><br></pre></td></tr></table></figure>

<p>除此之外，下面的路由有时也会包含(或推测出)一些接口地址信息，但是无法获得参数相关信息：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">/mappings</span><br><span class="line">/actuator/mappings</span><br><span class="line">/metrics</span><br><span class="line">/actuator/metrics</span><br><span class="line">/beans</span><br><span class="line">/actuator/beans</span><br><span class="line">/configprops</span><br><span class="line">/actuator/configprops</span><br></pre></td></tr></table></figure>

<p>一般来讲，直到 spring boot 应用的相关接口和传参信息并不能算是漏洞；</p>
<p>但是可以检查暴露的接口是否存在未授权访问、越权或者其他业务型漏洞。</p>
	
	</div>
  <a type="button" href="/2021/12/29/SpringBoot信息泄露/#more" class="btn btn-default more">Read More</a>
</div>

		
			
	
	<!-- display as entry -->
<div class="row">
	<div class="col-md-8">
		<h3 class="title">
			<a href="/2021/07/25/红日安全红队靶场（三）一次简单的内网渗透/" >红日安全红队靶场（三）一次简单的内网渗透</a>
		</h3>
		</div>
	<div class="col-md-4">
		<div class="date">post @ 2021-07-25  </div>
		</div>
	</div>
	


			<!--
<div class="entry">
  <div class="row">
	
	
		<h1 id="红日安全红队靶场（三）一次简单的内网渗透"><a href="#红日安全红队靶场（三）一次简单的内网渗透" class="headerlink" title="红日安全红队靶场（三）一次简单的内网渗透"></a>红日安全红队靶场（三）一次简单的内网渗透</h1><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">本文首发在个人公众号：白帽技术与网络安全</span><br></pre></td></tr></table></figure>

<h2 id="靶场介绍及配置"><a href="#靶场介绍及配置" class="headerlink" title="靶场介绍及配置"></a>靶场介绍及配置</h2><p>这是红日团队的第三套靶场（靶场下载地址见文末），本次靶场渗透涉及<strong>敏感信息泄露、暴力破解、脏牛提权、内网穿透、端口转发、以及域渗透</strong>等多种知识点。该靶场环境由5台机器组成，其中包括3台Windows机器和两台Linux机器。</p>
<p>靶场拓扑如下：</p>
<p><img src="%E7%BA%A2%E6%97%A5%E5%AE%89%E5%85%A8%E7%BA%A2%E9%98%9F%E9%9D%B6%E5%9C%BA%EF%BC%88%E4%B8%89%EF%BC%89%E4%B8%80%E6%AC%A1%E7%AE%80%E5%8D%95%E7%9A%84%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F.assets/clip_image002.png" alt="img"></p>
<p><strong>网卡配置</strong></p>
<p>在虚拟机的网络编辑器中添加两个host only网卡,ip段分别为192.168.1.0/24和192.168.93.0/24</p>
<p><img src="%E7%BA%A2%E6%97%A5%E5%AE%89%E5%85%A8%E7%BA%A2%E9%98%9F%E9%9D%B6%E5%9C%BA%EF%BC%88%E4%B8%89%EF%BC%89%E4%B8%80%E6%AC%A1%E7%AE%80%E5%8D%95%E7%9A%84%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F.assets/clip_image004.jpg" alt="img"></p>
<h2 id="服务器渗透"><a href="#服务器渗透" class="headerlink" title="服务器渗透"></a>服务器渗透</h2>
	

	</div>
  <a type="button" href="/2021/07/25/红日安全红队靶场（三）一次简单的内网渗透/#more" class="btn btn-default more">Read More</a>
</div>

-->
<div class="entry">
  <div class="row">
	
	
		<h1 id="红日安全红队靶场（三）一次简单的内网渗透"><a href="#红日安全红队靶场（三）一次简单的内网渗透" class="headerlink" title="红日安全红队靶场（三）一次简单的内网渗透"></a>红日安全红队靶场（三）一次简单的内网渗透</h1><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">本文首发在个人公众号：白帽技术与网络安全</span><br></pre></td></tr></table></figure>

<h2 id="靶场介绍及配置"><a href="#靶场介绍及配置" class="headerlink" title="靶场介绍及配置"></a>靶场介绍及配置</h2><p>这是红日团队的第三套靶场（靶场下载地址见文末），本次靶场渗透涉及<strong>敏感信息泄露、暴力破解、脏牛提权、内网穿透、端口转发、以及域渗透</strong>等多种知识点。该靶场环境由5台机器组成，其中包括3台Windows机器和两台Linux机器。</p>
<p>靶场拓扑如下：</p>
<p><img src="%E7%BA%A2%E6%97%A5%E5%AE%89%E5%85%A8%E7%BA%A2%E9%98%9F%E9%9D%B6%E5%9C%BA%EF%BC%88%E4%B8%89%EF%BC%89%E4%B8%80%E6%AC%A1%E7%AE%80%E5%8D%95%E7%9A%84%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F.assets/clip_image002.png" alt="img"></p>
<p><strong>网卡配置</strong></p>
<p>在虚拟机的网络编辑器中添加两个host only网卡,ip段分别为192.168.1.0/24和192.168.93.0/24</p>
<p><img src="%E7%BA%A2%E6%97%A5%E5%AE%89%E5%85%A8%E7%BA%A2%E9%98%9F%E9%9D%B6%E5%9C%BA%EF%BC%88%E4%B8%89%EF%BC%89%E4%B8%80%E6%AC%A1%E7%AE%80%E5%8D%95%E7%9A%84%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F.assets/clip_image004.jpg" alt="img"></p>
<h2 id="服务器渗透"><a href="#服务器渗透" class="headerlink" title="服务器渗透"></a>服务器渗透</h2>
	
	</div>
  <a type="button" href="/2021/07/25/红日安全红队靶场（三）一次简单的内网渗透/#more" class="btn btn-default more">Read More</a>
</div>

		
			
	
	<!-- display as entry -->
<div class="row">
	<div class="col-md-8">
		<h3 class="title">
			<a href="/2021/07/23/Docker常用命令速查/" >Docker常用命令速查</a>
		</h3>
		</div>
	<div class="col-md-4">
		<div class="date">post @ 2021-07-23  </div>
		</div>
	</div>
	


			<!--
<div class="entry">
  <div class="row">
	
	
		<h1 id="Docker常用命令速查"><a href="#Docker常用命令速查" class="headerlink" title="Docker常用命令速查"></a>Docker常用命令速查</h1><h2 id="1-查看镜像"><a href="#1-查看镜像" class="headerlink" title="1. 查看镜像"></a><strong>1. 查看镜像</strong></h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker images</span><br></pre></td></tr></table></figure>

<p>或者</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker image ls</span><br></pre></td></tr></table></figure>

<h2 id="2-查看容器"><a href="#2-查看容器" class="headerlink" title="2.查看容器"></a><strong>2.查看容器</strong></h2><p>查看运行中的容器</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker container ls</span><br></pre></td></tr></table></figure>

<p>或者</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker ps</span><br></pre></td></tr></table></figure>
	

	</div>
  <a type="button" href="/2021/07/23/Docker常用命令速查/#more" class="btn btn-default more">Read More</a>
</div>

-->
<div class="entry">
  <div class="row">
	
	
		<h1 id="Docker常用命令速查"><a href="#Docker常用命令速查" class="headerlink" title="Docker常用命令速查"></a>Docker常用命令速查</h1><h2 id="1-查看镜像"><a href="#1-查看镜像" class="headerlink" title="1. 查看镜像"></a><strong>1. 查看镜像</strong></h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker images</span><br></pre></td></tr></table></figure>

<p>或者</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker image ls</span><br></pre></td></tr></table></figure>

<h2 id="2-查看容器"><a href="#2-查看容器" class="headerlink" title="2.查看容器"></a><strong>2.查看容器</strong></h2><p>查看运行中的容器</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker container ls</span><br></pre></td></tr></table></figure>

<p>或者</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker ps</span><br></pre></td></tr></table></figure>
	
	</div>
  <a type="button" href="/2021/07/23/Docker常用命令速查/#more" class="btn btn-default more">Read More</a>
</div>

		
			
	
	<!-- display as entry -->
<div class="row">
	<div class="col-md-8">
		<h3 class="title">
			<a href="/2021/07/20/文件隐藏的小技巧/" >文件隐藏的小技巧</a>
		</h3>
		</div>
	<div class="col-md-4">
		<div class="date">post @ 2021-07-20  </div>
		</div>
	</div>
	


			<!--
<div class="entry">
  <div class="row">
	
	
		<h1 id="文件隐藏的小技巧"><a href="#文件隐藏的小技巧" class="headerlink" title="文件隐藏的小技巧"></a>文件隐藏的小技巧</h1><p>为了渗透过程的隐蔽性，我们常常需要将文件进行隐藏处理。下面总结了几条常用的命令，以备不时之需。</p>
<p>将单个文件变成隐藏的系统文件</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">attrib &quot;文件名&quot; +s +h</span><br></pre></td></tr></table></figure>

<p>将当前目录下的所有文件和文件夹都隐藏：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">attrib +h +s * &#x2F;s &#x2F;d</span><br></pre></td></tr></table></figure>

<ul>
<li><code>attrib</code> 命令用来修改文件的属性</li>
<li><code>+s</code> 参数将文件设置为系统文件</li>
<li><code>+h</code> 参数将文件设置为隐藏文件</li>
<li>/S /D 可以对该目录下所有匹配的文件和文件夹执行属性</li>
</ul>
<p>懂一点技术的用户都知道如何显示隐藏文件，但很少会注意到要显示「隐藏受保护的操作系统文件」，而且进行取消勾选「隐藏受保护的操作系统文件」操作时，系统会弹出一个措辞颇为严厉的警告窗口，足以将大部分普通用户吓阻回去。</p>
<p>还原的命令如下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">attrib &quot;文件名&quot; -s -h</span><br><span class="line">attrib -h -s * &#x2F;s &#x2F;d</span><br></pre></td></tr></table></figure>
	

	</div>
  <a type="button" href="/2021/07/20/文件隐藏的小技巧/#more" class="btn btn-default more">Read More</a>
</div>

-->
<div class="entry">
  <div class="row">
	
	
		<h1 id="文件隐藏的小技巧"><a href="#文件隐藏的小技巧" class="headerlink" title="文件隐藏的小技巧"></a>文件隐藏的小技巧</h1><p>为了渗透过程的隐蔽性，我们常常需要将文件进行隐藏处理。下面总结了几条常用的命令，以备不时之需。</p>
<p>将单个文件变成隐藏的系统文件</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">attrib &quot;文件名&quot; +s +h</span><br></pre></td></tr></table></figure>

<p>将当前目录下的所有文件和文件夹都隐藏：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">attrib +h +s * &#x2F;s &#x2F;d</span><br></pre></td></tr></table></figure>

<ul>
<li><code>attrib</code> 命令用来修改文件的属性</li>
<li><code>+s</code> 参数将文件设置为系统文件</li>
<li><code>+h</code> 参数将文件设置为隐藏文件</li>
<li>/S /D 可以对该目录下所有匹配的文件和文件夹执行属性</li>
</ul>
<p>懂一点技术的用户都知道如何显示隐藏文件，但很少会注意到要显示「隐藏受保护的操作系统文件」，而且进行取消勾选「隐藏受保护的操作系统文件」操作时，系统会弹出一个措辞颇为严厉的警告窗口，足以将大部分普通用户吓阻回去。</p>
<p>还原的命令如下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">attrib &quot;文件名&quot; -s -h</span><br><span class="line">attrib -h -s * &#x2F;s &#x2F;d</span><br></pre></td></tr></table></figure>
	
	</div>
  <a type="button" href="/2021/07/20/文件隐藏的小技巧/#more" class="btn btn-default more">Read More</a>
</div>

		
			
	
	<!-- display as entry -->
<div class="row">
	<div class="col-md-8">
		<h3 class="title">
			<a href="/2021/07/14/脏牛提权/" >脏牛提权</a>
		</h3>
		</div>
	<div class="col-md-4">
		<div class="date">post @ 2021-07-14  </div>
		</div>
	</div>
	


			<!--
<div class="entry">
  <div class="row">
	
	
		<h1 id="脏牛提权"><a href="#脏牛提权" class="headerlink" title="脏牛提权"></a>脏牛提权</h1><h3 id="漏洞原因"><a href="#漏洞原因" class="headerlink" title="漏洞原因"></a>漏洞原因</h3><p>Dirty COW漏洞是一种发生在<strong>写时复制</strong>的<strong>竞态条件</strong>漏洞。</p>
<p>详细分析参考链接</p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/hbhgyu/article/details/106245182">https://blog.csdn.net/hbhgyu/article/details/106245182</a></p>
<h3 id="漏洞危害"><a href="#漏洞危害" class="headerlink" title="漏洞危害"></a>漏洞危害</h3><p>低权限用户利用该漏洞技术可以在全版本Linux系统上实现本地提权</p>
<h3 id="影响范围"><a href="#影响范围" class="headerlink" title="影响范围"></a>影响范围</h3><p> Linux kernel 2.x through 4.x before 4.8.3</p>
<h3 id="验证漏洞是否存在"><a href="#验证漏洞是否存在" class="headerlink" title="验证漏洞是否存在"></a>验证漏洞是否存在</h3>
	

	</div>
  <a type="button" href="/2021/07/14/脏牛提权/#more" class="btn btn-default more">Read More</a>
</div>

-->
<div class="entry">
  <div class="row">
	
	
		<h1 id="脏牛提权"><a href="#脏牛提权" class="headerlink" title="脏牛提权"></a>脏牛提权</h1><h3 id="漏洞原因"><a href="#漏洞原因" class="headerlink" title="漏洞原因"></a>漏洞原因</h3><p>Dirty COW漏洞是一种发生在<strong>写时复制</strong>的<strong>竞态条件</strong>漏洞。</p>
<p>详细分析参考链接</p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/hbhgyu/article/details/106245182">https://blog.csdn.net/hbhgyu/article/details/106245182</a></p>
<h3 id="漏洞危害"><a href="#漏洞危害" class="headerlink" title="漏洞危害"></a>漏洞危害</h3><p>低权限用户利用该漏洞技术可以在全版本Linux系统上实现本地提权</p>
<h3 id="影响范围"><a href="#影响范围" class="headerlink" title="影响范围"></a>影响范围</h3><p> Linux kernel 2.x through 4.x before 4.8.3</p>
<h3 id="验证漏洞是否存在"><a href="#验证漏洞是否存在" class="headerlink" title="验证漏洞是否存在"></a>验证漏洞是否存在</h3>
	
	</div>
  <a type="button" href="/2021/07/14/脏牛提权/#more" class="btn btn-default more">Read More</a>
</div>

		
			
	
	<!-- display as entry -->
<div class="row">
	<div class="col-md-8">
		<h3 class="title">
			<a href="/2021/07/14/Linux手动安装JDK/" >Linux手动安装JDK</a>
		</h3>
		</div>
	<div class="col-md-4">
		<div class="date">post @ 2021-07-14  </div>
		</div>
	</div>
	


			<!--
<div class="entry">
  <div class="row">
	
	
		<p>当Linux无法出网时，需要手动上传jdk压缩包来安装Java环境</p>
<p>创建安装目录</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mkdir &#x2F;usr&#x2F;local&#x2F;java&#x2F;</span><br></pre></td></tr></table></figure>

<p>将压缩包解压至安装目录</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tar -zxvf jdk-11.0.11_linux-x64_bin.tar.gz -C &#x2F;usr&#x2F;local&#x2F;java&#x2F;</span><br></pre></td></tr></table></figure>

<p>打开环境变量文件</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim &#x2F;etc&#x2F;profile</span><br></pre></td></tr></table></figure>

<p>在末尾追加</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">export JAVA_HOME&#x3D;&#x2F;usr&#x2F;local&#x2F;java&#x2F;jdk-11.0.11</span><br><span class="line">export JRE_HOME&#x3D;$&#123;JAVA_HOME&#125;&#x2F;jre</span><br><span class="line">export CLASSPATH&#x3D;.:$&#123;JAVA_HOME&#125;&#x2F;lib:$&#123;JRE_HOME&#125;&#x2F;lib</span><br><span class="line">export PATH&#x3D;$&#123;JAVA_HOME&#125;&#x2F;bin:$PATH</span><br></pre></td></tr></table></figure>

<p>使环境变量生效</p>
	

	</div>
  <a type="button" href="/2021/07/14/Linux手动安装JDK/#more" class="btn btn-default more">Read More</a>
</div>

-->
<div class="entry">
  <div class="row">
	
	
		<p>当Linux无法出网时，需要手动上传jdk压缩包来安装Java环境</p>
<p>创建安装目录</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mkdir &#x2F;usr&#x2F;local&#x2F;java&#x2F;</span><br></pre></td></tr></table></figure>

<p>将压缩包解压至安装目录</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tar -zxvf jdk-11.0.11_linux-x64_bin.tar.gz -C &#x2F;usr&#x2F;local&#x2F;java&#x2F;</span><br></pre></td></tr></table></figure>

<p>打开环境变量文件</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim &#x2F;etc&#x2F;profile</span><br></pre></td></tr></table></figure>

<p>在末尾追加</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">export JAVA_HOME&#x3D;&#x2F;usr&#x2F;local&#x2F;java&#x2F;jdk-11.0.11</span><br><span class="line">export JRE_HOME&#x3D;$&#123;JAVA_HOME&#125;&#x2F;jre</span><br><span class="line">export CLASSPATH&#x3D;.:$&#123;JAVA_HOME&#125;&#x2F;lib:$&#123;JRE_HOME&#125;&#x2F;lib</span><br><span class="line">export PATH&#x3D;$&#123;JAVA_HOME&#125;&#x2F;bin:$PATH</span><br></pre></td></tr></table></figure>

<p>使环境变量生效</p>
	
	</div>
  <a type="button" href="/2021/07/14/Linux手动安装JDK/#more" class="btn btn-default more">Read More</a>
</div>

		
			
	
	<!-- display as entry -->
<div class="row">
	<div class="col-md-8">
		<h3 class="title">
			<a href="/2021/07/10/AGGRESSOR-SCRIPT官方文档翻译-3-Data-Model/" >AGGRESSOR SCRIPT官方文档翻译-3. Data Model</a>
		</h3>
		</div>
	<div class="col-md-4">
		<div class="date">post @ 2021-07-10  </div>
		</div>
	</div>
	


			<!--
<div class="entry">
  <div class="row">
	
	
		<h1 id="AGGRESSOR-SCRIPT官方文档翻译-3-Data-Model"><a href="#AGGRESSOR-SCRIPT官方文档翻译-3-Data-Model" class="headerlink" title="AGGRESSOR SCRIPT官方文档翻译-3. Data Model"></a>AGGRESSOR SCRIPT官方文档翻译-3. Data Model</h1><p>Cobalt Strike的团队服务器存储您的主机、服务、凭证和其他信息。 它还广播该信息，并使其对所有客户端可用。</p>
<h2 id="数据-API"><a href="#数据-API" class="headerlink" title="数据 API"></a>数据 API</h2><p>使用 <a target="_blank" rel="noopener" href="https://www.cobaltstrike.com/aggressor-script/functions.html#data_query">&amp;data_query</a>功能查询Cobalt Strike的数据模型。该功能可以访问Cobalt Strike客户端维护的所有状态和信息。使用<a target="_blank" rel="noopener" href="https://www.cobaltstrike.com/aggressor-script/functions.html#data_keys">&amp;data_keys</a> 来获得你可能查询的不同数据片段的列表。此示例查询Cobalt Strike数据模型中的所有数据，并将其导出到一个文本文件:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">command export &#123;</span><br><span class="line"># 注册命令</span><br><span class="line">	local(&#39;$handle $model $row $entry $index&#39;);</span><br><span class="line">	# 声明局部变量</span><br><span class="line">	$handle &#x3D; openf(&quot;&gt;export.txt&quot;);</span><br><span class="line">	# 打开一个文件句柄</span><br><span class="line">	foreach $model (data_keys()) &#123;</span><br><span class="line">	# 遍历数据模型</span><br><span class="line">		println($handle, &quot;&#x3D;&#x3D; $model &#x3D;&#x3D;&quot;);</span><br><span class="line">		println($handle, data_query($model));</span><br><span class="line">	&#125;</span><br><span class="line">	</span><br><span class="line">	closef($handle);</span><br><span class="line">	# 关闭文件句柄</span><br><span class="line">	println(&quot;See export.txt for the data.&quot;);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>控制台执行：</p>
<p><img src="AGGRESSOR-SCRIPT%E5%AE%98%E6%96%B9%E6%96%87%E6%A1%A3%E7%BF%BB%E8%AF%91-3-Data-Model.assets/image-20210710090308507.png" alt="image-20210710090308507"></p>
<p>导出的数据：</p>
<p><img src="AGGRESSOR-SCRIPT%E5%AE%98%E6%96%B9%E6%96%87%E6%A1%A3%E7%BF%BB%E8%AF%91-3-Data-Model.assets/image-20210710090246700.png" alt="image-20210710090246700"></p>
<p>Cobalt Strike提供了几个函数，可以更直观地使用数据模型。</p>
	

	</div>
  <a type="button" href="/2021/07/10/AGGRESSOR-SCRIPT官方文档翻译-3-Data-Model/#more" class="btn btn-default more">Read More</a>
</div>

-->
<div class="entry">
  <div class="row">
	
	
		<h1 id="AGGRESSOR-SCRIPT官方文档翻译-3-Data-Model"><a href="#AGGRESSOR-SCRIPT官方文档翻译-3-Data-Model" class="headerlink" title="AGGRESSOR SCRIPT官方文档翻译-3. Data Model"></a>AGGRESSOR SCRIPT官方文档翻译-3. Data Model</h1><p>Cobalt Strike的团队服务器存储您的主机、服务、凭证和其他信息。 它还广播该信息，并使其对所有客户端可用。</p>
<h2 id="数据-API"><a href="#数据-API" class="headerlink" title="数据 API"></a>数据 API</h2><p>使用 <a target="_blank" rel="noopener" href="https://www.cobaltstrike.com/aggressor-script/functions.html#data_query">&amp;data_query</a>功能查询Cobalt Strike的数据模型。该功能可以访问Cobalt Strike客户端维护的所有状态和信息。使用<a target="_blank" rel="noopener" href="https://www.cobaltstrike.com/aggressor-script/functions.html#data_keys">&amp;data_keys</a> 来获得你可能查询的不同数据片段的列表。此示例查询Cobalt Strike数据模型中的所有数据，并将其导出到一个文本文件:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">command export &#123;</span><br><span class="line"># 注册命令</span><br><span class="line">	local(&#39;$handle $model $row $entry $index&#39;);</span><br><span class="line">	# 声明局部变量</span><br><span class="line">	$handle &#x3D; openf(&quot;&gt;export.txt&quot;);</span><br><span class="line">	# 打开一个文件句柄</span><br><span class="line">	foreach $model (data_keys()) &#123;</span><br><span class="line">	# 遍历数据模型</span><br><span class="line">		println($handle, &quot;&#x3D;&#x3D; $model &#x3D;&#x3D;&quot;);</span><br><span class="line">		println($handle, data_query($model));</span><br><span class="line">	&#125;</span><br><span class="line">	</span><br><span class="line">	closef($handle);</span><br><span class="line">	# 关闭文件句柄</span><br><span class="line">	println(&quot;See export.txt for the data.&quot;);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>控制台执行：</p>
<p><img src="AGGRESSOR-SCRIPT%E5%AE%98%E6%96%B9%E6%96%87%E6%A1%A3%E7%BF%BB%E8%AF%91-3-Data-Model.assets/image-20210710090308507.png" alt="image-20210710090308507"></p>
<p>导出的数据：</p>
<p><img src="AGGRESSOR-SCRIPT%E5%AE%98%E6%96%B9%E6%96%87%E6%A1%A3%E7%BF%BB%E8%AF%91-3-Data-Model.assets/image-20210710090246700.png" alt="image-20210710090246700"></p>
<p>Cobalt Strike提供了几个函数，可以更直观地使用数据模型。</p>
	
	</div>
  <a type="button" href="/2021/07/10/AGGRESSOR-SCRIPT官方文档翻译-3-Data-Model/#more" class="btn btn-default more">Read More</a>
</div>

		

		</div>

		<!-- pagination -->
		<div>
  		<center>
		<div class="pagination">

   
    
           <a type="button" class="btn btn-default disabled"><i class="fa fa-arrow-circle-o-left"></i>Prev</a>
        

        <a href="/" type="button" class="btn btn-default"><i class="fa fa-home"></i>Home</a>
 
       <a href="/page/2/" type="button" class="btn btn-default ">Next<i class="fa fa-arrow-circle-o-right"></i></a>     
        

  
</div>

  		</center>
		</div>

		
		
	</div> <!-- col-md-9 -->

	
		<div class="col-md-3">
	<div id="sidebar">
	
			
  <div id="site_search">
   <div class="form-group">
    <input type="text" id="local-search-input" name="q" results="0" placeholder="Search" class="st-search-input st-default-search-input form-control"/>
   </div>  
  <div id="local-search-result"></div>
  </div>


		
			
	<div class="widget">
		<h4>Categories</h4>
		<ul class="tag_box inline list-unstyled">
		
			<li><a href="/categories/Cobalt-Strike/">Cobalt Strike<span>2</span></a></li>
		
			<li><a href="/categories/Java/">Java<span>1</span></a></li>
		
			<li><a href="/categories/Linux/">Linux<span>1</span></a></li>
		
			<li><a href="/categories/iptables/">iptables<span>1</span></a></li>
		
			<li><a href="/categories/vuln/">vuln<span>1</span></a></li>
		
			<li><a href="/categories/内网攻防/">内网攻防<span>2</span></a></li>
		
			<li><a href="/categories/权限提升/">权限提升<span>1</span></a></li>
		
		</ul>
	</div>

		
			
	<div class="widget">
		<h4>Tag Cloud</h4>
		<ul class="tag_box inline list-unstyled">		
		
			<li><a href="/tags/iptables/">iptables<span>2</span></a></li>
		
			<li><a href="/tags/JDK/">JDK<span>1</span></a></li>
		
			<li><a href="/tags/execute-assembly/">execute-assembly<span>1</span></a></li>
		
			<li><a href="/tags/内网渗透/">内网渗透<span>1</span></a></li>
		
			<li><a href="/tags/域/">域<span>1</span></a></li>
		
			<li><a href="/tags/免杀/">免杀<span>1</span></a></li>
		
			<li><a href="/tags/横向移动/">横向移动<span>1</span></a></li>
		
			<li><a href="/tags/Cobalt-Strike插件开发/">Cobalt Strike插件开发<span>2</span></a></li>
		
			<li><a href="/tags/SpringBoot/">SpringBoot<span>1</span></a></li>
		
			<li><a href="/tags/反编译/">反编译<span>1</span></a></li>
		
			<li><a href="/tags/CMD/">CMD<span>1</span></a></li>
		
			<li><a href="/tags/docker/">docker<span>2</span></a></li>
		
			<li><a href="/tags/AMSI/">AMSI<span>1</span></a></li>
		
			<li><a href="/tags/提权/">提权<span>1</span></a></li>
		
		 
		</ul>
	</div>


		
			
<div class="widget">
  <h4>Recent Posts</h4>
  <ul class="entry list-unstyled">
    
      <li>
        <a href="/2022/02/16/Bypass-AMSI/" ><i class="fa fa-file-o"></i>Bypass AMSI</a>
      </li>
    
      <li>
        <a href="/2022/02/09/net程序集内存加载执行技术/" ><i class="fa fa-file-o"></i>.net程序集内存加载执行技术</a>
      </li>
    
      <li>
        <a href="/2021/12/29/DLL解钩技术/" ><i class="fa fa-file-o"></i>DLL解钩技术</a>
      </li>
    
      <li>
        <a href="/2021/12/29/SpringBoot信息泄露/" ><i class="fa fa-file-o"></i>SpringBoot信息泄露</a>
      </li>
    
      <li>
        <a href="/2021/07/25/红日安全红队靶场（三）一次简单的内网渗透/" ><i class="fa fa-file-o"></i>红日安全红队靶场（三）一次简单的内网渗透</a>
      </li>
    
  </ul>
</div>

		
			
<div class="widget">
	<h4>Links</h4>
	<ul class="blogroll list-unstyled">
	
		<li><i class="false"></i><a href="https://a-fenglin.github.io/windL1n/" title="" target="_blank"]);">风林的博客</a></li>
	
	</ul>
</div>


		
	</div> <!-- sidebar -->
</div> <!-- col-md-3 -->

	
	
</div> <!-- row-fluid -->
	</div>
  </div>
  <div class="container-narrow">
  <footer> <p>
  
  &copy; 2022 0pen1's Blog
  
      powered by <a href="http://hexo.io/" target="_blank">Hexo</a>.Theme <a href="https://github.com/Ares-X/hexo-theme-freemind.bithack" target="_blank">freemind.bithack</a>  
</p>
 </footer>
</div> <!-- container-narrow -->
  


  
<a id="gotop" href="#">   
  <span>⬆︎TOP</span>
</a>

<script src="/js/jquery.imagesloaded.min.js"></script>
<script src="/js/gallery.js"></script>
<script src="/js/bootstrap.min.js"></script>
<script src="/js/main.js"></script>
<script src="/js/search.js"></script> 


<link rel="stylesheet" href="/fancybox/jquery.fancybox.css" media="screen" type="text/css">
<script src="/fancybox/jquery.fancybox.pack.js"></script>
<script type="text/javascript">
(function($){
  $('.fancybox').fancybox();
})(jQuery);
</script>



   <script type="text/javascript">      
     var search_path = "search.xml";
	 if (search_path.length == 0) {
	 	search_path = "search.xml";
	 }
	 var path = "/" + search_path;
     searchFunc(path, 'local-search-input', 'local-search-result');
   </script>

</body>
   </html>