{"id":3543,"date":"2017-08-18T20:50:29","date_gmt":"2017-08-18T12:50:29","guid":{"rendered":"https:\/\/ixyzero.com\/blog\/?p=3543"},"modified":"2017-08-18T20:50:29","modified_gmt":"2017-08-18T12:50:29","slug":"windows%e5%ae%89%e5%85%a8%e7%9b%b8%e5%85%b3%e5%b7%a5%e5%85%b7%e8%b5%84%e6%96%99%e6%94%b6%e9%9b%86","status":"publish","type":"post","link":"https:\/\/ixyzero.com\/blog\/archives\/3543.html","title":{"rendered":"Windows\u5b89\u5168\u76f8\u5173\u5de5\u5177\/\u8d44\u6599\u6536\u96c6"},"content":{"rendered":"

=Start=<\/p>\n

\u7f18\u7531\uff1a<\/h4>\n

\u6536\u96c6\u3001\u6574\u7406\u4e00\u4e9b\u5e38\u89c1\u548cWindows\u5b89\u5168\u76f8\u5173\u7684\u5de5\u5177\u3001\u8d44\u6599\uff0c\u65b9\u4fbf\u4ee5\u540e\u5728\u9700\u8981\u7528\u5230\u7684\u65f6\u5019\u80fd\u591f\u5feb\u901f\u68c0\u7d22\u3002<\/p>\n

\u6b63\u6587\uff1a<\/h4>\n

\u53c2\u8003\u89e3\u7b54\uff1a<\/h5>\n

Windows \u6f0f\u6d1e\u4ef7\u503c\u5206\u7c7b\u6392\u540d\uff0c\u6765\u81ea yuange<\/strong>
\nhttp:\/\/www.4byte.cn\/learning\/44312.html<\/a><\/p>\n

\u7b80\u5355\u65b9\u6cd5\u907f\u514d\u88ab\u5b89\u88c5\u540e\u95e8<\/strong>
\nhttp:\/\/www.weibo.com\/ttarticle\/p\/show?id=2309404140771757432459<\/a><\/p>\n

\u9501\u5b9a\u6ce8\u518c\u8868\u952e\u6709\u51e0\u79cd\u65b9\u6cd5\uff1f\u9632\u6b62\u5176\u4ed6\u7528\u6237\u6216\u8fdb\u7a0b\u4fee\u6539\u6216\u8005\u5220\u9664
\nhttps:\/\/tyranidslair.blogspot.com\/2017\/07\/locking-your-registry-keys-for-fun-and.html<\/a><\/p>\n

\u5f88\u591a\u6076\u610f\u8f6f\u4ef6\u90fd\u4f9d\u8d56\u6ce8\u518c\u8868\u5b9e\u73b0 fileless \u653b\u51fb\uff0c\u8fd9\u7bc7 Blog \u4ecb\u7ecd\u57fa\u4e8e PSReflect \u7684\u6ce8\u518c\u8868\u9690\u85cf\u6280\u672f
\nhttps:\/\/posts.specterops.io\/hiding-registry-keys-with-psreflect-b18ec5ac8353<\/a><\/p>\n

\u6e17\u900f\u6280\u5de7\u2014\u2014Windows\u65e5\u5fd7\u7684\u5220\u9664\u4e0e\u7ed5\u8fc7<\/strong>
\nhttps:\/\/3gstudent.github.io\/3gstudent.github.io\/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E6%97%A5%E5%BF%97%E7%9A%84%E5%88%A0%E9%99%A4%E4%B8%8E%E7%BB%95%E8%BF%87\/<\/a><\/p>\n

BeRoot – Windows \u672c\u5730\u63d0\u6743\u5de5\u5177\uff0c\u5bfb\u627e\u672c\u5730\u673a\u5668\u914d\u7f6e\u4e0a\u7684\u758f\u6f0f\u5b9e\u73b0\u63d0\u6743
\nhttps:\/\/github.com\/AlessandroZ\/BeRoot<\/a><\/p>\n

\u6765\u81ea Project Zero \u7684 Windows \u6f0f\u6d1e\u5229\u7528\u6280\u5de7\u7cfb\u5217\u6587\u7ae0\uff0c\u5982\u4f55\u5c06\u4efb\u610f\u76ee\u5f55\u521b\u5efa\u6f0f\u6d1e\u8f6c\u5316\u6210\u4efb\u610f\u6587\u4ef6\u8bfb
\nhttps:\/\/googleprojectzero.blogspot.com\/2017\/08\/windows-exploitation-tricks-arbitrary.html<\/a><\/p>\n

Windows\u73af\u5883\u4e0b\u7684\u4fe1\u606f\u6536\u96c6<\/strong>
\nhttps:\/\/mp.weixin.qq.com\/s\/37xtTdjVetMg5P1WaJvYvA<\/a><\/p>\n

\u901a\u8fc7\u5411 Windows Scripting Host (WSH) \u5df2\u7b7e\u540d\u811a\u672c\u4e2d\u6ce8\u5165\u4ee3\u7801\uff0c\u7ed5\u8fc7 Windows \u5bf9 WSH \u6587\u4ef6\u7b7e\u540d\u624d\u80fd\u6267\u884c\u7684\u4fdd\u62a4
\nhttps:\/\/enigma0x3.net\/2017\/08\/03\/wsh-injection-a-case-study\/<\/a><\/p>\n

WMIMon – \u7528\u4e8e\u76d1\u63a7 Windows WMI \u884c\u4e3a\u7684\u5de5\u5177
\nhttps:\/\/github.com\/luctalpe\/WMIMon<\/a><\/p>\n

Windows \u5185\u6838\u6f0f\u6d1e\u5229\u7528\uff1a\u6808\u6ea2\u51fa
\nhttps:\/\/rootkits.xyz\/blog\/2017\/08\/kernel-stack-overflow\/<\/a><\/p>\n

\u7ed5\u8fc7\u6740\u6bd2\u8f6f\u4ef6\u4e0e\u4e3b\u673a\u5165\u4fb5\u9632\u5fa1\u7cfb\u7edf\u5bf9\u6d41\u91cf\u7684\u68c0\u6d4b
\nhttps:\/\/pentestlab.blog\/2017\/07\/26\/bypassing-antivirus-host-intrusion-prevention-systems\/<\/a><\/p>\n

Awesome Vulnerability Research – \u6f0f\u6d1e\u7814\u7a76\u65b9\u9762\u7684\u8d44\u6599\u6574\u7406
\nhttps:\/\/github.com\/re-pronin\/Awesome-Vulnerability-Research<\/a><\/p>\n

powershell \u901a\u8fc7IE\u4e0b\u8f7d\u6587\u4ef6\uff0c\u6765\u81ea Evi1cg’s blog
\nhttps:\/\/evi1cg.me\/archives\/Downloader_byIE.html<\/a><\/p>\n

\u57fa\u4e8e Neo4j \u7684 Windows \u65e5\u5fd7\u53ef\u89c6\u5316\u5206\u6790
\nhttps:\/\/haveyousecured.blogspot.ca\/2017\/07\/visualize-windows-logs-with-neo4j.html<\/a><\/p>\n

\u591a\u79cd DLL \u6ce8\u5165\u6280\u672f\u539f\u7406\u4ecb\u7ecd
\nhttp:\/\/blog.deniable.org\/blog\/2017\/07\/16\/inject-all-the-things\/<\/a><\/p>\n

\u5229\u7528 JS \u52a0\u8f7d .Net \u7a0b\u5e8f
\nhttps:\/\/3gstudent.github.io\/3gstudent.github.io\/%E5%88%A9%E7%94%A8JS%E5%8A%A0%E8%BD%BD.Net%E7%A8%8B%E5%BA%8F\/<\/a><\/p>\n

\u5229\u7528MS17-010\u8865\u4e01\u5bf9\u6bd4\u53d1\u73b0\u7684\u4e5d\u4e2a\u6f0f\u6d1e
\nhttp:\/\/www.freebuf.com\/articles\/system\/139481.html<\/a><\/p>\n

Windows \u51e0\u4e2a\u6f0f\u6d1e\u7684 PoCs\uff0c\u5927\u90e8\u5206\u662f\u5185\u6838\u6f0f\u6d1e\uff0c\u5305\u62ec CVE-2012-0217\uff0cCVE-2016-3309\uff0cCVE-2016-3371\uff0cCVE-2016-7255\uff0cCVE-2017-0213
\nhttps:\/\/github.com\/WindowsExploits\/Exploits<\/a><\/p>\n

\u521d\u5b66Windows\u5185\u6838\u6f0f\u6d1e\u5229\u7528\uff08\u4e00\uff09\uff1a\u642d\u5efa\u5b9e\u9a8c\u73af\u5883
\nhttp:\/\/mp.weixin.qq.com\/s\/v6BsjpLU9dpYHEXsFkIUfg<\/a>
\n\u521d\u5b66Windows\u5185\u6838\u6f0f\u6d1e\u5229\u7528\uff08\u4e8c\uff09\uff1a\u719f\u6089HEVD
\nhttp:\/\/mp.weixin.qq.com\/s\/URed13WhcF0_GgtGxoBgBA<\/a><\/p>\n

Windows Ring 0 \u4ee3\u7801\u6267\u884c\u7684\u79d8\u5bc6\uff0c\u6765\u81ea\u5bf9 Shadow Brokers \u6cc4\u6f0f\u6837\u672c\u7684\u9006\u5411
\nhttps:\/\/zerosum0x0.blogspot.com\/2017\/07\/puppet-strings-dirty-secret-for-free.html<\/a><\/p>\n

Windows Keylogger Part 2: Defense against user-land
\nhttps:\/\/eyeofrablog.wordpress.com\/2017\/06\/27\/windows-keylogger-part-2-defense-against-user-land\/<\/a><\/p>\n

\u4ece Windows XP \u5230 Windows 10\uff0c\u5404\u4e2a\u7248\u672c\u7684 Syscall Table \u4fe1\u606f
\nhttps:\/\/github.com\/tinysec\/windows-syscall-table<\/a><\/p>\n

NTFS \u6587\u4ef6\u683c\u5f0f\u7684\u53d6\u8bc1\u3001\u6076\u610f\u6ee5\u7528\u4e0e\u6f0f\u6d1e\u5206\u6790<\/strong>
\nhttps:\/\/drive.google.com\/file\/d\/0B3P18M-shbwrM1E2V24tTVFUU3M\/view<\/a><\/p>\n

\u4ee5DoublePulsar Shellcode \u4e3a\u4f8b\u8bb2\u89e3\u5982\u4f55\u4f7f\u7528 Windbg \u52a0\u8f7d\u5e76\u8c03\u8bd5 Windows \u5185\u6838 Shellcodes
\nhttps:\/\/vallejo.cc\/2017\/06\/23\/loading-and-debugging-windows-kernel-shellcodes-with-windbg-debugging-doublepulsar-shellcode\/<\/a><\/p>\n

\u57fa\u4e8e James Forshaw \u7684 Blog\uff0cPowerShell-Suite \u5957\u4ef6\u4e2d\u7684\u4e00\u4e2a UAC Bypass PoC
\nhttps:\/\/github.com\/FuzzySecurity\/PowerShell-Suite\/blob\/master\/UAC-TokenMagic.ps1<\/a><\/p>\n

Revoke-Obfuscation – PowerShell \u4ee3\u7801\u7684\u6df7\u6dc6\u4e5f\u5f00\u59cb\u51fa\u73b0\u4e86\uff0c\u6765\u81ea FireEye \u5728 BlackHat \u4f1a\u8bae\u7684\u6f14\u8bb2
\nhttps:\/\/www.fireeye.com\/blog\/threat-research\/2017\/07\/revoke-obfuscation-powershell.html<\/a>\u00a0https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/blog\/pdfs\/revoke-obfuscation-report.pdf<\/a><\/p>\n

\u5fae\u8f6f\u7684 PowerShell \u56e2\u961f\u5f00\u53d1\u4e86\u4e00\u4e2a PowerShell Module Browser \u5de5\u5177\uff0c\u652f\u6301\u5bf9\u5b89\u88c5\u7684 PS \u6a21\u5757\u548c\u5de5\u5177\u8fdb\u884c\u641c\u7d22
\nhttps:\/\/docs.microsoft.com\/en-us\/teamblog\/announcing-unified-powershell-experience<\/a><\/p>\n

\u4f7f\u7528 Active Directory \u7684 Powershell \u6a21\u5757\u6536\u96c6\u57df\u4fe1\u606f
\nhttps:\/\/adsecurity.org\/?p=3719<\/a><\/p>\n

\u53c2\u8003\u94fe\u63a5\uff1a<\/h5>\n