当前位置:网站首页>Circumvention Technology: Registry
Circumvention Technology: Registry
2022-07-07 23:03:00 【For the rest of Kali's life】
Original address :Evasions: Registry (checkpoint.com)
Original title :Evasions: Registry Updated date :2021 year 5 month 17 Late Japanese article : Expand the content according to what you have learned because of your limited technology , We can only do our best to translate foreign technical articles , For everyone to learn , If there is something improper or perfect , I hope it can be pointed out that , Used to jointly improve this article . Directory registry detection method 1. Check whether there is a specific registry path 2. Check whether the specific registry key contains the specified string. The countermeasures are attributed to the registry detection methods. The principles of all registry detection methods are as follows : There are no such registry keys and values in normal hosts . However , They exist in specific virtual environments . Sometimes , Common systems may cause false positives when applying these checks , Because it installs some virtual machines , Therefore, there are some virtual machine artifacts in the system . Although in all other respects , Such a system is cleaner than a virtual environment . The registry key can be accessed through WinAPI Call query .kernel32.dll Functions used in :RegOpenKeyRegOpenKeyExRegQueryValueRegQueryValueExRegCloseKeyRegEnumKeyEx The above function is in the following ntdll.dll On top of the function wrappers:NtOpenKeyNtEnumerateKeyNtQueryValueKeyNtClose1. Check whether there is a specific registry path. See the title section , To get the list of functions used . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path /int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, “HARDWARE\ACPI\FADT\VBOX__”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; / regkey_s == “HARDWARE\ACPI\FADT\VBOX__”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path Second parameter of NtOpenKey(…, registry_path, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry path exists : Detect registry path (registry path) details ( If any )[general]HKLM\Software\Classes\Folder\shell\sandboxHyper-V HKLM\SOFTWARE\Microsoft\Hyper-VHKLM\SOFTWARE\Microsoft\VirtualMachine HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters Usually "HostName " and "VirtualMachineName " The value of is read in this path .HKLM\SYSTEM\ControlSet001\Services\vmicheartbeatHKLM\SYSTEM\ControlSet001\Services\vmicvss HKLM\SYSTEM\ControlSet001\Services\vmicshutdown HKLM\SYSTEM\ControlSet001\Services\vmicexchange Parallels HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 Subkeys have the following structure VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWSandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrvHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie VirtualBox HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\HARDWARE\ACPI\DSDT\VBOX__HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions HKLM\SYSTEM\ControlSet001\Services\VBoxGuest HKLM\SYSTEM\ControlSet001\Services\VBoxMouse HKLM\SYSTEM\ControlSet001\Services\VBoxService HKLM\SYSTEM\ControlSet001\Services\VBoxSF HKLM\SYSTEM\ControlSet001\Services\VBoxVideo VirtualPC HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\SYSTEM\ControlSet001\Services\vpcbusHKLM\SYSTEM\ControlSet001\Services\vpc-s3 HKLM\SYSTEM\ControlSet001\Services\vpcuhub HKLM\SYSTEM\ControlSet001\Services\msvmmouf VMware HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKCU\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\VMware, Inc.\VMware Tools HKLM\SYSTEM\ControlSet001\Services\vmdebug HKLM\SYSTEM\ControlSet001\Services\vmmouse HKLM\SYSTEM\ControlSet001\Services\VMTools HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL HKLM\SYSTEM\ControlSet001\Services\vmware HKLM\SYSTEM\ControlSet001\Services\vmci HKLM\SYSTEM\ControlSet001\Services\vmx86 HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* Wine HKCU\SOFTWARE\WineHKLM\SOFTWARE\Wine Xen HKLM\HARDWARE\ACPI\DSDT\xenHKLM\HARDWARE\ACPI\FADT\xen HKLM\HARDWARE\ACPI\RSDT\xen HKLM\SYSTEM\ControlSet001\Services\xenevtchn HKLM\SYSTEM\ControlSet001\Services\xennet HKLM\SYSTEM\ControlSet001\Services\xennet6 HKLM\SYSTEM\ControlSet001\Services\xensvc HKLM\SYSTEM\ControlSet001\Services\xenvdb In special circumstances , Malware may enumerate subkeys and check whether the name of the subkey contains some strings , Instead of checking whether the specified key exists . for example : list "HKLM\SYSTEM\ControlSet001\Services" And search "VBox " character string .2. Check whether the specific registry key contains the specified string. See the title section , To get a list of functions used . Please note that , Case has nothing to do with these checks : It can be uppercase or lowercase . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values /int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, “HARDWARE\Description\System”, “SystemBiosVersion”, “VBOX”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { / regkey_s == “HARDWARE\Description\System”; value_s == “SystemBiosVersion”; lookup == “VBOX”; / HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); / regkey_s == “HARDWARE\Description\System”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { / value_s == “SystemBiosVersion”; / ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive / value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { / case-insensitive / lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path Second parameter of :NtOpenKey(…, Registry path , …) Followed by a call to the following function , This function has table columns “ Registry key ” Second parameter of :NtQueryValueKey(…, registry_item, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry value contains the following string ( Case insensitive :Detect Registry path registry key string [general]HKLM\HARDWARE\Description\SystemSystemBiosDate06/23/99HKLM\HARDWARE\Description\System\BIOSSystemProductNameA M IBOCHSHKLM\HARDWARE\Description\SystemSystemBiosVersionBOCHSHKLM\HARDWARE\Description\SystemVideoBiosVersionBOCHSAnubisHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-337-8429955-22614HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-337-8429955-22614CwSandboxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-644-3177037-23510HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-644-3177037-23510JoeBoxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID55274-640-2673064-23950HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID55274-640-2673064-23950ParallelsHKLM\HARDWARE\Description\SystemSystemBiosVersionPARALLELSHKLM\HARDWARE\Description\SystemVideoBiosVersionPARALLELSQEMUHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUHKLM\HARDWARE\Description\SystemSystemBiosVersionQEMUHKLM\HARDWARE\Description\SystemVideoBiosVersionQEMUHKLM\HARDWARE\Description\System\BIOSSystemManufacturerQEMUVirtualBoxHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\Description\SystemSystemBiosVersionVBOXHKLM\HARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHKLM\HARDWARE\Description\System\BIOSSystemProductNameVIRTUALHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALBOXVMwareHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionINTEL - 6040000HKLM\HARDWARE\Description\SystemVideoBiosVersionVMWAREHKLM\HARDWARE\Description\System\BIOSSystemProductNameVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum0VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum1VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVMwareHKCR\Installer\ProductsProductNamevmware toolsHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32vmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMwareHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWAREHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevm3dmpHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevmx_svgaHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\0000Device DescriptionVMware SVGAXenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen Countermeasures intercept the objective function , If the indicator ( Registry string from table ) Checked , Then the appropriate result is returned . Thanks to open source projects , The code sample is taken from this project .github Upper pafish project Even though Check Point Tools InviZzzible All these functions have been realized , But due to the modular structure of the code , More space is needed to show the code samples of this tool , To achieve the same purpose . That's why we decided to use other great open source projects as examples throughout the encyclopedia . Comment on 0 Browse in reverse order, let's comment 00 Come and comment, login | register Simple version of client Comsenz Inc. Original address :Evasions: Registry (checkpoint.com)
Original title :Evasions: Registry Updated date :2021 year 5 month 17 Late Japanese article : Expand the content according to what you have learned because of your limited technology , We can only do our best to translate foreign technical articles , For everyone to learn , If there is something improper or perfect , I hope it can be pointed out that , Used to jointly improve this article . Directory registry detection method 1. Check whether there is a specific registry path 2. Check whether the specific registry key contains the specified string. The countermeasures are attributed to the registry detection methods. The principles of all registry detection methods are as follows : There are no such registry keys and values in normal hosts . However , They exist in specific virtual environments . Sometimes , Common systems may cause false positives when applying these checks , Because it installs some virtual machines , Therefore, there are some virtual machine artifacts in the system . Although in all other respects , Such a system is cleaner than a virtual environment . The registry key can be accessed through WinAPI Call query .kernel32.dll Functions used in :RegOpenKeyRegOpenKeyExRegQueryValueRegQueryValueExRegCloseKeyRegEnumKeyEx The above function is in the following ntdll.dll On top of the function wrappers:NtOpenKeyNtEnumerateKeyNtQueryValueKeyNtClose1. Check whether there is a specific registry path. See the title section , To get the list of functions used . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path /int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, “HARDWARE\ACPI\FADT\VBOX__”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; / regkey_s == “HARDWARE\ACPI\FADT\VBOX__”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path Second parameter of NtOpenKey(…, registry_path, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry path exists : Detect registry path (registry path) details ( If any )[general]HKLM\Software\Classes\Folder\shell\sandboxHyper-V HKLM\SOFTWARE\Microsoft\Hyper-VHKLM\SOFTWARE\Microsoft\VirtualMachine HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters Usually "HostName " and "VirtualMachineName " The value of is read in this path .HKLM\SYSTEM\ControlSet001\Services\vmicheartbeatHKLM\SYSTEM\ControlSet001\Services\vmicvss HKLM\SYSTEM\ControlSet001\Services\vmicshutdown HKLM\SYSTEM\ControlSet001\Services\vmicexchange Parallels HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 Subkeys have the following structure VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWSandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrvHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie VirtualBox HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\HARDWARE\ACPI\DSDT\VBOX__HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions HKLM\SYSTEM\ControlSet001\Services\VBoxGuest HKLM\SYSTEM\ControlSet001\Services\VBoxMouse HKLM\SYSTEM\ControlSet001\Services\VBoxService HKLM\SYSTEM\ControlSet001\Services\VBoxSF HKLM\SYSTEM\ControlSet001\Services\VBoxVideo VirtualPC HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\SYSTEM\ControlSet001\Services\vpcbusHKLM\SYSTEM\ControlSet001\Services\vpc-s3 HKLM\SYSTEM\ControlSet001\Services\vpcuhub HKLM\SYSTEM\ControlSet001\Services\msvmmouf VMware HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKCU\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\VMware, Inc.\VMware Tools HKLM\SYSTEM\ControlSet001\Services\vmdebug HKLM\SYSTEM\ControlSet001\Services\vmmouse HKLM\SYSTEM\ControlSet001\Services\VMTools HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL HKLM\SYSTEM\ControlSet001\Services\vmware HKLM\SYSTEM\ControlSet001\Services\vmci HKLM\SYSTEM\ControlSet001\Services\vmx86 HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* Wine HKCU\SOFTWARE\WineHKLM\SOFTWARE\Wine Xen HKLM\HARDWARE\ACPI\DSDT\xenHKLM\HARDWARE\ACPI\FADT\xen HKLM\HARDWARE\ACPI\RSDT\xen HKLM\SYSTEM\ControlSet001\Services\xenevtchn HKLM\SYSTEM\ControlSet001\Services\xennet HKLM\SYSTEM\ControlSet001\Services\xennet6 HKLM\SYSTEM\ControlSet001\Services\xensvc HKLM\SYSTEM\ControlSet001\Services\xenvdb In special circumstances , Malware may enumerate subkeys and check whether the name of the subkey contains some strings , Instead of checking whether the specified key exists . for example : list "HKLM\SYSTEM\ControlSet001\Services" And search "VBox " character string .2. Check whether the specific registry key contains the specified string. See the title section , To get a list of functions used . Please note that , Case has nothing to do with these checks : It can be uppercase or lowercase . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values /int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, “HARDWARE\Description\System”, “SystemBiosVersion”, “VBOX”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { / regkey_s == “HARDWARE\Description\System”; value_s == “SystemBiosVersion”; lookup == “VBOX”; / HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); / regkey_s == “HARDWARE\Description\System”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { / value_s == “SystemBiosVersion”; / ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive / value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { / case-insensitive / lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path Second parameter of :NtOpenKey(…, Registry path , …) Followed by a call to the following function , This function has table columns “ Registry key ” Second parameter of :NtQueryValueKey(…, registry_item, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry value contains the following string ( Case insensitive :Detect Registry path registry key string [general]HKLM\HARDWARE\Description\SystemSystemBiosDate06/23/99HKLM\HARDWARE\Description\System\BIOSSystemProductNameA M IBOCHSHKLM\HARDWARE\Description\SystemSystemBiosVersionBOCHSHKLM\HARDWARE\Description\SystemVideoBiosVersionBOCHSAnubisHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-337-8429955-22614HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-337-8429955-22614CwSandboxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-644-3177037-23510HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-644-3177037-23510JoeBoxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID55274-640-2673064-23950HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID55274-640-2673064-23950ParallelsHKLM\HARDWARE\Description\SystemSystemBiosVersionPARALLELSHKLM\HARDWARE\Description\SystemVideoBiosVersionPARALLELSQEMUHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUHKLM\HARDWARE\Description\SystemSystemBiosVersionQEMUHKLM\HARDWARE\Description\SystemVideoBiosVersionQEMUHKLM\HARDWARE\Description\System\BIOSSystemManufacturerQEMUVirtualBoxHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\Description\SystemSystemBiosVersionVBOXHKLM\HARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHKLM\HARDWARE\Description\System\BIOSSystemProductNameVIRTUALHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALBOXVMwareHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionINTEL - 6040000HKLM\HARDWARE\Description\SystemVideoBiosVersionVMWAREHKLM\HARDWARE\Description\System\BIOSSystemProductNameVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum0VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum1VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVMwareHKCR\Installer\ProductsProductNamevmware toolsHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32vmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMwareHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWAREHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevm3dmpHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevmx_svgaHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\0000Device DescriptionVMware SVGAXenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen Countermeasures intercept the objective function , If the indicator ( Registry string from table ) Checked , Then the appropriate result is returned . Thanks to open source projects , The code sample is taken from this project .github Upper pafish project Even though Check Point Tools InviZzzible All these functions have been realized , But due to the modular structure of the code , More space is needed to show the code samples of this tool , To achieve the same purpose . That's why we decided to use other great open source projects as examples throughout the encyclopedia . Comment on 0 Browse in reverse order, let's comment 00 Come and comment, login | register Simple version of client Comsenz Inc. Original address :Evasions: Registry (checkpoint.com)
Original title :Evasions: Registry Updated date :2021 year 5 month 17 Late Japanese article : Expand the content according to what you have learned because of your limited technology , We can only do our best to translate foreign technical articles , For everyone to learn , If there is something improper or perfect , I hope it can be pointed out that , Used to jointly improve this article . Directory registry detection method 1. Check whether there is a specific registry path 2. Check whether the specific registry key contains the specified string. The countermeasures are attributed to the registry detection methods. The principles of all registry detection methods are as follows : There are no such registry keys and values in normal hosts . However , They exist in specific virtual environments . Sometimes , Common systems may cause false positives when applying these checks , Because it installs some virtual machines , Therefore, there are some virtual machine artifacts in the system . Although in all other respects , Such a system is cleaner than a virtual environment . The registry key can be accessed through WinAPI Call query .kernel32.dll Functions used in :RegOpenKeyRegOpenKeyExRegQueryValueRegQueryValueExRegCloseKeyRegEnumKeyEx The above function is in the following ntdll.dll On top of the function wrappers:NtOpenKeyNtEnumerateKeyNtQueryValueKeyNtClose1. Check whether there is a specific registry path. See the title section , To get the list of functions used . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path /int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, “HARDWARE\ACPI\FADT\VBOX__”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; / regkey_s == “HARDWARE\ACPI\FADT\VBOX__”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path Second parameter of NtOpenKey(…, registry_path, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry path exists : Detect registry path (registry path) details ( If any )[general]HKLM\Software\Classes\Folder\shell\sandboxHyper-V HKLM\SOFTWARE\Microsoft\Hyper-VHKLM\SOFTWARE\Microsoft\VirtualMachine HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters Usually "HostName " and "VirtualMachineName " The value of is read in this path .HKLM\SYSTEM\ControlSet001\Services\vmicheartbeatHKLM\SYSTEM\ControlSet001\Services\vmicvss HKLM\SYSTEM\ControlSet001\Services\vmicshutdown HKLM\SYSTEM\ControlSet001\Services\vmicexchange Parallels HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 Subkeys have the following structure VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWSandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrvHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie VirtualBox HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\HARDWARE\ACPI\DSDT\VBOX__HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions HKLM\SYSTEM\ControlSet001\Services\VBoxGuest HKLM\SYSTEM\ControlSet001\Services\VBoxMouse HKLM\SYSTEM\ControlSet001\Services\VBoxService HKLM\SYSTEM\ControlSet001\Services\VBoxSF HKLM\SYSTEM\ControlSet001\Services\VBoxVideo VirtualPC HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\SYSTEM\ControlSet001\Services\vpcbusHKLM\SYSTEM\ControlSet001\Services\vpc-s3 HKLM\SYSTEM\ControlSet001\Services\vpcuhub HKLM\SYSTEM\ControlSet001\Services\msvmmouf VMware HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKCU\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\VMware, Inc.\VMware Tools HKLM\SYSTEM\ControlSet001\Services\vmdebug HKLM\SYSTEM\ControlSet001\Services\vmmouse HKLM\SYSTEM\ControlSet001\Services\VMTools HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL HKLM\SYSTEM\ControlSet001\Services\vmware HKLM\SYSTEM\ControlSet001\Services\vmci HKLM\SYSTEM\ControlSet001\Services\vmx86 HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* Wine HKCU\SOFTWARE\WineHKLM\SOFTWARE\Wine Xen HKLM\HARDWARE\ACPI\DSDT\xenHKLM\HARDWARE\ACPI\FADT\xen HKLM\HARDWARE\ACPI\RSDT\xen HKLM\SYSTEM\ControlSet001\Services\xenevtchn HKLM\SYSTEM\ControlSet001\Services\xennet HKLM\SYSTEM\ControlSet001\Services\xennet6 HKLM\SYSTEM\ControlSet001\Services\xensvc HKLM\SYSTEM\ControlSet001\Services\xenvdb In special circumstances , Malware may enumerate subkeys and check whether the name of the subkey contains some strings , Instead of checking whether the specified key exists . for example : list "HKLM\SYSTEM\ControlSet001\Services" And search "VBox " character string .2. Check whether the specific registry key contains the specified string. See the title section , To get a list of functions used . Please note that , Case has nothing to do with these checks : It can be uppercase or lowercase . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values /int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, “HARDWARE\Description\System”, “SystemBiosVersion”, “VBOX”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { / regkey_s == “HARDWARE\Description\System”; value_s == “SystemBiosVersion”; lookup == “VBOX”; / HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); / regkey_s == “HARDWARE\Description\System”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { / value_s == “SystemBiosVersion”; / ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive / value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { / case-insensitive / lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path Second parameter of :NtOpenKey(…, Registry path , …) Followed by a call to the following function , This function has table columns “ Registry key ” Second parameter of :NtQueryValueKey(…, registry_item, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry value contains the following string ( Case insensitive :Detect Registry path registry key string [general]HKLM\HARDWARE\Description\SystemSystemBiosDate06/23/99HKLM\HARDWARE\Description\System\BIOSSystemProductNameA M IBOCHSHKLM\HARDWARE\Description\SystemSystemBiosVersionBOCHSHKLM\HARDWARE\Description\SystemVideoBiosVersionBOCHSAnubisHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-337-8429955-22614HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-337-8429955-22614CwSandboxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-644-3177037-23510HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-644-3177037-23510JoeBoxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID55274-640-2673064-23950HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID55274-640-2673064-23950ParallelsHKLM\HARDWARE\Description\SystemSystemBiosVersionPARALLELSHKLM\HARDWARE\Description\SystemVideoBiosVersionPARALLELSQEMUHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUHKLM\HARDWARE\Description\SystemSystemBiosVersionQEMUHKLM\HARDWARE\Description\SystemVideoBiosVersionQEMUHKLM\HARDWARE\Description\System\BIOSSystemManufacturerQEMUVirtualBoxHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\Description\SystemSystemBiosVersionVBOXHKLM\HARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHKLM\HARDWARE\Description\System\BIOSSystemProductNameVIRTUALHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALBOXVMwareHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionINTEL - 6040000HKLM\HARDWARE\Description\SystemVideoBiosVersionVMWAREHKLM\HARDWARE\Description\System\BIOSSystemProductNameVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum0VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum1VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVMwareHKCR\Installer\ProductsProductNamevmware toolsHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32vmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMwareHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWAREHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevm3dmpHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevmx_svgaHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\0000Device DescriptionVMware SVGAXenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen Countermeasures intercept the objective function , If the indicator ( Registry string from table ) Checked , Then the appropriate result is returned . Thanks to open source projects , The code sample is taken from this project .github Upper pafish project Even though Check Point Tools InviZzzible All these functions have been realized , But due to the modular structure of the code , More space is needed to show the code samples of this tool , To achieve the same purpose . That's why we decided to use other great open source projects as examples throughout the encyclopedia
边栏推荐
- Debezium系列之:支持 mysql8 的 set role 語句
- Micro service remote debug, nocalhost + rainbow micro service development second bullet
- Qt Graphicsview图形视图使用总结附流程图开发案例雏形
- 开发那些事儿:Go加C.free释放内存,编译报错是什么原因?
- Online interview, how to better express yourself? In this way, the passing rate will be increased by 50%~
- Debezium系列之: 支持在 KILL 命令中使用变量
- Unity FAQ (I) lack of references
- Two minutes, talk about some wrong understandings of MySQL index
- 聊聊 Dart 的空安全 (null safety) 特性
- Cascade-LSTM: A Tree-Structured Neural Classifier for Detecting Misinformation Cascades-KDD2020
猜你喜欢
Cascade-LSTM: A Tree-Structured Neural Classifier for Detecting Misinformation Cascades-KDD2020
Digital transformation: five steps to promote enterprise progress
不夸张地说,这是我见过最通俗易懂的,pytest入门基础教程
![[environment] pycharm sets the tool to convert QRC into py file](/img/4f/d1c811dea23e3695a8b6d04b938bb5.jpg)
[environment] pycharm sets the tool to convert QRC into py file
行測-圖形推理-4-字母類
Microbial health network, how to restore microbial communities
「开源摘星计划」Loki实现Harbor日志的高效管理
面试百问:如何测试App性能?
PCL .vtk文件与.pcd的相互转换
What is fake sharing after filling the previous hole?
随机推荐
Take full control! Create a "leading cockpit" for smart city construction
The PHP source code of the new website + remove authorization / support burning goose instead of pumping
ASP.NET Core入门五
数据库每日一题---第22天:最后一次登录
行测-图形推理-7-相异图形类
Some parameters of Haikang IPC
Use JfreeChart to generate curves, histograms, pie charts, and distribution charts and display them to JSP-1
Redis官方ORM框架比RedisTemplate更优雅
肠道里的微生物和皮肤上的一样吗?
行测-图形推理-8-图群类
ADC采样率(HZ)是什么怎么计算
Unity local coordinates and world coordinates
LeetCode206. Reverse linked list [double pointer and recursion]
Nx10.0 installation tutorial
【测试面试题】页面很卡的原因分析及解决方案
Unity与WebGL的相爱相杀
6-3 find the table length of the linked table
线上面试,该如何更好的表现自己?这样做,提高50%通过率~
Debezium系列之:源码阅读之SnapshotReader
Apple further entered the financial sector through the 'virtual card' security function in IOS 16