当前位置:网站首页>Circumvention Technology: Registry
Circumvention Technology: Registry
2022-07-07 23:03:00 【For the rest of Kali's life】
Original address :Evasions: Registry (checkpoint.com)
Original title :Evasions: Registry Updated date :2021 year 5 month 17 Late Japanese article : Expand the content according to what you have learned because of your limited technology , We can only do our best to translate foreign technical articles , For everyone to learn , If there is something improper or perfect , I hope it can be pointed out that , Used to jointly improve this article . Directory registry detection method 1. Check whether there is a specific registry path 2. Check whether the specific registry key contains the specified string. The countermeasures are attributed to the registry detection methods. The principles of all registry detection methods are as follows : There are no such registry keys and values in normal hosts . However , They exist in specific virtual environments . Sometimes , Common systems may cause false positives when applying these checks , Because it installs some virtual machines , Therefore, there are some virtual machine artifacts in the system . Although in all other respects , Such a system is cleaner than a virtual environment . The registry key can be accessed through WinAPI Call query .kernel32.dll Functions used in :RegOpenKeyRegOpenKeyExRegQueryValueRegQueryValueExRegCloseKeyRegEnumKeyEx The above function is in the following ntdll.dll On top of the function wrappers:NtOpenKeyNtEnumerateKeyNtQueryValueKeyNtClose1. Check whether there is a specific registry path. See the title section , To get the list of functions used . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path /int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, “HARDWARE\ACPI\FADT\VBOX__”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; / regkey_s == “HARDWARE\ACPI\FADT\VBOX__”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path
Second parameter of NtOpenKey(…, registry_path, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry path exists : Detect registry path (registry path) details ( If any )[general]HKLM\Software\Classes\Folder\shell\sandboxHyper-V HKLM\SOFTWARE\Microsoft\Hyper-VHKLM\SOFTWARE\Microsoft\VirtualMachine HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters Usually "HostName " and "VirtualMachineName " The value of is read in this path .HKLM\SYSTEM\ControlSet001\Services\vmicheartbeatHKLM\SYSTEM\ControlSet001\Services\vmicvss HKLM\SYSTEM\ControlSet001\Services\vmicshutdown HKLM\SYSTEM\ControlSet001\Services\vmicexchange Parallels HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 Subkeys have the following structure VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWSandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrvHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie VirtualBox HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\HARDWARE\ACPI\DSDT\VBOX__HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions HKLM\SYSTEM\ControlSet001\Services\VBoxGuest HKLM\SYSTEM\ControlSet001\Services\VBoxMouse HKLM\SYSTEM\ControlSet001\Services\VBoxService HKLM\SYSTEM\ControlSet001\Services\VBoxSF HKLM\SYSTEM\ControlSet001\Services\VBoxVideo VirtualPC HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\SYSTEM\ControlSet001\Services\vpcbusHKLM\SYSTEM\ControlSet001\Services\vpc-s3 HKLM\SYSTEM\ControlSet001\Services\vpcuhub HKLM\SYSTEM\ControlSet001\Services\msvmmouf VMware HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKCU\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\VMware, Inc.\VMware Tools HKLM\SYSTEM\ControlSet001\Services\vmdebug HKLM\SYSTEM\ControlSet001\Services\vmmouse HKLM\SYSTEM\ControlSet001\Services\VMTools HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL HKLM\SYSTEM\ControlSet001\Services\vmware HKLM\SYSTEM\ControlSet001\Services\vmci HKLM\SYSTEM\ControlSet001\Services\vmx86 HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* Wine HKCU\SOFTWARE\WineHKLM\SOFTWARE\Wine Xen HKLM\HARDWARE\ACPI\DSDT\xenHKLM\HARDWARE\ACPI\FADT\xen HKLM\HARDWARE\ACPI\RSDT\xen HKLM\SYSTEM\ControlSet001\Services\xenevtchn HKLM\SYSTEM\ControlSet001\Services\xennet HKLM\SYSTEM\ControlSet001\Services\xennet6 HKLM\SYSTEM\ControlSet001\Services\xensvc HKLM\SYSTEM\ControlSet001\Services\xenvdb In special circumstances , Malware may enumerate subkeys and check whether the name of the subkey contains some strings , Instead of checking whether the specified key exists . for example : list "HKLM\SYSTEM\ControlSet001\Services" And search "VBox " character string .2. Check whether the specific registry key contains the specified string. See the title section , To get a list of functions used . Please note that , Case has nothing to do with these checks : It can be uppercase or lowercase . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values /int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, “HARDWARE\Description\System”, “SystemBiosVersion”, “VBOX”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { / regkey_s == “HARDWARE\Description\System”; value_s == “SystemBiosVersion”; lookup == “VBOX”; / HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); / regkey_s == “HARDWARE\Description\System”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { / value_s == “SystemBiosVersion”; / ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive / value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { / case-insensitive / lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path
Second parameter of :NtOpenKey(…, Registry path , …) Followed by a call to the following function , This function has table columns “ Registry key ” Second parameter of :NtQueryValueKey(…, registry_item, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry value contains the following string ( Case insensitive :Detect Registry path registry key string [general]HKLM\HARDWARE\Description\SystemSystemBiosDate06/23/99HKLM\HARDWARE\Description\System\BIOSSystemProductNameA M IBOCHSHKLM\HARDWARE\Description\SystemSystemBiosVersionBOCHSHKLM\HARDWARE\Description\SystemVideoBiosVersionBOCHSAnubisHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-337-8429955-22614HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-337-8429955-22614CwSandboxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-644-3177037-23510HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-644-3177037-23510JoeBoxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID55274-640-2673064-23950HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID55274-640-2673064-23950ParallelsHKLM\HARDWARE\Description\SystemSystemBiosVersionPARALLELSHKLM\HARDWARE\Description\SystemVideoBiosVersionPARALLELSQEMUHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUHKLM\HARDWARE\Description\SystemSystemBiosVersionQEMUHKLM\HARDWARE\Description\SystemVideoBiosVersionQEMUHKLM\HARDWARE\Description\System\BIOSSystemManufacturerQEMUVirtualBoxHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\Description\SystemSystemBiosVersionVBOXHKLM\HARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHKLM\HARDWARE\Description\System\BIOSSystemProductNameVIRTUALHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALBOXVMwareHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionINTEL - 6040000HKLM\HARDWARE\Description\SystemVideoBiosVersionVMWAREHKLM\HARDWARE\Description\System\BIOSSystemProductNameVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum0VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum1VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVMwareHKCR\Installer\ProductsProductNamevmware toolsHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32vmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMwareHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWAREHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevm3dmpHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevmx_svgaHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\0000Device DescriptionVMware SVGAXenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen Countermeasures intercept the objective function , If the indicator ( Registry string from table ) Checked , Then the appropriate result is returned . Thanks to open source projects , The code sample is taken from this project .github Upper pafish project Even though Check Point Tools InviZzzible All these functions have been realized , But due to the modular structure of the code , More space is needed to show the code samples of this tool , To achieve the same purpose . That's why we decided to use other great open source projects as examples throughout the encyclopedia . Comment on 0 Browse in reverse order, let's comment 00 Come and comment, login | register Simple version of client Comsenz Inc. Original address :Evasions: Registry (checkpoint.com)
Original title :Evasions: Registry Updated date :2021 year 5 month 17 Late Japanese article : Expand the content according to what you have learned because of your limited technology , We can only do our best to translate foreign technical articles , For everyone to learn , If there is something improper or perfect , I hope it can be pointed out that , Used to jointly improve this article . Directory registry detection method 1. Check whether there is a specific registry path 2. Check whether the specific registry key contains the specified string. The countermeasures are attributed to the registry detection methods. The principles of all registry detection methods are as follows : There are no such registry keys and values in normal hosts . However , They exist in specific virtual environments . Sometimes , Common systems may cause false positives when applying these checks , Because it installs some virtual machines , Therefore, there are some virtual machine artifacts in the system . Although in all other respects , Such a system is cleaner than a virtual environment . The registry key can be accessed through WinAPI Call query .kernel32.dll Functions used in :RegOpenKeyRegOpenKeyExRegQueryValueRegQueryValueExRegCloseKeyRegEnumKeyEx The above function is in the following ntdll.dll On top of the function wrappers:NtOpenKeyNtEnumerateKeyNtQueryValueKeyNtClose1. Check whether there is a specific registry path. See the title section , To get the list of functions used . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path /int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, “HARDWARE\ACPI\FADT\VBOX__”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; / regkey_s == “HARDWARE\ACPI\FADT\VBOX__”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path
Second parameter of NtOpenKey(…, registry_path, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry path exists : Detect registry path (registry path) details ( If any )[general]HKLM\Software\Classes\Folder\shell\sandboxHyper-V HKLM\SOFTWARE\Microsoft\Hyper-VHKLM\SOFTWARE\Microsoft\VirtualMachine HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters Usually "HostName " and "VirtualMachineName " The value of is read in this path .HKLM\SYSTEM\ControlSet001\Services\vmicheartbeatHKLM\SYSTEM\ControlSet001\Services\vmicvss HKLM\SYSTEM\ControlSet001\Services\vmicshutdown HKLM\SYSTEM\ControlSet001\Services\vmicexchange Parallels HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 Subkeys have the following structure VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWSandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrvHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie VirtualBox HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\HARDWARE\ACPI\DSDT\VBOX__HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions HKLM\SYSTEM\ControlSet001\Services\VBoxGuest HKLM\SYSTEM\ControlSet001\Services\VBoxMouse HKLM\SYSTEM\ControlSet001\Services\VBoxService HKLM\SYSTEM\ControlSet001\Services\VBoxSF HKLM\SYSTEM\ControlSet001\Services\VBoxVideo VirtualPC HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\SYSTEM\ControlSet001\Services\vpcbusHKLM\SYSTEM\ControlSet001\Services\vpc-s3 HKLM\SYSTEM\ControlSet001\Services\vpcuhub HKLM\SYSTEM\ControlSet001\Services\msvmmouf VMware HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKCU\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\VMware, Inc.\VMware Tools HKLM\SYSTEM\ControlSet001\Services\vmdebug HKLM\SYSTEM\ControlSet001\Services\vmmouse HKLM\SYSTEM\ControlSet001\Services\VMTools HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL HKLM\SYSTEM\ControlSet001\Services\vmware HKLM\SYSTEM\ControlSet001\Services\vmci HKLM\SYSTEM\ControlSet001\Services\vmx86 HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* Wine HKCU\SOFTWARE\WineHKLM\SOFTWARE\Wine Xen HKLM\HARDWARE\ACPI\DSDT\xenHKLM\HARDWARE\ACPI\FADT\xen HKLM\HARDWARE\ACPI\RSDT\xen HKLM\SYSTEM\ControlSet001\Services\xenevtchn HKLM\SYSTEM\ControlSet001\Services\xennet HKLM\SYSTEM\ControlSet001\Services\xennet6 HKLM\SYSTEM\ControlSet001\Services\xensvc HKLM\SYSTEM\ControlSet001\Services\xenvdb In special circumstances , Malware may enumerate subkeys and check whether the name of the subkey contains some strings , Instead of checking whether the specified key exists . for example : list "HKLM\SYSTEM\ControlSet001\Services" And search "VBox " character string .2. Check whether the specific registry key contains the specified string. See the title section , To get a list of functions used . Please note that , Case has nothing to do with these checks : It can be uppercase or lowercase . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values /int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, “HARDWARE\Description\System”, “SystemBiosVersion”, “VBOX”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { / regkey_s == “HARDWARE\Description\System”; value_s == “SystemBiosVersion”; lookup == “VBOX”; / HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); / regkey_s == “HARDWARE\Description\System”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { / value_s == “SystemBiosVersion”; / ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive / value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { / case-insensitive / lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path
Second parameter of :NtOpenKey(…, Registry path , …) Followed by a call to the following function , This function has table columns “ Registry key ” Second parameter of :NtQueryValueKey(…, registry_item, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry value contains the following string ( Case insensitive :Detect Registry path registry key string [general]HKLM\HARDWARE\Description\SystemSystemBiosDate06/23/99HKLM\HARDWARE\Description\System\BIOSSystemProductNameA M IBOCHSHKLM\HARDWARE\Description\SystemSystemBiosVersionBOCHSHKLM\HARDWARE\Description\SystemVideoBiosVersionBOCHSAnubisHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-337-8429955-22614HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-337-8429955-22614CwSandboxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-644-3177037-23510HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-644-3177037-23510JoeBoxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID55274-640-2673064-23950HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID55274-640-2673064-23950ParallelsHKLM\HARDWARE\Description\SystemSystemBiosVersionPARALLELSHKLM\HARDWARE\Description\SystemVideoBiosVersionPARALLELSQEMUHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUHKLM\HARDWARE\Description\SystemSystemBiosVersionQEMUHKLM\HARDWARE\Description\SystemVideoBiosVersionQEMUHKLM\HARDWARE\Description\System\BIOSSystemManufacturerQEMUVirtualBoxHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\Description\SystemSystemBiosVersionVBOXHKLM\HARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHKLM\HARDWARE\Description\System\BIOSSystemProductNameVIRTUALHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALBOXVMwareHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionINTEL - 6040000HKLM\HARDWARE\Description\SystemVideoBiosVersionVMWAREHKLM\HARDWARE\Description\System\BIOSSystemProductNameVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum0VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum1VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVMwareHKCR\Installer\ProductsProductNamevmware toolsHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32vmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMwareHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWAREHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevm3dmpHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevmx_svgaHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\0000Device DescriptionVMware SVGAXenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen Countermeasures intercept the objective function , If the indicator ( Registry string from table ) Checked , Then the appropriate result is returned . Thanks to open source projects , The code sample is taken from this project .github Upper pafish project Even though Check Point Tools InviZzzible All these functions have been realized , But due to the modular structure of the code , More space is needed to show the code samples of this tool , To achieve the same purpose . That's why we decided to use other great open source projects as examples throughout the encyclopedia . Comment on 0 Browse in reverse order, let's comment 00 Come and comment, login | register Simple version of client Comsenz Inc. Original address :Evasions: Registry (checkpoint.com)
Original title :Evasions: Registry Updated date :2021 year 5 month 17 Late Japanese article : Expand the content according to what you have learned because of your limited technology , We can only do our best to translate foreign technical articles , For everyone to learn , If there is something improper or perfect , I hope it can be pointed out that , Used to jointly improve this article . Directory registry detection method 1. Check whether there is a specific registry path 2. Check whether the specific registry key contains the specified string. The countermeasures are attributed to the registry detection methods. The principles of all registry detection methods are as follows : There are no such registry keys and values in normal hosts . However , They exist in specific virtual environments . Sometimes , Common systems may cause false positives when applying these checks , Because it installs some virtual machines , Therefore, there are some virtual machine artifacts in the system . Although in all other respects , Such a system is cleaner than a virtual environment . The registry key can be accessed through WinAPI Call query .kernel32.dll Functions used in :RegOpenKeyRegOpenKeyExRegQueryValueRegQueryValueExRegCloseKeyRegEnumKeyEx The above function is in the following ntdll.dll On top of the function wrappers:NtOpenKeyNtEnumerateKeyNtQueryValueKeyNtClose1. Check whether there is a specific registry path. See the title section , To get the list of functions used . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path /int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, “HARDWARE\ACPI\FADT\VBOX__”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; / regkey_s == “HARDWARE\ACPI\FADT\VBOX__”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path
Second parameter of NtOpenKey(…, registry_path, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry path exists : Detect registry path (registry path) details ( If any )[general]HKLM\Software\Classes\Folder\shell\sandboxHyper-V HKLM\SOFTWARE\Microsoft\Hyper-VHKLM\SOFTWARE\Microsoft\VirtualMachine HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters Usually "HostName " and "VirtualMachineName " The value of is read in this path .HKLM\SYSTEM\ControlSet001\Services\vmicheartbeatHKLM\SYSTEM\ControlSet001\Services\vmicvss HKLM\SYSTEM\ControlSet001\Services\vmicshutdown HKLM\SYSTEM\ControlSet001\Services\vmicexchange Parallels HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 Subkeys have the following structure VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWSandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrvHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie VirtualBox HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\HARDWARE\ACPI\DSDT\VBOX__HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions HKLM\SYSTEM\ControlSet001\Services\VBoxGuest HKLM\SYSTEM\ControlSet001\Services\VBoxMouse HKLM\SYSTEM\ControlSet001\Services\VBoxService HKLM\SYSTEM\ControlSet001\Services\VBoxSF HKLM\SYSTEM\ControlSet001\Services\VBoxVideo VirtualPC HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\SYSTEM\ControlSet001\Services\vpcbusHKLM\SYSTEM\ControlSet001\Services\vpc-s3 HKLM\SYSTEM\ControlSet001\Services\vpcuhub HKLM\SYSTEM\ControlSet001\Services\msvmmouf VMware HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKCU\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\VMware, Inc.\VMware Tools HKLM\SYSTEM\ControlSet001\Services\vmdebug HKLM\SYSTEM\ControlSet001\Services\vmmouse HKLM\SYSTEM\ControlSet001\Services\VMTools HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL HKLM\SYSTEM\ControlSet001\Services\vmware HKLM\SYSTEM\ControlSet001\Services\vmci HKLM\SYSTEM\ControlSet001\Services\vmx86 HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* Wine HKCU\SOFTWARE\WineHKLM\SOFTWARE\Wine Xen HKLM\HARDWARE\ACPI\DSDT\xenHKLM\HARDWARE\ACPI\FADT\xen HKLM\HARDWARE\ACPI\RSDT\xen HKLM\SYSTEM\ControlSet001\Services\xenevtchn HKLM\SYSTEM\ControlSet001\Services\xennet HKLM\SYSTEM\ControlSet001\Services\xennet6 HKLM\SYSTEM\ControlSet001\Services\xensvc HKLM\SYSTEM\ControlSet001\Services\xenvdb In special circumstances , Malware may enumerate subkeys and check whether the name of the subkey contains some strings , Instead of checking whether the specified key exists . for example : list "HKLM\SYSTEM\ControlSet001\Services" And search "VBox " character string .2. Check whether the specific registry key contains the specified string. See the title section , To get a list of functions used . Please note that , Case has nothing to do with these checks : It can be uppercase or lowercase . Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values /int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, “HARDWARE\Description\System”, “SystemBiosVersion”, “VBOX”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { / regkey_s == “HARDWARE\Description\System”; value_s == “SystemBiosVersion”; lookup == “VBOX”; / HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); / regkey_s == “HARDWARE\Description\System”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { / value_s == “SystemBiosVersion”; / ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive / value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { / case-insensitive / lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path
Second parameter of :NtOpenKey(…, Registry path , …) Followed by a call to the following function , This function has table columns “ Registry key ” Second parameter of :NtQueryValueKey(…, registry_item, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry value contains the following string ( Case insensitive :Detect Registry path registry key string [general]HKLM\HARDWARE\Description\SystemSystemBiosDate06/23/99HKLM\HARDWARE\Description\System\BIOSSystemProductNameA M IBOCHSHKLM\HARDWARE\Description\SystemSystemBiosVersionBOCHSHKLM\HARDWARE\Description\SystemVideoBiosVersionBOCHSAnubisHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-337-8429955-22614HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-337-8429955-22614CwSandboxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-644-3177037-23510HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-644-3177037-23510JoeBoxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID55274-640-2673064-23950HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID55274-640-2673064-23950ParallelsHKLM\HARDWARE\Description\SystemSystemBiosVersionPARALLELSHKLM\HARDWARE\Description\SystemVideoBiosVersionPARALLELSQEMUHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUHKLM\HARDWARE\Description\SystemSystemBiosVersionQEMUHKLM\HARDWARE\Description\SystemVideoBiosVersionQEMUHKLM\HARDWARE\Description\System\BIOSSystemManufacturerQEMUVirtualBoxHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\Description\SystemSystemBiosVersionVBOXHKLM\HARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHKLM\HARDWARE\Description\System\BIOSSystemProductNameVIRTUALHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALBOXVMwareHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionINTEL - 6040000HKLM\HARDWARE\Description\SystemVideoBiosVersionVMWAREHKLM\HARDWARE\Description\System\BIOSSystemProductNameVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum0VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum1VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVMwareHKCR\Installer\ProductsProductNamevmware toolsHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32vmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMwareHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWAREHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevm3dmpHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevmx_svgaHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\0000Device DescriptionVMware SVGAXenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen Countermeasures intercept the objective function , If the indicator ( Registry string from table ) Checked , Then the appropriate result is returned . Thanks to open source projects , The code sample is taken from this project .github Upper pafish project Even though Check Point Tools InviZzzible All these functions have been realized , But due to the modular structure of the code , More space is needed to show the code samples of this tool , To achieve the same purpose . That's why we decided to use other great open source projects as examples throughout the encyclopedia
边栏推荐
- Comparison of various development methods of applets - cross end? Low code? Native? Or cloud development?
- 软件测评中心▏自动化测试有哪些基本流程和注意事项?
- 行测-图形推理-1-汉字类
- 行测-图形推理-5-一笔画类
- Microservice Remote debug, nocalhost + rainbond microservice Development second Bomb
- Sword finger offer 28 Symmetric binary tree
- Why is network i/o blocked?
- [record of question brushing] 3 Longest substring without duplicate characters
- Digital transformation: five steps to promote enterprise progress
- PHP method of obtaining image information
猜你喜欢
微服務遠程Debug,Nocalhost + Rainbond微服務開發第二彈
安踏DTC | 安踏转型,构建不只有FILA的增长飞轮
行测-图形推理-1-汉字类
聊聊 Dart 的空安全 (null safety) 特性
Early childhood education industry of "screwing bar": trillion market, difficult to be a giant
PCL .vtk文件与.pcd的相互转换
DTC社群运营怎么做?
ASP.NET Core入门五
Line test - graphic reasoning - 1 - Chinese character class
Form组件常用校验规则-2(持续更新中~)
随机推荐
Sword finger offer 28 Symmetric binary tree
Microbial health network, how to restore microbial communities
This time, let's clear up: synchronous, asynchronous, blocking, non blocking
Debezium系列之:mysql墓碑事件
Sword finger offer 63 Maximum profit of stock
行测-图形推理-5-一笔画类
How pyGame rotates pictures
Force deduction - question 561 - array splitting I - step by step parsing
行测-图形推理-8-图群类
The PHP source code of the new website + remove authorization / support burning goose instead of pumping
【测试面试题】页面很卡的原因分析及解决方案
聊聊 Dart 的空安全 (null safety) 特性
ADC采样率(HZ)是什么怎么计算
Line test - graphic reasoning - 2 - black and white lattice class
详解全志V853上的ARM A7和RISC-V E907之间的通信方式
Install mxnet GPU version
Unity technical notes (I) inspector extension
Cascade-LSTM: A Tree-Structured Neural Classifier for Detecting Misinformation Cascades-KDD2020
数字藏品加速出圈,MarsNFT助力多元化文旅经济!
Explain in detail the communication mode between arm A7 and risc-v e907 on Quanzhi v853