Circumvention Technology: Registry
2022-07-07 23:03:00 【For the rest of Kali's life】
Original address: Evasions: Registry (checkpoint.com)
Original title: Evasions: Registry
Updated: May 17, 2021
Planned for this article: expand the content based on what I have learned.
Because my technical skill is limited, I can only do my best to translate foreign technical articles for everyone to learn from. If anything is improper or could be improved, I hope you will point it out so that we can improve this article together.

Contents
Registry detection methods
1. Check whether specific registry paths exist
2. Check whether specific registry keys contain specified strings
Countermeasures
Credits

Registry detection methods

The principle behind all registry detection methods is the same: these registry keys and values do not exist on a normal host, but they do exist in specific virtual environments.

Sometimes an ordinary system may cause false positives when these checks are applied, because it has some virtual machines installed and therefore carries some virtual machine artifacts. In all other respects such a system is clean compared with a virtual environment.

Registry keys and their values can be queried through WinAPI calls.

Functions used in kernel32.dll:
- RegOpenKey
- RegOpenKeyEx
- RegQueryValue
- RegQueryValueEx
- RegCloseKey
- RegEnumKeyEx

The functions above are wrappers on top of the following ntdll.dll functions:
- NtOpenKey
- NtEnumerateKey
- NtQueryValueKey
- NtClose

1. Check whether specific registry paths exist

See the title section for the list of functions used.

Code sample:

```c
#include <windows.h>

int pafish_iswow64(void); /* helper defined elsewhere in the pafish project */
int pafish_exists_regkey(HKEY hKey, char * regkey_s);

/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
    return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
    HKEY regkey;
    LONG ret;

    /* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
    if (pafish_iswow64()) {
        /* 32-bit process on 64-bit Windows: request the 64-bit registry view */
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        /* the key could be opened, so it exists */
        RegCloseKey(regkey);
        return TRUE;
    }
    else
        return FALSE;
}
```

Credits for this code sample: pafish project

Signature recommendations

If the following function is called with a 2nd argument taken from the "Registry path" column of the table:

NtOpenKey(..., registry_path, ...)

then this indicates that the application is trying to use the evasion technique.

Detections table

Check whether the following registry paths exist:

| Detect | Registry path | Details (if any) |
|---|---|---|
| [general] | HKLM\Software\Classes\Folder\shell\sandbox | |
| Hyper-V | HKLM\SOFTWARE\Microsoft\Hyper-V | |
| | HKLM\SOFTWARE\Microsoft\VirtualMachine | |
| | HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters | Usually the "HostName" and "VirtualMachineName" values are read under this path. |
| | HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicvss | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicshutdown | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicexchange | |
| Parallels | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 | Subkeys have the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| Sandboxie | HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv | |
| | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie | |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE | Subkeys have the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| | HKLM\HARDWARE\ACPI\DSDT\VBOX__ | |
| | HKLM\HARDWARE\ACPI\FADT\VBOX__ | |
| | HKLM\HARDWARE\ACPI\RSDT\VBOX__ | |
| | HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxGuest | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxMouse | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxService | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxSF | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxVideo | |
| VirtualPC | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 | Subkeys have the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| | HKLM\SYSTEM\ControlSet001\Services\vpcbus | |
| | HKLM\SYSTEM\ControlSet001\Services\vpc-s3 | |
| | HKLM\SYSTEM\ControlSet001\Services\vpcuhub | |
| | HKLM\SYSTEM\ControlSet001\Services\msvmmouf | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD | Subkeys have the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| | HKCU\SOFTWARE\VMware, Inc.\VMware Tools | |
| | HKLM\SOFTWARE\VMware, Inc.\VMware Tools | |
| | HKLM\SYSTEM\ControlSet001\Services\vmdebug | |
| | HKLM\SYSTEM\ControlSet001\Services\vmmouse | |
| | HKLM\SYSTEM\ControlSet001\Services\VMTools | |
| | HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL | |
| | HKLM\SYSTEM\ControlSet001\Services\vmware | |
| | HKLM\SYSTEM\ControlSet001\Services\vmci | |
| | HKLM\SYSTEM\ControlSet001\Services\vmx86 | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* | |
| Wine | HKCU\SOFTWARE\Wine | |
| | HKLM\SOFTWARE\Wine | |
| Xen | HKLM\HARDWARE\ACPI\DSDT\xen | |
| | HKLM\HARDWARE\ACPI\FADT\xen | |
| | HKLM\HARDWARE\ACPI\RSDT\xen | |
| | HKLM\SYSTEM\ControlSet001\Services\xenevtchn | |
| | HKLM\SYSTEM\ControlSet001\Services\xennet | |
| | HKLM\SYSTEM\ControlSet001\Services\xennet6 | |
| | HKLM\SYSTEM\ControlSet001\Services\xensvc | |
| | HKLM\SYSTEM\ControlSet001\Services\xenvdb | |

In particular cases, malware may enumerate subkeys and check whether the name of a subkey contains some string, instead of checking whether the specified key exists. For example: enumerate the subkeys of "HKLM\SYSTEM\ControlSet001\Services" and search for the "VBox" string.

2. Check whether specific registry keys contain specified strings

See the title section for the list of functions used. Note that case is irrelevant for these checks: the strings may be either upper or lower case.

Code sample:

```c
#include <windows.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

int pafish_iswow64(void); /* helper defined elsewhere in the pafish project */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup);

/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
    return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
    /*
        regkey_s == "HARDWARE\\Description\\System";
        value_s == "SystemBiosVersion";
        lookup == "VBOX";
    */

    HKEY regkey;
    LONG ret;
    DWORD size;
    char value[1024], * lookup_str;
    size_t lookup_size;

    /* work on a private copy of the lookup string so it can be upper-cased */
    lookup_size = strlen(lookup);
    lookup_str = malloc(lookup_size+sizeof(char));
    strncpy(lookup_str, lookup, lookup_size+sizeof(char));
    size = sizeof(value);

    /* regkey_s == "HARDWARE\\Description\\System"; */
    if (pafish_iswow64()) {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        /* value_s == "SystemBiosVersion"; */
        ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
        RegCloseKey(regkey);

        if (ret == ERROR_SUCCESS) {
            size_t i;
            for (i = 0; i < strlen(value); i++) { /* case-insensitive */
                value[i] = toupper(value[i]);
            }
            for (i = 0; i < lookup_size; i++) { /* case-insensitive */
                lookup_str[i] = toupper(lookup_str[i]);
            }
            /* substring match of the upper-cased lookup in the upper-cased value */
            if (strstr(value, lookup_str) != NULL) {
                free(lookup_str);
                return TRUE;
            }
        }
    }

    free(lookup_str);
    return FALSE;
}
```

Credits for this code sample: pafish project

Signature recommendations

If the following function is called with a 2nd argument taken from the "Registry path" column of the table:

NtOpenKey(..., registry_path, ...)

and is followed by a call to the following function with a 2nd argument taken from the "Registry key" column of the table:

NtQueryValueKey(..., registry_item, ...)

then this indicates that the application is trying to use the evasion technique.

Detections table

Check whether the following registry values contain the following strings (case insensitive):

| Detect | Registry path | Registry key | String |
|---|---|---|---|
| [general] | HKLM\HARDWARE\Description\System | SystemBiosDate | 06/23/99 |
| | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | A M I |
| BOCHS | HKLM\HARDWARE\Description\System | SystemBiosVersion | BOCHS |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | BOCHS |
| Anubis | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| CwSandbox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| JoeBox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| Parallels | HKLM\HARDWARE\Description\System | SystemBiosVersion | PARALLELS |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | PARALLELS |
| QEMU | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | QEMU |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | QEMU |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | QEMU |
| | HKLM\HARDWARE\Description\System\BIOS | SystemManufacturer | QEMU |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | VBOX |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | VIRTUALBOX |
| | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VIRTUAL |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VBOX |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VBOX |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VBOX |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VBOX |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VBOX |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VBOX |
| | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUAL |
| | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUALBOX |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | VMWARE |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | INTEL - 6040000 |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | VMWARE |
| | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 0 | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 1 | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VMware |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VMware |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VMware |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VMware |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VMware |
| | HKCR\Installer\Products | ProductName | vmware tools |
| | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | CoInstallers32 | vmx |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | DriverDesc | VMware |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | InfSection | vmx |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | ProviderName | VMware |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings | Device Description | VMware |
| | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VMWARE |
| | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vm3dmp |
| | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vmx_svga |
| | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000 | Device Description | VMware SVGA |
| Xen | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | Xen |

Countermeasures

Hook the target functions and return appropriate results if the indicators (registry strings from the tables) are checked.

Credits

Credits go to the open-source project from which the code samples were taken: the pafish project on GitHub.

Although the Check Point tool InviZzzible implements all of these checks, the modular structure of its code means that showing a code sample from that tool for the same purpose would take more space. That is why we decided to use other great open-source projects for examples throughout the encyclopedia.
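The NtOpenKey / NtQueryValueKey signatures described in sections 1 and 2, including the sub-key enumeration variant, applied to an API-call trace. This is an added example, not code from the original article or from pafish: the pipe-separated trace format, the function names and the sample trace are constructed for illustration, and the indicator tables are a small subset of the page's tables. Treating ControlSet00N and CurrentControlSet as equivalent when matching is an assumption of this example.

```python
import re
from collections import defaultdict

# Subset of the page's first table: keys whose mere existence is probed.
PATH_INDICATORS = {
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__": "VirtualBox",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": "VirtualBox",
    r"HKLM\SYSTEM\ControlSet001\Services\VBoxGuest": "VirtualBox",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": "VMware",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv": "Sandboxie",
    r"HKCU\SOFTWARE\Wine": "Wine",
}
# Subset of the page's second table: (key, value name) -> strings searched for.
VALUE_INDICATORS = {
    (r"HKLM\HARDWARE\Description\System", "SystemBiosVersion"):
        "BOCHS/PARALLELS/QEMU/VBOX/VMWARE",
    (r"HKLM\HARDWARE\Description\System", "VideoBiosVersion"):
        "BOCHS/PARALLELS/QEMU/VIRTUALBOX/VMWARE",
    (r"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum", "FriendlyName"):
        "VBOX/VMware",
}
# Parent key from the page's sub-key enumeration example.
ENUM_PARENTS = [r"HKLM\SYSTEM\ControlSet001\Services"]

_CONTROLSET = re.compile(r"^HKLM\\SYSTEM\\CONTROLSET\d{3}(?=\\|$)")


def normalize(path):
    """Map a native (\\REGISTRY\\...) or Win32-style key path to one canonical form."""
    p = path.strip().rstrip("\\").upper()
    if p.startswith("\\REGISTRY\\MACHINE"):
        p = "HKLM" + p[len("\\REGISTRY\\MACHINE"):]
    elif p.startswith("\\REGISTRY\\USER\\"):
        # \REGISTRY\USER\<SID>\... is that user's hive; drop the SID.
        _sid, _, tail = p[len("\\REGISTRY\\USER\\"):].partition("\\")
        p = "HKCU" + ("\\" + tail if tail else "")
    # Assumption of this example: any ControlSet00N matches CurrentControlSet.
    return _CONTROLSET.sub(lambda m: "HKLM\\SYSTEM\\CURRENTCONTROLSET", p)


PATHS = {normalize(k): v for k, v in PATH_INDICATORS.items()}
VALUES = {(normalize(k), n.upper()): v for (k, n), v in VALUE_INDICATORS.items()}
ENUMS = {normalize(k) for k in ENUM_PARENTS}


def scan_trace(lines):
    """Return {pid: [(signature, label, key), ...]} for 'pid|api|handle|arg' lines."""
    handles = defaultdict(dict)      # pid -> {handle: normalized key path}
    findings = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, api, handle, arg = line.split("|", 3)
        if api == "NtOpenKey":
            key = normalize(arg)
            if handle != "-":        # "-" marks a failed open: no handle returned
                handles[pid][handle] = key
            if key in PATHS:         # the probe is the signal, even when it fails
                findings[pid].append(("path-exists", PATHS[key], key))
        elif api == "NtQueryValueKey":
            key = handles[pid].get(handle)
            label = VALUES.get((key, arg.upper()))
            if label:
                findings[pid].append(("value-string", label, key + "\\" + arg.upper()))
        elif api == "NtEnumerateKey":
            key = handles[pid].get(handle)
            hit = ("subkey-enum", "any", key)
            if key in ENUMS and hit not in findings[pid]:
                findings[pid].append(hit)   # report once per process
        elif api == "NtClose":
            handles[pid].pop(handle, None)  # handle values get reused
    return dict(findings)


# Constructed sample trace (not the output of a real tool).
SAMPLE_TRACE = r"""
# pid|api|handle|argument
1204|NtOpenKey|-|\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__
1204|NtOpenKey|0x54|\Registry\Machine\HARDWARE\Description\System
1204|NtQueryValueKey|0x54|SystemBiosVersion
1204|NtClose|0x54|
1204|NtOpenKey|0x58|\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services
1204|NtEnumerateKey|0x58|0
1204|NtEnumerateKey|0x58|1
1204|NtOpenKey|-|\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Wine
3380|NtOpenKey|0x54|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
3380|NtQueryValueKey|0x54|ProductName
""".splitlines()

if __name__ == "__main__":
    for pid, hits in scan_trace(SAMPLE_TRACE).items():
        for kind, label, key in hits:
            print(f"pid {pid}: {kind:12} {key}  [{label}]")
```

Several distinct hits from one process are a stronger signal than any single one, because legitimate software also reads keys such as HARDWARE\Description\System.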
toolsHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32vmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMwareHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWAREHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevm3dmpHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevmx_svgaHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\0000Device DescriptionVMware SVGAXenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen Countermeasures intercept the objective function , If the indicator ( Registry string from table ) Checked , Then the appropriate result is returned . Thanks to open source projects , The code sample is taken from this project .github Upper pafish project Even though Check Point Tools InviZzzible All these functions have been realized , But due to the modular structure of the code , More space is needed to show the code samples of this tool , To achieve the same purpose . That's why we decided to use other great open source projects as examples throughout the encyclopedia
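The signature given for the second check (NtOpenKey on a listed path, followed by NtQueryValueKey on a listed value name) can be evaluated over a recorded API trace. The following C code is an added example, not code from pafish or InviZzzible; the trace record layout, the `HKLM\...` path normalization, the three-row subset of the table, and the names `Call`, `ROWS`, `TRACE` and `count_evasion_reads` are assumptions, and the trace itself is constructed.

```c
#include <ctype.h>
#include <stddef.h>

enum { NT_OPEN_KEY, NT_QUERY_VALUE_KEY, NT_CLOSE };            /* traced calls */
typedef struct { int api; unsigned h; const char *arg; } Call; /* arg: 2nd argument */
static const struct { const char *path, *value; } ROWS[] = {   /* subset of the table */
    {"HKLM\\HARDWARE\\Description\\System", "SystemBiosVersion"},
    {"HKLM\\HARDWARE\\Description\\System", "VideoBiosVersion"},
    {"HKLM\\HARDWARE\\Description\\System\\BIOS", "SystemProductName"},
};
static int ieq(const char *a, const char *b) {   /* registry names ignore case */
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
    return tolower((unsigned char)*a) == tolower((unsigned char)*b);
}
/* Is (path, value) a table row? value == NULL matches on the path alone. */
static int in_table(const char *path, const char *value) {
    for (size_t k = 0; k < sizeof ROWS / sizeof ROWS[0]; k++)
        if (ieq(path, ROWS[k].path) && (!value || ieq(value, ROWS[k].value))) return 1;
    return 0;
}
/* Count NtQueryValueKey reads of a listed value through a handle that NtOpenKey
   returned for the matching path; NtClose or handle reuse ends the tracking. */
int count_evasion_reads(const Call *t, size_t n) {
    const Call *live[16];   /* NtOpenKey calls on listed paths, handle still open */
    size_t nlive = 0;
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < nlive; j++) {
            if (live[j]->h != t[i].h) continue;
            if (t[i].api == NT_QUERY_VALUE_KEY) hits += in_table(live[j]->arg, t[i].arg);
            else live[j] = live[--nlive];   /* NtClose, or handle value reissued */
            break;
        }
        if (t[i].api == NT_OPEN_KEY && nlive < 16 && in_table(t[i].arg, NULL))
            live[nlive++] = &t[i];
    }
    return hits;
}

/* Constructed trace: entries 0-2 read BIOS strings, entries 3-6 are unrelated. */
static const Call TRACE[] = {
    {NT_OPEN_KEY, 0x40, "HKLM\\HARDWARE\\DESCRIPTION\\System"},
    {NT_QUERY_VALUE_KEY, 0x40, "systembiosversion"},
    {NT_QUERY_VALUE_KEY, 0x40, "VideoBiosVersion"},
    {NT_OPEN_KEY, 0x44, "HKLM\\HARDWARE\\Description\\System"},
    {NT_CLOSE, 0x44, ""},
    {NT_OPEN_KEY, 0x44, "HKLM\\SOFTWARE\\Example"},
    {NT_QUERY_VALUE_KEY, 0x44, "SystemBiosVersion"},
};
```

Entries 3-6 show why the handle has to be tracked: a value named `SystemBiosVersion` read through a reused handle that now points at an unlisted key is not counted.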