Evasion Techniques: Registry
2022-07-07 23:03:00 【For the rest of Kali's life】
Original address: Evasions: Registry (checkpoint.com)
Original title: Evasions: Registry
Updated date: 17 May 2021

Later articles: content will be expanded according to what we have learned. Because our technical ability is limited, we can only do our best to translate foreign technical articles for everyone to learn from. If anything is improper or imperfect, please point it out so that we can improve this article together.

Contents
Registry detection methods
1. Check whether a specific registry path exists
2. Check whether a specific registry key contains the specified string
Countermeasures
Credits

Registry detection methods

The principle behind all registry detection methods is the same: such registry keys and values do not exist on a normal host, but they do exist in particular virtual environments.

Sometimes an ordinary system may produce false positives when these checks are applied, because it has some virtual machines installed and therefore carries some virtual machine artifacts, although in every other respect such a system is clean compared with a virtual environment.

Registry keys can be queried through WinAPI calls.

Functions used in kernel32.dll:
RegOpenKey
RegOpenKeyEx
RegQueryValue
RegQueryValueEx
RegCloseKey
RegEnumKeyEx

The functions above are wrappers on top of the following ntdll.dll functions:
NtOpenKey
NtEnumerateKey
NtQueryValueKey
NtClose

1. Check whether a specific registry path exists

See the title section for the list of functions used.
Code sample:

```c
/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
    return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
    HKEY regkey;
    LONG ret;

    /* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
    if (pafish_iswow64()) {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        RegCloseKey(regkey);
        return TRUE;
    }
    else
        return FALSE;
}
```

Credits for this code sample: pafish project

Signature recommendations

If the following function is called with a second parameter taken from the "Registry path" column of the table:

NtOpenKey(…, registry_path, …)

then this indicates that the application is trying to use the evasion technique.

Detections table

Check whether the following registry paths exist:

| Detect | Registry path | Details (if any) |
|---|---|---|
| [general] | `HKLM\Software\Classes\Folder\shell\sandbox` | |
| Hyper-V | `HKLM\SOFTWARE\Microsoft\Hyper-V` | |
| | `HKLM\SOFTWARE\Microsoft\VirtualMachine` | |
| | `HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters` | Usually the "HostName" and "VirtualMachineName" values are read under this path |
| | `HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat` | |
| | `HKLM\SYSTEM\ControlSet001\Services\vmicvss` | |
| | `HKLM\SYSTEM\ControlSet001\Services\vmicshutdown` | |
| | `HKLM\SYSTEM\ControlSet001\Services\vmicexchange` | |
| Parallels | `HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8` | Subkeys have the following structure: `VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW` |
| Sandboxie | `HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv` | |
| | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie` | |
| VirtualBox | `HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE` | Subkeys have the following structure: `VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW` |
| | `HKLM\HARDWARE\ACPI\DSDT\VBOX__` | |
| | `HKLM\HARDWARE\ACPI\FADT\VBOX__` | |
| | `HKLM\HARDWARE\ACPI\RSDT\VBOX__` | |
| | `HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions` | |
| | `HKLM\SYSTEM\ControlSet001\Services\VBoxGuest` | |
| | `HKLM\SYSTEM\ControlSet001\Services\VBoxMouse` | |
| | `HKLM\SYSTEM\ControlSet001\Services\VBoxService` | |
| | `HKLM\SYSTEM\ControlSet001\Services\VBoxSF` | |
| | `HKLM\SYSTEM\ControlSet001\Services\VBoxVideo` | |
| VirtualPC | `HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333` | Subkeys have the following structure: `VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW` |
| | `HKLM\SYSTEM\ControlSet001\Services\vpcbus` | |
| | `HKLM\SYSTEM\ControlSet001\Services\vpc-s3` | |
| | `HKLM\SYSTEM\ControlSet001\Services\vpcuhub` | |
| | `HKLM\SYSTEM\ControlSet001\Services\msvmmouf` | |
| VMware | `HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD` | Subkeys have the following structure: `VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW` |
| | `HKCU\SOFTWARE\VMware, Inc.\VMware Tools` | |
| | `HKLM\SOFTWARE\VMware, Inc.\VMware Tools` | |
| | `HKLM\SYSTEM\ControlSet001\Services\vmdebug` | |
| | `HKLM\SYSTEM\ControlSet001\Services\vmmouse` | |
| | `HKLM\SYSTEM\ControlSet001\Services\VMTools` | |
| | `HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL` | |
| | `HKLM\SYSTEM\ControlSet001\Services\vmware` | |
| | `HKLM\SYSTEM\ControlSet001\Services\vmci` | |
| | `HKLM\SYSTEM\ControlSet001\Services\vmx86` | |
| | `HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD` | |
| | `HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD*` | |
| | `HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive*` | |
| | `HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive*` | |
| Wine | `HKCU\SOFTWARE\Wine` | |
| | `HKLM\SOFTWARE\Wine` | |
| Xen | `HKLM\HARDWARE\ACPI\DSDT\xen` | |
| | `HKLM\HARDWARE\ACPI\FADT\xen` | |
| | `HKLM\HARDWARE\ACPI\RSDT\xen` | |
| | `HKLM\SYSTEM\ControlSet001\Services\xenevtchn` | |
| | `HKLM\SYSTEM\ControlSet001\Services\xennet` | |
| | `HKLM\SYSTEM\ControlSet001\Services\xennet6` | |
| | `HKLM\SYSTEM\ControlSet001\Services\xensvc` | |
| | `HKLM\SYSTEM\ControlSet001\Services\xenvdb` | |

In particular cases, malware may enumerate subkeys and check whether the name of a subkey contains some string, instead of checking whether the specified key exists. For example: enumerate the subkeys of "HKLM\SYSTEM\ControlSet001\Services" and search for the "VBox" string.

2. Check whether a specific registry key contains the specified string

See the title section for the list of functions used. Note that case is irrelevant for these checks: the string may be in either uppercase or lowercase.
Code sample:

```c
/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
    return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
    /*
        regkey_s == "HARDWARE\\Description\\System";
        value_s == "SystemBiosVersion";
        lookup == "VBOX";
    */
    HKEY regkey;
    LONG ret;
    DWORD size;
    char value[1024], * lookup_str;
    size_t lookup_size;

    lookup_size = strlen(lookup);
    lookup_str = malloc(lookup_size+sizeof(char));
    strncpy(lookup_str, lookup, lookup_size+sizeof(char));
    size = sizeof(value);

    /* regkey_s == "HARDWARE\\Description\\System"; */
    if (pafish_iswow64()) {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        /* value_s == "SystemBiosVersion"; */
        ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
        RegCloseKey(regkey);

        if (ret == ERROR_SUCCESS) {
            size_t i;
            for (i = 0; i < strlen(value); i++) { /* case-insensitive */
                value[i] = toupper(value[i]);
            }
            for (i = 0; i < lookup_size; i++) { /* case-insensitive */
                lookup_str[i] = toupper(lookup_str[i]);
            }
            if (strstr(value, lookup_str) != NULL) {
                free(lookup_str);
                return TRUE;
            }
        }
    }

    free(lookup_str);
    return FALSE;
}
```

Credits for this code sample: pafish project

Signature recommendations

If the following function is called with a second parameter taken from the "Registry path" column of the table:

NtOpenKey(…, registry_path, …)

and it is followed by a call to the following function with a second parameter taken from the "Registry key" column of the table:

NtQueryValueKey(…, registry_item, …)

then this indicates that the application is trying to use the evasion technique.

Detections table

Check whether the following registry values contain the following strings (case insensitive):

| Detect | Registry path | Registry key | String |
|---|---|---|---|
| [general] | `HKLM\HARDWARE\Description\System` | SystemBiosDate | 06/23/99 |
| | `HKLM\HARDWARE\Description\System\BIOS` | SystemProductName | A M I |
| BOCHS | `HKLM\HARDWARE\Description\System` | SystemBiosVersion | BOCHS |
| | `HKLM\HARDWARE\Description\System` | VideoBiosVersion | BOCHS |
| Anubis | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion` | ProductID | 76487-337-8429955-22614 |
| | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` | ProductID | 76487-337-8429955-22614 |
| CwSandbox | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion` | ProductID | 76487-644-3177037-23510 |
| | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` | ProductID | 76487-644-3177037-23510 |
| JoeBox | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion` | ProductID | 55274-640-2673064-23950 |
| | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` | ProductID | 55274-640-2673064-23950 |
| Parallels | `HKLM\HARDWARE\Description\System` | SystemBiosVersion | PARALLELS |
| | `HKLM\HARDWARE\Description\System` | VideoBiosVersion | PARALLELS |
| QEMU | `HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0` | Identifier | QEMU |
| | `HKLM\HARDWARE\Description\System` | SystemBiosVersion | QEMU |
| | `HKLM\HARDWARE\Description\System` | VideoBiosVersion | QEMU |
| | `HKLM\HARDWARE\Description\System\BIOS` | SystemManufacturer | QEMU |
| VirtualBox | `HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0` | Identifier | VBOX |
| | `HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0` | Identifier | VBOX |
| | `HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0` | Identifier | VBOX |
| | `HKLM\HARDWARE\Description\System` | SystemBiosVersion | VBOX |
| | `HKLM\HARDWARE\Description\System` | VideoBiosVersion | VIRTUALBOX |
| | `HKLM\HARDWARE\Description\System\BIOS` | SystemProductName | VIRTUAL |
| | `HKLM\SYSTEM\ControlSet001\Services\Disk\Enum` | DeviceDesc | VBOX |
| | `HKLM\SYSTEM\ControlSet001\Services\Disk\Enum` | FriendlyName | VBOX |
| | `HKLM\SYSTEM\ControlSet002\Services\Disk\Enum` | DeviceDesc | VBOX |
| | `HKLM\SYSTEM\ControlSet002\Services\Disk\Enum` | FriendlyName | VBOX |
| | `HKLM\SYSTEM\ControlSet003\Services\Disk\Enum` | DeviceDesc | VBOX |
| | `HKLM\SYSTEM\ControlSet003\Services\Disk\Enum` | FriendlyName | VBOX |
| | `HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation` | SystemProductName | VIRTUAL |
| | `HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation` | SystemProductName | VIRTUALBOX |
| VMware | `HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0` | Identifier | VMWARE |
| | `HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0` | Identifier | VMWARE |
| | `HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0` | Identifier | VMWARE |
| | `HKLM\HARDWARE\Description\System` | SystemBiosVersion | VMWARE |
| | `HKLM\HARDWARE\Description\System` | SystemBiosVersion | INTEL - 6040000 |
| | `HKLM\HARDWARE\Description\System` | VideoBiosVersion | VMWARE |
| | `HKLM\HARDWARE\Description\System\BIOS` | SystemProductName | VMware |
| | `HKLM\SYSTEM\ControlSet001\Services\Disk\Enum` | 0 | VMware |
| | `HKLM\SYSTEM\ControlSet001\Services\Disk\Enum` | 1 | VMware |
| | `HKLM\SYSTEM\ControlSet001\Services\Disk\Enum` | DeviceDesc | VMware |
| | `HKLM\SYSTEM\ControlSet001\Services\Disk\Enum` | FriendlyName | VMware |
| | `HKLM\SYSTEM\ControlSet002\Services\Disk\Enum` | DeviceDesc | VMware |
| | `HKLM\SYSTEM\ControlSet002\Services\Disk\Enum` | FriendlyName | VMware |
| | `HKLM\SYSTEM\ControlSet003\Services\Disk\Enum` | DeviceDesc | VMware |
| | `HKLM\SYSTEM\ControlSet003\Services\Disk\Enum` | FriendlyName | VMware |
| | `HKCR\Installer\Products` | ProductName | vmware tools |
| | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` | DisplayName | vmware tools |
| | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` | DisplayName | vmware tools |
| | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` | DisplayName | vmware tools |
| | `HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000` | CoInstallers32 | vmx |
| | `HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000` | DriverDesc | VMware |
| | `HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000` | InfSection | vmx |
| | `HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000` | ProviderName | VMware |
| | `HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings` | Device Description | VMware |
| | `HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation` | SystemProductName | VMWARE |
| | `HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video` | Service | vm3dmp |
| | `HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video` | Service | vmx_svga |
| | `HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000` | Device Description | VMware SVGA |
| Xen | `HKLM\HARDWARE\Description\System\BIOS` | SystemProductName | Xen |

Countermeasures

Hook the target functions and return an appropriate result whenever one of the indicators (registry strings from the tables) is checked.

Credits

Credits go to the open-source project from which the code samples were taken: the pafish project on GitHub.

Although Check Point's tool InviZzzible implements all of these checks, the modular structure of its code means that more space would be needed to show a code sample from that tool for the same purpose. That is why we decided to use other great open-source projects as examples throughout the encyclopedia.
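The two signature recommendations above can be applied to an API trace as sketched below. This is an added example, not code from the original article, pafish or InviZzzible. The trace record layout (`ApiCall`), the sample trace and the function names are assumptions made for illustration, and only a subset of the table rows is loaded.

```python
from dataclasses import dataclass

# Subset of the two detection tables, upper-cased once because the checks are
# case-insensitive. Extend with the remaining rows as needed.
PATH_INDICATORS = {p.upper(): target for p, target in [
    (r"HKLM\HARDWARE\ACPI\FADT\VBOX__", "VirtualBox"),
    (r"HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE", "VirtualBox"),
    (r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools", "VMware"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv", "Sandboxie"),
    (r"HKCU\SOFTWARE\Wine", "Wine"),
]}
VALUE_INDICATORS = {(p.upper(), v.upper()) for p, v in [
    (r"HKLM\HARDWARE\Description\System", "SystemBiosVersion"),
    (r"HKLM\HARDWARE\Description\System", "VideoBiosVersion"),
    (r"HKLM\HARDWARE\Description\System\BIOS", "SystemProductName"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductID"),
]}


@dataclass
class ApiCall:
    """Hypothetical trace record, one per intercepted ntdll call."""
    pid: int
    api: str        # "NtOpenKey", "NtQueryValueKey" or "NtClose"
    handle: int     # key handle returned (open) or used (query/close); 0 = open failed
    arg: str = ""   # kernel registry path (open) or value name (query)


def normalize(nt_path):
    """Map a kernel registry path to the HKLM/HKCU form used in the tables."""
    parts = [p for p in nt_path.upper().split("\\") if p]
    if parts[:2] == ["REGISTRY", "MACHINE"]:
        return "\\".join(["HKLM"] + parts[2:])
    if parts[:2] == ["REGISTRY", "USER"] and len(parts) >= 3:
        return "\\".join(["HKCU"] + parts[3:])  # parts[2] is the user SID
    return "\\".join(parts)


def match_path(path):
    """Return the detected product if path is, or lies under, a table path."""
    for indicator, target in PATH_INDICATORS.items():
        # "&" covers Enum\PCI subkeys named VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
        if path == indicator or path.startswith((indicator + "\\", indicator + "&")):
            return target
    return None


def scan(trace):
    """Return (pid, signature, detail) findings for both signatures."""
    open_keys = {}  # (pid, handle) -> normalized path of the opened key
    findings = []
    for call in trace:
        key = (call.pid, call.handle)
        if call.api == "NtOpenKey":
            path = normalize(call.arg)
            if call.handle:  # remember successful opens only
                open_keys[key] = path
            target = match_path(path)
            if target:
                # The attempt is the indicator: on a clean or hardened host the
                # open fails, yet the probe for the path still took place.
                findings.append((call.pid, "path-exists", f"{target}: {path}"))
        elif call.api == "NtQueryValueKey":
            path = open_keys.get(key)
            if path and (path, call.arg.upper()) in VALUE_INDICATORS:
                findings.append((call.pid, "value-string", f"{path}\\{call.arg}"))
        elif call.api == "NtClose":
            open_keys.pop(key, None)  # handle values are reused after close
    return findings


# Constructed sample trace (not captured from a real process).
SAMPLE_TRACE = [
    ApiCall(4312, "NtOpenKey", 0, r"\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__"),
    ApiCall(4312, "NtOpenKey", 0x1A4, r"\Registry\Machine\HARDWARE\Description\System"),
    ApiCall(4312, "NtQueryValueKey", 0x1A4, "systembiosversion"),
    ApiCall(4312, "NtClose", 0x1A4),
    ApiCall(4312, "NtOpenKey", 0x1A8,
            r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\PCI"
            r"\VEN_80EE&DEV_0000&SUBSYS_00000000&REV_00"),
    ApiCall(977, "NtOpenKey", 0x50, r"\REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Wine"),
    ApiCall(977, "NtOpenKey", 0x54,
            r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ApiCall(977, "NtQueryValueKey", 0x54, "SystemBiosVersion"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TRACE):
        print(finding)
```

A single hit is weak evidence, since legitimate software also reads values such as SystemBiosVersion and ordinary hosts can carry virtual machine artifacts; several hits from one process across different products are a much stronger signal.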
Original title :Evasions: Registry Updated date :2021 year 5 month 17 Late Japanese article : Expand the content according to what you have learned because of your limited technology , We can only do our best to translate foreign technical articles , For everyone to learn , If there is something improper or perfect , I hope it can be pointed out that , Used to jointly improve this article . Directory registry detection method 1. Check whether there is a specific registry path 2. Check whether the specific registry key contains the specified string. The countermeasures are attributed to the registry detection methods. The principles of all registry detection methods are as follows : There are no such registry keys and values in normal hosts . However , They exist in specific virtual environments . Sometimes , Common systems may cause false positives when applying these checks , Because it installs some virtual machines , Therefore, there are some virtual machine artifacts in the system . Although in all other respects , Such a system is cleaner than a virtual environment . The registry key can be accessed through WinAPI Call query .kernel32.dll Functions used in :RegOpenKeyRegOpenKeyExRegQueryValueRegQueryValueExRegCloseKeyRegEnumKeyEx The above function is in the following ntdll.dll On top of the function wrappers:NtOpenKeyNtEnumerateKeyNtQueryValueKeyNtClose1. Check whether there is a specific registry path. See the title section , To get the list of functions used . 
Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path /int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, “HARDWARE\ACPI\FADT\VBOX__”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; / regkey_s == “HARDWARE\ACPI\FADT\VBOX__”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path
Second parameter of NtOpenKey(…, registry_path, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry path exists : Detect registry path (registry path) details ( If any )[general]HKLM\Software\Classes\Folder\shell\sandboxHyper-V HKLM\SOFTWARE\Microsoft\Hyper-VHKLM\SOFTWARE\Microsoft\VirtualMachine HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters Usually "HostName " and "VirtualMachineName " The value of is read in this path .HKLM\SYSTEM\ControlSet001\Services\vmicheartbeatHKLM\SYSTEM\ControlSet001\Services\vmicvss HKLM\SYSTEM\ControlSet001\Services\vmicshutdown HKLM\SYSTEM\ControlSet001\Services\vmicexchange Parallels HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 Subkeys have the following structure VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWSandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrvHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie VirtualBox HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\HARDWARE\ACPI\DSDT\VBOX__HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions HKLM\SYSTEM\ControlSet001\Services\VBoxGuest HKLM\SYSTEM\ControlSet001\Services\VBoxMouse HKLM\SYSTEM\ControlSet001\Services\VBoxService HKLM\SYSTEM\ControlSet001\Services\VBoxSF HKLM\SYSTEM\ControlSet001\Services\VBoxVideo VirtualPC HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\SYSTEM\ControlSet001\Services\vpcbusHKLM\SYSTEM\ControlSet001\Services\vpc-s3 HKLM\SYSTEM\ControlSet001\Services\vpcuhub HKLM\SYSTEM\ControlSet001\Services\msvmmouf VMware HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKCU\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\VMware, Inc.\VMware Tools 
HKLM\SYSTEM\ControlSet001\Services\vmdebug HKLM\SYSTEM\ControlSet001\Services\vmmouse HKLM\SYSTEM\ControlSet001\Services\VMTools HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL HKLM\SYSTEM\ControlSet001\Services\vmware HKLM\SYSTEM\ControlSet001\Services\vmci HKLM\SYSTEM\ControlSet001\Services\vmx86 HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* Wine HKCU\SOFTWARE\WineHKLM\SOFTWARE\Wine Xen HKLM\HARDWARE\ACPI\DSDT\xenHKLM\HARDWARE\ACPI\FADT\xen HKLM\HARDWARE\ACPI\RSDT\xen HKLM\SYSTEM\ControlSet001\Services\xenevtchn HKLM\SYSTEM\ControlSet001\Services\xennet HKLM\SYSTEM\ControlSet001\Services\xennet6 HKLM\SYSTEM\ControlSet001\Services\xensvc HKLM\SYSTEM\ControlSet001\Services\xenvdb In special circumstances , Malware may enumerate subkeys and check whether the name of the subkey contains some strings , Instead of checking whether the specified key exists . for example : list "HKLM\SYSTEM\ControlSet001\Services" And search "VBox " character string .2. Check whether the specific registry key contains the specified string. See the title section , To get a list of functions used . Please note that , Case has nothing to do with these checks : It can be uppercase or lowercase . 
Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values /int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, “HARDWARE\Description\System”, “SystemBiosVersion”, “VBOX”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { / regkey_s == “HARDWARE\Description\System”; value_s == “SystemBiosVersion”; lookup == “VBOX”; / HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); / regkey_s == “HARDWARE\Description\System”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { / value_s == “SystemBiosVersion”; / ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive / value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { / case-insensitive / lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path
Second parameter of :NtOpenKey(…, Registry path , …) Followed by a call to the following function , This function has table columns “ Registry key ” Second parameter of :NtQueryValueKey(…, registry_item, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry value contains the following string ( Case insensitive :Detect Registry path registry key string [general]HKLM\HARDWARE\Description\SystemSystemBiosDate06/23/99HKLM\HARDWARE\Description\System\BIOSSystemProductNameA M IBOCHSHKLM\HARDWARE\Description\SystemSystemBiosVersionBOCHSHKLM\HARDWARE\Description\SystemVideoBiosVersionBOCHSAnubisHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-337-8429955-22614HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-337-8429955-22614CwSandboxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-644-3177037-23510HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-644-3177037-23510JoeBoxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID55274-640-2673064-23950HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID55274-640-2673064-23950ParallelsHKLM\HARDWARE\Description\SystemSystemBiosVersionPARALLELSHKLM\HARDWARE\Description\SystemVideoBiosVersionPARALLELSQEMUHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUHKLM\HARDWARE\Description\SystemSystemBiosVersionQEMUHKLM\HARDWARE\Description\SystemVideoBiosVersionQEMUHKLM\HARDWARE\Description\System\BIOSSystemManufacturerQEMUVirtualBoxHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 
0IdentifierVBOXHKLM\HARDWARE\Description\SystemSystemBiosVersionVBOXHKLM\HARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHKLM\HARDWARE\Description\System\BIOSSystemProductNameVIRTUALHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALBOXVMwareHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionINTEL - 6040000HKLM\HARDWARE\Description\SystemVideoBiosVersionVMWAREHKLM\HARDWARE\Description\System\BIOSSystemProductNameVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum0VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum1VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVMwareHKCR\Installer\ProductsProductNamevmware toolsHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware 
toolsHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32vmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMwareHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWAREHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevm3dmpHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevmx_svgaHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\0000Device DescriptionVMware SVGAXenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen Countermeasures intercept the objective function , If the indicator ( Registry string from table ) Checked , Then the appropriate result is returned . Thanks to open source projects , The code sample is taken from this project .github Upper pafish project Even though Check Point Tools InviZzzible All these functions have been realized , But due to the modular structure of the code , More space is needed to show the code samples of this tool , To achieve the same purpose . That's why we decided to use other great open source projects as examples throughout the encyclopedia . Comment on 0 Browse in reverse order, let's comment 00 Come and comment, login | register Simple version of client Comsenz Inc. Original address :Evasions: Registry (checkpoint.com)
Original title :Evasions: Registry Updated date :2021 year 5 month 17 Late Japanese article : Expand the content according to what you have learned because of your limited technology , We can only do our best to translate foreign technical articles , For everyone to learn , If there is something improper or perfect , I hope it can be pointed out that , Used to jointly improve this article . Directory registry detection method 1. Check whether there is a specific registry path 2. Check whether the specific registry key contains the specified string. The countermeasures are attributed to the registry detection methods. The principles of all registry detection methods are as follows : There are no such registry keys and values in normal hosts . However , They exist in specific virtual environments . Sometimes , Common systems may cause false positives when applying these checks , Because it installs some virtual machines , Therefore, there are some virtual machine artifacts in the system . Although in all other respects , Such a system is cleaner than a virtual environment . The registry key can be accessed through WinAPI Call query .kernel32.dll Functions used in :RegOpenKeyRegOpenKeyExRegQueryValueRegQueryValueExRegCloseKeyRegEnumKeyEx The above function is in the following ntdll.dll On top of the function wrappers:NtOpenKeyNtEnumerateKeyNtQueryValueKeyNtClose1. Check whether there is a specific registry path. See the title section , To get the list of functions used . 
Code samples :/* sample of usage: see detection of VirtualBox in the table below to check registry path /int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, “HARDWARE\ACPI\FADT\VBOX__”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; / regkey_s == “HARDWARE\ACPI\FADT\VBOX__”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE;} The author of this code sample :pafish project Identification flag if the following function contains a list Registry path
Second parameter of NtOpenKey(…, registry_path, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry path exists : Detect registry path (registry path) details ( If any )[general]HKLM\Software\Classes\Folder\shell\sandboxHyper-V HKLM\SOFTWARE\Microsoft\Hyper-VHKLM\SOFTWARE\Microsoft\VirtualMachine HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters Usually "HostName " and "VirtualMachineName " The value of is read in this path .HKLM\SYSTEM\ControlSet001\Services\vmicheartbeatHKLM\SYSTEM\ControlSet001\Services\vmicvss HKLM\SYSTEM\ControlSet001\Services\vmicshutdown HKLM\SYSTEM\ControlSet001\Services\vmicexchange Parallels HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 Subkeys have the following structure VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWSandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrvHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie VirtualBox HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\HARDWARE\ACPI\DSDT\VBOX__HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions HKLM\SYSTEM\ControlSet001\Services\VBoxGuest HKLM\SYSTEM\ControlSet001\Services\VBoxMouse HKLM\SYSTEM\ControlSet001\Services\VBoxService HKLM\SYSTEM\ControlSet001\Services\VBoxSF HKLM\SYSTEM\ControlSet001\Services\VBoxVideo VirtualPC HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\SYSTEM\ControlSet001\Services\vpcbusHKLM\SYSTEM\ControlSet001\Services\vpc-s3 HKLM\SYSTEM\ControlSet001\Services\vpcuhub HKLM\SYSTEM\ControlSet001\Services\msvmmouf VMware HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKCU\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\VMware, Inc.\VMware Tools 
HKLM\SYSTEM\ControlSet001\Services\vmdebug HKLM\SYSTEM\ControlSet001\Services\vmmouse HKLM\SYSTEM\ControlSet001\Services\VMTools HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL HKLM\SYSTEM\ControlSet001\Services\vmware HKLM\SYSTEM\ControlSet001\Services\vmci HKLM\SYSTEM\ControlSet001\Services\vmx86 HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* Wine HKCU\SOFTWARE\WineHKLM\SOFTWARE\Wine Xen HKLM\HARDWARE\ACPI\DSDT\xenHKLM\HARDWARE\ACPI\FADT\xen HKLM\HARDWARE\ACPI\RSDT\xen HKLM\SYSTEM\ControlSet001\Services\xenevtchn HKLM\SYSTEM\ControlSet001\Services\xennet HKLM\SYSTEM\ControlSet001\Services\xennet6 HKLM\SYSTEM\ControlSet001\Services\xensvc HKLM\SYSTEM\ControlSet001\Services\xenvdb In special circumstances , Malware may enumerate subkeys and check whether the name of the subkey contains some strings , Instead of checking whether the specified key exists . for example : list "HKLM\SYSTEM\ControlSet001\Services" And search "VBox " character string .2. Check whether the specific registry key contains the specified string. See the title section , To get a list of functions used . Please note that , Case has nothing to do with these checks : It can be uppercase or lowercase . 
Code sample:

```c
#include <windows.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

int pafish_iswow64(void); /* defined elsewhere in the pafish sources */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup);

/* sample of usage: see detection of VirtualBox in the table below
   to check registry path and key values */
int vbox_reg_key2() {
    return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
    /*
        regkey_s == "HARDWARE\\Description\\System";
        value_s == "SystemBiosVersion";
        lookup == "VBOX";
    */
    HKEY regkey;
    LONG ret;
    DWORD size;
    char value[1024], * lookup_str;
    size_t lookup_size;

    lookup_size = strlen(lookup);
    lookup_str = malloc(lookup_size+sizeof(char));
    if (lookup_str == NULL) return FALSE;
    strncpy(lookup_str, lookup, lookup_size+sizeof(char));
    size = sizeof(value) - 1; /* keep one byte for the terminator added below */

    /* regkey_s == "HARDWARE\\Description\\System"; */
    if (pafish_iswow64()) {
        /* 32-bit process on 64-bit Windows: ask for the 64-bit registry view */
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        /* value_s == "SystemBiosVersion"; */
        ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
        RegCloseKey(regkey);

        if (ret == ERROR_SUCCESS) {
            size_t i;
            value[size] = '\0'; /* registry data is not guaranteed to be NUL-terminated */
            for (i = 0; i < strlen(value); i++) { /* case-insensitive */
                value[i] = toupper((unsigned char)value[i]);
            }
            for (i = 0; i < lookup_size; i++) { /* case-insensitive */
                lookup_str[i] = toupper((unsigned char)lookup_str[i]);
            }
            if (strstr(value, lookup_str) != NULL) {
                free(lookup_str);
                return TRUE;
            }
        }
    }

    free(lookup_str);
    return FALSE;
}
```

The author of this code sample: pafish project

Identification signature

If the following function is called with a value from the table column "Registry path" as its second parameter:

NtOpenKey(…, registry_path, …)

and is followed by a call to the following function with a value from the table column "Registry key" as its second parameter:

NtQueryValueKey(…, registry_item, …)

then this indicates that the application is trying to use the evasion technique.

Detection table

Check whether the following registry values contain the following strings (case-insensitive):

| Detect | Registry path | Registry key | String |
| --- | --- | --- | --- |
| [general] | HKLM\HARDWARE\Description\System | SystemBiosDate | 06/23/99 |
| [general] | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | A M I |
| BOCHS | HKLM\HARDWARE\Description\System | SystemBiosVersion | BOCHS |
| BOCHS | HKLM\HARDWARE\Description\System | VideoBiosVersion | BOCHS |
| Anubis | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| Anubis | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| CwSandbox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| CwSandbox | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| JoeBox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| JoeBox | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| Parallels | HKLM\HARDWARE\Description\System | SystemBiosVersion | PARALLELS |
| Parallels | HKLM\HARDWARE\Description\System | VideoBiosVersion | PARALLELS |
| QEMU | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | QEMU |
| QEMU | HKLM\HARDWARE\Description\System | SystemBiosVersion | QEMU |
| QEMU | HKLM\HARDWARE\Description\System | VideoBiosVersion | QEMU |
| QEMU | HKLM\HARDWARE\Description\System\BIOS | SystemManufacturer | QEMU |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| VirtualBox | HKLM\HARDWARE\Description\System | SystemBiosVersion | VBOX |
| VirtualBox | HKLM\HARDWARE\Description\System | VideoBiosVersion | VIRTUALBOX |
| VirtualBox | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VIRTUAL |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VBOX |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUAL |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUALBOX |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| VMware | HKLM\HARDWARE\Description\System | SystemBiosVersion | VMWARE |
| VMware | HKLM\HARDWARE\Description\System | SystemBiosVersion | INTEL - 6040000 |
| VMware | HKLM\HARDWARE\Description\System | VideoBiosVersion | VMWARE |
| VMware | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 0 | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 1 | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VMware |
| VMware | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VMware |
| VMware | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VMware |
| VMware | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VMware |
| VMware | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VMware |
| VMware | HKCR\Installer\Products | ProductName | vmware tools |
| VMware | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| VMware | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| VMware | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | CoInstallers32 | vmx |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | DriverDesc | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | InfSection | vmx |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | ProviderName | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings | Device Description | VMware |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VMWARE |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vm3dmp |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vmx_svga |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000 | Device Description | VMware SVGA |
| Xen | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | Xen |

Countermeasures

Hook the target functions and return appropriate results if the indicators (registry strings from the tables) are checked.

Credits

Credits go to the open-source project from which the code samples were taken: the pafish project on GitHub.

Although Check Point's tool InviZzzible implements all of these checks, the modular structure of its code means that more space would be needed to show a code sample from this tool for the same purpose. That is why we decided to use other great open-source projects as examples throughout the encyclopedia.
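The NtOpenKey followed by NtQueryValueKey sequence described above can be matched over a sandbox API trace, correlating the two calls by process and key handle. This is an added example, not code from pafish or Check Point; the event format (dicts with pid, api, handle, path, value), the sample trace and the choice of table rows are assumptions made for illustration.

```python
# Subset of the page's detection table: registry path -> value names of interest.
# Everything is lower-cased because registry lookups are case-insensitive.
INDICATORS = {
    r"hklm\hardware\description\system": {"systembiosdate", "systembiosversion", "videobiosversion"},
    r"hklm\hardware\description\system\bios": {"systemproductname", "systemmanufacturer"},
    r"hklm\system\controlset001\services\disk\enum": {"0", "1", "devicedesc", "friendlyname"},
    r"hklm\system\currentcontrolset\control\systeminformation": {"systemproductname"},
}
NT_HKLM = "\\registry\\machine"  # native-API spelling of HKLM

def normalize(path):
    """Lower-case a key path and rewrite the native HKLM prefix to 'hklm'."""
    p = path.lower().rstrip("\\")
    if p.startswith(NT_HKLM + "\\"):
        p = "hklm" + p[len(NT_HKLM):]
    return p

def find_vm_checks(events):
    """Return (pid, key path, value name) for each table value read through
    a handle that NtOpenKey returned for a table path."""
    open_keys = {}  # (pid, handle) -> normalized table path
    hits = []
    for ev in events:
        slot = (ev["pid"], ev["handle"])
        if ev["api"] == "NtOpenKey":
            path = normalize(ev["path"])
            if path in INDICATORS:
                open_keys[slot] = path
            else:
                open_keys.pop(slot, None)  # handle now refers to another key
        elif ev["api"] == "NtClose":
            open_keys.pop(slot, None)
        elif ev["api"] == "NtQueryValueKey":
            path = open_keys.get(slot)
            if path and ev["value"].lower() in INDICATORS[path]:
                hits.append((ev["pid"], path, ev["value"]))
    return hits

# Constructed trace: one table read, then the same handle value reused elsewhere.
SAMPLE_TRACE = [
    {"pid": 4120, "api": "NtOpenKey", "handle": 0x1A4,
     "path": r"\REGISTRY\MACHINE\HARDWARE\Description\System"},
    {"pid": 4120, "api": "NtQueryValueKey", "handle": 0x1A4, "value": "SystemBiosVersion"},
    {"pid": 4120, "api": "NtClose", "handle": 0x1A4},
    {"pid": 4120, "api": "NtOpenKey", "handle": 0x1A4,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Example"},
    {"pid": 4120, "api": "NtQueryValueKey", "handle": 0x1A4, "value": "SystemBiosVersion"},
]
```

A hit shows only that the value was read: the comparison against strings such as VBOX happens inside the process (strstr in the pafish sample), so it never appears in an API trace.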