08 2021 档案

autoElevate
摘要:Get-ChildItem "C:\Windows\System32\*.exe" | Select-String -pattern "<autoElevate>true</autoElevate>" bthudtask.exe:81: <autoElevate>true</autoElevate> 阅读全文
posted @ 2021-08-30 14:15 DirWangK 阅读(144) 评论(0) 推荐(0)
UPX(-)[modified] 脱壳
摘要:查壳:UPX(-)[modified] 脱壳 入口点,经典pushad指令,可以根据esp定律跟oep,这里直接搜索popad指令 ctrl+f --popad,搜到2条 第一条popad下断,f9运行 跳过循环,jmp处下断,f9运行 f7步进来到OEP 使用scylla插件dump 发现一条无效 阅读全文
posted @ 2021-08-24 20:21 DirWangK 阅读(786) 评论(3) 推荐(1)
PECompact(3.02.2)脱壳记录
摘要:1.查壳 2.find OEP 3.dump 4.fix die查壳: x32dbg调试脱壳,找OEP: 入口点: mov eax,idaprohelper.44B51C push eax push dword ptr fs:[0] mov dword ptr fs:[0],esp xor eax, 阅读全文
posted @ 2021-08-11 21:25 DirWangK 阅读(949) 评论(0) 推荐(0)
cobalt strike Artifact.exe分析
摘要:main 1do_401840 1.1CreateThread 1.1.1WriteShellcodeToPipe_401648 1.2RecvShellcode_4017E2 1.2.1ReadPipeContent_401732 1.2.2DecryptoAndRunShellcode_4015 阅读全文
posted @ 2021-08-06 22:35 DirWangK 阅读(333) 评论(0) 推荐(0)
ida findcrypt报错yara.libyara_wrapper.YaraSyntaxError
摘要:参考链接:https://blog.csdn.net/qq_34905587/article/details/115264740 python脚本插件:https://github.com/polymorf/findcrypt-yara 报错yara.libyara_wrapper.YaraSynt 阅读全文
posted @ 2021-08-05 14:55 DirWangK 阅读(456) 评论(0) 推荐(0)
"Software\Hex-Rays\IDA" exists, but no "Python3TargetDLL" value found No Python installations were found
摘要:idapyswitch参数: 指定python.dll所在路径: idapyswitch.exe --force-path .\python3.dll 修改的注册表位置: 计算机\HKEY_CURRENT_USER\Software\Hex-Rays\IDA 阅读全文
posted @ 2021-08-05 14:47 DirWangK 阅读(6307) 评论(0) 推荐(2)