CN113434863B - Method and device for realizing remote control of host based on PE file structure - Google Patents
- Publication number
- CN113434863B
- Authority
- CN
- China
- Prior art keywords
- file
- shellcode
- target
- blank area
- remote control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a method and a device for realizing remote control of a host based on a PE file structure. The method comprises the following steps: acquiring PE files of a Windows operating system, and determining a target PE file according to preset conditions; searching for a blank area of the target PE file, and injecting shellcode into the blank area found; taking the starting address of the shellcode as the entry point of the target PE file; after the shellcode is executed, jumping to the original entry point of the PE file. The advantages of the invention are that it provides a concealed way of remotely controlling a host, so that the client is kept from being detected and removed by security software, and the cases in which access to the host is lost because remote control fails are reduced.
Description
Technical Field
The invention relates to the field of remote control of hosts, in particular to a method and a device for realizing remote control of a host based on a PE file structure.
Background
The Cybersecurity Law issued in 2016 sets out requirements for network security exercises: the operator of critical information infrastructure should "formulate a network security incident emergency plan and carry out exercises on a regular basis". Live network attack-and-defense exercises are promoted at the national level to support the sound construction of important information systems in various industries, to strengthen the network security protection of critical information infrastructure, and to raise the level of emergency response; improving network security assurance capability through live, adversarial exercises is therefore of great significance.
As large-scale attack-and-defense exercises develop, how to run an exercise effectively, improve the effect of red-versus-blue confrontation, and let the defense make more accurate judgments during the exercise has become a focus of attention for many users. In an attack-and-defense exercise, common attack methods (such as weak-password attacks, DDoS attacks and brute-force cracking) can be understood from the attacker's point of view, and those methods fully test the security protection, attack monitoring and emergency handling capability of the participating units and target systems. After an attacker gains access to a remote host through a series of conventional vulnerabilities, how to keep control of that host and then move laterally is a difficult problem.
After gaining access, an attacker conventionally uses a C2 tool to control the host remotely. The most common tool is a GUI framework-style penetration testing tool based on Metasploit, which integrates port forwarding, service scanning, automated overflow, multi-mode port listening, generation of exe and PowerShell Trojans, and so on. It can also carry out phishing attacks, including website cloning, target information gathering, Java execution and browser attacks. CS is mainly used for team collaboration: several attackers can connect to one team server at the same time and share information. The usual approach is to generate shellcode and load it on the remote host with a loader, PowerShell or the like, and so control the host remotely. However, blue teams have gradually become familiar with this approach, and PowerShell scripts and loaders can be effectively detected and removed by multiple defenses such as firewalls and EDR equipment, so with current methods of remote control the client is easily detected and removed, the remote control fails, and access to the host is lost.
The document "Windows system security attack and defense technology", published on Baidu Library on March 5, 2019, introduces the basic structure of the Windows operating system, the core structure and components of the Windows system, Windows process and thread management, Windows memory management, the Windows file system, the PE file format, the Windows registry, Windows security and so on, but does not introduce a method of remotely controlling a host. Therefore, there is a need to design a new method for remotely controlling a host.
Disclosure of Invention
The technical problem to be solved by the invention is that the prior-art methods of remotely controlling a host have gradually become familiar to defenders, so the client is easily detected and removed, the remote control fails, and access to the host is lost.
The invention solves the technical problems by the following technical means: a method for implementing remote control of a host based on a PE file structure, the method comprising:
acquiring PE files of a Windows operating system, and determining target PE files according to preset conditions;
searching a blank area of the target PE file, and injecting shellcode into the searched blank area;
taking the starting address of the shellcode as an entry point of the target PE file;
after the shellcode is executed, jumping to the original entry point of the PE file.
According to the invention, the shellcode is injected into a blank area of the PE file, the entry point of the PE file is modified to point to the shellcode, and after the shellcode is executed control jumps back to the original entry point of the PE file. The function of the PE file is therefore not affected and the shellcode runs hidden, giving a concealed way of remotely controlling the host: the client can be kept from being detected and removed, and the cases in which access to the host is lost because remote control fails are reduced.
Further, the step of searching the blank area of the target PE file and injecting shellcode into the searched blank area includes:
gradually searching the position of the target PE file section table through a PE structure pointer;
aligning all the sections of the target PE file, and taking the part of each section outside the position of the actual data after alignment as the blank area;
determining a start address of the shellcode in the blank area according to the size of the shellcode;
the shellcode is injected into the blank area by a writing program.
Further, the PE file includes a DOS portion, a PE file header, a section table, and a plurality of sections.
Further, the preset conditions include the running frequency of the PE file; the step of determining the target PE file according to the preset conditions comprises: when the running frequency of the PE file is greater than a preset threshold, determining the PE file as the target PE file.
Further, the shellcode is generated by the attacker tool Cobalt Strike.
The invention also provides a device for realizing the remote control of the host based on the PE file structure, which comprises:
the target PE file acquisition module is used for acquiring PE files of the Windows operating system and determining the target PE files according to preset conditions;
the Shellcode injection module is used for searching the blank area of the target PE file and injecting Shellcode into the searched blank area;
the entry point acquisition module of the target PE file is used for taking the starting address of the shellcode as the entry point of the target PE file;
and the jump module is used for jumping to the original entry point of the PE file after the shellcode is executed.
Further, the Shellcode injection module is also configured to:
gradually searching the position of the target PE file section table through a PE structure pointer;
aligning all the sections of the target PE file, and taking the part of each section outside the position of the actual data after alignment as the blank area;
determining a start address of the shellcode in the blank area according to the size of the shellcode;
the shellcode is injected into the blank area by a writing program.
Further, the PE file comprises a DOS part, a PE file header, a section table and a plurality of sections.
Further, the preset conditions include the running frequency of the PE file; the step of determining the target PE file according to the preset conditions comprises: when the running frequency of the PE file is greater than a preset threshold, determining the PE file as the target PE file.
Further, the shellcode is generated by the attacker tool Cobalt Strike.
The invention has the following advantages: the shellcode is injected into a blank area of the PE file, the entry point of the PE file is modified to point to the shellcode, and after the shellcode is executed control jumps back to the original entry point of the PE file, so that the function of the PE file is not affected and the shellcode runs hidden, giving a concealed way of remotely controlling the host.
Drawings
FIG. 1 is a flowchart of a method for implementing remote control of a host based on a PE file structure according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a PE file structure in a method for implementing remote control of a host based on the PE file structure according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described in the following in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
As shown in fig. 1, a method for implementing remote control of a host based on a PE file structure, the method includes:
S1: acquiring PE files of a Windows operating system, and determining the target PE file according to preset conditions; the preset condition is the running frequency of the PE file; the step of determining the target PE file according to the preset condition comprises: when the running frequency of the PE file is greater than a preset threshold, determining the PE file as the target PE file.
S2: searching a blank area of the target PE file, and injecting shellcode into the searched blank area; the specific process is as follows:
gradually searching the position of the target PE file section table through a PE structure pointer;
aligning all the sections of the target PE file, and taking the part of each section outside the position of the actual data after alignment as the blank area;
determining a start address of the shellcode in the blank area according to the size of the shellcode;
the shellcode is injected into the blank area by a writing program.
S3: taking the starting address of the shellcode as an entry point of the target PE file;
S4: after the shellcode is executed, jumping to the original entry point of the PE file.
The method provided by the invention is based on the PE file structure underlying the Windows operating system. PE (Portable Executable) is the executable file format native to the Win32 environment, and some of its characteristics are inherited from the Unix COFF (Common Object File Format) file format. The name indicates that the format is common across Win32 platforms: even if Windows runs on a non-Intel CPU, the PE loader of any Win32 platform can recognize and use files in this format. All Win32 executables (except VxDs and 16-bit DLLs) use the PE file format, such as EXE files and DLL files, including NT kernel-mode drivers (Kernel Mode Driver).
As shown in FIG. 2, a PE file is composed of a DOS header, a PE file header, a section table and a plurality of sections, and a PE file contains at least two sections, namely a data section and a code section. A Windows NT application has 9 predefined sections, among them the .text, .bss, .rdata, .data, .pdata and .debug sections; not all of them are necessary, and more sections may be defined as needed (as some packers do). The 6 sections that appear most often in an application are the following:
Executable code section, typically named .text (Microsoft) or CODE (Borland);
Data section, commonly named .data, .rdata or .bss (Microsoft), or DATA (Borland);
resource section, commonly named;
export tables, typically named;
import tables, commonly named .idata;
debug information section, commonly named;
Because sections must be aligned, blank areas are produced. Modifying the content of a blank area does not affect the running of the PE file, so a blank area can be used to inject shellcode. Shellcode can also be injected by adding a new section, and shellcode of any length can be injected that way. Shellcode is independent executable code; it can be written by an engineer according to the actual application, or generated automatically by the attacker tool Cobalt Strike. The function of the shellcode differs according to the requirements of the attack-and-defense exercise. The invention uses a "white-plus-black" approach to control the remote host. "White-plus-black" is a term from the security community: it refers to mixing whitelisted files (files that defensive software does not intercept, such as the calculator and Notepad that ship with Windows, or common software such as Word and WeChat) with blacklisted files (specific files used to control the host and obtain host information, such as Trojan files) in order to bypass defensive software. The method flow provided by the invention is demonstrated below with a computer program that ships with Windows.
Open the PE file in the hexadecimal editor 010 Editor and look upward from the beginning of the second section: if a run of consecutive 00 bytes appears in a section, the area occupied by that run is the blank area of the section. The invention aims to inject shellcode into a blank area; to make the demonstration clear, the injection is tested with a harmless shellcode whose only function is to pop up a dialog box. The shellcode is as follows:
Because some fairly complex address calculation is required, copying and pasting the shellcode directly is not practical, so the injection is carried out by a writing program. The key code and steps are as follows:
Step 1: find the position of the section table step by step through the PE structure pointers
PIMAGE_DOS_HEADER pDosHeader=(PIMAGE_DOS_HEADER)pImageBuffer;
PIMAGE_NT_HEADERS pNtHeader=(PIMAGE_NT_HEADERS)((DWORD)pImageBuffer+pDosHeader->e_lfanew);
PIMAGE_FILE_HEADER pPEHeader=(PIMAGE_FILE_HEADER)((DWORD)pNtHeader+4);
PIMAGE_OPTIONAL_HEADER32 pOptionalHeader=(PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader+IMAGE_SIZEOF_FILE_HEADER);
PIMAGE_SECTION_HEADER pSectionHeader=(PIMAGE_SECTION_HEADER)((DWORD)pOptionalHeader+pPEHeader->SizeOfOptionalHeader);
Step 2: calculate the position at which the shellcode is added, copy the shellcode, and add the code that jumps back to the entry point
char*codeBegin=(char*)((DWORD)pImageBuffer+pSectionHeader->VirtualAddress+pSectionHeader->Misc.VirtualSize);
memcpy(codeBegin,code,codesize);
memcpy(codeBegin+codesize-1,e9,5);
Step 3: calculate and patch the jump address, and modify the entry point
DWORD enterPoint=imageBase+(DWORD)pOptionalHeader->AddressOfEntryPoint;*(PDWORD)(codeBegin+codesize)=enterPoint-((DWORD)(codeBegin+codesize+4)-(DWORD)pImageBuffer+imageBase);
pOptionalHeader->AddressOfEntryPoint=(DWORD)codeBegin-(DWORD)pImageBuffer;
After the shellcode has been injected, the new file generated by the injection can be seen. Run that file: if it runs normally and the function of the shellcode is performed (the shellcode here is a popup window, so a window pops up under normal operation), the shellcode was injected successfully. It should be noted that the shellcode and the code involved in the injection process are given as examples to aid understanding; the given code is not within the scope of protection, is something those skilled in the art will understand, and is not explained in further detail here.
According to the technical scheme, the shellcode is injected into a blank area of the PE file, the entry point of the PE file is modified to point to the position of the shellcode, and after the shellcode is executed control jumps back to the original entry point of the PE file. The function of the PE file is therefore not affected and the shellcode runs hidden, giving a concealed way of remotely controlling the host: the client can be kept from being detected and removed, and the cases in which access to the host is lost because remote control fails are reduced.
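The injection code in Example 1 writes at the first section's VirtualAddress + Misc.VirtualSize and repoints AddressOfEntryPoint there, which leaves two static artifacts a defender can test for: non-zero bytes in a section's alignment padding, and an entry point that lies past the section's declared VirtualSize. The following Python check is an added example and is not part of the patent; the function names (parse_pe, audit_pe, build_sample) and the sample image are constructed for illustration, and both checks are heuristics that a legitimate file can occasionally trip.

```python
import struct
from collections import namedtuple

Section = namedtuple("Section", "name vsize vaddr raw_size raw_ptr")


def parse_pe(data):
    """Return (entry_rva, [Section, ...]) read from the PE headers in `data`."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("no MZ signature")
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        # IMAGE_FILE_HEADER follows the 4-byte signature.
        (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
        (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
        opt = e_lfanew + 24
        # AddressOfEntryPoint is at offset 16 in both PE32 and PE32+.
        (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
        sections = []
        for i in range(nsec):
            off = opt + opt_size + 40 * i          # 40-byte section headers
            name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
            sections.append(Section(name.rstrip(b"\0").decode("latin-1"),
                                    vsize, vaddr, rsize, rptr))
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return entry_rva, sections


def audit_pe(data):
    """Return a list of (finding, section_name, detail) tuples."""
    entry_rva, sections = parse_pe(data)
    findings = []
    entry_section = None
    for s in sections:
        if s.vaddr <= entry_rva < s.vaddr + max(s.vsize, s.raw_size):
            entry_section = s
        # Padding = file bytes between the declared data and the aligned end.
        if 0 < s.vsize < s.raw_size:
            pad = data[s.raw_ptr + s.vsize:s.raw_ptr + s.raw_size]
            nonzero = len(pad) - pad.count(0)
            if nonzero:
                findings.append(("NONZERO_PADDING", s.name, nonzero))
    if entry_rva:                                  # 0 is valid for a DLL with no entry
        if entry_section is None:
            findings.append(("ENTRY_OUTSIDE_SECTIONS", "", entry_rva))
        elif 0 < entry_section.vsize <= entry_rva - entry_section.vaddr:
            findings.append(("ENTRY_IN_PADDING", entry_section.name, entry_rva))
    return findings


def build_sample(entry_rva, padding_bytes=b""):
    """Constructed one-section PE32 image: only the fields parse_pe reads are set."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)   # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)        # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)       # PE32 magic
    struct.pack_into("<I", img, 0xA8, entry_rva)   # AddressOfEntryPoint
    # .text: VirtualSize 0x120, RVA 0x1000, SizeOfRawData 0x200, raw offset 0x200
    struct.pack_into("<8sIIII", img, 0x178, b".text", 0x120, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x178 + 36, 0x60000020)   # code | execute | read
    img[0x200:0x320] = b"\x90" * 0x120             # filler standing in for real code
    img[0x320:0x320 + len(padding_bytes)] = padding_bytes
    return bytes(img)


if __name__ == "__main__":
    clean = build_sample(0x1000)
    # Constructed "modified" image: marker bytes in the padding, entry repointed.
    modified = build_sample(0x1000 + 0x120, b"\xAA" * 16)
    for label, image in (("clean", clean), ("modified", modified)):
        print(label, audit_pe(image))
```

Because the technique changes the file on disk, it also changes the file hash and invalidates any Authenticode signature, so baseline hash comparison and signature verification of frequently run executables catch the same modification.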
Example 2
Based on embodiment 1 of the present invention, embodiment 2 of the present invention further provides a device for implementing remote control of a host based on a PE file structure, where the device includes:
the target PE file acquisition module is used for acquiring PE files of the Windows operating system and determining the target PE files according to preset conditions;
the Shellcode injection module is used for searching the blank area of the target PE file and injecting Shellcode into the searched blank area;
the entry point acquisition module of the target PE file is used for taking the starting address of the shellcode as the entry point of the target PE file;
and the jump module is used for jumping to the original entry point of the PE file after the shellcode is executed.
Further, the Shellcode injection module is also configured to:
gradually searching the position of the target PE file section table through a PE structure pointer;
aligning all the sections of the target PE file, and taking the part of each section outside the position of the actual data after alignment as the blank area;
determining a start address of the shellcode in the blank area according to the size of the shellcode;
the shellcode is injected into the blank area by a writing program.
Further, the PE file comprises a DOS part, a PE file header, a section table and a plurality of sections.
Further, the preset conditions include the running frequency of the PE file; the step of determining the target PE file according to the preset conditions comprises: when the running frequency of the PE file is greater than a preset threshold, determining the PE file as the target PE file.
Further, the shellcode is generated by the attacker tool Cobalt Strike.
The above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (6)
1. A method for implementing remote control of a host based on a PE file structure, the method comprising:
acquiring PE files of a Windows operating system, and determining target PE files according to preset conditions; the preset conditions include: the operating frequency of the PE file; the step of determining the target PE file according to the preset condition comprises the following steps: when the running frequency of the PE file is greater than a preset threshold value, determining the PE file as a target PE file;
searching a blank area of the target PE file, and injecting shellcode into the searched blank area; the specific process is as follows: gradually searching the position of the target PE file section table through a PE structure pointer;
aligning all the sections of the target PE file, and taking the part of each section outside the position of the actual data after alignment as the blank area;
determining a start address of the shellcode in the blank area according to the size of the shellcode;
injecting the shellcode into the blank area by a writing program;
taking the starting address of the shellcode as an entry point of the target PE file;
after the shellcode is executed, jumping to the original entry point of the PE file.
2. The method for implementing remote control of a host based on a PE file structure according to claim 1, wherein the PE file includes a DOS portion, a PE file header, a section table, and a plurality of sections.
3. The method for implementing remote control of a host based on a PE file structure according to claim 1, wherein the shellcode is generated by an attacker tool Cobalt Strike.
4. A device for implementing remote control of a host based on a PE file structure, the device comprising:
the target PE file acquisition module is used for acquiring PE files of the Windows operating system and determining the target PE files according to preset conditions; the preset conditions include: the operating frequency of the PE file; the step of determining the target PE file according to the preset condition comprises the following steps: when the running frequency of the PE file is greater than a preset threshold value, determining the PE file as a target PE file;
the Shellcode injection module is used for searching the blank area of the target PE file and injecting Shellcode into the searched blank area; the Shellcode injection module is also for:
gradually searching the position of the target PE file section table through a PE structure pointer;
aligning all the sections of the target PE file, and taking the part of each section outside the position of the actual data after alignment as the blank area;
determining a start address of the shellcode in the blank area according to the size of the shellcode;
injecting the shellcode into the blank area by a writing program;
the entry point acquisition module of the target PE file is used for taking the starting address of the shellcode as the entry point of the target PE file;
and the jump module is used for jumping to the original entry point of the PE file after the shellcode is executed.
5. The device for implementing remote control of a host based on a PE file structure according to claim 4, wherein the PE file includes a DOS portion, a PE file header, a section table, and a plurality of sections.
6. The device for implementing remote control of a host based on a PE file structure according to claim 4, wherein the shellcode is generated by an attacker tool Cobalt Strike.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110714351.9A CN113434863B (en) | 2021-06-25 | 2021-06-25 | Method and device for realizing remote control of host based on PE file structure |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110714351.9A CN113434863B (en) | 2021-06-25 | 2021-06-25 | Method and device for realizing remote control of host based on PE file structure |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113434863A | 2021-09-24 |
| CN113434863B | 2023-11-24 |
Family
ID=77754780
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110714351.9A Active CN113434863B (en) | 2021-06-25 | 2021-06-25 | Method and device for realizing remote control of host based on PE file structure |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113434863B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101504656A (en) * | 2009-03-26 | 2009-08-12 | 成都磐石软件有限责任公司 | Combined execution method for PE document code |
| CN102930005A (en) * | 2012-10-29 | 2013-02-13 | 北京奇虎科技有限公司 | Method and device for binding file in host file |
| CN102982073A (en) * | 2012-10-29 | 2013-03-20 | 北京奇虎科技有限公司 | Bundle method and device for file to host file |
| CN104077527A (en) * | 2014-06-20 | 2014-10-01 | 珠海市君天电子科技有限公司 | Method and device for generating virus detection machine and method and device for virus detection |
| CN109918912A (en) * | 2019-03-27 | 2019-06-21 | 深信服科技股份有限公司 | A kind of Ile repair method and relevant device for computer virus |
| CN111475229A (en) * | 2020-04-09 | 2020-07-31 | 广州锦行网络科技有限公司 | Dll injection method and system under Windows platform |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR100942795B1 (en) * | 2007-11-21 | 2010-02-18 | 한국전자통신연구원 | Malware detection device and method |
| KR101029112B1 (en) * | 2008-12-15 | 2011-04-13 | 한국전자통신연구원 | Determination method of execution compression of PE file and recording medium on which the determination program is recorded |
Non-Patent Citations (3)
| Title |
|---|
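| Research on an automatic construction method for Windows shellcode; Zhu Shuai; Luo Senlin; Ke Dongxiang; Netinfo Security (04); full text * |
| Research on computer virus prevention technology in the Windows environment and its detection design; Ci Qingyu; China Master's Theses Full-text Database; 2005-10-15; Vol. 2005 (No. 6); pp. 20-29 of the main text * |
| PEPatch, a solution for modifying PE files; Ji Qin et al.; Computer and Modernization; 2009-06-15 (No. 06); full text * |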
Also Published As
| Publication number | Publication date |
|---|---|
| CN113434863A (en) | 2021-09-24 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||