ch0pper

@ch0pper

Joined on May 4, 2018

  • Vulnerability ID: CVE-2020-0796. Summary: Researchers discovered a security vulnerability in SMBv3 (CVE-2020-0796). A remote attacker can send specially crafted requests to the SMBv3 service on the target system, or set up a malicious SMBv3 server and trick the victim into connecting to it, resulting in remote execution of arbitrary code. A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
  • Info. Challenge description: We discovered this tool in the E.T. toolkit which they used to encrypt and exfiltrate files from infected systems. Can you help us recover the files? Skills: static analysis of the EXE file; dynamic analysis to extract the DLL file; static analysis of the DLL file.
  • The challenge provides a PE file. The string displayed at runtime cannot be found in IDA's Strings window; one possibility is that the string is stored in the file in encrypted form. So when I run it under x32dbg, executing the program shows sub_402840. Examining this function reveals that it performs many debugger checks up front (isDebugger).
  • ![](https://i.imgur.com/it2vUXe.png =800x) CVE-2019-1181 & CVE-2019-1182. Lab virtual machine: Windows 10 Version 1809 for x64-based Systems. Download the update package according to Microsoft's update report for this vulnerability; for this version, fetch update 4511553. :link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181 This is a privilege escalation vulnerability. The vulnerability occurs mainly while data is being transmitted over the Dynamic Virtual Channels (DVC) of the Remote Desktop Protocol (RDP). The vulnerable code lives in the dynamic link library rdpbase.dll.
  • A technical survey of common and trending process injection techniques. Author: Ashkan Hosseini. Source: https://www.elastic.co/cn/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process Summary: Process injection is a widespread defense evasion technique employed often within malware and fileless adversary tradecraft, and entails running custom code within the address space of another process. Process injection improves stealth, and some techniques also achieve persistence. Although there are numerous process injection techniques, in this blog I present ten techniques seen in the wild that run malware code on behalf of another process. I additionally provide screenshots for many of these techniques to facilitate reverse engineering and malware analysis, assisting detection and defense against these common techniques. 1. CLASSIC DLL INJECTION VIA CREATEREMOTETHREAD AND LOADLIBRARY