Note: this list is supplemented and updated from time to time :P (last update: 2017.10.17)
0x00 Introduction
The Internet is highly developed today and learning material is everywhere online; if you take the trouble to use these resources well, they will do a great deal for your technical growth. Too often we see only the halo around the top researchers and forget the effort those who came before us put in.
0x01 Fundamentals
In short, "computer fundamentals" plus "binary reverse engineering". Material on both is listed below:
0 Security conferences, mainly the slides and papers. Collated indexes of each conference's material exist, but it is best to check the conference's official website directly
1 Computer science courses
2 Awesome Hacking collections
3 IT Security Catalog
4 Security Research from the MSRC
5 Blog
[two blog links; the URLs are obfuscated by the forum and not recoverable here]
In fact the links above already hold a wealth of knowledge, and combined with the highlighted threads on this forum they make for convenient study. Beyond that, follow the Twitter accounts and blogs of well-known security researchers at home and abroad.
One point deserves special emphasis: while learning, you must get hands-on practice.
0x02 Browser vulnerabilities
The Pwn2Own contest has been a major driver of browser vulnerability research, and more and more analysts have joined the exploitation research on Internet Explorer, Microsoft Edge, Google Chrome, Firefox and Safari. The criminal underground is another driver, most commonly using these bugs for drive-by downloads planted on web pages. Some learning material on the topic:
0 Browser security white papers
X41 Browser Security White Paper
Cure53 Browser Security White Paper
1 Conference slides and papers
The Origin Of Array Symbol Species Slides
Shell On Earth From Browser To System Compromise Slides
Shell On Earth From Browser To System Compromise White Paper
Understanding The Attack Surface And Attack Resilience Of Project Spartans New EdgeHTML Rendering Engine Slides
Understanding The Attack Surface And Attack Resilience Of Project Spartans New EdgeHTML Rendering Engine White Paper
Thinking Outside The Sandbox Violating Trust Boundaries In Uncommon Ways Slides
Thinking Outside The Sandbox Violating Trust Boundaries In Uncommon Ways White Paper
WebKit Everywhere Secure Or Not Slides
WebKit Everywhere Secure Or Not White Paper
Digging for Sandbox Escapes Finding sandbox breakouts in Internet Explorer Slides
2 Blog
SkyLined, focus on browser security
0x03 Document vulnerabilities
Document vulnerabilities here means bugs in Office documents (including RTF) and PDF files. They are used mainly for phishing, play an important role in APT campaigns, have been a closely watched research direction in recent years, and are also favoured by exploit kits. Some related learning material:
0 Research reports on document-based attacks
1 Slides
Attacking Interoperability: An OLE Edition
Analysis of the Attack Surface of Microsoft Office from a User's Perspective
Moniker Magic: Running Scripts Directly in Microsoft Office
VBA Macros Pest Control
Next Gen Office Malware
2 Blog
[two blog links; the URLs are obfuscated by the forum and not recoverable here]
3 Analysis cheat sheet
4 Analysis articles
Building an Office exploit (EXP) step by step - CVE-2012-0158
Building an Office exploit (EXP) step by step - CVE-2013-3906
Building an Office exploit (EXP) step by step - CVE-2014-1761
Building an Office exploit (EXP) step by step - CVE-2015-1641
CVE-2015-1641 Word exploit sample analysis
CVE-2015-2545 Word exploit sample analysis
An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability
CVE-2017-8570: "Bypassing" Microsoft's Patch for CVE-2017-0199
Analysis and exploitation of CVE-2017-8759 along with further refinements
0x04 Kernel vulnerabilities
Kernel exploitation has been on the rise in recent years, most likely in response to the security hardening of popular applications such as Internet Explorer, Google Chrome and Adobe Reader. Most of them now run their content-handling code in a sandbox, so a bug in the application alone only yields code execution inside the sandboxed process; a second bug, typically a kernel elevation-of-privilege bug, is needed to escape the sandbox and take control of the system. Some learning material on the topic:
0 Conference slides
Taking Windows 10 Kernel Exploitation To The Next Level - Leveraging Write What Where Vulnerabilities In Creators Update
I know where your page lives: Derandomizing the latest Windows 10 Kernel
LPE exploits on Windows 10 with allowances to the latest security updates
Abusing GDI for ring0 exploit primitives
The State of Kernel-Mode RCE Defense
Kernel Exploit Hunting and Mitigation
Advanced Heap Manipulation in Windows 8
1 EoP (elevation of privilege) resources
Token Privilege Research
windows-kernel-exploits: a collection of Windows privilege-escalation exploits
Linux kernel and its insides
linux-kernel-exploits: a collection of Linux privilege-escalation exploits
2 Blog
Windows Internals, Thoughts on Security, and Reverse Engineering
Coding, reverse engineering, OS internals covered one more time
General reverse engineering, security research, Windows internals, and system architecture
Reverse Engineering, Security Research, Windows Kernel
3 Paper
Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities
0x05 Fuzzing
Fuzzing is an automated or semi-automated software-testing technique that feeds invalid, unexpected or random data to the target as test cases; today it is used mostly for vulnerability discovery. By how the test cases are produced it is commonly divided into mutation-based ("dumb") fuzzing, which randomly alters existing sample inputs; generation-based ("smart") fuzzing, which builds inputs from a model of the file format or protocol; and evolutionary fuzzing, which uses feedback from the target, most often code coverage, to decide which inputs are worth mutating further (AFL and libFuzzer are the best-known examples). Learning material on the topic:
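To make the three families concrete, here is an added example (not from the original post or any of the tools it lists) that runs each of them against a tiny record parser with a planted bug. The record format, the parser, the bug (it trusts the length field in the header when copying into a fixed-size buffer) and the seed inputs are all constructed for illustration; the coverage feedback is simulated with a set of basic-block ids, the way an instrumented binary reports edges to an AFL-style fuzzer.

```python
"""Toy fuzzing harness: mutation-based, generation-based and coverage-guided
(evolutionary) fuzzing against a small record parser with a planted bug.
Added example; format, parser, bug and seeds are constructed for illustration."""
import random

MAX_PAYLOAD = 8  # size of the fixed "stack buffer" the parser copies the payload into


class SimulatedMemoryCorruption(Exception):
    """Stands in for the crash (e.g. stack overflow) a real native target would show."""


def parse_record(data: bytes, cov=None):
    """Parse one record: b'R' | type(1) | name_len(1) | name | [payload_len(1) | payload].

    type 0 = text record, type 1 = blob record.  `cov`, if given, collects ids of the
    basic blocks reached, which is the feedback a coverage-guided fuzzer consumes.
    """
    def hit(block):
        if cov is not None:
            cov.add(block)

    hit("entry")
    if len(data) < 3 or data[0:1] != b"R":
        hit("bad_magic")
        return None
    rtype, name_len = data[1], data[2]
    name = data[3:3 + name_len]
    if len(name) != name_len:
        hit("truncated_name")
        return None
    if rtype == 0:
        hit("text")
        return {"type": "text", "name": name.decode("latin-1")}
    if rtype == 1:
        hit("blob")
        rest = data[3 + name_len:]
        if not rest:
            hit("blob_no_len")
            return None
        payload_len = rest[0]
        buf = bytearray(MAX_PAYLOAD)
        hit("blob_copy")
        for i in range(payload_len):  # BUG: trusts the header's length field and never
            if i >= len(buf):         # checks it against the buffer; in C this is a write
                raise SimulatedMemoryCorruption(f"payload_len={payload_len} > {MAX_PAYLOAD}")
            buf[i] = rest[1 + i] if 1 + i < len(rest) else 0
        return {"type": "blob", "name": name.decode("latin-1"), "payload": bytes(buf[:payload_len])}
    hit("unknown_type")
    return None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Dumb mutation: 1-3 random bit flips, byte overwrites, insertions or deletions."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 2:
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == 3 and len(buf) > 1:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def generate_record(rng: random.Random) -> bytes:
    """Smart generation from the format spec: always well-formed, payload <= MAX_PAYLOAD."""
    rtype = rng.randrange(2)
    name = bytes(rng.randrange(0x61, 0x7B) for _ in range(rng.randint(1, 12)))
    rec = b"R" + bytes([rtype, len(name)]) + name
    if rtype == 1:
        payload = bytes(rng.randrange(256) for _ in range(rng.randint(0, MAX_PAYLOAD)))
        rec += bytes([len(payload)]) + payload
    return rec


def run_target(data: bytes, cov: set) -> bool:
    """Execute the target once; True means it 'crashed'."""
    try:
        parse_record(data, cov)
        return False
    except SimulatedMemoryCorruption:
        return True


SEEDS = [b"R\x00\x05hello", b"R\x01\x05hello\x03xyz"]  # constructed seed corpus


def mutation_fuzz(seeds, iters=2000, seed=1):
    """Dumb fuzzing: mutate a random seed each round, return the first crashing input."""
    rng = random.Random(seed)
    for _ in range(iters):
        cand = mutate(rng.choice(seeds), rng)
        if run_target(cand, set()):
            return cand
    return None


def generation_fuzz(iters=2000, seed=1):
    """Smart fuzzing: inputs come from the spec, so they never leave what the spec allows."""
    rng = random.Random(seed)
    for _ in range(iters):
        cand = generate_record(rng)
        if run_target(cand, set()):
            return cand
    return None


def coverage_guided_fuzz(seeds, iters=2000, seed=1):
    """Evolutionary fuzzing: keep every mutant that reaches a new block, keep going after crashes."""
    rng = random.Random(seed)
    corpus, seen, crashes = list(seeds), set(), []
    for s in corpus:
        run_target(s, seen)
    for _ in range(iters):
        cov = set()
        cand = mutate(rng.choice(corpus), rng)
        if run_target(cand, cov):
            crashes.append(cand)
        elif not cov <= seen:  # new coverage: this input is "interesting", add it to the corpus
            seen |= cov
            corpus.append(cand)
    return crashes, corpus, seen


if __name__ == "__main__":
    print("mutation  :", mutation_fuzz(SEEDS))
    print("generation:", generation_fuzz())
    crashes, corpus, seen = coverage_guided_fuzz(SEEDS)
    print(f"coverage  : {len(crashes)} crashes, corpus={len(corpus)}, blocks={sorted(seen)}")
```

The generation-based loop never finds the bug because its model of the format caps the payload at `MAX_PAYLOAD`; a spec-driven generator only reaches what its model allows, which is why real smart fuzzers deliberately emit boundary and out-of-range values for length fields. The mutation loop finds it by blindly corrupting the length byte. The coverage-guided loop finds it the same way but also ends up with a corpus covering the `bad_magic`, `truncated_name`, `blob_no_len` and `unknown_type` blocks the seeds never touched, which is the property that lets AFL-style fuzzers work their way into deeper code in a real target.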
0 Fuzzing Resources
Awesome Fuzzing Resources
1 Conference slides
Harnessing Intel Processor Trace on Windows for fuzzing and dynamic analysis
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking
Effective file format fuzzing - Thoughts, techniques and results
Automated Testing of Crypto Software Using Differential Fuzzing
Evolutionary Kernel Fuzzing
Dig Into The Attack Surface of PDF and Gain 100+ CVEs in 1 Year
2 Paper
kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
VUzzer: Application-aware Evolutionary Fuzzing
3 Related articles
The Great DOM Fuzz-off of 2017
Fuzzing the MSXML6 library with WinAFL
Fuzzing mimikatz with WinAFL&Heatmaps
An informative guide on using AFL and libFuzzer
A guide to fuzzing OpenSSH using AFL
4 Symbolic execution
A Survey of Symbolic Execution Techniques
Quick introduction into SAT/SMT solvers and symbolic execution
History of symbolic execution
5 Instrumentation
DynamoRIO - Dynamic Instrumentation Tool Platform
Valgrind - an instrumentation framework for building dynamic analysis tools
Pin - A Dynamic Binary Instrumentation Tool