A curated list of awesome materials powered by Radare2（逆向分析框架 Radare2）

c55K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6V1N6h3E0W2j5X3q4J5L8h3q4F1i4K6u0r3j5i4N6W2M7$3!0E0k6g2)9J5k6s2u0S2k6r3q4J5k6e0t1`.

Windows System Call Tables（Windows 系统调用表）

73eK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6B7x3o6m8J5N6g2)9J5c8Y4N6A6L8X3c8G2N6%4y4Q4x3X3c8K6P5i4y4U0j5h3I4D9M7H3`.`.

Lightweight hypervisor-based kernel protector（基于 Hypervisor 的内核保护）

e9bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6C8K9$3q4E0j5h3N6#2K9g2)9J5c8Y4y4Z5j5h3c8G2N6#2)9J5k6r3u0G2P5q4)9J5k6r3k6G2M7W2)9J5k6s2R3^5y4R3`.`.

BlackHat USA 2018 briefings（议题简述）

27bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2T1L8r3q4U0K9$3S2S2N6q4)9J5k6h3y4G2L8g2)9J5c8Y4g2K6i4K6u0V1x3e0S2Q4x3V1k6T1M7X3W2W2k6X3W2F1k6%4y4Q4x3X3g2Z5N6r3#2D9

KLEE Workshop 2018, slides（符号执行）

1d0K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6M7X3N6Q4x3X3g2V1L8$3y4Q4x3X3g2A6j5#2)9J5k6h3q4U0i4K6u0W2N6h3E0Q4x3V1k6C8L8r3g2W2x3e0S2Q4x3V1k6K6j5$3S2W2k6s2g2D9k6g2)9J5k6h3S2@1L8h3H3`.

Effective Memory Safety Mitigations, slides（内存破坏漏洞利用防护）

930K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6K6N6s2u0#2j5%4c8Q4x3V1k6J5k6i4y4W2j5i4u0U0K9q4)9J5c8X3u0D9L8$3u0Q4x3V1k6E0j5i4y4@1k6i4u0Q4x3V1k6q4k6X3k6W2j5%4c8A6N6X3g2Q4y4h3k6y4k6h3#2G2M7Y4W2Q4y4h3k6e0j5h3k6W2N6s2W2Q4y4h3k6y4K9i4c8A6k6$3q4@1K9h3!0F1M7#2)9J5k6i4m8V1k6R3`.`.

Proving un-exploitability of parsers, slides（非可利用解析器证明）

da8K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6V1L8$3y4K6i4K6u0W2k6$3!0G2k6$3I4W2i4K6u0W2j5$3!0E0i4K6u0r3M7s2u0W2M7$3g2F1N6r3q4@1K9h3!0F1i4K6u0r3k6q4)9J5c8U0q4a6c8r3y4*7g2p5A6F1j5h3A6W2M7p5I4Q4x3X3c8f1b7$3g2z5i4K6u0V1z5f1!0T1i4K6g2X3b7f1W2^5P5p5W2*7h3e0c8$3h3q4q4$3e0U0g2X3e0o6f1@1x3@1q4U0i4K6u0r3

Stories of a simple logic bug and where to find it, slides（与 PID 相关的安全问题）

d71K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6j5h3g2D9L8#2)9J5k6h3N6A6N6r3S2#2j5W2)9J5k6h3W2G2i4K6u0r3M7s2u0W2M7$3g2F1N6r3q4@1K9h3!0F1M7#2)9J5c8Y4N6S2M7X3y4G2L8U0p5^5i4K6g2X3k6r3!0F1N6q4)9#2k6Y4c8J5N6i4y4@1i4K6g2X3N6r3S2W2i4K6g2X3M7r3W2V1i4K6u0W2M7r3c8X3

Spurious #DB exceptions with the "MOV SS" and "POP SS" instructions（CVE-2018-8897 漏洞的 whitepaper）

9f5K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2@1M7X3W2H3L8r3g2X3j5i4g2D9N6q4)9J5k6h3W2G2i4K6u0r3x3U0l9I4z5q4)9J5c8U0l9#2i4K6u0r3M7%4m8#2M7X3W2G2N6i4y4Q4x3X3c8V1j5W2)9J5k6r3g2^5j5$3g2H3N6r3W2G2L8Y4y4Q4x3X3c8%4K9i4c8Z5i4K6u0V1M7r3!0H3i4K6u0V1M7%4y4Q4x3X3g2Z5N6r3#2D9

Analysis and mitigation of speculative store bypass（CVE-2018-3639 CPU 漏洞）

2e7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1L8r3!0Y4M7#2)9J5k6i4c8W2j5$3S2F1k6i4c8Q4x3X3g2E0K9h3y4J5L8%4y4G2k6Y4c8Q4x3X3g2U0L8$3#2Q4x3V1k6K6M7X3c8Q4x3V1j5J5x3o6p5^5i4K6u0r3x3o6g2Q4x3V1j5J5x3g2)9J5c8X3q4F1j5h3I4&6M7$3W2K6i4K6u0V1j5h3&6V1i4K6u0V1L8h3W2@1K9h3N6S2N6r3W2G2L8W2)9J5k6r3!0X3i4K6u0V1M7%4m8W2j5%4g2D9j5i4c8A6N6X3g2Q4x3X3c8K6N6r3!0J5k6g2)9J5k6r3u0&6M7r3q4K6M7#2)9J5k6r3y4$3k6g2)9J5k6o6t1H3x3e0S2Q4x3X3b7K6y4U0x3&6i4K6u0r3

Dell SupportAssist Driver - Local Privilege Escalation（Dell 驱动 LPE）

db1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3S2S2N6s2u0A6L8%4c8Q4x3X3g2Y4K9i4c8Z5N6h3u0Q4x3X3g2A6L8#2)9J5c8X3u0D9L8$3N6Q4x3V1j5J5x3o6p5^5i4K6u0r3x3o6g2Q4x3V1j5I4y4#2)9J5c8X3c8W2L8r3I4Q4x3X3c8K6N6i4m8H3L8%4u0@1j5i4y4K6K9i4y4@1i4K6u0V1L8r3!0U0j5h3I4Q4x3X3c8H3M7X3W2$3K9h3I4W2k6$3g2Q4x3X3c8W2M7$3y4S2L8r3q4@1K9h3!0F1i4K6u0r3

Malicious Intent using Adobe Acrobat's OCG setIntent（Acrobat CVE-2018-4910 RCE 漏洞）

ab1K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2*7k6i4u0G2k6r3q4&6K9h3&6A6N6r3W2S2N6r3W2$3k6g2)9J5k6h3y4G2L8g2)9J5c8X3u0D9L8$3N6Q4x3V1j5J5x3o6p5^5i4K6u0r3y4g2)9J5c8U0t1&6i4K6u0r3L8h3q4D9K9h3y4A6L8%4g2K6i4K6u0V1K9h3&6@1k6h3&6@1i4K6u0V1N6i4y4A6L8X3N6Q4x3X3c8S2k6r3!0T1k6g2)9J5k6r3q4U0M7X3!0T1j5i4c8K6i4K6u0V1L8$3y4Y4i4K6u0V1M7$3g2@1K9h3&6@1k6h3&6@1

Root cause analysis of the latest Internet Explorer zero day（IE CVE-2018-8174 UAF 漏洞原理）

902K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6k6h3y4#2M7X3g2D9K9i4y4@1i4K6u0W2j5$3!0E0i4K6u0r3M7X3!0G2N6q4)9J5k6r3y4S2N6i4y4W2i4K6u0V1j5h3&6S2L8s2W2K6K9i4y4Q4x3X3c8G2k6W2)9J5k6r3y4$3k6g2)9J5k6o6t1H3x3e0S2Q4x3X3b7^5x3e0M7@1i4K6u0r3z5o6f1@1z5o6k6Q4x3V1j5`.

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge（利用 JIT 绕过 Edge 保护措施）

5faK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4L8$3!0Y4L8r3g2H3M7X3!0B7k6h3y4@1P5X3g2J5L8#2)9J5k6h3u0D9L8$3N6K6M7r3!0@1i4K6u0W2j5$3!0E0i4K6u0r3x3U0l9I4z5q4)9J5c8U0l9#2i4K6u0r3j5Y4W2H3j5i4y4K6K9h3&6Y4i4K6u0V1L8h3W2@1K9h3N6S2N6r3W2G2L8Y4y4Q4x3X3c8T1P5g2)9J5k6r3q4@1N6r3q4U0K9$3W2F1k6#2)9J5k6r3A6A6N6q4)9J5k6h3S2@1L8h3H3`.

VMWare and Virtualization using Binary Translation（基于二进制转译的虚拟化）

355K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6j5h3k6W2M7Y4N6S2L8r3I4Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8r3!0Y4i4K6u0r3N6X3W2J5N6s2g2S2L8r3W2*7j5i4c8A6L8$3&6Q4x3X3c8A6L8Y4c8W2M7X3&6S2L8s2y4Q4x3X3c8H3j5i4u0@1i4K6u0V1x3W2)9J5k6s2k6E0N6$3q4J5k6g2)9J5k6r3q4F1k6q4)9J5k6s2k6A6M7Y4c8#2j5h3I4A6P5X3q4@1K9h3!0F1i4K6u0V1N6i4y4A6L8X3N6Q4x3X3c8T1K9h3&6S2M7Y4W2Q4x3X3c8@1M7X3q4F1M7$3I4S2N6r3W2G2L8R3`.`.

Hypervisor-Based Active Data Protection（基于 Hypervisor 的内核数据保护）

291K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6A6k6$3!0J5K9$3!0J5K9$3W2F1i4K6u0W2j5X3I4G2k6%4y4H3L8%4c8Q4x3X3g2U0L8$3#2Q4x3V1j5J5x3o6p5^5i4K6u0r3x3o6y4Q4x3V1k6Z5P5i4m8W2M7Y4k6A6M7$3!0J5i4K6u0V1j5X3q4K6k6h3c8Q4x3X3c8S2j5%4c8A6N6X3g2Q4x3X3c8V1j5i4c8S2i4K6u0V1M7s2u0G2N6r3g2U0N6r3W2G2L8W2)9J5k6h3S2@1L8h3H3`.

A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan（RIG EK 之 Grobios 木马）

71fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2X3K9i4u0W2k6i4W2W2i4K6u0W2j5$3!0E0i4K6u0r3j5X3I4G2k6#2)9J5c8Y4c8Z5M7X3g2S2N6q4)9J5k6s2u0W2M7$3g2S2M7X3y4Z5i4K6u0r3x3U0l9I4z5q4)9J5c8U0l9#2i4K6u0r3k6r3g2W2M7q4)9J5k6r3c8A6N6X3g2Q4x3X3c8A6L8Y4c8G2i4K6u0V1M7X3W2Y4i4K6u0V1k6i4S2H3L8r3!0A6N6q4)9J5k6r3E0A6N6q4)9J5k6r3c8W2L8r3W2$3k6i4u0A6L8X3N6Q4x3X3c8Y4M7X3!0T1K9h3!0K6i4K6u0V1N6s2u0G2K9X3q4F1i4K6u0W2K9s2c8E0L8l9`.`.

Enumerate the Windows System Call Tables using IDA Python（枚举 Windows 系统调用）

8abK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2*7k6i4u0G2k6r3q4&6K9h3&6A6N6r3W2S2N6r3W2$3k6g2)9J5k6h3y4G2L8g2)9J5c8X3u0D9L8$3N6Q4x3V1j5J5x3o6p5^5i4K6u0r3y4g2)9J5c8U0t1I4i4K6u0r3L8h3W2F1k6s2y4Z5j5i4u0W2i4K6u0V1N6$3q4D9K9$3W2F1k6#2)9J5k6s2c8Z5k6g2)9J5k6s2N6A6L8X3c8G2N6%4y4Q4x3X3c8C8k6i4u0F1k6h3I4Q4x3X3c8%4K9i4c8Z5i4K6u0V1K9h3c8S2i4K6u0V1M7s2W2@1K9r3!0F1

MDN documentation on the Fuzzing Interface for Firefox（Firefox 的 Fuzzing 接口）

a5cK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6V1k6i4k6W2L8r3!0H3k6i4u0Q4x3X3g2E0L8%4A6A6L8r3I4S2i4K6u0W2L8%4u0Y4i4K6u0r3k6h3&6Q4x3X3c8g2f1#2)9J5c8X3c8G2j5%4y4Q4x3V1k6y4L8%4A6A6L8r3I4S2i4K6u0r3g2r3g2K6N6r3W2F1k6#2)9J5c8V1k6#2P5Y4A6A6L8X3N6Q4y4h3k6u0L8Y4c8W2M7X3k6S2j5$3f1`.

Perform a DMA attack against a Windows 10 workstation（DMA 攻击）

93cK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2K6P5h3&6S2j5$3E0@1K9i4k6Q4x3X3g2U0L8$3#2Q4x3V1k6H3L8%4y4@1M7#2)9J5c8Y4m8W2L8Y4c8W2M7%4c8Q4x3V1k6H3M7X3q4U0N6r3W2U0j5h3I4Q4x3X3c8V1L8h3q4Q4x3X3c8S2N6s2c8S2j5$3E0Q4x3X3c8G2L8W2)9J5k6s2N6A6L8X3c8G2N6%4y4Q4x3X3b7I4x3q4)9J5k6h3S2@1L8h3H3`.

PS4 5.0x kernel exploit, slides（PS4 的 Hacking）

dbcK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3y4J5j5h3y4C8i4K6u0W2j5X3q4J5k6$3q4A6L8Y4y4Q4x3V1j5H3x3Y4t1H3i4K6u0W2M7r3c8X3

Practical Decompilation of Ethereum Smart Contracts（以太坊智能合约逆向）

186K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0D9L8$3N6Q4x3X3g2J5k6i4b7J5i4K6u0W2K9h3!0Q4x3V1j5J5x3o6p5^5i4K6u0r3x3o6g2Q4x3V1j5I4y4W2)9J5c8Y4m8J5j5h3y4@1K9h3y4S2L8q4)9J5k6r3g2@1K9q4)9J5k6r3c8W2j5$3!0E0M7r3W2D9j5i4c8A6L8$3&6Q4x3V1j5`.

Software Security: Principles, Policies, and Protection（一本软件安全的书）

9e2K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2F1k6h3u0W2L8s2N6W2L8s2c8Q4x3X3g2F1k6i4c8Q4x3V1k6e0f1K6y4b7i4K6u0r3

[培训]科锐逆向工程师培训第53期2025年7月8日开班！