2024Windows安全工具手册.docx

WindOWS安全工具锦集PE工具%PEiDPEiD是一款著名的PE侦壳工具，可以检测PE常见的一些壳，但是目前已经无法从官网获得：iPEiDv.95File:Q檄EXEInfoPE这是一个PE侦壳工具,PEiD的加强版，可以查看EXE/D1.1.文件编译器信息、是否加壳、入口点地址、输出表/输入表等等PE信息：Diagnose*1.amerInfb-HdpHint-Unpackinfo一，Scan/tExeinfoPE-ver.0.0.5.6by-1044+78sign2019.04.10-×File:EntryPoin=ileOffcet.inkerInfice,J,:I口<EPSection:FirstBytes:t：|I：I_IizzJPlUg会>：IjSubsystemPEFieSize:Overlay:下载地址：http:/www.exeinfo.xn.pl/与DetectItEasyDetectItEaSy是开源的PE侦壳工具，支持跨平台使用,有WindoWs、1.inux.MacOS多个可用版本：,M3etectItEasy1.01Filename:.ScanScriptsPlugins1.ogBOptionsAboutMiiiiiiiiiiiiiIiiBaoiOMD%深信服千里目安鳏室。CFFExplorer一款优秀的PE32&PE64编辑工具，使用CFFEXPlorer查看和编辑PE文件是极其方便的，并且它完全支持.NET文件格式：3CFFExplorerVlllIuciodallaCFileSettings?陵40IscografiacompleteIuciodalla-dtcografiacom-××PropertyValueIPIetdFileNameFileTypeC:Users30537AppData1.ocalTempBNZ.5d882d4d146ab32.1)DosHeader国NtHeaders1国RteHeaderMSiJOptionalHeader'UDataDIreCtofleS卜JSectionHeaders国uJExportDirectory口ImportDrecto<y昌ResourceDirectory口DebugDirectory'zAddressConverter*bDependencyWdker一HexQftor-Idertifier,.ImPOftAdderAzQuckDisassemblerRetxiilderResourceEdNor->UPXUtilHyPortableExecutable32FileInfoMicrosoftVisualC+8FileSize6.25MB(6549824bytes)PESize207KB(211968bytes)CreatedMonday12August2019,16.04.29ModifiedMonday05August2019,19.49.21AccessedMonday23September2019,10.26.26MD5D6D388E0883F8CFEA196BA1C8FB32043SHA-1EC69A9B5D7DA3085C2BBC852BA590F64757EDEBFPropertyValueEmptyNoadditionalinfoavailable深信服千里目安全实验室檄StudyPEStUdyPE是一个PE32&PE64查看分析集成工具，具有强大的PE结构处理分析功能，但其查壳方面的功能略显薄弱：.StudyPE+(×86)1.09beta0>Iudodalla-discografiacompleta.exe调试/反编译工具。OIIyDbgRing3级调试器，支持插件扩展功能，唯一不足的是OD是一个32位调试器，不支持调试64位程序。官方给出的原版程序是无插件的，有需要的童鞋可以在吾爱破解论坛自行搜索：jfOlIyDbg-Iuciodalla-discografiacompleta.exe-CPU-mainthread,moduleIUCiO_dICFileViewDebugOptionsWindowHelp-TfilX同UX上IjlIUil到/四里I9j因回回;旦I三U0041D98B$E885630008CA1.1.Iucioda.0423D15RPOiGtQrG(FPlB41D99000410995.E978FEFFFFS8BFFJMPlucio.da.041D80DMOUEDUEDIECX7621116200000000kerel32.Bas041D9970041D998.55.8BECPUSHEBPMOUEBP,ESPEDXEBX041D98B7FFDE00012FF8C012FF94lucio_da.<Mo0041D99O0041D99B.56.8D4508PUSHESI1.EflEOXrDWORDPTRSS:CEBP+8ESPFRP041D99E.50PUSHEOXArglE041D99F8BF1MOUESUECXEllI00000000041D9A1.E882FCFFFFCO1.1.Iucioda.41D6281.lucio_d0041D9A6.C70638B2420MOUDWORDPTRDS:CESI,Iucioda.042B23:EIP041D98Blucio-da.<Mc041D9AC41D9fiE041D9AF041D9B0041D9B33BC6.SE50I.C20400.C7138B2420MOUEQXrESIPOPESIPOPEBPRETN4MOUDWORDPTRDSxCECXlr1.ucio_da.42B23?7介ZAPCQl019ES0023CS01BSS0023DS02332bit0(FFFF32bit0(FFFF32bit(FFFF32bit0(FFFF32bit7FFDFNU1.1.041D9B9.E937FDFFFFJMPIucioda.41D6F5T0D00GS00041D9BE8BFFMOUEDI,EDI0041D9C041D9C1.55.8BECPUSHEBPMOUEBPrESP1.astErrERRCIR_SUCCES041D9C3.56PUSHESIEF1.00000246(NO,NB,E,BE,0041D9C4041D9C6.8BF1.C70638B2420HoUESIECXMOUDWORDPTRDSstESIJ,1.ucio.da.0042B23C<I1_1_AAA4C/1.1.STSTlenpty0.0enpty0.000423D15=lucida.00423D15ST2empty0.0ST3enty.0SI4enpty0.STSenpty.0AddressHedumpASCIIG»12FF8H762111747FFDE000012FFD47737B3F57FFDE007775B4BD00000000000000007FFDE00yy00000000000000000000临唐黎RETURNtokwRETURNtont043000004300800430010043018004302004300280043005O04303801143C411004300480U4300SU04300580B24202E3F41575F45584968Q6420076933F4380917E25Al2C12El00F2CO4F68R6420。292945454629292901111050003452415254440DD0E8917CZD032B074IF8A09COC8815FFFFFFFF06464646094646462929290146464645.7AW4RAR_EXlTh.?V?CW2?J"Nt逐."0h.÷FFF)EE.FFFF)<ktFFFEuu<r-r>u0012FF94012FF988012FF9C012FFfi0012FFfl40012FFA812FFRC0012FFB012FFB4012FFB8Analysinglucio_da:800heuristicalprocedures,519callstoknown,525callstoguessedfunctionsPaused强WinDbg支持WindoWS平台,用户态和内核态的调试器，有图形界面和命令行两种调试方式。其强大的内核调试功能收获了众多的追捧者：FileEditViewDebugWindowHelpI瞄即国党蕤加科干介IM(DE)R回口比国口口因其)拨IAA圜Xommand*1* Syabolloadingmaybeunreliablewithoutasymbolsearchpath* Use.symfitohavethedebuggerchooseasymbolpath.* Aftersettingyoursymbolpathzuse.reloadtorefreshsymbolIoc*3ExecutablesearchMod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:0040000077320000761c000075510000740900007633000077500000757d0000774f00007594000075770000758a0000766d000076580000759e00007662000075b50000762a0000pathis:004570007745c000762940007555a0007422e000763dc0007754e00075899000774fa000759dd000757c70007591b0007731900076620000759f9000766cl00075cac0007632f000(794.ec4):BreakinstructionUINRAR.SFXntdll.dllC:Vndowssystem32kernel32,dllC:Undowssystem32KERHE1.BASE.dllC:WndowsWinSxS86_microsoft.WindOiC:Windows×system32msvert.dllC:Windowssystem32×GDI32.dllC:Uindowssystem32MJSER32,dllC:Windowssystem321.PKdllC:Wmdowssystem32USP10dllC:Windowssystem32SH1.VAPI.dllC:Windows×system32×COMD1.G32.dllC:7JindOWS'system32'SHE1.1.32.dllC:Windowssystem32ADVAPI32.dllC:WindowsSYSTEM32sechost.dllC:Undowssystem32RPCRT4,dllC:Wndowssystem32ole32.dllC:Wmdowssystem32O1.EAUT32.dllexception-code80000003(firstchanteax=00000000ebx=00000000ecx=0012fb0cedx=773664f4esi=fffffffeeceip=773be60eesp=0012fb28ebp=0012fb54iopl=0cs001bss=0023ds0023es=0023fs003bgsaOOOOnvupeiplzei*»»ERROR:Sy三bolfilecouldnotbefoundDefaultedtoexportSylntdll!1.drVerifyIWageMatchesChecksuM+0x633:773be60eccintr*BUSY*IMemoryRegistersVirtual:$scopeipDisplayformatByte773be60e773be611773be614773be617773b61a773be61d773be620773be623773be626773be629773be62c773be62f773be632773be635773be638773be63bccfC33c3©8fcffd6ff909055838002OO89ebc8bc7feff85c3908b8bec3dfe74Next75Oe4036545e8fa9090ffecU10ec7f11IiIPreVioUSA当桀歌鼾邕目2全实验空1.nO,ColOSys0:<1.ocal>Proc000:794Thrd00ftec4ASMCVRCAPSNUMx32dbgx64dbg一款开源的调试器，在界面和操作的使用上和OD相似，支持32位和64位应用程序的调试。这款调试器解决了OD对64位应用程序调试上的缺陷：彩32dbg-文件:ShareFOlderMOnitOr.exe-PID:45D4-槿块:ntdll.dll-主线程61CX文件(F)视图调试插件收藏夹选项都助（三）Mtr292017aQIMf三二嗣U+四圜<13夕程承“q|加8尊喜亳图*筋牖CPU流程图日志工笔记断点日内存布局口调用雄桂,SE啕出脚本闽符号。源代码串J3B-÷7731F1497731F1487731F14C7731F14O>7731F1507731F1577731F15C7731F15D7731F1637731F1657731F16B7731F1717731F173r7731F1767731F1781.-X7731F17D7731F17F7731F1807731F1827731F1837731F1S57731F18S773IFlSE7731F193771P1Qq<H蕤海萎执行ntdll.7731F15O.text：7731F14711tdll3O3B7834399884833BSB3113Q34C8CEC63888373C85888A3AEDFF8C2EFSSSD64«344OF19OO885EOAca00409CQ7，67C19O38034F76>FC4CO44FEEEGCAjmpntdll.7731FlSOxoreax,eax1nceaxretmovesp,dwordptrss:ebp-订movdwordptrssxtebp-4j,=-=,FFEcallntdll.772F43C9retmoveax,dwordptr:30xorecx,ecxmovdwordptrd：.：77391G441,ecxmovdwordptri：:7739164j,ecxmovbyteptrds:ea×,clCmPbyteptrds:eax+2,cljentd11.7731F17Dcallntd11.7731FllBxoreax,eaxret11>vedi,edipushebpmovebp,espandSp,FFFFFFF8subes,i70moveax,dwordptrds:77396360xoreax,espmcHvunrdnrruvMvc+ldavEAXooooooEBXOOeECOOOECXE8A3OOOOEDX000000EBP008FF4C8ESP008FF49CESI00991C00EDI772837EC"1.drplnitializeProcEIP773IFI47ntdll.7731F147EF1.AGf00000246ZF1PF1AFOOFOSFODFOCFOTFOIF11.astErroroooooooz(ERROR_FI1.E_NOT_FOUACcc,auvnnc5量认GtdCaID；5，口解锁1：esp+4772837EC"1.drpinitializePro(.dll：SAF147*AE547esp+8100991C00es+c006EC000esp+ooooooooesp+148FF49C也内存1内存2008FF49C培址十六送利77271000就.。口“38QO7727101028OO2AOO77271020IEOO20OO7727103018OOIAOO7727104030OO32OO7727105020OO22OO7727106010OO12OO77271070OEOO10OO08C327D8ZQ.77ICOOIEOO70C427776.S.三A,W.pA7734OO36OOOCC42777(.*.DA,W4.6.AIAOOICOODOCa2777.A,w.DA7720OO22OO90C32777.A'w.".A772COO2EOO2CC327770.2.A'w,.A7718OOIAOOECC22777.,.A,w.1A77OOOO02OO90SD277.0,w77OCOOOEOO10822777ASCIIECCa27B4C32一003FF4A0008FF4A4008FF4A8008FF4AC008FF4B0008FF4B4008FF4BS008FF4BC008FF4C0008FF4C408345596772837EC00991C00006EC000000000018FF49C008FF4C4008FF714772E86D07F8C364600000000',1.drplnitializeProcess',至WSEHJaCordE1.的雷针ntd11.772E86D0命令:深信月密售西歹至为¾三>1己蓍停已到达系统断点!已温冗时间：0：00仞：06。dnSpy一款针对.NET程序的开源逆向程序的工具。具包含了反汇编器，调试器和汇编编辑器等功能组件，支持插件功能：9Mi89Vndf*"hb(4000)> 0Sn<»K000)> 。Srat三Core(4000)> °SEUl(4000)»(95尸9X3(4000)> tfVa4MB«OOO)> 0r=M3”r(OOO)> 0FretealatiMJttfkowk(40.0O)> 0teMlGOOO)> MbOOOO)> dPs>76os0),深信服千里目安全实验室。IDAPro该软件名全称：InteractiveDisassemblerProfessional,交互式反汇编器专业版，它是目前最棒的静态反编译工具，是众多安全人士的首选：IDA-ShareFolderMorutor.exeC:Users3053AOesktopShareFolderMonitor.exefileEditIUrnPSearchyiewDebuggerQptionsWindowsHelp*H»*i侬口区，、：,蜀。"木曲后J卡硒X1.ooJVindo«dobyr屹冷圄t*,'1.ibraryfunctionRegular£wmetionInstructionDataUn«xplor«dExtamftlsymbol7FunctionsVindOV,×啕IDAVi«v"AQ回HeXVie*-l同Stmctur"EnxmzImportsZxports-FunctionnameqjJtlVnind7jSZH.epilogiJj_SD1.epiloffi-GSfjSD1.prolog47jSZH_prolo®4_(Sfjj-j-,null三ub2fjnull三ublTfj-nullsub_2fj-nullsub_3fj-nullsub_4fj-nullxub6fjnull三ub6fnullsub.te×t:e431762A.text:06431762.text:06431762;Attributes:thunk.text:06431762.text:00431762publicstart.te×tze431762startprocnear.text:06431762jmpstart.text:00431762startend.text:06431762.tcxt：ee431767.text:06431767.text:00431767;=：.-:thunk.text:06431767.text:06431767sub431767procnear;COOEXREF:sub-467143+2F4pfnullsubJ?fnullsub_3fnull三ub-4/XUlllMUb_6,7nnllsub-6DStMt1SttrjOWzub-431019W三ub-43101E1三ub.431O28Jsub.431O3?Wsub_43lO41Wsub_43lO55N三ub-43106Al三ub.431064J三ub.431069R4431062v<>.text:431767sub-431767endp.text:60431767.textJ643176C;.textie43176CjnpIoc4434EC.text:00431771；.text:06431771j“loc491376.text:6431776;.text:96431776jmploc_46AG«.tcxt;43177B.text:80431770UBROUTIHE.textz43177B.textz43177B;Attributes：thunktext:00431778.text:06431770sub-43177Bprocnear;COOEXREF:sub45139B÷08p.textz43177Bj”sub45SEE3.text:043177Bsub.43177Bendptext:00431778.texte043178;.text:00431780jploc448154*k1.ine38of293200000B620000000000431762:start(SynchronizedwithHexView-IjvmOutputwindow×I器逐;也曳然WMdOW二Ok混号筋异星且安全实验雪二MidleDOVnDisk:5网&VBDecompilerVBDeComPiIer是针对ViSUalBasic5.0/6.0开发的程序反编译器：mVBDecompilerv112-RegisteredtoDotFixSoftware福案IR插件茶助槽案名：D:ProgramPictureVIEWER_PCode.exeSobtJone×pkxefP-CodeI3程序分析器和微化器vProjectV OFormsQMain0RssswordOSearchV OUsefControIsPictureVieverif11o0cv(SlCodeVMain夕PictureVievef1.UnknownE'夕PicwreViever1.UnknownE'fForm.1.oad.412160/Form_Activate_411568夕Form.KeyPress_413EE8VOAlphablendQAlphablendirg_412BF4令Pro<,1.1.410FKvnClsASMpic PictureBox_41274C AlltoDraVV_410784令AutoDraw_40F5l8 DrawNow_40FBF8 AsM_ROtate_412358 ASM.PaEffects_4113E4令ASM_PiXeIEffeCtS_413614 ASM.IrrementalPalEffect ASM,CoorXEffects_41336QAqMMaCnifV411F反编法等反藁福十六掷帆IiS器PrivateSubFor11-1.oad()'412160,DataTable:402D6CDimvar_D0AsVariantDimvarBOAsVariantloc_411FD8:IOC二411FFO:1。C二41200E：1。C二41201F:IoC二412047:IOC二41204B:1。C二412089:loc41209A:1。C二4120A6:loc4120BC:IoC二4120C2:IOC二412OEC:IOC二4120FD：loc312106:1O<41211D:loc_412122:IoC二41214A:loc41215E:IoC二41215F:EndSubOnErrorRsumNxtPassword.Show1,var_B0VaJCO=CVar(GetSetting("PictureVIEWER","Path","Count",VbNullString)IfCBool(var_C0<>VbNullString)Thenvar_BO=CVar(CByt(Val(CStr(var_C0)Forvar114=1TovarBO:varE4=var'Byte114tVariantvar_124=CVar(GetSetting("PictureVIEWER","Path",CStr(CVar("Path"Svar_D0(Vajl240pnCStr(var_D0)Gt1,1,Var二8EClose1Me.Collection.Add÷"SHS.ShackS")ForBinaryAs11.nHSHFFNextVaJlI4,VariantElseSearch.Show1,var_B0EndZfMe.Filel.PathCStr(Me.Collection.Item(1)ExitSubErrorvar_124,ChrS(C1.ng(var_8E),var_D0,var_134匕深信服千里目安全工验M反里为完成应急工具1.B志相关缴SysmonWindowsSySinternaIS出品的一款SySintemaIS系列中的工具。它以系统服务和设备驱动程序的方法安装在系统上，并保持常驻性。用来监褥口记录系统活动，并记录到WindC)WS事件日志，可以提供有关进程创建，网络链接和文件创建时间更改的详细信息：文件(F)撮作（八）查看(V)乐助（三）*，1力困；团雇>；Shell-Connecte(>>口Shell-Core>iSheIlCommon->J3SmartCard-Auc>SmartCard-D>一SmartCard-TPh>SmartScreen>口SMBCIient>SMBDirect>一SMBServer>SMBWitnessCli>一StateRepositor>StickyNotes>.Storage-Tierin<>StorageManag>一StorageSpaces>jStorageSpaces>StorageSpaces>iStorDiag>:Store>1.StorPortV口SysmonIjOperationa>,SystemSettings>TaskScheduIer>刀TCPIP>一TerminalServic*>:TerminalServia>一TerminalServiav>日Smh闻颊Wt：ID589A信息2019/9/2014:52:56Sysmon3Network.信息2019/9/2014:52:56Sysmon3Network.信息2019/9/2014:52:52Sysmon3Network.信息2019/9/2014:52:52Sysmon3Network.信息2019/9/2014:52:51Sysmon3Network.信息2019/9/2014:52:50Sysmon3Network.信息2019/9/2014:52:50Svsmon3Network.v事件3»Sysmon×常现详细信息Networkconnectiondetected:RuIeName:UtcTime:2019-09-2006:52:54.671ProcessGuid:98O7be6e-f355-5d82-O(XX)-1OObO200)Processld:2692日志名称(M):Microsoft-Windows-SysmonZOperationaI褓：Sysmon记录时间(D)：2019/9/201452:56事件D(E):3任务类别(Y)：NetworkconnectiondetecSlSlI(1.):信息关簿字(K)：用户(U):SYSTEM计算机(R)：DESKTOP-IHB1.MC7操作代码(0):信息更多信息：事件日志联机精助Operational打开保存的日志T创建自定义视图导入自定义视同.清除日志Y筋选当前日志.国展性祟用日志典直找.N将所有事件另存为将任部初0到此日志.且鬲新Q辞助事件3,Sysmon,Etl事件雇性回将任务附加到此事件.j宸制U朝蹒李他.向刷新密助Q房信朋千翠目安全工验空-1.astActivityView这是一款电脑操作记录查看器，直接调用系统日志，显示安装软件、系统启动、关机、网络连接、执行exe的发生时间和路径：FileEditViewOptionsHelp.2,C2-WActionTimeDescriptionFilenameFullPathMoreInformationFileExtensionZ)2019/9/209:42.Run.EXEfileconsentexeC:WindowsSystem32consentexeMicrosoftCorporatio.exeO2019/9/209:42.Run.EXEfileBandizip.exeC:PROGRAMR1.ESBandizipBandizip.Bandisoftcom,BandiZe×e02019/9/209:42.