mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
fix
This commit is contained in:
parent
a18cdcf1bf
commit
4aa53ac3bf
@ -223,7 +223,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis](doc/8.25_angr.md)
|
||||
* [8.26 Driller: Augmenting Fuzzing Through Selective Symbolic Execution](doc/8.26_driller.md)
|
||||
* [8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](doc/8.27_firmalice.md)
|
||||
* [8.28 Cross-Architecture Bug Search in Binary Executables](doc/8.28_cross_arch_bug_search.md)
|
||||
* [8.28 Cross-Architecture Bug Search in Binary Executables](doc/8.28_cross_arch_bug.md)
|
||||
* [8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data](doc/8.29_dynamic_hooks.md)
|
||||
* [8.30 Preventing brute force attacks against stack canary protection on networking servers](doc/8.30_prevent_brute_force_canary.md)
|
||||
* [8.31 WYSINWYX What You See Is Not What You eXecute](doc/8.31_wysinwyx.md)
|
||||
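Review bot: any remaining reference to doc/8.28_cross_arch_bug_search.md that this commit does not update will dangle, because the old file is deleted further down in the same change; the retargeted entry here (doc/8.28_cross_arch_bug.md) matches the name of the file created below, so the README side itself is consistent, and the entry title is unchanged.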
@ -239,6 +239,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
||||
* [8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time](doc/8.41_intpatch.md)
|
||||
* [8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software](doc/8.42_taintcheck.md)
|
||||
* [8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation](doc/8.43_dta++.md)
|
||||
* [8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics](doc/8.44_multiverse.md)
|
||||
* [九、附录](doc/9_appendix.md)
|
||||
* [9.1 更多 Linux 工具](doc/9.1_Linuxtools.md)
|
||||
* [9.2 更多 Windows 工具](doc/9.2_wintools.md)
|
||||
|
@ -8,7 +8,7 @@
|
||||
- [求解器引擎](#求解器引擎)
|
||||
- [程序状态](#程序状态)
|
||||
- [模拟管理器](#模拟管理器)
|
||||
- [VEX IR 翻译器](#vex-ir-翻译)
|
||||
- [VEX IR 翻译器](#vex-ir-翻译器)
|
||||
- [扩展工具](#扩展工具)
|
||||
- [CTF 实例](#ctf-实例)
|
||||
- [参考资料](#参考资料)
|
||||
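Review bot: the corrected anchor #vex-ir-翻译器 only resolves if the heading further down the file reads exactly "VEX IR 翻译器"; that heading is outside this hunk, so confirm the heading text was the source of the mismatch (the old anchor #vex-ir-翻译 dropped the trailing character) rather than the other way round.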
@ -783,7 +783,7 @@ t1
|
||||
'Ijk_Ret'
|
||||
```
|
||||
|
||||
到这里 angr 的核心概念就介绍得差不多了,更多更详细的内容还是推荐查看官方教程和 API 文档。
|
||||
到这里 angr 的核心概念就介绍得差不多了,更多更详细的内容还是推荐查看官方教程和 API 文档。另外在我的博客里有 angr 源码分析的笔记。
|
||||
|
||||
|
||||
## 扩展工具
|
||||
|
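Review bot: the added sentence refers the reader to "my blog" for angr source-analysis notes but gives no link; add the URL so the reference is actionable, since a reader of the rendered document has no way to find the blog from this text alone.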
@ -1,6 +1,8 @@
|
||||
# 8.10 AEG: Automatic Exploit Generation
|
||||
|
||||
|
||||
论文:http://security.ece.cmu.edu/aeg/aeg-current.pdf
|
||||
|
||||
## 简介
|
||||
- 这篇论文向我们展示了如何将控制流劫持攻击的漏洞利用生成模型化为一个形式化验证问题。
|
||||
- 提出了预处理符号执行,这是一种新的符号执行技术。
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.11 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software
|
||||
|
||||
|
||||
论文:https://www.acsac.org/2006/papers/44.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.12 ASLR on the Line: Practical Cache Attacks on the MMU
|
||||
|
||||
|
||||
论文:https://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.13 New Frontiers of Reverse Engineering
|
||||
|
||||
|
||||
论文:http://reversingproject.info/project_repository/reversing_references/pdf/new_frontiers_of_reverse_engineering.pdf
|
||||
|
||||
## What is your take-away message from this paper?
|
||||
This paper briefly presents an overview of the field of reverse engineering, reviews main achievements and areas of application, and highlights key open research issues for the future.
|
||||
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.14 Who Allocated My Memory? Detecting Custom Memory Allocators in C Binaries
|
||||
|
||||
|
||||
论文:https://www.cs.vu.nl/~herbertb/papers/membrush_wcre13.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.15 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning
|
||||
|
||||
|
||||
论文:https://pure.qub.ac.uk/portal/files/127232616/IWSPA_codaspy_2017.pdf
|
||||
|
||||
## What is your take-away message from this paper?
|
||||
The authors present an investigation of machine learning based malware detection using dynamic analysis on real devices.
|
||||
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.16 DynaLog: An automated dynamic analysis framework for characterizing Android applications
|
||||
|
||||
|
||||
论文:https://pure.qub.ac.uk/portal/files/93998809/DynaLog_2016.pdf
|
||||
|
||||
## What is your take-away message from this paper?
|
||||
The authors presented DynaLog, a framework that enable automated mass dynamic analysis of applications in order to characterize them for analysis and potential detection of malicious behaviour.
|
||||
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.17 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls
|
||||
|
||||
|
||||
论文:http://waset.org/publications/10005499
|
||||
|
||||
## What is your take-away message from this paper?
|
||||
The paper put forward a machine learning detection method that based on the actually used Permissions Combination and API calls.
|
||||
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.18 MaMaDroid: Detecting Android malware by building Markov chains of behavioral models
|
||||
|
||||
|
||||
论文:http://discovery.ucl.ac.uk/1532047/1/Stringhini_mamadroid.pdf
|
||||
|
||||
## What is your take-away message from this paper?
|
||||
This paper presented an Android malware detection system based on modeling the sequences of API calls as Markov chains.
|
||||
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.19 DroidNative: Semantic-Based Detection of Android Native Code Malware
|
||||
|
||||
|
||||
论文:http://pages.cs.wisc.edu/~vrastogi/static/papers/aqrcr17.pdf
|
||||
|
||||
## What is your take-away message from this paper?
|
||||
The paper proposed DroidNative for detection of both bytecode and native code Android malware variants.
|
||||
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
|
||||
|
||||
|
||||
论文:https://hovav.net/ucsd/dist/geometry.pdf
|
||||
|
||||
## 简介
|
||||
论文提出了一种 return-into-libc 的攻击方法,以对抗针对传统代码注入攻击的防御技术(W⊕X)。它不会调用到完整的函数,而是通过将一些被称作 gadgets 的指令片段组合在一起,形成指令序列,以达到任意代码执行的效果。这一技术为返回导向编程(Return-Oriented Programming)奠定了基础。
|
||||
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.20 DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware
|
||||
|
||||
|
||||
论文:https://www.cse.cuhk.edu.hk/~cslui/PUBLICATION/TRUST13DROIDANALYTICS.pdf
|
||||
|
||||
## What is your take-away message from this paper?
|
||||
The authors present DroidAnalytics, an Android malware analytic system for malware collection, signature generation, information retrieval, and malware association based on similarity score. Furthermore, DroidAnalytics can efficiently detect zero-day repackaged malware.
|
||||
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.21 Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks
|
||||
|
||||
|
||||
论文:https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cristalli.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.22 Practical Memory Checking With Dr. Memory
|
||||
|
||||
|
||||
论文:http://groups.csail.mit.edu/commit/papers/2011/bruening-cgo11-drmemory.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.23 Evaluating the Effectiveness of Current Anti-ROP Defenses
|
||||
|
||||
|
||||
论文:https://www.syssec.rub.de/media/emma/veroeffentlichungen/2014/05/09/TR-HGI-2014-001_1_1.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.24 How to Make ASLR Win the Clone Wars: Runtime Re-Randomization
|
||||
|
||||
|
||||
论文:https://www.cs.umd.edu/class/fall2017/cmsc818O/papers/aslr-clone-wars.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1,5 +1,8 @@
|
||||
# 8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis
|
||||
|
||||
|
||||
论文:https://www.cs.ucsb.edu/~vigna/publications/2016_SP_angrSoK.pdf
|
||||
|
||||
## 简介
|
||||
这篇文章提出了一个二进制分析框架,并实现了许多现有的分析技术。通过将这些技术系统化地实现,可以让其他研究人员直接利用并开发新的技术。此外,在统一框架中实现这些技术可以更直接地进行比较,并确定各自的优缺点。
|
||||
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.26 Driller: Augmenting Fuzzing Through Selective Symbolic Execution
|
||||
|
||||
|
||||
论文:http://cs.ucsb.edu/~chris/research/doc/ndss16_driller.pdf
|
||||
|
||||
## 简介
|
||||
这篇文章提出了 Driller,这是一种混合漏洞挖掘工具,它以互补的方式将模糊测试和选择性混合执行结合起来,以发现隐藏更深的漏洞。模糊测试用于探索程序空间的不同区间,并使用混合执行来生成满足不同区间的输入。
|
||||
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware
|
||||
|
||||
|
||||
论文:https://seclab.cs.ucsb.edu/media/uploads/papers/firmalice.pdf
|
||||
|
||||
## 简介
|
||||
这篇文章提出了 Firmalice,一种二进制分析框架,以支持对嵌入式设备上所运行的固件进行分析。Firmalice 构建在符号执行引擎之上,并且提供了程序切片之类的技术来提高其可扩展性。此外,Firmalice 构建了一种新型的认证旁路漏洞模型,基于攻击者的能力来确定执行特权操作所需要的输入。
|
||||
|
||||
|
10
doc/8.28_cross_arch_bug.md
Normal file
@ -0,0 +1,10 @@
|
||||
# 8.28 Cross-Architecture Bug Search in Binary Executables
|
||||
|
||||
|
||||
论文:https://christian-rossow.de/publications/crossarch-ieee2015.pdf
|
||||
|
||||
## 简介
|
||||
|
||||
## 方法
|
||||
|
||||
## 实现
|
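Review bot: the new file contains only the title, the paper link and three empty headings (简介, 方法, 实现); the 方法 and 实现 sections do not appear in any of the other entries touched by this commit, so either drop them until there is content or add a one-line placeholder under each so the stub's intended structure is explicit.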
@ -1 +0,0 @@
|
||||
# 8.28 Cross-Architecture Bug Search in Binary Executables
|
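Review bot: deleting doc/8.28_cross_arch_bug_search.md is consistent with the README and index links now pointing at doc/8.28_cross_arch_bug.md, and the only content removed here, the title line, is reproduced verbatim in the new file above.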
@ -1 +1,6 @@
|
||||
# 8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data
|
||||
|
||||
|
||||
论文:https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-vogl.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.2 Return-Oriented Programming without Returns
|
||||
|
||||
|
||||
论文:https://www2.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf
|
||||
|
||||
## 简介
|
||||
论文提出了一种不依赖于使用 return 指令的 ROP 技术。这种攻击方法是在 libc 中找到一些特定的指令序列,来替代 return 指令,完成和 return 同样的工作。这些指令具备图灵完备性,已经在 (x86)Linux 和 (ARM)Android 中被证实。
|
||||
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.30 Preventing brute force attacks against stack canary protection on networking servers
|
||||
|
||||
|
||||
论文:http://hmarco.org/data/Preventing_brute_force_attacks_against_stack_canary_protection_on_networking_servers.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.31 WYSINWYX What You See Is Not What You eXecute
|
||||
|
||||
|
||||
论文:http://research.cs.wisc.edu/wpis/papers/wysinwyx.final.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.32 Unleashing MAYHEM on Binary Code
|
||||
|
||||
|
||||
论文:http://www.cse.psu.edu/~trj1/cse597-s13/docs/binary_mayhem_oakland_12.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.33 Under-Constrained Symbolic Execution: Correctness Checking for Real Code
|
||||
|
||||
|
||||
论文:https://cseweb.ucsd.edu/~dstefan/cse291-winter18/papers/ucklee.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.34 Enhancing Symbolic Execution with Veritesting
|
||||
|
||||
|
||||
论文:https://users.ece.cmu.edu/~aavgerin/papers/veritesting-icse-2014.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.35 Q: Exploit Hardening Made Easy
|
||||
|
||||
|
||||
论文:http://static.usenix.org/legacy/events/sec11/tech/full_papers/Schwartz.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.36 A Survey of Symbolic Execution Techniques
|
||||
|
||||
|
||||
论文:http://season-lab.github.io/papers/survey-symbolic-execution-preprint-CSUR18.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.37 CUTE: A Concolic Unit Testing Engine for C
|
||||
|
||||
|
||||
论文:http://mir.cs.illinois.edu/marinov/publications/SenETAL05CUTE.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.38 TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking
|
||||
|
||||
|
||||
论文:http://people.eecs.berkeley.edu/~dawnsong/papers/2011%20tainteraser%20p142-zhu.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.39 DART: Directed Automated Random Testing
|
||||
|
||||
|
||||
论文:https://web.eecs.umich.edu/~weimerw/2011-6610/reading/p213-godefroid.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
|
||||
|
||||
|
||||
论文:https://www.usenix.org/legacy/event/sec09/tech/full_papers/hund.pdf
|
||||
|
||||
## 简介
|
||||
本论文设计并实现了一个能够自动化构建 ROP 指令序列的攻击系统。由于系统使用的指令序列来自内核已有的代码,而不需要进行代码注入,所以能够绕过内核代码完整性保护机制。
|
||||
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.40 EXE: Automatically Generating Inputs of Death
|
||||
|
||||
|
||||
论文:https://web.stanford.edu/~engler/exe-ccs-06.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time
|
||||
|
||||
|
||||
论文:https://llvm.org/pubs/2010-09-ESORICS-FixOverflows.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
|
||||
|
||||
|
||||
论文:http://valgrind.org/docs/newsome2005.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation
|
||||
|
||||
|
||||
论文:http://bitblaze.cs.berkeley.edu/papers/dta%2B%2B-ndss11.pdf
|
||||
|
||||
## 简介
|
||||
|
6
doc/8.44_multiverse.md
Normal file
@ -0,0 +1,6 @@
|
||||
# 8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics
|
||||
|
||||
|
||||
http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_05A-4_Bauman_paper.pdf
|
||||
|
||||
## 简介
|
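Review bot: the paper link in this new file is a bare URL, whereas every other entry in this commit introduces it with the "论文:" label; add the label here for consistency, and note that the 简介 heading at the end of the file has no body yet.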
@ -1,6 +1,8 @@
|
||||
# 8.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks
|
||||
|
||||
|
||||
论文:https://www.ei.ruhr-uni-bochum.de/media/trust/veroeffentlichungen/2010/12/14/HGI-TR-2010-001.pdf
|
||||
|
||||
## 简介
|
||||
论文设计并实现了工具 ROPdefender,可以动态地检测传统的 ROP 攻击(基于return指令)。ROPdefender 可以由用户来执行,而不依赖于源码、调试信息等在现实中很难获得的信息。
|
||||
|
||||
|
@ -1,4 +1,6 @@
|
||||
# 8.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks
|
||||
|
||||
|
||||
论文:https://www.comp.nus.edu.sg/~shweta24/publications/dop_oakland16.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.6 Hacking Blind
|
||||
|
||||
|
||||
论文:http://www.scs.stanford.edu/~sorbo/brop/bittau-brop.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.7 What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses
|
||||
|
||||
|
||||
论文:https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_maisuradze.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1 +1,6 @@
|
||||
# 8.8 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)
|
||||
|
||||
|
||||
论文:https://users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf
|
||||
|
||||
## 简介
|
||||
|
@ -1,6 +1,8 @@
|
||||
# 8.9 Symbolic Execution for Software Testing: Three Decades Later
|
||||
|
||||
|
||||
论文:https://people.eecs.berkeley.edu/~ksen/papers/cacm13.pdf
|
||||
|
||||
## 简介
|
||||
近几年符号执行因其在生成高覆盖率的测试用例和发现复杂软件漏洞的有效性再次受人关注。这篇文章对现代符号执行技术进行了概述,讨论了这些技术在路径探索,约束求解和内存建模方面面临的主要挑战,并讨论了几个主要从作者自己的工作中获得的解决方案。
|
||||
|
||||
|
@ -30,7 +30,7 @@
|
||||
* [8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis](8.25_angr.md)
|
||||
* [8.26 Driller: Augmenting Fuzzing Through Selective Symbolic Execution](8.26_driller.md)
|
||||
* [8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](8.27_firmalice.md)
|
||||
* [8.28 Cross-Architecture Bug Search in Binary Executables](8.28_cross_arch_bug_search.md)
|
||||
* [8.28 Cross-Architecture Bug Search in Binary Executables](8.28_cross_arch_bug.md)
|
||||
* [8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data](8.29_dynamic_hooks.md)
|
||||
* [8.30 Preventing brute force attacks against stack canary protection on networking servers](8.30_prevent_brute_force_canary.md)
|
||||
* [8.31 WYSINWYX What You See Is Not What You eXecute](8.31_wysinwyx.md)
|
||||
@ -46,3 +46,4 @@
|
||||
* [8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time](8.41_intpatch.md)
|
||||
* [8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software](8.42_taintcheck.md)
|
||||
* [8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation](8.43_dta++.md)
|
||||
* [8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics](8.44_multiverse.md)
|
||||
|