Digital Forensics
I. Introduction
Forensic investigations
- Investigations for court proceedings
- Incident response investigations
- Traces left behind by hacking attacks and penetration tests
What "forensic" science is
- Forensic: of or for use in a court of law; the science of argumentation, legal medicine
- A set of scientific methods for reconstructing what actually happened and collecting evidence admissible in court
- Follow the requirements of local law
- Follow the generally accepted principles of practice
CSI: physical forensics
- Fingerprints, DNA, ballistics, bloodstains
- The theoretical basis of physical forensics is the principle of material exchange (every contact leaves a trace)
This chapter focuses on digital forensics / computer forensics
- Smart devices, computers, phones and tablets, IoT, wired and wireless channels, data storage
II. General principles
- Preserve evidence integrity
  - Digital forensics is far more fortunate than physical forensics: an unlimited number of copies can be made for analysis
  - Digital hash values verify data integrity
- Maintain the chain of custody
  - Physical exhibits are kept in evidence bags; every removal for use is strictly logged to avoid damage or contamination
  - The original digital exhibit is write-protected; analysis is done on copies
- Standard operating procedures
  - Exhibits are handled strictly according to the documented procedure, even if the procedure later turns out to be flawed (this protects the examiner from liability)
  - The entire forensic analysis process is documented
- The digital forensic examiner's motto
  - Do not disturb the data scene (sounds simple, but is almost impossible in practice)
  - Volatile data in registers, CPU caches, I/O device caches and the like is nearly impossible to capture
  - System memory is the main volatile storage target for acquisition; its contents cannot be obtained without modifying it
  - Non-volatile storage media are usually preserved as a full image copy
  - Shut down normally, or pull the power plug directly? (either way data is lost or damaged)
- Searching for evidence
  - Data
  - Information
  - Evidence
- As a security practitioner
  - Use forensics to reconstruct the trail of an intrusion
  - Forensics is the standard that separates penetration testing from hacking
  - The Jiayuan (世纪佳缘) incident
  - The Yinxiang Biji (印象笔记) penetration-testing incident
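As an added example (not part of the original notes), a small Python helper that applies the integrity and chain-of-custody principles above: it seals an image with SHA-256, write-protects the original, appends every action to a custody log, and refuses a working copy whose hash no longer matches. The file names, the handler name and the 3 MiB random "image" are constructed for the demo.

```python
"""Seal a memory/disk image, log custody, and verify working copies (added example).

Assumed workflow, not from the notes: the original image is hashed with SHA-256
and write-protected, every action is appended to a JSON-lines custody log, and a
working copy must match the sealed hash before anyone analyses it.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so multi-GB images never have to fit in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def log_custody(log_path, action, item, digest, handler):
    """Append one chain-of-custody record: who did what to which item, and when."""
    record = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
              "item": os.path.basename(item), "sha256": digest, "handler": handler}
    with open(log_path, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def seal_evidence(image_path, log_path, handler):
    """Hash the original, make it read-only and record the acquisition."""
    digest = sha256_file(image_path)
    os.chmod(image_path, 0o444)  # analysis is never done on the original
    log_custody(log_path, "acquired", image_path, digest, handler)
    return digest


def make_working_copy(image_path, copy_path, log_path, handler, sealed_digest):
    """Copy the image and prove the copy is bit-identical before it is used."""
    shutil.copyfile(image_path, copy_path)
    copy_digest = sha256_file(copy_path)
    ok = copy_digest == sealed_digest
    log_custody(log_path, "copy-verified" if ok else "copy-MISMATCH",
                copy_path, copy_digest, handler)
    return ok


def verify_evidence(path, sealed_digest):
    """Re-hash an item and compare it with the sealed value, e.g. before presenting it."""
    return sha256_file(path) == sealed_digest


def demo():
    """Run the workflow on a constructed 3 MiB 'image' in a temporary directory."""
    work = tempfile.mkdtemp()
    image = os.path.join(work, "host-memory.raw")
    with open(image, "wb") as f:
        f.write(os.urandom(3 * CHUNK))  # constructed sample image, not real evidence
    log = os.path.join(work, "custody.jsonl")
    sealed = seal_evidence(image, log, handler="analyst-1")
    copy = os.path.join(work, "host-memory.working.raw")
    copy_ok = make_working_copy(image, copy, log, "analyst-1", sealed)
    # An analysis tool writes one byte into the working copy: verification must now fail.
    with open(copy, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    tampered_ok = verify_evidence(copy, sealed)
    with open(log) as f:
        actions = [json.loads(line)["action"] for line in f]
    os.chmod(image, 0o644)  # allow cleanup of the read-only original
    shutil.rmtree(work, ignore_errors=True)
    return {"copy_ok": copy_ok, "tampered_ok": tampered_ok, "actions": actions}
```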
III. Forensic methods
- Live forensics
  - Capture file metadata, build a timeline, collect command history, analyse log files, compute hash digests, dump memory
  - Run only clean, uninfected programs to perform the collection, and save what is collected to a forensic USB stick or to network storage
- Dead forensics
  - After shutdown, image the hard disk and analyse the image (MBR, GPT, LVM)
IV. Forensic tools
- Use DumpIt to make a memory image file; the image is about the same size as RAM, or slightly larger.
- DumpIt.exe download: https://www.aliyundrive.com/s/caNEzWuA8Xv
- Installing Volatility on Kali: https://www.cnblogs.com/Jinx8823/p/16642215.html
- Note: you must use python2 (shipped with Kali) and pip2 (installation: https://blog.csdn.net/huayimy/article/details/128338899)
1. Making a memory image
On the Windows 7 machine open a few programs, then double-click DumpIt.exe (preferably run it from a USB stick, to minimise the effect on the target machine's memory).
2. Analysing the memory file with Volatility
- Plugin location (use --help to list the supported plugins): /usr/local/lib/python2.7/dist-packages/volatility/plugins
(1) Identify the image (operating system, etc.)
(2) List the registry hive files (registry information)
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 hivelist
(3) Dump a hive's contents by its virtual address
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 hivedump -o 0xfffff8a000924010
(4) Read key values by registry path
- Example 1: list the user accounts
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 printkey -K "SAM\Domains\Account\Users\Names"
- Example 2: the last logged-on user
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
(5) Programs that were run, how many times, and when each last ran
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 userassist
(6) Process list and process memory
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 pslist
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 pstree   # shows parent/child process relationships as a tree
- Dump the memory belonging to one specific process
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 memdump -p 2584 -D Temp   # -D sets the output directory
- The dump can be read directly with hexeditor
hexeditor Temp/2584.dmp
- Or extract the strings and look for anything suspicious (trojans, viruses, etc.)
strings Temp/2584.dmp
- Combine with filtering to narrow the analysis
(7) Command history
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 cmdscan
(8) Network connections
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 netscan   # connscan lists the established connections
(9) IE history
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 iehistory
(10) Extract password hashes
# volatility -f ***.raw|***.dmp --profile=*** hashdump -y <SYSTEM hive virtual address> -s <SAM hive virtual address>
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a00184b160
(11) The timeliner plugin
- Function: builds a timeline from a large amount of system activity gathered from many locations. The USN journal (usnparser) sketches activity only from the disk read/write side; timeliner collects information from many sources and does its best to reconstruct what happened on this host and what was done on it.
vol.py -f WIN7-Z9M8R8-1-20230120-023337.raw --profile=Win7SP1x64 timeliner
3. External Volatility plugins
Official community plugin project: https://github.com/volatilityfoundation/community
Place the plugin in the /usr/local/lib/python2.7/dist-packages/volatility/plugins directory; it is then used like a built-in plugin, or see: https://github.com/volatilityfoundation/volatility/wiki/Volatility%20Usage#specifying-additional-plugin-directories
Example: the USN journal plugin (download: https://github.com/tomspencer/volatility/tree/master/usnparser)
- Function: tracks changes to disk contents (attributes), such as file permission changes, but does not record what exactly changed, e.g. the text that was added to a file.
# print straight to the terminal
vol.py -f WIN7-Z9M8R8-1-20230125-140115.raw --profile=Win7SP1x64 usnparser
# save the result to a file
vol.py -f WIN7-Z9M8R8-1-20230125-140115.raw --profile=Win7SP1x64 usnparser --output=csv --output-file=usn.csv
4. Volatility case study
Exploit ms08_067 via msf to take control of an XP SP3 machine (establishing a meterpreter session), then make a memory image and analyse it.
(1) Analyse and identify the operating system
(2) Look at suspicious processes
Trojans, viruses and the like usually run hidden, so it is hard to tell which process is the problem just by looking.
(3) Check network connections
Analysis shows that only process 1060 has established a network connection, so it can be examined further.
(4) Get the details of the process that has the established connection
Example (to look at several processes at once, separate the PIDs with commas):
┌──(root㉿kali)-[~/Desktop]
└─# vol.py -f XP_SP3-20230121-111153.raw --profile=WinXPSP3x86 getsids -p 1060,1200,1128   # compare the three svchost processes 1060, 1128 and 1200 side by side; anomalies stand out more easily
Volatility Foundation Volatility Framework 2.6.1
svchost.exe (1060): S-1-5-18 (Local System)
svchost.exe (1060): S-1-5-32-544 (Administrators)
svchost.exe (1060): S-1-1-0 (Everyone)
svchost.exe (1060): S-1-5-11 (Authenticated Users)
svchost.exe (1128): S-1-5-20 (NT Authority)
svchost.exe (1128): S-1-5-20 (NT Authority)
svchost.exe (1128): S-1-1-0 (Everyone)
svchost.exe (1128): S-1-5-32-545 (Users)
svchost.exe (1128): S-1-5-6 (Service)
svchost.exe (1128): S-1-5-11 (Authenticated Users)
svchost.exe (1128): S-1-5-5-0-58102 (Logon Session)
svchost.exe (1128): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1128): S-1-1-0 (Everyone)
svchost.exe (1128): S-1-5-11 (Authenticated Users)
svchost.exe (1128): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1128): S-1-5-32-545 (Users)
svchost.exe (1200): S-1-5-19 (NT Authority)
svchost.exe (1200): S-1-5-19 (NT Authority)
svchost.exe (1200): S-1-1-0 (Everyone)
svchost.exe (1200): S-1-5-32-545 (Users)
svchost.exe (1200): S-1-5-6 (Service)
svchost.exe (1200): S-1-5-11 (Authenticated Users)
svchost.exe (1200): S-1-5-5-0-58822 (Logon Session)
svchost.exe (1200): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1200): S-1-1-0 (Everyone)
svchost.exe (1200): S-1-5-11 (Authenticated Users)
svchost.exe (1200): S-1-2-0 (Local (Users with the ability to log in locally))
svchost.exe (1200): S-1-5-32-545 (Users)
svchost.exe does not hold SYSTEM privileges by default; comparing process 1060 with 1200 and 1128, 1060 is very suspicious.
(5) Look at the DLLs the suspicious process has loaded
Two patterns occur: either very many DLLs or very few. In one, the malware calls the system's own DLLs to keep its size small; in the other, because relying entirely on the system's DLLs hurts compatibility (many DLLs differ between Windows versions), the malware carries every DLL it needs inside itself, which makes it much larger.

┌──(root㉿kali)-[~/Desktop]
└─# vol.py -f XP_SP3-20230121-111153.raw --profile=WinXPSP3x86 dlllist -p 1060,1200,1128
Volatility Foundation Volatility Framework 2.6.1
(full module lists for the three processes not reproduced here; pid 1060 runs as `svchost.exe -k netsvcs`, pid 1128 as `svchost.exe -k NetworkService`, pid 1200 as `svchost.exe -k LocalService`)
The comparison shows that 1060 loads far more DLLs than 1200 and 1128 (they should be similar), so process 1060 has "possibly" been infected.
(6) Use the built-in malfind plugin to detect suspicious processes

┌──(root㉿kali)-[~/Desktop]
└─# vol.py -f XP_SP3-20230121-111153.raw --profile=WinXPSP3x86 malfind -p 1060,1200,1128 -D Temp
Volatility Foundation Volatility Framework 2.6.1
(hexdump and disassembly not reproduced here; malfind reports private PAGE_EXECUTE_READWRITE (VadS, Protection: 6) regions in svchost.exe pid 1060 at 0x14e0000, 0x1990000, 0x1a50000 and 0x2430000, each beginning with an MZ header, plus a further region at 0x5350000)
Only process 1060 is found to be suspicious: it has private executable-and-writable memory regions that begin with an MZ header, which is what malfind flags.
(7) Check the dumped process with antivirus software or an online scanning site
As soon as it was copied to the host, Huorong (火绒) antivirus detected and removed it.
Result from virustotal.com
Conclusion: process 1060 has been infected!
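As an added example rather than part of the notes, the following Python script automates the comparison made in steps (4) and (5): it parses Volatility 2 `getsids` and `dlllist` text output (the sample output is constructed and shortened, with the same layout as the real plugins), lists the SIDs each svchost holds that its siblings do not, and flags the instance whose DLL count is far above the sibling median.

```python
"""Triage sibling svchost.exe instances from Volatility 2 `getsids` and `dlllist`
text output (added example; the sample output below is constructed and shortened)."""
import re
from statistics import median

GETSIDS_SAMPLE = r"""Volatility Foundation Volatility Framework 2.6.1
svchost.exe (1060): S-1-5-18 (Local System)
svchost.exe (1060): S-1-5-32-544 (Administrators)
svchost.exe (1060): S-1-1-0 (Everyone)
svchost.exe (1060): S-1-5-11 (Authenticated Users)
svchost.exe (1128): S-1-5-20 (NT Authority)
svchost.exe (1128): S-1-1-0 (Everyone)
svchost.exe (1128): S-1-5-32-545 (Users)
svchost.exe (1128): S-1-5-11 (Authenticated Users)
svchost.exe (1200): S-1-5-19 (NT Authority)
svchost.exe (1200): S-1-1-0 (Everyone)
svchost.exe (1200): S-1-5-32-545 (Users)
svchost.exe (1200): S-1-5-11 (Authenticated Users)
svchost.exe (1200): S-1-2-0 (Local (Users with the ability to log in locally))
"""

DLLLIST_SAMPLE = r"""Volatility Foundation Volatility Framework 2.6.1
************************************************************************
svchost.exe pid:   1060
Base             Size  LoadCount LoadTime                       Path
---------- ---------- ---------- ------------------------------ ----
0x01000000     0x6000     0xffff                                C:\WINDOWS\System32\svchost.exe
0x7c900000    0xaf000     0xffff 2023-01-21 11:11:53 UTC+0000   C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff                                C:\WINDOWS\system32\kernel32.dll
0x71ab0000    0x17000       0x6f                                c:\windows\system32\WS2_32.dll
0x771b0000    0xaa000        0x9                                C:\WINDOWS\system32\WININET.dll
0x77a80000    0x95000       0x32                                C:\WINDOWS\system32\CRYPT32.dll
0x68000000    0x36000        0x1                                C:\WINDOWS\System32\rsaenh.dll
svchost.exe pid:   1128
0x01000000     0x6000     0xffff                                C:\WINDOWS\system32\svchost.exe
0x7c900000    0xaf000     0xffff                                C:\WINDOWS\system32\ntdll.dll
0x71ab0000    0x17000        0x7                                c:\windows\system32\WS2_32.dll
svchost.exe pid:   1200
0x01000000     0x6000     0xffff                                C:\WINDOWS\system32\svchost.exe
0x7c900000    0xaf000     0xffff                                C:\WINDOWS\system32\ntdll.dll
0x71ab0000    0x17000       0x24                                c:\windows\system32\WS2_32.dll
"""

SID_LINE = re.compile(r"^(\S+) \((\d+)\): (S-[\d-]+) \((.*)\)$")   # name (pid): SID (label)
PID_LINE = re.compile(r"^(\S+) pid:\s+(\d+)$")                      # start of a dlllist section
DLL_ROW = re.compile(                                                # Base Size LoadCount [LoadTime] Path
    r"^0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+"
    r"(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC\+\d{4}\s+)?(\S.*?)\s*$")


def parse_getsids(text):
    """Map pid -> (image name, set of SIDs) from getsids output."""
    procs = {}
    for line in text.splitlines():
        m = SID_LINE.match(line.strip())
        if m:
            name, pid, sid = m.group(1), int(m.group(2)), m.group(3)
            procs.setdefault(pid, (name, set()))[1].add(sid)
    return procs


def parse_dlllist(text):
    """Map pid -> list of loaded module paths from dlllist output."""
    mods, pid = {}, None
    for line in text.splitlines():
        m = PID_LINE.match(line.strip())
        if m:
            pid = int(m.group(2))
            mods[pid] = []
        elif pid is not None and (row := DLL_ROW.match(line.strip())):
            mods[pid].append(row.group(1))
    return mods


def triage(sids_text, dll_text, image="svchost.exe", ratio=2.0):
    """Compare all processes named `image`; flag a pid that both loaded more than
    `ratio` x the sibling median of DLLs and holds SIDs none of its siblings has."""
    sids = parse_getsids(sids_text)
    mods = parse_dlllist(dll_text)
    pids = sorted(p for p, (name, _) in sids.items() if name.lower() == image)
    counts = {p: len(mods.get(p, [])) for p in pids}
    base = median(list(counts.values())) if counts else 0
    report = {}
    for p in pids:
        others = set().union(*[sids[q][1] for q in pids if q != p])
        unique = sorted(sids[p][1] - others)
        outlier = base > 0 and counts[p] > ratio * base
        report[p] = {"dll_count": counts[p], "unique_sids": unique,
                     "dll_outlier": outlier, "suspicious": outlier and bool(unique)}
    return report
```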
5. Sample images for finding malware with memory forensics
The Volatility developers provide images that can be downloaded directly for analysis:
- https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
- https://code.google.com/archive/p/volatility/wikis/SampleMemoryImages.wiki
V. Live forensics
1. Recovering text from memory
procdump: https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
strings, Windows version: https://technet.microsoft.com/en-us/sysinternals/bb897439.aspx
procdump -ma xxx.exe xxx.dmp   # dump everything belonging to one process (m = memory, a = all)
strings only sees English text: it reports runs of three or more consecutive printable ASCII characters. It works on many kinds of files (Word, Excel, PowerPoint), or you can dump a mail client's process and read the messages from the dump; in other words, it works for any kind of text-processing program.
Some note-taking programs may hold the user's account password in memory, so dumping the process lets you see it.
strings xxx.dmp > xxx.txt   (then use a search tool to find the text you want in the file)
Example:
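Added example (not the screenshot the notes refer to): a Python scanner that does what `strings` does on a process dump and, in addition, finds the UTF-16LE text that Windows programs usually keep in memory and that an ASCII-only scan misses. The dump contents are constructed.

```python
"""Pull readable text out of a process dump (added example, not from the notes).

`strings` reports runs of three or more printable ASCII bytes. Windows programs
keep most user text as UTF-16LE, which a plain ASCII scan misses; this scanner
reports both kinds with their offsets and adds a grep-style filter.
"""
import re

MIN_LEN = 3  # the same minimum run length the notes describe for strings


def extract_strings(data, min_len=MIN_LEN):
    """Return [(offset, encoding, text)] for every ASCII and UTF-16LE run in `data`."""
    ascii_run = re.compile(rb"[\x09\x20-\x7e]{%d,}" % min_len)         # printable ASCII + tab
    utf16_run = re.compile(rb"(?:[\x09\x20-\x7e]\x00){%d,}" % min_len)  # char, NUL, char, NUL ...
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(data)]
    return sorted(found)


def grep_strings(data, pattern, min_len=MIN_LEN):
    """Filter the extracted strings with a case-insensitive regex (like strings | grep -i)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [s for s in extract_strings(data, min_len) if rx.search(s[2])]


def build_sample_dump():
    """Constructed stand-in for a procdump .dmp: binary noise, ASCII and UTF-16LE text."""
    return b"".join([
        b"\x00" * 16,
        b"MZ\x90\x00",                            # PE header fragment: 'MZ' is too short to count
        b"\x00" * 8,
        "Password: hunter2".encode("utf-16-le"),  # text a Windows editor holds; invisible to an ASCII-only scan
        b"\xff\xfe\x01\x02",
        b"user@example.invalid",                  # plain ASCII run, visible to classic strings
        b"\x03\x00" * 5,
        "notes.docx".encode("utf-16-le"),
        b"\x00" * 4,
    ])
```

A dump that yields such strings is itself sensitive evidence and belongs under the same custody rules as the image it came from.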
2. Recovering images from memory
When you take a screenshot and edit it in Paint, the dumped memory should contain the image data, so can the image be recovered? (It can be recovered to some degree, but not exactly as it was.) Take a screenshot, save it, then open it in Paint for editing; Paint is now a running process:
procdump -ma mspaint.exe mspaint.dmp
This saves the process memory as a .dmp file
Example:
Remote Desktop: when you use Remote Desktop to connect to a machine, every operation takes place on the remote machine; all the local side receives is the image of the session sent back. Since image data is present, a tool may be able to recover it. Connecting starts a new process, mstsc.exe.
In Kali, use gimp (the equivalent of Photoshop on Windows; install it yourself) to recover the image
Install gimp: apt-get install gimp (a proxy makes this faster)
Rename mspaint.dmp to a .data extension, then open it in gimp and adjust the parameters to recover the image.
mv mspaint.dmp mspaint.data
Left is the original, right is what gimp produces: it can almost never be restored 100%, but you can make out roughly what it was.
3. Recovering plaintext passwords from memory
The process that holds password material is lsass.exe; it exists on every Windows machine, runs as SYSTEM, and holds Windows plaintext passwords.
procdump -ma lsass.exe lsass.dmp
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords
Example:
Note: open cmd as administrator, otherwise lsass.exe cannot be opened.
Extract plaintext passwords with mimikatz (see the privilege escalation chapter for details of mimikatz usage)
Extract plaintext passwords with DumpIt + the Volatility external plugin mimikatz (https://github.com/cofarmer/volatility_mimikatz/blob/master/mimikatz.py)
Copy mimikatz.py into the /usr/local/lib/python2.7/dist-packages/volatility/plugins directory
vol.py -f WIN7-Z9M8R8-1-20230125-140115.raw --profile=Win7SP1x64 mimikatz
Possible error
……
Failed to import volatility.plugins.mimikatz (ImportError: No module named construct)
……
Install it with pip2 install construct; if pip2 fails, download the package from https://pypi.tuna.tsinghua.edu.cn/simple/construct/ first and then install it (as shown in the figure).
VI. Dead forensics
1. Disk imaging
Boot the target computer from a Kali live disc and use a tool to image the machine's hard disk; the image file needs enough storage space, on a USB stick or an external drive
Imaging tools
- Dc3dd (command line)
- Dcfldd (command line)
- guymager (graphical)
guymager demo
Reference data sets for computer forensics (forensic image files): https://cfreds.nist.gov/all/DFIR_AB/ForensicsImageTestimage or https://dftt.sourceforge.net/
2. Forensic tools
(1) DFF (Digital Forensics Framework)
- Open Evidence   # red marks files that have been deleted
- Finds and recovers deleted and hidden files
- Dropped from Kali; works on older Kali versions
- Recommended hands-on reference: https://github.com/apachecn/apachecn-kali-zh/blob/master/docs/digifore-kali/10.md
(2) Autopsy (recommended)
Web server + browser client architecture
Note: import content and import modes
- Disk (the whole hard disk)
- Partition (one disk partition)
- move: moves the whole image file into Autopsy as the evidence locker (files written into the locker cannot be changed again); a sudden power loss during the move may damage the file
- copy (recommended): makes a copy and loads that into Autopsy
- symlink: link mode; errors occur if the source file is moved
Autopsy Chinese user guide: https://www.wangan.com/docs/autopsy
Autopsy analysis walkthrough: https://juejin.cn/post/6844903791095971847
(3) Extundelete
An undelete tool for ext3 and ext4 file systems
extundelete [device-file] --restore-file [restore location]
About ext: a journaling file system mostly used on Linux; files deleted from it can be restored
Usage: extundelete <device name, e.g. /dev/sda> --restore-file <path of the file to recover>
(4) iPhone Backup Analyzer
Analyses the iPhone backup files that iTunes produces, not image files
(5) Foremost (developed by the US government)
Recovers documents and pictures from a memory dump (not screen images, but picture files that existed somewhere on disk and were loaded into memory); supports raw, dd (disk image), iso (optical disc image), vmem (virtual machine memory), doc and other formats.
On Kali you need to reinstall this program yourself
Command: foremost -t jpeg,gif,png,doc -i xx.raw
When it finishes, an output folder is created in the current directory; it holds every extracted picture file plus a txt file describing each file in detail
Example:
foremost -t jpeg,gif,png,doc -i WIN7-Z9M8R8-1-20230125-140115.raw
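Added example, not part of the notes: the signature carving that foremost performs, written out in Python for JPEG and PNG on a constructed raw image, including the case of a header whose trailer has been overwritten (which foremost likewise cannot recover as a complete file).

```python
"""Signature-based file carving, the technique behind foremost (added example).

Scans a raw image for JPEG and PNG headers, carves each file out to its trailer
and writes an audit list in the spirit of foremost's output/audit.txt. The image
is constructed in memory; the magic bytes and the PNG layout are the real ones.
"""
import hashlib
import struct
import zlib

SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),                    # SOI marker ... EOI marker
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),  # header ... IEND chunk + its CRC
}
MAX_SIZE = 20 * 1024 * 1024  # a header with no trailer within 20 MiB is treated as junk


def carve(image, sigs=SIGNATURES, max_size=MAX_SIZE):
    """Return [(offset, ext, bytes)] for every complete file found in `image`."""
    found = []
    for ext, (head, tail) in sigs.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + max_size)
            if end < 0:           # header whose trailer was truncated or overwritten
                pos = start + 1
                continue
            end += len(tail)
            found.append((start, ext, image[start:end]))
            pos = end             # never re-match inside the file just carved
    return sorted(found)


def audit(found):
    """One line per carved file: offset, size, type, truncated SHA-256."""
    return ["{:>10d} {:>8d} {} {}".format(off, len(data), ext,
                                           hashlib.sha256(data).hexdigest()[:16])
            for off, ext, data in found]


def tiny_png(width=1, height=1):
    """Build a minimal valid RGB PNG (constructed sample content)."""
    def chunk(tag, body):
        crc = zlib.crc32(tag + body) & 0xffffffff
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height  # filter byte + black pixels
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def build_sample_image():
    """Constructed raw image: filler, a JPEG, a PNG, then a JPEG whose tail is gone."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe0" + b"\x22" * 30          # EOI marker overwritten
    return (b"\x00" * 512 + jpeg + b"\x5a" * 100 + tiny_png()
            + b"\x00" * 64 + truncated + b"\x00" * 200)
```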