Sandbox countermeasures: anti-sandbox techniques

news2024/11/18 1:47:45

Introduction

In red/blue team exercises we often run into this situation: a sample is fully undetected offline, yet ten minutes later it is killed anyway. That is the power of cloud-based detection, which comes in two forms:
1. Static analysis
2. Dynamic analysis
Static analysis inspects the sample's structure, import table and so on to decide whether it is malicious, or uses AI and other clustering algorithms to check whether its overall code structure resembles other known malware; in other words, the verdict is reached without ever running the program. Dynamic analysis runs the sample and observes its API call sequence, memory characteristics, outbound connection addresses and network traffic, none of which can be captured statically. To get past dynamic analysis, then, the sample has to recognise the characteristics of a sandbox and refuse to run its payload when it detects one.

Anti-sandbox methods

Essentially this comes down to finding fingerprint values that distinguish a sandbox from a real machine, for example:
1. A process named vmtoolsd.exe is present.
2. Using API calls whose results differ between a real machine and a sandbox, e.g. reading the GPU temperature, which a sandbox cannot return.
3. Reading the list of recently opened files, or treating the host as a sandbox if the temp directory holds fewer than 10 files.
As you can see, the essence is collecting fingerprints. Below we write a program that gathers a range of host characteristics and sends them back, so that we can see what the mainstream sandboxes on the market actually look like and then tailor the evasion to them.

Sandbox fingerprint collection

We collect the following characteristics:
1. Hostname
2. Username
3. UID
4. GID
5. Platform
6. Platform family
7. Platform version
8. Install date
9. Boot time
10. Disks
11. MAC addresses of all NICs
12. Process count
13. Process name list
14. Temp file names
15. Desktop files
16. Disk free, available and total size

微X在线

Win 7 32-bit analysis system

  {
    "Hostname": "DESKTOP-R0ASNAA",
    "Username": "DESKTOP-R0ASNAA\\Admin",
    "Uid": "S-1-5-21-2946486835-2728351130-1651602021-1000",
    "Gid": "S-1-5-21-2946486835-2728351130-1651602021-513",
    "Platform": "Microsoft Windows 7 Ultimate Service Pack 1",
    "PlatformFamily": "Standalone Workstation",
    "PlatformVersion": "6.1.7601 Build 7601",
    "Cpu": "4",
    "BootTime": "1658185174",
    "UpTime": "34862",
    "Disk": "C: ",
    "Mac": ["Local Area Connection 52:54:00:c5:0f:7c", "isatap.{1141D443-46F3-4C40-8D6C-D57632F2B3B2} 00:00:00:00:00:00:00:e0"],
    "Procs": "51",
    "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe svchost.exe spoolsv.exe svchost.exe AcrylicService.exe svchost.exe dwm.exe taskhost.exe explorer.exe WeChat.exe rundll32.exe taskhost.exe taskhost.exe WinSAT.exe conhost.exe WeChat.exe aYdKcbVzZt.exe unsecapp.exe WmiPrvSE.exe WeChat.exe ShellExperienceHost.exe GoogleUpdateSetup.exe QQ.exe svchost.exe WUDFHost.exe taskhostw.exe GoogleUpdate.exe sihost.exe backgroundTaskHost.exe Detonate.exe RemindersServer.exe WmiPrvSE.exe audiodg.exe BackgroundTransferHost.exe main.exe ",
    "TempFiles": ["!!!!tnQGd", "ASPNETSetup_00000.log", "ArmUI.ini", "CVR8BDF.tmp.cvr", "DMI3F89.tmp", "FXSAPIDebugLogFile.txt", "Low", "RGI6BC7.tmp-tmp", "WPDNSE", "acro_rd_dir", "acrord32_sbx", "au-descriptor-1.8.0_171-b11.xml", "dd_vcredistMSI3185.txt", "gen_py", "jawshtml.html", "log_de-0.log", "log_de.log", "moz-update-new-backup-update.log", "moz-update-new-last-update.log", "mozilla-temp-files", "tmpaddon", "vbccsb.bmp", "wmsetup.log"],
    "DesktopFiles": ["desktop.ini"],
    "DiskInfos": [" free 28 MB avail 28 MB total 494 MB "]
  }

Win 7 64-bit analysis system

  {
    "Hostname": "DESKTOP-RSILDVX",
    "Username": "DESKTOP-RSILDVX\\Admin",
    "Uid": "S-1-5-21-1129413703-3462700907-1341486384-1000",
    "Gid": "S-1-5-21-1129413703-3462700907-1341486384-513",
    "Platform": "Microsoft Windows 7 Ultimate Service Pack 1",
    "PlatformFamily": "Standalone Workstation",
    "PlatformVersion": "6.1.7601 Build 7601",
    "Cpu": "4",
    "BootTime": "1658190894",
    "UpTime": "28888",
    "Disk": "C: ",
    "Mac": ["Local Area Connection 52:54:00:30:56:0f", "isatap.{43AC80D5-D666-4C30-8995-823B98B4E2BF} 00:00:00:00:00:00:00:e0"],
    "Procs": "47",
    "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe svchost.exe spoolsv.exe svchost.exe taskhost.exe dwm.exe explorer.exe svchost.exe svchost.exe WeChat.exe taskhost.exe WeChat.exe KrlwNxbURe.exe unsecapp.exe WmiPrvSE.exe ShellExperienceHost.exe GoogleUpdateSetup.exe WeChat.exe svchost.exe WUDFHost.exe Detonate.exe backgroundTaskHost.exe taskhostw.exe audiodg.exe GoogleUpdate.exe RemindersServer.exe QQ.exe sihost.exe WmiPrvSE.exe BackgroundTransferHost.exe main.exe ",
    "TempFiles": ["!!!!OTVcUgAZCWtFUh", "ASPNETSetup_00005.log", "ArmUI.ini", "CVR45E1.tmp.cvr", "FXSAPIDebugLogFile.txt", "Low", "RGI64B.tmp-tmp", "WPDNSE", "acrord32_sbx", "chrome_installer.log", "gen_py", "jawshtml.html", "log_de-0.log", "log_de.log", "tmpaddon", "wmsetup.log"],
    "DesktopFiles": ["Sticky Notes.lnk", "desktop.ini"],
    "DiskInfos": [" free -725 MB avail -725 MB total 494 MB "]
  }

Win 10 analysis system

  {
    "Hostname": "DESKTOP-H9URB7T",
    "Username": "DESKTOP-H9URB7T\\Administrator",
    "Uid": "S-1-5-21-984825153-1336012551-2928140700-500",
    "Gid": "S-1-5-21-984825153-1336012551-2928140700-513",
    "Platform": "Microsoft Windows 10 Pro",
    "PlatformFamily": "Standalone Workstation",
    "PlatformVersion": "10.0.18362 Build 18362",
    "Cpu": "4",
    "BootTime": "1658197215",
    "UpTime": "21692",
    "Disk": "C: ",
    "Mac": ["Ethernet 52:54:00:9d:94:82"],
    "Procs": "126",
    "Process": "[System Process] System Registry smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe AcrylicService.exe svchost.exe svchost.exe svchost.exe svchost.exe sppsvc.exe svchost.exe dasHost.exe svchost.exe SppExtComObj.Exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe taskhostw.exe svchost.exe ctfmon.exe explorer.exe svchost.exe ChsIME.exe svchost.exe StartMenuExperienceHost.exe svchost.exe svchost.exe RuntimeBroker.exe ApplicationFrameHost.exe MicrosoftEdge.exe browser_broker.exe svchost.exe Windows.WARP.JITService.exe dllhost.exe RuntimeBroker.exe MicrosoftEdgeCP.exe MicrosoftEdgeSH.exe WeChat.exe taskhostw.exe svchost.exe svchost.exe svchost.exe usocoreworker.exe AppHostRegistrationVerifier.exe TrustedInstaller.exe TiWorker.exe svchost.exe WmiPrvSE.exe WmiPrvSE.exe WeChat.exe oLDThMtHHL.exe unsecapp.exe svchost.exe svchost.exe WeChat.exe svchost.exe ShellExperienceHost.exe GoogleUpdateSetup.exe QQ.exe RemindersServer.exe backgroundTaskHost.exe GoogleUpdate.exe WUDFHost.exe taskhostw.exe svchost.exe WmiPrvSE.exe Detonate.exe sihost.exe audiodg.exe BackgroundTransferHost.exe dllhost.exe main.exe ",
    "TempFiles": ["!!!!QXnShWaDY", "gen_py", "log_de-0.log", "log_de.log"],
    "DesktopFiles": ["Microsoft Edge.lnk", "desktop.ini"],
    "DiskInfos": [" free 526 MB avail 526 MB total 494 MB "]
  }

any.run

 
  {
    "Hostname": "User-PC",
    "Username": "USER-PC\\admin",
    "Uid": "S-1-5-21-1302019708-1500728564-335382590-1000",
    "Gid": "S-1-5-21-1302019708-1500728564-335382590-513",
    "Platform": "Microsoft Windows 7 Professional Service Pack 1",
    "PlatformFamily": "Standalone Workstation",
    "PlatformVersion": "6.1.7601 Build 7601",
    "Cpu": "4",
    "BootTime": "1658219380",
    "UpTime": "1071",
    "Disk": "C: ",
    "Mac": ["Connection 12:03:33:4a:04:af", "isatap.{4040CF00-1B3E-486A-B407-FA14C56B6FC0} 00:00:00:00:00:00:00:e0"],
    "Procs": "32",
    "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe IMEDICTUPDATE.EXE svchost.exe taskhost.exe taskeng.exe dwm.exe explorer.exe ctfmon.exe SearchIndexer.exe SearchProtocolHost.exe SearchFilterHost.exe main.exe ",
    "TempFiles": ["2hwflycr.wxy", "44fgwpug.l3b", "4h4bvyg0.zv1", "4hzyndia.i0b", "4u05srcx.2tm", "5cajz215.cyn", "DMI326A.tmp", "DMI5D92.tmp", "FXSAPIDebugLogFile.txt", "WPDNSE", "ae1197f8-1fef-485f-bd41-961d8cc76a3d.ps1", "be451b0w.oss", "io1vk3bc.a5o", "kdxz5yzf.q5x", "main.exe", "my5mdnsv.hzi", "nlkcainm.pwo", "qfgod4ch.wmc", "sotg2snm.etk", "wylivac0.ox4", "yn2xdy3b.fnw", "ytaotkcy.ydz"],
    "DesktopFiles": ["buttonforeign.rtf", "checkimportant.rtf", "consumershare.rtf", "desktop.ini", "generalthought.rtf", "localsociety.png", "mrc.jpg", "plansvillage.jpg", "reservedrisk.rtf", "roomwestern.jpg", "teachersure.png", "telephonealong.png", "xxxworldwide.png"],
    "DiskInfos": [" free -851 MB avail -851 MB total -51 MB "]
  }

奇X信

 
  {
    "Hostname": "WIN-IVE99JTTEQ6",
    "Username": "WIN-IVE99JTTEQ6\\Administrator",
    "Uid": "S-1-5-21-170072326-1450976669-2659344978-500",
    "Gid": "S-1-5-21-170072326-1450976669-2659344978-513",
    "Platform": "Microsoft Windows 7 Ultimate Service Pack 1",
    "PlatformFamily": "Standalone Workstation",
    "PlatformVersion": "6.1.7601 Build 7601",
    "Cpu": "4",
    "BootTime": "1658222038",
    "UpTime": "96",
    "Disk": "C: ",
    "Mac": ["Local Area Connection 2 6c:4b:90:45:7b:66"],
    "Procs": "58",
    "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe OSPPSVC.EXE taskhost.exe dwm.exe explorer.exe reader_sl.exe svchost.exe taskhost.exe sdclt.exe sc.exe QQ.exe conhost.exe Timwp.exe conhost.exe TIM.exe conhost.exe WeChat.exe conhost.exe Skype.exe conhost.exe LxMainNew.exe conhost.exe navicat.exe conhost.exe IDMan.exe conhost.exe Everything.exe conhost.exe Code.exe conhost.exe BSPrintNotify.exe conhost.exe Postman.exe conhost.exe TOTALCMD64.EXE conhost.exe dllhost.exe main.exe conhost.exe ",
    "TempFiles": ["ASPNETSetup_00000.log", "Administrator.bmp", "BSPrintNotify.exe", "CVR4A69.tmp.cvr", "Code.exe", "Everything.exe", "FXSAPIDebugLogFile.txt", "IDMan.exe", "JavaDeployReg.log", "Low", "LxMainNew.exe", "MSI301d8.LOG", "MSI31bd8.LOG", "MSI358b2.LOG", "MSI36f67.LOG", "Microsoft .NET Framework 4.5.1 Setup_20190507_174334109.html", "Postman.exe", "QQ.exe", "RGIDD45.tmp", "RGIDD45.tmp-tmp", "SetupExe(201905071747259A8).log", "Skype.exe", "TCDA77F.tmp", "TCDA87B.tmp", "TCDA8BC.tmp", "TCDAAA2.tmp", "TCDAB60.tmp", "TCDABBF.tmp", "TCDAC3E.tmp", "TCDACAE.tmp", "TCDAD3C.tmp", "TCDADAC.tmp", "TCDAE3A.tmp", "TCDAF85.tmp", "TCDB081.tmp", "TCDB0D1.tmp", "TCDB1EC.tmp", "TCDB24C.tmp", "TCDB377.tmp", "TCDB388.tmp", "TCDB5DC.tmp", "TCDB699.tmp", "TCDB7F3.tmp", "TCDB8FF.tmp", "TCDB96E.tmp", "TCDBAF7.tmp", "TCDBB18.tmp", "TCDBCDF.tmp", "TCDBE29.tmp", "TCDBE4B.tmp", "TCDBF75.tmp", "TCDBFB6.tmp", "TCDC016.tmp", "TCDC047.tmp", "TCDC133.tmp", "TCDC1F0.tmp", "TCDC379.tmp", "TIM.exe", "TOTALCMD64.EXE", "Timwp.exe", "VBE", "WPDNSE", "WeChat.exe", "dd_vcredist_x86_20190507025919.log", "dd_vcredist_x86_20190507025919_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20190507025919_001_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20190507025958.log", "dd_vcredist_x86_20190507025958_001_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20190507025958_002_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20190507030029.log", "hsperfdata_Administrator", "jawshtml.html", "jusched.log", "main.exe", "navicat.exe", "outlook logging", "tmp0dgy8u", "wsa123.exe", "{1C306CB1-771E-4B4B-A902-86E897877F5B}.jpg", "~DF8644E64CA01A218F.TMP"],
    "DesktopFiles": ["DsGaLSzflu.docx", "desktop.ini", "kgnGFCzxsHo.ppt", "saDFoZCLTCK.pptx", "uNPPMKXOmp.pptx", "xaYfucvcptb.ppt"],
    "DiskInfos": [" free -328 MB avail -328 MB total -913 MB "]
  }

3x0

Windows 7 SP1 Pro 32

 
  {
    "Hostname": "WIN-3AI1DIQI7NN",
    "Username": "WIN-3AI1DIQI7NN\\Administrator",
    "Uid": "S-1-5-21-4209391066-2031757954-2950908010-500",
    "Gid": "S-1-5-21-4209391066-2031757954-2950908010-513",
    "Platform": "Microsoft Windows 7 Professional Service Pack 1",
    "PlatformFamily": "Standalone Workstation",
    "PlatformVersion": "6.1.7601 Build 7601",
    "Cpu": "1",
    "BootTime": "1658221348",
    "UpTime": "133",
    "Disk": "C: D: ",
    "Mac": ["本地连接 2 00:16:3e:eb:ca:65", "isatap.{ACF86E96-BF0F-433A-BE2B-29CE9110C5C6} 00:00:00:00:00:00:00:e0"],
    "Procs": "40",
    "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dwm.exe explorer.exe spoolsv.exe svchost.exe taskhost.exe liteagent.exe WmiPrvSE.exe svchost.exe svchost.exe SearchIndexer.exe wmpnetwk.exe svchost.exe taskhost.exe mobsync.exe WmiPrvSE.exe dllhost.exe mscorsvw.exe sppsvc.exe SearchProtocolHost.exe SearchFilterHost.exe 8frufytb_829929069.exe ",
    "TempFiles": ["28299290697e835af887eeffd55331f9", "ASPNETSetup_00000.log", "AUCHECK_PARSER.txt", "CVR1A53.tmp.cvr", "DMI7C7F.tmp", "DMI7CCE.tmp", "DMI7D7A.tmp", "FXSAPIDebugLogFile.txt", "IME2010imeklmg00000001.log", "IME2010imeklmg00000002.log", "IME2010imeklmg00000003.log", "JAUReg.log", "Kno6F74.tmp", "Kno7CFB.tmp", "Kno7D59.tmp", "Low", "Microsoft .NET Framework 4 Setup_20200721_203001434-MSI_netfx_Core_x86.msi.txt", "Microsoft .NET Framework 4 Setup_20200721_203001434-MSI_netfx_Extended_x86.msi.txt", "Microsoft .NET Framework 4 Setup_20200721_203001434.html", "Microsoft .NET Framework 4 Setup_4.0.30319", "Microsoft Visual C 2010 x86 Redistributable Setup_10.0.30319", "Microsoft Visual C 2010 x86 Redistributable Setup_20200716_172954925-MSI_vc_red.msi.txt", "Microsoft Visual C 2010 x86 Redistributable Setup_20200716_172954925.html", "OneNoteRuntimeCache", "OneNote_MigrationLog.txt", "RGI390F.tmp", "RGI390F.tmp-tmp", "Rar$EXa0.016", "Rar$EXa0.428", "Rar$EXa0.529", "Rar$EXa0.859", "Rar$EXa0.911", "Setup000002e0", "Setup00000dd0", "SetupExe(20200721191235F90).log", "SetupExe(20200721191520DCC).log", "SetupExe(202007211923372E0).log", "SetupExe(20200721193448BC8).log", "SetupExe(20200721193623DD0).log", "SetupExe(20200721193828F1C).log", "SetupExe(20200721194221B08).log", "SetupExe(20200721194303BC0).log", "Ultra$ISO", "UserInfoSetup(20200721193828F1C).log", "UserInfoSetup(20200721194221B08).log", "UserInfoSetup(20200721194303BC0).log", "VBE", "WPDNSE", "config.model.xml", "configModel.xml", "dd_SetupUtility.txt", "dd_dotnet_decompression_log.txt", "dd_vcredistMSI0508.txt", "dd_vcredistUI0508.txt", "dd_vcredist_x86_20200716173003.log", "dd_vcredist_x86_20200716173003_0_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173003_1_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173015.log", "dd_vcredist_x86_20200716173015_0_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173015_1_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173026.log",
      "dd_vcredist_x86_20200716173026_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173026_001_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173047.log", "dd_vcredist_x86_20200716173047_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173047_001_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173109.log", "dd_wcf_CA_smci_20200721_123142_475.txt", "hsperfdata_Administrator", "java_install.log", "java_install_reg.log", "jusched.log", "langs.model.xml", "langsModel.xml", "nppLocalization", "ose00000.exe", "outlook logging", "stylers.model.xml", "stylers_remove.xml", "stylesGlobalModel.xml", "stylesLexerModel.xml", "vKHzvAZ", "wmplog00.sqm", "wmplog01.sqm", "wmsetup.log", "xmlUpdater.exe", "~DF3E206C0835443121.TMP"],
    "DesktopFiles": ["Internet Explorer.lnk", "Microsoft Excel 2010.lnk", "Microsoft OneNote 2010.lnk", "Microsoft Outlook 2010.lnk", "Microsoft PowerPoint 2010.lnk", "Microsoft Word 2010.lnk", "My Document.doc", "My Document.docx", "My Document.ppt", "My Document.pptx", "My Document.rtf", "My Document.txt", "My Document.xls", "My Document.xlsx", "desktop.ini"],
    "DiskInfos": [" free 37 MB avail 37 MB total -51 MB ", " free -48 MB avail -48 MB total -1 MB "]
  }

Hybrid Analysis

  {
    "Hostname": "HAPUBWS-PC",
    "Username": "7vVtzvDKth\\DIXkeMT",
    "Uid": "S-1-5-21-2092356043-4041700817-663127204-1001",
    "Gid": "S-1-5-21-2092356043-4041700817-663127204-513",
    "Platform": "Microsoft Windows 7 Professional Service Pack 1",
    "PlatformFamily": "Standalone Workstation",
    "PlatformVersion": "6.1.7601 Build 7601",
    "Cpu": "2",
    "BootTime": "1657307906",
    "UpTime": "907360",
    "Disk": "C: Z: ",
    "Mac": ["Local Area Connection 62:58:52:95:75:56", "isatap.scl3.dc 00:00:00:00:00:00:00:e0"],
    "Procs": "39",
    "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe svchost.exe spoolsv.exe svchost.exe taskhost.exe dwm.exe explorer.exe svchost.exe svchost.exe conhost.exe WmiPrvSE.exe OSPPSVC.EXE conhost.exe conhost.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe dllhost.exe main.exe mobsync.exe ",
    "TempFiles": ["10D5CC3F-71C4-40D7-8173-E990C25C1412.Diagnose.Admin.0.etl", "99F9947D-30DB-4640-92C7-6BB2A24B05F1.Diagnose.Admin.0.etl", "AA7D7BE8-CE8F-4570-A39C-1992F0466AAE.Diagnose.Admin.0.etl", "ASPNETSetup_00001.log", "ASPNETSetup_00002.log", "AdobeARM.log", "AdobeARM_NotLocked.log", "AdobeSFX.log", "Adobe_ADMLogs", "CVR640E.tmp.cvr", "CVR78E9.tmp.cvr", "CVRC166.tmp.cvr", "CVRE8FB.tmp.cvr", "FXSAPIDebugLogFile.txt", "HAPUBWS-PC-20171203-1827.log", "HAPUBWS-PC-20171203-1827a.log", "HAPUBWS-PC-20171203-1827b.log", "HAPUBWS-PC-20171204-1724.log", "HNCDownload", "HShow90", "HancomESD", "Hnc", "HncUpdate.txt", "Hwp80", "Hwp90", "JavaDeployReg.log", "Low", "Microsoft .NET Framework 4.7.1 Setup_20171203_174215874-MSI_netfx_Full_x86.msi.txt", "Microsoft .NET Framework 4.7.1 Setup_20171203_174215874.html", "Microsoft .NET Framework 4.8 Setup_20200214_151530609-MSI_netfx_Full_x86.msi.txt", "Microsoft .NET Framework 4.8 Setup_20200214_151530609.html", "NDFDiag.tmp", "PrinterSetup.log", "ProcessList.txt", "Python 3.6.3 (32-bit)_20171204192711.log", "Python 3.6.3 (32-bit)_20171204192711_000_core_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_001_dev_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_002_exe_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_003_lib_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_004_test_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_005_doc_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_006_tools_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_007_tcltk_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_008_launcher_AllUsers.log", "Python 3.6.3 (32-bit)_20171204192711_009_pip_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_010_path_JustForMe.log", "RGI7358.tmp", "RGI7358.tmp-tmp", "RGIA802.tmp", "RGIA802.tmp-tmp", "Setup00000588", "Setup00000ab0", "Setup00000adc", "SetupExe(2017120417370864C).log", "SetupExe(20180717121800DF8).log", "SetupExe(20180717122451248).log",
      "SetupExe(201807171224585BC).log", "SetupExe(20180717122536ADC).log", "SetupExe(20180717123728CF4).log", "SetupExe(20190129154611C6C).log", "SetupExe(2019012916352912C).log", "SetupExe(20190129164246588).log", "SetupExe(20190129164731D68).log", "SetupExe(20210127110003AB0).log", "SetupExe(20210127110250AC4).log", "Silverlight0.log", "SilverlightMSI.log", "TCD7656.tmp", "TCD7657.tmp", "TCD7658.tmp", "TCD7659.tmp", "TCD765A.tmp", "TCD765B.tmp", "TCD765C.tmp", "TCD765D.tmp", "TCD767C.tmp", "TCD7687.tmp", "TCD769D.tmp", "TCD769F.tmp", "TCD76AB.tmp", "TCD76B7.tmp", "TCD76B9.tmp", "TCD76C5.tmp", "TCD76DB.tmp", "TCD76E7.tmp", "TCD76F3.tmp", "TCD76FF.tmp", "TCD770B.tmp", "TCD7717.tmp", "TCD7723.tmp", "TCD772F.tmp", "TCD773B.tmp", "TCD7747.tmp", "TCD7749.tmp", "TCD7755.tmp", "TCD7761.tmp", "TCD7763.tmp", "TCD776F.tmp", "TCD777B.tmp", "TCD777D.tmp", "TCD7789.tmp", "TCD7795.tmp", "TFRAE69.tmp", "UserInfoSetup(20180717121800DF8).log", "VBE", "VBoxGuestAdditions", "VirtualBox Dropped Files", "WPDNSE", "ccversion.tag", "chromesetup.msi", "dat17FA.tmp", "dat17FB.tmp", "dat2336.tmp", "dat4FD7.tmp", "dat4FF7.tmp", "dat5008.tmp", "dat558A.tmp", "dat558B.tmp", "dat558C.tmp", "dat680B.tmp", "dat681B.tmp", "dat681C.tmp", "dat71C3.tmp", "dat7824.tmp", "dat7825.tmp", "dat7836.tmp", "dat81B.tmp", "dat9021.tmp", "dat9022.tmp", "dat9355.tmp", "dat95C7.tmp", "dat9CFD.tmp", "datB64D.tmp", "datBB64.tmp", "datC673.tmp", "datC783.tmp", "datC794.tmp", "datC795.tmp", "datC796.tmp", "datCB0D.tmp", "datCB0E.tmp", "datCB0F.tmp", "datCB10.tmp", "datD4D6.tmp", "datDE99.tmp", "datDE9A.tmp", "datDEAB.tmp", "dd_NDP471-KB4033342-x86-x64-AllOS-ENU_decompression_log.txt", "dd_SetupUtility.txt", "dd_dotnet48_decompression_log.txt", "dd_vcredistMSI32CB.txt", "dd_vcredistUI32CB.txt", "dd_vcredist_x86_20171203174931.log", "dd_vcredist_x86_20171203174931_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20171203174931_001_vcRuntimeAdditional_x86.log", "dd_wcf_CA_smci_20171203_164234_020.txt",
      "dd_wcf_CA_smci_20200214_141755_312.txt", "hsperfdata_HAPUBWS", "jawshtml.html", "jusched.log", "lilo.1028", "mozilla-temp-files", "msdtadmin", "ose00000.exe", "outlook logging", "tmpaddon", "tmpaddon-9dca54", "vxaction.log", "{1C306CB1-771E-4B4B-A902-86E897877F5B}.jpg", "~DF0143E214B8C9E6AE.TMP", "~DF077413B5F655E35F.TMP", "~DF07B80DBE1CCF0C79.TMP", "~DF07FD0640D4EA82C9.TMP", "~DF08090ACC356DFC21.TMP", "~DF093490451CAE83AB.TMP", "~DF0ED01EC732FDAFA2.TMP", "~DF0EF0E18548EEA293.TMP", "~DF0F0F234644F49DE2.TMP", "~DF101308F7E81C54F4.TMP", "~DF116385E86BED55F5.TMP", "~DF1B5DF0D392F9E6C7.TMP", "~DF1F0DDC5F8B609DE8.TMP", "~DF271EE0B23449FD12.TMP", "~DF2771B7C2AFD95939.TMP", "~DF337C0FE6AA3638C9.TMP", "~DF3585DA09B06D7E6D.TMP", "~DF398875B6755A22D2.TMP", "~DF3998002D6736F250.TMP", "~DF3BF1549098C3A3EF.TMP", "~DF3CC3C2F6C7776C4B.TMP", "~DF3FDA0C963CDEAEE4.TMP", "~DF40B648C0F2208FD2.TMP", "~DF41FFA924ADD67CE9.TMP", "~DF441C00F9EB6EB3CD.TMP", "~DF49006E350003EDAC.TMP", "~DF4B7C162F8F1CD972.TMP", "~DF4EE8A3A5CC156CE0.TMP", "~DF57339DF37D21BCD5.TMP", "~DF592AE2FC335E9F76.TMP", "~DF5B01072A4E03E492.TMP", "~DF5F0721D3B42DE902.TMP", "~DF62BF266AE832DD48.TMP", "~DF636ACE35E31011D2.TMP", "~DF6441493643A1F3A5.TMP", "~DF666651D70D3DA7EE.TMP", "~DF683666592FDF2EB3.TMP", "~DF756849845F24A090.TMP", "~DF757013ED8B56164D.TMP", "~DF7637732D3A85F269.TMP", "~DF790314186277E4A2.TMP", "~DF7B7DE2DED068BC09.TMP", "~DF89A65B2040F30C8F.TMP", "~DF8D37FE8D880D3185.TMP", "~DF8F0345C6CD888054.TMP", "~DF9182A01DA4D935FB.TMP", "~DF95FD6AF88DCD1AFB.TMP", "~DFA8A2B36753303ED2.TMP", "~DFA9EA58B172B43D82.TMP", "~DFAA50C5778E3DE2B9.TMP", "~DFB0FC97C4D2D510EB.TMP", "~DFB3F2CC227B95F4E7.TMP", "~DFB99F8C31CBB44EE4.TMP", "~DFBC669D44D419653F.TMP", "~DFC2B5D92B6664FFF1.TMP", "~DFC6A6CC22E4ED1D84.TMP", "~DFC95AC5F598668FBA.TMP", "~DFCDD6CF39DA6E89FA.TMP", "~DFD526B1CA2A67FC42.TMP", "~DFD7D5A4DE136CCB0E.TMP", "~DFD9FDF3F6C945C7B5.TMP", "~DFDA7311B468259D69.TMP", "~DFE12EE24DED8F1C5B.TMP", "~DFE8A1E01BFAFF2921.TMP",
      "~DFEA5B20C0E8F490C2.TMP", "~DFF0D25BB8135B3015.TMP", "~DFF45532CAEBA50EC9.TMP", "~DFF83E0CB58F7C7DB8.TMP", "~DFF8D79AF7CFF50FF8.TMP", "~DFFC4CABF8DB22D782.TMP", "~DFFEB1D8F752EE02C2.TMP"],
    "DesktopFiles": ["desktop.ini"],
    "DiskInfos": [" free 888 MB avail 888 MB total 0 MB ", " free 888 MB avail 888 MB total 0 MB "]
  }

Desktop characteristics

After taking a screenshot of the desktop, the desktops of some sandboxes look like this:
Sandbox 1: (screenshot not reproduced in this copy of the page)
Sandbox 2: (screenshot not reproduced in this copy of the page)

Feature extraction

From the dumps above, the sandboxes share roughly the following characteristics:
1. A MAC address of 00:00:00:00:00:00:00:e0 is present.
2. Some expose only a C: drive.
3. Some report negative disk sizes.
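As an added example (not the author's collector and not any sandbox vendor's code), the Python script below takes a report in the JSON layout of the dumps above and checks it against the indicators this page names: the vmtoolsd.exe process and the temp-file count from the methods section, the ISATAP MAC, single C: drive and negative disk sizes extracted here, and the desktop.ini-only desktop seen in the dumps. The two embedded reports are constructed samples, not real captures; the script is written for a sandbox operator auditing how fingerprintable their own environment is, and because 00:00:00:00:00:00:00:e0 is the fixed address of the Windows ISATAP tunnel adapter and also appears on ordinary Windows 7 hosts, it reports each indicator separately instead of a single verdict.

```python
import json
import re

# Constructed sample reports in the same layout as the dumps above.
# Values are shortened and invented for illustration; they are not captures.
SANDBOX_REPORT = json.dumps({
    "Hostname": "DESKTOP-EXAMPLE",
    "Username": "DESKTOP-EXAMPLE\\Admin",
    "Platform": "Microsoft Windows 7 Ultimate Service Pack 1",
    "UpTime": "96",
    "Disk": "C: ",
    "Mac": ["Local Area Connection 52:54:00:aa:bb:cc",
            "isatap.{EXAMPLE-GUID} 00:00:00:00:00:00:00:e0"],
    "Process": "[System Process] System smss.exe csrss.exe vmtoolsd.exe explorer.exe main.exe ",
    "TempFiles": ["gen_py", "log_de.log"],
    "DesktopFiles": ["desktop.ini"],
    "DiskInfos": [" free -725 MB avail -725 MB total 494 MB "],
})

WORKSTATION_REPORT = json.dumps({
    "Hostname": "LAPTOP-EXAMPLE",
    "Username": "LAPTOP-EXAMPLE\\alice",
    "Platform": "Microsoft Windows 10 Pro",
    "UpTime": "412233",
    "Disk": "C: D: ",
    "Mac": ["Wi-Fi 3c:22:fb:11:22:33", "Ethernet 8c:16:45:aa:bb:cc"],
    "Process": "[System Process] System smss.exe csrss.exe explorer.exe chrome.exe outlook.exe ",
    "TempFiles": ["tmp%d.tmp" % i for i in range(12)],
    "DesktopFiles": ["desktop.ini", "report.docx", "budget.xlsx", "photo.jpg"],
    "DiskInfos": [" free 120345 MB avail 120345 MB total 487210 MB ",
                  " free 51200 MB avail 51200 MB total 953870 MB "],
})

# Fixed link-layer address of the Windows ISATAP tunnel adapter.
ISATAP_MAC = "00:00:00:00:00:00:00:e0"
# Matches the DiskInfos strings emitted by the collector, negative values included.
DISK_RE = re.compile(r"free\s+(-?\d+)\s+MB\s+avail\s+(-?\d+)\s+MB\s+total\s+(-?\d+)\s+MB")


def audit(report_json):
    """Return {indicator name: bool} for one fingerprint report."""
    r = json.loads(report_json)
    procs = {p.lower() for p in r.get("Process", "").split()}
    drives = r.get("Disk", "").split()
    sizes = []
    for info in r.get("DiskInfos", []):
        m = DISK_RE.search(info)
        if m:
            sizes.extend(int(n) for n in m.groups())
    non_default_desktop = [f for f in r.get("DesktopFiles", []) if f.lower() != "desktop.ini"]
    return {
        # Method 1 on the page: VMware Tools service in the process list.
        "vmtoolsd_process": "vmtoolsd.exe" in procs,
        # Method 3 on the page: fewer than 10 entries in the temp directory.
        "few_temp_files": len(r.get("TempFiles", [])) < 10,
        # Extracted feature 1: ISATAP adapter address present.
        "isatap_mac": any(m.strip().lower().endswith(ISATAP_MAC) for m in r.get("Mac", [])),
        # Extracted feature 2: C: is the only volume.
        "only_c_drive": drives == ["C:"],
        # Extracted feature 3: the report contains negative disk sizes.
        "negative_disk_size": any(s < 0 for s in sizes),
        # Seen in the dumps: the desktop holds nothing but desktop.ini.
        "bare_desktop": not non_default_desktop,
    }


def tell_tale_count(report_json):
    """Number of indicators that fire; a sandbox operator wants this near zero."""
    return sum(audit(report_json).values())


if __name__ == "__main__":
    for name, rep in [("sandbox-like", SANDBOX_REPORT), ("workstation-like", WORKSTATION_REPORT)]:
        print(name, tell_tale_count(rep), audit(rep))
```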

Summary

As the data shows, most sandboxes have very obvious tell-tales; it is enough to check for the extracted features in code.

Recommended project

https://github.com/LordNoteworthy/al-khaser

This article was contributed by an internet user; the views expressed are the author's own and do not represent this site's position. The site only provides storage space and does not own the content or bear legal liability for it. If reproduced, please cite the source: http://www.coloradmin.cn/o/1121141.html
