onhexgroup/TABPE

GitHub: onhexgroup/TABPE

A monthly updated baseline dataset of Windows PE files, giving security researchers complete structured information on every executable found in a clean system environment.

Stars: 0 | Forks: 0

# TABPE

## What is TABPE?

**TABPE** (a combination of **TABriz** + **PE**; Tabriz is my hometown, and I named this project out of love for the city) is an open, structured dataset containing information on **every PE file** (Windows executables, including `.exe`, `.dll`, `.sys`, etc.) present on freshly installed, fully updated Windows 10 Pro and Windows 11 Pro systems.

**My workflow is as follows:**

- I installed Windows, and after each monthly Microsoft security update release (Patch Tuesday) I try to update the system.
- In some months the update is applied on Patch Tuesday itself or a few days later.
- In other months, for various reasons (for example, internet outages in Iran), I cannot update on time. In those cases I download and install the update files (`.msu`) manually.
- As a result, **the exact scan time relative to Patch Tuesday may vary by a few days to a few weeks.** Either way, every update Microsoft released before the scan date has been applied to the system.

## Project Output

Each Release provides three main files:

| File | Description |
| :--- | :--- |
| `pe_files_info.json` | Main file with complete information on every PE file (headers, sections, imports, exports, SHA256 hash, security info, LOAD_CONFIG, etc.) |
| `file_list.txt` | Complete list of the paths of all PE files in that specific Windows version |
| `scanner.log` | Log of files the scanner could not access (Access Denied) and of other errors |

### Sample structure of `pe_files_info.json`

```
{
  "scan_info": {
    "start_time": "2026-06-04T06:21:51-07:00",
    "end_time": "2026-06-04T08:09:37-07:00",
    "duration": "1h 47m 45s",
    "windows_version": {
      "os_name": "Windows 11 Pro",
      "os_version": "10.0.26100.8457 Build 26100",
      "system_type": "x64-based PC",
      "version": "24H2",
      "last_update": "KB5087054"
    },
    "total_files": 29377,
    "error_files": 12,
    "error_files_list": [
      { "id": 7618, "path": "C:\\Windows\\SysWOW64\\compobj.dll" },
      { "id": 8561, "path": "C:\\Windows\\SysWOW64\\ole2disp.dll" },
      { "id": 8562, "path": "C:\\Windows\\SysWOW64\\ole2nls.dll" },
      { "id": 8560, "path": "C:\\Windows\\SysWOW64\\ole2.dll" },
      { "id": 8839, "path": "C:\\Windows\\SysWOW64\\storage.dll" },
      { "id": 8912, "path": "C:\\Windows\\SysWOW64\\typelib.dll" },
      { "id": 28768, "path": "C:\\Windows\\WinSxS\\x86_microsoft-windows-n..nd-syswow64-payload_31bf3856ad364e35_1.0.26100.1_none_d3b8ff829e6c9bfb\\ole2.dll" },
      { "id": 28767, "path": "C:\\Windows\\WinSxS\\x86_microsoft-windows-n..nd-syswow64-payload_31bf3856ad364e35_1.0.26100.1_none_d3b8ff829e6c9bfb\\compobj.dll" },
      { "id": 28769, "path": "C:\\Windows\\WinSxS\\x86_microsoft-windows-n..nd-syswow64-payload_31bf3856ad364e35_1.0.26100.1_none_d3b8ff829e6c9bfb\\ole2disp.dll" },
      { "id": 28770, "path": "C:\\Windows\\WinSxS\\x86_microsoft-windows-n..nd-syswow64-payload_31bf3856ad364e35_1.0.26100.1_none_d3b8ff829e6c9bfb\\ole2nls.dll" },
      { "id": 28772, "path": "C:\\Windows\\WinSxS\\x86_microsoft-windows-n..nd-syswow64-payload_31bf3856ad364e35_1.0.26100.1_none_d3b8ff829e6c9bfb\\typelib.dll" },
      { "id": 28771, "path": "C:\\Windows\\WinSxS\\x86_microsoft-windows-n..nd-syswow64-payload_31bf3856ad364e35_1.0.26100.1_none_d3b8ff829e6c9bfb\\storage.dll" }
    ]
  },
  "pe_files": [
    {
      "id": 1,
      "filename": "msdaosp.dll",
      "path": "C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll",
      "sha256": "38390b62e81fd3381d6ea2d50c5e35ff93370e70122326c0cb8de53f9f9085d0",
      "file_type": "dll",
      "has_rich_header": "YES",
      "machine": "AMD64",
      "time_date_stamp": "2010-06-03 08:46:58 UTC",
      "characteristics": [ "EXECUTABLE_IMAGE", "LARGE_ADDRESS_AWARE", "UP_SYSTEM_ONLY" ],
      "magic": "PE32+",
      "major_linker_version": 14,
      "minor_linker_version": 38,
      "major_os_version": 10,
      "minor_os_version": 0,
      "major_image_version": 10,
      "minor_image_version": 0,
      "major_subsystem_version": 10,
      "minor_subsystem_version": 0,
      "checksum": 188850,
      "subsystem": "WINDOWS_GUI",
      "dll_characteristics": [ "DYNAMIC_BASE", "GUARD_CF", "HIGH_ENTROPY_VA", "NX_COMPAT" ],
      "data_directories": [ "EXPORT_TABLE", "IMPORT_TABLE", "RESOURCE_TABLE", "EXCEPTION_TABLE", "BASE_RELOCATION_TABLE", "DEBUG", "LOAD_CONFIG_TABLE", "IAT" ],
      "sections": [
        { "name": ".text", "characteristics": [ "CNT_CODE", "MEM_EXECUTE", "MEM_SHARED" ] },
        { "name": "fothk", "characteristics": [ "CNT_CODE", "MEM_EXECUTE", "MEM_SHARED" ] },
        { "name": ".rdata", "characteristics": [ "CNT_INITIALIZED_DATA", "MEM_EXECUTE" ] },
        { "name": ".data", "characteristics": [ "CNT_INITIALIZED_DATA", "MEM_EXECUTE", "MEM_READ" ] },
        { "name": ".pdata", "characteristics": [ "CNT_INITIALIZED_DATA", "MEM_EXECUTE" ] },
        { "name": ".rsrc", "characteristics": [ "CNT_INITIALIZED_DATA", "MEM_EXECUTE" ] },
        { "name": ".reloc", "characteristics": [ "CNT_INITIALIZED_DATA", "LNK_NRELOC_OVFL", "MEM_EXECUTE" ] }
      ],
      "exports": [ "DllCanUnloadNow", "DllGetClassObject", "DllMain", "DllRegisterServer", "DllUnregisterServer" ],
      "imports": [
        { "dll_name": "ADVAPI32.DLL", "functions": [ "RegCloseKey", "RegOpenKeyExW", "RegQueryValueExW" ] },
        { "dll_name": "KERNEL32.DLL", "functions": [ "CompareStringA", "CompareStringW", "DeleteCriticalSection", "DisableThreadLibraryCalls", "EnterCriticalSection", "GetCurrentProcess", "GetCurrentProcessId", "GetCurrentThread", "GetCurrentThreadId", "GetProcessHeap", "GetSystemDefaultLCID", "GetSystemInfo", "GetSystemTimeAsFileTime", "GetTickCount", "InitializeCriticalSection", "LeaveCriticalSection", "MultiByteToWideChar", "QueryPerformanceCounter", "RtlCaptureContext", "RtlLookupFunctionEntry", "RtlVirtualUnwind", "SetUnhandledExceptionFilter", "Sleep", "TerminateProcess", "TryEnterCriticalSection", "UnhandledExceptionFilter", "WideCharToMultiByte" ] },
        { "dll_name": "MSVCRT.DLL", "functions": [ "_XcptFilter", "__C_specific_handler", "_amsg_exit", "_callnewh", "_initterm", "_mbsinc", "_purecall", "_wcsicmp", "floor", "free", "malloc", "memcmp", "memcpy", "memmove", "memset", "realloc" ] },
        { "dll_name": "OLE32.DLL", "functions": [ "CLSIDFromProgID", "CoCreateInstance", "CoGetMalloc", "CoTaskMemFree", "ProgIDFromCLSID", "StringFromCLSID" ] },
        { "dll_name": "USER32.DLL", "functions": [ "DispatchMessageW", "LoadStringW", "MsgWaitForMultipleObjects", "PeekMessageW", "TranslateMessage" ] }
      ],
      "debug_info": [ "CODEVIEW" ],
      "mitigations": [ "DYNAMIC_BASE/ASLR", "NX_COMPAT/DEP", "CFG", "HIGH_ENTROPY_VA" ],
      "has_certificate": false,
      "load_config": {
        "raw": "00000148 size\n0 time date stamp\n0.00 Version\n0 GlobalFlags Clear\n0 GlobalFlags Set\n0 Critical Section Default Timeout\n0 Decommit Free Block Threshold\n0 Decommit Total Free Threshold\n0000000000000000 Lock Prefix Table\n0 Maximum Allocation Size\n0 Virtual Memory Threshold\n0 Process Affinity Mask\n0 Process Heap Flags\n0 CSD Version\n0000 Dependent Load 
Flag\n0000000000000000 Edit List\n00000001800190C0 Security Cookie\n0000000180015B38 Guard CF address of check-function pointer\n0000000180015B40 Guard CF address of dispatch-function pointer\n0000000180015BD4 Guard CF function table\nA5 Guard CF function count\n10417500 Guard Flags\nCF instrumented\nFID table present\nProtect delayload IAT\nDelayload IAT in its own section\nExport suppression info present\nLong jump target table present\nEH Continuation table present\n0000 Code Integrity Flags\n0000 Code Integrity Catalog\n00000000 Code Integrity Catalog Offset\n00000000 Code Integrity Reserved\n0000000000000000 Guard CF address taken IAT entry table\n0 Guard CF address taken IAT entry count\n0000000000000000 Guard CF long jump target table\n0 Guard CF long jump target count\n0000000000000000 Dynamic value relocation table\n0000000000000000 Hybrid metadata pointer\n0000000000000000 Guard RF address of failure-function\n0000000000000000 Guard RF address of failure-function pointer\n00000228 Dynamic value relocation table offset\n0007 Dynamic value relocation table section\n0000 Reserved2\n0000000000000000 Guard RF address of stack pointer verification function pointer\n00000000 Hot patching table offset\n0000 Reserved3\n0000000000000000 Enclave configuration pointer\n0000000000000000 Volatile metadata pointer\n0000000180015B90 Guard EH continuation table\nD Guard EH continuation count\n0000000180015B48 Guard XFG address of check-function pointer\n0000000180015B50 Guard XFG address of dispatch-function pointer\n0000000180015B58 Guard XFG address of dispatch-table-function pointer\n0000000180015B60 CastGuard OS determined failure mode\n0000000000000000 Guard memcpy function pointer\nGuard CF Function 
Table\nAddress\n--------\n0000000180001060\n00000001800012E0\n0000000180001550\n00000001800017D0\n0000000180001AA0\n0000000180001AC0\n0000000180001AE0\n0000000180001B60\n0000000180001BA0\n0000000180001CF0\n0000000180001D10\n0000000180001D30\n0000000180001D40\n0000000180001D50\n0000000180001D60\n0000000180001D70\n0000000180002080\n00000001800022C0\n00000001800022D0\n00000001800022F0\n0000000180002B70\n0000000180003470\n00000001800034D0\n0000000180003D20\n0000000180003D30\n0000000180003D40\n0000000180003F30\n0000000180003F50\n0000000180003F60\n0000000180003F70\n0000000180003F80\n0000000180003F90\n0000000180003FA0\n0000000180003FC0\n0000000180003FD0\n0000000180003FE0\n0000000180003FF0\n0000000180004000\n0000000180004010\n0000000180004500\n00000001800046A0\n0000000180004800\n0000000180004810\n0000000180004840\n0000000180004A30\n0000000180005490\n00000001800054A0\n00000001800055A0\n0000000180005710\n00000001800057A0\n00000001800057B0\n00000001800059B0\n0000000180005AD0\n0000000180005B70\n0000000180005BB0\n0000000180005BD0\n0000000180005C10\n0000000180005E00\n00000001800062F0\n00000001800064C0\n0000000180006890\n00000001800068D0\n0000000180006A00\n0000000180006BB0\n0000000180006C30\n0000000180006C50\n0000000180007150\n00000001800075B0\n00000001800076A0\n0000000180007C60\nE 0000000180008570\nE 00000001800085E0\nE 
00000001800088F0\n0000000180008BD0\n00000001800094F0\n0000000180009B80\n000000018000A040\n000000018000A060\n000000018000A0A0\n000000018000A3E0\n000000018000A420\n000000018000A620\n000000018000A790\n000000018000A890\n000000018000A8C0\n000000018000A930\n000000018000AA40\n000000018000AA70\n000000018000AAF0\n000000018000AB20\n000000018000AB80\n000000018000AC70\n000000018000ACA0\n000000018000AD30\n000000018000ADB0\n000000018000AE00\n000000018000AF40\n000000018000B470\n000000018000B630\n000000018000BA90\n000000018000CFF0\n000000018000D0D0\n000000018000D190\n000000018000D2E0\n000000018000D2F0\n000000018000D300\n000000018000D310\n000000018000D320\n000000018000D330\n000000018000D350\n000000018000D360\n000000018000D450\n000000018000D4C0\n000000018000D910\n000000018000D930\n000000018000E030\n000000018000E5B0\n000000018000EBF0\n000000018000EC00\n000000018000EF90\n000000018000F370\n000000018000F6F0\n000000018000F780\n000000018000F7D0\n000000018000F7E0\n000000018000F800\n000000018000F820\n000000018000F830\n000000018000FA80\n000000018000FCA0\n00000001800102A0\n0000000180010440\n00000001800104B0\n00000001800105D0\n0000000180010680\n0000000180010960\n0000000180010970\n0000000180010980\n0000000180010990\n00000001800109A0\n00000001800109B0\n0000000180010A10\n0000000180010A20\n0000000180010A30\n0000000180010A40\n0000000180010A50\n0000000180010A60\n0000000180010B50\n0000000180010B90\n0000000180010C90\n0000000180010D00\n0000000180010E80\n0000000180010FD0\n0000000180011580\n0000000180011750\n0000000180012050\n0000000180013080\n0000000180013100\n0000000180013120\n0000000180013140\n0000000180013170\n0000000180013180\n0000000180013190\n00000001800131C0\n00000001800131E0\nGuard EH Continuation Table\nAddress\n--------\n00000001800013A3\n00000001800013DA\n0000000180001411\n000000018000143E\n0000000180001460\n000000018000148E\n00000001800014C4\n0000000180001508\n0000000180001640\n00000001800085C4\n0000000180008B93\n000000018000D49B\n0000000180010CE8\nDynamic Value Relocation Table (version: 
1)\nSymbol VA: 0000000000000007 IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE\nTotal function overrides size: 20 bytes\nBDD data: 20 bytes\nFunction Override (1)\nOriginal RVA: 00013480\nBDD Offset: 0\nRVA array size: 4\nReloc size: C\nRVAs:\n[00000000] 00013480\nBDD (version: 1, 18 bytes):\n[00000000] 0002, 0001, 00000142\n[00000001] 0001, 0001, 00000000\n[00000002] 0000, 0000, 00000000\nFixup RVAs:\n[00000000] = page 00014000 rva 00014011 type 1"
      }
    },
```

## Cybersecurity Use Cases

### Defense (Blue Team)

- **Masquerading detection:** By comparing the hashes of files on a system against those in TABPE, you can detect fake files and malware posing as legitimate system files (for example, a fake `svchost.exe`).
- **Forensic analysis:** By searching TABPE for a file's hash, you can quickly determine whether it belongs to Windows itself or is an external threat.
- **LOLBin identification (Living Off the Land Binaries):** By examining the capabilities of legitimate Windows files (via their imports and exports), you can understand which built-in tools attackers might use to execute malicious code.

### Offense (Red Team)

- **DLL Side-Loading:** By inspecting a legitimate executable's import table, you can determine which DLLs that executable loads. This information is central to DLL side-loading techniques.
- **Finding files without security mitigations:** By checking the `mitigations` section, you can find files lacking ASLR or DEP, which makes exploit development easier.
- **LOLBin identification (Living Off the Land Binaries):** For red teams, knowing which legitimate Windows files have capabilities such as code execution, file download, or network communication is essential.

### Malware Analysis and Exploit Development

- **Packer detection:** Packed malware usually has unusual sections. TABPE provides a baseline of normal files so you can spot anomalies faster.
- **Mitigation checks:** Before writing an exploit, you need to know which security mechanisms (ASLR, DEP, CFG, etc.) are active on the target file. TABPE gives you that information.

### Tracking Changes Over Time (Binary Diffing)

By comparing the PE files of two different Releases, you can:

- See exactly which files changed during each Patch Tuesday.
- Identify silent security patches.
- Track file changes to analyze zero-day vulnerabilities.

## Technical Information

| Property | Value |
| :--- | :--- |
| **Platform** | Windows 10 Pro & Windows 11 Pro (x64) |
| **Virtualization environment** | VMware Workstation (isolated VM, no host interference) |
| **Update frequency** | Monthly (after each Patch Tuesday) |
| **PE files per release** | Approximately 25,000 – 31,000 files |
| **Output format** | JSON (processable with Python, PowerShell, C#, etc.) |
| **Tag format** | `YYYY.M` (example: `2026.5` for May 2026) |
| **Compressed size** | ~30 MB (raw JSON ~1 GB) |

## Disclaimer

This project is **for research and educational purposes only.** The data provided is a baseline of legitimate Windows files. Any use of this information for illegal, malicious, or unauthorized activities is solely the user's responsibility. The author accepts no liability for any misuse of this data.

## License

This project is released under the **MIT License**.
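A worked example of the Blue Team and binary-diffing use cases described above, added here and not part of the TABPE project: it indexes two constructed mini datasets that follow the `pe_files_info.json` layout (placeholder hashes, invented file names such as `legacy.dll` and `newdriver.sys`), classifies an observed file against the baseline, diffs two releases, and lists files missing the required mitigations for a hardening review.

```python
"""Baseline lookup and release diffing over TABPE-style pe_files_info.json data.
Added example, not part of the TABPE project; the two mini datasets below are
constructed to mirror the README's structure and the sha256 values are placeholders.
In practice load a real release with json.load(open("pe_files_info.json"))."""
from pathlib import PureWindowsPath

FULL = ["DYNAMIC_BASE/ASLR", "NX_COMPAT/DEP", "CFG", "HIGH_ENTROPY_VA"]

def entry(path, sha256, mitigations):
    """One pe_files record, limited to the fields this example uses."""
    return {"path": path, "filename": PureWindowsPath(path).name,
            "sha256": sha256, "mitigations": mitigations}

RELEASE_OLD = {"pe_files": [  # constructed "previous month" release
    entry(r"C:\Windows\System32\svchost.exe", "aa01", FULL),
    entry(r"C:\Windows\System32\ntdll.dll", "bb01", FULL),
    entry(r"C:\Windows\System32\legacy.dll", "cc01", ["NX_COMPAT/DEP"])]}
RELEASE_NEW = {"pe_files": [  # constructed "current month" release
    entry(r"C:\Windows\System32\svchost.exe", "aa01", FULL),
    entry(r"C:\Windows\System32\ntdll.dll", "bb02", FULL),  # hash changed by an update
    entry(r"C:\Windows\System32\newdriver.sys", "dd01", FULL)]}

def index_by_path(release):
    """Windows paths are case-insensitive, so key the index on the lowercased path."""
    return {e["path"].lower(): e for e in release["pe_files"]}

def classify(release, path, sha256):
    """Masquerading/forensics check of one observed file against the baseline:
    known_good (path and hash match), hash_mismatch (baseline path, other content),
    name_only (a baseline file name at a non-baseline location, e.g. svchost.exe
    under Temp), or unknown."""
    hit = index_by_path(release).get(path.lower())
    if hit:
        return "known_good" if hit["sha256"].lower() == sha256.lower() else "hash_mismatch"
    names = {e["filename"].lower() for e in release["pe_files"]}
    return "name_only" if PureWindowsPath(path).name.lower() in names else "unknown"

def diff_releases(old, new):
    """Binary diffing between two releases: paths added, removed or changed."""
    a, b = index_by_path(old), index_by_path(new)
    return {"added": sorted(b.keys() - a.keys()), "removed": sorted(a.keys() - b.keys()),
            "changed": sorted(p for p in a.keys() & b.keys()
                              if a[p]["sha256"] != b[p]["sha256"])}

def missing_mitigations(release, required=("DYNAMIC_BASE/ASLR", "NX_COMPAT/DEP", "CFG")):
    """Files lacking any required mitigation, for a hardening review of the baseline."""
    gaps = {e["path"]: sorted(set(required) - set(e["mitigations"])) for e in release["pe_files"]}
    return {p: missing for p, missing in gaps.items() if missing}
```

A `hash_mismatch` for a system path can also mean the endpoint is on a different update level than the baseline, so compare `scan_info.windows_version` before treating it as tampering.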