SIDOUmed/SQL-Server-Targeted-Malware-Campaign-Investigation

GitHub: SIDOUmed/SQL-Server-Targeted-Malware-Campaign-Investigation

一份针对 SQL Server 环境的内存取证分析报告,详细剖析了多阶段恶意软件攻击的完整感染链与高级逃避技术。

Stars: 1 | Forks: 0

# 取证分析报告:MemBase.mem ## 针对 SQL Server 的恶意软件活动调查 **分析日期:** 2025年7月 **目标系统:** Windows SQL Server 环境 **内存基础:** MemBase.mem **状态:** 已确认的高级威胁活动 **级别:** 极难(非常非常困难) ## 执行摘要 通过对 `MemBase.mem` 的内存取证分析,我们发现了一起针对 Microsoft SQL Server 基础设施的复杂多阶段恶意软件攻击活动。该攻击采用了包括反射式 PE 加载、进程注入和 AES-256-CBC 加密在内的高级技术,以逃避检测并维持持久性。 **关键发现:** - 两个反射式 PE 加载器(`sqlagent.exe`、`conhost.exe`) - 针对 SQL Server 的进程注入链 - 高级沙箱逃避机制 - 带有基于环境变量派生密钥的自定义加密方案 - 通过进程句柄滥用进行的多次权限提升尝试 ## 攻击链概述 ``` ┌─────────────────────────────────────────────────────────────┐ │ INFECTION CHAIN │ ├─────────────────────────────────────────────────────────────┤ │ │ │ sqlagent.exe (PID 4940) │ │ │ │ │ ├─ Reflective PE Loader │ │ ├─ Loads encrypted payload │ │ ├─ Injects into sqlservr.exe (PID 3684) │ │ │ │ │ └─ Opens handles with PROCESS_ALL_ACCESS (0x1FFFFF) │ │ ├─ conhost.exe (PID 8616) │ │ └─ winlogon.exe (PID 576) ← SYSTEM privileges │ │ │ │ sqlservr.exe (PID 3684) — Compromised Service │ │ │ │ │ ├─ Receives injected payload │ │ ├─ Enumerates processes (CreateToolhelp32Snapshot) │ │ ├─ Searches for SQLSVC_TARGET environment variable │ │ ├─ Opens target process with full access │ │ ├─ Spawns high-priority worker threads │ │ └─ Performs sandbox evasion (4.8M iterations) │ │ │ │ conhost.exe (PID 8616) — Payload Executor │ │ │ │ │ ├─ Receives PROCESS_ARCHITECTURE as argument │ │ ├─ Calls sub_7FF7E1311660() decryption routine │ │ ├─ Derives AES key from SHA-256(environment var) │ │ ├─ Decrypts 238,608 bytes of payload │ │ └─ Executes decrypted PE binary │ │ │ └─────────────────────────────────────────────────────────────┘ ``` ## 详细进程分析 ### 1. sqlagent.exe (PID 4940) — 阶段 1 加载器 **属性:** - 进程 ID:4940 - 父进程:sqlservr.exe (PID 652) - 内存基址:0x7FF6AB290000 - 类型:反射式 PE 加载器 **行为:** 主加载器 `sqlagent.exe` 实现了复杂的反射式 PE 加载机制: ``` v17 = VirtualAlloc(0, size, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); if (v17) { sub_7FF6AB292440(v17, encrypted_data, size); // Decrypt payload // Map PE sections with proper permissions for (each section) { VirtualProtect(section, size, flags & (RX|RW|RWX) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE, &oldProtect); } // Hook API functions to prevent termination VirtualProtect(ExitProcess, 14, PAGE_EXECUTE_READWRITE, &oldProtect); *(_WORD *)ExitProcess = 0xb8fa; // mov r8, ExitThread *(_QWORD *)(ExitProcess+2) = (QWORD)ExitThread; VirtualProtect(ExitProcess, 14, oldProtect, &oldProtect); } ``` **关键技术:** - **两阶段分配:** RW 分配 → 代码复制 → 升级为 RWX(逃避即时 EDR 检测) - **内联 Hook:** 修补 `ExitProcess`/`TerminateProcess` 以重定向到 `ExitThread`(防止进程终止) - **动态 API 解析:** 使用 `GetProcAddress` 隐藏导入表以对抗静态分析 ### 2. sqlservr.exe (PID 3684) — 被攻陷的服务 **注入的 Payload 行为:** 注入到 `sqlservr.exe`(合法的 Microsoft SQL Server)中的 Payload 执行以下操作: #### 进程枚举 ``` CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) while (Process32NextW(&pe)) { if (matches(pe.szExeFile, GetEnvironmentVariable("SQLSVC_TARGET"))) { th32ProcessID = pe.th32ProcessID; break; } } ``` **目标环境变量:** - `SQLSVC_TARGET` — 要攻陷的目标进程名 - `SQLSVC_PATH` — 要注入的可执行文件路径 - `PROCESSOR_ARCHITECTURE` — 加密密钥派生输入 #### 句柄获取与权限提升 ``` v33 = OpenProcess(PROCESS_ALL_ACCESS, 0, th32ProcessID); if (!v33) { while (!v33) { Sleep(100); v33 = OpenProcess(PROCESS_ALL_ACCESS, 0, th32ProcessID); } } ``` **严重影响:** 获取对目标进程内存的无限制读写权限。 #### 沙箱逃避机制 ``` for (v31 = 4896164; v31 > 0; v31--) { NtQueryInformationToken(TokenHandle, TokenIntegrityLevel, &buffer, 4096, &retLen); // No-op loop: wastes 4,896,164 iterations // Each iteration calls a Windows API // Total time: ~30-50 seconds depending on system } ``` **目的:** - 逃避具有较短执行超时的自动化恶意软件沙箱 - 模拟合法工作以规避异常检测 - 延迟执行以绕过基于时间的特征码 #### 工作线程生成 ``` hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)StartAddress, NULL, 0, NULL); SetThreadPriority(hThread, THREAD_PRIORITY_TIME_CRITICAL); // Priority: 15 SetThreadAffinityMask(hThread, 1); // Lock to CPU Core 0 v50 = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)StartAddress, NULL, 0, NULL); SetThreadPriority(v50, THREAD_PRIORITY_TIME_CRITICAL); // Priority: 15 SetThreadAffinityMask(v50, 2); // Lock to CPU Core 1 ``` **分析:** 在专用核心上执行的高优先级 CPU 密集型工作表明存在资源消耗极大的操作(加密操作、数据编码或命令执行)。 ### 3. conhost.exe (PID 8616) — 阶段 2 Payload 执行器 **属性:** - 进程 ID:8616 - 父进程:winlogon.exe (PID 576) ← 通过进程句柄伪造 - 实际生成者:sqlservr.exe - 角色:解密与执行引擎 **解密例程:** ``` int fastcall sub_7FF7E1311660(const CHAR *lpName) { CHAR Buffer[272]; BYTE v17[32]; // SHA-256 hash output EVP_MD_CTX *v4 = EVP_MD_CTX_new(); if (!GetEnvironmentVariableA(lpName, Buffer, sizeof(Buffer))) { return 0; } EVP_MD_CTX_new(); EVP_sha256(); EVP_DigestInit_ex(v4, EVP_sha256(), NULL); // Hash the environment variable value size_t len = 0; while (Buffer[len]) len++; EVP_DigestUpdate(v4, Buffer, len); EVP_DigestFinal_ex(v4, v17, NULL); // v17 = SHA256(PROCESSOR_ARCHITECTURE) EVP_MD_CTX_free(v4); // v17 now contains the 256-bit AES key // Derived from: SHA-256(GetEnvironmentVariable("PROCESS_ARCHITECTURE")) return v17; // Return key to AES decryption function } ``` **密钥派生:** - 输入:`PROCESSOR_ARCHITECTURE` 环境变量 - 过程:SHA-256 哈希 - 输出:用于 AES-256-CBC 解密的 256 位密钥 **可能值:** - `x64` → 密钥:`5609f728403e197bb255ef50c62aeabb1f93b09f7b7c379903440b65cd4319cb` - `Intel64` → 密钥:`47e7b753eb7ffb5c82107a70d65e144788d5e34a2f96e1a3bcbe01292f692553` - `AMD64` → 密钥:`558b624e3a60d3e4a393272854dbbd35c6fea3f18ee692235dcbe31be8370700` #### AES-256-CBC 解密 ``` EVP_DecryptUpdate(ctx, plaintext_buffer, &outlen, (const unsigned char *)0x7FF7E1327AD0, // Encrypted payload 238608); // Payload size ``` **加密 Payload 详情:** - **位置:** 偏移量 0x7FF7E1327AD0 - **大小:** 238,608 字节 - **IV:** 偏移量 0x7FF7E1327AC0(16 字节) - **算法:** AES-256-CBC - **密钥:** SHA-256(PROCESSOR_ARCHITECTURE) ## 通过 Volatility 提取的环境数据 ### 系统信息 ``` PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 79 Stepping 1, GenuineIntel PROCESSOR_LEVEL: 6 PROCESSOR_REVISION: 4f01 NUMBER_OF_PROCESSORS: 4 ``` ### 进程层级结构 (pstree) ``` System └── csrss.exe (412) └── services.exe (652) ├── sqlservr.exe (3684) ← Compromised service │ └── sqlagent.exe (4940) ← Injected loader ├── svchost.exe (3432, 3992) └── winlogon.exe (576) ← Parent spoofing target └── conhost.exe (8616) ← Payload executor ``` ## 攻陷技术指标 (IOCs) ### 进程级 IOCs | 指标 | 值 | 严重程度 | 上下文 | |-----------|-------|----------|---------| | 进程名 | sqlagent.exe | 严重 | 阶段 1 反射式加载器 | | 进程 ID | 4940 | 严重 | 主要感染媒介 | | 父进程 | sqlservr.exe (652) | 严重 | 合法服务滥用 | | 子进程 | conhost.exe (8616) | 严重 | 阶段 2 执行器 | | 句柄类型 | PROCESS_ALL_ACCESS | 严重 | 无限制进程访问 | | 句柄访问权限 | 0x1FFFFF | 严重 | 最大权限 | | 目标进程 | winlogon.exe (576), conhost.exe (8616) | 严重 | 父进程伪造 | ### 内存级 IOCs | 指标 | 值 | 详情 | |-----------|-------|---------| | VirtualAlloc 模式 | RW → RWX 升级 | 两阶段分配逃避 | | Hook 目标 | ExitProcess, TerminateProcess | 内联 API Hooking | | 解密例程 | EVP_DecryptUpdate | 基于 OpenSSL 的 AES-256-CBC | | 加密 Payload 偏移量 | 0x7FF7E1327AD0 | 238,608 字节密文 | | IV 偏移量 | 0x7FF7E1327AC0 | 16 字节硬编码 IV | | 密钥派生 | SHA-256(env_var) | 二进制文件中无明文密钥 | ### 环境变量 IOCs ``` SQLSVC_TARGET — Target process name SQLSVC_PATH — Executable path for injection PROCESSOR_ARCHITECTURE — Encryption key source ``` ### API 调用特征 IOCs ``` CreateToolhelp32Snapshot + Process32NextW // Process enumeration OpenProcess(0x1FFFFF) // Maximum access VirtualAlloc + VirtualProtect pattern // Memory allocation evasion EVP_DigestInit_ex + EVP_DigestUpdate // SHA-256 hash EVP_DecryptUpdate with 238608-byte payload // AES decryption NtQueryInformationToken loop (4896164 iter) // Sandbox evasion ``` ## MITRE ATT&CK 映射 ### 已识别技术 | 战术 | 技术 | ID | 证据 | |--------|-----------|-----|----------| | **执行** | 命令和脚本解释器 | T1059 | 通过环境变量执行 Batch/PowerShell | | **持久化** | 引导或登录自动启动执行 | T1547 | 滥用 SQL Server 服务进行自动执行 | | **防御逃避** | 混淆文件或信息 | T1027 | 加密 Payload,无明文字符串 | | **防御逃避** | 解混淆/解码文件 | T1140 | 对内嵌 Payload 进行 AES-256-CBC 解密 | | **防御逃避** | 虚拟化/沙箱逃避 | T1497 | 480 万次迭代的 NtQueryInformationToken 循环 | | **防御逃避** | 修改系统镜像 | T1601 | API Hooking (ExitProcess/TerminateProcess) | | **发现** | 进程发现 | T1057 | CreateToolhelp32Snapshot 枚举 | | **权限提升** | 访问令牌操纵 | T1134 | 进程句柄滥用,父进程伪造 | | **权限提升** | 进程注入 | T1055 | 将反射式 PE 加载到 sqlservr.exe | ### 攻击框架 ``` Kill Chain Phase MITRE Technique Evidence ───────────────────────────────────────────────────────────────────── Initial Access [External - Pre-compromise] Not observed in dump Execution T1547 Boot or Logon Autostart sqlservr.exe injection Persistence T1547 + T1055 Process Injection conhost.exe spawning Privilege Escalation T1134 Access Token Manipulation PROCESS_ALL_ACCESS Defense Evasion T1027 + T1140 Obfuscation AES-256-CBC Discovery T1057 Process Discovery CreateToolhelp32Snapshot ``` ## 加密分析 ### AES-256-CBC 配置 ``` Algorithm: AES-256-CBC (256-bit key, 128-bit blocks) Key Source: SHA-256(GetEnvironmentVariable("PROCESSOR_ARCHITECTURE")) IV Source: Hardcoded at offset 0x7FF7E1327AC0 Payload Size: 238,608 bytes Payload Offset: 0x7FF7E1327AD0 ``` ### 密钥派生过程 ``` ┌─────────────────────────────────────────────────┐ │ GetEnvironmentVariable("PROCESSOR_ARCHITECTURE")│ │ ↓ │ │ "x64" (or similar) │ │ ↓ │ │ EVP_DigestInit_ex() │ │ EVP_DigestUpdate() │ │ EVP_DigestFinal_ex() │ │ ↓ │ │ SHA-256 Hash Output (32 bytes) │ │ ↓ │ │ 256-bit AES Key (No plaintext in binary) │ │ ↓ │ │ AES-256-CBC Decryption Context │ │ ↓ │ │ Decrypted PE Payload (238,608 bytes) │ └─────────────────────────────────────────────────┘ ``` ### 为什么这种设计有效 1. **无明文密钥存储** — 密钥在运行时动态派生 2. **环境变量耦合** — 攻击者必须知道受害者的 PROCESSOR_ARCHITECTURE 3. **SHA-256 不可逆性** — 无法从加密 Payload 逆向工程出密钥 4. **硬编码 IV** — 简化部署;对于此用例,IV 并非安全关键 ## 防御建议 ### 立即行动(0-24 小时) 1. **隔离 SQL Server 系统** - 断开网络连接 - 保留内存转储和磁盘镜像 - 防止横向移动 2. **终止恶意进程** taskkill /PID 4940 /F # sqlagent.exe taskkill /PID 8616 /F # conhost.exe taskkill /PID 3684 /F # sqlservr.exe (如果安全) 3. **重置 SQL Server 凭据** - 更改所有服务账户密码 - 审查服务账户权限 - 审计最近的 SQL Server 活动日志 4. **扫描持久化机制** - 计划任务(带有 SQLSVC_TARGET, SQLSVC_PATH) - 被 sqlservr.exe 修改的注册表 Run 键 - DLL 注入点 ### 短期缓解措施(1-7 天) 1. **EDR/XDR 部署** 告警以下行为: - sqlservr.exe 生成 conhost.exe - OpenProcess(0x1FFFFF) 调用 - VirtualAlloc 后跟随 VirtualProtect RW→RWX - NtQueryInformationToken 循环 >100 万次迭代 2. **网络分段** - 将 SQL Server 与工作站隔离 - 要求 SQL Server 服务账户使用 MFA - 监控来自 sqlservr.exe 的出站连接 3. **应用程序白名单** - 在 AppLocker/WDAC 中禁用 sqlagent.exe - 限制 sqlservr.exe 生成 conhost.exe - 强制执行代码签名要求 ### 长期强化(2-4 周) 1. **系统补丁** - 应用最新的 Windows 更新 - 将 SQL Server 更新至最新 CU/SP - 为所有第三方组件打补丁 2. **访问控制审查** - 对服务账户实行最小权限原则 - 删除不必要的 SYSTEM 组成员身份 - 审计所有进程创建权限 3. **检测与响应** - 部署针对反射式 PE 加载器的 YARA 规则 - 创建针对进程注入模式的 Sigma 规则 - 建立 SQL Server 攻陷的事件响应预案 ## YARA 检测规则 ``` rule SQL_Server_Malware_Loader { meta: description = "Detects sqlagent.exe reflective PE loader" author = "Security Team" date = "2025-07" severity = "CRITICAL" strings: // VirtualAlloc + VirtualProtect pattern $virtualalloc = { 48 89 C7 B9 00 30 00 00 B8 04 00 00 00 } // Hook inline signature (patches ExitProcess) $hook = { 66 C7 04 ?? FA B8 48 89 54 ?? 02 } // AES-256-CBC EVP functions $evp_init = "EVP_DigestInit_ex" $evp_update = "EVP_DigestUpdate" $evp_final = "EVP_DigestFinal_ex" // Environment variable references $env_target = "SQLSVC_TARGET" $env_path = "SQLSVC_PATH" $env_arch = "PROCESSOR_ARCHITECTURE" condition: uint16(0) == 0x5a4d and ( ($virtualalloc) or ($hook) or (all of ($evp*)) or (all of ($env*)) ) } ``` ## 搜索可疑模式: cat search_patterns.sh #!/bin/bash cd /home/kali/Downloads/volatility3/vad-output/ || exit echo "[*] Recherche des patterns suspects dans les fichiers .dmp..." echo for dump in *.dmp; do count=$(strings "$dump" | grep -E -c "GetProcAddress|CreateThread|OpenProcess|EVP_|SQLSVC") ``` if [ "$count" -gt 5 ]; then echo "[+] $dump : $count matches" fi ``` done # ./search_patterns.sh [+] pid.3684.vad.0x7ff8f2ff0000-0x7ff8f3080fff-1.dmp : 7 matches [+] pid.3684.vad.0x7ff8f2ff0000-0x7ff8f3080fff-2.dmp : 7 matches [+] pid.3684.vad.0x7ff8f2ff0000-0x7ff8f3080fff.dmp : 7 matches [+] pid.3684.vad.0x7ff8f5110000-0x7ff8f546efff-1.dmp : 11 matches [+] pid.3684.vad.0x7ff8f5110000-0x7ff8f546efff-2.dmp : 11 matches [+] pid.3684.vad.0x7ff8f5110000-0x7ff8f546efff.dmp : 11 matches [+] pid.3684.vad.0x7ff8f6160000-0x7ff8f621bfff-1.dmp : 11 matches [+] pid.3684.vad.0x7ff8f6160000-0x7ff8f621bfff-2.dmp : 11 matches [+] pid.3684.vad.0x7ff8f6160000-0x7ff8f621bfff.dmp : 11 matches [+] pid.3684ad.0x7ff8f78f0000-0x7ff8f7aeffff-1.dmp : 13 matches [+] pid.3684.vad.0x7ff8f78f0000-0x7ff8f7aeffff-2.dmp : 13 matches [+] pid.3684.vad.0x7ff8f78f0000-0x7ff8f7aeffff.dmp : 13 matches [2] Dérivation de la clé SHA-256... [*] x64 → 5609f728403e197bb255ef50c62aeabb1f93b09f7b7c379903440b65cd4319cb [*] Intel64 → 47e7b753eb7ffb5c82107a70d65e144788d5e34a2f96e1a3bcbe01292f692553 [*] AMD64 → 558b624e3a60d3e4a393272854dbbd35c6fea3f18ee692235dcbe31be8370700 [*] X86 → ee914f0378c4a89fd5c2e8e715133ff6d2512725f76ff05fbd35fd6b470f2753 [*] x86 → 13d6a668eb0789a68e20ff5b93a5fd42981d81c14f9fb6a0756a9368b8e2037e [+] Clé dérivée (x64): 5609f728403e197bb255ef50c62aeabb1f93b09f7b7c379903440b65cd4319cb ## 结论 `MemBase.mem` 的取证分析揭示了一场利用多种高级逃避技术的**复杂、有针对性的恶意软件攻击活动**。该攻击展示了: - **极高的复杂程度** — 自定义加密、沙箱逃避、API Hooking - **对 Windows 内部机制的深刻理解** — 反射式加载、权限提升 - **操作安全意识** — 无明文字符串、动态密钥派生 - **持久化机制** — SQL Server 滥用、环境变量耦合 **威胁评估:严重** 攻击者已经展示了以下能力: 1. 将代码注入合法服务 2. 提升至 SYSTEM 权限 3. 逃避检测机制 4. 部署加密 Payload **建议状态:** 将其视为高级持续性威胁 (APT) 活动。在整个基础设施范围内进行全面的威胁搜寻。 ## 附录 ### A. 内存地址参考 - sqlagent.exe 基址:0x7FF6AB290000 - conhost.exe 基址:0x7FF7028D0000(约) - 加密 Payload:0x7FF7E1327AD0 - IV 位置:0x7FF7E1327AC0 - VirtualAlloc 模式:0x3000 (MEM_COMMIT | MEM_RESERVE) - Hook 目标:ExitProcess, TerminateProcess ### B. 命令行参数 ``` conhost.exe PROCESS_ARCHITECTURE ``` ### C. 使用的 Volatility 命令 ``` python3 vol.py -f MemBase.mem windows.pslist python3 vol.py -f MemBase.mem windows.pstree python3 vol.py -f MemBase.mem windows.envars python3 vol.py -f MemBase.mem windows.vadinfo --pid 3684 --dump python3 vol.py -f MemBase.mem windows.dumpfiles --pid 4940 python3 vol.py -f MemBase.mem windows.handles --pid 4940 python3 vol.py -f MemBase.mem windows.malfind --pid 3684 ``` **分发对象:** SOC、事件响应、威胁情报 以下截图说明了取证调查的每一个步骤,包括 Volatility 分析、内存检查、恶意软件行为、进程注入、加密分析以及调查期间识别出的攻陷指标。 ## 插图 ![Fore67](https://static.pigsec.cn/wp-content/uploads/repos/cas/ea/ead93bc9bc7de7e9448de7e57d23611f506d9fa8cec44f84e3ceb0bb93acb572.png) ![Fore67-1](https://static.pigsec.cn/wp-content/uploads/repos/cas/91/916a9ab0420eb92588480c1915f61791d89c6e4e4af5c753cf2bc44d4cadd4f5.png) ![Fore67-2](https://static.pigsec.cn/wp-content/uploads/repos/cas/24/24048a5a5ea953432f7eaf557aa29755726d20529a34d162c8cb88552cf478ed.png) ![Fore68](https://static.pigsec.cn/wp-content/uploads/repos/cas/1f/1f710c7636ba6853b97d8cdb8168ec197c820703aaf05ea8f49af0249c914fef.png) ![Fore69](https://static.pigsec.cn/wp-content/uploads/repos/cas/9e/9e2f933b7ba6ba64a35e8b9e0b8f15cabe010cabee7da50b702a5e739fe4e5a1.png) ![Fore70](https://static.pigsec.cn/wp-content/uploads/repos/cas/80/80a576aa872ef69451963ee7ed41d59317cadee7488d7de7982ed651b0e341a0.png) ![Fore71](https://static.pigsec.cn/wp-content/uploads/repos/cas/41/415af7e14c03ebadf8e992819ca64b004e030aa37f0b4ef3d914ad8047b0cf48.png) ![Fore72](https://static.pigsec.cn/wp-content/uploads/repos/cas/7a/7a13e9b0b96b6909733e07d65f3698c28181c91d14826b4f97f497a7f9031e3b.png) ![Fore73](https://static.pigsec.cn/wp-content/uploads/repos/cas/fe/fe9f297fdf564043970d432db6a41e8849681a761619c8b9fb7f230e45a6af4d.png) ![Fore74](https://static.pigsec.cn/wp-content/uploads/repos/cas/61/61c619da86b9abcfb70f3687ccb9eafb993022a6642b7145b744f1b6488f2837.png) ![Fore75](https://static.pigsec.cn/wp-content/uploads/repos/cas/43/43596f603bc291215c2a909feccd19fc4e1ba2eb17e2aef303831369ce7f4d70.png) ![Fore76](https://static.pigsec.cn/wp-content/uploads/repos/cas/53/53a95776950ee6800336f762c578c1c6031cbc0a481d181f81eaabb57ef998fa.png) ![Fore77](https://static.pigsec.cn/wp-content/uploads/repos/cas/b1/b1fc09c0f1a71f625ed5334260c8499e0de8705fb4695397ed34c9a423393c60.png) ![Fore78](https://static.pigsec.cn/wp-content/uploads/repos/cas/34/34cbfdb13914f5cee19d4c8a4113532e74ce03c3b016edb51d807ed158792632.png) ![Fore79](https://static.pigsec.cn/wp-content/uploads/repos/cas/23/23f2d0fa189c80dd4f3f6eb738667e0cd9c3b275498501748c60160959ae3d32.png) ![Fore81](https://static.pigsec.cn/wp-content/uploads/repos/cas/79/7905848c5a041ea425c5a17cabe59cc9192361f8b664650a77ff4e38b44ef579.png) ![Fore82](https://static.pigsec.cn/wp-content/uploads/repos/cas/b4/b409f9e8d0f6d55f48154d9db53e1da0c5933d6c0fcbca7dcd8c7f42b7672c65.png) ![Fore83](https://static.pigsec.cn/wp-content/uploads/repos/cas/67/67f5b863138317fba5c701e3af3c5bcbd94d062398d015741bb84a0c451dd8d4.png) ![Fore84](https://static.pigsec.cn/wp-content/uploads/repos/cas/d2/d2490903c622929892a1b1b012ca0ff92ac5eb3ab8fce526408139b637e84033.png) ![Fore85](https://static.pigsec.cn/wp-content/uploads/repos/cas/d2/d2f6deb2d23003426c2c8e90f0af257f7cf2c0004e8249cdf2a2c57b6c0e35ed.png) ![Fore86](https://static.pigsec.cn/wp-content/uploads/repos/cas/9a/9aea5f15772eb671b19e435716382c11d7eed81ca0f1d8c5c4054d4197fea28b.png) ![Fore87](https://static.pigsec.cn/wp-content/uploads/repos/cas/e7/e7bf341f661ee91bf15ae86a31c4bffa037cc8d4a50f9bc148e6daff27702c2b.png) ![Fore88](https://static.pigsec.cn/wp-content/uploads/repos/cas/4c/4c07983b2bcf9d75ad9b0c12d6b6c66e84a7606d45b4138ad41993627d94e724.png) ![Fore89](https://static.pigsec.cn/wp-content/uploads/repos/cas/e1/e12367f8fec2659ab14362ce821b58b8a276992967304699899f31ebcb35561b.png) ![Fore90](https://static.pigsec.cn/wp-content/uploads/repos/cas/aa/aa2bf3bd6a015d32517f5c475a715a7ae92c8097f9416e9d022ce66ef197c152.png) ![Fore91](https://static.pigsec.cn/wp-content/uploads/repos/cas/aa/aa9f1268f32c0cf8860e08add2e2fdd8b7805eca73bc030c629d074632e10a59.png) ![Fore92](https://static.pigsec.cn/wp-content/uploads/repos/cas/06/06c3fd42ff683d4c2e5235f29c53af5409dc380f7b81c667a46716fd82a2d7ed.png) ![Fore93](https://static.pigsec.cn/wp-content/uploads/repos/cas/d7/d7090cf949a00c1a2a217148e69c3101a08e576094cc50393910de8629d1cd5d.png) ![Fore94](https://static.pigsec.cn/wp-content/uploads/repos/cas/ad/ada3bee7431358b62a6aab08bfd451dadcad64a7c0bd5210c21f8d08e6ea8d8c.png) ![Fore95](https://static.pigsec.cn/wp-content/uploads/repos/cas/49/498dd04e09aab08a617444d51f1652e20d56ec130fb2a60f7bf869881dfd2961.png) ![Fore96](https://static.pigsec.cn/wp-content/uploads/repos/cas/92/92b628c227ac6f8fc3f51ee31f55c6618f2b806903a80310c0412a21192dea9c.png) ![Fore97](https://static.pigsec.cn/wp-content/uploads/repos/cas/00/0070e7810d0e74a5395da169fa66f297105bdd369adb799070855ad9eabb5716.png) ![Fore98](https://static.pigsec.cn/wp-content/uploads/repos/cas/c1/c1e4ca73c68185daef1ecd46707c9a7a490f70b714505f4aac11bf70dc31dfa0.png) ![Fore99](https://static.pigsec.cn/wp-content/uploads/repos/cas/02/02342be25935bebfe1f68ccae4626c4a963866f900cc04b48f1e36f35e373fdd.png) ![Fore100](https://static.pigsec.cn/wp-content/uploads/repos/cas/8f/8f1494e1739fa61bae2cb05bb7b4d1cde6abc3a20be65582f3994e8b465cf21a.png) ![Fore101](https://static.pigsec.cn/wp-content/uploads/repos/cas/fe/fe4c27323d71dd73268d39982b19a56eb41ccdd153b82be5ffcedec44c535886.png) ![Fore102](https://static.pigsec.cn/wp-content/uploads/repos/cas/e0/e0fc4c7b7aad5e2574874e80f7e146441a877582daa3f3b6b1e9a21122410598.png) ![Fore103](https://static.pigsec.cn/wp-content/uploads/repos/cas/a2/a221cd639107d34743f85691d38849b243958ec5d21d0fbfe6803f562591ff1a.png) ![Fore104](https://static.pigsec.cn/wp-content/uploads/repos/cas/ae/aeae63ff3007a2d3e521b11e0c571d39b6e7bb9acca8d7854d9a6f7b464ccd78.png) ![Fore105](https://static.pigsec.cn/wp-content/uploads/repos/cas/c4/c4e293bbcaaa75fcd81812e073924c615e9783672c8c163b7ed23d9bc75751cb.png) ![Fore106](https://static.pigsec.cn/wp-content/uploads/repos/cas/38/388b3f049ebc75ddab2f409171eb6c18f9fb96e2686ca825ce53199b0005796d.png) ![Fore107](https://static.pigsec.cn/wp-content/uploads/repos/cas/13/131f63caca5ff9718e31096b7e3e4707ce47441ac497ff24918e69224f2d4a58.png) ![Fore108](https://static.pigsec.cn/wp-content/uploads/repos/cas/0a/0a0691cb914c433f4533f90bd1ca559a50228835aab216cd49a7135da6d72601.png) ![Fore109](https://static.pigsec.cn/wp-content/uploads/repos/cas/5f/5f82dd553b9b40c9272fb6ef4f68b9319977938c01bdb945b95303236d53b912.png) ![Fore110](https://static.pigsec.cn/wp-content/uploads/repos/cas/87/87686541d48ab47d16ef2532a882f9cb0414abcb052c26381a54fceff48986b0.png) ![Fore111](https://static.pigsec.cn/wp-content/uploads/repos/cas/ce/cea070894bb6aaa936f19e4ef729b6d2b53fef05d2c2e653ba0d04f99554a9b3.png) ![Fore112](https://static.pigsec.cn/wp-content/uploads/repos/cas/03/03caf6af409e022389931074ffcea29e3483404d8f2b03a232522a31c79c3469.png) ![Fore113](https://static.pigsec.cn/wp-content/uploads/repos/cas/42/42615bf77e52cbd6357e8d5743da2f52b234b8fbae9568d70381469f3a9e071a.png) ![Fore114](https://static.pigsec.cn/wp-content/uploads/repos/cas/6b/6be3b26eb184ab76adb41fcbced5a56ffead4db4462746558d1845b30e759bf5.png) ![Fore115](https://static.pigsec.cn/wp-content/uploads/repos/cas/f5/f5322ed43a0c5f4b14e1cadb997064fbf15e58b50e46652a681961c6bb4131b8.png) ![Fore116](https://static.pigsec.cn/wp-content/uploads/repos/cas/09/09cedfe8b7aad720ed2e08759c9cd32f3255e7f35b168c1a3352963af2ae6910.png) ![Fore117](https://static.pigsec.cn/wp-content/uploads/repos/cas/a1/a199ca8ae766cb5c6314ecc0f305f790b5d9873525bcfb9bcd556bb90abb863e.png) ![Fore118](https://static.pigsec.cn/wp-content/uploads/repos/cas/b8/b817c22b83898e48233ad9ebb614636e07f2c7ba546e00820328b29cec064c24.png) ![Fore119](https://static.pigsec.cn/wp-content/uploads/repos/cas/0b/0b016bcaa067962c93f81f373ad5beeb8a780bcc991f8a78b03a4c0cbacf082e.png) ![Fore120](https://static.pigsec.cn/wp-content/uploads/repos/cas/9b/9b8c23bc7d1d54882983f039c754f9f70bd2c4007a2922553b1ca3abc09136c1.png) ![Fore121](https://static.pigsec.cn/wp-content/uploads/repos/cas/48/481c1649a5c6fc5914634a0bbd3faffe5e87ccb34577573560b034071618aaa2.png) ![Fore122](https://static.pigsec.cn/wp-content/uploads/repos/cas/9f/9f13d282d43544cf19dfc1fe3e24e5fb341d968d5f245358d9d769a0a0252822.png) ![Fore123](https://static.pigsec.cn/wp-content/uploads/repos/cas/eb/eb1cbc0cbb5f5c669aac32fd190c99e0f2239398743d71e717f4d41a3d1f9bc6.png) ![Fore124](https://static.pigsec.cn/wp-content/uploads/repos/cas/3b/3b70543467b80fd13fcbe0a4ae3dc9653aeb716cfed2e7aa322c30ce643e7816.png) ![Fore125](https://static.pigsec.cn/wp-content/uploads/repos/cas/2b/2b4ed5b380ea3c49ddcc21fd73b332d3eeff808209ba58b9a131393c2fcfb0fd.png) ![Fore126](https://static.pigsec.cn/wp-content/uploads/repos/cas/f7/f7f998717a2cc61477b72ca01e16f6f87a72a39f1edecf6c8116a63ab4207d93.png) ![Fore127](https://static.pigsec.cn/wp-content/uploads/repos/cas/8b/8b3c9874faf42bc76f2110456f71e447ffa4fcb9793113d61da4e58299e4e1bd.png) ![Fore128](https://static.pigsec.cn/wp-content/uploads/repos/cas/4f/4fe98e065ae82ad9fc5e1729faf036a4fe5b36aba808dff4c0faa1d1dcfffbb9.png) ![Fore129](https://static.pigsec.cn/wp-content/uploads/repos/cas/e4/e40c819ad27d749763e8b19c43c5629068def59c14a1ce32fd5f28fec93b55d4.png) ![Fore130](https://static.pigsec.cn/wp-content/uploads/repos/cas/a8/a824f836f30c0501d2ee913dfcfa325c2e75767cebe826c8ba8d7160780000e4.png) ![Fore131](https://static.pigsec.cn/wp-content/uploads/repos/cas/41/41c15403aaaa2b1615f6cb8bcffb8dc4521e40a8946c544168bf6dea968bf5a3.png) ![Fore132](https://static.pigsec.cn/wp-content/uploads/repos/cas/6f/6f19aa6327d2737924443265bce77f8dc128101152cb65d339268132e58316e8.png) ![Fore133](https://static.pigsec.cn/wp-content/uploads/repos/cas/83/8344e5cd6f30ef4077c050bc2c79ca160639306e6904871a0818cd7a9d774d8b.png) ![Fore134](https://static.pigsec.cn/wp-content/uploads/repos/cas/63/63d9b04c52cb9edc760fe194e448e6b27ba683ed35783c4f1e911187ac4a9ba2.png) ![Fore135](https://static.pigsec.cn/wp-content/uploads/repos/cas/ce/cebdd5bbb45d925679780ed5317ec8a919ce512af4a234aa3ffcc09f67ae444e.png) ![Fore136](https://static.pigsec.cn/wp-content/uploads/repos/cas/c8/c8531f746865b64a95ed80128bc4d3ce12bd4841806a79e6d3bab22ddc16a567.png) ![Fore137](https://static.pigsec.cn/wp-content/uploads/repos/cas/76/76a2e0066c7e1ec2ae1b44178cdd979e558de63b39188b6fa6daac3fc2b64c4c.png) ![Fore138](https://static.pigsec.cn/wp-content/uploads/repos/cas/ed/edcaf7c60a17d9c68f41cfab4d4879709c3f755324283cd945e5e9ae1a2fb7dc.png) ![Fore139](https://static.pigsec.cn/wp-content/uploads/repos/cas/87/877f61bd79af8292395445fd15537309d06432d866f12542d9a6a1aa3ffb16e0.png) ![Fore140](https://static.pigsec.cn/wp-content/uploads/repos/cas/fa/facb6526922a5ff1631b1a7bdbb70aad2e590b49e46d94914b53bb61b639ac91.png) ![Fore141](https://static.pigsec.cn/wp-content/uploads/repos/cas/11/118b800b38dc3beed0a3dcb7d6f0da2c544bd18b5c6eccc1221b9515a1364e8e.png) ![Fore142](https://static.pigsec.cn/wp-content/uploads/repos/cas/77/7730cbabc969329c8b9ab6e904fc6ed702e9a39579cb7c8e47cb96ff82512a1f.png) ![Fore143](https://static.pigsec.cn/wp-content/uploads/repos/cas/f5/f54c4ce46a9378c528fe2575b921f9c0f101a4d0d8ae259973fb27f4a29b1051.png) ![Fore144](https://static.pigsec.cn/wp-content/uploads/repos/cas/55/556a8b8855d25f36abbe6d9d646f3545e8023dcc80ad35bebb17942a6b9dd702.png) ![Fore145](https://static.pigsec.cn/wp-content/uploads/repos/cas/85/85138fda7a401cd5ad830777dd8c72fc8bd5541ffdf9a8aa59315e9329dbc8d5.png) ![Fore146](https://static.pigsec.cn/wp-content/uploads/repos/cas/6b/6bbb4f87fe64e016a5f75d65a378eeaa561187edef12ebd6206f412fe31e627d.png) ![Fore147](https://static.pigsec.cn/wp-content/uploads/repos/cas/f3/f31e91f2b09adb35327ca0a5e24581545fe0ade8a1b1f27521001f63cb889839.png)
标签:DAST, JARM, 内存分析, 威胁情报, 安全报告, 安全测试工具, 开发者工具, 恶意软件分析, 数字取证, 端点可见性, 自动化脚本