gemesa/malware-analysis-toolkit

GitHub: gemesa/malware-analysis-toolkit

A complete environment setup guide covering static reverse engineering of malware, dynamic sandboxing, network monitoring and mobile analysis.

Stars: 1 | Forks: 0

# Malware analysis toolkit

Setup guide for malware analysis tools.

Core tools:

- [Android Studio](#android-studio)
- [Apktool](#apktool)
- [Binwalk](#binwalk)
- [capa](#capa)
- [DiE](#die)
- [frida](#frida)
- [Ghidra](#ghidra)
- [INetSim](#inetsim)
- [JADX](#jadx)
- [Joern](#joern)
- [LLVM](#llvm)
- [OpenSSL](#openssl)
- [Python](#python)
- [QEMU](#qemu)
- [Qiling](#qiling)
- [rbi](#rbi)
- [shadow-shell](#shadow-shell)
- [Suricata](#suricata)
- [VirtualBox](#virtualbox)
- [Wireshark](#wireshark)
- [YARA](#yara)
- [Zeek](#zeek)

macOS:

- [ILSpy](#ilspy)
- [ipsw](#ipsw)
- [pythonnet](#pythonnet)

# Ghidra

## Basics

```
curl -s "https://get.sdkman.io" | bash
sdk install gradle
sdk list java
sdk install java 21.0.7-tem
git clone https://github.com/NationalSecurityAgency/ghidra.git
cd ghidra
gradle -I gradle/support/fetchDependencies.gradle
gradle assembleAll
```

Required by the Ghidra debugger:

```
pip install psutil
pip install google-api-python-client
```

PyGhidra: https://pypi.org/project/ghidra-stubs/

```
pip install pyghidra
pip install ghidra-stubs
```

### Configuration

- **Edit** --> **Theme** --> **Switch...** --> Flat Dark
- **Edit** --> **Theme** --> **Configure** --> Fonts --> font.plugin.terminal --> Source Code Pro-BOLD-12
- **Edit** --> **Theme** --> **Configure** --> Colors --> color.fg.plugin.terminal.normal.blue --> RGB --> Color Code: 00FFFF, Alpha: 255
- Add the Python stubs: https://github.com/NationalSecurityAgency/ghidra/issues/8018#issuecomment-2810720052
- Open a domain file, then **File** --> **Configure** --> **BSim**

### Launch

```
cd ghidra/build/dist/ghidra_11.4_DEV
./ghidraRun
```

References:

- https://sdkman.io/
- https://github.com/NationalSecurityAgency/ghidra?tab=readme-ov-file#build
- https://github.com/NationalSecurityAgency/ghidra/blob/master/DevGuide.md#common-gradle-tasks

## Ghidra Server

```
cd ghidra/build/dist/ghidra_11.4_DEV
sudo ./server/svrInstall
```

### Configuration

Both `sed` calls edit `server/server.conf`: the first points the repository directory at the checkout, the second inserts `-u` as a new server parameter and shifts the existing second parameter down.

```
cd ghidra/build/dist/ghidra_11.4_DEV
sed -i 's|ghidra.repositories.dir=./repositories|ghidra.repositories.dir=/home/gemesa/git-repos/ghidra-server|' server/server.conf
sed -i 's|wrapper.app.parameter.2|wrapper.app.parameter.2=-u\nwrapper.app.parameter.3|' server/server.conf
sudo ./server/ghidraSvr restart
./server/ghidraSvr status
sudo ./server/svrAdmin -add gemesa
sudo ./server/svrAdmin -users
```

### Launch

```
cd ghidra/build/dist/ghidra_11.4_DEV
sudo ./server/ghidraSvr start
```

References:

- https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/RuntimeScripts/Common/server/svrREADME.html

## BSim

```
cd ghidra/build/dist/ghidra_11.4_DEV
cd Ghidra/Features/BSim/support
sudo dnf install readline-devel
./make-postgres.sh
```

### Launch

```
cd ghidra/build/dist/ghidra_11.4_DEV
./support/bsim_ctl start ~/git-repos/bsim-db
```

References:

- https://github.com/NationalSecurityAgency/ghidra/blob/master/GhidraDocs/GhidraClass/BSim/BSimTutorial_Intro.md
- https://github.com/NationalSecurityAgency/ghidra/tree/master/Ghidra/Features/BSim/src/main/help/help/topics/BSim
- https://github.com/NationalSecurityAgency/ghidra/pull/7085#issuecomment-2438640305

## Extensions

- https://github.com/google/binexport
- https://github.com/ubfx/BinDiffHelper
- https://github.com/gemesa/ghidra-scripts

# INetSim

```
wget https://www.inetsim.org/downloads/inetsim-1.3.2.tar.gz
tar -xzf inetsim-1.3.2.tar.gz
sudo groupadd inetsim
cd inetsim-1.3.2
sudo ./setup.sh
sudo dnf install perl-Net-Server perl-IPC-Shareable perl-Digest-SHA perl-IO-Socket-SSL
sudo dnf install perl-CPAN perl-App-cpanminus
# REMnux ships Net::DNS@1.22 (newer releases such as 1.40..1.50 do not work with INetSim)
sudo cpanm Net::DNS@1.22 --verbose --notest
```

## Configuration

Disable the services that are not needed and bind the remaining ones to the lab address. `192.168.56.128` is the INetSim host's own address on the isolated internal network (see the VirtualBox section); the static route, gateway and DNS set below all point at that same address, so every request from the sandbox terminates at INetSim and nothing reaches a real network.

```
sed -i 's|#service_run_as_user inetsim|service_run_as_user gemesa|' conf/inetsim.conf
sed -i 's|start_service tftp|#start_service tftp|' conf/inetsim.conf
sed -i 's|start_service irc|#start_service irc|' conf/inetsim.conf
sed -i 's|start_service ntp|#start_service ntp|' conf/inetsim.conf
sed -i 's|start_service finger|#start_service finger|' conf/inetsim.conf
sed -i 's|start_service ident|#start_service ident|' conf/inetsim.conf
sed -i 's|start_service syslog|#start_service syslog|' conf/inetsim.conf
sed -i 's|start_service time_tcp|#start_service time_tcp|' conf/inetsim.conf
sed -i 's|start_service time_udp|#start_service time_udp|' conf/inetsim.conf
sed -i 's|start_service daytime_tcp|#start_service daytime_tcp|' conf/inetsim.conf
sed -i 's|start_service daytime_udp|#start_service daytime_udp|' conf/inetsim.conf
sed -i 's|start_service echo_tcp|#start_service echo_tcp|' conf/inetsim.conf
sed -i 's|start_service echo_udp|#start_service echo_udp|' conf/inetsim.conf
sed -i 's|start_service discard_tcp|#start_service discard_tcp|' conf/inetsim.conf
sed -i 's|start_service discard_udp|#start_service discard_udp|' conf/inetsim.conf
sed -i 's|start_service quotd_tcp|#start_service quotd_tcp|' conf/inetsim.conf
sed -i 's|start_service quotd_udp|#start_service quotd_udp|' conf/inetsim.conf
sed -i 's|start_service chargen_tcp|#start_service chargen_tcp|' conf/inetsim.conf
sed -i 's|start_service chargen_udp|#start_service chargen_udp|' conf/inetsim.conf
sed -i 's|start_service dummy_tcp|#start_service dummy_tcp|' conf/inetsim.conf
sed -i 's|start_service dummy_udp|#start_service dummy_udp|' conf/inetsim.conf
sed -i 's|#service_bind_address 10.10.10.1|service_bind_address 192.168.56.128|' conf/inetsim.conf
sed -i 's|#dns_default_ip 10.10.10.1|dns_default_ip 192.168.56.128|' conf/inetsim.conf
```

Set the static IP and DNS:

```
nmcli connection show
sudo nmcli connection modify "Wired connection 1" ipv4.method manual ipv4.addresses 192.168.56.128/24 ipv4.gateway 192.168.56.128 ipv4.dns 192.168.56.128
sudo nmcli connection down "Wired connection 1"
sudo nmcli connection up "Wired connection 1"
```

Revert the static IP and DNS (needed when upgrading or installing new packages):

```
sudo nmcli connection modify "Wired connection 1" ipv4.method auto
sudo nmcli connection modify "Wired connection 1" ipv4.addresses "" ipv4.gateway ""
sudo nmcli connection modify "Wired connection 1" ipv4.dns ""
sudo nmcli connection down "Wired connection 1"
sudo nmcli connection up "Wired connection 1"
```

Update the firewall rules:

```
sudo firewall-cmd --permanent --add-port=80/tcp   # HTTP
sudo firewall-cmd --permanent --add-port=443/tcp  # HTTPS
sudo firewall-cmd --permanent --add-port=21/tcp   # FTP
sudo firewall-cmd --permanent --add-port=25/tcp   # SMTP
sudo firewall-cmd --permanent --add-port=53/tcp   # DNS (TCP)
sudo firewall-cmd --permanent --add-port=53/udp   # DNS (UDP)
sudo firewall-cmd --permanent --add-port=110/tcp  # POP3
sudo firewall-cmd --permanent --add-port=143/tcp  # IMAP
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
```

Compare the `--list-all` output with the services still enabled in `conf/inetsim.conf`: a service that INetSim starts but whose port is not opened here is unreachable from the sandbox VM.

## Launch

```
sudo ./inetsim
```

Check the services:

```
netstat -tuln
sudo tail -f log/service.log
```

References:

- https://www.inetsim.org/requirements.html
- https://www.inetsim.org/documentation.html

# Zeek

```
sudo dnf config-manager addrepo --from-repofile=https://download.opensuse.org/repositories/security:zeek/Fedora_41/security:zeek.repo
sudo dnf install zeek
```

## Configuration

```
sudo ln -s /opt/zeek/bin/zeek /usr/local/bin/zeek
sudo ln -s /opt/zeek/bin/zeekctl /usr/local/bin/zeekctl
sudo ln -s /opt/zeek/bin/zeek-cut /usr/local/bin/zeek-cut
ip a
sudo sed -i 's|interface=eth0|interface=enp0s3|' /opt/zeek/etc/node.cfg
```

## Launch

```
ip a
sudo zeek -i enp0s3
```

Zeek writes its logs (`conn.log`, `http.log`, `dns.log`, ...) into the current directory. In another terminal:

```
cat http.log | zeek-cut -d ts uid id.orig_h host
```

References:

- https://github.com/zeek/zeek/wiki/Binary-Packages#fedora-41
- https://docs.zeek.org/en/master/quickstart.html

# Suricata

```
sudo dnf install dnf-plugins-core
sudo dnf copr enable @oisf/suricata-7.0
sudo dnf install suricata
sudo suricata-update
```

## Configuration

The first `sed` comments out the active `HOME_NET` line, the second adds a new one after `#HOME_NET: "any"` (indented to the same level as its neighbours). `192.168.56.128/25` covers 192.168.56.128-255, the upper half of the lab network.

```
ip a
sudo sed -i 's| HOME_NET| #HOME_NET|' /etc/suricata/suricata.yaml
sudo sed -i 's|#HOME_NET: "any"|#HOME_NET: "any"\n    HOME_NET: "[192.168.56.128/25]"|' /etc/suricata/suricata.yaml
sudo cat /etc/suricata/suricata.yaml
...
  address-groups:
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
    HOME_NET: "[192.168.56.128/25]"
...
```

## Launch

Create some rules:

```
cat http.rules
alert http any any -> any any (msg:"HTTP GET Request Detected"; flow:established,to_server; http.method; content:"GET"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"HTTP POST Request Detected"; flow:established,to_server; http.method; content:"POST"; sid:1000002; rev:1;)
```

```
suricata -h
ip a
sudo suricata -s http.rules -i enp0s3
```

In another terminal:

```
sudo tail -f /var/log/suricata/fast.log
```

References:

- https://docs.suricata.io/en/latest/install.html#installing-from-package-repositories
- https://docs.suricata.io/en/latest/rule-management/adding-your-own-rules.html#
- https://github.com/OISF/suricata/tree/master/rules

# DiE

```
sudo dnf install cmake qt5-qtbase-devel qt5-qttools-devel qt5-qtmultimedia-devel qt5-qtsvg-devel qt5-qtwebsockets-devel qt5-qtdeclarative-devel qt5-qtscript-devel qt5-qtquickcontrols2-devel qt5-qtwayland-devel
git clone --recursive https://github.com/horsicq/DIE-engine.git
cd DIE-engine
mkdir -p build
cmake . -B build
cd build
make -j4
sudo make install -j4
```

## Configuration

```
sudo dnf install qt5ct
echo 'export QT_QPA_PLATFORMTHEME=qt5ct' >> ~/.zshrc
source ~/.zshrc
```

`qt5ct` --> Appearance --> Palette --> Custom --> Color scheme --> darker --> OK, then log out and log back in.

## Launch

```
die
```

or

```
diec
```

References:

- https://github.com/horsicq/Detect-It-Easy/blob/master/docs/BUILD.md#how-to-build-with-cmake
- https://unix.stackexchange.com/questions/745499/how-to-enable-dark-theme-for-qt-applications

# VirtualBox

```
sudo dnf install gcc make perl kernel-devel
wget https://www.virtualbox.org/download/oracle_vbox_2016.asc
sudo rpm --import oracle_vbox_2016.asc
wget https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo
sudo mv virtualbox.repo /etc/yum.repos.d/
sudo dnf install VirtualBox-7.0
sudo usermod -a -G vboxusers $USER
```

Verify the fingerprint of the imported key before installing anything from the repository:

```
B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF
Oracle Corporation (VirtualBox archive signing key)
```

## Fedora VM

Install
[Fedora](https://fedoraproject.org/workstation/download).

### Configuration

- VM settings:
  - **Settings** --> **System**
    - --> **Processor** --> Processors: 4
    - --> **Motherboard** --> Base Memory: 4096
  - **Devices** --> **Shared Clipboard** --> Bidirectional
- **Settings** (inside the guest):
  - --> **Display** --> **Resolution** --> 1600 x 900
  - --> **Appearance** --> **Style** --> Dark
- `sudo dnf upgrade --refresh -y`
- Install the tools listed [above](#malware-analysis-toolkit)
- VM settings (do this last: an internal network has no route to the host or the Internet, so all packages must already be installed):
  - **Settings**
    - --> **Adapter 1** --> Attached to: Internal Network
    - --> **Shared Folders** --> add a read-only, auto-mount folder, path: `/home/gemesa/malware-bazaar`
- Create a VM snapshot

## Troubleshooting

### `VirtualBox can't enable the AMD-V extension. Please disable the KVM kernel extension, recompile your kernel and reboot (VERR_SVM_IN_USE)`

Check whether the KVM modules hold the virtualization extension:

```
lsmod | grep kvm
```

```
sudo modprobe -r kvm_amd
```

or

```
sudo modprobe -r kvm_intel
```

References:

- https://www.virtualbox.org/wiki/Linux_Downloads

# Python

```
sudo dnf install python pip
```

# LLVM

```
sudo dnf install llvm
```

# OpenSSL

```
sudo dnf install openssl
```

# capa

```
wget https://github.com/mandiant/capa/releases/download/v9.1.0/capa-v9.1.0-linux.zip
unzip capa-v9.1.0-linux.zip
sudo mv capa /usr/local/bin/
```

# frida

```
pip install frida-tools
```

# rbi

```
git clone https://github.com/N0fix/rustbininfo
sudo dnf install poetry
cd rustbininfo
poetry build
pip install dist/*.whl
```

# QEMU

```
sudo dnf install qemu-user
sudo dnf install qemu-user-static
sudo dnf install qemu-user-static-aarch64
sudo dnf install qemu-system-aarch64
sudo dnf install qemu-system-aarch64-core
sudo dnf install sysroot-aarch64-fc41-glibc
```

# shadow-shell

```
git clone https://github.com/gemesa/shadow-shell
sudo dnf install mingw64-gcc
sudo dnf install gcc-aarch64-linux-gnu
sudo dnf install binutils-aarch64-linux-gnu
sudo dnf install sysroot-aarch64-fc41-glibc
sudo dnf install llvm
cd shadow-shell
```

then

```
make arm64x
make x64
```

# Qiling

```
pip install qiling
```

References:

- https://docs.qiling.io/en/latest/install/

# YARA

```
wget https://github.com/VirusTotal/yara-x/releases/download/v0.13.0/yara-x-v0.13.0-x86_64-unknown-linux-gnu.gz
tar -xzf yara-x-v0.13.0-x86_64-unknown-linux-gnu.gz
sudo mv yr /usr/local/bin/
```

References:

- https://virustotal.github.io/yara-x/docs/intro/installation/

# Wireshark

```
sudo dnf install wireshark
sudo usermod -a -G wireshark gemesa
```

# Joern

```
git clone https://github.com/joernio/joern
cd joern
sdk install scala
sdk install sbt
sbt stage
```

References:

- https://docs.joern.io/

# ILSpy

```
brew install dotnet@8
export DOTNET_ROOT=/opt/homebrew/opt/dotnet@8/libexec
export PATH=$PATH:/Users/gemesa/.dotnet/tools
dotnet tool install --global ilspycmd
```

Usage (dump the IL of one type, or decompile the whole assembly into a project):

```
ilspycmd -il -t Client.Settings -o Client.Settings.il ~/Downloads/cfe65a88ebc858c083c6bfd48d1caf16128a420d9352b46c3107b8b1a1614639.exe
ilspycmd -p -o ./AsyncRAT ~/Downloads/cfe65a88ebc858c083c6bfd48d1caf16128a420d9352b46c3107b8b1a1614639.exe
```

Browse the decompiled project in VS Code (install the `C# Dev Kit` extension first).

Alternatively, use the deprecated [AvaloniaILSpy](https://github.com/icsharpcode/AvaloniaILSpy/), which has a GUI.

References:

- https://github.com/icsharpcode/ILSpy/blob/master/ICSharpCode.ILSpyCmd/README.md

# ipsw

```
brew install ipsw
```

# pythonnet

```
brew install dotnet
export DOTNET_ROOT=/opt/homebrew/opt/dotnet/libexec
pip install pythonnet
curl -L -o dnlib.nupkg https://www.nuget.org/api/v2/package/dnlib/
unzip dnlib.nupkg -d dnlib_pkg
cp dnlib_pkg/lib/netstandard2.0/dnlib.dll .
```

Usage:

```
from pythonnet import load

# Select the runtime before `import clr`, otherwise pythonnet falls back to its default.
load("coreclr")

import clr
import sys

sys.path.append(".")        # directory that holds dnlib.dll
clr.AddReference("dnlib")

from dnlib.DotNet import ModuleDefMD

module = ModuleDefMD.Load("dcrat.exe")
print(f"Module: {module.Name}")
for t in module.Types:
    if t.Name != "":
        print(f"  Class: {t.Namespace}.{t.Name}")
```

```
python3 test.py
Module: ClientJAH.exe
  Class: Client.Program
  Class: Client.Settings
  Class: Client.Connection.ClientSocket
  Class: Client.Connection.Amsi
  Class: Client.Connection.Win32
  Class: Client.Install.NormalStartup
  Class: Client.Helper.AntiProcess
  Class: Client.Helper.PROCESSENTRY32
  Class: Client.Helper.Anti_Analysis
  Class: Client.Helper.Camera
  Class: Client.Helper.HwidGen
  Class: Client.Helper.IdSender
  Class: Client.Helper.Methods
  Class: Client.Helper.MutexControl
  Class: Client.Helper.NativeMethods
  Class: Client.Helper.ProcessCritical
  Class: Client.Helper.SetRegistry
  Class: Client.Algorithm.Aes256
  Class: MessagePackLib.MessagePack.BytesTools
  Class: MessagePackLib.MessagePack.MsgPackEnum
  Class: MessagePackLib.MessagePack.MsgPackArray
  Class: MessagePackLib.MessagePack.MsgPack
  Class: MessagePackLib.MessagePack.MsgPackType
  Class: MessagePackLib.MessagePack.ReadTools
  Class: MessagePackLib.MessagePack.WriteTools
  Class: MessagePackLib.MessagePack.Zip
  Class: .
```

# JADX

```
git clone https://github.com/skylot/jadx.git
cd jadx
./gradlew dist
sudo cp build/jadx/bin/jadx /usr/local/bin/
sudo cp build/jadx/bin/jadx-gui /usr/local/bin/
sudo cp build/jadx/lib/jadx-dev-all.jar /usr/local/lib/
```

Fedora:

```
sudo dnf install google-noto-sans-cjk-fonts google-noto-serif-cjk-fonts
```

Note: this is required for applications that contain Chinese/Japanese/Korean characters.

# Android Studio

Download `android-studio-*-linux.tar.gz` from https://developer.android.com/studio.

```
sudo dnf install zlib.i686 ncurses-libs.i686 bzip2-libs.i686
sudo tar -xzf android-studio-*-linux.tar.gz -C /opt/
sudo ln -sf /opt/android-studio/bin/studio /usr/local/bin/android-studio
```

```
echo 'export ANDROID_HOME=$HOME/Android/Sdk' >> ~/.zshrc
echo 'export PATH=$PATH:$ANDROID_HOME/platform-tools' >> ~/.zshrc
echo 'export PATH=$PATH:$ANDROID_HOME/emulator' >> ~/.zshrc
echo 'export PATH=$PATH:$ANDROID_HOME/cmdline-tools/latest/bin' >> ~/.zshrc
echo 'export PATH=$PATH:$ANDROID_HOME/build-tools/$(ls $ANDROID_HOME/build-tools | tail -1)' >> ~/.zshrc
source ~/.zshrc
```

After the first launch, install the command-line tools:

- **More Actions** --> **SDK Manager** --> **SDK Tools** --> **Android SDK Command-line Tools (latest)**

## Launch

```
android-studio
```

References:

- https://developer.android.com/studio/install#linux

# Apktool

```
git clone https://github.com/iBotPeaches/Apktool
cd Apktool
./gradlew build shadowJar proguard
sudo cp scripts/osx/apktool /usr/local/bin/
sudo cp brut.apktool/apktool-cli/build/libs/apktool-v2.12.1-27-255a875a-SNAPSHOT.jar /usr/local/bin/apktool.jar
```

Note: `objection` needs a stable release, because it parses the version string that `apktool --version` reports as SemVer and a snapshot build's `v...-SNAPSHOT` string does not parse:

```
$ objection patchapk -s com.facebook.katana_x86_64.patched.apk
No architecture specified. Determining it using `adb`...
Detected target device architecture as: x86_64
Using latest Github gadget version: 17.7.3
Remote FridaGadget version is v17.7.3, local is v0. Downloading...
Downloading from: https://github.com/frida/frida/releases/download/17.7.3/frida-gadget-17.7.3-android-x86_64.so.xz
Downloading x86_64 library to /home/gemesa/.objection/android/x86_64/libfrida-gadget.so.xz...
Unpacking /home/gemesa/.objection/android/x86_64/libfrida-gadget.so.xz...
Cleaning up downloaded archives...
Patcher will be using Gadget version: 17.7.3
Detected apktool version as: v2.12.1-33-0df4f393-SNAPSHOT
Traceback (most recent call last):
  File "/home/gemesa/.local/bin/objection", line 8, in <module>
    sys.exit(cli())
             ~~~^^
  File "/home/gemesa/.local/lib/python3.14/site-packages/click/core.py", line 1485, in __call__
    return self.main(*args, **kwargs)
           ~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/home/gemesa/.local/lib/python3.14/site-packages/click/core.py", line 1406, in main
    rv = self.invoke(ctx)
  File "/home/gemesa/.local/lib/python3.14/site-packages/click/core.py", line 1873, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
  File "/home/gemesa/.local/lib/python3.14/site-packages/click/core.py", line 1269, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/gemesa/.local/lib/python3.14/site-packages/click/core.py", line 824, in invoke
    return callback(*args, **kwargs)
  File "/home/gemesa/.local/lib/python3.14/site-packages/objection/console/cli.py", line 344, in patchapk
    patch_android_apk(**locals())
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^
  File "/home/gemesa/.local/lib/python3.14/site-packages/objection/commands/mobile_packages.py", line 190, in patch_android_apk
    if not patcher.is_apktool_ready():
           ~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/home/gemesa/.local/lib/python3.14/site-packages/objection/utils/patchers/android.py", line 252, in is_apktool_ready
    if semver.compare(o, min_version) < 0:
       ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
  File "/home/gemesa/.local/lib/python3.14/site-packages/semver/_deprecated.py", line 81, in wrapper
    return func(*args, **kwargs)  # type: ignore
  File "/home/gemesa/.local/lib/python3.14/site-packages/semver/_deprecated.py", line 113, in compare
    return Version.parse(ver1).compare(ver2)
           ~~~~~~~~~~~~~^^^^^^
  File "/home/gemesa/.local/lib/python3.14/site-packages/semver/version.py", line 644, in parse
    raise ValueError(f"{version} is not valid SemVer string")
ValueError: v2.12.1-33-0df4f393-SNAPSHOT is not valid SemVer string
Cleaning up temp files...
```

References:

- https://apktool.org/docs/build

# Binwalk

```
git clone https://github.com/ReFirmLabs/binwalk
cd binwalk
sudo ./build_docker.sh
```

## Launch

```
sudo docker run -t -v "$PWD":/analysis binwalkv3 -Me firmware.bin
```

References:

- https://github.com/ReFirmLabs/binwalk/wiki/Building-A-Binwalk-Docker-Image
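The `zeek-cut` pipeline in the Zeek section reads Zeek's tab-separated logs, whose `#fields` and `#unset_field` header lines define the columns. The following is an added example, not code from gemesa/malware-analysis-toolkit or from Zeek: it parses that format in Python, selects columns the way `zeek-cut -d ts uid id.orig_h host` does, and groups the Host headers each sandbox client asked for. The `http.log` content is constructed for the example and the client address `192.168.56.101` is assumed.

```python
"""zeek-cut in Python: parse Zeek's TSV logs and select columns.

Added example for the Zeek section; it is not part of gemesa/malware-analysis-toolkit.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional

# Constructed http.log in Zeek's default TSV layout (tab separated, as the "\t" joins
# produce). The server address is the INetSim host used above; the client is assumed.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#open\t2025-01-01-00-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring",
    "1735689600.123456\tCabc123\t192.168.56.101\t49152\t192.168.56.128\t80\tGET\tupdate.example.test\t/gate.php",
    "1735689601.000000\tCdef456\t192.168.56.101\t49153\t192.168.56.128\t80\tPOST\t-\t/upload",
    "#close\t2025-01-01-00-00-05",
])

Record = Dict[str, Optional[str]]


def parse_zeek_log(text: str) -> Iterator[Record]:
    """Yield one dict per data row; unset fields ('-' by default) become None."""
    sep, unset = "\t", "-"
    fields: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is written escaped (\x09) because a tab cannot be printed literally.
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            continue  # #types, #open, #close, ... are not needed here
        if not fields:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def zeek_cut(records, fields: List[str], human_time: bool = False) -> List[List[str]]:
    """Select columns like `zeek-cut [-d] field...`; -d renders ts in UTC (zeek-cut uses local time)."""
    rows = []
    for rec in records:
        row = []
        for f in fields:
            v = rec.get(f)
            if f == "ts" and human_time and v is not None:
                v = datetime.fromtimestamp(float(v), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
            row.append("-" if v is None else v)
        rows.append(row)
    return rows


def hosts_by_client(records) -> Dict[str, List[str]]:
    """Host headers each client requested; rows with an unset host are skipped."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("host") is not None:
            seen[rec["id.orig_h"]].add(rec["host"])
    return {client: sorted(hosts) for client, hosts in seen.items()}


if __name__ == "__main__":
    recs = list(parse_zeek_log(SAMPLE_HTTP_LOG))
    for row in zeek_cut(recs, ["ts", "uid", "id.orig_h", "host"], human_time=True):
        print("\t".join(row))
    print(hosts_by_client(recs))
```

Read a real log with `list(parse_zeek_log(open("http.log").read()))`; the same parser handles `conn.log` or `dns.log`, since the column names come from the file's own `#fields` header rather than from the code.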
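For the Suricata section, the following is an added example and not code from the repository or from Suricata. It parses the two rules from `http.rules` into their header fields and option list, parses alert lines in the one-line `fast.log` format that `tail -f /var/log/suricata/fast.log` shows, and joins the two by SID so that each alert can be traced back to the rule that fired. The `fast.log` lines are constructed; they use the `(null)` classification and priority 3 that Suricata prints for rules that set no `classtype`, and the client address `192.168.56.101` is assumed.

```python
"""Parse Suricata rules and fast.log alerts and join them by SID.

Added example for the Suricata section; not part of gemesa/malware-analysis-toolkit.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# The two rules from http.rules above.
RULES = """\
alert http any any -> any any (msg:"HTTP GET Request Detected"; flow:established,to_server; http.method; content:"GET"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"HTTP POST Request Detected"; flow:established,to_server; http.method; content:"POST"; sid:1000002; rev:1;)
"""

# Constructed alerts in fast.log's one-line format; the server is the INetSim host above.
SAMPLE_FAST_LOG = """\
01/01/2025-00:00:00.123456  [**] [1:1000001:1] HTTP GET Request Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.101:49152 -> 192.168.56.128:80
01/01/2025-00:00:01.000000  [**] [1:1000002:1] HTTP POST Request Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.101:49153 -> 192.168.56.128:80
01/01/2025-00:00:02.000000  [**] [1:1000001:1] HTTP GET Request Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.56.101:49154 -> 192.168.56.128:80
"""

OPTION_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')  # ';' that is not inside a quoted value

FAST_LOG = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)  # ports are optional (ICMP alerts have none); IPv6 literals are out of scope here

Rule = Dict[str, object]


def parse_rule(rule: str) -> Rule:
    """Split one rule into its seven header fields and an ordered option list."""
    head, paren, body = rule.strip().partition("(")
    if not paren or not body.endswith(")"):
        raise ValueError(f"options must be in parentheses: {rule!r}")
    parts = head.split()
    if len(parts) != 7:
        raise ValueError(f"header must be 'action proto src sport dir dst dport': {head!r}")
    options: List[Tuple[str, Optional[str]]] = []
    for opt in OPTION_SPLIT.split(body[:-1]):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options.append((key.strip(), value.strip().strip('"') if value else None))
    by_key = dict(options)  # a later duplicate wins; fine for sid/rev/msg
    if by_key.get("sid") is None:
        raise ValueError(f"rule has no sid: {rule!r}")
    return {
        "action": parts[0], "proto": parts[1], "src": parts[2], "sport": parts[3],
        "direction": parts[4], "dst": parts[5], "dport": parts[6],
        "sid": int(by_key["sid"]), "rev": int(by_key.get("rev") or 0),
        "msg": by_key.get("msg") or "", "options": options,
    }


def load_rules(text: str) -> Dict[int, Rule]:
    """Parse a rules file into {sid: rule}; duplicate SIDs are rejected, as Suricata would."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule["sid"] in rules:
            raise ValueError(f"duplicate sid {rule['sid']}")
        rules[rule["sid"]] = rule
    return rules


def parse_fast_log(text: str) -> List[Dict[str, object]]:
    """One dict per alert line; numeric fields are converted, missing ports become None."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_LOG.match(line)
        if m is None:
            raise ValueError(f"unrecognised fast.log line: {line!r}")
        a = dict(m.groupdict())
        for k in ("gid", "sid", "rev", "priority"):
            a[k] = int(a[k])
        for k in ("sport", "dport"):
            a[k] = int(a[k]) if a[k] is not None else None
        alerts.append(a)
    return alerts


def summarize(alerts, rules):
    """Alert count per (sid, source address) plus any SIDs that no loaded rule explains."""
    counts = Counter((a["sid"], a["src"]) for a in alerts)
    unknown = sorted({a["sid"] for a in alerts if a["sid"] not in rules})
    return counts, unknown


if __name__ == "__main__":
    rules = load_rules(RULES)
    counts, unknown = summarize(parse_fast_log(SAMPLE_FAST_LOG), rules)
    for (sid, src), n in counts.most_common():
        print(f"{n:4}  sid:{sid}  {src}  {rules[sid]['msg']}")
    print("unknown sids:", unknown)
```

`load_rules` is also a cheap sanity check before `suricata -s http.rules`: a rule with a malformed header, missing `sid` or a SID that collides with another custom rule is reported here rather than in Suricata's startup log.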
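The `objection` traceback in the Apktool section ends in `semver.compare(o, min_version)` rejecting `v2.12.1-33-0df4f393-SNAPSHOT`. The following is an added example, not code from objection, python-semver or the repository: it re-implements that comparison with the SemVer 2.0.0 grammar published at semver.org, so it runs without the `semver` package and shows two things about git-built snapshot jars. The leading `v` is what makes the string unparsable, and even with the `v` stripped, a `-SNAPSHOT` prerelease sorts below the release it precedes. The minimum version `2.9.3` is an assumed value for illustration; objection's real threshold is not quoted on this page.

```python
"""Why objection rejects a snapshot build of apktool: the SemVer check behind the traceback.

Added example; not objection's, python-semver's or the repository's code.
"""
import re
from typing import Tuple

# Assumed minimum for illustration; objection's real threshold lives in its own
# objection/utils/patchers/android.py and is not quoted on this page.
MIN_APKTOOL_VERSION = "2.9.3"

# Official SemVer 2.0.0 regex (semver.org, "Is there a suggested regular expression?").
SEMVER_RE = re.compile(
    r"^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+(?P<build>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)

Parsed = Tuple[int, int, int, Tuple[str, ...]]


def parse_semver(version: str) -> Parsed:
    """Return (major, minor, patch, prerelease identifiers); raise the same way python-semver does."""
    m = SEMVER_RE.match(version)
    if m is None:
        raise ValueError(f"{version} is not valid SemVer string")
    pre = m.group("prerelease")
    return (int(m["major"]), int(m["minor"]), int(m["patch"]), tuple(pre.split(".")) if pre else ())


def _cmp(a, b) -> int:
    return (a > b) - (a < b)


def _cmp_prerelease(a: Tuple[str, ...], b: Tuple[str, ...]) -> int:
    # SemVer 11.3/11.4: a version without prerelease outranks one with; numeric identifiers
    # compare numerically and rank below alphanumeric ones; if all shared identifiers are
    # equal, the longer list wins.
    if not a or not b:
        return _cmp(bool(b), bool(a))
    for x, y in zip(a, b):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            c = _cmp(int(x), int(y))
        elif xn != yn:
            c = -1 if xn else 1
        else:
            c = _cmp(x, y)
        if c:
            return c
    return _cmp(len(a), len(b))


def compare(v1: str, v2: str) -> int:
    """-1, 0 or 1, like semver.compare(); build metadata after '+' is ignored, per the spec."""
    a, b = parse_semver(v1), parse_semver(v2)
    return _cmp(a[:3], b[:3]) or _cmp_prerelease(a[3], b[3])


def normalize_apktool_version(reported: str) -> str:
    """Strip the 'v' that git-describe based snapshot builds prepend to the version they report."""
    return reported[1:] if reported.startswith("v") and reported[1:2].isdigit() else reported


def apktool_ready(reported: str, min_version: str = MIN_APKTOOL_VERSION) -> bool:
    """The check from the traceback, returning False instead of crashing on an unparsable string."""
    try:
        return compare(reported, min_version) >= 0
    except ValueError:
        return False


if __name__ == "__main__":
    for v in ("v2.12.1-33-0df4f393-SNAPSHOT", "2.12.1-33-0df4f393-SNAPSHOT", "2.12.1"):
        print(f"{v:32} ready={apktool_ready(v)}")
```

Stripping the `v` only makes the string parsable; whether a snapshot then passes depends on the threshold, because `2.12.1-33-0df4f393-SNAPSHOT` is ranked below `2.12.1`. Installing a release jar, as the note above says, avoids both problems.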