Summary

• 简介
• 一、基础知识篇
  • 1.2 学习方法
  • 1.4 Web 安全基础
    • 1.4.2 HTTP 协议基础
    • 1.4.4 常见 Web 服务器基础
    • 1.4.6 PHP 源码审计基础
  • • 1.5.1 C/C++ 语言基础
    • 1.5.3 Linux ELF
    • 1.5.5 静态链接
    • 1.5.7 内存管理
    • 1.5.9 Linux 内核
    • 1.5.11 jemalloc
  • • 1.6.1 密码学导论
    • 1.6.3 分组密码
    • 1.6.5 消息认证和哈希函数
    • 1.6.7 密码协议
    • 1.6.9 数字货币
  • • 1.7.1 Android 环境搭建
    • 1.7.3 ARM 汇编基础
• 二、工具篇
  • 虚拟化分析环境
    • 2.1.2 QEMU
    • 2.1.4 Unicorn
  • 静态分析工具
    • 2.2.2 IDA Pro
    • 2.2.4 Capstone
    • 2.2.6 Ghidra
  • 动态分析工具
    • 2.3.2 OllyDbg
    • 2.3.4 WinDbg
  • 其他工具
    • 2.4.1 pwntools
    • 2.4.3 metasploit
    • 2.4.5 Burp Suite
    • 2.4.7 Cuckoo Sandbox
• • Pwn
    • 3.1.1 格式化字符串漏洞
    • 3.1.3 栈溢出
    • 3.1.5 返回导向编程（ROP）（ARM）
    • 3.1.7 Linux 堆利用（二）
    • 3.1.9 Linux 堆利用（四）
    • 3.1.11 Linux 内核漏洞利用
    • 3.1.13 竞争条件
  • Reverse
    • 3.2.1 patch 二进制文件
    • 3.2.4 反调试技术（PE）
    • 3.2.6 指令混淆
  • Web
    • 3.3.2 XSS 漏洞利用
  • Crypto
  • Misc
  • Mobile
• • 4.1 Linux 内核调试
  • 4.3 GCC 编译参数解析
  • 4.5 ROP 防御技术
  • 4.7 通用 gadget
  • 4.9 shellcode 开发
  • 4.11
  • 4.12 利用 __stack_chk_fail
  • 4.14 glibc tcache 机制
• 五、高级篇
  • 5.1 模糊测试
    • 5.1.2 libFuzzer
  • • 5.2.1 Pin
    • 5.2.3 Valgrind
  • • 5.3.1 angr
    • 5.3.3 KLEE
  • 5.4 数据流分析
  • 5.5 污点分析
  • 5.6 LLVM
  • 5.7 程序切片
  • • 5.8.1 Z3
  • 5.10 基于二进制比对的漏洞分析
  • • 5.11.1 RetDec
• • Pwn
    • 6.1.1 pwn HCTF2016 brop
    • 6.1.3 pwn XDCTF2015 pwn200
    • 6.1.5 pwn GreHackCTF2017 beerfighter
    • 6.1.7 pwn 0CTF2015 freenote
    • 6.1.9 pwn RHme3 Exploitation
    • 6.1.11 pwn 9447CTF2015 Search-Engine
    • 6.1.13 pwn 34C3CTF2017 readme_revenge
    • 6.1.15 pwn 34C3CTF2017 SimpleGC
    • 6.1.17 pwn SECCONCTF2016 jmper
    • 6.1.19 pwn HITBCTF2018 gundam
    • 6.1.21 pwn HITCONCTF2016 Secret_Holder
    • 6.1.23 pwn BCTF2016 bcloud
    • 6.1.25 pwn HCTF2017 babyprintf
    • 6.1.27 pwn SECCONCTF2016 tinypad
    • 6.1.29 pwn Insomni’hack_teaserCTF2017 The_Great_Escape_part-3
    • 6.1.32 pwn SECCONCTF2017 vm_no_fun
    • 6.1.34 pwn N1CTF2018 memsafety
  • Reverse
    • 6.2.1 re XHPCTF2017 dont_panic
    • 6.2.3 re CodegateCTF2017 angrybird
    • 6.2.5 re PicoCTF2014 Baleful
    • 6.2.7 re CodegateCTF2018 RedVelvet
  • Web
    • 6.3.1 web HCTF2017 babycrack
  • Crypto
  • Misc
  • Mobile
• • CVE
    • 7.1.1 CVE-2017-11543 tcpdump sliplink_print 栈溢出漏洞
    • 7.1.3 CVE-2016-4971 wget 任意文件上传漏洞
    • 7.1.5 CVE–2018-1000001 glibc realpath 缓冲区下溢漏洞
    • 7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞
    • 7.1.9 CVE-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞
  • Malware
• • 8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
  • 8.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
  • 8.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks
  • 8.7 What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses
  • 8.9 Symbolic Execution for Software Testing: Three Decades Later
  • 8.11 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software
  • 8.13 New Frontiers of Reverse Engineering
  • 8.15 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning
  • 8.17 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls
  • 8.19 DroidNative: Semantic-Based Detection of Android Native Code Malware
  • 8.21 Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks
  • 8.23 Evaluating the Effectiveness of Current Anti-ROP Defenses
  • 8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis
  • 8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware
  • 8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data
  • 8.31 WYSINWYX What You See Is Not What You eXecute
  • 8.33 Under-Constrained Symbolic Execution: Correctness Checking for Real Code
  • 8.35 Q: Exploit Hardening Made Easy
  • 8.37 CUTE: A Concolic Unit Testing Engine for C
  • 8.39 DART: Directed Automated Random Testing
  • 8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time
  • 8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation
  • 8.45 Ramblr: Making Reassembly Great Again
  • 8.47 Jump-Oriented Programming: A New Class of Code-Reuse Attack
  • 8.49 Understanding Integer Overflow in C/C++
• 九、附录
  • 9.2 更多 Windows 工具
  • 9.5 幻灯片