{"id":62956,"date":"2019-12-23T09:00:49","date_gmt":"2019-12-23T01:00:49","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=62956"},"modified":"2019-12-21T16:58:18","modified_gmt":"2019-12-21T08:58:18","slug":"waterbear-%e5%8f%88%e5%9b%9e%e4%be%86%e4%ba%86%ef%bc%8c%e9%80%99%e6%ac%a1%e4%bd%bf%e7%94%a8-api-%e6%94%94%e6%88%aa%e6%8a%80%e5%b7%a7%e8%ba%b2%e9%81%bf%e8%b3%87%e5%ae%89%e7%94%a2%e5%93%81%e5%81%b5","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=62956","title":{"rendered":"Waterbear is back, this time using API hooking to evade security product detection"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"alignleft is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/Malware-380x238.jpg\" alt=\"\" width=\"242\" height=\"152\"\/><\/figure><\/div>\n\n\n\n<p>Waterbear is a long-running campaign that relies on modular malware and can add functionality from a remote server. The operators behind it are most likely the <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/following-trail-blacktech-cyber-espionage-campaigns\/\">BlackTech<\/a> cyberespionage group, which mainly targets technology companies and government agencies in East Asia (particularly Taiwan, and at times Japan and Hong Kong) and is also behind notorious campaigns such as PLEAD and Shrouded Crossbow. In earlier attacks we saw Waterbear used mainly for lateral movement, with a file loader that decrypts and triggers encrypted payloads. In most cases these payloads are backdoors that receive and load further modules. In a recent attack, however, <a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">Trend Micro<\/a> found a Waterbear payload with an entirely new purpose: it uses API hooking to hide its network activity from the product of a specific security vendor. According to our analysis, the vendor is based in the Asia-Pacific region, which is precisely the region BlackTech habitually targets.<\/p>\n\n\n\n<table  class=\"wp-block-table is-style-stripes table table-hover\" ><tbody><tr><td> <ins>[Further reading: <\/ins><a href=\"https:\/\/blog.trendmicro.com.tw\/?p=50684\">BlackTech, the cyberespionage group that mainly targets Taiwan and steals confidential technology<\/a><ins>]<\/ins> <\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>Because the attackers knew which API to hook to evade detection, they are most likely familiar with how that security product collects information on the endpoint and on the network. Moreover, because the code hooks APIs in a generic way, it is likely that only small code changes would be needed in the future to keep other products from detecting Waterbear as well.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A closer look at Waterbear<\/h2>\n\n\n\n<p>Waterbear's malware is modular: it uses a DLL loader to decrypt and execute an RC4-encrypted payload. That payload is usually a first-stage backdoor that receives and executes follow-up executables from the attackers. First-stage backdoors of this kind come in two broad types: the first actively connects to a command-and-control (C&amp;C) server, while the second keeps listening on a port and waits for a remote connection. We found that the paths of some encrypted payloads are hardcoded and do not point to Windows system directories (some point to the directories of security products or third-party libraries, for example), which suggests the attackers were already familiar with the target's environment. In addition, the attackers sometimes use Waterbear as a second-stage implant for long-term persistence after they have already compromised the target system, since Waterbear often uses an internal IP address as its C&amp;C server address: the sample BKDR64_WATERBEAR.ZTGD (hash b9f3a3b9452a396c3ba0ce4a644dd2b7f494905e820e7b1c6dca2fdcce069361; see the table at the end of the post), for example, uses 10.0.0.211 as its C&amp;C server IP address.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Typical Waterbear infection chain<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/Figure-1-01-v3.jpg\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 1: Typical Waterbear infection chain.<\/p>\n\n\n\n<p>As Figure 1 shows, a Waterbear infection starts with loading a malicious DLL. We have seen two techniques for loading it. The first is <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/attack-gains-foothold-against-east-asian-government-through-auto-start\/\">modifying a legitimate server application<\/a> so that it imports and loads the malicious DLL; the second is phantom DLL hijacking combined with DLL side-loading. Some Windows services try to load external DLLs with hardcoded names and paths at system startup. If such a DLL is an old one (that is, one Windows no longer supports) or a third-party DLL (not part of the original Windows system), the attackers can rename their malicious DLL to the hardcoded name and place it in one of the directories the system searches when loading DLLs. Once the malicious DLL is loaded, it runs with the same system privileges as the service that loaded it.<\/p>\n\n\n\n<p>Our recent research into Waterbear shows that its malicious DLL loads two payloads whose roles we have not seen in any other Waterbear campaign. The first injects code into the process of a specific security product in order to hide the backdoor used in the attack. The second is a typical Waterbear first-stage backdoor, which we examine first below using a case observed during our analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Waterbear first-stage backdoor<\/h2>\n\n\n\n<p>In one of the folders listed in the <strong>%PATH%<\/strong> environment variable we found a Waterbear loader named <strong>ociw32.dll<\/strong>. That DLL name is hardcoded in <strong>mtxoci.dll<\/strong>, a DLL loaded at startup by the Microsoft Distributed Transaction Coordinator (MSDTC) service. Normally, <strong>mtxoci.dll<\/strong> first checks whether the <strong>OracleOciLib<\/strong> value exists under the registry key <strong>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI<\/strong>. If it exists, it reads the value and loads the DLL it names. If it does not, <strong>mtxoci.dll<\/strong> tries to load <strong>ociw32.dll<\/strong> instead. On the victim system we examined, the <strong>OracleOciLib<\/strong> registry value had been deleted (as Figure 2 shows), which is why MSDTC loaded and executed the attackers' <strong>ociw32.dll<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/FIG-2.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 2: The registry value OracleOciLib has been deleted on the victim host.<\/p>\n\n\n\n<p><em>Note: the left image shows the DLL registry values listed on a normal system; the right image shows the victim system, which is missing one of them. Because the <\/em><strong><em>OracleOciLib<\/em><\/strong><em> value does not exist, the hardcoded <\/em><strong><em>ociw32.dll<\/em><\/strong><em> is loaded instead, which is what launches Waterbear's malicious DLL.<\/em><\/p>\n\n\n\n<p>When Waterbear's malicious DLL runs, it first checks whether a hardcoded path exists and then tries to decrypt the corresponding payload, which is a piece of encrypted shellcode. The payload is encrypted with RC4, and the decryption key is derived from a hardcoded file path. If the decrypted payload is intact, the shellcode is injected into the process (svchost.exe) of a Windows service (here, LanmanServer). In most cases this code is a first-stage backdoor whose main job is to receive the second-stage payload, either by connecting to a C&amp;C server or by opening a port and waiting for an external connection, and then to load the executable it receives.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">First-stage backdoor configuration<\/h2>\n\n\n\n<p>The configuration of Waterbear's first-stage backdoor contains the information the program needs to run correctly and to communicate externally.<\/p>\n\n\n\n<ul><li>Offset 0x00, size 0x10: encryption \/ decryption key used by the functions<\/li><li>Offset 0x10, size 0x04: 0x0BB8 (reserved)<\/li><li>Offset 0x14, size 0x10: version (for example 0.13, 0.14, 0.16)<\/li><li>Offset 0x24, size 0x10: mutex or reserved bytes<\/li><li>Offset 0x34, size 0x78: C&amp;C server address, XOR-encrypted with the key 0xFF. If the backdoor listens on a port, this field is filled with 0x00.<\/li><li>Offset 0xAC, size 0x02: port<\/li><li>Offset 0xAE, size 0x5A: reserved bytes.<\/li><li>Table: payload function address table. This block is initially filled with 0x00 and populated at runtime.<\/li><li>Table: function sizes.<\/li><li>Table: API address table. This block is initially filled with 0x00 and populated at runtime with the addresses of the loaded APIs.<\/li><li>Table: API hashes needed for dynamic API loading.<\/li><li>List of DLL names and the number of APIs to load.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/Figure-3-01-v2-900x1563.jpg\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 3: Structure of the first-stage backdoor configuration.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Anti-memory-scanning mechanism of the shellcode payload<\/h2>\n\n\n\n<p>To evade runtime memory scanning by security software, the payload encrypts all of its function blocks before carrying out its actual malicious behavior. Whenever it needs a function, it decrypts that function, executes it, and encrypts it again, as Figure 4 shows. If a function will not be needed again, another function scrambles its contents, as Figure 6 shows: the scrambling function fills every byte of the specified block with a random value, so the block cannot be recovered. The purpose is to further avoid detection by a specific network security product.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/FIG-4.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 4: The decrypt, execute, re-encrypt cycle for functions during shellcode execution.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/FIG-5.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 5: The function that encrypts and decrypts function blocks.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/FIG-6.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 6: The function that scrambles a function's contents.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Waterbear changes its methods but not its nature<\/h2>\n\n\n\n<p>During our research we came across an unusual case that differs from the other Waterbear infections we had seen. This time the malicious DLL loaded two payloads: the first showed behavior we had not seen before, using API hooking to inject code into a specific security product so that the backdoor would not be detected by that product; the second was a typical Waterbear first-stage backdoor.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/API-Hooking-01.jpg\" alt=\"Figure 7. An unusual Waterbear infection chain\"\/><\/figure>\n\n\n\n<p>Figure 7: An atypical Waterbear infection chain.<\/p>\n\n\n\n<p>Both payloads are stored encrypted on the victim machine's disk, and both are injected into the same service (here, LanmanServer). We found that the loader tries to read both files from disk, decrypts them, and then injects them into threads according to the following conditions:<\/p>\n\n\n\n<ol><li>If the first payload cannot be found on disk, the loader terminates without loading the second.<\/li><li>If the first payload is successfully decrypted and injected into the service, the second is also loaded and injected, regardless of the outcome of the first thread.<\/li><li>In the first injected thread, if the security product's required executable cannot be found, the thread terminates and abandons the rest of its malicious behavior. Note that only that thread terminates; the original service keeps running normally.<\/li><\/ol>\n\n\n\n<p>Whether or not the API hooking succeeds, the second backdoor runs normally once it has been loaded.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Using API hooking to evade detection<\/h2>\n\n\n\n<p>To hide the behavior of the first-stage backdoor (that is, downloading the second payload), the first payload uses API hooking to tamper with the results returned by API functions so that the backdoor's behavior is not detected by the security product. It hooks the two API functions <strong>ZwOpenProcess<\/strong> and <strong>GetExtendedTcpTable<\/strong> to hide its activity. It only modifies the functions in memory within the security product's process, so the original system DLLs are unaffected.<\/p>\n\n\n\n<p>The payload consists of two stages of shellcode. The first-stage shellcode looks for a specific process of the security product by name and injects the second-stage shellcode into it. The second-stage shellcode then hooks the API functions inside the target process.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Hiding the process ID (PID)<\/h3>\n\n\n\n<p>The process ID (PID) is stored in the shared memory section <strong>Global\\&lt;computer_name&gt;<\/strong>. If that shared memory does not exist, the malware uses the PID supplied by the first-stage shellcode. What the code wants to do here is keep the security product from noticing Waterbear's backdoor activity. The first-stage shellcode therefore obtains the PID of the Windows service (that is, the process into which the first-stage shellcode and the subsequent backdoor are injected), hides that process, and writes its PID into the second-stage shellcode.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/fig8new.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 8: Writing the current PID into the second-stage shellcode.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Hooking ZwOpenProcess in ntdll.dll<\/h3>\n\n\n\n<p>The purpose of hooking <strong>ZwOpenProcess<\/strong> is to keep the security product from accessing the hidden process. Whenever <strong>ZwOpenProcess<\/strong> is called, the injected code first checks whether the process about to be opened is one of those it wants to hide (by comparing PIDs). If so, it modifies the PID it received so that the system opens the process of a different Windows service instead.<\/p>\n\n\n\n<p>First, it builds the function to be injected and appends it to the end of <strong>ntdll.dll<\/strong>. The function has two parts (as Figure 9 shows):<\/p>\n\n\n\n<ol><li>A PID check. It checks whether the process that <strong>ZwOpenProcess<\/strong> is about to open is in the list of processes to hide (by comparing PIDs). If it is, the PID to be opened is replaced with the PID of another Windows service, which the Waterbear loader wrote in at the start.<\/li><li>After the PID check, it continues into the original <strong>ZwOpenProcess<\/strong> and returns its result.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/Figure-8-01.jpg\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 9: Hooking <strong>ZwOpenProcess<\/strong> to check and modify the function's output.<\/p>\n\n\n\n<p>Second, it writes a <strong>push &lt;ADDRESS&gt; ret<\/strong> sequence at the start of the original <strong>ZwOpenProcess<\/strong>. As a result, whenever <strong>ZwOpenProcess<\/strong> is called, the modified <strong>ZwOpenProcess<\/strong> runs instead.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/fig10new.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 10: The modified <strong>ZwOpenProcess<\/strong>.<\/p>\n\n\n\n<p>The <strong>ZwOpenProcess<\/strong> hook is only installed when the DLL <strong>%temp%\\KERNELBASE.dll<\/strong> exists on the host. This check was probably designed with the specific security product being evaded in mind.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Hooking GetExtendedTcpTable and GetRTTAndHopCount in iphlpapi.dll<\/h3>\n\n\n\n<p>The next API to be hooked is <strong>GetExtendedTcpTable<\/strong>. This function retrieves the list of TCP endpoints available to applications and is commonly used by network-related commands such as netstat. The purpose of hooking it is to remove the TCP endpoint records of certain processes. To achieve this, the malware modifies two functions, <strong>GetExtendedTcpTable<\/strong> and <strong>GetRTTAndHopCount<\/strong>; the second (<strong>GetRTTAndHopCount<\/strong>) is hooked only to provide space for the injected code.<\/p>\n\n\n\n<p>Hooking <strong>GetExtendedTcpTable<\/strong> only writes a single jump to <strong>GetRTTAndHopCount<\/strong> at its start; only the first 5 bytes of <strong>GetExtendedTcpTable<\/strong> are changed (as Figure 11 shows).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/fig11new.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 11: Only the first 5 bytes of <strong>GetExtendedTcpTable<\/strong> are modified.<\/p>\n\n\n\n<p>The rest of the code is placed in <strong>GetRTTAndHopCount<\/strong>. In the first part of that code, it pushes the return address [<strong>GetRTTAndHopCount<\/strong>+0x3E] onto the stack and then executes the first four instructions of the original <strong>GetExtendedTcpTable<\/strong> (the ones replaced by the jump in Figure 11). It then jumps into the original <strong>GetExtendedTcpTable<\/strong> to execute it and captures its return value. This code is shown in Figure 12.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/Figure-11-01.jpg\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 12: The first part of the code in <strong>GetRTTAndHopCount<\/strong>, which executes <strong>GetExtendedTcpTable<\/strong> and then returns to the next instruction.<\/p>\n\n\n\n<p>After <strong>GetExtendedTcpTable<\/strong> has run, execution returns to the second part of the code, which walks through each entry of the returned TCP table. If an entry contains a PID that Waterbear wants to hide, it removes that entry, adjusts the entry count in the table, and continues checking. Finally, it returns the modified TCP table.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/12\/Figure12-01.jpg\" alt=\"\"\/><\/figure>\n\n\n\n<p>Figure 13: The second part of the code in <strong>GetRTTAndHopCount<\/strong>, which checks and modifies the returned TCP table.<\/p>\n\n\n\n<p>Compared with simply disabling the two functions, this API hooking technique is harder to notice, because the hooked functions keep working and keep returning data as usual. Although the targeted process in this case is hardcoded in the first-stage shellcode, the hooking logic itself is generic, and the same shellcode could be used to hook the products of other vendors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p>This is the first time we have seen Waterbear try to hide its backdoor activity. Given that the product name is hardcoded, we surmise that the attackers had some knowledge of the victim's environment and of the security product in use. They may also be familiar with how the product collects endpoint and network information, which is how they knew which API functions to hook. Because the code hooks APIs in a generic way, it is likely that only small code changes would be needed in the future to keep other products from detecting Waterbear's activity as well.<\/p>\n\n\n\n<table  class=\"wp-block-table table table-hover\" ><tbody><tr><td>\n  <strong>Tactic<\/strong>\n  <\/td><td>\n  <strong>Technique<\/strong>\n  <\/td><td>\n  <strong>ID<\/strong>\n  <\/td><td>\n  <strong>Description<\/strong>\n  <\/td><\/tr><tr><td>\n  Execution\n  <\/td><td>\n  Execution through Module Load\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1129\/\">T1129<\/a>\n  <\/td><td>\n  DLLs are loaded dynamically by shellcode.\n  <\/td><\/tr><tr><td>\n  Execution through API\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1106\/\">T1106<\/a>\n  <\/td><td>\n  Via shellcode, dynamically loads 
API\u3002\n  <\/td><\/tr><tr><td>\n  \u6301\u7e8c\u6f5b\u4f0f\n  &nbsp;\n  <\/td><td>\n  API \u6514\u622a\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1179\/\">T1179<\/a>\n  &nbsp;\n  <\/td><td>\n  \u6514\u622a\u8cc7\u5b89\u7522\u54c1\u5e38\u7528\u7684 API\u3002\n  <\/td><\/tr><tr><td>\n  \u63d0\u5347\u6b0a\u9650\n  &nbsp;\n  <\/td><td>\n  \u57f7\u884c\u7a0b\u5e8f\u6ce8\u5165\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/\">T1055<\/a>\n  <\/td><td>\n  \u5c07\u89e3\u5bc6\u5f8c\u7684\u60e1\u610f\u6a94\u6848\u6ce8\u5165\u300csvchost.exe\u300d\u57f7\u884c\u7a0b\u5e8f\u7576\u4e2d\u3002\n  <\/td><\/tr><tr><td>\n  API \u6514\u622a\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1179\/\">T1179<\/a>\n  &nbsp;\n  <\/td><td>\n  \u6514\u622a\u8cc7\u5b89\u7522\u54c1\u5e38\u7528\u7684 API\u3002\n  <\/td><\/tr><tr><td>\n  \u8eb2\u907f\u9632\u79a6\n  <\/td><td>\n  \u4e8c\u9032\u4f4d\u78bc\u586b\u5145\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1009\/\">T1009<\/a>\n  <\/td><td>\n  \u586b\u5165\u7121\u610f\u7fa9\u7684\u8cc7\u6599\u4f86\u8eb2\u907f\u9632\u6bd2\u6383\u63cf\u3002\n  <\/td><\/tr><tr><td>\n  \u505c\u7528\u8cc7\u5b89\u5de5\u5177\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1089\/\">T1089<\/a>\n  <\/td><td>\n  \u6ce8\u5165\u7a0b\u5f0f\u78bc\u7684\u76ee\u7684\u662f\u70ba\u4e86\u8eb2\u907f\u7279\u5b9a\u8cc7\u5b89\u7522\u54c1\u3002\n  <\/td><\/tr><tr><td>\n  \u89e3\u5bc6\/\u89e3\u78bc\u6a94\u6848\u6216\u8cc7\u8a0a\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1140\/\">T1140<\/a>\n  <\/td><td>\n  \u4f7f\u7528 TROJ_WATERBEAR \u4f86\u5c07\u52a0\u5bc6\u7684\u60e1\u610f\u6a94\u6848\u89e3\u958b\u3002\n  <\/td><\/tr><tr><td>\n  \u57f7\u884c\u9650\u5236\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1480\/\">T1480<\/a>\n  <\/td><td>\n  
\u5c08\u9580\u91dd\u5c0d\u53d7\u5bb3\u8005\u74b0\u5883\u4e2d\u7684\u7279\u5b9a\u8edf\u9ad4\u3002\n  <\/td><\/tr><tr><td>\n  DLL \u5074\u8f09\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1073\/\">T1073<\/a>\n  &nbsp;\n  <\/td><td>\n  \u4f7f\u7528\u88ab\u4fee\u6539\u904e\u7684\u5408\u6cd5 DLL \u4f86\u8f09\u5165\u60e1\u610f DLL\u3002\n  <\/td><\/tr><tr><td>\n  \u57f7\u884c\u7a0b\u5e8f\u6ce8\u5165\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/\">T1055<\/a>\n  <\/td><td>\n  \u5c07\u89e3\u5bc6\u5f8c\u7684\u60e1\u610f\u6a94\u6848\u6ce8\u5165\u300csvchost.exe\u300d\u57f7\u884c\u7a0b\u5e8f\u7576\u4e2d\u3002\n  <\/td><\/tr><tr><td>\n  \u8cc7\u6599\u5916\u50b3\n  <\/td><td>\n  \u900f\u904e\u5e55\u5f8c\u64cd\u7e31 (C&amp;C) \u7ba1\u9053\u5c07\u8cc7\u6599\u5916\u50b3\n  <\/td><td>\n  <a href=\"https:\/\/attack.mitre.org\/techniques\/T1041\">T1041<\/a>\n  <\/td><td>\n  \u6709\u53ef\u80fd\u5c07\u8490\u96c6\u5230\u7684\u8cc7\u6599\u7d93\u7531 C&amp;C \u7ba1\u9053\u50b3\u9001\u7d66\u99ed\u5ba2\u3002\n  <\/td><\/tr><\/tbody><\/table>\n\n\n\n<h3 class=\"wp-block-heading\">\u5165\u4fb5\u6307\u6a19 (IoC)<\/h3>\n\n\n\n<table  class=\"wp-block-table table table-hover\" ><tbody><tr><td>\n  <strong>SHA256 \u96dc\u6e4a\u78bc<\/strong>\n  <\/td><td>\n  <strong>\u8da8\u52e2\u79d1\u6280\u547d\u540d<\/strong>\n  <\/td><\/tr><tr><td>\n  649675baef92381ffcdfa42e8959015e83c1ab1c7bbfd64635ce5f6f65efd651\n  <\/td><td>\n  BKDR_WATERBEAR.ZTGF\n  <\/td><\/tr><tr><td>\n  3909e837f3a96736947e387a84bb57e57974db9b77fb1d8fa5d808a89f9a401b\n  <\/td><td>\n  TROJ_WATERBEAR.ZTGD\n  <\/td><\/tr><tr><td>\n  fcfdd079b5861c0192e559c80e8f393b16ba419186066a21aab0294327ea9e58\n  <\/td><td>\n  TROJ_WATERBEAR.ZTGJ\n  <\/td><\/tr><tr><td>\n  3f26a971e393d7f6ce7bf4416abdbfa1def843a0cf74d8b7bb841ca90f5c9ed9\n  <\/td><td>\n  TROJ_WATERBEAR.ZTGH\n  <\/td><\/tr><tr><td>\n  abb91dfd95d11a232375d6b5cdf94b0f7afb9683fb7af3e50bcecdb2bd6cb035\n  <\/td><td>\n  TROJ_WATERBEAR.ZTGH\n  
<\/td><\/tr><tr><td>\n  bda6812c3bbba3c885584d234be353b0a2d1b1cbd29161deab0ef8814ac1e8e1\n  <\/td><td>\n  TROJ_WATERBEAR.ZTGI\n  <\/td><\/tr><tr><td>\n  53402b662679f0bfd08de3abb064930af40ff6c9ec95469ce8489f65796e36c3\n  <\/td><td>\n  TROJ_WATERBEAR.ZTGH\n  <\/td><\/tr><tr><td>\n  f9f6bc637f59ef843bc939cb6be5000da5b9277b972904bf84586ea0a17a6000\n  <\/td><td>\n  TROJ_WATERBEAR.ZTGI\n  <\/td><\/tr><tr><td>\n  3442c076c8824d5da065616063a6520ee1d9385d327779b5465292ac978dec26\n  <\/td><td>\n  BKDR_WATERBEAR.ZTGD\n  <\/td><\/tr><tr><td>\n  7858171120792e5c98cfa75ccde7cba49e62a2aeb32ed62322aae0a80a50f1ea\n  <\/td><td>\n  TROJ64_WATERBEAR.ZTGI\n  <\/td><\/tr><tr><td>\n  acb2abc7fb44c2fdea0b65706d1e8b4c0bfb20e4bd4dcee5b95b346a60c6bd31\n  <\/td><td>\n  BKDR_WATERBEARENC.ZTGF\n  <\/td><\/tr><tr><td>\n  b9f3a3b9452a396c3ba0ce4a644dd2b7f494905e820e7b1c6dca2fdcce069361\n  <\/td><td>\n  BKDR64_WATERBEAR.ZTGD\n  <\/td><\/tr><tr><td>\n  7c0d2782a33debb65b488893705e71a001ea06c4eb4fe88571639ed71ac85cdd\n  <\/td><td>\n  BKDR_WATERBEARENC.ZTGH\n  <\/td><\/tr><tr><td>\n  c7c7b2270767aaa2d66018894a7425ba6192730b4fe2130d290cd46af5cc0b7b\n  <\/td><td>\n  BKDR_WATERBEARENC.ZTGI\n  <\/td><\/tr><tr><td>\n  7532fe7a16ba1db4d5e8d47de04b292d94882920cb672e89a48d07e77ddd0138\n  <\/td><td>\n  BKDR_WATERBEARENC.ZTGI\n  <\/td><\/tr><tr><td>\n  dea5c564c9d961ccf2ed535139fbfca4f1727373504f2972ac92acfaf21da831\n  <\/td><td>\n  BKDR_WATERBEARENC.ZTGI\n  <\/td><\/tr><tr><td>\n  05d0ab2fbeb7e0ba7547afb013d307d32588704daac9c12002a690e5c1cde3a4\n  <\/td><td>\n  BKDR64_WATERBEARENC.ZTGJ\n  <\/td><\/tr><tr><td>\n  39668008deb49a9b9a033fd01e0ea7c5243ad958afd82f79c1665fb73c7cfadf\n  <\/td><td>\n  BKDR_WATERBEARENC.ZTGD\n  <\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>&nbsp;\u539f\u6587\u51fa\u8655\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection\/\">Waterbear\nis Back, Uses API Hooking to Evade Security Product 
Detection<\/a> <em>by Vickie Su, Anita Hsieh and Dove Chiu<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Waterbear is a campaign that has been active for many years, makes heavy use of modular malware, and can add functionality remotely. Behind this campaign [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[1268],"tags":[2344],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/62956"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=62956"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/62956\/revi
sions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=62956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=62956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=62956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}