SUMMARY.md

Summary

GitHub 地址：https://github.com/firmianay/CTF-All-In-One

• 简介
• 前言
• 一、基础知识篇
  • 1.1 CTF 简介
  • 1.2 学习方法
  • 1.3 Linux 基础
  • 1.4 Web 安全基础
    • 1.4.1 HTML 基础
    • 1.4.2 HTTP 协议基础
    • 1.4.3 JavaScript 基础
    • 1.4.4 常见 Web 服务器基础
    • 1.4.5 OWASP Top Ten Project 漏洞基础
    • 1.4.6 PHP 源码审计基础
  • 1.5 逆向工程基础
    • 1.5.1 C/C++ 语言基础
    • 1.5.2 汇编基础
    • 1.5.3 Linux ELF
    • 1.5.4 Windows PE
    • 1.5.5 静态链接
    • 1.5.6 动态链接
    • 1.5.7 内存管理
    • 1.5.8 glibc malloc
    • 1.5.9 Linux 内核
    • 1.5.10 Windows 内核
    • 1.5.11 jemalloc
  • 1.6 密码学基础
    • 1.6.1 密码学导论
    • 1.6.2 流密码
    • 1.6.3 分组密码
    • 1.6.4 公钥密码
    • 1.6.5 消息认证和哈希函数
    • 1.6.6 数字签名
    • 1.6.7 密码协议
    • 1.6.8 密钥分配与管理
    • 1.6.9 数字货币
  • 1.7 Android 安全基础
    • 1.7.1 Android 环境搭建
    • 1.7.2 Dalvik 指令集
    • 1.7.3 ARM 汇编基础
    • 1.7.4 Android 常用工具
• 二、工具篇
  • 虚拟化分析环境
    • 2.1.1 VirtualBox
    • 2.1.2 QEMU
    • 2.1.3 Docker
    • 2.1.4 Unicorn
  • 静态分析工具
    • 2.2.1 radare2
    • 2.2.2 IDA Pro
    • 2.2.3 JEB
    • 2.2.4 Capstone
    • 2.2.5 Keystone
    • 2.2.6 Ghidra
  • 动态分析工具
    • 2.3.1 GDB
    • 2.3.2 OllyDbg
    • 2.3.3 x64dbg
    • 2.3.4 WinDbg
    • 2.3.5 LLDB
  • 其他工具
    • 2.4.1 pwntools
    • 2.4.2 zio
    • 2.4.3 metasploit
    • 2.4.4 binwalk
    • 2.4.5 Burp Suite
    • 2.4.6 Wireshark
    • 2.4.7 Cuckoo Sandbox
• 三、分类专题篇
  • Pwn
    • 3.1.1 格式化字符串漏洞
    • 3.1.2 整数溢出
    • 3.1.3 栈溢出
    • 3.1.4 返回导向编程（ROP）（x86）
    • 3.1.5 返回导向编程（ROP）（ARM）
    • 3.1.6 Linux 堆利用（一）
    • 3.1.7 Linux 堆利用（二）
    • 3.1.8 Linux 堆利用（三）
    • 3.1.9 Linux 堆利用（四）
    • 3.1.10 内核 ROP
    • 3.1.11 Linux 内核漏洞利用
    • 3.1.12 Windows 内核漏洞利用
    • 3.1.13 竞争条件
    • 3.1.14 虚拟机逃逸
  • Reverse
    • 3.2.1 patch 二进制文件
    • 3.2.2 脱壳技术（PE）
    • 3.2.3 脱壳技术(ELF)
    • 3.2.4 反调试技术（PE）
    • 3.2.5 反调试技术（ELF）
    • 3.2.6 指令混淆
  • Web
    • 3.3.1 SQL 注入利用
    • 3.3.2 XSS 漏洞利用
  • Crypto
  • Misc
  • Mobile
• 四、技巧篇
  • 4.1 Linux 内核调试
  • 4.2 Linux 命令行技巧
  • 4.3 GCC 编译参数解析
  • 4.4 GCC 堆栈保护技术
  • 4.5 ROP 防御技术
  • 4.6 one-gadget RCE
  • 4.7 通用 gadget
  • 4.8 使用 DynELF 泄露函数地址
  • 4.9 shellcode 开发
  • 4.10 跳转导向编程（JOP）
  • 4.11
  • 4.12 利用 __stack_chk_fail
  • 4.13 利用 _IO_FILE 结构
  • 4.14 glibc tcache 机制
  • 4.15 利用 vsyscall 和 vDSO
• 五、高级篇
  • 5.0 软件漏洞分析
  • 5.1 模糊测试
    • 5.1.1 AFL fuzzer
    • 5.1.2 libFuzzer
  • 5.2 动态二进制插桩
    • 5.2.1 Pin
    • 5.2.2 DynamoRio
    • 5.2.3 Valgrind
  • 5.3 符号执行
    • 5.3.1 angr
    • 5.3.2 Triton
    • 5.3.3 KLEE
    • 5.3.4 S²E
  • 5.4 数据流分析
    • 5.4.1 Soot
  • 5.5 污点分析
    • 5.5.1 TaintCheck
  • 5.6 LLVM
    • 5.6.1 Clang
  • 5.7 程序切片
  • 5.8 SAT/SMT
    • 5.8.1 Z3
  • 5.9 基于模式的漏洞分析
  • 5.10 基于二进制比对的漏洞分析
  • 5.11 反编译技术
    • 5.11.1 RetDec
• 六、题解篇
  • Pwn
    • 6.1.1 pwn HCTF2016 brop
    • 6.1.2 pwn NJCTF2017 pingme
    • 6.1.3 pwn XDCTF2015 pwn200
    • 6.1.4 pwn BackdoorCTF2017 Fun-Signals
    • 6.1.5 pwn GreHackCTF2017 beerfighter
    • 6.1.6 pwn DefconCTF2015 fuckup
    • 6.1.7 pwn 0CTF2015 freenote
    • 6.1.8 pwn DCTF2017 Flex
    • 6.1.9 pwn RHme3 Exploitation
    • 6.1.10 pwn 0CTF2017 BabyHeap2017
    • 6.1.11 pwn 9447CTF2015 Search-Engine
    • 6.1.12 pwn N1CTF2018 vote
    • 6.1.13 pwn 34C3CTF2017 readme_revenge
    • 6.1.14 pwn 32C3CTF2015 readme
    • 6.1.15 pwn 34C3CTF2017 SimpleGC
    • 6.1.16 pwn HITBCTF2017 1000levels
    • 6.1.17 pwn SECCONCTF2016 jmper
    • 6.1.18 pwn HITBCTF2017 Sentosa
    • 6.1.19 pwn HITBCTF2018 gundam
    • 6.1.20 pwn 33C3CTF2016 babyfengshui
    • 6.1.21 pwn HITCONCTF2016 Secret_Holder
    • 6.1.22 pwn HITCONCTF2016 Sleepy_Holder
    • 6.1.23 pwn BCTF2016 bcloud
    • 6.1.24 pwn HITCONCTF2016 House_of_Orange
    • 6.1.25 pwn HCTF2017 babyprintf
    • 6.1.26 pwn 34C3CTF2017 300
    • 6.1.27 pwn SECCONCTF2016 tinypad
    • 6.1.28 pwn ASISCTF2016 b00ks
    • 6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3
    • 6.1.30 pwn HITCONCTF2017 Ghost_in_the_heap
    • 6.1.31 pwn HITBCTF2018 mutepig
    • 6.1.32 pwn SECCONCTF2017 vm_no_fun
    • 6.1.33 pwn 34C3CTF2017 LFA
    • 6.1.34 pwn N1CTF2018 memsafety
    • 6.1.35 pwn 0CTF2018 heapstorm2
  • Reverse
    • 6.2.1 re XHPCTF2017 dont_panic
    • 6.2.2 re ECTF2016 tayy
    • 6.2.3 re CodegateCTF2017 angrybird
    • 6.2.4 re CSAWCTF2015 wyvern
    • 6.2.5 re PicoCTF2014 Baleful
    • 6.2.6 re SECCONCTF2017 printf_machine
    • 6.2.7 re CodegateCTF2018 RedVelvet
    • 6.2.8 re DefcampCTF2015 entry_language
  • Web
    • 6.3.1 web HCTF2017 babycrack
  • Crypto
  • Misc
  • Mobile
• 七、实战篇
  • CVE
    • 7.1.1 CVE-2017-11543 tcpdump sliplink_print 栈溢出漏洞
    • 7.1.2 CVE-2015-0235 glibc __nss_hostname_digits_dots 堆溢出漏洞
    • 7.1.3 CVE-2016-4971 wget 任意文件上传漏洞
    • 7.1.4 CVE-2017-13089 wget skip_short_body 栈溢出漏洞
    • 7.1.5 CVE–2018-1000001 glibc realpath 缓冲区下溢漏洞
    • 7.1.6 CVE-2017-9430 DNSTracer 栈溢出漏洞
    • 7.1.7 CVE-2018-6323 GNU binutils elf_object_p 整型溢出漏洞
    • 7.1.8 CVE-2010-2883 Adobe CoolType SING 表栈溢出漏洞
    • 7.1.9 CVE-2010-3333 Microsoft Word RTF pFragments 栈溢出漏洞
  • Malware
• 八、学术篇
  • 8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
  • 8.2 Return-Oriented Programming without Returns
  • 8.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
  • 8.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks
  • 8.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks
  • 8.6 Hacking Blind
  • 8.7 What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses
  • 8.8 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)
  • 8.9 Symbolic Execution for Software Testing: Three Decades Later
  • 8.10 AEG: Automatic Exploit Generation
  • 8.11 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software
  • 8.12 ASLR on the Line: Practical Cache Attacks on the MMU
  • 8.13 New Frontiers of Reverse Engineering
  • 8.14 Who Allocated My Memory? Detecting Custom Memory Allocators in C Binaries
  • 8.15 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning
  • 8.16 DynaLog: An automated dynamic analysis framework for characterizing Android applications
  • 8.17 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls
  • 8.18 MaMaDroid: Detecting Android malware by building Markov chains of behavioral models
  • 8.19 DroidNative: Semantic-Based Detection of Android Native Code Malware
  • 8.20 DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware
  • 8.21 Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks
  • 8.22 Practical Memory Checking With Dr. Memory
  • 8.23 Evaluating the Effectiveness of Current Anti-ROP Defenses
  • 8.24 How to Make ASLR Win the Clone Wars: Runtime Re-Randomization
  • 8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis
  • 8.26 Driller: Augmenting Fuzzing Through Selective Symbolic Execution
  • 8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware
  • 8.28 Cross-Architecture Bug Search in Binary Executables
  • 8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data
  • 8.30 Preventing brute force attacks against stack canary protection on networking servers
  • 8.31 WYSINWYX What You See Is Not What You eXecute
  • 8.32 Unleashing MAYHEM on Binary Code
  • 8.33 Under-Constrained Symbolic Execution: Correctness Checking for Real Code
  • 8.34 Enhancing Symbolic Execution with Veritesting
  • 8.35 Q: Exploit Hardening Made Easy
  • 8.36 A Survey of Symbolic Execution Techniques
  • 8.37 CUTE: A Concolic Unit Testing Engine for C
  • 8.38 TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking
  • 8.39 DART: Directed Automated Random Testing
  • 8.40 EXE: Automatically Generating Inputs of Death
  • 8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time
  • 8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
  • 8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation
  • 8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics
  • 8.45 Ramblr: Making Reassembly Great Again
  • 8.46 FreeGuard: A Faster Secure Heap Allocator
  • 8.47 Jump-Oriented Programming: A New Class of Code-Reuse Attack
  • 8.48 Reassembleable Disassembling
  • 8.49 Understanding Integer Overflow in C/C++
  • 8.50 A Large-Scale Analysis of the Security of Embedded Firmwares
• 九、附录
  • 9.1 更多 Linux 工具
  • 9.2 更多 Windows 工具
  • 9.3 更多资源
  • 9.4 Linux 系统调用表
  • 9.5 幻灯片