From 8c03aa7bf5fb3bbf321bc8af63f39e4befeaf1c0 Mon Sep 17 00:00:00 2001
From: hope <397386153@qq.com>
Date: Sun, 17 Mar 2024 14:33:19 +0800
Subject: [PATCH] Site updated: 2024-03-17 14:33:18

---
 Fuzzing101-Xpdf/index.html                    |   4 +-
 archives/2024/03/index.html                   |   2 +-
 archives/2024/index.html                      |   2 +-
 archives/index.html                           |   2 +-
 "babku\345\210\206\346\236\220/index.html"    |   4 +-
 categories/index.html                         |  93 ++--
 .../index.html"                               |   8 +-
 index.html                                    |  32 +-
 local-search.xml                              |  14 +-
 sitemap.xml                                   |   7 +
 .../index.html"                               | 401 ++++++++++++++++++
 tags/index.html                               |   2 +-
 wannacry/index.html                           |  43 +-
 13 files changed, 553 insertions(+), 61 deletions(-)
 create mode 100644 "tags/WannaCry\345\210\206\346\236\220/index.html"

diff --git a/Fuzzing101-Xpdf/index.html b/Fuzzing101-Xpdf/index.html
index 7a8dca5..e4684df 100644
--- a/Fuzzing101-Xpdf/index.html
+++ b/Fuzzing101-Xpdf/index.html
@@ -512,9 +512,9 @@ <h1 id="参考链接"><a href="#参考链接" class="headerlink" title="参考
                   <article class="post-prev col-6">
                     
                     
-                      <a href="/wannacry/" title="">
+                      <a href="/wannacry/" title="WannaCry分析">
                         <i class="iconfont icon-arrowleft"></i>
-                        <span class="hidden-mobile"></span>
+                        <span class="hidden-mobile">WannaCry分析</span>
                         <span class="visible-mobile">上一篇</span>
                       </a>
                     
diff --git a/archives/2024/03/index.html b/archives/2024/03/index.html
index 6c81bc2..c27fa3e 100644
--- a/archives/2024/03/index.html
+++ b/archives/2024/03/index.html
@@ -254,7 +254,7 @@
     
     <a href="/wannacry/" class="list-group-item list-group-item-action">
       <time>03-08</time>
-      <div class="list-group-item-title"></div>
+      <div class="list-group-item-title">WannaCry分析</div>
     </a>
   
 </div>
diff --git a/archives/2024/index.html b/archives/2024/index.html
index cb71576..1a5e6b4 100644
--- a/archives/2024/index.html
+++ b/archives/2024/index.html
@@ -254,7 +254,7 @@
     
     <a href="/wannacry/" class="list-group-item list-group-item-action">
       <time>03-08</time>
-      <div class="list-group-item-title"></div>
+      <div class="list-group-item-title">WannaCry分析</div>
     </a>
   
     
diff --git a/archives/index.html b/archives/index.html
index 9dde9c4..2140588 100644
--- a/archives/index.html
+++ b/archives/index.html
@@ -254,7 +254,7 @@
     
     <a href="/wannacry/" class="list-group-item list-group-item-action">
       <time>03-08</time>
-      <div class="list-group-item-title"></div>
+      <div class="list-group-item-title">WannaCry分析</div>
     </a>
   
     
diff --git "a/babku\345\210\206\346\236\220/index.html" "b/babku\345\210\206\346\236\220/index.html"
index d3a376e..d1ded35 100644
--- "a/babku\345\210\206\346\236\220/index.html"
+++ "b/babku\345\210\206\346\236\220/index.html"
@@ -430,8 +430,8 @@ <h1 id="结论"><a href="#结论" class="headerlink" title="结论"></a>结论</
                   <article class="post-next col-6">
                     
                     
-                      <a href="/wannacry/" title="">
-                        <span class="hidden-mobile"></span>
+                      <a href="/wannacry/" title="WannaCry分析">
+                        <span class="hidden-mobile">WannaCry分析</span>
                         <span class="visible-mobile">下一篇</span>
                         <i class="iconfont icon-arrowright"></i>
                       </a>
diff --git a/categories/index.html b/categories/index.html
index 7f0bcc6..ea07ecc 100644
--- a/categories/index.html
+++ b/categories/index.html
@@ -844,6 +844,57 @@
     
     
     
+    <div class="category row nomargin-x">
+      <a class="category-item collapsed
+          list-group-item category-item-action col-10 col-md-11 col-xm-11" title="病毒分析"
+        id="heading-ca87328505ec44da6cd9a8d4d1adf64a" role="tab" data-toggle="collapse" href="#collapse-ca87328505ec44da6cd9a8d4d1adf64a"
+        aria-expanded="false"
+      >
+        病毒分析
+        <span class="list-group-count"></span>
+        <i class="iconfont icon-arrowright"></i>
+      </a>
+      
+        <a href="/categories/%E7%97%85%E6%AF%92%E5%88%86%E6%9E%90/" class="category-count col-2 col-md-1 col-xm-1">
+          <i class="iconfont icon-articles"></i>
+          <span>2</span>
+        </a>
+      
+      <div class="category-collapse collapse " id="collapse-ca87328505ec44da6cd9a8d4d1adf64a"
+           role="tabpanel" aria-labelledby="heading-ca87328505ec44da6cd9a8d4d1adf64a">
+        
+        
+          
+  <div class="category-post-list">
+    
+    
+      
+      
+        <a href="/babku%E5%88%86%E6%9E%90/" title="baku分析"
+           class="list-group-item list-group-item-action
+           ">
+          <span class="category-post">baku分析</span>
+        </a>
+      
+    
+      
+      
+        <a href="/wannacry/" title="WannaCry分析"
+           class="list-group-item list-group-item-action
+           ">
+          <span class="category-post">WannaCry分析</span>
+        </a>
+      
+    
+  </div>
+
+        
+      </div>
+    </div>
+  
+    
+    
+    
     <div class="category row nomargin-x">
       <a class="category-item collapsed
           list-group-item category-item-action col-10 col-md-11 col-xm-11" title="Ubuntu"
@@ -1096,48 +1147,6 @@
     
     
     
-    <div class="category row nomargin-x">
-      <a class="category-item collapsed
-          list-group-item category-item-action col-10 col-md-11 col-xm-11" title="病毒分析"
-        id="heading-ca87328505ec44da6cd9a8d4d1adf64a" role="tab" data-toggle="collapse" href="#collapse-ca87328505ec44da6cd9a8d4d1adf64a"
-        aria-expanded="false"
-      >
-        病毒分析
-        <span class="list-group-count"></span>
-        <i class="iconfont icon-arrowright"></i>
-      </a>
-      
-        <a href="/categories/%E7%97%85%E6%AF%92%E5%88%86%E6%9E%90/" class="category-count col-2 col-md-1 col-xm-1">
-          <i class="iconfont icon-articles"></i>
-          <span>1</span>
-        </a>
-      
-      <div class="category-collapse collapse " id="collapse-ca87328505ec44da6cd9a8d4d1adf64a"
-           role="tabpanel" aria-labelledby="heading-ca87328505ec44da6cd9a8d4d1adf64a">
-        
-        
-          
-  <div class="category-post-list">
-    
-    
-      
-      
-        <a href="/babku%E5%88%86%E6%9E%90/" title="baku分析"
-           class="list-group-item list-group-item-action
-           ">
-          <span class="category-post">baku分析</span>
-        </a>
-      
-    
-  </div>
-
-        
-      </div>
-    </div>
-  
-    
-    
-    
     <div class="category row nomargin-x">
       <a class="category-item collapsed
           list-group-item category-item-action col-10 col-md-11 col-xm-11" title="C++"
diff --git "a/categories/\347\227\205\346\257\222\345\210\206\346\236\220/index.html" "b/categories/\347\227\205\346\257\222\345\210\206\346\236\220/index.html"
index ce3d52e..655d690 100644
--- "a/categories/\347\227\205\346\257\222\345\210\206\346\236\220/index.html"
+++ "b/categories/\347\227\205\346\257\222\345\210\206\346\236\220/index.html"
@@ -232,7 +232,7 @@
                 
 
 <div class="list-group">
-  <p class="h4">共计 1 篇文章</p>
+  <p class="h4">共计 2 篇文章</p>
   <hr>
   
   
@@ -245,6 +245,12 @@
       <div class="list-group-item-title">baku分析</div>
     </a>
   
+    
+    <a href="/wannacry/" class="list-group-item list-group-item-action">
+      <time>03-08</time>
+      <div class="list-group-item-title">WannaCry分析</div>
+    </a>
+  
 </div>
 
 
diff --git a/index.html b/index.html
index 64fbf0a..e6402d3 100644
--- a/index.html
+++ b/index.html
@@ -365,14 +365,14 @@ <h1 class="index-header">
       <h1 class="index-header">
         
         <a href="/wannacry/" target="_self">
-          
+          WannaCry分析
         </a>
       </h1>
 
       
       <a class="index-excerpt index-excerpt__noimg" href="/wannacry/" target="_self">
         <div>
-          样本情况 样本名称：WannaCry 大小：3,514,368 bytes MD5：84C82835A5D21BBCF75A61706D8AB549  查壳PEiD使用PEiD观察到WannaCry使用VC++编写  Exeinfo使用Exeinfo观察到WannaCry未加壳  基础分析基础静态分析查看字符串首先检索字符串，发现WannaCry采用了Windows的加解密函数，并且字符串中出现了
+          病毒分析
         </div>
       </a>
 
@@ -386,6 +386,34 @@ <h1 class="index-header">
           </div>
         
         
+          <div class="post-meta mr-3 d-flex align-items-center">
+            <i class="iconfont icon-category"></i>
+            
+
+<span class="category-chains">
+  
+  
+    
+      <span class="category-chain">
+        
+  <a href="/categories/%E7%97%85%E6%AF%92%E5%88%86%E6%9E%90/" class="category-chain-item">病毒分析</a>
+  
+  
+
+      </span>
+    
+  
+</span>
+
+          </div>
+        
+        
+          <div class="post-meta">
+            <i class="iconfont icon-tags"></i>
+            
+              <a href="/tags/WannaCry%E5%88%86%E6%9E%90/">#WannaCry分析</a>
+            
+          </div>
         
       </div>
     </article>
diff --git a/local-search.xml b/local-search.xml
index f9fd5c3..1011374 100644
--- a/local-search.xml
+++ b/local-search.xml
@@ -54,13 +54,25 @@
   
   
   <entry>
-    <title></title>
+    <title>WannaCry分析</title>
     <link href="/wannacry/"/>
     <url>/wannacry/</url>
     
     <content type="html"><![CDATA[<h1 id="样本情况"><a href="#样本情况" class="headerlink" title="样本情况"></a>样本情况</h1><ul><li>样本名称：WannaCry</li><li>大小：3,514,368 bytes</li><li>MD5：84C82835A5D21BBCF75A61706D8AB549</li></ul><h1 id="查壳"><a href="#查壳" class="headerlink" title="查壳"></a>查壳</h1><h2 id="PEiD"><a href="#PEiD" class="headerlink" title="PEiD"></a>PEiD</h2><p>使用PEiD观察到WannaCry使用VC++编写</p><p><img src="https://s2.loli.net/2024/03/17/AcFNGLwfoIl5aKQ.png" alt="image-20230423103933500"></p><h2 id="Exeinfo"><a href="#Exeinfo" class="headerlink" title="Exeinfo"></a>Exeinfo</h2><p>使用Exeinfo观察到WannaCry未加壳</p><p><img src="https://s2.loli.net/2024/03/17/57OrVIJU1RxPhTw.png" alt="image-20230423104132051"></p><h1 id="基础分析"><a href="#基础分析" class="headerlink" title="基础分析"></a>基础分析</h1><h2 id="基础静态分析"><a href="#基础静态分析" class="headerlink" title="基础静态分析"></a>基础静态分析</h2><h3 id="查看字符串"><a href="#查看字符串" class="headerlink" title="查看字符串"></a>查看字符串</h3><p>首先检索字符串，发现WannaCry采用了Windows的加解密函数，并且字符串中出现了RSA与AES的字样。可能用到这些加密算法，并且还有通过<code>cmd</code>执行的命令。</p><p><img src="https://s2.loli.net/2024/03/17/5sWMHtAzSe2jq1d.png" alt="image-20230423104716511"></p><h3 id="使用PEiD识别加密算法"><a href="#使用PEiD识别加密算法" class="headerlink" title="使用PEiD识别加密算法"></a>使用PEiD识别加密算法</h3><p>PEiD自带了许多插件，其中Krypto ANALyzer是一种加密货币分析工具</p><p><img src="https://s2.loli.net/2024/03/17/3qIwEnt9HDCBvJR.png" alt="image-20230423105155291"></p><p>使用KANAL分析出下面几种算法</p><ul><li>ADLER32：校验和而算法，用于数据完整性检验</li><li>CRC32：是一种循环冗余校验码，用于数据完整性校验和错误检测</li><li>CryptDecrypt：是一组Windows API函数，用于加密和解密数据。可以在加密的数据块上执行解密操作，并将结果存储在相同的缓冲区中。</li><li>CryptEncrypt：是一组Windows API函数，用于加密和解密数据。可以在未加密的数据块上执行加密操作，并将结果存储在相同的缓冲区中。</li><li>RIJNDAEL：是一种块密码算法</li><li>ZIP2与ZLIB：是压缩算法</li></ul><p><img src="https://s2.loli.net/2024/03/17/i2fXnI8GbSTgE5H.png" alt="image-20230423105520546"></p><h3 id="查看导入表"><a href="#查看导入表" class="headerlink" title="查看导入表"></a>查看导入表</h3><p>可以看到<code>wannacry</code>没有输出表的信息，只有输入表的信息</p><p><img src="https://s2.loli.net/2024/03/17/iEz46st9TvRS2Iu.png" alt="image-20230423112726434"></p><p>输入表中可以观察到引用了</p><ul><li><code>KERNEL32.dll</code>：是一个Windows操作系统中非常重要的系统动态链接库文件，它包含了大量的系统核心函数，文件读写以及进程控制等函数</li><li><code>USER32.dll</code>：是Windows操作系统中的一个动态链接库文件，包含了许多用户界面相关的函数。</li><li><code>ADVAPI32.dll</code>：是Windows操作系统中的一个动态链接库文件，包含了许多安全和系统管理相关的函数。例如控制注册表等函数</li><li><code>MSVCRT.dll</code>：是Microsoft Visual C++运行时库中的一个动态链接库文件，包含了许多与C和C++语言相关的函数。</li></ul><p><img src="https://s2.loli.net/2024/03/17/9pbF21n6jWMzTH5.png" alt="image-20230423113302137"></p><p><strong>KERNEL32.dll</strong></p><p>发现大量的文件操作函数</p><p><img src="https://s2.loli.net/2024/03/17/mp3Cz8ZjsrS7qFh.png" alt="image-20230423113913211"></p><p>资源读写函数</p><p><img src="https://s2.loli.net/2024/03/17/qXIV9UfDEgBGdOQ.png" alt="image-20230423114016416"></p><p><strong>USER32.dll</strong></p><p>只有一个宽字节写的函数</p><p><img src="https://s2.loli.net/2024/03/17/RlMDrqmGAt4zOW8.png" alt="image-20230423114122423"></p><p><strong>ADVAPI32.dll</strong></p><p>含有注册表操作的函数，说明Wannacry会修改注册表</p><p><img src="https://s2.loli.net/2024/03/17/rT5qIA3Eg8RkbxM.png" alt="image-20230423114232814"></p><p><strong>MSVCRT.dll</strong></p><p>一些C&#x2F;C++相关函数</p><p><img src="https://s2.loli.net/2024/03/17/6jqEMpYktJv5Cca.png" alt="image-20230423114430098"></p><h3 id="使用Resource-Hacker查看资源"><a href="#使用Resource-Hacker查看资源" class="headerlink" title="使用Resource Hacker查看资源"></a>使用Resource Hacker查看资源</h3><p>Wannacry中存在三个资源，分别为XIA、Version Info以及Manifest</p><p><img src="https://s2.loli.net/2024/03/17/BSiVTQPHW9Alk4t.png" alt="image-20230423114712265"></p><p><strong>XIA</strong></p><p>XIA中存在一个PK头，即压缩包资源</p><p><img src="https://s2.loli.net/2024/03/17/SoML5F1ATydN8la.png" alt="image-20230423114839859"></p><p>压缩包里有许多文件以及可执行文件，可能是用于感染的</p><p><img src="https://s2.loli.net/2024/03/17/zDVqNjYk1Xd6a9F.png" alt="image-20230423135848538"></p><h2 id="基础动态分析"><a href="#基础动态分析" class="headerlink" title="基础动态分析"></a>基础动态分析</h2><h3 id="Process-Monitor"><a href="#Process-Monitor" class="headerlink" title="Process Monitor"></a>Process Monitor</h3><p>使用Process Monitor分析进程树，发现wannacry会生成创建五个进程，四个自定义进程，以及一个cmd.exe用于执行系统命令</p><p><img src="https://s2.loli.net/2024/03/17/fJ5pZldwexTLWSH.png" alt="image-20230423141255646"></p><h3 id="Reshot"><a href="#Reshot" class="headerlink" title="Reshot"></a>Reshot</h3><p>使用Reshot观察注册表被修改的情况，添加了新的键，并且键名为WanaCrypt0r</p><p><img src="https://s2.loli.net/2024/03/17/16fxF4mAJnlKZ3q.png" alt="image-20230423150919111"></p><p>值为”wd”&#x3D;”C:\Users\pwn\Desktop\勒索软件样本(13个)附解压密码\勒索软件样本(1)\Wannacry”</p><p><img src="https://s2.loli.net/2024/03/17/8769hdONeCKj2bE.png" alt="image-20230423151016310"></p><h3 id="文件监控"><a href="#文件监控" class="headerlink" title="文件监控"></a>文件监控</h3><p>使用火绒剑进行文件监控，创建了脚本文件，应该是配合上述的cmd.exe执行相应的操作</p><p><img src="https://s2.loli.net/2024/03/17/AESzCXpwO2mTIvo.png" alt="image-20230423151852243"></p><p>释放了许多可执行文件</p><p><img src="https://s2.loli.net/2024/03/17/fCwsG43XRyHhdm7.png" alt="image-20230423152203525"></p><h1 id="深入分析"><a href="#深入分析" class="headerlink" title="深入分析"></a>深入分析</h1><h2 id="WannaCry"><a href="#WannaCry" class="headerlink" title="WannaCry"></a>WannaCry</h2><p>WannaCry用于做勒索的前期准备，不是具体的勒索行为，改程序的各函数功能入下图。</p><p><img src="https://s2.loli.net/2024/03/17/aAyD9hQeXPZUvSH.png" alt="WannaCry"></p><h2 id="TaskStart-dll"><a href="#TaskStart-dll" class="headerlink" title="TaskStart.dll"></a>TaskStart.dll</h2><p>TaskStart.dll宏观操作如下图，其中加密行为在sub_100057c0函数</p><p><img src="https://s2.loli.net/2024/03/17/qxmGcw2ifI3Veth.png" alt="TaskStart.dll"></p><h3 id="sub-100057c0"><a href="#sub-100057c0" class="headerlink" title="sub_100057c0"></a>sub_100057c0</h3><p>接下来就详细分析具体的勒索行为</p><p>首先初使用CryptAcquireContextA函数始化加密的上下文环境</p><p><img src="https://s2.loli.net/2024/03/17/CFmQ7Zc6vAdPXyz.png" alt="image-20230426152830554"></p><p>使用CryptImportKey函数导入攻击者的密钥，该密钥为公钥</p><p><img src="https://s2.loli.net/2024/03/17/pABQTFOhDtkfjKJ.png" alt="image-20230426154704615"></p><p>使用CryptGenKey导入密钥句柄，并且规定加密的方式为RSA</p><p><img src="https://s2.loli.net/2024/03/17/vWRB7umSYTnl8yV.png" alt="image-20230426154806314"></p><p>使用CryptExportKey函数，在本机导出公钥</p><p><img src="https://s2.loli.net/2024/03/17/PHU4zAJ85uBKGgw.png" alt="image-20230426154955134"></p><p>使用CryptExportKey函数在本机导出私钥，并且攻击者使用自己的公钥，将本地生成的私钥进行加密</p><p><img src="https://s2.loli.net/2024/03/17/4UqT2XQ1aN3KeZp.png" alt="image-20230426155559715"></p><p>这里总的来说，就是攻击者会在受害者机器上利用API生成公私钥对，用于后续加密文件。但是为了防止用户自己将文件解密，因此攻击者会使用自己手上的公钥，将在本地生成的密钥给加密，这样只有利用攻击者手上的私钥才能进行解密。如下图所示</p><p><img src="https://s2.loli.net/2024/03/17/PSOuMnoJkbmTqsf.png" alt="加密流程.drawio"></p><p>程序会利用SHGetFolderPathW函数获取桌面的路径，因此该程序会优先加密桌面的文件</p><p><img src="https://s2.loli.net/2024/03/17/HA6lpmLgS7bIUBR.png" alt="image-20230426160604608"></p><p>利用FindNextFileW函数遍历桌面的文件</p><p><img src="https://s2.loli.net/2024/03/17/7UnOHPVLjqsZuh4.png" alt="image-20230426160734804"></p><p>程序会对文件后缀进行匹配，遇到.exe和.dll文件会选择跳过不加密</p><p><img src="https://s2.loli.net/2024/03/17/o4eR6SWj3CpPuO5.png" alt="image-20230426160844204"></p><p>将所有符合条件的文件都存放到内存中，完成后续的加密以及修改后缀名的行为</p><p><img src="https://s2.loli.net/2024/03/17/OjwfprFVPKHn8ta.png" alt="image-20230426161232814"></p><p>将每个文件的后缀名新增.WNCRY的后缀</p><p><img src="https://s2.loli.net/2024/03/17/leU1DGvYn3uaCLi.png" alt="image-20230426161615557"></p><p>Wannacry并不是在原始文件上进行修改的，而是会新建一个文件，将加密后的数据填充到里面，该文件的名称就是原有的名称加上.WNCRY</p><p><img src="https://s2.loli.net/2024/03/17/Vemu6dWZ2y19AGX.png" alt="image-20230426161818801"></p><p>在加密之前会使用CryptGenRandom函数生成一个随机数</p><p><img src="https://s2.loli.net/2024/03/17/DiyQqfSaZXV7AUd.png" alt="image-20230426162009133"></p><p>利用CryptEncrypt函数，使用刚刚在本地生成的公钥，将该随机数进行加密</p><p><img src="https://s2.loli.net/2024/03/17/mNRPOrynIJBDtaG.png" alt="image-20230426162201093"></p><p>利用上面生成的随机数进行AES加密，并且加密后立刻将生成的随机数清空</p><p><img src="https://s2.loli.net/2024/03/17/bjSxdQvYhyg2ECG.png" alt="image-20230426162413519"></p><p>那么加密的操作就比较简单了，就是不断读取原始的文件数据，经过AES加密，加密的密钥是刚刚生成的随机数，然后将加密后的结果写入刚刚新建的文件中。</p><p><img src="https://s2.loli.net/2024/03/17/shWvupH9XUVSoYP.png" alt="image-20230426163215954"></p><p>在完成加密后，WannaCry还会对原始文件进行加密，加密的操作与上述流程一致</p><p><img src="https://s2.loli.net/2024/03/17/VtZ3cvGCf1shwQl.png" alt="image-20230426163550255"></p><p>在加密完桌面程序后，则是加密其他路径的文件，完成全磁盘的加密，所有加密操作都如上述一致，并且最后会把原始文件进行删除</p><h1 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h1><h2 id="加密流程"><a href="#加密流程" class="headerlink" title="加密流程"></a>加密流程</h2><p>首先攻击者会准备一个RSA的公钥，接着会在被攻击的主机上生成一对公钥与私钥，本地生成的私钥会被攻击者的公钥进行RSA加密，然后攻击者会生成一组随机值，接着读取原文件的数据，将随机值作为AES的密钥，将原始文件的数据进行AES加密，并将加密后的数据写入到*.wnry文件中。并且为了防止原始文件被获取，WannaCry会将原始文件也加密，接着将原始文件删除。</p><p>因此程序的加密流程是</p><ul><li>读取原始文件的数据流</li><li>将数据流进行AES加密</li><li>将加密后的数据流写入到其他文件</li><li>并将原始文件删除</li></ul><h2 id="加密使用的API"><a href="#加密使用的API" class="headerlink" title="加密使用的API"></a>加密使用的API</h2><p>用于读写文件</p><ul><li><p>CreateFileW</p></li><li><p>WriteFile</p></li><li><p>ReadFile</p></li></ul><p>用于加密文件</p><ul><li>CryptAcquireContextA</li><li>CryptImportKey</li><li>CryptGenKey</li><li>CryptEncrypt</li><li>CryptDestroyKey</li><li>CryptGenRandom</li></ul>]]></content>
     
     
+    <categories>
+      
+      <category>病毒分析</category>
+      
+    </categories>
+    
+    
+    <tags>
+      
+      <tag>WannaCry分析</tag>
+      
+    </tags>
     
   </entry>
   
diff --git a/sitemap.xml b/sitemap.xml
index 958ec23..4a11f5f 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -599,6 +599,13 @@
     <priority>0.2</priority>
   </url>
   
+  <url>
+    <loc>https://h0pe-ay.github.io/tags/WannaCry%E5%88%86%E6%9E%90/</loc>
+    <lastmod>2024-03-17</lastmod>
+    <changefreq>weekly</changefreq>
+    <priority>0.2</priority>
+  </url>
+  
 
   
   <url>
diff --git "a/tags/WannaCry\345\210\206\346\236\220/index.html" "b/tags/WannaCry\345\210\206\346\236\220/index.html"
new file mode 100644
index 0000000..407c059
--- /dev/null
+++ "b/tags/WannaCry\345\210\206\346\236\220/index.html"
@@ -0,0 +1,401 @@
+
+
+<!DOCTYPE html>
+<html lang="zh-CN" data-default-color-scheme=auto>
+
+
+
+<head>
+  <meta charset="UTF-8">
+  <meta name="google-site-verification" content="McULNauwae3fxE8yPK3QNQNAYvG6cZAJ02xx9Lpbc98" />
+  <link rel="apple-touch-icon" sizes="76x76" href="/img/hope.jpg">
+  <link rel="icon" href="/img/hope.jpg">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, shrink-to-fit=no">
+  <meta http-equiv="x-ua-compatible" content="ie=edge">
+  
+  <meta name="theme-color" content="#2f4154">
+  <meta name="author" content="hope">
+  <meta name="keywords" content="">
+  
+    <meta property="og:type" content="website">
+<meta property="og:title" content="标签 - WannaCry分析">
+<meta property="og:url" content="https://h0pe-ay.github.io/tags/WannaCry%E5%88%86%E6%9E%90/index.html">
+<meta property="og:site_name" content="hope">
+<meta property="og:locale" content="zh_CN">
+<meta property="article:author" content="hope">
+<meta name="twitter:card" content="summary_large_image">
+  
+  
+  
+  <title>标签 - WannaCry分析 - hope</title>
+
+  <link  rel="stylesheet" href="https://lib.baomitu.com/twitter-bootstrap/4.6.1/css/bootstrap.min.css" />
+
+
+
+
+
+<!-- 主题依赖的图标库，不要自行修改 -->
+<!-- Do not modify the link that theme dependent icons -->
+
+<link rel="stylesheet" href="//at.alicdn.com/t/font_1749284_hj8rtnfg7um.css">
+
+
+
+<link rel="stylesheet" href="//at.alicdn.com/t/font_1736178_lbnruvf0jn.css">
+
+
+<link  rel="stylesheet" href="/css/main.css" />
+
+
+  <link id="highlight-css" rel="stylesheet" href="/css/highlight.css" />
+  
+    <link id="highlight-css-dark" rel="stylesheet" href="/css/highlight-dark.css" />
+  
+
+
+
+
+  <script id="fluid-configs">
+    var Fluid = window.Fluid || {};
+    Fluid.ctx = Object.assign({}, Fluid.ctx)
+    var CONFIG = {"hostname":"h0pe-ay.github.io","root":"/","version":"1.9.4","typing":{"enable":true,"typeSpeed":70,"cursorChar":"_","loop":false,"scope":[]},"anchorjs":{"enable":true,"element":"h1,h2,h3,h4,h5,h6","placement":"left","visible":"hover","icon":""},"progressbar":{"enable":true,"height_px":3,"color":"#29d","options":{"showSpinner":false,"trickleSpeed":100}},"code_language":{"enable":true,"default":"TEXT"},"copy_btn":true,"image_caption":{"enable":false},"image_zoom":{"enable":true,"img_url_replace":["",""]},"toc":{"enable":true,"placement":"right","headingSelector":"h1,h2,h3,h4,h5,h6","collapseDepth":0},"lazyload":{"enable":true,"loading_img":"/img/loading.gif","onlypost":false,"offset_factor":2},"web_analytics":{"enable":true,"baidu":null,"google":null,"gtag":null,"tencent":{"sid":null,"cid":null},"woyaola":null,"cnzz":null,"leancloud":{"app_id":"ZqEEnP8vrF2LzEKjCt8pL5Cf-gzGzoHsz","app_key":"6Owvec9nVB4K93xxi7CKzAqh","server_url":"https://zqeenp8v.lc-cn-n1-shared.com","path":"window.location.pathname","ignore_local":false}},"search_path":"/local-search.xml"};
+
+    if (CONFIG.web_analytics.follow_dnt) {
+      var dntVal = navigator.doNotTrack || window.doNotTrack || navigator.msDoNotTrack;
+      Fluid.ctx.dnt = dntVal && (dntVal.startsWith('1') || dntVal.startsWith('yes') || dntVal.startsWith('on'));
+    }
+  </script>
+  <script  src="/js/utils.js" ></script>
+  <script  src="/js/color-schema.js" ></script>
+  
+
+  
+
+  
+
+  
+
+  
+
+  
+
+  
+
+  
+    
+  
+
+
+
+  
+<meta name="generator" content="Hexo 6.3.0"></head>
+
+
+<body>
+  
+
+  <header>
+    
+
+<div class="header-inner" style="height: 80vh;">
+  <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
+  <div class="container">
+    <a class="navbar-brand" href="/">
+      <strong>hope</strong>
+    </a>
+
+    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
+            data-target="#navbarSupportedContent"
+            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
+      <div class="animated-icon"><span></span><span></span><span></span></div>
+    </button>
+
+    <!-- Collapsible content -->
+    <div class="collapse navbar-collapse" id="navbarSupportedContent">
+      <ul class="navbar-nav ml-auto text-center">
+        
+          
+          
+          
+          
+            <li class="nav-item">
+              <a class="nav-link" href="/">
+                <i class="iconfont icon-home-fill"></i>
+                <span>首页</span>
+              </a>
+            </li>
+          
+        
+          
+          
+          
+          
+            <li class="nav-item">
+              <a class="nav-link" href="/archives/">
+                <i class="iconfont icon-archive-fill"></i>
+                <span>归档</span>
+              </a>
+            </li>
+          
+        
+          
+          
+          
+          
+            <li class="nav-item">
+              <a class="nav-link" href="/categories/">
+                <i class="iconfont icon-category-fill"></i>
+                <span>分类</span>
+              </a>
+            </li>
+          
+        
+          
+          
+          
+          
+            <li class="nav-item">
+              <a class="nav-link" href="/tags/">
+                <i class="iconfont icon-tags-fill"></i>
+                <span>标签</span>
+              </a>
+            </li>
+          
+        
+          
+          
+          
+          
+            <li class="nav-item">
+              <a class="nav-link" href="/about/">
+                <i class="iconfont icon-user-fill"></i>
+                <span>关于</span>
+              </a>
+            </li>
+          
+        
+        
+          <li class="nav-item" id="search-btn">
+            <a class="nav-link" target="_self" href="javascript:;" data-toggle="modal" data-target="#modalSearch" aria-label="Search">
+              <i class="iconfont icon-search"></i>
+            </a>
+          </li>
+          
+        
+        
+          <li class="nav-item" id="color-toggle-btn">
+            <a class="nav-link" target="_self" href="javascript:;" aria-label="Color Toggle">
+              <i class="iconfont icon-dark" id="color-toggle-icon"></i>
+            </a>
+          </li>
+        
+      </ul>
+    </div>
+  </div>
+</nav>
+
+  
+
+<div id="banner" class="banner" parallax=true
+     style="background: url('/img/default.png') no-repeat center center; background-size: cover;">
+  <div class="full-bg-img">
+    <div class="mask flex-center" style="background-color: rgba(0, 0, 0, 0.3)">
+      <div class="banner-text text-center fade-in-up">
+        <div class="h2">
+          
+            <span id="subtitle" data-typed-text="标签 - WannaCry分析"></span>
+          
+        </div>
+
+        
+      </div>
+
+      
+        <div class="scroll-down-bar">
+          <i class="iconfont icon-arrowdown"></i>
+        </div>
+      
+    </div>
+  </div>
+</div>
+
+</div>
+
+  </header>
+
+  <main>
+    
+      <div class="container nopadding-x-md">
+        <div id="board"
+          >
+          
+          <div class="container">
+            <div class="row">
+              <div class="col-12 col-md-10 m-auto">
+                
+
+<div class="list-group">
+  <p class="h4">共计 1 篇文章</p>
+  <hr>
+  
+  
+    
+      
+      <p class="h5">2024</p>
+    
+    <a href="/wannacry/" class="list-group-item list-group-item-action">
+      <time>03-08</time>
+      <div class="list-group-item-title">WannaCry分析</div>
+    </a>
+  
+</div>
+
+
+
+
+
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+    
+
+    
+      <a id="scroll-top-button" aria-label="TOP" href="#" role="button">
+        <i class="iconfont icon-arrowup" aria-hidden="true"></i>
+      </a>
+    
+
+    
+      <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
+     aria-hidden="true">
+  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
+    <div class="modal-content">
+      <div class="modal-header text-center">
+        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
+        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
+          <span aria-hidden="true">&times;</span>
+        </button>
+      </div>
+      <div class="modal-body mx-3">
+        <div class="md-form mb-5">
+          <input type="text" id="local-search-input" class="form-control validate">
+          <label data-error="x" data-success="v" for="local-search-input">关键词</label>
+        </div>
+        <div class="list-group" id="local-search-result"></div>
+      </div>
+    </div>
+  </div>
+</div>
+
+    
+
+    
+  </main>
+
+  <footer>
+    <div class="footer-inner">
+  
+    <div class="footer-content">
+       <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><span>Hexo</span></a> <i class="iconfont icon-love"></i> <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"><span>Fluid</span></a> 
+    </div>
+  
+  
+    <div class="statistics">
+  
+  
+
+  
+    
+      <span id="leancloud-site-pv-container" style="display: none">
+        总访问量 
+        <span id="leancloud-site-pv"></span>
+         次
+      </span>
+    
+    
+      <span id="leancloud-site-uv-container" style="display: none">
+        总访客数 
+        <span id="leancloud-site-uv"></span>
+         人
+      </span>
+    
+    
+
+  
+</div>
+
+  
+  
+  
+</div>
+
+  </footer>
+
+  <!-- Scripts -->
+  
+  <script  src="https://lib.baomitu.com/nprogress/0.2.0/nprogress.min.js" ></script>
+  <link  rel="stylesheet" href="https://lib.baomitu.com/nprogress/0.2.0/nprogress.min.css" />
+
+  <script>
+    NProgress.configure({"showSpinner":false,"trickleSpeed":100})
+    NProgress.start()
+    window.addEventListener('load', function() {
+      NProgress.done();
+    })
+  </script>
+
+
+<script  src="https://lib.baomitu.com/jquery/3.6.0/jquery.min.js" ></script>
+<script  src="https://lib.baomitu.com/twitter-bootstrap/4.6.1/js/bootstrap.min.js" ></script>
+<script  src="/js/events.js" ></script>
+<script  src="/js/plugins.js" ></script>
+
+
+  <script  src="https://lib.baomitu.com/typed.js/2.0.12/typed.min.js" ></script>
+  <script>
+    (function (window, document) {
+      var typing = Fluid.plugins.typing;
+      var subtitle = document.getElementById('subtitle');
+      if (!subtitle || !typing) {
+        return;
+      }
+      var text = subtitle.getAttribute('data-typed-text');
+      
+        typing(text);
+      
+    })(window, document);
+  </script>
+
+
+
+
+  
+    <script  src="/js/img-lazyload.js" ></script>
+  
+
+
+
+
+  <script defer src="/js/leancloud.js" ></script>
+
+  <script  src="/js/local-search.js" ></script>
+
+
+
+
+
+<!-- 主题的启动项，将它保持在最底部 -->
+<!-- the boot of the theme, keep it at the bottom -->
+<script  src="/js/boot.js" ></script>
+
+
+  
+
+  <noscript>
+    <div class="noscript-warning">博客在允许 JavaScript 运行的环境下浏览效果更佳</div>
+  </noscript>
+</body>
+</html>
diff --git a/tags/index.html b/tags/index.html
index 74348f7..ad5e0b1 100644
--- a/tags/index.html
+++ b/tags/index.html
@@ -236,7 +236,7 @@
                 
 
 <div class="text-center tagcloud">
-  <a href="/tags/Android/" style="font-size: 26.25px; color: #558ac5">Android</a> <a href="/tags/CVE-2016-5195/" style="font-size: 15px; color: #bbe">CVE-2016-5195</a> <a href="/tags/CVE-2021-3156/" style="font-size: 15px; color: #bbe">CVE-2021-3156</a> <a href="/tags/CVE-2021-4034/" style="font-size: 15px; color: #bbe">CVE-2021-4034</a> <a href="/tags/CVE-2022-08475/" style="font-size: 15px; color: #bbe">CVE-2022-08475</a> <a href="/tags/CVE-2022-1015/" style="font-size: 15px; color: #bbe">CVE-2022-1015</a> <a href="/tags/CVE-2023-0179/" style="font-size: 15px; color: #bbe">CVE-2023-0179</a> <a href="/tags/Docker/" style="font-size: 18.75px; color: #99abe0">Docker</a> <a href="/tags/ETW/" style="font-size: 18.75px; color: #99abe0">ETW</a> <a href="/tags/Fuzzing-Xpdf/" style="font-size: 15px; color: #bbe">Fuzzing-Xpdf</a> <a href="/tags/IDA/" style="font-size: 15px; color: #bbe">IDA</a> <a href="/tags/Reverse/" style="font-size: 18.75px; color: #99abe0">Reverse</a> <a href="/tags/baku%E5%88%86%E6%9E%90/" style="font-size: 15px; color: #bbe">baku分析</a> <a href="/tags/ctf/" style="font-size: 18.75px; color: #99abe0">ctf</a> <a href="/tags/ctf-pwn/" style="font-size: 15px; color: #bbe">ctf-pwn</a> <a href="/tags/fuzz/" style="font-size: 15px; color: #bbe">fuzz</a> <a href="/tags/git/" style="font-size: 15px; color: #bbe">git</a> <a href="/tags/kernel/" style="font-size: 30px; color: #337ab7">kernel</a> <a href="/tags/patch/" style="font-size: 15px; color: #bbe">patch</a> <a href="/tags/pwn/" style="font-size: 15px; color: #bbe">pwn</a> <a href="/tags/%E4%BB%A3%E7%90%86%E8%AE%BE%E7%BD%AE/" style="font-size: 15px; color: #bbe">代理设置</a> <a href="/tags/%E7%BC%96%E7%A8%8B/" style="font-size: 15px; color: #bbe">编程</a> <a href="/tags/%E8%99%9A%E5%87%BD%E6%95%B0%E7%9B%B8%E5%85%B3%E7%9F%A5%E8%AF%86/" style="font-size: 15px; color: #bbe">虚函数相关知识</a> <a href="/tags/%E8%AE%A1%E7%AE%97%E6%9C%BA%E5%9F%BA%E7%A1%80/" style="font-size: 15px; color: #bbe">计算机基础</a> <a href="/tags/%E9%80%86%E5%90%91/" style="font-size: 22.5px; color: #779bd3">逆向</a>
+  <a href="/tags/Android/" style="font-size: 26.25px; color: #558ac5">Android</a> <a href="/tags/CVE-2016-5195/" style="font-size: 15px; color: #bbe">CVE-2016-5195</a> <a href="/tags/CVE-2021-3156/" style="font-size: 15px; color: #bbe">CVE-2021-3156</a> <a href="/tags/CVE-2021-4034/" style="font-size: 15px; color: #bbe">CVE-2021-4034</a> <a href="/tags/CVE-2022-08475/" style="font-size: 15px; color: #bbe">CVE-2022-08475</a> <a href="/tags/CVE-2022-1015/" style="font-size: 15px; color: #bbe">CVE-2022-1015</a> <a href="/tags/CVE-2023-0179/" style="font-size: 15px; color: #bbe">CVE-2023-0179</a> <a href="/tags/Docker/" style="font-size: 18.75px; color: #99abe0">Docker</a> <a href="/tags/ETW/" style="font-size: 18.75px; color: #99abe0">ETW</a> <a href="/tags/Fuzzing-Xpdf/" style="font-size: 15px; color: #bbe">Fuzzing-Xpdf</a> <a href="/tags/IDA/" style="font-size: 15px; color: #bbe">IDA</a> <a href="/tags/Reverse/" style="font-size: 18.75px; color: #99abe0">Reverse</a> <a href="/tags/WannaCry%E5%88%86%E6%9E%90/" style="font-size: 15px; color: #bbe">WannaCry分析</a> <a href="/tags/baku%E5%88%86%E6%9E%90/" style="font-size: 15px; color: #bbe">baku分析</a> <a href="/tags/ctf/" style="font-size: 18.75px; color: #99abe0">ctf</a> <a href="/tags/ctf-pwn/" style="font-size: 15px; color: #bbe">ctf-pwn</a> <a href="/tags/fuzz/" style="font-size: 15px; color: #bbe">fuzz</a> <a href="/tags/git/" style="font-size: 15px; color: #bbe">git</a> <a href="/tags/kernel/" style="font-size: 30px; color: #337ab7">kernel</a> <a href="/tags/patch/" style="font-size: 15px; color: #bbe">patch</a> <a href="/tags/pwn/" style="font-size: 15px; color: #bbe">pwn</a> <a href="/tags/%E4%BB%A3%E7%90%86%E8%AE%BE%E7%BD%AE/" style="font-size: 15px; color: #bbe">代理设置</a> <a href="/tags/%E7%BC%96%E7%A8%8B/" style="font-size: 15px; color: #bbe">编程</a> <a href="/tags/%E8%99%9A%E5%87%BD%E6%95%B0%E7%9B%B8%E5%85%B3%E7%9F%A5%E8%AF%86/" style="font-size: 15px; color: #bbe">虚函数相关知识</a> <a href="/tags/%E8%AE%A1%E7%AE%97%E6%9C%BA%E5%9F%BA%E7%A1%80/" style="font-size: 15px; color: #bbe">计算机基础</a> <a href="/tags/%E9%80%86%E5%90%91/" style="font-size: 22.5px; color: #779bd3">逆向</a>
 </div>
 
               </div>
diff --git a/wannacry/index.html b/wannacry/index.html
index e6b3754..1075336 100644
--- a/wannacry/index.html
+++ b/wannacry/index.html
@@ -17,12 +17,12 @@
   <meta name="author" content="hope">
   <meta name="keywords" content="">
   
-    <meta name="description" content="样本情况 样本名称：WannaCry 大小：3,514,368 bytes MD5：84C82835A5D21BBCF75A61706D8AB549  查壳PEiD使用PEiD观察到WannaCry使用VC++编写  Exeinfo使用Exeinfo观察到WannaCry未加壳  基础分析基础静态分析查看字符串首先检索字符串，发现WannaCry采用了Windows的加解密函数，并且字符串中出现了">
+    <meta name="description" content="病毒分析">
 <meta property="og:type" content="article">
-<meta property="og:title" content="hope">
+<meta property="og:title" content="WannaCry分析">
 <meta property="og:url" content="https://h0pe-ay.github.io/wannacry/index.html">
 <meta property="og:site_name" content="hope">
-<meta property="og:description" content="样本情况 样本名称：WannaCry 大小：3,514,368 bytes MD5：84C82835A5D21BBCF75A61706D8AB549  查壳PEiD使用PEiD观察到WannaCry使用VC++编写  Exeinfo使用Exeinfo观察到WannaCry未加壳  基础分析基础静态分析查看字符串首先检索字符串，发现WannaCry采用了Windows的加解密函数，并且字符串中出现了">
+<meta property="og:description" content="病毒分析">
 <meta property="og:locale" content="zh_CN">
 <meta property="og:image" content="https://s2.loli.net/2024/03/17/AcFNGLwfoIl5aKQ.png">
 <meta property="og:image" content="https://s2.loli.net/2024/03/17/57OrVIJU1RxPhTw.png">
@@ -65,12 +65,13 @@
 <meta property="og:image" content="https://s2.loli.net/2024/03/17/VtZ3cvGCf1shwQl.png">
 <meta property="article:published_time" content="2024-03-08T09:42:12.343Z">
 <meta property="article:author" content="hope">
+<meta property="article:tag" content="WannaCry分析">
 <meta name="twitter:card" content="summary_large_image">
 <meta name="twitter:image" content="https://s2.loli.net/2024/03/17/AcFNGLwfoIl5aKQ.png">
   
   
   
-  <title>hope</title>
+  <title>WannaCry分析 - hope</title>
 
   <link  rel="stylesheet" href="https://lib.baomitu.com/twitter-bootstrap/4.6.1/css/bootstrap.min.css" />
 
@@ -253,7 +254,7 @@
       <div class="banner-text text-center fade-in-up">
         <div class="h2">
           
-            <span id="subtitle" data-typed-text=""></span>
+            <span id="subtitle" data-typed-text="WannaCry分析"></span>
           
         </div>
 
@@ -333,7 +334,7 @@
         <div id="board">
           <article class="post-content mx-auto">
             <!-- SEO header -->
-            <h1 style="display: none"></h1>
+            <h1 style="display: none">WannaCry分析</h1>
             
             
               <div class="markdown-body">
@@ -476,6 +477,34 @@ <h2 id="加密使用的API"><a href="#加密使用的API" class="headerlink" tit
             <div>
               <div class="post-metas my-3">
   
+    <div class="post-meta mr-3 d-flex align-items-center">
+      <i class="iconfont icon-category"></i>
+      
+
+<span class="category-chains">
+  
+  
+    
+      <span class="category-chain">
+        
+  <a href="/categories/%E7%97%85%E6%AF%92%E5%88%86%E6%9E%90/" class="category-chain-item">病毒分析</a>
+  
+  
+
+      </span>
+    
+  
+</span>
+
+    </div>
+  
+  
+    <div class="post-meta">
+      <i class="iconfont icon-tags"></i>
+      
+        <a href="/tags/WannaCry%E5%88%86%E6%9E%90/">#WannaCry分析</a>
+      
+    </div>
   
 </div>
 
@@ -485,7 +514,7 @@ <h2 id="加密使用的API"><a href="#加密使用的API" class="headerlink" tit
 
   <div class="license-box my-3">
     <div class="license-title">
-      <div></div>
+      <div>WannaCry分析</div>
       <div>https://h0pe-ay.github.io/wannacry/</div>
     </div>
     <div class="license-meta">