-
-
[原创]一马调试分析之下篇(马说)
-
发表于: 2012-2-28 23:46
-
第一部分:猥缩的驱动
技术亮点:
1、得到“处女之身”,(在女人心中第1个男人永远会记得),主要目的是为了使自己挂钩原始的东西,sub_148a8()获取ntoskrnl的文件地址(ZwQuerySystemInformation),sub_11c78将ntoskrnl文件映身入内存,sub_136b6()找到原始SSDT偏移,sub_11338()手动重定位从而找到原始地址。具体实现可以看一下。原始的SSDT的函数地址。
2、大玩“躲猫猫”,创建服务,实施“乾坤大挪移”修改文件名,躲猫猫之对象HOOK \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES的ParseProcedure CmParseKey实现注册表隐藏。
IoDeviceObjctType的IopParseDevice,实现文件保护。(ObRefernceObjectByHandle)。
DriverEntry ===>
主要流程:
1、通过与"System"比较,确定进程名在PEB中的偏移(因为加载驱动时进程是System,这样做实际上是因为不同操作系统偏移位置不同)
2、解密字符串
3、获取所需的函数的地址
4、调用DriverReinitializationRoutine,开始猥缩的操作
流程4:DriverReinitializationRoutine ===>
1、测试打开"\SystemRoot"(这个应该是测试文件系统是否初始化完毕)
1-1、打开失败,使用IoRegisterDriverReinitialization从而转到1.
1-2、打开成功,进入sub_16BFE()。
流程4 ==> 流程1-2:sub_16BFE() ===>
1、解密字符串
2、获得原始SSDT,以获取原始函数的地址(内核本就是兵家必争之地,极可能不是“处女之身”了,可见作者也明白这道理)
2-1、获取失败,还是用别人搞了的函数,避免操作失败
3、sub_1132A(),调用PsSetCreateProcessNotifyRoutine注册进程回调,在回调中进行各种XX操作,回调例程为sub_108B8
4、sub_16BD2(),调用sub_1575C(),查找NtSetValueKey及NtDeleteKey中对ObReferenceObjectByHandle的调用。
4-1、如果找到则对NtSetValueKey及NtDeleteKey中对ObReferenceObjectByHandle的调用进行Inlie HOOK,Inline后分别对应调用sub_157F0()及sub_15824()
4-2、如果没找到则直接SSDT HOOK NtDeleteKey
5、sub_16AF2(),创建服务,实施“乾坤大挪移”修改文件名,对键HOOK \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES CmParseKey,以实现对服务的隐藏。
6、sub_10DE4(),HOOK IoDeviceObjctType的IopParseDevice,实现文件保护.
(PS,获取原始SSDT中,原始函数的地址,主要是通过读取ntoskrnl文件中原始SSDT的值)
流程4 ==> 流程1-2 ==> 流程3:回调流程sub_108B8() ===>
这个例程分别对userinit.exe、explorer.exe、rundll32.exe、iexplorer.exe进行不同的处理,实际上都是一些注册表的操作,主要是实现应用层的DLL起动,注册为IE的加载项,以便随同IE一起加载
1、case userinit: 写入\registry\machine\software\microsoft\windows\currentversion\runonce的键unfd,
对应的值为%systemroot%\system32\rundll32.exe %systemroot%\system32\zuefhm.dll,DllRegisterServer"
2、case explorer: 一些注册表查询设置操作,这里注册表操作较多,有兴趣自己可以跟一下,小弟简单列一下,有下面的这些键
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DDF3C19-E692-22D2-AB05-11AA44BDD685}\Shell\Open\Command
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\REGISTRY\USER\S-1-5-21-823518204-1336601894-1417001333- 500\Software\Microsoft\Internet Explorer\Main
\REGISTRY\USER\S-1-5-21-823518204-1336601894-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons \ClassicStartMenu\REGISTRY\USER\S-1-5-21-823518204-1336601894-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer \HideDesktopIcons\NewStartPanel
\REGISTRY\USER\S-1-5-21-823518204-1336601894-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer \REGISTRY\USER\S-1-5- 21-823518204-1336601894-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
3、case rundll32: 判断其父进程是否是ExpLorer.exe
4、case iexplorer: 进行一些计时操作
看一下对应几次解密后分别对应如下几图:
我们再来看一下HOOK NtDeleteValueKey中对ObReferenceObjectByHandle的调用前如下图:
HOOK前查找NtSetValueKey中对ObReferenceObjectByHandle的调用前如下图:
再来看一下HOOK NtDeleteValueKey、NtSetValueKey后如下图:
看一下\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES的ParseProcedure CmParseKey被HOOK前:
对比下\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES的ParseProcedure CmParseKey被HOOK后:
再来看下代码:
看一下DriverEntry
INIT:00019380 ; NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) INIT:00019380 public DriverEntry INIT:00019380 DriverEntry proc near INIT:00019380 INIT:00019380 SymbolicLinkName= UNICODE_STRING ptr -14h INIT:00019380 DestinationString= UNICODE_STRING ptr -0Ch INIT:00019380 DeviceObject = dword ptr -4 INIT:00019380 DriverObject = dword ptr 8 INIT:00019380 RegistryPath = dword ptr 0Ch INIT:00019380 INIT:00019380 000 push ebp INIT:00019381 004 mov ebp, esp INIT:00019383 004 sub esp, 14h INIT:00019386 018 push ebx INIT:00019387 01C push esi INIT:00019388 020 push edi INIT:00019389 024 push edx INIT:0001938A 028 inc dl INIT:0001938C 028 or dh, dl INIT:0001938E 028 and edx, ebx INIT:00019390 028 test ah, dh INIT:00019392 028 and dh, 5Eh INIT:00019395 028 pop edx INIT:00019396 024 push [ebp+RegistryPath] INIT:00019399 028 call sub_19260 INIT:0001939E 024 push ecx INIT:0001939F 028 push bx INIT:000193A1 02A test cx, cx INIT:000193A4 02A sub cx, si INIT:000193A7 02A mov cx, 1DD6h INIT:000193AB 02A mov bh, 68h INIT:000193AD 02A xor cl, bl INIT:000193AF 02A or ecx, 3F17h INIT:000193B5 02A and bh, dh INIT:000193B7 02A pop bx INIT:000193B9 028 pop ecx INIT:000193BA 024 xor eax, eax INIT:000193BC 024 cmp g_ImageFileNameOffset, eax INIT:000193C2 024 jnz short loc_193DD INIT:000193C4 024 push eax INIT:000193C5 028 push eax INIT:000193C6 02C call sub_192A0 INIT:000193CB 024 push eax INIT:000193CC 028 push edx INIT:000193CD 02C push di INIT:000193CF 02E sub eax, 0DCCh INIT:000193D4 02E pop di INIT:000193D6 02C pop edx INIT:000193D7 028 pop eax INIT:000193D8 024 jmp loc_194A4 INIT:000193DD ; --------------------------------------------------------------------------- INIT:000193DD INIT:000193DD loc_193DD: ; CODE XREF: DriverEntry+42j INIT:000193DD 024 push edi INIT:000193DE 028 test eax, edi INIT:000193E0 028 pop edi INIT:000193E1 024 call near ptr DecodeAllStr INIT:000193E6 024 pusha INIT:000193E7 044 inc al INIT:000193E9 044 and dl, bl INIT:000193EB 044 or dx, ax INIT:000193EE 044 and dx, 463Eh INIT:000193F3 044 test dl, 63h INIT:000193F6 044 xor ax, cx INIT:000193F9 044 inc dl INIT:000193FB 044 popa INIT:000193FC 024 lea eax, [ebp+DestinationString] INIT:000193FF 024 push offset g_device_ksdrv ; SourceString INIT:00019404 028 push eax ; DestinationString INIT:00019405 02C call ds:RtlInitUnicodeString INIT:0001940B 024 pushaw INIT:0001940D 034 push edx INIT:0001940E 038 test bx, 1458h INIT:00019413 038 or ax, di INIT:00019416 038 add bh, ch INIT:00019418 038 test bh, al INIT:0001941A 038 pop edx INIT:0001941B 034 popaw INIT:0001941D 024 lea eax, [ebp+DeviceObject] INIT:00019420 024 xor esi, esi INIT:00019422 024 push eax ; DeviceObject INIT:00019423 028 push esi ; Exclusive INIT:00019424 02C push esi ; DeviceCharacteristics INIT:00019425 030 lea eax, [ebp+DestinationString] INIT:00019428 030 push 8000h ; DeviceType INIT:0001942D 034 push eax ; DeviceName INIT:0001942E 038 push esi ; DeviceExtensionSize INIT:0001942F 03C push [ebp+DriverObject] ; DriverObject INIT:00019432 040 call ds:IoCreateDevice INIT:00019438 024 cmp eax, esi INIT:0001943A 024 jl loc_194ED INIT:00019440 024 push ecx INIT:00019441 028 push edx INIT:00019442 02C push edi INIT:00019443 030 test cx, cx INIT:00019446 030 xor dl, 57h INIT:00019449 030 inc edi INIT:0001944A 030 or ch, 6Fh INIT:0001944D 030 pop edi INIT:0001944E 02C pop edx INIT:0001944F 028 pop ecx INIT:00019450 024 lea eax, [ebp+SymbolicLinkName] INIT:00019453 024 push offset g_dosdevice_ksdrv ; SourceString INIT:00019458 028 push eax ; DestinationString INIT:00019459 02C call ds:RtlInitUnicodeString INIT:0001945F 024 push ebx INIT:00019460 028 push edx INIT:00019461 02C mov bh, 64h INIT:00019463 02C pop edx INIT:00019464 028 pop ebx INIT:00019465 024 lea eax, [ebp+DestinationString] INIT:00019468 024 push eax ; DeviceName INIT:00019469 028 lea eax, [ebp+SymbolicLinkName] INIT:0001946C 028 push eax ; SymbolicLinkName INIT:0001946D 02C call ds:IoCreateSymbolicLink INIT:00019473 024 cmp eax, esi INIT:00019475 024 mov [ebp+RegistryPath], eax INIT:00019478 024 jge short loc_19485 INIT:0001947A 024 push [ebp+DeviceObject] ; DeviceObject INIT:0001947D 028 call ds:IoDeleteDevice INIT:00019483 024 jmp short loc_194EA INIT:00019485 ; --------------------------------------------------------------------------- INIT:00019485 INIT:00019485 loc_19485: ; CODE XREF: DriverEntry+F8j INIT:00019485 024 pusha INIT:00019486 044 inc al INIT:00019488 044 and dl, bl INIT:0001948A 044 or dx, ax INIT:0001948D 044 and dx, 463Eh INIT:00019492 044 test dl, 63h INIT:00019495 044 xor ax, cx INIT:00019498 044 inc dl INIT:0001949A 044 popa INIT:0001949B 024 call GetNeedSystemRootine INIT:000194A0 024 test al, al INIT:000194A2 024 jnz short loc_194AB INIT:000194A4 INIT:000194A4 loc_194A4: ; CODE XREF: DriverEntry+58j INIT:000194A4 024 mov eax, 0C0000001h INIT:000194A9 024 jmp short loc_194ED INIT:000194AB ; --------------------------------------------------------------------------- INIT:000194AB INIT:000194AB loc_194AB: ; CODE XREF: DriverEntry+122j INIT:000194AB 024 push cx INIT:000194AD 026 push edx INIT:000194AE 02A sub dh, al INIT:000194B0 02A add cx, dx INIT:000194B3 02A inc cl INIT:000194B5 02A test ah, cl INIT:000194B7 02A inc ch INIT:000194B9 02A or dx, bx INIT:000194BC 02A inc cx INIT:000194BE 02A xor dx, dx INIT:000194C1 02A xor cl, bh INIT:000194C3 02A pop edx INIT:000194C4 026 pop cx INIT:000194C6 024 mov eax, [ebp+DriverObject] INIT:000194C9 024 mov dword ptr [eax+38h], offset sub_16CD4 INIT:000194D0 024 push ecx INIT:000194D1 028 push edx INIT:000194D2 02C push edi INIT:000194D3 030 test cx, cx INIT:000194D6 030 xor dl, 57h INIT:000194D9 030 inc edi INIT:000194DA 030 or ch, 6Fh INIT:000194DD 030 pop edi INIT:000194DE 02C pop edx INIT:000194DF 028 pop ecx INIT:000194E0 024 push 0 ; ULONG INIT:000194E2 028 push 0 ; PVOID INIT:000194E4 02C push eax ; struct _DRIVER_OBJECT * INIT:000194E5 030 call DriverReinitializationRoutine INIT:000194EA INIT:000194EA loc_194EA: ; CODE XREF: DriverEntry+103j INIT:000194EA 024 mov eax, [ebp+RegistryPath] INIT:000194ED INIT:000194ED loc_194ED: ; CODE XREF: DriverEntry+BAj INIT:000194ED ; DriverEntry+129j INIT:000194ED 024 pop edi INIT:000194EE 020 pop esi INIT:000194EF 01C pop ebx INIT:000194F0 018 leave INIT:000194F1 000 retn 8 INIT:000194F1 DriverEntry endp
.text:000108B8 ; double __stdcall sub_108B8(int ParentId, int pid, char bCreate) .text:000108B8 sub_108B8 proc near ; DATA XREF: sub_1132A+2o .text:000108B8 .text:000108B8 var_10 = byte ptr -10h .text:000108B8 var_F = byte ptr -0Fh .text:000108B8 ParentId = dword ptr 8 .text:000108B8 pid = dword ptr 0Ch .text:000108B8 bCreate = dword ptr 10h .text:000108B8 .text:000108B8 0 000 push ebp .text:000108B9 0 004 mov ebp, esp .text:000108BB 0 004 sub esp, 10h .text:000108BE 0 014 push ebx .text:000108BF 0 018 push esi .text:000108C0 0 01C push edi .text:000108C1 0 020 xor ebx, ebx .text:000108C3 0 020 xor eax, eax .text:000108C5 0 020 lea edi, [ebp+var_F] .text:000108C8 0 020 mov [ebp+var_10], bl .text:000108CB 0 020 cmp byte ptr [ebp+bCreate], bl .text:000108CE 0 020 stosd .text:000108CF 0 020 stosd .text:000108D0 0 020 stosd .text:000108D1 0 020 stosw .text:000108D3 0 020 stosb .text:000108D4 0 020 jz loc_10A7D .text:000108DA 0 020 cmp [ebp+pid], 14h .text:000108DE 0 020 jb loc_10A7D .text:000108E4 0 020 cmp g_ImageFileNameOffset, ebx .text:000108EA 0 020 jz loc_10A7D .text:000108F0 0 020 lea eax, [ebp+var_10] .text:000108F3 0 020 push eax ; char * .text:000108F4 0 024 push [ebp+pid] ; int .text:000108F7 0 028 call SearchProccessName .text:000108FC 0 020 cmp eax, ebx .text:000108FE 0 020 mov [ebp+bCreate], eax .text:00010901 0 020 jz loc_10A7D .text:00010907 0 020 push edx .text:00010908 0 024 push edi .text:00010909 0 028 or edx, edx .text:0001090B 0 028 mov dl, ch .text:0001090D 0 028 cmp edx, ecx .text:0001090F 0 028 and edx, eax .text:00010911 0 028 pop edi .text:00010912 0 024 pop edx .text:00010913 0 020 mov esi, ds:_stricmp .text:00010919 0 020 lea eax, [ebp+var_10] .text:0001091C 0 020 push offset g_userinit ; "9UT瞋#Q" .text:00010921 0 024 push eax ; char * .text:00010922 0 028 call esi ; _stricmp .text:00010924 0 028 pop ecx .text:00010925 0 024 test eax, eax .text:00010927 0 024 pop ecx .text:00010928 0 020 jnz short loc_10947 .text:0001092A 0 020 push eax .text:0001092B 0 024 push bx .text:0001092D 0 026 test ax, 826h .text:00010931 0 026 sub bl, 12h .text:00010934 0 026 test bx, 3C13h .text:00010939 0 026 test ah, 56h .text:0001093C 0 026 cmp bx, dx .text:0001093F 0 026 pop bx .text:00010941 0 024 pop eax .text:00010942 0 020 call ProcessUserInit .text:00010947 .text:00010947 loc_10947: ; CODE XREF: sub_108B8+70j .text:00010947 0 020 push ax .text:00010949 0 022 push cx .text:0001094B 0 024 push edi .text:0001094C 0 028 and al, dl .text:0001094E 0 028 or ch, 3Ah .text:00010951 0 028 dec edi .text:00010952 0 028 inc edi .text:00010953 0 028 cmp ah, bl .text:00010955 0 028 xor ax, ax .text:00010958 0 028 cmp cl, dl .text:0001095A 0 028 dec cl .text:0001095C 0 028 pop edi .text:0001095D 0 024 pop cx .text:0001095F 0 022 pop ax .text:00010961 0 020 lea eax, [ebp+var_10] .text:00010964 0 020 push offset g_explorer_exe ; ")^A琘?]\n?^T? .text:00010969 0 024 push eax ; char * .text:0001096A 0 028 call esi ; _stricmp .text:0001096C 0 028 pop ecx .text:0001096D 0 024 test eax, eax .text:0001096F 0 024 pop ecx .text:00010970 0 020 jnz loc_10A24 .text:00010976 0 020 cmp g_bFirstExplorer, al .text:0001097C 0 020 jnz loc_10A24 .text:00010982 0 020 push ebx .text:00010983 0 024 add bx, ax .text:00010986 0 024 mov bx, 6602h .text:0001098A .text:0001098A loc_1098A: .text:0001098A 0 024 and bh, dl .text:0001098C 0 024 pop ebx .text:0001098D 0 020 push [ebp+bCreate] .text:00010990 0 024 call ProcessExplorer1 .text:00010995 0 020 test eax, eax .text:00010997 0 020 jl loc_10A24 .text:0001099D 0 020 jbe loc_109B4 .text:000109A3 0 020 push eax .text:000109A4 0 024 pop eax .text:000109A5 0 020 ja loc_109B4 .text:000109AB 0 020 pop esi .text:000109AC 0 01C fisubr dword ptr [ecx+7A96ED64h] .text:000109B2 db 26h .text:000109B2 0 01C dec esp .text:000109B4 .text:000109B4 loc_109B4: ; CODE XREF: sub_108B8+E5j .text:000109B4 ; sub_108B8+EDj .text:000109B4 0 01C mov g_bFirstExplorer, 1 .text:000109BB 0 01C jbe loc_109DD .text:000109C1 0 01C push si .text:000109C3 0 01E mov si, 5C11h .text:000109C7 0 01E pop si .text:000109C9 0 01C ja loc_109DD .text:000109C9 ; --------------------------------------------------------------------------- .text:000109CF 0 01C unk_109CF db 70h ; p .text:000109D0 0 01C db 0BAh ; ? .text:000109D1 0 01C db 0Eh .text:000109D2 0 01C dw 8D67h .text:000109D4 0 01C dd 3557B8FDh, 0CBA2EED7h .text:000109DC 0 01C db 0F3h .text:000109DD ; --------------------------------------------------------------------------- .text:000109DD .text:000109DD loc_109DD: ; CODE XREF: sub_108B8+103j .text:000109DD ; sub_108B8+111j .text:000109DD 0 01C mov b_FinishRegClsid, 1 .text:000109E4 0 01C jp short loc_109FB .text:000109E6 0 01C push edi .text:000109E7 0 020 mov di, 0B224h .text:000109EB 0 020 pop edi .text:000109EC 0 01C jnp short loc_109FB .text:000109EE 0 01C xchg eax, edx .text:000109EF 0 01C clc .text:000109F0 0 01C mov esi, 34A96CF4h .text:000109F5 0 01C inc eax .text:000109F5 ; --------------------------------------------------------------------------- .text:000109F6 0 01C unk_109F6 db 0C5h ; ? .text:000109F7 0 01C db 2Dh ; - .text:000109F8 0 01C db 3Ah ; : .text:000109F9 0 01C db 0B4h ; ? .text:000109FA 0 01C db 17h .text:000109FB ; --------------------------------------------------------------------------- .text:000109FB .text:000109FB loc_109FB: ; CODE XREF: sub_108B8+12Cj .text:000109FB ; sub_108B8+134j .text:000109FB 0 01C call ProcessExploerer2 .text:00010A00 0 01C pusha .text:00010A01 0 03C test bx, 0A43h .text:00010A06 0 03C cmp ch, 6Eh .text:00010A09 0 03C sub ch, bl .text:00010A0B 0 03C cmp dx, 7A98h .text:00010A10 0 03C sub ecx, edx .text:00010A12 0 03C popa .text:00010A13 0 01C push dword_19178 .text:00010A19 0 020 call ProcessExploerer3 .text:00010A1E 0 01C mov esi, ds:_stricmp .text:00010A24 .text:00010A24 loc_10A24: ; CODE XREF: sub_108B8+B8j .text:00010A24 ; sub_108B8+C4j ... .text:00010A24 0 01C push eax .text:00010A25 0 020 xor ax, bx .text:00010A28 0 020 pop eax .text:00010A29 0 01C lea eax, [ebp+var_10] .text:00010A2C 0 01C push offset g_aRundll32_exe ; char * .text:00010A31 0 020 push eax ; char * .text:00010A32 0 024 call esi ; _stricmp .text:00010A34 0 024 pop ecx .text:00010A35 0 020 test eax, eax .text:00010A37 0 020 pop ecx .text:00010A38 0 01C jnz short loc_10A4A .text:00010A3A 0 01C cmp g_bFirstExplorer, al .text:00010A40 0 01C jz short loc_10A4A .text:00010A42 0 01C push [ebp+ParentId] .text:00010A45 0 020 call ProcessRundll32 .text:00010A4A .text:00010A4A loc_10A4A: ; CODE XREF: sub_108B8+180j .text:00010A4A ; sub_108B8+188j .text:00010A4A 0 01C jo short loc_10A62 .text:00010A4C 0 01C push esi .text:00010A4D 0 020 mov esi, 387EF7E0h .text:00010A52 0 020 pop esi .text:00010A53 0 01C jno short loc_10A62 .text:00010A53 ; --------------------------------------------------------------------------- .text:00010A55 0 01C byte_10A55 db 0C6h, 71h, 7Dh .text:00010A58 0 01C dd 21D7221Dh, 0C0FF8AF7h .text:00010A60 0 01C db 0Dh, 0A7h .text:00010A62 ; --------------------------------------------------------------------------- .text:00010A62 .text:00010A62 loc_10A62: ; CODE XREF: sub_108B8:loc_10A4Aj .text:00010A62 ; sub_108B8+19Bj .text:00010A62 0 01C lea eax, [ebp+var_10] .text:00010A65 0 01C push offset g_aIEXPLORE_EXE ; char * .text:00010A6A 0 020 push eax ; char * .text:00010A6B 0 024 call esi ; _stricmp .text:00010A6D 0 024 pop ecx .text:00010A6E 0 020 test eax, eax .text:00010A70 0 020 pop ecx .text:00010A71 0 01C jnz short loc_10A7D .text:00010A73 0 01C push offset dword_19170 .text:00010A78 0 020 call ProcessIexplorer .text:00010A7D .text:00010A7D loc_10A7D: ; CODE XREF: sub_108B8+1Cj .text:00010A7D ; sub_108B8+26j ... .text:00010A7D 0 01C pop edi .text:00010A7E 0 018 pop esi .text:00010A7F 0 014 pop ebx .text:00010A80 0 010 leave .text:00010A81 0 000 retn 0Ch .text:00010A81 sub_108B8 endp ; sp-analysis failed
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
