Hessian反序列化Hook方法详解<\/h1>

1. Java原生反序列化Hook方法<\/h2>
在CTF比赛中，hook Java原生反序列化是最常见的需求，通常通过重写`ObjectInputStream<\/code>的resolveClass<\/code>方法实现。<\/p>`

1.1 基本Hook方法<\/h3>
ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>inputStream)<\/span> {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        String className =<\/span> desc.<\/span>getName<\/span>();<\/span>
<\/span><\/span>        \/\/ 在这里添加黑名单检查逻辑
<\/span><\/span><\/span><\/span>        if<\/span> (<\/span>BLACKLISTED_CLASSES.<\/span>contains<\/span>(<\/span>className))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> InvalidClassException(<\/span>"Unauthorized deserialization attempt"<\/span>,<\/span> className);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>resolveClass<\/span>(<\/span>desc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>1.2 实战建议<\/h3>

使用匿名内部类方式实现，便于快速修复<\/li>
黑名单应尽可能全面，至少包含Java-chains中的每条链的一个节点<\/li>
这种方法适用于awdp等线下赛事，修复速度快<\/li>
<\/ol>
2. Hessian反序列化Hook方法<\/h2>
Hessian反序列化的hook方法较少被讨论，但同样重要。<\/p>
2.1 Hessian反序列化特点<\/h3>

不同于原生Java序列化<\/li>
传统基于base64解码检测的方法存在缺陷<\/li>
特别是面对"UTF-8 Overlong Encoding"攻击时不够安全<\/li>
<\/ol>
2.2 Hessian反序列化流程分析<\/h3>
通过调试Hessian2Input<\/code>的readObject<\/code>方法，发现关键点在findSerializerFactory<\/code>方法，该方法返回一个SerializerFactory<\/code>对象。<\/p>
2.3 SerializerFactory核心方法<\/h3>
SerializerFactory<\/code>类中有两个关键方法：<\/p>
public<\/span> Deserializer getDeserializer<\/span>(<\/span>String type)<\/span>
<\/span><\/span>public<\/span> Deserializer getDeserializer<\/span>(<\/span>Class cl)<\/span>
<\/span><\/span><\/code><\/pre>这两个方法在反序列化过程中会被调用，参数type<\/code>或cl<\/code>就是当前反序列化的类名\/类对象。<\/p>
2.4 Hook实现方法<\/h3>
方法一：直接修改SerializerFactory<\/h4>
SerializerFactory factory =<\/span> new<\/span> SerializerFactory()<\/span> {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> Deserializer getDeserializer<\/span>(<\/span>String type)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>BLACKLISTED_CLASSES.<\/span>contains<\/span>(<\/span>type))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> RuntimeException(<\/span>"Blocked deserialization of "<\/span> +<\/span> type);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>getDeserializer<\/span>(<\/span>type);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>方法二：通过Hessian2Input设置<\/h4>
更推荐的方法是通过Hessian2Input<\/code>的setSerializerFactory<\/code>方法：<\/p>
Hessian2Input input =<\/span> new<\/span> Hessian2Input(<\/span>is);<\/span>
<\/span><\/span>input.<\/span>setSerializerFactory<\/span>(<\/span>new<\/span> SerializerFactory()<\/span> {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> Deserializer getDeserializer<\/span>(<\/span>String type)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>BLACKLISTED_CLASSES.<\/span>contains<\/span>(<\/span>type))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> RuntimeException(<\/span>"Blocked deserialization of "<\/span> +<\/span> type);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>getDeserializer<\/span>(<\/span>type);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>});<\/span>
<\/span><\/span><\/code><\/pre>2.5 黑名单构建建议<\/h3>
根据Java-chains构建的防御性黑名单应包含：<\/p>

常见反序列化利用链的关键节点类<\/li>
避免误伤正常集合类<\/li>
能够防御绝大多数已知利用链<\/li>
<\/ol>
3. 实战应用与注意事项<\/h2>

修复速度<\/strong>：在awdp等比赛中，快速修复至关重要<\/li>
最小化改动<\/strong>：使用匿名内部类方式，便于快速部署<\/li>
防御全面性<\/strong>：黑名单应尽可能覆盖所有已知利用链<\/li>
调试技巧<\/strong>：通过断点调试确定关键hook点<\/li>
<\/ol>
4. 总结<\/h2>
Hessian反序列化的hook方法与原生Java序列化不同，主要通过拦截SerializerFactory<\/code>的getDeserializer<\/code>方法实现。这种方法：<\/p>

能够有效防御各种Hessian反序列化攻击<\/li>
包括UTF-8 Overlong Encoding等绕过方式<\/li>
实现简单，适合CTF比赛快速修复<\/li>
可以通过黑名单机制实现通防<\/li>
<\/ol>
在实际应用中，建议结合具体场景调整黑名单内容，并定期更新以应对新的攻击方式。<\/p>

Hessian反序列化Hook方法详解<\/h1>

1. Java原生反序列化Hook方法<\/h2> 在CTF比赛中，hook Java原生反序列化是最常见的需求，通常通过重写ObjectInputStream<\/code>的resolveClass<\/code>方法实现。<\/p>

2. Hessian反序列化Hook方法<\/h2> Hessian反序列化的hook方法较少被讨论，但同样重要。<\/p>

2.2 Hessian反序列化流程分析<\/h3> 通过调试Hessian2Input<\/code>的readObject<\/code>方法，发现关键点在findSerializerFactory<\/code>方法，该方法返回一个SerializerFactory<\/code>对象。<\/p>

1. Java原生反序列化Hook方法<\/h2>
在CTF比赛中，hook Java原生反序列化是最常见的需求，通常通过重写`ObjectInputStream<\/code>的resolveClass<\/code>方法实现。<\/p>`

2. Hessian反序列化Hook方法<\/h2>
Hessian反序列化的hook方法较少被讨论，但同样重要。<\/p>

2.2 Hessian反序列化流程分析<\/h3>
通过调试`Hessian2Input<\/code>的readObject<\/code>方法，发现关键点在findSerializerFactory<\/code>方法，该方法返回一个SerializerFactory<\/code>对象。<\/p>`