Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to talk about the environment configuration and code implementation of RASP technology. The content of the article is of high quality, so the editor will share it with you for reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Initialize the project

First, let's create a new maven project in IDEA

Name it JavawebAgent.

Then the current directory structure is as follows:

Delete the src directory, then right-click to create a new Module

Still choose the Maven project

Then fill in agent at ArtifactId

And then just make sure.

Then repeat the operation of the new Module above, changing the ArtifactId in the second small step to test and the Module Name in the third small step to test-struts2, as shown in the following figure

The directory structure at this time is as follows

The agent directory is the main code area where we want to implement agent, and test-struts2 is the test web code area. (note: test-struts2 is not required)

Basic configuration of test-struts2 module

The test-struts2 part of the code will not be repeated here, you can go to the address of this project to download test-struts2 content directly.

Agent module basic configuration ≡≡ pom.xml package configuration

There are holes in the configuration of agent, the pom package. I will talk about this later. Let's take a look at the pom.xml content first.

Org.ow2.asm asm-all 5.1 agent org.apache.maven.plugins maven-compiler-plugin 1.6 1.6 Org.apache.maven.plugins maven-jar-plugin 2.3.2 src/main/resources/MANIFEST.MF org.apache.maven. Plugins maven-shade-plugin 2.3 package shade Commons-io:commons-io:jar:* org.ow2.asm:asm-all:jar:* Org.apache.maven.plugins maven-surefire-plugin 2.21.0 true

Copy the above to the pom.xml under the agent module

≡≡ creates a MAINFEST.NF file

Create a MAINFEST.NF file in the resources directory with the following contents

Manifest-Version: 1.0Can-Retransform-Classes: trueCan-Redefine-Classes: trueCan-Set-Native-Method-Prefix: true

≡≡ maven Auto Packaging configuration

Locate Add Configurations in the upper right section of idea and click this button

Select maven at the + in the upper left corner of the pop-up window

Then click the location of ① below to select the working directory, select agent in the location of ②, and enter clean install in the location of ③.

When you are finished, as shown in the following figure, then click OK to save

At this time, you can see the automatic packaging feature of maven that we just configured in the upper right corner. Every change in agent needs to be re-build, otherwise it will not take effect.

≡≡ creates the main implementation code package for Agent

Right-click the java folder under the agent package to select New package, and then fill in your package name. My package name is

Cn.org.javaweb.agent

Simple version of RASP implementation to create entry classes

Create a new class under the cn.org.javaweb.agent package.

The contents are as follows:

/ * Copyright sky 2019-04-03 Email:sky@03sec.com. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "ASIS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * / package cn.org.javaweb.agent;import java.lang.instrument.Instrumentation;/** * @ author sky * / public class Agent {public static void premain (String agentArgs, Instrumentation inst) {inst.addTransformer (new AgentTransform ());}}

Create Transform

Then we create a new AgentTransform class, which needs to implement the method of ClassFileTransformer, as follows:

/ * Copyright sky 2019-04-03 Email:sky@03sec.com. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "ASIS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * / package cn.org.javaweb.agent;import java.lang.instrument.ClassFileTransformer;import java.lang.instrument.IllegalClassFormatException;import java.security.ProtectionDomain / * @ author sky * / public class AgentTransform implements ClassFileTransformer {/ * * @ param loader * @ param className * @ param protectionDomain * @ param classfileBuffer * @ return * @ throws IllegalClassFormatException * / @ Override public byte [] transform (ClassLoader loader, String className, Class classBeingRedefined, ProtectionDomain protectionDomain Byte [] classfileBuffer) throws IllegalClassFormatException {className = className.replace ("/", ".") System.out.println ("Load class:" + className); return classfileBuffer;}}

Build Agent configuration

Click agent [clean,intall] in the upper right corner to build.

As can be seen from the picture above, the location of our package is

/ Volumes/Data/code/work/JavawebAgent/agent/target/agent.jar

Record the location of the change package, and then click tomcat configuration (there is no explanation on how to configure tomcat for idea. If not, you can do it on your own Baidu | Google)

Fill in the following at VM options:

-Dfile.encoding=UTF-8-noverify-Xbootclasspath/p:/Volumes/Data/code/work/JavawebAgent/agent/target/agent.jar-javaagent:/Volumes/Data/code/work/JavawebAgent/agent/target/agent.jar

The path of / Volumes/Data/code/work/JavawebAgent/agent/target/agent.jar is the path of the agent you compiled in the previous step, pay attention to replace it.

At this point, when we start tomcat, we can see that the print package name we wrote in AgentTransform has taken effect, as shown below:

The red box area above shows all the class names that are loaded when tomcat starts. Then we open the browser to see if the web is normal.

You can see that web also starts normally.

Create a ClassVisitor class

Then we create a new TestClassVisitor class, which needs to inherit the ClassVisitor class and implement the Opcodes class, as follows

/ * Copyright sky 2019-04-03 Email:sky@03sec.com. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "ASIS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * / package cn.org.javaweb.agent;import org.objectweb.asm.ClassVisitor;import org.objectweb.asm.MethodVisitor;import org.objectweb.asm.Opcodes;/** * @ author sky * / public class TestClassVisitor extends ClassVisitor implements Opcodes {public TestClassVisitor (ClassVisitor cv) {super (Opcodes.ASM5, cv) } @ Override public MethodVisitor visitMethod (int access, String name, String desc, String signature, String [] exceptions) {MethodVisitor mv = super.visitMethod (access, name, desc, signature, exceptions); System.out.println (name + "method descriptor is:" + desc); return mv;}}

Commands executed by the hook user on the ProcessBuilder (command execution) class ≡≡ uses transform to filter class names

Then go back to AgentTransform and modify the content of the transform method. The code of the transform method is as follows:

Public byte [] transform (ClassLoader loader, String className, Class classBeingRedefined, ProtectionDomain protectionDomain, byte [] classfileBuffer) throws IllegalClassFormatException {className = className.replace ("/", "."); try {if (className.contains ("ProcessBuilder")) {System.out.println ("Load class:" + className) ClassReader classReader = new ClassReader (classfileBuffer); ClassWriter classWriter = new ClassWriter (classReader, ClassWriter.COMPUTE_MAXS); ClassVisitor classVisitor = new TestClassVisitor (classWriter); classReader.accept (classVisitor, ClassReader.EXPAND_FRAMES); classfileBuffer = classWriter.toByteArray ();} catch (Exception e) {e.printStackTrace () } return classfileBuffer;}

A brief introduction to the contents of the code block

First of all, determine whether the class name contains ProcessBuilder, if so, use ClassReader to read the bytecode, then create a new ClassWriter to splice the bytecode read by ClassReader, then create a custom ClassVisitor to hook the trigger event of the class, then call the accept method of classReader, and finally re-assign the modified bytecode to classfileBuffer.

It may look like a circle, but it will be easier to understand if you learn to use it.

≡≡ creates a test environment

We create a new jsp in tomcat to invoke command execution, with the following code:

You can see that it is a simple code that executes the command; let's build what has been changed to see what is output.

Biuld completed, start tomcat.

Visit

Http://localhost:8080/cmd.jsp?cmd=whoami

You can see that the command has been executed successfully, so let's go back to the console in idea to see what the output is.

From the figure above, you can see all the call chains invoked by an execute command.

The descriptor of the Load class: java.lang.ProcessBuilder method is: (Ljava/util/List;) V the descriptor of the Vcommand method is: (Ljava/util/List;) the descriptor of the Ljava/lang/ProcessBuilder;command method is: ([Ljava/lang/String;) the descriptor of the Ljava/lang/ProcessBuilder;command method is: () the descriptor of the Ljava/util/List;environment method is: () Ljava/util/Map The descriptor of the environment method is: ([Ljava/lang/String;) the descriptor of the Ljava/lang/ProcessBuilder;directory method is: () the descriptor of the Ljava/io/File;directory method is: (Ljava/io/File;) the descriptor of the Ljava/lang/ProcessBuilder;redirects method is: () [the descriptor of the Ljava/lang/ProcessBuilder$Redirect;redirectInput method is: (Ljava/lang/ProcessBuilder$Redirect;) the descriptor of the Ljava/lang/ProcessBuilder;redirectOutput method is: (Ljava/lang/ProcessBuilder$Redirect;) Ljava/lang/ProcessBuilder The descriptor of the redirectError method is: (Ljava/lang/ProcessBuilder$Redirect;) the descriptor of the Ljava/lang/ProcessBuilder;redirectInput method is: (Ljava/io/File;) the descriptor of the Ljava/lang/ProcessBuilder;redirectOutput method is: (Ljava/io/File;) the descriptor of the Ljava/lang/ProcessBuilder;redirectError method is: (Ljava/io/File;) the descriptor of the Ljava/lang/ProcessBuilder;redirectInput method is: () the descriptor of the Ljava/lang/ProcessBuilder$Redirect;redirectOutput method is: () Ljava/lang/ProcessBuilder$Redirect The descriptor of the redirectError method is: () the descriptor of the Ljava/lang/ProcessBuilder$Redirect;inheritIO method is: () the descriptor of the Ljava/lang/ProcessBuilder;redirectErrorStream method is: () the descriptor of the ZredirectErrorStream method is: (Z) the descriptor of the Ljava/lang/ProcessBuilder;start method is: () Ljava/lang/Process The method descriptor is: () VLoad class: java.lang.ProcessBuilder$NullInputStream method descriptor is: () Vread method descriptor is: () Iavailable method descriptor is: () I method descriptor is: () VLoad class: java.lang.ProcessBuilder$NullOutputStream method descriptor is: () Vwrite method descriptor is: (I) V method descriptor is: () V

≡≡ gets the command executed by the user

Next, let's see if we can get the orders we have executed.

Create a new class named ProcessBuilderHook, and then create a new static method named start in the class. The complete code is as follows:

/ * Copyright sky 2019-04-04 Email:sky@03sec.com. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "ASIS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * / package cn.org.javaweb.agent;import java.util.Arrays;import java.util.List;/** * @ author sky * / public class ProcessBuilderHook {public static void start (List commands) {String [] commandArr = commands.toArray (new String [commands.size ()]); System.out.println (Arrays.toString (commandArr));}}

What's the use of this method? we'll talk about it later. Take a look at the following first.

≡≡ replication visitMethod method

Open TestClassVisitor and make changes to the visitMethod method. The specific code is as follows:

@ Override public MethodVisitor visitMethod (int access, String name, String desc, String signature, String [] exceptions) {MethodVisitor mv = super.visitMethod (access, name, desc, signature, exceptions); if ("start" .equals (name) & & "() Ljava/lang/Process;" .equals (desc)) {System.out.println (name + "method descriptor is:" + desc) Return new AdviceAdapter (Opcodes.ASM5, mv, access, name, desc) {@ Override public void visitCode () {mv.visitVarInsn (ALOAD, 0); mv.visitFieldInsn (GETFIELD, "java/lang/ProcessBuilder", "command", "Ljava/util/List;") Mv.visitMethodInsn (INVOKESTATIC, "cn/org/javaweb/agent/ProcessBuilderHook", "start", "(Ljava/util/List;) V", false); super.visitCode ();}};} return mv;}

Explain the new code to you, starting with the if judgment.

Determine whether the passed method name is start and the method descriptor is () Ljava/lang/Process;,. If so, create a new AdviceAdapter method, and copy the visitCode method to modify its bytecode.

Mv.visitVarInsn (ALOAD, 0)

Get the this on the top of the stack

Mv.visitFieldInsn (GETFIELD, "java/lang/ProcessBuilder", "command", "Ljava/util/List;")

Get the command in this

Mv.visitMethodInsn (INVOKESTATIC, "cn/org/javaweb/agent/ProcessBuilderHook", "start", "(Ljava/util/List;) V", false)

Then call the start method in our new ProcessBuilderHook class above and press the this.command we got above into our method.

The function of the ProcessBuilderHook class is to let this part be called, and then the transfer can be transferred to our logical code.

Let's compile again, then start tomcat and visit cmd.jsp.

≡≡ tests whether the command parameters executed by hook users are obtained

Visit

Http://localhost:8080/cmd.jsp?cmd=ls%20-la

You can see that the contents of the current directory have been printed out.

Let's go to idea and see what the console outputs.

You can see the commands we entered.

[whoami]

It has been output, and so far, we have got the order to be executed.

On how to talk about RASP technology environment configuration and code implementation to share here, I hope that the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.