├── .github
│   └── ISSUE_TEMPLATE
│       └── bug_report.md
├── .gitignore
├── CODE_OF_CONDUCT.md
├── LICENSE
├── README.md
├── SECURITY.md
├── img.png
├── pom.xml
└── src
    ├── META-INF
    │   └── MANIFEST.MF
    └── main
        └── java
            ├── META-INF
            │   └── MANIFEST.MF
            └── com
                └── r00t4dm
                    ├── CleanMemShellAgentMainAttach.java
                    ├── CleanMemShellAgentmain.java
                    └── CleanMemShellTransformer.java

/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''

---

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Desktop (please complete the following information):**
 - OS: [e.g. iOS]
 - Browser [e.g. chrome, safari]
 - Version [e.g. 22]

**Smartphone (please complete the following information):**
 - Device: [e.g. iPhone6]
 - OS: [e.g. iOS8.1]
 - Browser [e.g. stock browser, safari]
 - Version [e.g. 22]

**Additional context**
Add any other context about the problem here.
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
/.idea/
/libs/
/out/
/target/
*.iml
.DS_Store
dependency-reduced-pom.xml

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Contributor Covenant Code of Conduct

## Our Pledge

We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, religion, or sexual identity
and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.

## Our Standards

Examples of behavior that contributes to a positive environment for our
community include:

* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
  and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
  overall community

Examples of unacceptable behavior include:

* The use of sexualized language or imagery, and sexual attention or
  advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
  address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
  professional setting

## Enforcement Responsibilities

Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.

Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.

## Scope

This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
r00t4dm@gmail.com.
All complaints will be reviewed and investigated promptly and fairly.

All community leaders are obligated to respect the privacy and security of the
reporter of any incident.

## Enforcement Guidelines

Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:

### 1. Correction

**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.

**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.

### 2. Warning

**Community Impact**: A violation through a single incident or series
of actions.

**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or
permanent ban.

### 3. Temporary Ban

**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.

**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.

### 4. Permanent Ban

**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.

**Consequence**: A permanent ban from any sort of public interaction within
the community.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.0, available at
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.

Community Impact Guidelines were inspired by [Mozilla's code of conduct
enforcement ladder](https://github.com/mozilla/diversity).

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see the FAQ at
https://www.contributor-covenant.org/faq. Translations are available at
https://www.contributor-covenant.org/translations.
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 r00t4dm

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# aLIEz

JDK dependencies are loaded dynamically through reflection. The transformer does not modify bytecode directly: matching classes are now dumped as they are, and researchers are expected to analyze them themselves.

Kills memory shells (in-memory webshells) in various JavaEE containers and middleware.

Usage: java -jar aLIEz.jar JVMID aLIEz-agent-1.0-SNAPSHOT.jar

![img.png](img.png)

Usage
````
➜ java -jar aLIEz.jar
usage: java -jar clearMemShell.jar "AgentLocate"
32866: org.jetbrains.idea.maven.server.RemoteMavenServer36
43237: org.jetbrains.jps.cmdline.Launcher /Applications/IntelliJ IDEA.app/Contents/lib/netty-common-4.1.52.Final.jar:/Applications/IntelliJ IDEA.app/Contents/lib/netty-resolver-4.1.52.Final.jar:/Applications/IntelliJ IDEA.app/Contents/plugins/java/lib/javac2.jar:/Applications/IntelliJ IDEA.app/Contents/lib/httpclient-4.5.12.jar:/Applications/IntelliJ IDEA.app/Contents/lib/plexus-component-annotations-1.7.1.jar:/Applications/IntelliJ IDEA.app/Contents/lib/maven-resolver-spi-1.3.3.jar:/Applications/IntelliJ IDEA.app/Contents/lib/util.jar:/Applications/IntelliJ IDEA.app/Contents/lib/platform-api.jar:/Applications/IntelliJ IDEA.app/Contents/lib/qdox-2.0-M10.jar:/Applications/IntelliJ IDEA.app/Contents/lib/asm-all-9.0.jar:/Applications/IntelliJ IDEA.app/Contents/lib/commons-lang3-3.10.jar:/Applications/IntelliJ IDEA.app/Contents/lib/jna.jar:/Applications/IntelliJ IDEA.app/Contents/lib/trove4j.jar:/Applications/IntelliJ IDEA.app/Contents/lib/nanoxml-2.2.3.jar:/Applications/IntelliJ IDEA.app/Contents/lib/maven-resolver-api
45253: org.jetbrains.idea.maven.server.RemoteMavenServer36
69401: org.jetbrains.idea.maven.server.RemoteMavenServer36
51529: Behinder_v3.0_Beta6_mac.jar
56185: org.apache.catalina.startup.Bootstrap start
57449: aLIEz.jar
37197:
64783: org.jetbrains.idea.maven.server.RemoteMavenServer36
56879: Godzilla-V2.96.jar

15:18:23 in out/artifacts/aLIEz_jar
➜ java -jar aLIEz.jar 56185 "/Users/r00t4dm/Downloads/JavaAgent_CleanMemShell/target/aLIEz-agent-1.0-SNAPSHOT.jar"
[+]OK.i find a jvm.org.apache.catalina.startup.Bootstrap start
[+]agent is injected.
````

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
# Security Policy

## Supported Versions

Use this section to tell people about which versions of your project are
currently being supported with security updates.

| Version | Supported          |
| ------- | ------------------ |
| 5.1.x   | :white_check_mark: |
| 5.0.x   | :x:                |
| 4.0.x   | :white_check_mark: |
| < 4.0   | :x:                |

## Reporting a Vulnerability

Use this section to tell people how to report a vulnerability.

Tell them where to go, how often they can expect to get an update on a
reported vulnerability, what to expect if the vulnerability is accepted or
declined, etc.

--------------------------------------------------------------------------------
/img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00t4dm/aLIEz/c320f37d3aa1f763b8da29586300d27db7942d53/img.png

--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
4.0.0

org.example
aLIEz-agent
1.0-SNAPSHOT

8
8

com.sun
tools
1.8.0
system
/Library/Java/JavaVirtualMachines/jdk1.8.0_20.jdk/Contents/Home/lib/tools.jar

org.javassist
javassist
3.20.0-GA

org.apache.maven.plugins
maven-compiler-plugin
3.6.2

1.8
1.8
utf-8

org.apache.maven.plugins
maven-shade-plugin
3.2.4

package

shade

com.r00t4dm.CleanMemShellAgentmain
true

--------------------------------------------------------------------------------
/src/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
Manifest-Version: 1.0
Main-Class: com.r00t4dm.CleanMemShellAgentMainAttach

--------------------------------------------------------------------------------
/src/main/java/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
Manifest-Version: 1.0
Main-Class: com.r00t4dm.CleanMemShellAgentMainAttach

--------------------------------------------------------------------------------
/src/main/java/com/r00t4dm/CleanMemShellAgentMainAttach.java:
--------------------------------------------------------------------------------
package com.r00t4dm;

import com.sun.tools.attach.*;

import java.io.File;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.List;

public class CleanMemShellAgentMainAttach {
    private static final String TOOLS_CLASS_NAME = "com.sun.tools.attach.VirtualMachine";
    private static final String VMD_CLASS_NAME = "com.sun.tools.attach.VirtualMachineDescriptor";

    public static void main(String[] args) throws ClassNotFoundException, InvocationTargetException,
            NoSuchMethodException, IllegalAccessException, MalformedURLException {
        // Both the target JVM id and the agent jar path are needed to attach;
        // with fewer arguments, print the usage line and list the local JVMs.
        if (args.length < 2) {
            System.err.println("usage: java -jar aLIEz.jar \"Agent-Locate\"");
            listTargetVMs();
        } else {
            String vmdId = args[0];
            String agentLocate = args[1];
            attachToTargetVM(vmdId, agentLocate);

        }
    }

    // Attaches to the JVM with the given id and loads the agent jar into it.
    private static void attachToTargetVM(String vmdId, String agentLocate) throws ClassNotFoundException,
            NoSuchMethodException, InvocationTargetException, IllegalAccessException, MalformedURLException {

        // JDK 8 layout: java.home points at <jdk>/jre, so tools.jar is at <jdk>/lib/tools.jar.
        File jarFile = new File(System.getProperty("java.home"));
        System.out.println("java.home : " + System.getProperty("java.home"));
        File toolsJar = new File(jarFile.getParentFile() + "/lib/", "tools.jar");
        System.out.println("tools.jar path: " + toolsJar.getAbsolutePath());

        // Load the Attach API reflectively from tools.jar.
        URL[] urls = new URL[] {toolsJar.toURI().toURL()};
        Class<?> vmClass = new URLClassLoader(urls).loadClass(TOOLS_CLASS_NAME);
        Method attachMethod = vmClass.getDeclaredMethod("attach", String.class);
        Object vmInstance = attachMethod.invoke(null, vmdId);
        Method loadAgentMethod = vmClass.getDeclaredMethod("loadAgent", String.class);
        loadAgentMethod.invoke(vmInstance, agentLocate);
        System.out.println("[+]agent is injected.");

        Method detachMethod = vmClass.getDeclaredMethod("detach");
        detachMethod.invoke(vmInstance);
    }

    // Prints "<id> : <display name>" for every JVM the Attach API can see.
    private static void listTargetVMs() throws ClassNotFoundException, NoSuchMethodException,
            InvocationTargetException, IllegalAccessException, MalformedURLException {

        File jarFile = new File(System.getProperty("java.home"));
        File toolsJar = new File(jarFile.getParentFile() + "/lib/", "tools.jar");

        System.out.println("java.home: " + System.getProperty("java.home"));
        System.out.println("tools.jar path: " + toolsJar.getAbsolutePath());
        URL[] urls = new URL[] {toolsJar.toURI().toURL()};
        Class<?> vmClass = new URLClassLoader(urls).loadClass(TOOLS_CLASS_NAME);
        Method listMethod = vmClass.getDeclaredMethod("list");
        List<?> vms = (List<?>) listMethod.invoke(null);
        for (Object vmObject : vms) {
            Class<?> vmdClass = vmObject.getClass();
            Method idMethod = vmdClass.getMethod("id");
            Method displayNameMethod = vmdClass.getMethod("displayName");
            String id = (String) idMethod.invoke(vmObject);
            String displayName = (String) displayNameMethod.invoke(vmObject);
            System.out.println(id + " : " + displayName);
        }
    }

}

--------------------------------------------------------------------------------
/src/main/java/com/r00t4dm/CleanMemShellAgentmain.java:
--------------------------------------------------------------------------------
package com.r00t4dm;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.lang.instrument.Instrumentation;
import java.lang.instrument.UnmodifiableClassException;
import java.lang.management.ManagementFactory;
import java.util.HashSet;
import java.util.Set;

public class CleanMemShellAgentmain {

    private static final Set<Class<?>> setClasses = new HashSet<>();

    public static String getCurrentPID() {
        try {
            String name = ManagementFactory.getRuntimeMXBean().getName();
            return name.split("@")[0];
        } catch (Exception e) {
            return "";
        }
    }

    /**
     * @param agentOps class name
     * @param inst
     * @throws UnmodifiableClassException
     */
    public static void agentmain(String agentOps, Instrumentation inst)
            throws UnmodifiableClassException, ClassNotFoundException, IOException {

        for (Class<?> clazz : inst.getAllLoadedClasses()) {
            // One unmodifiable class would make retransformClasses() fail for the whole batch.
            if (!inst.isModifiableClass(clazz)) {
                continue;
            }
            // Only directly declared javax.servlet interfaces are checked here, so a class
            // that inherits them (for example through HttpServlet) is not collected.
            Class<?>[] classes = clazz.getInterfaces();
            for (int i = 0; i < classes.length; i++) {
                if (classes[i].getName().equalsIgnoreCase("javax.servlet.Servlet") ||
                        classes[i].getName().equalsIgnoreCase("javax.servlet.Filter") ||
                        classes[i].getName().equalsIgnoreCase("javax.servlet.ServletRequestListener")) {
                    // Message text: "matching class"
                    System.out.println("符合条件的类 :" + clazz.getName());
                    setClasses.add(clazz);
                }
            }

            // getSuperclass() is null for Object, interfaces and primitive types.
            Class<?> superClass = clazz.getSuperclass();
            if (superClass != null && superClass.getName().contains("AbstractTranslet")) {
                System.out.println("符合条件的类 :" + clazz.getName());
                setClasses.add(clazz);
            }
        }

        // Register the dumping transformer only for the retransform pass, then remove it
        // so it is not invoked for every class the target JVM loads afterwards.
        CleanMemShellTransformer transformer = new CleanMemShellTransformer(inst);
        inst.addTransformer(transformer, true);
        try {
            inst.retransformClasses(setClasses.toArray(new Class<?>[0]));
        } finally {
            inst.removeTransformer(transformer);
        }

    }


}

--------------------------------------------------------------------------------
/src/main/java/com/r00t4dm/CleanMemShellTransformer.java:
--------------------------------------------------------------------------------
package com.r00t4dm;

import javassist.*;
import java.io.*;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;

public class CleanMemShellTransformer implements ClassFileTransformer {

    private static final String CLASSNAME = "javax.servlet.Servlet";
    private static final String FILTERNAME = "javax.servlet.Filter";
    private static final String LISTENERNAME = "javax.servlet.ServletRequestListener";
    private static final String TEMPLATENAME = "com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";

    private final Instrumentation inst;

    public CleanMemShellTransformer(Instrumentation inst) {
        this.inst = inst;
    }

    @Override
    public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined,
                            ProtectionDomain protectionDomain, byte[] classfileBuffer) {
        // Initial class loads (classBeingRedefined == null) and bootstrap classes (loader == null)
        // cannot be checked by isMemshell(); returning null leaves the class untouched.
        if (loader == null || classBeingRedefined == null) {
            return null;
        }
        try {
            if (isMemshell(loader, classBeingRedefined, classfileBuffer)) {
                return dumpClasses(classBeingRedefined, classfileBuffer);
            }
        } catch (NotFoundException | IOException | ClassNotFoundException | NoSuchMethodException e) {
            System.out.println("dump MemShell Error : " + e.getMessage());
        } catch (Exception e) {
            e.printStackTrace();
        }
        // Not a memory shell: return the bytecode unmodified
        return classfileBuffer;
    }

    /**
     * dump bytecode to class file.
     * @param classBeingRedefined
     * @param classfileBuffer
     * @return
     */
    private byte[] dumpClasses(Class<?> classBeingRedefined, byte[] classfileBuffer) throws IOException {
        String className = classBeingRedefined.getName();
        File file = new File("/tmp/memshell/" + className);

        file.mkdirs();
        File newFile = new File(file, classBeingRedefined.getSimpleName() + ".class");
        // try-with-resources closes the stream even when the write fails
        try (FileOutputStream fos = new FileOutputStream(newFile)) {
            fos.write(classfileBuffer);
            fos.flush();
        }
        return classfileBuffer;
    }

    /**
     * Decide from its characteristics whether a class is a memory shell.
     * Every Servlet, Filter, ServletRequestListener and AbstractTranslet subclass matches,
     * so the dump also contains the application's legitimate classes.
     * @param loader
     * @param aClass
     * @param bytes
     * @return true if it is a memory shell, false otherwise
     */
    private static boolean isMemshell(ClassLoader loader, Class<?> aClass, byte[] bytes) throws NotFoundException,
            ClassNotFoundException, IOException, NoSuchMethodException {

        // All four types must be visible to the class's own loader; otherwise
        // ClassNotFoundException is reported by transform() and nothing is dumped.
        Class<?> servletClass = loader.loadClass(CLASSNAME);
        Class<?> filterClass = loader.loadClass(FILTERNAME);
        Class<?> listenerClass = loader.loadClass(LISTENERNAME);
        Class<?> templateClass = loader.loadClass(TEMPLATENAME);

        if (templateClass.isAssignableFrom(aClass)) {
            return true;
        }

        if (servletClass.isAssignableFrom(aClass) ||
                filterClass.isAssignableFrom(aClass) ||
                listenerClass.isAssignableFrom(aClass)) {

            return true;

        }

        return false;
    }

    /**
     *
     * @param MemShell the memory shell class
     * @param byteMemShell bytecode of the memory shell
     * @return the cleaned bytecode
     * @throws NotFoundException
     * @throws CannotCompileException
     * @throws IOException
     */
    private static byte[] killMemShell (Class<?> MemShell, byte[] byteMemShell)
            throws IOException {
        String className = MemShell.getName();
        File file = new File("/tmp/" + className);

        file.mkdirs();
        File newFile = new File(file, MemShell.getSimpleName() + ".class");
        try (FileOutputStream fos = new FileOutputStream(newFile)) {
            fos.write(byteMemShell);
            fos.flush();
        }
        return byteMemShell;

    }


}

--------------------------------------------------------------------------------
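
Added example, not part of the aLIEz repository: the transformer dumps every servlet, filter, listener and AbstractTranslet subclass it is handed, so `/tmp/memshell` mixes legitimate classes with candidates. This Python script parses the header and constant pool of each dumped `.class` file and lists reasons for manual review; `SUSPICIOUS_REFS`, all function names and the constructed sample class are assumptions of this example.

```python
import struct
from pathlib import Path

# Assumed review heuristics for this example; they do not come from the aLIEz repository.
SUSPICIOUS_REFS = ("java/lang/Runtime", "java/lang/ProcessBuilder", "defineClass",
                   "javax/crypto/Cipher", "java/util/Base64")
# Payload size per constant-pool tag (JVMS 4.4); tag 1 (Utf8) is variable length.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_class(data):
    """Return this/super/interface names and the Utf8 constants of one class file."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)
    utf8, class_ref = {}, {}
    pos, i = 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, pos)
            utf8[i] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in CP_SIZES:
            if tag == 7:  # CONSTANT_Class points at the Utf8 entry holding its name
                (class_ref[i],) = struct.unpack_from(">H", data, pos)
            pos += CP_SIZES[tag]
            if tag in (5, 6):  # Long and Double occupy two pool slots
                i += 1
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        i += 1
    _flags, this_c, super_c, n_ifaces = struct.unpack_from(">HHHH", data, pos)
    ifaces = struct.unpack_from(">%dH" % n_ifaces, data, pos + 8)

    def name(idx):
        return utf8.get(class_ref.get(idx), "")

    return {"this": name(this_c), "super": name(super_c),
            "interfaces": [name(x) for x in ifaces], "strings": list(utf8.values())}


def triage(info):
    """List the reasons a dumped class deserves manual review (assumed heuristics)."""
    reasons = []
    if info["super"].endswith("AbstractTranslet"):
        reasons.append("extends AbstractTranslet")
    for ref in SUSPICIOUS_REFS:
        if any(ref in s for s in info["strings"]):
            reasons.append("references " + ref)
    return reasons


def scan_dump(root="/tmp/memshell"):
    """Map each .class file under the agent's dump directory to its findings."""
    results = {}
    for path in sorted(Path(root).rglob("*.class")):
        try:
            results[str(path)] = triage(parse_class(path.read_bytes()))
        except (ValueError, struct.error, IndexError) as exc:
            results[str(path)] = ["unparseable: %s" % exc]
    return results


def build_sample(this_name, super_name, ifaces=(), extra_utf8=()):
    """Construct a minimal class-file prefix in memory (test data, not a real dump)."""
    pool = []

    def utf(text):
        raw = text.encode()
        pool.append(b"\x01" + struct.pack(">H", len(raw)) + raw)
        return len(pool)

    def cls(text):
        pool.append(b"\x07" + struct.pack(">H", utf(text)))
        return len(pool)

    this_c, super_c = cls(this_name), cls(super_name)
    iface_idx = [cls(n) for n in ifaces]
    for text in extra_utf8:
        utf(text)
    head = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(pool) + 1)
    tail = struct.pack(">HHHH", 0x21, this_c, super_c, len(iface_idx))
    return head + b"".join(pool) + tail + struct.pack(">%dH" % len(iface_idx), *iface_idx)


if __name__ == "__main__":
    for dumped, reasons in scan_dump().items():
        print(dumped, "->", reasons or "no indicator matched")
```

An empty findings list only means none of the assumed indicators matched; the class still needs a decompiler pass before it is cleared.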