├── target
    ├── maven-status
    │   └── maven-compiler-plugin
    │   │   ├── testCompile
    │   │       └── default-testCompile
    │   │       │   └── inputFiles.lst
    │   │   └── compile
    │   │       └── default-compile
    │   │           ├── createdFiles.lst
    │   │           └── inputFiles.lst
    ├── classes
    │   ├── Main.class
    │   ├── Agent.class
    │   └── utils
    │   │   └── ServerDetector.class
    ├── releaseBehinderShell-1.0-SNAPSHOT.jar
    ├── maven-archiver
    │   └── pom.properties
    └── releaseBehinderShell-1.0-SNAPSHOT-jar-with-dependencies.jar
├── releaseBehinderShell.iml
├── .idea
    ├── .gitignore
    ├── compiler.xml
    ├── misc.xml
    └── jarRepositories.xml
├── README.md
├── src
    └── main
    │   └── java
    │       ├── Main.java
    │       ├── Agent.java
    │       └── utils
    │           └── ServerDetector.java
└── pom.xml


/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/releaseBehinderShell.iml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <module type="JAVA_MODULE" version="4" />


--------------------------------------------------------------------------------
/target/classes/Main.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wuppp/releaseBehinderShell/HEAD/target/classes/Main.class


--------------------------------------------------------------------------------
/target/classes/Agent.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wuppp/releaseBehinderShell/HEAD/target/classes/Agent.class


--------------------------------------------------------------------------------
/target/classes/utils/ServerDetector.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wuppp/releaseBehinderShell/HEAD/target/classes/utils/ServerDetector.class


--------------------------------------------------------------------------------
/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst:
--------------------------------------------------------------------------------
1 | Agent.class
2 | Main.class
3 | utils/ServerDetector.class
4 | 


--------------------------------------------------------------------------------
/target/releaseBehinderShell-1.0-SNAPSHOT.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wuppp/releaseBehinderShell/HEAD/target/releaseBehinderShell-1.0-SNAPSHOT.jar


--------------------------------------------------------------------------------
/target/maven-archiver/pom.properties:
--------------------------------------------------------------------------------
1 | #Generated by Maven
2 | #Fri Apr 09 12:02:23 CST 2021
3 | version=1.0-SNAPSHOT
4 | groupId=org.example
5 | artifactId=releaseBehinderShell
6 | 


--------------------------------------------------------------------------------
/target/releaseBehinderShell-1.0-SNAPSHOT-jar-with-dependencies.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wuppp/releaseBehinderShell/HEAD/target/releaseBehinderShell-1.0-SNAPSHOT-jar-with-dependencies.jar


--------------------------------------------------------------------------------
/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 | # Datasource local storage ignored files
5 | /dataSources/
6 | /dataSources.local.xml
7 | # Editor-based HTTP Client requests
8 | /httpRequests/
9 | 


--------------------------------------------------------------------------------
/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst:
--------------------------------------------------------------------------------
1 | /Users/ppwu/Desktop/releaseBehinderShell/src/main/java/Agent.java
2 | /Users/ppwu/Desktop/releaseBehinderShell/src/main/java/Main.java
3 | /Users/ppwu/Desktop/releaseBehinderShell/src/main/java/utils/ServerDetector.java
4 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # 编译
 2 | 
 3 | ```shell
 4 | mvn clean package -DskipTests
 5 | ```
 6 | 
 7 | # 使用
 8 | 
 9 | 1. 首先查看机器进程，找到Tomcat或者Weblogic进程ID，如下为查找Tocmat进程ID
10 | ```shell
11 | ps -el | grep org.apache.catalina.startup.Bootstrap
12 | ```
13 | 
14 | 2. 运行卸载内存马程序
15 | ```shell
16 | java -Xbootclasspath/a:$JAVA_HOME/lib/tools.jar -jar releaseBehinderShell-1.0-SNAPSHOT-jar-with-dependencies.jar [pid]
17 | ```
18 | 
19 | # 注意
20 | 
21 | 1. 本工具只在Tomcat环境下进行测试通过，weblogic环境未进行测试。
22 | 2. 由于使用本工具导致的任何服务器崩溃等一系列问题，与本人无关。
23 | 


--------------------------------------------------------------------------------
/.idea/compiler.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="CompilerConfiguration">
 4 |     <annotationProcessing>
 5 |       <profile name="Maven default annotation processors profile" enabled="true">
 6 |         <sourceOutputDir name="target/generated-sources/annotations" />
 7 |         <sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
 8 |         <outputRelativeToContentRoot value="true" />
 9 |         <module name="releaseBehinderShell" />
10 |       </profile>
11 |     </annotationProcessing>
12 |   </component>
13 | </project>


--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="ASMPluginConfiguration">
 4 |     <asm skipDebug="false" skipFrames="false" skipCode="false" expandFrames="false" />
 5 |     <groovy codeStyle="LEGACY" />
 6 |   </component>
 7 |   <component name="ExternalStorageConfigurationManager" enabled="true" />
 8 |   <component name="MavenProjectsManager">
 9 |     <option name="originalFiles">
10 |       <list>
11 |         <option value="$PROJECT_DIR$/pom.xml" />
12 |       </list>
13 |     </option>
14 |   </component>
15 |   <component name="ProjectRootManager" version="2" languageLevel="JDK_1_8" project-jdk-name="1.8" project-jdk-type="JavaSDK">
16 |     <output url="file://$PROJECT_DIR$/out" />
17 |   </component>
18 | </project>


--------------------------------------------------------------------------------
/src/main/java/Main.java:
--------------------------------------------------------------------------------
 1 | import com.sun.tools.attach.*;
 2 | 
 3 | import java.io.IOException;
 4 | import java.util.List;
 5 | 
 6 | public class Main {
 7 |     public static void main(String[] args) throws IOException, AttachNotSupportedException, AgentLoadException, AgentInitializationException {
 8 |         if (args.length < 1) {
 9 |             System.out.println("java -jar releaseShell.jar [pid]");
10 |             System.exit(0);
11 |         }
12 | 
13 |         System.out.println(Main.class.getProtectionDomain().getCodeSource().getLocation().getPath());
14 |         VirtualMachine virtualMachine = VirtualMachine.attach(args[0]);
15 |         virtualMachine.loadAgent(Main.class.getProtectionDomain().getCodeSource().getLocation().getPath());
16 |         virtualMachine.detach();
17 |         System.out.println("Success");
18 |     }
19 | }
20 | 


--------------------------------------------------------------------------------
/.idea/jarRepositories.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="RemoteRepositoriesConfiguration">
 4 |     <remote-repository>
 5 |       <option name="id" value="central" />
 6 |       <option name="name" value="Maven Central repository" />
 7 |       <option name="url" value="https://repo1.maven.org/maven2" />
 8 |     </remote-repository>
 9 |     <remote-repository>
10 |       <option name="id" value="jboss.community" />
11 |       <option name="name" value="JBoss Community repository" />
12 |       <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
13 |     </remote-repository>
14 |     <remote-repository>
15 |       <option name="id" value="central" />
16 |       <option name="name" value="Central Repository" />
17 |       <option name="url" value="https://maven.aliyun.com/repository/public" />
18 |     </remote-repository>
19 |   </component>
20 | </project>


--------------------------------------------------------------------------------
/src/main/java/Agent.java:
--------------------------------------------------------------------------------
 1 | import javassist.*;
 2 | import utils.ServerDetector;
 3 | 
 4 | import java.io.IOException;
 5 | import java.lang.instrument.ClassDefinition;
 6 | import java.lang.instrument.Instrumentation;
 7 | import java.lang.instrument.UnmodifiableClassException;
 8 | 
 9 | public class Agent {
10 |     public static void agentmain(String args, Instrumentation inst) throws NotFoundException, IOException, CannotCompileException, UnmodifiableClassException, ClassNotFoundException {
11 |         Class<?>[] cLasses = inst.getAllLoadedClasses();
12 |         String targetClass = "javax.servlet.http.HttpServlet";
13 |         if (ServerDetector.isWebLogic()) {
14 |             targetClass = "weblogic.servlet.internal.ServletStubImpl";
15 |         }
16 | 
17 |         Class[] classes = inst.getAllLoadedClasses();
18 |         for (Class clazz : classes) {
19 |             if (clazz.getName().equals(targetClass)) {
20 |                 System.out.println("found: " + targetClass);
21 |                 ClassPool cPool = ClassPool.getDefault();
22 |                 ClassClassPath classPath = new ClassClassPath(clazz);
23 |                 cPool.insertClassPath((ClassPath)classPath);
24 |                 CtClass cClass = cPool.get(clazz.getName());
25 |                 inst.redefineClasses(new ClassDefinition[] { new ClassDefinition(clazz, cClass.toBytecode()) });
26 |                 System.out.println("release ok!");
27 | //                if (cClass.isFrozen()) {
28 | //                    inst.redefineClasses(new ClassDefinition[] { new ClassDefinition(clazz, cClass.toBytecode()) });
29 | //                    System.out.println("release ok!");
30 | //                } else {
31 | //                    System.out.println("no change");
32 | //                }
33 |             }
34 |         }
35 |     }
36 | }
37 | 


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |     <groupId>org.example</groupId>
 8 |     <artifactId>releaseBehinderShell</artifactId>
 9 |     <version>1.0-SNAPSHOT</version>
10 | 
11 |     <properties>
12 |         <maven.compiler.source>6</maven.compiler.source>
13 |         <maven.compiler.target>6</maven.compiler.target>
14 |     </properties>
15 | 
16 |     <dependencies>
17 |         <dependency>
18 |             <groupId>com.sun</groupId>
19 |             <artifactId>tools</artifactId>
20 |             <version>1.8</version>
21 |             <scope>system</scope>
22 |             <systemPath>${java.home}/../lib/tools.jar</systemPath>
23 |         </dependency>
24 | 
25 |         <dependency>
26 |             <groupId>org.javassist</groupId>
27 |             <artifactId>javassist</artifactId>
28 |             <version>3.26.0-GA</version>
29 |         </dependency>
30 |     </dependencies>
31 | 
32 |     <build>
33 |         <plugins>
34 |             <plugin>
35 |                 <groupId>org.apache.maven.plugins</groupId>
36 |                 <artifactId>maven-assembly-plugin</artifactId>
37 |                 <configuration>
38 |                     <descriptorRefs>
39 |                         <descriptorRef>jar-with-dependencies</descriptorRef>
40 |                     </descriptorRefs>
41 |                     <archive>
42 |                         <manifestEntries>
43 |                             <Main-Class>Main</Main-Class>
44 |                             <Agent-Class>Agent</Agent-Class>
45 |                             <Can-Redefine-Classes>true</Can-Redefine-Classes>
46 |                             <Can-Retransform-Classes>true</Can-Retransform-Classes>
47 |                         </manifestEntries>
48 |                     </archive>
49 |                 </configuration>
50 | 
51 |                 <executions>
52 |                     <execution>
53 |                         <goals>
54 |                             <goal>attached</goal>
55 |                         </goals>
56 |                         <phase>package</phase>
57 |                     </execution>
58 |                 </executions>
59 |             </plugin>
60 |         </plugins>
61 |     </build>
62 | 
63 | 
64 | </project>


--------------------------------------------------------------------------------
/src/main/java/utils/ServerDetector.java:
--------------------------------------------------------------------------------
  1 | package utils;
  2 | 
  3 | public class ServerDetector {
  4 |     public static final String GERONIMO_ID = "geronimo";
  5 | 
  6 |     public static final String GLASSFISH_ID = "glassfish";
  7 | 
  8 |     public static final String JBOSS_ID = "jboss";
  9 | 
 10 |     public static final String JETTY_ID = "jetty";
 11 | 
 12 |     public static final String JONAS_ID = "jonas";
 13 | 
 14 |     public static final String OC4J_ID = "oc4j";
 15 | 
 16 |     public static final String RESIN_ID = "resin";
 17 | 
 18 |     public static final String TOMCAT_ID = "tomcat";
 19 | 
 20 |     public static final String WEBLOGIC_ID = "weblogic";
 21 | 
 22 |     public static final String WEBSPHERE_ID = "websphere";
 23 | 
 24 |     public static String getServerId() {
 25 |         ServerDetector sd = _instance;
 26 |         if (sd._serverId == null) {
 27 |             if (isGeronimo()) {
 28 |                 sd._serverId = "geronimo";
 29 |             } else if (isGlassfish()) {
 30 |                 sd._serverId = "glassfish";
 31 |             } else if (isJBoss()) {
 32 |                 sd._serverId = "jboss";
 33 |             } else if (isJOnAS()) {
 34 |                 sd._serverId = "jonas";
 35 |             } else if (isOC4J()) {
 36 |                 sd._serverId = "oc4j";
 37 |             } else if (isResin()) {
 38 |                 sd._serverId = "resin";
 39 |             } else if (isWebLogic()) {
 40 |                 sd._serverId = "weblogic";
 41 |             } else if (isWebSphere()) {
 42 |                 sd._serverId = "websphere";
 43 |             }
 44 |             if (isJetty()) {
 45 |                 if (sd._serverId == null) {
 46 |                     sd._serverId = "jetty";
 47 |                 } else {
 48 |                     sd._serverId += "-jetty";
 49 |                 }
 50 |             } else if (isTomcat()) {
 51 |                 if (sd._serverId == null) {
 52 |                     sd._serverId = "tomcat";
 53 |                 } else {
 54 |                     sd._serverId += "-tomcat";
 55 |                 }
 56 |             }
 57 |             if (sd._serverId == null)
 58 |                 throw new RuntimeException("Server is not supported");
 59 |         }
 60 |         return sd._serverId;
 61 |     }
 62 | 
 63 |     public static boolean isGeronimo() {
 64 |         ServerDetector sd = _instance;
 65 |         if (sd._geronimo == null)
 66 |             sd._geronimo = _detect("/org/apache/geronimo/system/main/Daemon.class");
 67 |         return sd._geronimo.booleanValue();
 68 |     }
 69 | 
 70 |     public static boolean isGlassfish() {
 71 |         ServerDetector sd = _instance;
 72 |         if (sd._glassfish == null) {
 73 |             String value = System.getProperty("com.sun.aas.instanceRoot");
 74 |             if (value != null) {
 75 |                 sd._glassfish = Boolean.TRUE;
 76 |             } else {
 77 |                 sd._glassfish = Boolean.FALSE;
 78 |             }
 79 |         }
 80 |         return sd._glassfish.booleanValue();
 81 |     }
 82 | 
 83 |     public static boolean isGlassfish2() {
 84 |         ServerDetector sd = _instance;
 85 |         if (sd._glassfish2 == null)
 86 |             if (isGlassfish() && !isGlassfish3()) {
 87 |                 sd._glassfish2 = Boolean.TRUE;
 88 |             } else {
 89 |                 sd._glassfish2 = Boolean.FALSE;
 90 |             }
 91 |         return sd._glassfish2.booleanValue();
 92 |     }
 93 | 
 94 |     public static boolean isGlassfish3() {
 95 |         ServerDetector sd = _instance;
 96 |         if (sd._glassfish3 == null) {
 97 |             String value = "";
 98 |             if (isGlassfish())
 99 |                 value = getString(System.getProperty("product.name"));
100 |             if (value.equals("GlassFish/v3")) {
101 |                 sd._glassfish3 = Boolean.TRUE;
102 |             } else {
103 |                 sd._glassfish3 = Boolean.FALSE;
104 |             }
105 |         }
106 |         return sd._glassfish3.booleanValue();
107 |     }
108 | 
109 |     public static boolean isJBoss() {
110 |         ServerDetector sd = _instance;
111 |         if (sd._jBoss == null)
112 |             sd._jBoss = _detect("/org/jboss/Main.class");
113 |         return sd._jBoss.booleanValue();
114 |     }
115 | 
116 |     public static boolean isJetty() {
117 |         ServerDetector sd = _instance;
118 |         if (sd._jetty == null)
119 |             sd._jetty = _detect("/org/mortbay/jetty/Server.class");
120 |         return sd._jetty.booleanValue();
121 |     }
122 | 
123 |     public static boolean isJOnAS() {
124 |         ServerDetector sd = _instance;
125 |         if (sd._jonas == null)
126 |             sd._jonas = _detect("/org/objectweb/jonas/server/Server.class");
127 |         return sd._jonas.booleanValue();
128 |     }
129 | 
130 |     public static boolean isOC4J() {
131 |         ServerDetector sd = _instance;
132 |         if (sd._oc4j == null)
133 |             sd._oc4j = _detect("oracle.oc4j.util.ClassUtils");
134 |         return sd._oc4j.booleanValue();
135 |     }
136 | 
137 |     public static boolean isResin() {
138 |         ServerDetector sd = _instance;
139 |         if (sd._resin == null)
140 |             sd._resin = _detect("/com/caucho/server/resin/Resin.class");
141 |         return sd._resin.booleanValue();
142 |     }
143 | 
144 |     public static boolean isSupportsComet() {
145 |         return false;
146 |     }
147 | 
148 |     public static boolean isTomcat() {
149 |         ServerDetector sd = _instance;
150 |         if (sd._tomcat == null)
151 |             sd._tomcat = _detect("/org/apache/catalina/startup/Bootstrap.class");
152 |         if (sd._tomcat == null)
153 |             sd._tomcat = _detect("/org/apache/catalina/startup/Embedded.class");
154 |         return sd._tomcat.booleanValue();
155 |     }
156 | 
157 |     public static boolean isWebLogic() {
158 |         ServerDetector sd = _instance;
159 |         if (sd._webLogic == null)
160 |             sd._webLogic = _detect("/weblogic/Server.class");
161 |         return sd._webLogic.booleanValue();
162 |     }
163 | 
164 |     public static boolean isWebSphere() {
165 |         ServerDetector sd = _instance;
166 |         if (sd._webSphere == null)
167 |             sd._webSphere = _detect("/com/ibm/websphere/product/VersionInfo.class");
168 |         return sd._webSphere.booleanValue();
169 |     }
170 | 
171 |     private static Boolean _detect(String className) {
172 |         try {
173 |             ClassLoader.getSystemClassLoader().loadClass(className);
174 |             return Boolean.TRUE;
175 |         } catch (ClassNotFoundException cnfe) {
176 |             ServerDetector sd = _instance;
177 |             Class<?> c = sd.getClass();
178 |             if (c.getResource(className) != null)
179 |                 return Boolean.TRUE;
180 |             return Boolean.FALSE;
181 |         }
182 |     }
183 | 
184 |     public static String getString(String value) {
185 |         return getString(value, "");
186 |     }
187 | 
188 |     public static String getString(String value, String defaultValue) {
189 |         return get(value, defaultValue);
190 |     }
191 | 
192 |     public static String get(String value, String defaultValue) {
193 |         if (value != null) {
194 |             value = value.trim();
195 |             value = replace(value, "\r\n", "\n");
196 |             return value;
197 |         }
198 |         return defaultValue;
199 |     }
200 | 
201 |     public static String replace(String s, String oldSub, String newSub) {
202 |         if (s == null || oldSub == null || newSub == null)
203 |             return null;
204 |         int y = s.indexOf(oldSub);
205 |         if (y >= 0) {
206 |             StringBuilder sb = new StringBuilder(s.length() + 5 * newSub.length());
207 |             int length = oldSub.length();
208 |             int x = 0;
209 |             while (x <= y) {
210 |                 sb.append(s.substring(x, y));
211 |                 sb.append(newSub);
212 |                 x = y + length;
213 |                 y = s.indexOf(oldSub, x);
214 |             }
215 |             sb.append(s.substring(x));
216 |             return sb.toString();
217 |         }
218 |         return s;
219 |     }
220 | 
221 |     private static ServerDetector _instance = new ServerDetector();
222 | 
223 |     private String _serverId;
224 | 
225 |     private Boolean _geronimo;
226 | 
227 |     private Boolean _glassfish;
228 | 
229 |     private Boolean _glassfish2;
230 | 
231 |     private Boolean _glassfish3;
232 | 
233 |     private Boolean _jBoss;
234 | 
235 |     private Boolean _jetty;
236 | 
237 |     private Boolean _jonas;
238 | 
239 |     private Boolean _oc4j;
240 | 
241 |     private Boolean _resin;
242 | 
243 |     private Boolean _tomcat;
244 | 
245 |     private Boolean _webLogic;
246 | 
247 |     private Boolean _webSphere;
248 | }
249 | 


--------------------------------------------------------------------------------