From 7c798eff3a976d211e7e422f8a496749a3ed963d Mon Sep 17 00:00:00 2001 From: cc11001100 Date: 2023年9月13日 14:36:45 +0800 Subject: [PATCH] =?UTF-8?q?=E9=A3=9F=E7=94=A8=E5=AE=8C=E6=AF=95=EF=BC=8C?= =?UTF-8?q?=E7=88=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 15 ++++++- .../java/me/threedr3am/log/agent/Agent.java | 12 +++--- .../log/agent/CatClassFileTransformer.java | 39 ++++++++++++------- .../me/threedr3am/log/agent/CatContext.java | 10 +++-- .../threedr3am/log/agent/JarFileHelper.java | 8 +++- 5 files changed, 55 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index bfaca46..3b2dfb8 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,12 @@ ## LOG-AGENT -利用agent hock指定的class,在jar运行周期内,用于跟踪被执行的方法,辅助做一些事情,比如挖洞啊 +fork自三梦大佬的仓库,如其名,主要是用于观察是否有关注的方法被调用,感觉更像是用来观测sink点是否被调用?应该是自动化挖掘漏洞偏半自动的一种思路探索吧.... + +其原理就是通过Java Agent + javassist把关注的一些sink类或者sink包中的所有的方法都给加一个调用的日志打印,然后通过各种输入来观测是否触发了sink方法,比静态挖掘要准确一些,但是感觉还不如直接上iast... + +--- + +利用agent hook指定的class,在jar运行周期内,用于跟踪被执行的方法,辅助做一些事情,比如挖洞啊 这样子,就不用干看代码的啦,说不定一运行就能找到漏洞的啦,想想3分钟一个CVE就激动啦 
@@ -21,4 +27,9 @@ java -javaagent:/Users/threedr3am/log-agent.jar="^org\.aaa\.bbb$" -jar bug-test- ``` (org\.aaa\.bbb)|(java\.io\.ObjectInputStream)|(sun\.rmi\.registry)|(com\.sun\.jndi)|(javax\.naming\.InitialContext)|(org\.hibernate\.validator\.internal\.engine\.constraintvalidation\.ConstraintValidatorContextImpl)|(org\.springframework\.expression)|(javax\.el)|(org\.springframework\.jdbc\.core\.StatementCallback)|(javax\.xml\.parsers\.DocumentBuilder)|(org\.jdom\.input\.SAXBuilder)|(javax\.xml\.parsers\.SAXParser)|(org\.dom4j\.io\.SAXReader)|(javax\.xml\.transform\.sax\.SAXTransformerFactory)|(javax\.xml\.validation\.SchemaFactory)|(javax\.xml\.transform\.Transformer)|(javax\.xml\.bind\.Unmarshaller)|(javax\.xml\.validation\.Validator)|(org\.xml\.sax\.XMLReader)|(java\.lang\.Runtime)|(java\.lang\.ProcessBuilder)|(java\.beans\.XMLDecoder)|(org\.yaml\.snakeyaml\.Yaml)|(java\.net\.URL)|(com\.fasterxml\.jackson\.databind\.ObjectMapper)|(com\.alibaba\.fastjson\.JSON) ``` -- org\.aaa\.bbb: 改成当前运行jar能匹配上所有class的包名(因为这样能知道当前服务的执行栈信息,更好的定位漏洞) \ No newline at end of file +- org\.aaa\.bbb: 改成当前运行jar能匹配上所有class的包名(因为这样能知道当前服务的执行栈信息,更好的定位漏洞) + + + + + diff --git a/src/main/java/me/threedr3am/log/agent/Agent.java b/src/main/java/me/threedr3am/log/agent/Agent.java index 7d32a99..6596598 100644 --- a/src/main/java/me/threedr3am/log/agent/Agent.java +++ b/src/main/java/me/threedr3am/log/agent/Agent.java @@ -2,14 +2,12 @@ import java.lang.instrument.Instrumentation; import java.util.Arrays; -import java.util.Base64; -import java.util.HashSet; import java.util.List; -import java.util.regex.Matcher; -import java.util.regex.Pattern; import java.util.stream.Collectors; /** + * 程序的入口类 + * * @author threedr3am */ public class Agent { 
@@ -34,9 +32,9 @@ public static synchronized void init(String action, Instrumentation inst) {
 }
 inst.addTransformer(catClassFileTransformer, true);
 Class[] classes = inst.getAllLoadedClasses();
- List classList = Arrays.asList(classes).stream()
- .filter(c -> catClassFileTransformer.getPattern().matcher(c.getName()).find() && inst.isModifiableClass(c))
- .collect(Collectors.toList());
+ List classList = Arrays.stream(classes)
+ .filter(c -> catClassFileTransformer.getPattern().matcher(c.getName()).find() && inst.isModifiableClass(c))
+ .collect(Collectors.toList());
 classList.forEach(aClass -> System.out.println("[LOG-AGENT] retransformClasses ------------> " + aClass.getName()));
 classes = classList.toArray(new Class[0]);
 if (classes.length> 0) {
diff --git a/src/main/java/me/threedr3am/log/agent/CatClassFileTransformer.java b/src/main/java/me/threedr3am/log/agent/CatClassFileTransformer.java
index 6623d8f..fbb6186 100644
--- a/src/main/java/me/threedr3am/log/agent/CatClassFileTransformer.java
+++ b/src/main/java/me/threedr3am/log/agent/CatClassFileTransformer.java
@@ -1,5 +1,7 @@
 package me.threedr3am.log.agent;
 
+import javassist.*;
+
 import java.io.ByteArrayInputStream;
 import java.lang.instrument.ClassFileTransformer;
 import java.lang.instrument.IllegalClassFormatException;
@@ -7,12 +9,6 @@
 import java.util.HashSet;
 import java.util.Set;
 import java.util.regex.Pattern;
-import javassist.ClassClassPath;
-import javassist.ClassPool;
-import javassist.CtClass;
-import javassist.CtMethod;
-import javassist.LoaderClassPath;
-import javassist.Modifier;
 
 /**
 * @author threedr3am
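Review bot: The filter lambda calls `catClassFileTransformer.getPattern()` for every already-loaded class, and in CatClassFileTransformer the `pattern` field is only compiled lazily inside `transform` (`if (pattern == null) { pattern = Pattern.compile(pkgPattern); }`); if `getPattern()` merely returns the field (its body is outside this diff), the first `.matcher(...)` here dereferences null and `init` dies after the transformer has already been registered. Compiling the pattern once where `pkgPattern` is received (the constructor) removes that ordering dependency and also makes a malformed agent argument fail loudly at startup instead of inside a class-load callback. The enclosing `init` method starts and ends outside this hunk.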
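Review bot: The six explicit javassist imports are replaced by the wildcard `import javassist.*;`, which hides which javassist types this transformer depends on and can shadow same-named classes in `java.lang.reflect` (javassist has its own `Modifier`, used in `inject`). Keeping the explicit list, e.g. `import javassist.Modifier;` alongside `ClassPool`, `CtClass`, `CtMethod`, `ClassClassPath` and `LoaderClassPath`, is the usual convention and avoids that ambiguity.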
@@ -35,9 +31,10 @@ public Pattern getPattern() { } public byte[] transform(ClassLoader loader, String className, Class classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer) throws IllegalClassFormatException { - if (pattern == null) + if (pattern == null) { pattern = Pattern.compile(pkgPattern); - className = className.replace("/","."); + } + className = className.replace("/", "."); if (pattern.matcher(className).find()) { System.out.println("[LOG-AGENT] --------- modify class: " + className); CtClass ctClass = null; 
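Review bot: `className.replace("/", ".")` has no null guard, and `ClassFileTransformer.transform` can pass a null `className` for some dynamically defined classes; because the JVM discards exceptions thrown by a transformer, the resulting NullPointerException would silently leave that class uninstrumented with no log line. Adding `if (className == null) { return classfileBuffer; }` before the replace keeps the behaviour explicit. The same silent-failure mode applies to the lazy `Pattern.compile(pkgPattern)` inside `transform`: a bad regex in the agent argument would throw on every class load and the agent would appear to do nothing, so compiling once in the constructor is safer. The rest of `transform` continues outside this hunk.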
@@ -67,25 +64,37 @@ public byte[] transform(ClassLoader loader, String className, Class classBein
 return classfileBuffer;
 }
 
+ /**
+ * 为方法注入Hook
+ *
+ * @param ctMethods
+ * @param cache
+ */
 private void inject(CtMethod[] ctMethods, Set cache) {
 for (int i = 0; i < ctMethods.length; i++) {
 CtMethod ctMethod = ctMethods[i];
- if (ctMethod.isEmpty() || Modifier.isNative(ctMethod.getModifiers()))
+
+ if (ctMethod.isEmpty() || Modifier.isNative(ctMethod.getModifiers())) {
 continue;
+ }
+
 String methodName = ctMethod.getLongName();
- if (cache.contains(methodName))
+ if (cache.contains(methodName)) {
 continue;
+ }
+
+ // 在每个方法的方法体头部都加上调用自己的检查调用的代码,那么这个检查又检查了什么呢?
 try {
 System.out.println("[LOG-AGENT] method: " + methodName + " " + cache.size());
 StringBuilder stringBuilder = new StringBuilder()
- .append("{")
- .append(String.format(" if (me.threedr3am.log.agent.CatContext.check(\"%s\"))", methodName))
- .append(String.format(" System.out.println(\"%s %s\");", "[LOG-AGENT] ", methodName))
- .append("}");
+ .append("{")
+ .append(String.format(" if (me.threedr3am.log.agent.CatContext.check(\"%s\"))", methodName))
+ .append(String.format(" System.out.println(\"%s %s\");", "[LOG-AGENT] ", methodName))
+ .append("}");
 ctMethod.insertBefore(stringBuilder.toString());
 cache.add(methodName);
 } catch (Throwable e) {
- System.err.println(String.format("[LOG-AGENT] inject code into method:%s fail!", methodName));
+ System.err.printf("[LOG-AGENT] inject code into method:%s fail!%n", methodName);
 e.printStackTrace();
 }
 }
diff --git a/src/main/java/me/threedr3am/log/agent/CatContext.java b/src/main/java/me/threedr3am/log/agent/CatContext.java
index 9b94c08..4658ac4 100644
--- a/src/main/java/me/threedr3am/log/agent/CatContext.java
+++ b/src/main/java/me/threedr3am/log/agent/CatContext.java
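Review bot: The new Javadoc on `inject` leaves both `@param` tags empty, so it documents nothing the signature does not already say; the code supports `@param ctMethods methods of the class being transformed; empty and native methods are skipped` and `@param cache long names already instrumented; a name is skipped if present and added after a successful insertBefore`. The added line comment ends with an open question about what the injected `CatContext.check` call checks, and the CatContext hunk in this same patch answers it: `check` records the method name in a per-thread set and returns true only the first time that thread sees it, so the comment could state that instead of asking. The loop would also read better as `for (CtMethod ctMethod : ctMethods)` since the index is never used otherwise.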
@@ -8,15 +8,19 @@ */ public class CatContext { - private static ThreadLocal> cache = new ThreadLocal(); + private static ThreadLocal> cache = new ThreadLocal(); public static boolean check(String method) { + if (cache.get() == null) { - cache.set(new HashSet()); + cache.set(new HashSet()); System.out.println("[LOG-AGENT] call begin +++++++++++++++++++++++++++++++++++++++++++++++++ "); } - if (cache.get().contains(method)) + + if (cache.get().contains(method)) { return false; + } + cache.get().add(method); return true; } diff --git a/src/main/java/me/threedr3am/log/agent/JarFileHelper.java b/src/main/java/me/threedr3am/log/agent/JarFileHelper.java index bc2ea02..5318b24 100755 --- a/src/main/java/me/threedr3am/log/agent/JarFileHelper.java +++ b/src/main/java/me/threedr3am/log/agent/JarFileHelper.java @@ -22,12 +22,16 @@ import java.net.URL; import java.net.URLDecoder; import java.util.jar.JarFile; -import lombok.extern.slf4j.Slf4j; +/** + * 从openrasp借鉴的工具类,文件头保留版权了,好评 + *
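Review bot: The per-thread set created on first use is never cleared, so the "call begin" banner prints once per thread for the life of the process and every instrumented method is reported at most once per thread; on a pooled server thread that means a sink reached by a later input produces no output at all once the same thread has seen it before, which is the false-negative case this tool exists to catch. If the intent is per-call tracing, the traced entry point needs a matching `cache.remove()` (for example in a finally block) once the call completes; if once-per-thread is intentional, a comment on the field should say so. Minor style: `cache.get()` is evaluated four times where a local `Set seen = cache.get();` would do.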

+ * ... + */ public class JarFileHelper { /** - * 添加jar文件到jdk的跟路径下,优先加载 + * 添加jar文件到jdk的根路径下,优先加载 * * @param inst {@link Instrumentation} */
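Review bot: The new class-level Javadoc on JarFileHelper ends in a placeholder line `* ...` that says nothing; a reader only learns from the method comment below that the class puts a jar on the JDK's root search path so it is loaded first. Replacing the placeholder with one grounded sentence, e.g. `* Utility borrowed from openrasp; adds the agent jar to the JDK's root path so its classes are loaded ahead of the application's`, would make the header useful (the exact loader involved is not visible here and should be confirmed against the method body).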
