Simple Java Rasp
基于 Java Instrumentation + Javaassist
@RaspHandler 标记一个用于处理的 Handler 类, 参数用于定位被 Hook 的方法或构造函数
- className: 类名
- methodName: 方法名 (可选)
- isConstructor: 是否为构造函数 (默认为 false)
- parameterTypes: 方法/构造函数的参数类型
@RaspBefore 标记一个在目标方法刚开始调用时进行处理的方法, 对应 Javaassist 中的 insertBefore
方法签名: public static Object[] handleBefore(Object obj, Object[] params)
- obj: 当目标方法为非静态方法时, 该值为目标对象本身 (this), 为静态方法时该值为 null
- params: 目标方法的参数列表
- 返回值: 默认为 params, 用于替代目标方法原来的参数
@RaspAfter 标记一个在目标方法 return 之前进行处理的方法, 对应 Javaassist 中的 insertAfter
方法签名: public static Object handleAfter(Object obj, Object result)
- obj: 同上
- result: 目标方法 return 的值, 如果方法返回类型为 void, 则该值为 null
- 返回值: 默认为 result, 用于替代目标方法原来的返回值
拦截 Runtime.exec 方法
package com.simplerasp.handlers;
import com.simplerasp.annotations.RaspAfter;
import com.simplerasp.annotations.RaspBefore;
import com.simplerasp.annotations.RaspHandler;
import com.simplerasp.exceptions.RaspException;
import sun.misc.IOUtils;
@RaspHandler(className = "java.lang.Runtime", methodName = "exec", parameterTypes = {String.class})
public class RuntimeExecHandler {
@RaspBefore
public static Object[] handleBefore(Object obj, Object[] params) {
System.out.println("before");
String cmd = (String) params[0];
System.out.println("try to exec: " + cmd);
if (cmd.contains("Calculator")) {
throw new RaspException("Reject malicious command execution attempts");
}
return params;
}
@RaspAfter
public static Object handleAfter(Object obj, Object result) throws Exception{
System.out.println("after");
Process p = (Process) result;
String output = new String(IOUtils.readAllBytes(p.getInputStream()));
if (output.contains("uid=")) {
throw new RaspException("Reject malicious command execution output");
}
return result;
}
}拦截 ProcessBuilder 构造函数
package com.simplerasp.handlers;
import com.simplerasp.annotations.RaspBefore;
import com.simplerasp.annotations.RaspHandler;
import com.simplerasp.exceptions.RaspException;
@RaspHandler(className = "java.lang.ProcessBuilder", isConstructor = true, parameterTypes = {String[].class})
public class ProcessBuilderHandler {
@RaspBefore
public static Object[] handleBefore(Object obj, Object[] params) {
System.out.println("before");
String cmd = String.join(" ", (String[])params[0]);
System.out.println("try to exec: " + cmd);
if (cmd.contains("Calculator")) {
throw new RaspException("Reject malicious command execution attempts");
}
return params;
}
}拦截 Log4j2 JNDI 注入
package com.simplerasp.handlers;
import com.simplerasp.annotations.RaspBefore;
import com.simplerasp.annotations.RaspHandler;
import com.simplerasp.exceptions.RaspException;
@RaspHandler(className = "org.apache.logging.log4j.core.net.JndiManager", methodName = "lookup", parameterTypes = {String.class})
public class JndiManagerLookupHandler {
@RaspBefore
public static Object[] handleBefore(Object obj, Object[] params) {
System.out.println("before");
String name = (String) params[0];
String[] blacklist = new String[]{"ldap", "jndi"};
for (String s : blacklist) {
if (name.toLowerCase().contains(s)) {
throw new RaspException("Reject malicious jndi lookup attempt");
}
}
return params;
}
}Modified some code from the following repos