Add controller check algorithm

Author: sf197

IDEA.md

@@ -0,0 +1,6 @@
+还可发展的方向（欢迎提交Pr）：
+
+- 目前暂未支持Interceptor、Filter、Servlet等内存马检测算法。
+- 目前可以支持Attach Agent，但是还未实现Self Attach JVM的方式运行。
+- 目前Sink函数只有Runtime.exec，还可以添加其他恶意函数进行检测。
+- 添加Agent启动参数，用于控制是否自动删除内存马/是否开启DumpClass功能

README.md

@@ -2,24 +2,52 @@
 Java Agent memory horse scanner combined with Call Graph modus
 
 
+![Platforms](https://img.shields.io/badge/Platforms-JavaAgent-brightgreen.svg)
+![Java version](https://img.shields.io/badge/Java-8-green.svg)
+![License](https://img.shields.io/badge/License-Mozilla-green.svg)
+
+
+### About
+
+MemoryShellHunter是一款结合动态Building Call Graph的内存马Scanner/Killer工具。支持Agent和Attach方式启动检测，弥补常规内存马检测工具需要人工验证WebSocket内存马的问题。
+
+MemoryShellHunter项目使用了逆拓扑算法精确捕获恶意方法的调用行为，可弥补SpringBoot内存马查杀的难点和WebSocket新型内存马无法从Class文件是否落地上进行判断。有着性能影响低于一般的RASP检测、属于轻量级Agent、对业务代码侵入性小等特点。
+
+
+
 
 ### How to used
 
 ```bash
 java -javaagent:./MemoryShellHunter.jar -jar SpringBootRunner.jar
 ```
 
+```java
+VirtualMachine vmObj = VirtualMachine.attach(targetJvmPid);//targetJvmPid为目标JVM的进程ID  
+vmObj.loadAgent(agentJarPath, cfg);  // agentJarPath为MemoryShellHunter jar包的路径，cfg为传递给agent的参数  
+```
+
 
 
 ### Supported middleware
 
+1.1 Version:
+
+- Add Controller memory shell check algorithm
+
 1.0 Version:
 
-- WebSocket Memory Shell
+- Add WebSocket memory shell check/delete algorithm
 
 
 
 ### Show results
 
+##### WebSocket Memory Shell Test Report
+
 ![1666788512005](./images/renderings.png)
 
+
+
+##### Controller Memory Shell Test Report
+![controller](./images/controller.png)

images/controller.png

@@ -1,10 +1,14 @@
 package com.websocket.findMemShell;
 
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.Stack;
 
+import com.websocket.findMemShell.checkAndDel.getControllerResult;
+import com.websocket.findMemShell.checkAndDel.getWsConfigResult;
+
 public class SearchCallsThread extends Thread{
 	Map<String,List<String>> discoveredCalls;
 	String sinkMethod = "java/lang/Runtime#exec";
@@ -16,34 +20,75 @@ public SearchCallsThread(Map<String,List<String>> discoveredCalls) {
 		this.discoveredCalls = discoveredCalls;
 	}
 
+	public void checkWsConfig(ConfigPath cp) {
+		//System.out.println("WsConfig Class: \n"+cp.getClassName().replaceAll("\\.", "/")+"#onMessage"+"\n");
+		
+		if(discoveredCalls.containsKey(cp.getClassName().replaceAll("\\.", "/")+"#onMessage")) {
+			List<String> list = discoveredCalls.get(cp.getClassName().replaceAll("\\.", "/")+"#onMessage");
+	        for(String str : list) {
+	        	if(dfsSearchSink(str)) {
+	        		stack.push(str);
+	        		stack.push(cp.getClassName().replaceAll("\\.", "/")+"#onMessage");
+	        		StringBuilder sb = new StringBuilder();
+	        		while(!stack.empty()) {
+	        			sb.append("->");
+	        			sb.append(stack.pop());
+	        		}
+	        		System.out.println("CallEdge: "+sb.toString());
+	        		if(getWsConfigResult.deleteConfig(cp.getPath())) {
+	        			System.out.println("Delete Class "+cp.getPath()+" Succeed");
+	        		}else {
+	        			System.out.println("Delete Class "+cp.getPath()+" Failed");
+	        		}
+	        		break;
+	        	}
+	        }
+		}
+	}
+	
+	public void checkControllerPath(ConfigPath cp) {
+//		//内存马常规检测方式
+//		String className = cp.getClassName().split("#")[0];
+//		String classNamePath = className.replace(".", "/") + ".class";
+//        URL is = App.servletContext.getClass().getClassLoader().getResource(classNamePath);
+//        if (is == null) {
+//            return "在磁盘上没有对应class文件，可能是内存马";
+//        } else {
+//            return is.getPath();
+//        }
+		
+		//System.out.println("Controller Class: \n"+cp.getClassName().replaceAll("\\.", "/"));
+		
+		if(discoveredCalls.containsKey(cp.getClassName().replaceAll("\\.", "/"))) {
+			List<String> list = discoveredCalls.get(cp.getClassName().replaceAll("\\.", "/"));
+	        for(String str : list) {
+	        	if(dfsSearchSink(str)) {
+	        		stack.push(str);
+	        		stack.push(cp.getClassName().replaceAll("\\.", "/"));
+	        		StringBuilder sb = new StringBuilder();
+	        		while(!stack.empty()) {
+	        			sb.append("->");
+	        			sb.append(stack.pop());
+	        		}
+	        		System.out.println("Controller CallEdge: "+sb.toString());
+	        		break;
+	        	}
+	        }
+		}
+	}
+	
 	@Override
     public void run() {
 		while(true) {
 			List<ConfigPath> result = getWsConfigResult.getWsConfig();
+			getControllerResult.getControllerMemShell(result);
 			if(result != null && result.size() != 0) {
 				for(ConfigPath cp : result) {
-					System.out.println("WsConfig Class: \n"+cp.getClassName().replaceAll("\\.", "/")+"#onMessage"+"\n");
-					
-					if(discoveredCalls.containsKey(cp.getClassName().replaceAll("\\.", "/")+"#onMessage")) {
-						List<String> list = discoveredCalls.get(cp.getClassName().replaceAll("\\.", "/")+"#onMessage");
-				        for(String str : list) {
-				        	if(dfsSearchSink(str)) {
-				        		stack.push(str);
-				        		stack.push(cp.getClassName().replaceAll("\\.", "/")+"#onMessage");
-				        		StringBuilder sb = new StringBuilder();
-				        		while(!stack.empty()) {
-				        			sb.append("->");
-				        			sb.append(stack.pop());
-				        		}
-				        		System.out.println("CallEdge: "+sb.toString());
-				        		if(getWsConfigResult.deleteConfig(cp.getPath())) {
-				        			System.out.println("Delete Class "+cp.getPath()+" Succeed");
-				        		}else {
-				        			System.out.println("Delete Class "+cp.getPath()+" Failed");
-				        		}
-				        		break;
-				        	}
-				        }
+					if(!cp.getClassName().contains("#")) {
+						checkWsConfig(cp);		//Check WebSocket Memory Shell
+					}else {
+						//Normal Memory Shell Checked
+						checkControllerPath(cp);
 					}
 				}
 			}

src/main/java/com/websocket/findMemShell/SearchCallsThread.java

@@ -0,0 +1,57 @@
+package com.websocket.findMemShell.checkAndDel;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import com.websocket.findMemShell.App;
+import com.websocket.findMemShell.ConfigPath;
+
+public class getControllerResult {
+	public static void getControllerMemShell(List<ConfigPath> classList) {
+		try {
+			Object servletContext = App.servletContext;
+			if(servletContext == null) {
+				return;
+			}
+			Method getAttribute = servletContext.getClass().getClassLoader().loadClass("org.apache.catalina.core.ApplicationContextFacade").getDeclaredMethod("getAttribute", String.class);
+			Object context = getAttribute.invoke(servletContext, "org.springframework.web.context.WebApplicationContext.ROOT");
+			Method getBean = servletContext.getClass().getClassLoader().loadClass("org.springframework.beans.factory.BeanFactory").getDeclaredMethod("getBean", Class.class);
+			Class requestMappingHandlerMapping = servletContext.getClass().getClassLoader().loadClass("org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping");
+			Object mappingHandlerMapping = getBean.invoke(context, requestMappingHandlerMapping);
+			
+			Field mappingRegistryField = servletContext.getClass().getClassLoader().loadClass("org.springframework.web.servlet.handler.AbstractHandlerMethodMapping").getDeclaredField("mappingRegistry");
+			mappingRegistryField.setAccessible(true);
+			Object mappingRegistry = mappingRegistryField.get(mappingHandlerMapping);
+			Method getRegistrations = servletContext.getClass().getClassLoader().loadClass("org.springframework.web.servlet.handler.AbstractHandlerMethodMapping$MappingRegistry").getDeclaredMethod("getRegistrations");
+			getRegistrations.setAccessible(true);
+			Map<?, ?> registry = (Map<?, ?>) getRegistrations.invoke(mappingRegistry);
+			
+			Method getMapping = servletContext.getClass().getClassLoader().loadClass("org.springframework.web.servlet.handler.AbstractHandlerMethodMapping$MappingRegistration").getDeclaredMethod("getMapping");
+			getMapping.setAccessible(true);
+			Method getPatternsCondition = servletContext.getClass().getClassLoader().loadClass("org.springframework.web.servlet.mvc.method.RequestMappingInfo").getDeclaredMethod("getPatternsCondition");
+			getPatternsCondition.setAccessible(true);
+			Method getPatterns = servletContext.getClass().getClassLoader().loadClass("org.springframework.web.servlet.mvc.condition.PatternsRequestCondition").getDeclaredMethod("getPatterns");
+			getPatterns.setAccessible(true);
+			Method getHandlerMethod = servletContext.getClass().getClassLoader().loadClass("org.springframework.web.servlet.handler.AbstractHandlerMethodMapping$MappingRegistration").getDeclaredMethod("getHandlerMethod");
+			getHandlerMethod.setAccessible(true);
+			Collection<?> registryValues = registry.values();
+			for(Object value : registryValues) {
+				Object mapping = getMapping.invoke(value);
+				Object patternsCondition = getPatternsCondition.invoke(mapping);
+				Set<String> patterns = (Set<String>) getPatterns.invoke(patternsCondition);
+				String path = patterns.iterator().next();
+				String methodName = getHandlerMethod.invoke(value).toString().split("\\(")[0];
+				
+				ConfigPath cp = new ConfigPath(path,methodName);
+				classList.add(cp);
+			}
+		}catch(Exception e) {
+			e.printStackTrace();
+		}
+	}
+}

src/main/java/com/websocket/findMemShell/checkAndDel/getControllerResult.java

@@ -1,4 +1,4 @@
-package com.websocket.findMemShell;
+package com.websocket.findMemShell.checkAndDel;
 
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
@@ -8,6 +8,9 @@
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 
+import com.websocket.findMemShell.App;
+import com.websocket.findMemShell.ConfigPath;
+
 public class getWsConfigResult {
 
 	public static boolean deleteConfig(String className) {
@@ -53,7 +56,6 @@ public static List<ConfigPath> getWsConfig() {
 
 		    // 遍历configExactMatchMap, 打印所有注册的 websocket 服务
 		    Set<String> keyset = configExactMatchMap.keySet();
-		    StringBuilder sb = new StringBuilder();
 		    for (String key : keyset) {
 		    	System.out.println("configExactMatchMap key:" + key);
 		    	Object object = servletContext.getClass().getClassLoader().loadClass("org.apache.tomcat.websocket.server.WsServerContainer").getDeclaredMethod("findMapping", String.class).invoke(wsServerContainer, key);