first commit.

threedr3am · threedr3am · commit 97980595142c · 2020-07-17T16:29:15.000+08:00
diff --git a/.DS_Store b/.DS_Store
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.idea
+target
diff --git a/README.md b/README.md
@@ -0,0 +1,24 @@
+## LOG-AGENT
+
+利用agent hock指定的class，在jar运行周期内，用于跟踪被执行的方法，辅助做一些事情，比如挖洞啊
+
+这样子，就不用干看代码的啦，说不定一运行就能找到漏洞的啦，想想3分钟一个CVE就激动啦
+
+### 编译jar
+```
+mvn clean compile assembly:single
+```
+
+### 运行
+```
+java -javaagent:/Users/threedr3am/log-agent.jar="^org\.aaa\.bbb$" -jar bug-test-env-1-1.0-SNAPSHOT.jar
+```
+1. /Users/threedr3am/log-agent.jar: 编译出来的agent jar
+2. "^org\.aaa\.bbb$": 双引号内为需要hock的class name匹配正则
+3. bug-test-env-1-1.0-SNAPSHOT.jar: 运行的jar
+
+### 辅助挖洞比较实用的正则
+```
+(org\.aaa\.bbb)|(java\.io\.ObjectInputStream)|(sun\.rmi\.registry)|(com\.sun\.jndi)|(javax\.naming\.InitialContext)|(org\.hibernate\.validator\.internal\.engine\.constraintvalidation\.ConstraintValidatorContextImpl)|(org\.springframework\.expression)|(javax\.el)|(org\.springframework\.jdbc\.core\.StatementCallback)|(javax\.xml\.parsers\.DocumentBuilder)|(org\.jdom\.input\.SAXBuilder)|(javax\.xml\.parsers\.SAXParser)|(org\.dom4j\.io\.SAXReader)|(javax\.xml\.transform\.sax\.SAXTransformerFactory)|(javax\.xml\.validation\.SchemaFactory)|(javax\.xml\.transform\.Transformer)|(javax\.xml\.bind\.Unmarshaller)|(javax\.xml\.validation\.Validator)|(org\.xml\.sax\.XMLReader)|(java\.lang\.Runtime)|(java\.lang\.ProcessBuilder)|(java\.beans\.XMLDecoder)|(org\.yaml\.snakeyaml\.Yaml)|(java\.net\.URL)|(com\.fasterxml\.jackson\.databind\.ObjectMapper)|(com\.alibaba\.fastjson\.JSON)
+```
+- org\.aaa\.bbb: 改成当前运行jar能匹配上所有class的包名（因为这样能知道当前服务的执行栈信息，更好的定位漏洞）
diff --git a/log-agent.iml b/log-agent.iml
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4" />
diff --git a/pom.xml b/pom.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>me.threedr3am.log.agent</groupId>
+  <artifactId>log-agent</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.javassist</groupId>
+      <artifactId>javassist</artifactId>
+      <version>3.27.0-GA</version>
+    </dependency>
+
+
+    <dependency>
+      <groupId>org.projectlombok</groupId>
+      <artifactId>lombok</artifactId>
+      <version>1.18.2</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-assembly-plugin</artifactId>
+        <configuration>
+          <archive>
+            <manifest>
+              <mainClass>me.threedr3am.log.agent.Agent</mainClass>
+            </manifest>
+            <manifestFile>src/main/resources/META-INF/MANIFEST.MF</manifestFile>
+          </archive>
+          <descriptorRefs>
+            <descriptorRef>jar-with-dependencies</descriptorRef>
+          </descriptorRefs>
+          <attach>false</attach>
+        </configuration>
+        <executions>
+          <execution>
+            <id>make-assembly</id>
+            <phase>package</phase>
+            <goals>
+              <goal>single</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <configuration>
+          <source>8</source>
+          <target>8</target>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+</project>
diff --git a/src/main/java/me/threedr3am/log/agent/Agent.java b/src/main/java/me/threedr3am/log/agent/Agent.java
@@ -0,0 +1,50 @@
+package me.threedr3am.log.agent;
+
+import java.lang.instrument.Instrumentation;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.HashSet;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
+/**
+ * @author threedr3am
+ */
+public class Agent {
+
+    public static void premain(String agentArg, Instrumentation inst) {
+        init(agentArg, inst);
+    }
+
+    public static void agentmain(String agentArg, Instrumentation inst) {
+        init(agentArg, inst);
+    }
+
+    public static synchronized void init(String action, Instrumentation inst) {
+        System.out.println("[LOG-AGENT] running ...");
+        System.out.println("[LOG-AGENT] init ...");
+        System.out.println("[LOG-AGENT] agentArg: " + action);
+        try {
+            JarFileHelper.addJarToBootstrap(inst);
+            CatClassFileTransformer catClassFileTransformer = new CatClassFileTransformer();
+            if (action != null && !action.isEmpty()) {
+                catClassFileTransformer.setPkgPattern(action);
+            }
+            inst.addTransformer(catClassFileTransformer, true);
+            Class[] classes = inst.getAllLoadedClasses();
+            List<Class> classList =  Arrays.asList(classes).stream()
+                .filter(c -> catClassFileTransformer.getPattern().matcher(c.getName()).find() && inst.isModifiableClass(c))
+                .collect(Collectors.toList());
+            classList.forEach(aClass -> System.out.println("[LOG-AGENT] retransformClasses ------------> " + aClass.getName()));
+            classes = classList.toArray(new Class[0]);
+            if (classes.length > 0) {
+                inst.retransformClasses(classes);
+            }
+        } catch (Throwable e) {
+            System.err.println("[LOG-AGENT] Failed to initialize, will continue without security protection.");
+            e.printStackTrace();
+        }
+    }
+}
diff --git a/src/main/java/me/threedr3am/log/agent/CatClassFileTransformer.java b/src/main/java/me/threedr3am/log/agent/CatClassFileTransformer.java
@@ -0,0 +1,101 @@
+package me.threedr3am.log.agent;
+
+import java.io.ByteArrayInputStream;
+import java.lang.instrument.ClassFileTransformer;
+import java.lang.instrument.IllegalClassFormatException;
+import java.security.ProtectionDomain;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.regex.Pattern;
+import javassist.ClassClassPath;
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtMethod;
+import javassist.LoaderClassPath;
+import javassist.Modifier;
+
+/**
+ * @author threedr3am
+ */
+public class CatClassFileTransformer implements ClassFileTransformer {
+
+    private String pkgPattern = ".";
+    private Pattern pattern;
+
+    public String getPkgPattern() {
+        return pkgPattern;
+    }
+
+    public void setPkgPattern(String pkgPattern) {
+        this.pkgPattern = pkgPattern;
+    }
+
+    public Pattern getPattern() {
+        return pattern;
+    }
+
+    public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer) throws IllegalClassFormatException {
+        if (pattern == null)
+            pattern = Pattern.compile(pkgPattern);
+        className = className.replace("/",".");
+        if (pattern.matcher(className).find()) {
+            System.out.println("[LOG-AGENT] --------- modify class: " + className);
+            CtClass ctClass = null;
+            try {
+                ClassPool classPool = ClassPool.getDefault();
+                addLoader(classPool, loader);
+                ctClass = classPool.makeClass(new ByteArrayInputStream(classfileBuffer));
+                Set<String> cache = new HashSet();
+                CtMethod[] ctMethods = ctClass.getMethods();
+                if (ctMethods != null) {
+                    inject(ctMethods, cache);
+                }
+                ctMethods = ctClass.getDeclaredMethods();
+                if (ctMethods != null) {
+                    inject(ctMethods, cache);
+                }
+                return ctClass.toBytecode();
+            } catch (Throwable e) {
+                e.printStackTrace();
+            } finally {
+                if (ctClass != null) {
+                    ctClass.detach();
+                }
+            }
+            System.out.println("[LOG-AGENT] --------- modify class end.");
+        }
+        return classfileBuffer;
+    }
+
+    private void inject(CtMethod[] ctMethods, Set<String> cache) {
+        for (int i = 0; i < ctMethods.length; i++) {
+            CtMethod ctMethod = ctMethods[i];
+            if (ctMethod.isEmpty() || Modifier.isNative(ctMethod.getModifiers()))
+                continue;
+            String methodName = ctMethod.getLongName();
+            if (cache.contains(methodName))
+                continue;
+            try {
+                System.out.println("[LOG-AGENT]           method: " + methodName + " " + cache.size());
+                StringBuilder stringBuilder = new StringBuilder()
+                    .append("{")
+                    .append(String.format("   if (me.threedr3am.log.agent.CatContext.check(\"%s\"))", methodName))
+                    .append(String.format("         System.out.println(\"%s %s\");", "[LOG-AGENT] ", methodName))
+                    .append("}");
+                ctMethod.insertBefore(stringBuilder.toString());
+                cache.add(methodName);
+            } catch (Throwable e) {
+                System.err.println(String.format("[LOG-AGENT] inject code into method:%s fail!", methodName));
+                e.printStackTrace();
+            }
+        }
+    }
+
+    private void addLoader(ClassPool classPool, ClassLoader loader) {
+        classPool.appendSystemPath();
+        classPool.appendClassPath(new ClassClassPath(CatClassFileTransformer.class));
+        if (loader != null) {
+            classPool.appendClassPath(new LoaderClassPath(loader));
+        }
+    }
+}
diff --git a/src/main/java/me/threedr3am/log/agent/CatContext.java b/src/main/java/me/threedr3am/log/agent/CatContext.java
@@ -0,0 +1,23 @@
+package me.threedr3am.log.agent;
+
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @author threedr3am
+ */
+public class CatContext {
+
+    private static ThreadLocal<Set<String>> cache = new ThreadLocal();
+
+    public static boolean check(String method) {
+        if (cache.get() == null) {
+            cache.set(new HashSet());
+            System.out.println("[LOG-AGENT] call begin +++++++++++++++++++++++++++++++++++++++++++++++++ ");
+        }
+        if (cache.get().contains(method))
+            return false;
+        cache.get().add(method);
+        return true;
+    }
+}
diff --git a/src/main/java/me/threedr3am/log/agent/JarFileHelper.java b/src/main/java/me/threedr3am/log/agent/JarFileHelper.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2017-2019 Baidu Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package me.threedr3am.log.agent;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.lang.instrument.Instrumentation;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.util.jar.JarFile;
+import lombok.extern.slf4j.Slf4j;
+
+public class JarFileHelper {
+
+    /**
+     * 添加jar文件到jdk的跟路径下，优先加载
+     *
+     * @param inst {@link Instrumentation}
+     */
+    public static void addJarToBootstrap(Instrumentation inst) throws IOException {
+        String localJarPath = getLocalJarPath();
+        inst.appendToBootstrapClassLoaderSearch(new JarFile(localJarPath));
+    }
+
+    /**
+     * 获取当前所在jar包的路径
+     *
+     * @return jar包路径
+     */
+    public static String getLocalJarPath() throws UnsupportedEncodingException {
+        URL localUrl = Agent.class.getProtectionDomain().getCodeSource().getLocation();
+        String path = null;
+        try {
+            path = URLDecoder.decode(localUrl.getFile().replace("+", "%2B"), "UTF-8");
+        } catch (UnsupportedEncodingException e) {
+            System.out.println("[OpenRASP] Failed to get jarFile path.");
+            throw e;
+        }
+        return path;
+    }
+
+    /**
+     * 获取当前jar包所在的文件夹路径
+     *
+     * @return jar包所在文件夹路径
+     */
+    public static String getLocalJarParentPath() throws UnsupportedEncodingException {
+        String jarPath = getLocalJarPath();
+        return jarPath.substring(0, jarPath.lastIndexOf("/"));
+    }
+
+}
diff --git a/src/main/resources/META-INF/MANIFEST.MF b/src/main/resources/META-INF/MANIFEST.MF
@@ -0,0 +1,7 @@
+Manifest-Version: 1.0
+Agent-Class: me.threedr3am.log.agent.Agent
+Can-Redefine-Classes: true
+Can-Retransform-Classes: true
+Premain-Class: me.threedr3am.log.agent.Agent
+Main-Class: me.threedr3am.log.agent.Agent
+

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+<?xml version="1.0" encoding="UTF-8"?>`
	`2`	`+<module type="JAVA_MODULE" version="4" />`