{"id":1014,"date":"2024-10-06T07:12:40","date_gmt":"2024-10-06T07:12:40","guid":{"rendered":"http:\/\/www.nokws.top\/?p=1014"},"modified":"2024-10-27T08:20:06","modified_gmt":"2024-10-27T08:20:06","slug":"openraspyuanmafenxier","status":"publish","type":"post","link":"http:\/\/www.nokws.top\/index.php\/2024\/10\/06\/openraspyuanmafenxier\/","title":{"rendered":"OpenRasp\u6e90\u7801\u5206\u6790\uff08\u4e8c\uff09&#8211;OpenRaspHook"},"content":{"rendered":"\n<p>\u5728\u770b\u4e86\u90e8\u5206\u7684\u6d89\u53camongo\u7684\u4ee3\u7801\u540e\uff0c\u53d1\u73b0\u5f88\u591a\u662f\u7528\u4e8e\u9519\u8bef\u5904\u7406\u7684\uff0c\u90a3\u4e48\u80fd\u5426\u76f4\u63a5\u5220\u9664\u8fd9\u90e8\u5206\u5462\u3002\u3002<br>\uff08\u8fd9\u4e2a\u95ee\u9898\u4e4b\u540e\u518d\u770b\uff09<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">0x01 OpenRasp\u7684Hook<\/h2>\n\n\n\n<p>\u9996\u5148\u6709\u4e00\u4e2a<a href=\"https:\/\/github.com\/baidu\/openrasp\/blob\/master\/agent\/java\/engine\/src\/main\/java\/com\/baidu\/openrasp\/hook\/AbstractClassHook.java\">AbstractClassHook\u7c7b<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.nokws.top\/wp-content\/uploads\/2024\/10\/image.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1340\" height=\"583\" data-original=\"http:\/\/www.nokws.top\/wp-content\/uploads\/2024\/10\/image.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1015\"  sizes=\"auto, (max-width: 1340px) 100vw, 1340px\" 
\/><\/div><\/figure>\n\n\n\n<p>\u5339\u914d\u662f\u5426\u662f\u9700\u8981\u68c0\u6d4b\u7684\u7c7b\u3001\u68c0\u6d4b\u7684\u7c7b\u578b\u3001\u68c0\u6d4b\u7684\u51fd\u6570<\/p>\n\n\n\n<p>\u5229\u7528insertbefore\u63d2\u5165\u68c0\u6d4b\u7684\u4ee3\u7801<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">    \/**\n     * \u5728\u76ee\u6807\u7c7b\u7684\u76ee\u6807\u65b9\u6cd5\u7684\u5165\u53e3\u63d2\u5165\u76f8\u5e94\u7684\u6e90\u4ee3\u7801\n     *\n     * @param ctClass    \u76ee\u6807\u7c7b\n     * @param methodName \u76ee\u6807\u65b9\u6cd5\u540d\u79f0\n     * @param desc       \u76ee\u6807\u65b9\u6cd5\u7684\u63cf\u8ff0\u7b26\u53f7\n     * @param src        \u5f85\u63d2\u5165\u7684\u6e90\u4ee3\u7801\n     *\/\n    public void insertBefore(CtClass ctClass, String methodName, String desc, String src)\n            throws NotFoundException, CannotCompileException {\n\n        LinkedList&lt;CtBehavior> methods = getMethod(ctClass, methodName, desc, null);\n        if (methods != null &amp;&amp; methods.size() > 0) {\n            insertBefore(methods, src);\n        } else {\n            if (Config.getConfig().isDebugEnabled()) {\n                LOGGER.info(\"can not find method \" + methodName + \" \" + desc + \" in class \" + ctClass.getName());\n            }\n        }\n\n    }\n\n    \/**\n     * \u5728\u76ee\u6807\u7c7b\u7684\u76ee\u6807\u65b9\u6cd5\u7684\u5165\u53e3\u63d2\u5165\u76f8\u5e94\u7684\u6e90\u4ee3\u7801\n     * \u53ef\u6392\u9664\u4e00\u5b9a\u7684\u65b9\u6cd5\n     *\n     * @param ctClass     \u76ee\u6807\u7c7b\n     * @param methodName  \u76ee\u6807\u65b9\u6cd5\u540d\u79f0\n     * @param excludeDesc \u6392\u9664\u7684\u65b9\u6cd5\u63cf\u8ff0\u7b26\n     * @param src         \u5f85\u63d2\u5165\u7684\u6e90\u4ee3\u7801\n     *\/\n    public void 
insertBeforeWithExclude(CtClass ctClass, String methodName, String excludeDesc, String src)\n            throws NotFoundException, CannotCompileException {\n\n        LinkedList&lt;CtBehavior> methods = getMethod(ctClass, methodName, null, excludeDesc);\n        if (methods != null &amp;&amp; methods.size() > 0) {\n            insertBefore(methods, src);\n        } else {\n            if (Config.getConfig().isDebugEnabled()) {\n                LOGGER.info(\"can not find method \" + methodName +\n                        \" exclude desc:\" + excludeDesc + \" in class \" + ctClass.getName());\n            }\n        }\n\n    }\n\n    private void insertBefore(LinkedList&lt;CtBehavior> methods, String src)\n            throws CannotCompileException {\n        for (CtBehavior method : methods) {\n            if (method != null) {\n                insertBefore(method, src);\n            }\n        }\n    }\n\n    \/**\n     * \u5728\u76ee\u6807\u7c7b\u7684\u4e00\u7ec4\u91cd\u8f7d\u7684\u76ee\u6807\u65b9\u6cd5\u7684\u5165\u53e3\u63d2\u5165\u76f8\u5e94\u7684\u6e90\u4ee3\u7801\n     *\n     * @param ctClass    \u76ee\u6807\u7c7b\n     * @param methodName \u76ee\u6807\u65b9\u6cd5\u540d\u79f0\n     * @param allDesc    \u76ee\u6807\u65b9\u6cd5\u7684\u4e00\u7ec4\u63cf\u8ff0\u7b26\n     * @param src        \u5f85\u63d2\u5165\u7684\u6e90\u4ee3\u7801\n     *\/\n    public void insertBefore(CtClass ctClass, String methodName, String src, String[] allDesc)\n            throws NotFoundException, CannotCompileException {\n        for (String desc : allDesc) {\n            insertBefore(ctClass, methodName, desc, src);\n        }\n    
}<\/pre>\n\n\n\n<p>\u8fd9\u91cc\u56db\u4e2a\u7684\u533a\u522b\u662f1\u548c2\u6307\u5b9a\u65b9\u6cd5\u7684\u540d\u79f0\uff0c1\u662f\u786e\u5b9a\u65b9\u6cd5\u7684\u63cf\u8ff0\u7b26\uff0c2\u662f\u6392\u9664\u65b9\u6cd5\u7684\u63cf\u8ff0\u7b26\u53f7\uff1b3\u662f\u904d\u5386\u4e00\u7ec4\u65b9\u6cd5\uff1b4\u662f\u904d\u5386\u4e00\u4e2a\u65b9\u6cd5\u7684\u4e00\u7ec4\u63cf\u8ff0\u7b26\u3002<\/p>\n\n\n\n<p>insertafter\u505a\u68c0\u6d4b\u540e\u7684\u5904\u7406<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"> \/**\n     * \u5728\u76ee\u6807\u7c7b\u7684\u76ee\u6807\u65b9\u6cd5\u7684\u51fa\u53e3\u63d2\u5165\u76f8\u5e94\u7684\u6e90\u4ee3\u7801\n     *\n     * @param ctClass    \u76ee\u6807\u7c7b\n     * @param methodName \u76ee\u6807\u65b9\u6cd5\u540d\u79f0\n     * @param desc       \u76ee\u6807\u65b9\u6cd5\u7684\u63cf\u8ff0\u7b26\u53f7\n     * @param src        \u5f85\u63d2\u5165\u7684\u6e90\u4ee3\u7801\n     * @param asFinally  \u662f\u5426\u5728\u629b\u51fa\u5f02\u5e38\u7684\u65f6\u5019\u540c\u6837\u6267\u884c\u8be5\u6e90\u4ee3\u7801\n     *\/\n    public void insertAfter(CtClass ctClass, String methodName, String desc, String src, boolean asFinally)\n            throws NotFoundException, CannotCompileException {\n\n        LinkedList&lt;CtBehavior> methods = getMethod(ctClass, methodName, desc, null);\n        if (methods != null &amp;&amp; methods.size() > 0) {\n            for (CtBehavior method : methods) {\n                if (method != null) {\n                    insertAfter(method, src, asFinally);\n                }\n            }\n        } else {\n            if (Config.getConfig().isDebugEnabled()) {\n                LOGGER.info(\"can not find method \" + methodName + \" \" + desc + \" in class \" + ctClass.getName());\n            }\n        }\n\n    }\n\n    private 
LinkedList&lt;CtBehavior> getConstructor(CtClass ctClass, String desc) {\n        LinkedList&lt;CtBehavior> methods = new LinkedList&lt;CtBehavior>();\n        if (StringUtils.isEmpty(desc)) {\n            Collections.addAll(methods, ctClass.getDeclaredConstructors());\n        } else {\n            try {\n                methods.add(ctClass.getConstructor(desc));\n            } catch (NotFoundException e) {\n                \/\/ ignore\n            }\n        }\n        return methods;\n    }\n\n    \/**\n     * \u83b7\u53d6\u7279\u5b9a\u7c7b\u7684\u65b9\u6cd5\u5b9e\u4f8b\n     * \u5982\u679c\u63cf\u8ff0\u7b26\u4e3a\u7a7a\uff0c\u90a3\u4e48\u8fd4\u56de\u6240\u6709\u540c\u540d\u7684\u65b9\u6cd5\n     *\n     * @param ctClass    javassist \u7c7b\u5b9e\u4f8b\n     * @param methodName \u65b9\u6cd5\u540d\u79f0\n     * @param desc       \u65b9\u6cd5\u63cf\u8ff0\u7b26\n     * @return \u6240\u6709\u7b26\u5408\u8981\u6c42\u7684\u65b9\u6cd5\u5b9e\u4f8b\n     * @see javassist.bytecode.Descriptor\n     *\/\n    protected LinkedList&lt;CtBehavior> getMethod(CtClass ctClass, String methodName, String desc, String excludeDesc) {\n        if (\"&lt;init>\".equals(methodName)) {\n            return getConstructor(ctClass, desc);\n        }\n        LinkedList&lt;CtBehavior> methods = new LinkedList&lt;CtBehavior>();\n        if (StringUtils.isEmpty(desc)) {\n            CtMethod[] allMethods = ctClass.getDeclaredMethods();\n            if (allMethods != null) {\n                for (CtMethod method : allMethods) {\n                    if (method != null\n                            &amp;&amp; !method.isEmpty()\n                            &amp;&amp; method.getName().equals(methodName)\n                            &amp;&amp; !method.getSignature().equals(excludeDesc))\n                        methods.add(method);\n                }\n            }\n        } else {\n            try {\n                CtMethod ctMethod = ctClass.getMethod(methodName, desc);\n                if 
(ctMethod != null &amp;&amp; !ctMethod.isEmpty()) {\n                    methods.add(ctMethod);\n                }\n            } catch (NotFoundException e) {\n                \/\/ ignore\n            }\n        }\n        return methods;\n    }\n\n    \/**\n     * \u5728\u76ee\u6807\u7c7b\u7684\u76ee\u6807\u65b9\u6cd5\u7684\u5165\u53e3\u63d2\u5165\u76f8\u5e94\u7684\u6e90\u4ee3\u7801\n     *\n     * @param method \u76ee\u6807\u65b9\u6cd5\n     * @param src    \u6e90\u4ee3\u7801\n     *\/\n    public void insertBefore(CtBehavior method, String src) throws CannotCompileException {\n        try {\n            method.insertBefore(src);\n            LOGGER.info(\"insert before method \" + method.getLongName());\n        } catch (CannotCompileException e) {\n            LogTool.traceError(ErrorType.HOOK_ERROR,\n                    \"insert before method \" + method.getLongName() + \" failed: \" + e.getMessage(), e);\n            throw e;\n        }\n    }\n\n    \/**\n     * (none-javadoc)\n     *\n     * @see com.baidu.openrasp.hook.AbstractClassHook#insertAfter(CtClass, String, String, String, boolean)\n     *\/\n    public void insertAfter(CtClass invokeClass, String methodName, String desc, String src)\n            throws NotFoundException, CannotCompileException {\n        insertAfter(invokeClass, methodName, desc, src, false);\n    }\n\n    \/**\n     * \u5728\u76ee\u6807\u7c7b\u7684\u76ee\u6807\u65b9\u6cd5\u7684\u51fa\u53e3\u63d2\u5165\u76f8\u5e94\u7684\u6e90\u4ee3\u7801\n     *\n     * @param method    \u76ee\u6807\u65b9\u6cd5\n     * @param src       \u6e90\u4ee3\u7801\n     * @param asFinally \u662f\u5426\u5728\u629b\u51fa\u5f02\u5e38\u7684\u65f6\u5019\u540c\u6837\u6267\u884c\u8be5\u6e90\u4ee3\u7801\n     *\/\n    public void insertAfter(CtBehavior method, String src, boolean asFinally) throws CannotCompileException {\n        try {\n            method.insertAfter(src, asFinally);\n            LOGGER.info(\"insert after method: \" + method.getLongName());\n    
    } catch (CannotCompileException e) {\n            LogTool.traceError(ErrorType.HOOK_ERROR,\n                    \"insert after method \" + method.getLongName() + \" failed: \" + e.getMessage(), e);\n            throw e;\n        }\n    }<\/pre>\n\n\n\n<p>insertafter\u505a\u68c0\u6d4b\u540e\u7684\u5904\u7406<\/p>\n\n\n\n<p>1\u548c2\u5728\u67e5\u627e\u5bf9\u5e94\u7684\u65b9\u6cd5\u548c\u63cf\u8ff0\u7b26\u540e\u63d2\u5165\u4ee3\u7801\uff0c\u533a\u522b\u662f\u662f\u5426\u5728\u629b\u51fa\u5f02\u5e38\u65f6\u540c\u6837\u6267\u884c\u63d2\u5165\u7684\u4ee3\u7801\uff08asFinally\uff09\uff0c3\u662f\u76f4\u63a5\u5bf9\u627e\u5230\u7684\u65b9\u6cd5\u63d2\u5165\u4ee3\u7801\u3002<\/p>\n\n\n\n<p>\u52a8\u6001\u751f\u6210\u9759\u6001\u4ee3\u7801<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"> \/**\n     * \u83b7\u53d6\u8c03\u7528\u9759\u6001\u65b9\u6cd5\u7684\u4ee3\u7801\u5b57\u7b26\u4e32\n     *\n     * @param invokeClass \u9759\u6001\u65b9\u6cd5\u6240\u5c5e\u7684\u7c7b\n     * @param methodName  \u9759\u6001\u65b9\u6cd5\u540d\u79f0\n     * @param paramString \u8c03\u7528\u4f20\u5165\u7684\u53c2\u6570\u5b57\u7b26\u4e32,\u6309\u7167javassist\u683c\u5f0f\n     * @return \u6574\u5408\u4e4b\u540e\u7684\u4ee3\u7801\n     *\/\n    public String getInvokeStaticSrc(Class invokeClass, String methodName, String paramString, Class... 
parameterTypes) {\n        String src;\n        String invokeClassName = invokeClass.getName();\n\n        String parameterTypesString = \"\";\n        if (parameterTypes != null &amp;&amp; parameterTypes.length > 0) {\n            for (Class parameterType : parameterTypes) {\n                if (parameterType.getName().startsWith(\"[\")) {\n                    parameterTypesString += \"Class.forName(\\\"\" + parameterType.getName() + \"\\\"),\";\n                } else {\n                    parameterTypesString += (parameterType.getName() + \".class,\");\n                }\n            }\n            parameterTypesString = parameterTypesString.substring(0, parameterTypesString.length() - 1);\n        }\n        if (parameterTypesString.equals(\"\")) {\n            parameterTypesString = null;\n        } else {\n            parameterTypesString = \"new Class[]{\" + parameterTypesString + \"}\";\n        }\n        if (isLoadedByBootstrapLoader) {\n            src = \"com.baidu.openrasp.ModuleLoader.moduleClassLoader.loadClass(\\\"\" + invokeClassName + \"\\\").getMethod(\\\"\" + methodName +\n                    \"\\\",\" + parameterTypesString + \").invoke(null\";\n            if (!StringUtils.isEmpty(paramString)) {\n                src += (\",new Object[]{\" + paramString + \"});\");\n            } else {\n                src += \",null);\";\n            }\n            src = \"try {\" + src + \"} catch (Throwable t) {if(t.getCause() != null &amp;&amp; t.getCause().getClass()\" +\n                    \".getName().equals(\\\"com.baidu.openrasp.exceptions.SecurityException\\\")){throw t;}}\";\n        } else {\n            src = invokeClassName + '.' 
+ methodName + \"(\" + paramString + \");\";\n            src = \"try {\" + src + \"} catch (Throwable t) {if(t.getClass()\" +\n                    \".getName().equals(\\\"com.baidu.openrasp.exceptions.SecurityException\\\")){throw t;}}\";\n        }\n        return src;\n    }<\/pre>\n\n\n\n<p>\u52a8\u6001\u751f\u6210\u9759\u6001\u4ee3\u7801\u4e3b\u8981\u662f\u4ee5\u4e0b\u51e0\u4e2a\u65b9\u9762<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8fd0\u884c\u751f\u6210\u4ee3\u7801\uff0c\u4e0d\u5728\u7f16\u8bd1\u65f6\u786c\u7f16\u7801<\/li>\n\n\n\n<li>\u9002\u5e94\u4e0d\u540c\u7684\u7c7b\u3001\u65b9\u6cd5<\/li>\n\n\n\n<li>\u9009\u62e9\u4e0d\u540c\u7684\u7c7b\u52a0\u8f7d\u5668<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>0x02 \u53cd\u5e8f\u5217\u5316\u7684\u68c0\u6d4b<\/strong><\/h2>\n\n\n\n<p>\u67e5\u770b<a href=\"https:\/\/github.com\/baidu\/openrasp\/blob\/master\/agent\/java\/engine\/src\/main\/java\/com\/baidu\/openrasp\/hook\/DeserializationHook.java\">DeserializationHook<\/a>\u7c7b<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"> public String getType() {\n        return \"deserialization\";\n    }\n\n    \/**\n     * (none-javadoc)\n     *\n     * @see com.baidu.openrasp.hook.AbstractClassHook#isClassMatched(String)\n     *\/\n    @Override\n    public boolean isClassMatched(String className) {\n        return \"java\/io\/ObjectInputStream\".equals(className);\n    }\n\n    \/**\n     * (none-javadoc)\n     *\n     * @see com.baidu.openrasp.hook.AbstractClassHook#hookMethod(CtClass)\n     *\/\n    @Override\n    protected void hookMethod(CtClass ctClass) throws IOException, CannotCompileException, NotFoundException {\n        String src = getInvokeStaticSrc(DeserializationHook.class, \"checkDeserializationClass\",\n                \"$1\", 
ObjectStreamClass.class);\n        insertBefore(ctClass, \"resolveClass\", \"(Ljava\/io\/ObjectStreamClass;)Ljava\/lang\/Class;\", src);\n    }\n\n    \/**\n     * \u53cd\u5e8f\u5217\u5316\u76d1\u68c0\u6d4b\u70b9\n     *\n     * @param objectStreamClass \u53cd\u5e8f\u5217\u5316\u7684\u7c7b\u7684\u6d41\u5bf9\u8c61\n     *\/\n    public static void checkDeserializationClass(ObjectStreamClass objectStreamClass) {\n        if (objectStreamClass != null) {\n            String clazz = objectStreamClass.getName();\n            if (clazz != null) {\n                HashMap&lt;String, Object> params = new HashMap&lt;String, Object>();\n                params.put(\"clazz\", clazz);\n                HookHandler.doCheck(CheckParameter.Type.DESERIALIZATION, params);\n            }\n        }\n\n    }\n<\/pre>\n\n\n\n<p>\u627e\u7684\u7c7b\u540d\uff1ajava\/io\/ObjectInputStream<\/p>\n\n\n\n<p>hookMethod\u4e2d\u751f\u6210\u4e86\u5177\u4f53\u8c03\u7528\u7684\u9759\u6001\u4ee3\u7801\uff0c\u5229\u7528insertBefore\u63d2\u5165\u751f\u6210\u7684\u4ee3\u7801\u5230ctClass\uff08\u5177\u4f53\u7684\u7c7b\uff09\u7684resolveClass\uff08\u65b9\u6cd5\uff09\u5165\u53e3\uff0c\u201c(Ljava\/io\/ObjectStreamClass;)Ljava\/lang\/Class;\u201d\u662f\u8be5\u65b9\u6cd5\u7684\u63cf\u8ff0\u7b26\u3002<\/p>\n\n\n\n<p>\u5177\u4f53\u7684\u68c0\u6d4b<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">     \/**\n     * \u53cd\u5e8f\u5217\u5316\u76d1\u68c0\u6d4b\u70b9\n     *\n     * @param objectStreamClass \u53cd\u5e8f\u5217\u5316\u7684\u7c7b\u7684\u6d41\u5bf9\u8c61\n     *\/\n    public static void checkDeserializationClass(ObjectStreamClass objectStreamClass) {\n        if (objectStreamClass != null) {\n            String clazz = objectStreamClass.getName();\n            if (clazz != null) {\n                HashMap&lt;String, Object> params = new 
HashMap&lt;String, Object>();\n                params.put(\"clazz\", clazz);\n                HookHandler.doCheck(CheckParameter.Type.DESERIALIZATION, params);\n            }\n        }\n\n    }\n<\/pre>\n\n\n\n<p>\u5177\u4f53\u7684\uff1a<a href=\"https:\/\/github.com\/baidu\/openrasp\/blob\/240fde3901c7a36aaade3683ffd5c89140a535fb\/agent\/java\/engine\/src\/main\/java\/com\/baidu\/openrasp\/HookHandler.java\">HookHandler<\/a>#docheck();&#8212;>HookHandler#doCheckWithoutRequest();&#8212;>HookHandler#doRealCheckWithoutRequest();&#8212;>CheckerManager#check();<br>\u5e76\u4e14\u901a\u8fc7<a href=\"https:\/\/github.com\/baidu\/openrasp\/blob\/master\/agent\/java\/engine\/src\/main\/java\/com\/baidu\/openrasp\/plugin\/checker\/CheckParameter.java\">checkParameter<\/a>\u8bbe\u7f6e\u7684\u5185\u5bb9\u8fdb\u884c\u68c0\u6d4b<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.nokws.top\/wp-content\/uploads\/2024\/10\/image-1.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1311\" height=\"735\" data-original=\"http:\/\/www.nokws.top\/wp-content\/uploads\/2024\/10\/image-1.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1017\"  sizes=\"auto, (max-width: 1311px) 100vw, 1311px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">0x03 
\u5c0f\u7ed3<\/h2>\n\n\n\n<p>\u5b66\u4e60\u4e86rasp\u7684hook\uff0c\u5927\u6982\u89e3\u51b3\u4e86\u4e4b\u524d\u7684\u95ee\u9898\uff1a\u4e3a\u4ec0\u4e48rasp\u62e6\u622a\u4e86\u53cd\u5e8f\u5217\u5316\u5bf9\u8c61\u7684\u751f\u6210\uff0c\u8fd8\u53ef\u4ee5\u83b7\u53d6\u5b8c\u6574\u7684\u4ee3\u7801\u8fd0\u884c\u94fe\u8def\uff1f\u53ea\u9700\u8981\u5728\u8c03\u7528\u88abhook\u7684\u65b9\u6cd5\u524d\u540e\uff0c\u5bf9\u5177\u4f53\u7684\u4ee3\u7801\u8fdb\u884c\u5904\u7406\u5c31\u53ef\u4ee5\u4e86\u3002\u4ecegetInvokeStaticSrc\u751f\u6210\u7684\u4ee3\u7801\u770b\uff0c\u53ea\u6709\u5f02\u5e38\uff08\u6216\u5176cause\uff09\u662fSecurityException\u65f6\u624d\u91cd\u65b0\u629b\u51fa\uff0c\u5176\u4ed6\u5f02\u5e38\u4e0d\u4f1a\u518d\u629b\u51fa\uff0c\u6240\u4ee5\u68c0\u6d4b\u4ee3\u7801\u51fa\u9519\u65f6\u88abhook\u7684\u65b9\u6cd5\u7167\u5e38\u6267\u884c\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5728\u770b\u4e86\u90e8\u5206\u7684\u6d89\u53camongo\u7684\u4ee3\u7801\u540e\uff0c\u53d1\u73b0\u5f88\u591a\u662f\u7528\u4e8e\u9519\u8bef\u5904\u7406\u7684\uff0c\u90a3\u4e48\u80fd\u5426\u76f4\u63a5\u5220\u9664\u8fd9\u90e8\u5206\u5462\u3002\u3002\uff08\u8fd9\u4e2a\u95ee\u9898\u4e4b\u540e\u518d\u770b\uff09 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1014","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1014","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/comments?post=1014"}],"version-history":[{"count":4,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1014\/revisions"}],"predecessor-version":[{"id":1021,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/1014\/revisions\/1021"}],"wp:attachment":[{"href":"http:\/
\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/media?parent=1014"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/categories?post=1014"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/tags?post=1014"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}