feat memshell init hook

yoloyyh · yoloyyh · commit 13641854a89e · 2024-03-26T19:00:54.000+08:00
diff --git a/.gitignore b/.gitignore
@@ -41,3 +41,5 @@ Cargo.lock
 *CMakeFiles*
 *vcpkg_installed
 *node_modules
+*.output/
+build
diff --git a/rasp/jvm/JVMProbe/build.gradle b/rasp/jvm/JVMProbe/build.gradle
@@ -12,8 +12,8 @@ repositories {
 
 dependencies {
     testImplementation group: 'junit', name: 'junit', version: '4.13.1'
-    implementation group: 'org.ow2.asm', name: 'asm-tree', version: '9.3'
-    implementation group: 'org.ow2.asm', name: 'asm-commons', version: '9.3'
+    implementation group: 'org.ow2.asm', name: 'asm-tree', version: '9.6'
+    implementation group: 'org.ow2.asm', name: 'asm-commons', version: '9.6'
     implementation group: 'io.netty', name: 'netty-all', version: '4.1.85.Final'
     implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.14.0'
     implementation group: 'com.fasterxml.jackson.dataformat', name: 'jackson-dataformat-yaml', version: '2.14.0'
diff --git a/rasp/jvm/JVMProbe/src/main/java/com/security/smith/SmithProbe.java b/rasp/jvm/JVMProbe/src/main/java/com/security/smith/SmithProbe.java
@@ -181,7 +181,7 @@ public void onEvent(Trace trace, long sequence, boolean endOfBatch) {
         Predicate<MatchRule> pred = rule -> {
             Object[] args = trace.getArgs();
 
-            if (rule.getIndex() >= args.length)
+            if (rule.getIndex() >= args.length || rule.getRegex().isEmpty() || args[rule.getIndex()] == null)
                 return false;
 
             return Pattern.compile(rule.getRegex()).matcher(args[rule.getIndex()].toString()).find();
@@ -341,6 +341,27 @@ boolean hasExceptionHook(Map<String, SmithMethod> methodMap) {
         return false;
     }
 
+    public boolean checkInterfaceNeedTran(String interfaceName) {
+        if (interfaceName == null) {
+            return false;
+        }
+        boolean ret = false;
+        switch (interfaceName) {
+            case "org/springframework/web/servlet/HandlerInterceptor":
+            case "javax/servlet/Servlet":
+            case "javax/servlet/Filter":
+            case "javax/servlet/ServletRequestListener":
+            case "jakarta/servlet/Servlet":
+            case "jakarta/servlet/Filter":
+            case "jakarta/servlet/ServletRequestListener":
+            case "javax/websocket/Endpoint":
+                ret = true;
+                break;
+            default:
+                break;
+        }
+        return ret;
+    }
     @Override
     public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer) {
          if (disable)
@@ -349,18 +370,41 @@ public byte[] transform(ClassLoader loader, String className, Class<?> classBein
         // if(scanswitch) {
         //     checkClassFilter(loader, className,classfileBuffer);
         // }
-  
-        Type classType = Type.getObjectType(className);
-        SmithClass smithClass = smithClasses.get(classType.getClassName());
 
-        if (smithClass == null)
-            return null;
+        Type classType = null;
+        SmithClass smithClass = null;
+        try {
+            classType = Type.getObjectType(className);
+            smithClass = smithClasses.get(classType.getClassName());
+        } catch (Exception e) {
+            //SmithLogger.exception(e);
+        }
+     
+        if (smithClass == null && className == null)  {
+            
+            ClassReader cr = new ClassReader(classfileBuffer);
+            String[] interfaces = cr.getInterfaces();
+            if (className == null) {
+                className = cr.getClassName();
+                classType = Type.getObjectType(className);
+            }
 
-        SmithLogger.logger.info("transform: " + classType.getClassName());
+            for (String interName : interfaces) {
+                if (checkInterfaceNeedTran(interName)) {
+                    Type interfaceType = Type.getObjectType(interName);
+                    smithClass = smithClasses.get(interfaceType.getClassName());
+                    break;
+                }
+            }
+            if (smithClass == null) {
+                return null;
+            }
+        } 
 
         try {
             Map<String, SmithMethod> methodMap = smithClass.getMethods().stream().collect(Collectors.toMap(method -> method.getName() + method.getDesc(), method -> method));
             
+            SmithLogger.logger.info("transform: " + classType.getClassName());
             ClassReader classReader = new ClassReader(classfileBuffer);
 
             ClassWriter classWriter;
@@ -372,14 +416,14 @@ public byte[] transform(ClassLoader loader, String className, Class<?> classBein
             }
 
             ClassVisitor classVisitor = new SmithClassVisitor(
-                    Opcodes.ASM8,
+                    Opcodes.ASM9,
                     classWriter,
                     smithClass.getId(),
                     classType,
                     methodMap
             );
 
-            classReader.accept(classVisitor, ClassReader.EXPAND_FRAMES);
+            classReader.accept(classVisitor, ClassReader.EXPAND_FRAMES);      
             return classWriter.toByteArray();
         } catch (Exception e) {
             SmithLogger.exception(e);
diff --git a/rasp/jvm/JVMProbe/src/main/java/com/security/smith/SmithProbeProxy.java b/rasp/jvm/JVMProbe/src/main/java/com/security/smith/SmithProbeProxy.java
@@ -423,4 +423,46 @@ public void checkJettyDeployPost(int classID, int methodID, Object[] args, Objec
             jettyDeploying.set(false);
         }
     }
+
+    /*
+     * check spring controller memshell
+     */
+    public void checkSpringControllerPre(int classID, int methodID, Object[] args)  {
+        if (args.length < 3) {
+            return;
+        }
+        try {
+            Object controller = args[2];
+            sendMetadataObject(controller);
+        } catch (Exception e) {
+            SmithLogger.exception(e);
+        }
+    }
+
+    /*
+     * check spring Interceptor memshell
+     */
+    public void checkSpringInterceptorPre(int classID, int methodID, Object[] args)  {
+        if (args.length < 1) {
+            return;
+        }
+        try {
+            Object interceptor = args[0];
+            sendMetadataObject(interceptor);
+        } catch (Exception e) {
+            SmithLogger.exception(e);
+        }
+    }
+
+    public void checkMemshellInitPost(int classID, int methodID, Object[] args, Object ret, boolean blocked) {
+        //SmithLogger.logger.info("checkMemshellInitPost call success");
+        if (ret != null) {
+            try {
+                sendMetadataObject(ret);
+            } catch (Exception e) {
+                SmithLogger.exception(e);
+            }
+        }
+
+    }
 }
diff --git a/rasp/jvm/JVMProbe/src/main/java/com/security/smith/common/SmithHandler.java b/rasp/jvm/JVMProbe/src/main/java/com/security/smith/common/SmithHandler.java
@@ -217,7 +217,9 @@ private static boolean checkServletInterface(Class<?> clazz) {
 								    || clsName.endsWith(".ServletRequestListener")) {
 								return true;
 							}
-					    }
+					    } else if (clsName.equals("org.springframework.web.servlet.HandlerInterceptor")) {
+                            return true;
+                        }
 				    }
 			    }
             }
diff --git a/rasp/jvm/JVMProbe/src/main/resources/class.yaml b/rasp/jvm/JVMProbe/src/main/resources/class.yaml
@@ -250,10 +250,72 @@
       desc: (Ljava/util/EventListener;)V
       preHook: checkJettyListenerPre
 - id: 23
-  name: org.eclipse.jetty.deploy.bindings.StandardDeployer
+  name: org.springframework.web.servlet.handler.AbstractUrlHandlerMapping
   methods:
     - id: 0
-      name: processBinding
-      desc: (Lorg/eclipse/jetty/deploy/graph/Node;Lorg/eclipse/jetty/deploy/App;)V
-      preHook: checkJettyDeployPre
-      postHook: checkJettyDeployPost
+      name: registerHandler
+      desc: (Ljava/lang/String;Ljava/lang/Object;)V
+      preHook: checkSpringControllerPre
+- id: 24
+  name: org.springframework.web.servlet.handler.AbstractHandlerMethodMapping$MappingRegistry
+  methods:
+    - id: 0
+      name: register
+      desc: (Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/reflect/Method;)V
+      preHook: checkSpringControllerPre
+- id: 25
+  name: org.springframework.web.servlet.HandlerInterceptor
+  methods:
+    - id: 0
+      name: <init>
+      desc: ()V
+      postHook: checkMemshellInitPost
+- id: 26
+  name: javax.servlet.Filter
+  methods:
+    - id: 0
+      name: <init>
+      desc: ()V
+      postHook: checkMemshellInitPost
+- id: 27
+  name: javax.servlet.Servlet
+  methods:
+    - id: 0
+      name: <init>
+      desc: ()V
+      postHook: checkMemshellInitPost
+- id: 28
+  name: javax.servlet.ServletRequestListener
+  methods:
+    - id: 0
+      name: <init>
+      desc: ()V
+      postHook: checkMemshellInitPost
+- id: 29
+  name: javax.websocket.Endpoint
+  methods:
+    - id: 0
+      name: <init>
+      desc: ()V
+      postHook: checkMemshellInitPost
+- id: 30
+  name: jakarta.servlet.Filter
+  methods:
+    - id: 0
+      name: <init>
+      desc: ()V
+      postHook: checkMemshellInitPost
+- id: 31
+  name: jakarta.servlet.Servlet
+  methods:
+    - id: 0
+      name: <init>
+      desc: ()V
+      postHook: checkMemshellInitPost
+- id: 32
+  name: jakarta.servlet.ServletRequestListener
+  methods:
+    - id: 0
+      name: <init>
+      desc: ()V
+      postHook: checkMemshellInitPost

Original file line number	Diff line number	Diff line change
`@@ -217,7 +217,9 @@ private static boolean checkServletInterface(Class<?> clazz) {`
`217`	`217`	`\|\| clsName.endsWith(".ServletRequestListener")) {`
`218`	`218`	`return true;`
`219`	`219`	`}`
`220`		`- }`
	`220`	`+ } else if (clsName.equals("org.springframework.web.servlet.HandlerInterceptor")) {`
	`221`	`+ return true;`
	`222`	`+ }`
`221`	`223`	`}`
`222`	`224`	`}`
`223`	`225`	`}`