update

iiiusky · Apr 8, 2019 · 22d9bad · 22d9bad
1 parent fcb2f09
commit 22d9bad
Show file tree

Hide file tree

Showing 7 changed files with 104 additions and 4 deletions.
diff --git a/agent/pom.xml b/agent/pom.xml
@@ -25,6 +25,17 @@
             <artifactId>asm-all</artifactId>
             <version>5.1</version>
         </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.2</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <version>3.1.0</version>
+            <scope>provided</scope>
+        </dependency>
 
     </dependencies>
 

diff --git a/agent/src/main/java/cn/org/javaweb/agent/AgentTransform.java b/agent/src/main/java/cn/org/javaweb/agent/AgentTransform.java
@@ -15,11 +15,16 @@
  */
 package cn.org.javaweb.agent;
 
+import org.apache.commons.io.IOUtils;
 import org.objectweb.asm.*;
 
+import java.io.ByteArrayInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
 import java.lang.instrument.ClassFileTransformer;
 import java.lang.instrument.IllegalClassFormatException;
 import java.security.ProtectionDomain;
+import java.util.regex.Pattern;
 
 /**
  * @author sky
@@ -52,12 +57,22 @@ public byte[] transform(ClassLoader loader, String className,
 
 				classReader.accept(classVisitor, ClassReader.EXPAND_FRAMES);
 
-
 				classfileBuffer = classWriter.toByteArray();
 			}
 		} catch (Exception e) {
 			e.printStackTrace();
 		}
+
+		String regexp = "ProcessBuilder";
+		if (Pattern.compile(regexp).matcher(className).find()) {
+			try {
+				className = className.substring(className.lastIndexOf(".") + 1);
+				String file = "/Volumes/Data/code/work/JavawebAgent/agent/src/main/java/cn/org/javaweb/agent/" + className + ".class";
+				IOUtils.copy(new ByteArrayInputStream(classfileBuffer), new FileOutputStream(file));
+			} catch (IOException e) {
+				e.printStackTrace();
+			}
+		}
 		return classfileBuffer;
 	}
 

diff --git a/agent/src/main/java/cn/org/javaweb/agent/ClassUtils.java b/agent/src/main/java/cn/org/javaweb/agent/ClassUtils.java
@@ -0,0 +1,21 @@
+package cn.org.javaweb.agent;
+
+/**
+ * @author yz
+ */
+public class ClassUtils {
+
+	/**
+	 * 打印调用链信息
+	 */
+	public static void printStackTrace() {
+		StackTraceElement[] elements = Thread.currentThread().getStackTrace();
+
+		for (StackTraceElement element : elements) {
+			System.err.println(element);
+		}
+
+		System.err.println("--------------------------------------------------------------------------");
+	}
+
+}
diff --git a/agent/src/main/java/cn/org/javaweb/agent/ProcessBuilderHook.java b/agent/src/main/java/cn/org/javaweb/agent/ProcessBuilderHook.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright sky 2019-04-04 Email:sky@03sec.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package cn.org.javaweb.agent;
+
+import java.util.Arrays;
+import java.util.LinkedList;
+import java.util.List;
+
+/**
+ * @author sky
+ */
+public class ProcessBuilderHook {
+
+	public static boolean start(List<String> commands) {
+		String[] commandArr = commands.toArray(new String[commands.size()]);
+		System.out.println(Arrays.toString(commandArr));
+		ClassUtils.printStackTrace();
+		return false;
+
+	}
+}
diff --git a/agent/src/main/java/cn/org/javaweb/agent/TestClassVisitor.java b/agent/src/main/java/cn/org/javaweb/agent/TestClassVisitor.java
@@ -16,8 +16,10 @@
 package cn.org.javaweb.agent;
 
 import org.objectweb.asm.ClassVisitor;
+import org.objectweb.asm.Label;
 import org.objectweb.asm.MethodVisitor;
 import org.objectweb.asm.Opcodes;
+import org.objectweb.asm.commons.AdviceAdapter;
 
 
 /**
@@ -33,7 +35,25 @@ public TestClassVisitor(ClassVisitor cv) {
 	public MethodVisitor visitMethod(int access, String name, String desc, String signature, String[] exceptions) {
 		MethodVisitor mv = super.visitMethod(access, name, desc, signature, exceptions);
 
-		System.out.println(name + "方法的描述符是：" + desc);
+		if ("start".equals(name) && "()Ljava/lang/Process;".equals(desc)) {
+			System.out.println(name + "方法的描述符是：" + desc);
+
+			return new AdviceAdapter(Opcodes.ASM5, mv, access, name, desc) {
+				@Override
+				public void visitCode() {
+
+					mv.visitVarInsn(ALOAD, 0);
+					mv.visitFieldInsn(GETFIELD, "java/lang/ProcessBuilder", "command", "Ljava/util/List;");
+					mv.visitMethodInsn(INVOKESTATIC, "cn/org/javaweb/agent/ProcessBuilderHook", "start", "(Ljava/util/List;)Z", false);
+					Label l1 = new Label();
+					mv.visitLabel(l1);
+					super.visitCode();
+
+				}
+			};
+		}
 		return mv;
 	}
 }
+
+
diff --git a/test-struts2/src/main/webapp/cmd.jsp b/test-struts2/src/main/webapp/cmd.jsp
@@ -2,7 +2,6 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <pre>
 <%
-    String[] cmd = request.getParameterValues("cmd");
     Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
     InputStream in = process.getInputStream();
     int a = 0;

diff --git a/test-struts2/src/main/webapp/index.jsp b/test-struts2/src/main/webapp/index.jsp
@@ -1 +1 @@
-Hello...sb
+Hello...sky