feat: support command agent with asm on filterChain and contextValve (#51)

Author: ReaJason

bom/build.gradle

@@ -5,6 +5,7 @@ plugins {
 dependencies {
     constraints {
         api 'net.bytebuddy:byte-buddy:1.+'
+        api 'org.ow2.asm:asm-commons:9.7.1'
 
         api 'javax.servlet:javax.servlet-api:3.0.1'
         api 'jakarta.servlet:jakarta.servlet-api:6.0.0'

common/src/main/java/com/reajason/javaweb/asm/InnerClassDiscovery.java

@@ -0,0 +1,70 @@
+package com.reajason.javaweb.asm;
+
+import lombok.Getter;
+import net.bytebuddy.jar.asm.ClassReader;
+import net.bytebuddy.jar.asm.ClassVisitor;
+import net.bytebuddy.jar.asm.Opcodes;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.HashSet;
+import java.util.Set;
+
+public class InnerClassDiscovery {
+
+    /**
+     * Discovers all inner classes for a given class
+     *
+     * @param originalClass The class to discover inner classes for
+     * @return A set of fully qualified inner class names
+     */
+    public static Set<String> findAllInnerClasses(Class<?> originalClass) throws IOException {
+        Set<String> innerClasses;
+        String resourceName = originalClass.getName().replace('.', '/') + ".class";
+        try (InputStream is = originalClass.getClassLoader().getResourceAsStream(resourceName)) {
+            if (is == null) {
+                throw new IOException("Could not find class file for " + originalClass.getName());
+            }
+
+            ClassReader reader = new ClassReader(is);
+            InnerClassCollector collector = new InnerClassCollector(originalClass.getName());
+            reader.accept(collector, ClassReader.SKIP_CODE | ClassReader.SKIP_DEBUG | ClassReader.SKIP_FRAMES);
+
+            innerClasses = new HashSet<>(collector.getInnerClasses());
+        }
+        try {
+            for (Class<?> innerClass : originalClass.getDeclaredClasses()) {
+                innerClasses.add(innerClass.getName());
+                innerClasses.addAll(findAllInnerClasses(innerClass));
+            }
+        } catch (SecurityException ignored) {
+        }
+
+        return innerClasses;
+    }
+
+    private static class InnerClassCollector extends ClassVisitor {
+        private final String originalClassName;
+        @Getter
+        private final Set<String> innerClasses = new HashSet<>();
+
+        public InnerClassCollector(String originalClassName) {
+            super(Opcodes.ASM9);
+            this.originalClassName = originalClassName.replace('/', '.');
+        }
+
+        @Override
+        public void visitInnerClass(String name, String outerName, String innerName, int access) {
+            String className = name.replace('/', '.');
+            if (outerName != null) {
+                String outerClassName = outerName.replace('/', '.');
+                if (outerClassName.equals(originalClassName)) {
+                    innerClasses.add(className);
+                }
+            } else if (className.startsWith(originalClassName + "$")) {
+                innerClasses.add(className);
+            }
+        }
+
+    }
+}

common/src/main/java/com/reajason/javaweb/buddy/ClassRenameVisitorWrapper.java

@@ -0,0 +1,62 @@
+package com.reajason.javaweb.buddy;
+
+import net.bytebuddy.asm.AsmVisitorWrapper;
+import net.bytebuddy.description.field.FieldDescription;
+import net.bytebuddy.description.field.FieldList;
+import net.bytebuddy.description.method.MethodList;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.implementation.Implementation;
+import net.bytebuddy.jar.asm.ClassVisitor;
+import net.bytebuddy.jar.asm.commons.ClassRemapper;
+import net.bytebuddy.jar.asm.commons.Remapper;
+import net.bytebuddy.pool.TypePool;
+import org.jetbrains.annotations.NotNull;
+
+/**
+ * @author ReaJason
+ * @since 2025/3/27
+ */
+public class ClassRenameVisitorWrapper implements AsmVisitorWrapper {
+    public final String originalClassName;
+    public final String newClassName;
+
+    public ClassRenameVisitorWrapper(String originalClassName, String newClassName) {
+        this.originalClassName = originalClassName.replace('.', '/');
+        this.newClassName = newClassName.replace('.', '/');
+    }
+
+
+    @Override
+    public int mergeReader(int flags) {
+        return flags;
+    }
+
+    @Override
+    public int mergeWriter(int flags) {
+        return flags;
+    }
+
+    @NotNull
+    @Override
+    public ClassVisitor wrap(@NotNull TypeDescription instrumentedType,
+                             @NotNull ClassVisitor classVisitor,
+                             @NotNull Implementation.Context implementationContext,
+                             @NotNull TypePool typePool,
+                             @NotNull FieldList<FieldDescription.InDefinedShape> fields,
+                             @NotNull MethodList<?> methods,
+                             int writerFlags,
+                             int readerFlags) {
+        return new ClassRemapper(
+                classVisitor,
+                new Remapper() {
+                    @Override
+                    public String map(String typeName) {
+                        if (typeName.startsWith(originalClassName)) {
+                            return typeName.replaceFirst(originalClassName, newClassName);
+                        } else {
+                            return typeName;
+                        }
+                    }
+                });
+    }
+}

generator/build.gradle

@@ -24,6 +24,7 @@ dependencies {
     implementation project(":memshell")
     implementation project(":memshell-java8")
     implementation 'net.bytebuddy:byte-buddy'
+    implementation 'org.ow2.asm:asm-commons'
 
     implementation 'javax.servlet:javax.servlet-api'
     implementation 'javax.websocket:javax.websocket-api'

generator/src/main/java/com/reajason/javaweb/memshell/MemShellGenerator.java

@@ -7,6 +7,8 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.tuple.Pair;
 
+import java.util.Map;
+
 /**
  * @author ReaJason
  * @since 2024/11/24
@@ -48,7 +50,9 @@ public static GenerateResult generate(ShellConfig shellConfig, InjectorConfig in
         injectorConfig.setShellClassName(shellToolConfig.getShellClassName());
         injectorConfig.setShellClassBytes(shellBytes);
 
-        byte[] injectorBytes = new InjectorGenerator(shellConfig, injectorConfig).generate();
+        InjectorGenerator injectorGenerator = new InjectorGenerator(shellConfig, injectorConfig);
+        byte[] injectorBytes = injectorGenerator.generate();
+        Map<String, byte[]> innerClassBytes = injectorGenerator.getInnerClassBytes();
 
         return GenerateResult.builder()
                 .shellConfig(shellConfig)
@@ -58,6 +62,7 @@ public static GenerateResult generate(ShellConfig shellConfig, InjectorConfig in
                 .shellBytes(shellBytes)
                 .injectorClassName(injectorConfig.getInjectorClassName())
                 .injectorBytes(injectorBytes)
+                .injectorInnerClassBytes(innerClassBytes)
                 .build();
     }
 

generator/src/main/java/com/reajason/javaweb/memshell/Server.java

@@ -227,7 +227,9 @@ public enum Server {
                 .addShellClass(SPRING_WEBFLUX_HANDLER_FUNCTION, CommandHandlerFunction.class)
                 .addShellClass(NETTY_HANDLER, CommandNettyHandler.class)
                 .addShellClass(AGENT_FILTER_CHAIN, CommandFilterChainAdvisor.class)
+                .addShellClass(AGENT_FILTER_CHAIN_ASM, CommandFilterChainAsmMethodVisitor.class)
                 .addShellClass(CATALINA_AGENT_CONTEXT_VALVE, CommandFilterChainAdvisor.class)
+                .addShellClass(CATALINA_AGENT_CONTEXT_VALVE_ASM, CommandFilterChainAsmMethodVisitor.class)
                 .addShellClass(JETTY_AGENT_HANDLER, CommandHandlerAdvisor.class)
                 .addShellClass(UNDERTOW_AGENT_SERVLET_HANDLER, CommandServletInitialHandlerAdvisor.class)
                 .addShellClass(WEBLOGIC_AGENT_SERVLET_CONTEXT, CommandFilterChainAdvisor.class)

generator/src/main/java/com/reajason/javaweb/memshell/ShellType.java

@@ -21,7 +21,9 @@ public class ShellType {
     public static final String AGENT = "Agent";
 
     public static final String AGENT_FILTER_CHAIN = AGENT + "FilterChain";
+    public static final String AGENT_FILTER_CHAIN_ASM = AGENT + "FilterChainASM";
     public static final String CATALINA_AGENT_CONTEXT_VALVE = AGENT + "ContextValve";
+    public static final String CATALINA_AGENT_CONTEXT_VALVE_ASM = AGENT + "ContextValveASM";
     public static final String JETTY_AGENT_HANDLER = AGENT + "Handler";
     public static final String UNDERTOW_AGENT_SERVLET_HANDLER = AGENT + "ServletHandler";
     public static final String WAS_AGENT_FILTER_MANAGER = AGENT + "FilterManager";

generator/src/main/java/com/reajason/javaweb/memshell/config/GenerateResult.java

@@ -6,6 +6,8 @@
 import lombok.NoArgsConstructor;
 import org.apache.commons.codec.binary.Base64;
 
+import java.util.Map;
+
 /**
  * @author ReaJason
  * @since 2024/11/24
@@ -21,6 +23,7 @@ public class GenerateResult {
     private String shellBytesBase64Str;
     private String injectorClassName;
     private transient byte[] injectorBytes;
+    private transient Map<String, byte[]> injectorInnerClassBytes;
     private long injectorSize;
     private String injectorBytesBase64Str;
     private ShellConfig shellConfig;
@@ -38,7 +41,7 @@ public GenerateResult build() {
                 injectorSize = injectorBytes.length;
             }
             return new GenerateResult(shellClassName, shellBytes, shellSize, shellBytesBase64Str,
-                    injectorClassName, injectorBytes, injectorSize, injectorBytesBase64Str, shellConfig, shellToolConfig, injectorConfig);
+                    injectorClassName, injectorBytes, injectorInnerClassBytes, injectorSize, injectorBytesBase64Str, shellConfig, shellToolConfig, injectorConfig);
         }
     }
 }

generator/src/main/java/com/reajason/javaweb/memshell/generator/InjectorGenerator.java

@@ -1,20 +1,22 @@
 package com.reajason.javaweb.memshell.generator;
 
 import com.reajason.javaweb.ClassBytesShrink;
-import com.reajason.javaweb.buddy.ByPassJavaModuleInterceptor;
-import com.reajason.javaweb.buddy.LogRemoveMethodVisitor;
-import com.reajason.javaweb.buddy.ServletRenameVisitorWrapper;
-import com.reajason.javaweb.buddy.TargetJreVersionVisitorWrapper;
+import com.reajason.javaweb.asm.InnerClassDiscovery;
+import com.reajason.javaweb.buddy.*;
 import com.reajason.javaweb.memshell.config.InjectorConfig;
 import com.reajason.javaweb.memshell.config.ShellConfig;
 import com.reajason.javaweb.memshell.utils.CommonUtil;
 import lombok.SneakyThrows;
 import net.bytebuddy.ByteBuddy;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.dynamic.ClassFileLocator;
 import net.bytebuddy.dynamic.DynamicType;
+import net.bytebuddy.dynamic.scaffold.TypeValidation;
 import net.bytebuddy.implementation.FixedValue;
+import net.bytebuddy.pool.TypePool;
 import org.apache.commons.codec.binary.Base64;
 
-import java.util.Objects;
+import java.util.*;
 
 import static net.bytebuddy.matcher.ElementMatchers.named;
 
@@ -34,10 +36,13 @@ public InjectorGenerator(ShellConfig shellConfig, InjectorConfig injectorConfig)
     @SneakyThrows
     public DynamicType.Builder<?> getBuilder() {
         String base64String = Base64.encodeBase64String(CommonUtil.gzipCompress(injectorConfig.getShellClassBytes()));
+        String originalClassName = injectorConfig.getInjectorClass().getName();
+        String newClassName = injectorConfig.getInjectorClassName();
+
         DynamicType.Builder<?> builder = new ByteBuddy()
                 .redefine(injectorConfig.getInjectorClass())
-                .name(injectorConfig.getInjectorClassName())
                 .visit(new TargetJreVersionVisitorWrapper(shellConfig.getTargetJreVersion()))
+                .visit(new ClassRenameVisitorWrapper(originalClassName, newClassName))
                 .method(named("getUrlPattern")).intercept(FixedValue.value(Objects.toString(injectorConfig.getUrlPattern(), "/*")))
                 .method(named("getBase64String")).intercept(FixedValue.value(base64String))
                 .method(named("getClassName")).intercept(FixedValue.value(injectorConfig.getShellClassName()));
@@ -56,6 +61,38 @@ public DynamicType.Builder<?> getBuilder() {
         return builder;
     }
 
+    @SneakyThrows
+    public Map<String, byte[]> getInnerClassBytes() {
+        Set<String> innerClassNames = InnerClassDiscovery.findAllInnerClasses(injectorConfig.getInjectorClass());
+        if (innerClassNames.isEmpty()) {
+            return Collections.emptyMap();
+        }
+
+        String originalClassName = injectorConfig.getInjectorClass().getName();
+        String newClassName = injectorConfig.getInjectorClassName();
+
+        ClassFileLocator classFileLocator = ClassFileLocator.ForClassLoader.of(injectorConfig.getInjectorClass().getClassLoader());
+        TypePool typePool = TypePool.Default.of(classFileLocator);
+
+        Map<String, byte[]> bytes = new HashMap<>();
+        for (String innerClassName : innerClassNames) {
+            TypeDescription innerTypeDesc = typePool.describe(innerClassName).resolve();
+            String newInnerClassName = innerClassName.replace(originalClassName, newClassName);
+            DynamicType.Builder<?> innerBuilder = new ByteBuddy()
+                    .with(TypeValidation.DISABLED)
+                    .redefine(innerTypeDesc, classFileLocator)
+                    .visit(new TargetJreVersionVisitorWrapper(shellConfig.getTargetJreVersion()))
+                    .visit(new ClassRenameVisitorWrapper(originalClassName, newClassName));
+
+            try (DynamicType.Unloaded<?> unloaded = innerBuilder.make()) {
+                for (Map.Entry<TypeDescription, byte[]> entry : unloaded.getAllTypes().entrySet()) {
+                    bytes.put(newInnerClassName, entry.getValue());
+                }
+            }
+        }
+        return bytes;
+    }
+
     @SneakyThrows
     public byte[] generate() {
         DynamicType.Builder<?> builder = getBuilder();

generator/src/main/java/com/reajason/javaweb/memshell/packer/jar/AgentJarPacker.java

@@ -4,6 +4,7 @@
 import lombok.SneakyThrows;
 import net.bytebuddy.ByteBuddy;
 import org.apache.commons.io.IOUtils;
+import org.objectweb.asm.Opcodes;
 
 import java.io.ByteArrayOutputStream;
 import java.io.File;
@@ -13,6 +14,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Enumeration;
+import java.util.Map;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.jar.JarOutputStream;
@@ -40,7 +42,11 @@ public byte[] packBytes(GenerateResult generateResult) {
         manifest.getMainAttributes().putValue("Can-Retransform-Classes", "true");
         ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
         try (JarOutputStream targetJar = new JarOutputStream(byteArrayOutputStream, manifest)) {
-            addDependency(targetJar, ByteBuddy.class);
+            if (generateResult.getShellConfig().getShellType().endsWith("ASM")) {
+                addDependency(targetJar, Opcodes.class);
+            } else {
+                addDependency(targetJar, ByteBuddy.class);
+            }
 
             targetJar.putNextEntry(new JarEntry(mainClass.replace('.', '/') + ".class"));
             targetJar.write(generateResult.getInjectorBytes());
@@ -49,6 +55,12 @@ public byte[] packBytes(GenerateResult generateResult) {
             targetJar.putNextEntry(new JarEntry(advisorClass.replace('.', '/') + ".class"));
             targetJar.write(generateResult.getShellBytes());
             targetJar.closeEntry();
+
+            for (Map.Entry<String, byte[]> entry : generateResult.getInjectorInnerClassBytes().entrySet()) {
+                targetJar.putNextEntry(new JarEntry(entry.getKey().replace('.', '/') + ".class"));
+                targetJar.write(entry.getValue());
+                targetJar.closeEntry();
+            }
         }
         return byteArrayOutputStream.toByteArray();
     }

generator/src/main/java/com/reajason/javaweb/memshell/server/GlassFishShell.java

@@ -4,7 +4,9 @@
 import com.reajason.javaweb.memshell.injector.glassfish.GlassFishListenerInjector;
 import com.reajason.javaweb.memshell.injector.glassfish.GlassFishValveInjector;
 import com.reajason.javaweb.memshell.injector.tomcat.TomcatContextValveAgentInjector;
+import com.reajason.javaweb.memshell.injector.tomcat.TomcatContextValveAgentWithAsmInjector;
 import com.reajason.javaweb.memshell.injector.tomcat.TomcatFilterChainAgentInjector;
+import com.reajason.javaweb.memshell.injector.tomcat.TomcatFilterChainAgentWithAsmInjector;
 import com.reajason.javaweb.memshell.utils.ShellCommonUtil;
 import net.bytebuddy.asm.Advice;
 import net.bytebuddy.implementation.bytecode.assign.Assigner;
@@ -49,7 +51,9 @@ public InjectorMapping getShellInjectorMapping() {
                 .addInjector(VALVE, GlassFishValveInjector.class)
                 .addInjector(JAKARTA_VALVE, GlassFishValveInjector.class)
                 .addInjector(AGENT_FILTER_CHAIN, TomcatFilterChainAgentInjector.class)
+                .addInjector(AGENT_FILTER_CHAIN_ASM, TomcatFilterChainAgentWithAsmInjector.class)
                 .addInjector(CATALINA_AGENT_CONTEXT_VALVE, TomcatContextValveAgentInjector.class)
+                .addInjector(CATALINA_AGENT_CONTEXT_VALVE_ASM, TomcatContextValveAgentWithAsmInjector.class)
                 .build();
     }
 }

generator/src/main/java/com/reajason/javaweb/memshell/server/InforSuiteShell.java

@@ -4,7 +4,9 @@
 import com.reajason.javaweb.memshell.injector.glassfish.GlassFishValveInjector;
 import com.reajason.javaweb.memshell.injector.inforsuite.InforSuiteFilterInjector;
 import com.reajason.javaweb.memshell.injector.tomcat.TomcatContextValveAgentInjector;
+import com.reajason.javaweb.memshell.injector.tomcat.TomcatContextValveAgentWithAsmInjector;
 import com.reajason.javaweb.memshell.injector.tomcat.TomcatFilterChainAgentInjector;
+import com.reajason.javaweb.memshell.injector.tomcat.TomcatFilterChainAgentWithAsmInjector;
 
 import static com.reajason.javaweb.memshell.ShellType.*;
 
@@ -29,7 +31,9 @@ public InjectorMapping getShellInjectorMapping() {
                 .addInjector(VALVE, GlassFishValveInjector.class)
                 .addInjector(JAKARTA_VALVE, GlassFishValveInjector.class)
                 .addInjector(AGENT_FILTER_CHAIN, TomcatFilterChainAgentInjector.class)
+                .addInjector(AGENT_FILTER_CHAIN_ASM, TomcatFilterChainAgentWithAsmInjector.class)
                 .addInjector(CATALINA_AGENT_CONTEXT_VALVE, TomcatContextValveAgentInjector.class)
+                .addInjector(CATALINA_AGENT_CONTEXT_VALVE_ASM, TomcatContextValveAgentWithAsmInjector.class)
                 .build();
     }
 }