
Java bytecode manipulation?

So, I'm writing an AV, and I'm developing hooks for a sandbox thing, and I have a problem: I can't edit the java.lang.* files, nor can I overwrite them with a classloader. Whenever I try to edit the bytes of a class file, nothing good happens. Say I have a copy of the source code of Runtime (with reflection for the restricted bits) that works 100% the same as the one in java.lang; I can't modify the bytes to change all references from the java.lang one to my custom one. Look at this: I compile this class, which just opens notepad.exe:

Êþº¾...3.(......Start......java/lang/Object...<init>...()V...Code.............LineNumberTable...LocalVariableTable...this...LStart;...main...([Ljava/lang/String;)V...........java/lang/Runtime........getRuntime...()Ljava/lang/Runtime;......notepad.exe.............exec..'(Ljava/lang/String;)Ljava/lang/Process;...........java/io/IOException.. .....printStackTrace...args...[Ljava/lang/String;...e...Ljava/io/IOException;...StackMapTable...SourceFile...Start.java.!......................./........*·..±...............................................g........¸....¶..W§..L+¶..±.................................................!.".......#.$...%......L.......&.....'

I got the text dump from HxD.

Then I replace all occurrences of java/lang/Runtime with JavaProphet/JoustJAV/sandbox/Runtime and I get this:

Êþº¾...3.(......Start......java/lang/Object...<init>...()V...Code.............LineNumberTable...LocalVariableTable...this...LStart;...main...([Ljava/lang/String;)V...........JavaProphet/JoustJAV/sandbox/Runtime........getRuntime...()LJavaProphet/JoustJAV/sandbox/Runtime;......notepad.exe.............exec..'(Ljava/lang/String;)Ljava/lang/Process;...........java/io/IOException.. .....printStackTrace...args...[Ljava/lang/String;...e...Ljava/io/IOException;...StackMapTable...SourceFile...Start.java.!......................./........*·..±...............................................g........¸....¶..W§..L+¶..±.................................................!.".......#.$...%......L.......&.....'

Now, if I run the first file, notepad opens; if I open the second file, I get this error:

Exception in thread "AWT-EventQueue-0" java.lang.ClassFormatError: Unknown constant tag 74 in class file Start
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at JavaProphet.JoustJAV.SandboxCL.findClass(SandboxCL.java:152)
at JavaProphet.JoustJAV.SandboxCL.loadClass(SandboxCL.java:97)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at JavaProphet.JoustJAV.FileScanner.sandboxFile(FileScanner.java:335)
at JavaProphet.JoustJAV.FileScanner.sandboxFile(FileScanner.java:348)
at JavaProphet.JoustJAV.MainWindow$4.actionPerformed(MainWindow.java:120)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2018)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2341)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
at java.awt.Component.processMouseEvent(Component.java:6505)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3321)
at java.awt.Component.processEvent(Component.java:6270)
at java.awt.Container.processEvent(Container.java:2229)
at java.awt.Component.dispatchEventImpl(Component.java:4861)
at java.awt.Container.dispatchEventImpl(Container.java:2287)
at java.awt.Component.dispatchEvent(Component.java:4687)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4832)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4492)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4422)
at java.awt.Container.dispatchEventImpl(Container.java:2273)
at java.awt.Window.dispatchEventImpl(Window.java:2713)
at java.awt.Component.dispatchEvent(Component.java:4687)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:707)
at java.awt.EventQueue.access$000(EventQueue.java:101)
at java.awt.EventQueue$3.run(EventQueue.java:666)
at java.awt.EventQueue$3.run(EventQueue.java:664)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:87)
at java.awt.EventQueue$4.run(EventQueue.java:680)
at java.awt.EventQueue$4.run(EventQueue.java:678)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:677)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:211)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:128)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:117)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:113)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

Now, I assume that those dots are integers or some sort of indexing for the data in the class file, but what do I need to change to get this class file to work? I've looked into ASM, but I didn't see a class replacement mechanism. Suggestions, anyone?

I figured it out! I just turned each byte of hex data into decimal and compared it with the relative lengths, blah blah blah, so I changed the following:

Êþº¾...3.(......Start......java/lang/Object...<init>...()V...Code.............LineNumberTable...LocalVariableTable...this...LStart;...main...([Ljava/lang/String;)V..........$JavaProphet/JoustJAV/sandbox/Runtime........getRuntime..(()LJavaProphet/JoustJAV/sandbox/Runtime;......notepad.exe.............exec..'(Ljava/lang/String;)Ljava/lang/Process;...........java/io/IOException.. .....printStackTrace...args...[Ljava/lang/String;...e...Ljava/io/IOException;...StackMapTable...SourceFile...Start.java.!......................./........*·..±...............................................g........¸....¶..W§..L+¶..±.................................................!.".......#.$...%......L.......&.....'

If you look closely, you can see the beginning symbols are different for my custom class, so now my sandbox can safely run files that use Runtime (I'm working on ProcessBuilder) to retrieve virus-sensitive running things.
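The answer above patched the two length prefixes by hand: `$` is 0x24 = 36, the length of `JavaProphet/JoustJAV/sandbox/Runtime`, and `(` is 0x28 = 40, the length of `()LJavaProphet/JoustJAV/sandbox/Runtime;`. Each CONSTANT_Utf8 entry in the constant pool is a one-byte tag (1), a two-byte big-endian length, then that many bytes; substituting a longer string without updating the length leaves the parser reading the leftover `J` (0x4A = 74) of `JavaProphet` as the next entry's tag, which is exactly the "Unknown constant tag 74" in the trace. The following is an added example, not code from the original post or from the JoustJAV project, that does the same rewrite programmatically: it walks the constant pool, substitutes matching Utf8 entries, re-encodes each length, and copies everything after the pool untouched. The sample class file is constructed inline (a minimal class `Start` with no methods, plus a `java/lang/RuntimeException` reference to show the prefix pitfall); the sandbox class name is taken from the post and is only a placeholder.

```python
"""Rewrite internal class names inside a Java class file's constant pool.

Added example (not the original post's code). The class file used below is
constructed in build_sample_class(); the sandbox name is a placeholder.
"""
import re
import struct

MAGIC = b"\xca\xfe\xba\xbe"
CONSTANT_UTF8 = 1
# Payload size (after the tag byte) for the fixed-size constant-pool tags.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data):
    """Walk the constant pool. Returns (entries, offset_just_after_pool).

    entries[i] is (tag, payload_bytes), or None for slot 0 and for the
    phantom second slot that follows a Long/Double. An unknown tag raises
    ValueError, mirroring the JVM's ClassFormatError "Unknown constant tag N".
    """
    if data[:4] != MAGIC:
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)   # constant_pool_count
    entries, pos, i = [None], 10, 1
    while i < count:
        tag = data[pos]
        if tag == CONSTANT_UTF8:
            (length,) = struct.unpack_from(">H", data, pos + 1)
            payload = data[pos + 3:pos + 3 + length]
            if len(payload) != length:
                raise ValueError("truncated Utf8 entry at offset %d" % pos)
            pos += 3 + length
        elif tag in FIXED_SIZE:
            size = FIXED_SIZE[tag]
            payload = data[pos + 1:pos + 1 + size]
            pos += 1 + size
        else:
            raise ValueError("Unknown constant tag %d at offset %d" % (tag, pos))
        entries.append((tag, payload))
        i += 1
        if tag in (5, 6):                  # Long and Double occupy two slots
            entries.append(None)
            i += 1
    return entries, pos


def check_parses(data):
    """None if the constant pool parses cleanly, else the error message."""
    try:
        parse_constant_pool(data)
    except ValueError as exc:
        return str(exc)
    return None


def naive_replace(data, old, new):
    """The post's first attempt: substitute bytes, leave length prefixes alone."""
    return data.replace(old.encode(), new.encode())


def rewrite_class_names(data, mapping):
    """Copy of `data` with internal names in Utf8 entries replaced per
    `mapping` ("java/lang/Runtime" -> "..."), each u2 length re-encoded.

    Only whole names match: a name followed by an identifier character
    (java/lang/Runtime inside java/lang/RuntimeException) is left alone.
    """
    entries, end = parse_constant_pool(data)
    keys = sorted(mapping, key=len, reverse=True)       # longest key wins
    pattern = re.compile(b"(" + b"|".join(re.escape(k.encode()) for k in keys)
                         + b")(?![A-Za-z0-9_$])")
    out = bytearray(data[:10])                           # magic + versions + count
    for entry in entries[1:]:
        if entry is None:
            continue
        tag, payload = entry
        if tag == CONSTANT_UTF8:
            payload = pattern.sub(lambda m: mapping[m.group(1).decode()].encode(), payload)
            if len(payload) > 0xFFFF:
                raise ValueError("Utf8 entry longer than 65535 bytes")
            out += bytes([tag]) + struct.pack(">H", len(payload)) + payload
        else:
            out += bytes([tag]) + payload
    out += data[end:]          # access flags, fields, methods, attributes: untouched
    return bytes(out)


def utf8_strings(data):
    """Decoded Utf8 entries of a class file, in constant-pool order."""
    entries, _ = parse_constant_pool(data)
    return [e[1].decode() for e in entries if e is not None and e[0] == CONSTANT_UTF8]


def build_sample_class():
    """Constructed input: a minimal, structurally valid class 'Start' whose
    pool references java/lang/Runtime (and java/lang/RuntimeException)."""
    def utf8(s):
        b = s.encode()
        return bytes([1]) + struct.pack(">H", len(b)) + b
    def cls(idx):
        return bytes([7]) + struct.pack(">H", idx)
    pool = [
        utf8("Start"), cls(1),                                  # 1, 2
        utf8("java/lang/Object"), cls(3),                       # 3, 4
        utf8("java/lang/Runtime"), cls(5),                      # 5, 6
        utf8("getRuntime"), utf8("()Ljava/lang/Runtime;"),      # 7, 8
        bytes([12]) + struct.pack(">HH", 7, 8),                 # 9  NameAndType
        bytes([10]) + struct.pack(">HH", 6, 9),                 # 10 Methodref
        utf8("java/lang/RuntimeException"), cls(11),            # 11, 12
    ]
    header = MAGIC + struct.pack(">HHH", 0, 51, len(pool) + 1)  # minor, major, cp count
    body = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)     # flags, this, super, no ifaces/fields/methods/attrs
    return header + b"".join(pool) + body


if __name__ == "__main__":
    original = build_sample_class()
    new_name = "JavaProphet/JoustJAV/sandbox/Runtime"
    print("naive edit:", check_parses(naive_replace(original, "java/lang/Runtime", new_name)))
    for s in utf8_strings(rewrite_class_names(original, {"java/lang/Runtime": new_name})):
        print(s)
```

Two caveats a practitioner would want before relying on this as a sandbox. First, renaming internal names only redirects references that live in the constant pool with slashes; a string literal such as `"java.lang.Runtime"` passed to `Class.forName`, or a `Runtime` reached through reflection or JNI, is not touched, so a rename is a hook, not a security boundary. Second, the hand-rolled parser above exists to make the length-prefix point visible; for real use, ASM ships this operation as `org.objectweb.asm.commons.ClassRemapper` with a `SimpleRemapper`, which rewrites names and descriptors and re-serializes the pool for you.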

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you repost, please cite this site or the original source. Questions: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM