To solve this problem we have created a Java Runtime Agent that injects into the JVM of the target process and performs bytecode modification of the class to do a System.out.println each time a method is called. In a number of tests performed recently this has provided a fast and efficient way of targeting useful functionality which we then intercept using JavaSnoop to obtain the desired results.
Java agents can either be launched from the command line using the "-javaagent" option:
java -javaagent:agent.jar -jar Application.jar
Or injected at runtime using the Attach API (see previous blog post).
We have created a generic JVM injector that lists all available Java processes and allows the user to inject the agent at runtime.
Figure: Fixulate Injector
This generic injector can be reused for other example projects; it is the agent that does the actual bytecode modification, and the agent to inject can be specified from within the GUI.
The agent itself is made up of 3 classes: AgentMain, which contains the premain method as specified within the manifest file; AgentForm, which provides a GUI after being injected into the target process; and finally the transformation class, which uses the ASM library to perform the bytecode modification to each method that is called.
After attaching (using the Injector GUI above), the AgentMain GUI is presented to the user. At this point you are running within the target process and can kill the Injector GUI, as it is no longer needed. Although the agent has been injected, the transformation is not yet active and needs to be started using the "Activate" button. The GUI also provides an editable list of classes to be blacklisted by the transformation agent; this reduces noise and allows the tester to focus on classes that are likely to be of interest. For example, we do not want to transform javax.swing classes and be flooded with notifications of their method calls.
Figure: Fixulate Runtime Agent
Figure: Console output showing blacklisted classes and then obfuscated method calls
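The transformation step described above, written out as an added example (this is not the Fixulate agent's code): a ClassFileTransformer that uses ASM to insert a System.out.println at the start of every method in classes that are not blacklisted. The class name TraceTransformer, the blacklist prefixes, and ASM 9 being on the agent's classpath are assumptions.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.List;
import org.objectweb.asm.*;

// Hypothetical class name; the page does not show the source of its transformation class.
public class TraceTransformer implements ClassFileTransformer {
    // Constructed blacklist of internal-name prefixes (the page's own example is javax.swing).
    private final List<String> blacklist =
            List.of("java/", "javax/", "sun/", "jdk/", "org/objectweb/asm/");

    // Entry point when loaded with -javaagent (Premain-Class entry in the manifest).
    public static void premain(String args, Instrumentation inst) {
        inst.addTransformer(new TraceTransformer());
    }

    boolean isBlacklisted(String internalName) {
        return internalName == null || blacklist.stream().anyMatch(internalName::startsWith);
    }

    @Override
    public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                            ProtectionDomain pd, byte[] classBytes) {
        if (isBlacklisted(className)) return null;   // null = leave the class unchanged
        try {
            ClassReader reader = new ClassReader(classBytes);
            ClassWriter writer = new ClassWriter(reader, ClassWriter.COMPUTE_MAXS);
            reader.accept(new ClassVisitor(Opcodes.ASM9, writer) {
                @Override
                public MethodVisitor visitMethod(int access, String name, String desc,
                                                 String sig, String[] ex) {
                    MethodVisitor next = super.visitMethod(access, name, desc, sig, ex);
                    return new MethodVisitor(Opcodes.ASM9, next) {
                        @Override
                        public void visitCode() {   // called once, before the first instruction
                            super.visitCode();
                            // Equivalent of: System.out.println("<class>.<method><descriptor>");
                            visitFieldInsn(Opcodes.GETSTATIC, "java/lang/System", "out",
                                    "Ljava/io/PrintStream;");
                            visitLdcInsn(className + "." + name + desc);
                            visitMethodInsn(Opcodes.INVOKEVIRTUAL, "java/io/PrintStream",
                                    "println", "(Ljava/lang/String;)V", false);
                        }
                    };
                }
            }, 0);
            return writer.toByteArray();
        } catch (RuntimeException e) {
            return null;   // never break the target over a class ASM cannot process
        }
    }
}
```

Abstract and native methods have no code body, so visitCode is never called for them and they pass through unmodified.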
We will be uploading the Fixulate Injector and Runtime Agent to the resources section very soon.