Binary patching of Java classes for fun and profit - Jfokus 2011

Post on 10-May-2015

2.806 views 2 download

Preview:

Click to see full reader

Tags:

Report this document
SHARE

Transcript of Binary patching of Java classes for fun and profit - Jfokus 2011

Binary patching of Java classes for fun

and profitJfokus 2011, Stockholm

whoami

http://arhipov.blogspot.com@antonarhipov

@javarebel

Anton ArhipovZeroTurnaround

JRebel

http://arhipov.blogspot.com/

What’s Binary Patching?

1010101010111000101010101010100010001000111011011101011

1010101010111100001010101010100010001000111011011101110

Ninja.class

Ninja.class’

Why Binary Patching?

MyClass.class

New code:10010100100100101011001010

ClassLoader

MyObject

JRebel agent

Why Binary Patching?

MyClass.class

New code:10010100100100101011001010

ClassLoader

MyObject

JRebel agent

Fra

mew

ork

Why Binary Patching?

MyClass.class

New code:10010100100100101011001010

ClassLoader

MyObject

JRebel agent

Configuration(XML,

annotations)

Fra

mew

ork

How?

Using –javaagent to hook into class loading processUsing bytecode manipulation libraries (e.g. Javassist)

java.lang.instrumentimport java.lang.instrument.ClassFileTransformer;import java.lang.instrument.Instrumentation;

public class Agent { public static void premain(String args, Instrumentation inst) throws Exception { inst.addTransformer(new ClassFileTransformer { … }); }}

java.lang.instrumentimport java.lang.instrument.ClassFileTransformer;import java.lang.instrument.Instrumentation;

public class Agent { public static void premain(String args, Instrumentation inst) throws Exception { inst.addTransformer(new ClassFileTransformer { … }); }}

META-INF/MANIFEST.MFAgent-Class: Agent

java.lang.instrumentimport java.lang.instrument.ClassFileTransformer;import java.lang.instrument.Instrumentation;

public class Agent { public static void premain(String args, Instrumentation inst) throws Exception { inst.addTransformer(new ClassFileTransformer { … }); }}

META-INF/MANIFEST.MFAgent-Class: Agent

java –javaagent:agent.jar …

java.lang.instrument + Javassist

new ClassFileTransformer() { public byte[] transform(ClassLoader loader, String className, Class<?>classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer){

}}

java.lang.instrument + Javassist

new ClassFileTransformer() { public byte[] transform(ClassLoader loader, String className, Class<?>classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer){

ClassPool cp = ClassPool.getDefault(); CtClass ct = pool.makeClass(new ByteArrayInputStream(classfileBuffer));

}}

java.lang.instrument + Javassist

new ClassFileTransformer() { public byte[] transform(ClassLoader loader, String className, Class<?>classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer){

ClassPool cp = ClassPool.getDefault(); CtClass ct = pool.makeClass(new ByteArrayInputStream(classfileBuffer));

transformClass(ct, cp);

}}

java.lang.instrument + Javassist

new ClassFileTransformer() { public byte[] transform(ClassLoader loader, String className, Class<?>classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer){

ClassPool cp = ClassPool.getDefault(); CtClass ct = pool.makeClass(new ByteArrayInputStream(classfileBuffer));

transformClass(ct, cp);

return ct.toBytecode(); }}

JRebel SDK

Javassist + JRebel

cp.importPackage("org.zeroturnaround.javarebel");

Javassist + JRebel

cp.importPackage("org.zeroturnaround.javarebel");

ct.addInterface( cp.get(ClassEventListener.class.getName()));

Javassist + JRebel

cp.importPackage("org.zeroturnaround.javarebel");

ct.addInterface( cp.get(ClassEventListener.class.getName()));

ct.addMethod(CtNewMethod.make("public void onClassEvent(int eventType, Class clazz) {"+ "cache.evict();" + "}", ct));

Javassist + JRebel

CtClass ct = …CtConstructor[] cs = ct.getConstructors();

Javassist + JRebel

CtClass ct = …CtConstructor[] cs = ct.getConstructors();

for (CtConstructor c : cs) { if (c.callsSuper()) { c.insertAfter("ReloaderFactory.getInstance() .addClassReloadListener($0);"); }}

Javassist + JRebel

CtClass ct = …

ct.getDeclaredMethod("service").insertBefore( "ReloaderFactory.getInstance() .checkAndReload(Application.class);");

Integration Highlights

Implement ClassEventListenerRegister listener instance to JRebel

Trigger the re-load event

ReloaderFactory#addClassReloadListener(…);

ReloaderFactory#checkAndReload(…);

Pros/Cons

Pros/Cons

Pros/Cons

Thx!

Want JRebel free? Come to our booth!

Top related

Android Jumpstart Jfokus
 Technology
Devoteam Group - Jfokus
 Documents
Jfokus 2012: PaaSing a Java EE Application
 Technology
webcomponents (Jfokus 2015)
 Technology
Antonio Bianchi Automatic Binary University of California, Santa … · 2016-12-13 · Automatic Binary Exploitation and Patching using Mechanical [Shell]Phish 2 A team of security
 Documents
PowerPC Binary Patching for Base Station Analysis
 Documents
Binary patching for fun and profit @ JUG.ru, 25.02.2012
 Technology
Floor Patching
 Documents
Effective Scala @ Jfokus
 Technology
Android Application Development at JFokus 2011
 Technology
patching whitepaper.pdf
 Documents
Download - Jfokus
 Documents
Patching 11
 Documents
Jfokus - Hazlecast
 Software
Patching a Patch Software Updates Using Horizontal Patching
 Documents
Biohacking - Jfokus#JFokus #biohacking @per_siko Disclaimer Me: They’re offering free chip implants and I’m thinking about taking one. What do you think? #JFokus #biohacking @per_siko
 Documents
Beyond The Basics of Patching (Patching 201)
 Software
Testing Angular Applications - Jfokus 2017
 Technology
Online Patching
 Documents
Android my Scala @ JFokus 2013
 Documents

Copyright © 2022 FDOCUMENTS