Java bytecode manipulation?
So, I'm writing an AV, and I'm developing hooks for a sandbox thing, and I
have a problem: I can't edit the java.lang.* files, nor can I overwrite
them with a classloader. Whenever I try to edit the bytes of a class file,
no good happens. Say I have a copy of the source code from Runtime (with
reflection for the restricted bits) that works 100% the same as the one in
java.lang; I can't modify the bytes to change all references from the lang
one to my custom one. Look at this: I compile this class, which just opens
notepad.exe:
Êþº¾...3.(......Start......java/lang/Object...<init>...()V...Code.............LineNumberTable...LocalVariableTable...this...LStart;...main...([Ljava/lang/String;)V...........java/lang/Runtime........getRuntime...()Ljava/lang/Runtime;......notepad.exe.............exec..'(Ljava/lang/String;)Ljava/lang/Process;...........java/io/IOException..
.....printStackTrace...args...[Ljava/lang/String;...e...Ljava/io/IOException;...StackMapTable...SourceFile...Start.java.!......................./........*·..±...............................................g........¸....¶..W§..L+¶..±.................................................!.".......#.$...%......L.......&.....'
I got the text dump from HxD.
Then I replace all occurrences of java/lang/Runtime with
JavaProphet/JoustJAV/sandbox/Runtime and I get this:
Êþº¾...3.(......Start......java/lang/Object...<init>...()V...Code.............LineNumberTable...LocalVariableTable...this...LStart;...main...([Ljava/lang/String;)V...........JavaProphet/JoustJAV/sandbox/Runtime........getRuntime...()LJavaProphet/JoustJAV/sandbox/Runtime;......notepad.exe.............exec..'(Ljava/lang/String;)Ljava/lang/Process;...........java/io/IOException..
.....printStackTrace...args...[Ljava/lang/String;...e...Ljava/io/IOException;...StackMapTable...SourceFile...Start.java.!......................./........*·..±...............................................g........¸....¶..W§..L+¶..±.................................................!.".......#.$...%......L.......&.....'
Now, if I run the first file, notepad opens; if I open the second file, I
get this error:
Exception in thread "AWT-EventQueue-0" java.lang.ClassFormatError: Unknown constant tag 74 in class file Start
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at JavaProphet.JoustJAV.SandboxCL.findClass(SandboxCL.java:152)
at JavaProphet.JoustJAV.SandboxCL.loadClass(SandboxCL.java:97)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at JavaProphet.JoustJAV.FileScanner.sandboxFile(FileScanner.java:335)
at JavaProphet.JoustJAV.FileScanner.sandboxFile(FileScanner.java:348)
at JavaProphet.JoustJAV.MainWindow$4.actionPerformed(MainWindow.java:120)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2018)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2341)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
at java.awt.Component.processMouseEvent(Component.java:6505)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3321)
at java.awt.Component.processEvent(Component.java:6270)
at java.awt.Container.processEvent(Container.java:2229)
at java.awt.Component.dispatchEventImpl(Component.java:4861)
at java.awt.Container.dispatchEventImpl(Container.java:2287)
at java.awt.Component.dispatchEvent(Component.java:4687)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4832)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4492)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4422)
at java.awt.Container.dispatchEventImpl(Container.java:2273)
at java.awt.Window.dispatchEventImpl(Window.java:2713)
at java.awt.Component.dispatchEvent(Component.java:4687)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:707)
at java.awt.EventQueue.access$000(EventQueue.java:101)
at java.awt.EventQueue$3.run(EventQueue.java:666)
at java.awt.EventQueue$3.run(EventQueue.java:664)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:87)
at java.awt.EventQueue$4.run(EventQueue.java:680)
at java.awt.EventQueue$4.run(EventQueue.java:678)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:677)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:211)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:128)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:117)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:113)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
Now, I assume that those dots are integers or some sort of indexing for
the data in the class file, but what do I need to change to get this class
file to work? I've looked into ASM, but I didn't see a class replacement
mechanism. Suggestions, anyone?
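
Added example, not part of the original post: each CONSTANT_Utf8 entry in a class file's constant pool carries a two-byte length before its bytes, so a hex-editor replace of the 17-byte java/lang/Runtime with a 36-byte name leaves the parser reading 17 bytes and then treating the next byte, 'J' (74), as a constant tag. The Python sketch below reproduces that on a constructed header plus four-entry pool (not a complete class) and then renames with the length recomputed; all function names are hypothetical and names are assumed to be ASCII.

```python
import struct

# Names taken from the post; everything else below is constructed.
OLD, NEW = "java/lang/Runtime", "JavaProphet/JoustJAV/sandbox/Runtime"
# Payload size after the tag byte for each fixed-width constant (JVMS 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8(s):
    """CONSTANT_Utf8: tag 1, u2 byte length, then the bytes (ASCII assumed)."""
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b

def sample_class_prefix():
    """Constructed magic/version/count + 4-entry pool: Utf8, Class, Utf8, Class."""
    pool = utf8("Start") + b"\x07\x00\x01" + utf8(OLD) + b"\x07\x00\x03"
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 51, 5) + pool

def walk_pool(data):
    """Return ([(index, tag, offset, size)], end_offset); raise on a bad tag."""
    (count,) = struct.unpack_from(">H", data, 8)
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        if tag == 1:
            (n,) = struct.unpack_from(">H", data, pos + 1)
            size = 3 + n
        elif tag in FIXED:
            size = 1 + FIXED[tag]
        else:
            raise ValueError(f"Unknown constant tag {tag}")
        out.append((idx, tag, pos, size))
        pos += size
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return out, pos

def rename(data, old, new):
    """Rewrite Utf8 entries containing `old`, recomputing each u2 length."""
    entries, end = walk_pool(data)
    out, old_b, new_b = bytearray(data[:10]), old.encode(), new.encode()
    for _, tag, pos, size in entries:
        if tag == 1 and old_b in data[pos + 3:pos + size]:
            body = data[pos + 3:pos + size].replace(old_b, new_b)
            out += b"\x01" + struct.pack(">H", len(body)) + body
        else:
            out += data[pos:pos + size]
    return bytes(out) + data[end:]  # bytes after the pool are left untouched

if __name__ == "__main__":
    print(walk_pool(rename(sample_class_prefix(), OLD, NEW))[0])
```

Only the constant pool changes here, which is sufficient for a rename because bytecode and attributes refer to names by pool index. ASM's ClassRemapper (in org.objectweb.asm.commons) performs the same kind of rename on a complete class.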