
So, I'm writing an AV and I'm working on hooks for the sandbox thing, but I've run into a problem: I can't edit java.lang.* files, nor override them with a classloader. Whenever I try to edit the bytes of the class file, nothing good happens. Say I have a copy of the source from the runtime (using reflection for the restricted bits) that is 100% identical to the source in java.lang; I can't modify the bytes to change all references from the lang one to my custom one. Look at this, I compile this class, which just opens notepad.exe:

Êþº¾...3.(......Start......java/lang/Object...<init>...()V...Code.............LineNumberTable...LocalVariableTable...this...LStart;...main...([Ljava/lang/String;)V...........java/lang/Runtime........getRuntime...()Ljava/lang/Runtime;......notepad.exe.............exec..'(Ljava/lang/String;)Ljava/lang/Process;...........java/io/IOException.. .....printStackTrace...args...[Ljava/lang/String;...e...Ljava/io/IOException;...StackMapTable...SourceFile...Start.java.!......................./........*·..±...............................................g........¸....¶..W§..L+¶..±.................................................!.".......#.$...%......L.......&.....'

I got the text dump from HxD.

Then I replace all occurrences of java/lang/Runtime with JavaProphet/JoustJAV/sandbox/Runtime, and I get this:

Êþº¾...3.(......Start......java/lang/Object...<init>...()V...Code.............LineNumberTable...LocalVariableTable...this...LStart;...main...([Ljava/lang/String;)V...........JavaProphet/JoustJAV/sandbox/Runtime........getRuntime...()LJavaProphet/JoustJAV/sandbox/Runtime;......notepad.exe.............exec..'(Ljava/lang/String;)Ljava/lang/Process;...........java/io/IOException.. .....printStackTrace...args...[Ljava/lang/String;...e...Ljava/io/IOException;...StackMapTable...SourceFile...Start.java.!......................./........*·..±...............................................g........¸....¶..W§..L+¶..±.................................................!.".......#.$...%......L.......&.....'

Now, if I run the first file, Notepad opens; if I open the second file, I get this error:

Exception in thread "AWT-EventQueue-0" java.lang.ClassFormatError: Unknown constant tag 74 in class file Start
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at JavaProphet.JoustJAV.SandboxCL.findClass(SandboxCL.java:152)
at JavaProphet.JoustJAV.SandboxCL.loadClass(SandboxCL.java:97)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at JavaProphet.JoustJAV.FileScanner.sandboxFile(FileScanner.java:335)
at JavaProphet.JoustJAV.FileScanner.sandboxFile(FileScanner.java:348)
at JavaProphet.JoustJAV.MainWindow$4.actionPerformed(MainWindow.java:120)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2018)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2341)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
at java.awt.Component.processMouseEvent(Component.java:6505)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3321)
at java.awt.Component.processEvent(Component.java:6270)
at java.awt.Container.processEvent(Container.java:2229)
at java.awt.Component.dispatchEventImpl(Component.java:4861)
at java.awt.Container.dispatchEventImpl(Container.java:2287)
at java.awt.Component.dispatchEvent(Component.java:4687)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4832)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4492)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4422)
at java.awt.Container.dispatchEventImpl(Container.java:2273)
at java.awt.Window.dispatchEventImpl(Window.java:2713)
at java.awt.Component.dispatchEvent(Component.java:4687)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:707)
at java.awt.EventQueue.access$000(EventQueue.java:101)
at java.awt.EventQueue$3.run(EventQueue.java:666)
at java.awt.EventQueue$3.run(EventQueue.java:664)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:87)
at java.awt.EventQueue$4.run(EventQueue.java:680)
at java.awt.EventQueue$4.run(EventQueue.java:678)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:677)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:211)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:128)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:117)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:113)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

Now, I assume those dots are integers or some kind of index into the data in the class file, but what do I need to change to make this class file work? I've looked into ASM, but I didn't see a class-replacement mechanism. Suggestions, anyone?


1 Answer


I figured it out! I just converted each byte of the hex data to decimal and compared it against the relative length, etc. etc., so I changed the following:

Êþº¾...3.(......Start......java/lang/Object...<init>...()V...Code.............LineNumberTable...LocalVariableTable...this...LStart;...main...([Ljava/lang/String;)V..........$JavaProphet/JoustJAV/sandbox/Runtime........getRuntime..(()LJavaProphet/JoustJAV/sandbox/Runtime;......notepad.exe.............exec..'(Ljava/lang/String;)Ljava/lang/Process;...........java/io/IOException.. .....printStackTrace...args...[Ljava/lang/String;...e...Ljava/io/IOException;...StackMapTable...SourceFile...Start.java.!......................./........*·..±...............................................g........¸....¶..W§..L+¶..±.................................................!.".......#.$...%......L.......&.....'

If you look closely, you'll see that the start symbol of my custom class is different, so now my sandbox can safely run files that use Runtime (I'm using ProcessBuilder) to retrieve virus-sensitive runtime content.

answered 2013-08-17T10:54:55.020
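Here is the answer's fix done programmatically, as an added example that is not code from the question or from the JoustJAV project: it walks the constant pool, rewrites the CONSTANT_Utf8 entries that carry the class name (bare, or inside an `L...;` descriptor) and recomputes each one's u2 length prefix, which is the byte the answer changed to `$` (0x24 = 36); leave that prefix at 17 and the JVM reads the next byte of the longer name, `J` (0x4A), as a tag, hence the "Unknown constant tag 74". The pool-entry sizes come from the JVM specification (§4.4); the sample class bytes are constructed inline and are not the question's Start class.

```python
import re
import struct
MAGIC = b"\xca\xfe\xba\xbe"
# Payload size after the 1-byte tag for every fixed-size constant-pool entry (JVMS §4.4).
# CONSTANT_Utf8 (tag 1) is variable: u2 length + that many bytes. Long/Double take two slots.
FIXED_PAYLOAD = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
                 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def pool_entries(cf):
    """Return ([(tag, offset, size), ...], end_of_pool_offset); fails like the JVM on a bad tag."""
    count = struct.unpack(">H", cf[8:10])[0]
    entries, pos, idx = [], 10, 1
    while idx < count:
        tag = cf[pos]
        if tag == 1:
            size = 3 + struct.unpack(">H", cf[pos + 1:pos + 3])[0]
        elif tag in FIXED_PAYLOAD:
            size = 1 + FIXED_PAYLOAD[tag]
        else:  # this is what the JVM reports as "Unknown constant tag N"
            raise ValueError(f"unknown constant tag {tag} at offset {pos}")
        entries.append((tag, pos, size))
        pos += size
        idx += 2 if tag in (5, 6) else 1
    return entries, pos

def rename_class(cf, old, new):
    """Replace internal name `old` with `new` in every Utf8 entry and fix each u2 length prefix."""
    pattern = re.compile(re.escape(old.encode()) + rb"(?![\w$])")  # skip e.g. RuntimeException
    entries, end = pool_entries(cf)
    out = bytearray(cf[:10])
    for tag, pos, size in entries:
        if tag == 1:
            text = pattern.sub(lambda _: new.encode(), cf[pos + 3:pos + size])
            if len(text) > 0xFFFF:
                raise ValueError("rewritten Utf8 entry would exceed 65535 bytes")
            out += b"\x01" + struct.pack(">H", len(text)) + text
        else:
            out += cf[pos:pos + size]
    out += cf[end:]  # the rest of the file refers to pool entries by index, so it is unchanged
    return bytes(out)

def _utf8(s):
    return b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()

# Constructed sample: Utf8 name, Class -> #1, a descriptor, a look-alike that must stay untouched.
SAMPLE = (MAGIC + b"\x00\x00\x00\x33" + struct.pack(">H", 5)
          + _utf8("java/lang/Runtime") + b"\x07\x00\x01"
          + _utf8("()Ljava/lang/Runtime;") + _utf8("java/lang/RuntimeException")
          + b"\x00\x21\x00\x02\x00\x00")  # stand-in for access flags, this/super and the body
```

Run `rename_class(SAMPLE, "java/lang/Runtime", "JavaProphet/JoustJAV/sandbox/Runtime")` and the first entry's length bytes become `00 24`, the `$` seen in the answer's dump.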