link from:http://www.crowdstrike.com/blog/native-java-bytecode-debugging-without-source-code/index.html

Native Java Bytecode Debugging without Source Code

Feb 12, 2014 | Jason Geffner, Sr. Security Researcher

At CrowdStrike, we’ve seen a moderate increase in Java-based malware recently, with Remote Access Tools (RATs) like Adwindbecoming increasingly prevalent. Reverse engineering Java is typically very straightforward, since excellent Java binary decompilers have existed for years. Tools like JD-GUI make Java analysis a breeze and do an excellent job at recovering Java binaries’ source code (minus the comments). In cases where we need to dynamically debug Java programs, decompiled Java can be exported from the decompiler and then imported into a Java IDE like Eclipse as part of a new Java project. This allows us to build a project using the decompiled code and then dynamically debug it through the IDE. However, this all goes out the window when dealing with Java bytecode-based obfuscation, as most Java IDEs won’t compile raw JVM instructions, nor allow you to step through these instructions without the original source code.

Decompiled Non-Obfuscated Java

Decompiled Obfuscated Java

The best solution we’ve found for debugging malware’s native Java bytecode is Dr. Garbage’s Bytecode Visualizer. We haven’t seen any thorough walkthroughs on installing and using Bytecode Visualizer, so this blog entry serves as a step-by-step guide on how to dynamically analyze native Java bytecode with Bytecode Visualizer:

1. Install the Java SE JDK

The Java Standard Edition Development Kit can be downloaded from Oracle’s website athttp://www.oracle.com/technetwork/java/javase/downloads/index.html. JDK 7 is currently the latest version and can be downloaded directly fromhttp://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1....

During the JDK installation, be sure to have the JDK installer install the Public JRE as well if it isn’t already installed:

Installation Options

2. Install Eclipse

The Eclipse IDE for Java Developers can be downloaded fromhttps://www.eclipse.org/downloads/packages/eclipse-ide-java-developers/keplersr1 (the download links are on the right side of the page).

3. Install Bytecode Visualizer

Run Eclipse and in the menu bar go to Help → Eclipse Marketplace…

In the Search tab of Eclipse Marketplace window, type “Dr. Garbage” into the Find textbox and press the Go button:

Eclipse Marketplace

Scroll to Bytecode Visualizer and press the Install button. Once installation is completed, restart Eclipse when prompted.

4. Load the JAR to be Analyzed

Once Eclipse restarts, close the Welcome tab, and in the menu bar go to File → New → Java Project. Specify any project name you like and press the Next button:

Create a Java Project

In the Java Settings window, click the Libraries tab. In the Libraries tab, press the Add External JARs button and select the JAR file you want to debug, thereby adding it to the Java project’s build path:

Java Settings

Once the JAR has been added to the build path, press the Finish button.

5. Open the JAR’s Code with Bytecode Visualizer

In the Package Explorer tab, expand your project’s Referenced Libraries to find your JAR file. Right-click on the class you want to debug and select Open with Bytecode Visualizer:

Open with Bytecode Visualizer

6. Set Breakpoints

With the JAR’s code now visible in Bytecode Visualizer, you can set breakpoints by double-clicking on the vertical gray bar to the left of the disassembled Java code: 

Setting a Breakpoint

Note that Bytecode Visualizer only allows you to set breakpoints on method entrypoints (the first instruction of a method); you can’t set breakpoints on arbitrary instructions.

7. Debugging the Disassembled Code

You can now run the disassembled code by right-clicking on the class you want to debug and choosing Debug As → Java Application:

Debug as Java Application

In the Debug perspective view, there are buttons to Step Into Bytecode and Step Over Bytecode (circled in red below). Use the Step Over Bytecode button to perform standard single-stepping; use the Step Into Bytecode button only to step into calls. The Debug perspective also allows you to see local variable in the Variables tab, and to add your own watches in the Expressions tab (you can add this tab via Window→ Show View → Expressions in the menu bar); you can see below that I added a watch/expression for variable b:

Debug Perspective

As far as we’ve seen, Bytecode Visualizer does not offer a view of the raw JVM stack, but even without it, tracing the code flow via single-stepping and examining memory with the Variables and Expressions tabs should typically allow you to successfully debug your target as needed.

For more information on Java-based malware or the adversaries using it, including detection logic or any of the adversaries tracked by CrowdStrike, please contact: intelligence@crowdstrike.com and inquire about our Intelligence subscription.

[转]Native Java Bytecode Debugging without Source Code的更多相关文章

  1. Artistic Style 3.1 A Free, Fast, and Small Automatic Formatter for C, C++, C++/CLI, Objective‑C, C#, and Java Source Code

    Artistic Style - Index http://astyle.sourceforge.net/ Artistic Style 3.1 A Free, Fast, and Small Aut ...

  2. Java Sound : generate play sine wave - source code

    转载自:http://ganeshtiwaridotcomdotnp.blogspot.com/2011/12/java-sound-generate-play-sine-wave.html Work ...

  3. Sound (audio file) player in java - working source code example

    转载自:http://ganeshtiwaridotcomdotnp.blogspot.com/2011/12/sound-audio-file-player-in-java-working.html ...

  4. 转: Source Code Lookup in Eclipse(主要讲的是java的)

    Source Code Lookup in Eclipse https://www.intertech.com/Blog/source-code-lookup-in-eclipse/

  5. view class source code with JAD plugin in Eclipse

    The default class viewer doesn't decompile the class file so you cannot open and check the source co ...

  6. Attach source code to a Netbeans Library Wrapper Module

    http://rubenlaguna.com/wp/2008/02/22/attach-source-code-to-a-netbeans-library-wrapper-module/ Attach ...

  7. UI5 Source code map机制的细节介绍

    在我的博客A debugging issue caused by source code mapping里我介绍了在我做SAP C4C开发时遇到的一个曾经困扰我很久的问题,最后结论是这个问题由于Jav ...

  8. 阿里巴巴 fastjson-1.2.12.jar json解析异常java.lang.ClassFormatError: Invalid method Code length 66865 in class file com/alibaba/fastjson/serializer/ASMSerializer_6_UserKdlb

    承接上篇:fastjson反序列化LocalDateTime失败的问题java.time.format.DateTimeParseException: Text '2019-05-24 13:52:1 ...

  9. 小师妹学JVM之:java的字节码byte code简介

    目录 简介 Byte Code的作用 查看Byte Code字节码 java Byte Code是怎么工作的 总结 简介 Byte Code也叫做字节码,是连接java源代码和JVM的桥梁,源代码编译 ...

随机推荐

  1. 使用ArcGIS API for Silverlight + Visifire绘制地图统计图

    原文:使用ArcGIS API for Silverlight + Visifire绘制地图统计图 最近把很久之前做的统计图又拿出来重新做了一遍,感觉很多时候不复习,不记录就真的忘了,时间是最好的稀释 ...

  2. JS Tree

    jQuery插件实例七:一棵Tree的生成史 在需要表示级联.层级的关系中,Tree作为最直观的表达方式常出现在组织架构.权限选择等层级关系中.典型的表现形试类似于: 一颗树的生成常常包括三个部分:1 ...

  3. c# WebBrowser开发参考资料

    原文:c# WebBrowser开发参考资料 c# WebBrowser开发参考资料,所有资料的采集均来自网上 话说有了WebBrowser类,终于不用自己手动封装SHDocVw的AxWebBrows ...

  4. Python编写网页爬虫爬取oj上的代码信息

    OJ升级,代码可能会丢失. 所以要事先备份. 一開始傻傻的复制粘贴, 后来实在不能忍, 得益于大潇的启示和聪神的原始代码, 网页爬虫走起! 已经有段时间没看Python, 这次网页爬虫的原始代码是 p ...

  5. .net mvc4 从客户端中检测到有潜在危险的 Request.Form 值

    [ValidateInput(false)] 即可, 网上说什么Web.Config 里面改,一点用都没有 [HttpPost] [ActionName("Edit")] [Val ...

  6. c++中string类的具体解释

    通过在站点上的资料搜集,得到了非常多关于string类使用方法的文档,通过对这些资料的整理和增加一些自己的代码,就得出了一份比較完整的关于string类函数有哪些和如何用的文档了! 以下先罗列出str ...

  7. Write the code.Change the world.---WWDC2014

  8. hdu 4869 Task(馋)

    题目链接:hdu 4869 Task 题目大意:有n台机器,m个任务.每一个机器和任务都有有xi和yi.要求机器的xi.yi均大于等于任务的xi和yi才干运行任务. 每台机器一天仅仅能运行一个任务.要 ...

  9. hdoj 4324 Triangle LOVE 【拓扑】

    Triangle LOVE Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65536/65536 K (Java/Others) To ...

  10. CGI编程学习----查询2000W开房数据

    原文:CGI编程学习----查询2000W开房数据 0x01:什么是CGI编程? CGI:Common Gateway Interface CGI代表Common Gateway Interface( ...