link from:http://www.crowdstrike.com/blog/native-java-bytecode-debugging-without-source-code/index.html

Native Java Bytecode Debugging without Source Code

Feb 12, 2014 | Jason Geffner, Sr. Security Researcher

At CrowdStrike, we’ve seen a moderate increase in Java-based malware recently, with Remote Access Tools (RATs) like Adwindbecoming increasingly prevalent. Reverse engineering Java is typically very straightforward, since excellent Java binary decompilers have existed for years. Tools like JD-GUI make Java analysis a breeze and do an excellent job at recovering Java binaries’ source code (minus the comments). In cases where we need to dynamically debug Java programs, decompiled Java can be exported from the decompiler and then imported into a Java IDE like Eclipse as part of a new Java project. This allows us to build a project using the decompiled code and then dynamically debug it through the IDE. However, this all goes out the window when dealing with Java bytecode-based obfuscation, as most Java IDEs won’t compile raw JVM instructions, nor allow you to step through these instructions without the original source code.

Decompiled Non-Obfuscated Java

Decompiled Obfuscated Java

The best solution we’ve found for debugging malware’s native Java bytecode is Dr. Garbage’s Bytecode Visualizer. We haven’t seen any thorough walkthroughs on installing and using Bytecode Visualizer, so this blog entry serves as a step-by-step guide on how to dynamically analyze native Java bytecode with Bytecode Visualizer:

1. Install the Java SE JDK

The Java Standard Edition Development Kit can be downloaded from Oracle’s website athttp://www.oracle.com/technetwork/java/javase/downloads/index.html. JDK 7 is currently the latest version and can be downloaded directly fromhttp://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1....

During the JDK installation, be sure to have the JDK installer install the Public JRE as well if it isn’t already installed:

Installation Options

2. Install Eclipse

The Eclipse IDE for Java Developers can be downloaded fromhttps://www.eclipse.org/downloads/packages/eclipse-ide-java-developers/keplersr1 (the download links are on the right side of the page).

3. Install Bytecode Visualizer

Run Eclipse and in the menu bar go to Help → Eclipse Marketplace…

In the Search tab of Eclipse Marketplace window, type “Dr. Garbage” into the Find textbox and press the Go button:

Eclipse Marketplace

Scroll to Bytecode Visualizer and press the Install button. Once installation is completed, restart Eclipse when prompted.

4. Load the JAR to be Analyzed

Once Eclipse restarts, close the Welcome tab, and in the menu bar go to File → New → Java Project. Specify any project name you like and press the Next button:

Create a Java Project

In the Java Settings window, click the Libraries tab. In the Libraries tab, press the Add External JARs button and select the JAR file you want to debug, thereby adding it to the Java project’s build path:

Java Settings

Once the JAR has been added to the build path, press the Finish button.

5. Open the JAR’s Code with Bytecode Visualizer

In the Package Explorer tab, expand your project’s Referenced Libraries to find your JAR file. Right-click on the class you want to debug and select Open with Bytecode Visualizer:

Open with Bytecode Visualizer

6. Set Breakpoints

With the JAR’s code now visible in Bytecode Visualizer, you can set breakpoints by double-clicking on the vertical gray bar to the left of the disassembled Java code: 

Setting a Breakpoint

Note that Bytecode Visualizer only allows you to set breakpoints on method entrypoints (the first instruction of a method); you can’t set breakpoints on arbitrary instructions.

7. Debugging the Disassembled Code

You can now run the disassembled code by right-clicking on the class you want to debug and choosing Debug As → Java Application:

Debug as Java Application

In the Debug perspective view, there are buttons to Step Into Bytecode and Step Over Bytecode (circled in red below). Use the Step Over Bytecode button to perform standard single-stepping; use the Step Into Bytecode button only to step into calls. The Debug perspective also allows you to see local variable in the Variables tab, and to add your own watches in the Expressions tab (you can add this tab via Window→ Show View → Expressions in the menu bar); you can see below that I added a watch/expression for variable b:

Debug Perspective

As far as we’ve seen, Bytecode Visualizer does not offer a view of the raw JVM stack, but even without it, tracing the code flow via single-stepping and examining memory with the Variables and Expressions tabs should typically allow you to successfully debug your target as needed.

For more information on Java-based malware or the adversaries using it, including detection logic or any of the adversaries tracked by CrowdStrike, please contact: intelligence@crowdstrike.com and inquire about our Intelligence subscription.

[转]Native Java Bytecode Debugging without Source Code的更多相关文章

  1. Artistic Style 3.1 A Free, Fast, and Small Automatic Formatter for C, C++, C++/CLI, Objective‑C, C#, and Java Source Code

    Artistic Style - Index http://astyle.sourceforge.net/ Artistic Style 3.1 A Free, Fast, and Small Aut ...

  2. Java Sound : generate play sine wave - source code

    转载自:http://ganeshtiwaridotcomdotnp.blogspot.com/2011/12/java-sound-generate-play-sine-wave.html Work ...

  3. Sound (audio file) player in java - working source code example

    转载自:http://ganeshtiwaridotcomdotnp.blogspot.com/2011/12/sound-audio-file-player-in-java-working.html ...

  4. 转: Source Code Lookup in Eclipse(主要讲的是java的)

    Source Code Lookup in Eclipse https://www.intertech.com/Blog/source-code-lookup-in-eclipse/

  5. view class source code with JAD plugin in Eclipse

    The default class viewer doesn't decompile the class file so you cannot open and check the source co ...

  6. Attach source code to a Netbeans Library Wrapper Module

    http://rubenlaguna.com/wp/2008/02/22/attach-source-code-to-a-netbeans-library-wrapper-module/ Attach ...

  7. UI5 Source code map机制的细节介绍

    在我的博客A debugging issue caused by source code mapping里我介绍了在我做SAP C4C开发时遇到的一个曾经困扰我很久的问题,最后结论是这个问题由于Jav ...

  8. 阿里巴巴 fastjson-1.2.12.jar json解析异常java.lang.ClassFormatError: Invalid method Code length 66865 in class file com/alibaba/fastjson/serializer/ASMSerializer_6_UserKdlb

    承接上篇:fastjson反序列化LocalDateTime失败的问题java.time.format.DateTimeParseException: Text '2019-05-24 13:52:1 ...

  9. 小师妹学JVM之:java的字节码byte code简介

    目录 简介 Byte Code的作用 查看Byte Code字节码 java Byte Code是怎么工作的 总结 简介 Byte Code也叫做字节码,是连接java源代码和JVM的桥梁,源代码编译 ...

随机推荐

  1. html浏览器兼容性 JavaScript语法

    1.      在FireFox中能够使用与HTML节点对象ID属性值同样的JS变量名称,可是IE中不行. 解决的方法:在命名上区分HTML节点对象ID属性值和JS变量 2.      IE不支持JS ...

  2. HDU1203_I NEED A OFFER!【01背包】

    I NEED A OFFER! Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65536/32768 K (Java/Others) ...

  3. android如何在代码中设置margin

    1.首先看你要设置组件的父容器是什么. 例如,我是FrameLayout其中包括组件.如果调用bottomLayout这是: FrameLayout.LayoutParams lp = new Fra ...

  4. T4模版引擎之生成数据库实体类

    在通过T4模版引擎之基础入门 对T4有了初步印象后,我们开始实战篇.T4模板引擎可以当做一个代码生成器,代码生成器的职责当然是用来生成代码(这不是废话吗).而这其中我们使用的最普遍的是根据数据库生成实 ...

  5. ArcGIS网络分析之Silverlight客户端路径分析(三)

    原文:ArcGIS网络分析之Silverlight客户端路径分析(三) 首先贴上最终的效果图: a.路径查询 2.最近设施点查询 3.服务区分析 说明: 1.以上的示例使用的数据是随意在ArcMap中 ...

  6. nginx 开展对RT5350

    编译成功nginx的mips该平台后,,至make install生成的文件到一个角落rt5350文件系统. 必须指出的是,在,被放置在文件系统中需要安装文件夹和编译一致:候有release的文件夹, ...

  7. 观察者模式的程序实例C++

    一.什么是观察者模式 Observer模式也叫观察者模式,是由GoF提出的23种软件设计模式的一种.Observer模式是行为模式之中的一个,它的作用是当一个对象的状态发生变化时,可以自己主动通知其它 ...

  8. MVC 验证码

    验证码类 public class VerifyCode { public string checkCode = String.Empty; public byte[] BuildImg() { in ...

  9. c# 数据类型转换 as(C# 参考)

    as    运算符类似于强制转换操作.               但是,因此,如果转换是不可能的,as 返回 null 而不引发异常.  请看下面的示例: expression is type ? ...

  10. VC++.Net CAD编程架构

    1.每个对应的菜单项的图形抽象的, 图形抽象基类, 取决于改变来自子(如矩形.椭圆形) 2.在Doc对象管理列表管理,图形对象,当图形需要重绘或序列存储,通过遍历该列表的对象可以是 3. 每个类的职责 ...