【Question title】: Java bytecode manipulation?
【Posted】: 2013-08-17 10:32:26
【Question】:

So, I'm writing an AV, and I'm developing hooks for the sandbox thing, but I've run into a problem: I can't edit the java.lang.* files, and I can't override them with a class loader either. Whenever I try to edit the bytes of the class file, nothing good happens. Say I have a copy of the source from the runtime (with reflection for the restricted bits), 100% identical to the source in java.lang; I can't modify the bytes to change all references from the lang one to my custom one. Look at this: I compile this class, which just opens notepad.exe:

Êþº¾...3.(......Start......java/lang/Object...<init>...()V...Code.............LineNumberTable...LocalVariableTable...this...LStart;...main...([Ljava/lang/String;)V...........java/lang/Runtime........getRuntime...()Ljava/lang/Runtime;......notepad.exe.............exec..'(Ljava/lang/String;)Ljava/lang/Process;...........java/io/IOException.. .....printStackTrace...args...[Ljava/lang/String;...e...Ljava/io/IOException;...StackMapTable...SourceFile...Start.java.!......................./........*·..±...............................................g........¸....¶..W§..L+¶..±.................................................!.".......#.$...%......L.......&.....'

I got the text dump from HxD.

Then I replace every occurrence of java/lang/Runtime with JavaProphet/JoustJAV/sandbox/Runtime, and I get this:

Êþº¾...3.(......Start......java/lang/Object...<init>...()V...Code.............LineNumberTable...LocalVariableTable...this...LStart;...main...([Ljava/lang/String;)V...........JavaProphet/JoustJAV/sandbox/Runtime........getRuntime...()LJavaProphet/JoustJAV/sandbox/Runtime;......notepad.exe.............exec..'(Ljava/lang/String;)Ljava/lang/Process;...........java/io/IOException.. .....printStackTrace...args...[Ljava/lang/String;...e...Ljava/io/IOException;...StackMapTable...SourceFile...Start.java.!......................./........*·..±...............................................g........¸....¶..W§..L+¶..±.................................................!.".......#.$...%......L.......&.....'

Now, if I run the first file, Notepad opens; if I open the second file, I get the following error:

Exception in thread "AWT-EventQueue-0" java.lang.ClassFormatError: Unknown constant tag 74 in class file Start
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at JavaProphet.JoustJAV.SandboxCL.findClass(SandboxCL.java:152)
at JavaProphet.JoustJAV.SandboxCL.loadClass(SandboxCL.java:97)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at JavaProphet.JoustJAV.FileScanner.sandboxFile(FileScanner.java:335)
at JavaProphet.JoustJAV.FileScanner.sandboxFile(FileScanner.java:348)
at JavaProphet.JoustJAV.MainWindow$4.actionPerformed(MainWindow.java:120)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2018)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2341)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
at java.awt.Component.processMouseEvent(Component.java:6505)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3321)
at java.awt.Component.processEvent(Component.java:6270)
at java.awt.Container.processEvent(Container.java:2229)
at java.awt.Component.dispatchEventImpl(Component.java:4861)
at java.awt.Container.dispatchEventImpl(Container.java:2287)
at java.awt.Component.dispatchEvent(Component.java:4687)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4832)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4492)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4422)
at java.awt.Container.dispatchEventImpl(Container.java:2273)
at java.awt.Window.dispatchEventImpl(Window.java:2713)
at java.awt.Component.dispatchEvent(Component.java:4687)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:707)
at java.awt.EventQueue.access$000(EventQueue.java:101)
at java.awt.EventQueue$3.run(EventQueue.java:666)
at java.awt.EventQueue$3.run(EventQueue.java:664)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:87)
at java.awt.EventQueue$4.run(EventQueue.java:680)
at java.awt.EventQueue$4.run(EventQueue.java:678)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:76)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:677)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:211)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:128)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:117)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:113)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

Now, I assume those dots are integers or some kind of index into the data in the class file, but what do I need to change to make this class file work? I've looked at ASM, but I didn't see a class-replacement mechanism. Any suggestions?

【Discussion】:

    Tags: java class assembly hex bytecode


    【Solution 1】:

    I figured it out! I just converted each byte of hex data to decimal, then compared it against the relative length, etc. etc., so I changed it to the following:

    Êþº¾...3.(......Start......java/lang/Object...<init>...()V...Code.............LineNumberTable...LocalVariableTable...this...LStart;...main...([Ljava/lang/String;)V..........$JavaProphet/JoustJAV/sandbox/Runtime........getRuntime..(()LJavaProphet/JoustJAV/sandbox/Runtime;......notepad.exe.............exec..'(Ljava/lang/String;)Ljava/lang/Process;...........java/io/IOException.. .....printStackTrace...args...[Ljava/lang/String;...e...Ljava/io/IOException;...StackMapTable...SourceFile...Start.java.!......................./........*·..±...............................................g........¸....¶..W§..L+¶..±.................................................!.".......#.$...%......L.......&.....'
    

    If you look closely, you'll see that the starting symbol of my custom class is different, so now my sandbox can safely run files that use Runtime (I'm using ProcessBuilder) to retrieve the virus-sensitive runtime contents.

    【Comments】:

    • Note that this is still very vulnerable. Java sandboxes are very hard to get right (even Oracle hasn't fully managed it). If you don't even have this much basic bytecode knowledge, you might as well give up. In any case, you should run the whole JVM inside a sandbox for additional security.
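The dumps above make the failure and the fix visible once you know that each CONSTANT_Utf8 entry in the constant pool starts with a one-byte tag (1) followed by a two-byte big-endian length. A byte-for-byte replace leaves the old length (17, for `java/lang/Runtime`) in place, so the JVM reads 17 bytes of the new 36-byte string, then treats the next byte, `J` (0x4A = 74), as the next tag: that is exactly the `Unknown constant tag 74` in the stack trace. In the corrected dump the `$` (0x24 = 36) before `JavaProphet/...` and the `(` (0x28 = 40) before `()LJavaProphet/...;` are the regenerated lengths. The script below, an added example that is not code from the question or the answer, walks a constant pool, reproduces the naive patch and its error, and performs the rename with the length prefixes recomputed. The class-file bytes it operates on are constructed inline in `build_sample_class()` (a pool referencing `java/lang/Runtime.getRuntime()` plus filler trailing fields); they are not the asker's `Start.class`, and the `JavaProphet/JoustJAV/sandbox/Runtime` name is reused only because the question uses it.

```python
"""Constant-pool walker and CONSTANT_Utf8 rewriter for JVM class files.

Added example (not code from the question or answer). The class file bytes
are constructed in build_sample_class(); they are not the asker's Start.class.
"""
import struct

# Constant-pool tags from the JVM specification (section 4.4).
TAG_UTF8 = 1
TAG_LONG = 5
TAG_DOUBLE = 6
TAG_CLASS = 7
TAG_METHODREF = 10
TAG_NAMEANDTYPE = 12

# Payload size in bytes (after the 1-byte tag) for every fixed-size tag.
FIXED_PAYLOAD = {
    3: 4,   # Integer
    4: 4,   # Float
    5: 8,   # Long   (occupies two pool slots)
    6: 8,   # Double (occupies two pool slots)
    7: 2,   # Class
    8: 2,   # String
    9: 4,   # Fieldref
    10: 4,  # Methodref
    11: 4,  # InterfaceMethodref
    12: 4,  # NameAndType
    15: 3,  # MethodHandle
    16: 2,  # MethodType
    17: 4,  # Dynamic
    18: 4,  # InvokeDynamic
    19: 2,  # Module
    20: 2,  # Package
}


class ClassFormatError(Exception):
    """Raised where the JVM would raise java.lang.ClassFormatError."""


def parse_constant_pool(data):
    """Walk the constant pool; return (entries, offset_after_pool).

    entries[0] is unused (as in the JVM); every other entry is (tag, payload).
    CONSTANT_Utf8 carries a u2 length prefix, so a stale prefix desynchronises
    the walk and the following bytes are misread as a tag.
    """
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ClassFormatError("bad magic")
    entries = [None]
    pos = 10
    while len(entries) < count:
        tag = data[pos]
        if tag == TAG_UTF8:
            (length,) = struct.unpack_from(">H", data, pos + 1)
            payload = data[pos + 3:pos + 3 + length]
            pos += 3 + length
        elif tag in FIXED_PAYLOAD:
            size = FIXED_PAYLOAD[tag]
            payload = data[pos + 1:pos + 1 + size]
            pos += 1 + size
        else:
            raise ClassFormatError(f"Unknown constant tag {tag} at offset {pos}")
        entries.append((tag, payload))
        if tag in (TAG_LONG, TAG_DOUBLE):
            entries.append(None)  # second slot of an 8-byte constant
    return entries, pos


def naive_patch(data, old, new):
    """What the question did: replace bytes without touching the length prefixes."""
    return data.replace(old, new)


def rename_utf8(data, old, new):
    """Rewrite every CONSTANT_Utf8 containing `old`, regenerating each u2 length."""
    entries, end = parse_constant_pool(data)
    out = bytearray(data[:8])                  # magic + minor_version + major_version
    out += struct.pack(">H", len(entries))     # constant_pool_count (slot 0 included)
    for entry in entries[1:]:
        if entry is None:                      # long/double second slot: nothing to emit
            continue
        tag, payload = entry
        if tag == TAG_UTF8:
            payload = payload.replace(old, new)
            out += bytes([tag]) + struct.pack(">H", len(payload)) + payload
        else:
            out += bytes([tag]) + payload
    out += data[end:]                          # rest of the class file, copied unchanged
    return bytes(out)


def check(data):
    """Return 'ok' when the pool parses, otherwise the ClassFormatError message."""
    try:
        parse_constant_pool(data)
        return "ok"
    except ClassFormatError as exc:
        return str(exc)


def _utf8(text):
    raw = text.encode("utf-8")
    return bytes([TAG_UTF8]) + struct.pack(">H", len(raw)) + raw


def build_sample_class():
    """Constructed minimal class file whose pool references java/lang/Runtime.getRuntime()."""
    pool = [
        _utf8("java/lang/Runtime"),                           # 1
        bytes([TAG_CLASS]) + struct.pack(">H", 1),            # 2: Class #1
        _utf8("getRuntime"),                                  # 3
        _utf8("()Ljava/lang/Runtime;"),                       # 4
        bytes([TAG_NAMEANDTYPE]) + struct.pack(">HH", 3, 4),  # 5: NameAndType #3:#4
        bytes([TAG_METHODREF]) + struct.pack(">HH", 2, 5),    # 6: Methodref #2.#5
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 51, len(pool) + 1)  # major 51 = Java 7
    # Fields after the pool (access_flags, this_class, super_class, interfaces/
    # fields/methods/attributes counts); constructed filler, copied verbatim by rename_utf8.
    tail = struct.pack(">HHHHHHH", 0x0021, 2, 2, 0, 0, 0, 0)
    return header + b"".join(pool) + tail


if __name__ == "__main__":
    OLD, NEW = b"java/lang/Runtime", b"JavaProphet/JoustJAV/sandbox/Runtime"
    sample = build_sample_class()
    print("original:", check(sample))
    print("naive:   ", check(naive_patch(sample, OLD, NEW)))  # Unknown constant tag 74
    fixed = rename_utf8(sample, OLD, NEW)
    print("fixed:   ", check(fixed), "length byte:", hex(fixed[12]))  # 0x24 == '$'
```

Run it and the naive patch fails with the same tag 74 the stack trace reports, while the rewritten pool parses and its first length byte is 0x24, the `$` visible in the answer's dump. Keep the comment's warning in mind: this is a textual rename of direct constant-pool references, so it only affects code that names `java/lang/Runtime` in its own pool, and it is not a sandbox boundary.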