Tuesday, November 8, 2016

Inspect Java code with JavaSnoop

To inspect Java code at run time in local JVMs, download JavaSnoop from the URL below:
https://code.google.com/archive/p/javasnoop/
Once downloaded, extract it and change startup.bat to point to your JDK, not the JRE.
I changed it to this to make it work with JDK 8:
echo %JAVA_HOME% | find /i "8" > NUL
Now start up snoop via the bat or shell script.
 
Now either attach to a local JVM process or specify a new process.
 
Let me attach to my local Eclipse code, which I want to debug.
 
Add a new hook to your class methods.
 
Now, while the hook is active, you can print the variables and tamper with the parameters and return values at run time.
 
If the hook is active, you might see this.
 
Change the variables in the JVM from here.
 
Let me change the variable to another value and see what happens in the target JVM.
I changed the variable to India and the return value to india1.
 
 
 
You can see that the target JVM has the new values now.
 
This is very helpful when debugging COTS products for which we don't have the source code and also cannot regenerate it from the decompiled binaries via JAD or any other decompiler.
 
This will display the actual variable values at run time inside the JVM.
 
Oh, one more thing: you can also execute custom scripts after your hooks are active, as shown below.
Click on this
 
Execute now
 
Another cool feature is that you can track your input data across methods and classes.
 
You can find out where the user data is going by going into canary mode.
 
Let's see how to enable this.
Go to actions and enable canary mode.
 
Enter the data you are interested in.
 
As the code operating on the input data executes, there will be a chirp in canary mode, as shown above.
Now you can directly hook all the methods your data is flowing through. Cool, isn't it?
I think it's a life saver. I used to decompile the binaries with different decompilers and attach the generated source in Eclipse to debug, but I guess this is better and faster.
 
Make sure you use a JDK to run Eclipse, or else you will get an error along the lines of “target JVM doesn't have providers to attach to”.
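The JDK's Attach API (com.sun.tools.attach) is the standard interface tools use to attach to a running local JVM. As an added example, not part of the original post or of JavaSnoop's own code, the following lists the local JVMs that can be attached to and reports each one's java.home and java.version, which shows whether a target runs from a JDK or a JRE. The class name AttachCheck is made up for illustration.

```java
import com.sun.tools.attach.AttachNotSupportedException;
import com.sun.tools.attach.VirtualMachine;
import com.sun.tools.attach.VirtualMachineDescriptor;
import com.sun.tools.attach.spi.AttachProvider;

import java.io.IOException;
import java.util.List;
import java.util.Properties;

// Added example: AttachCheck is a made-up name, not part of JavaSnoop.
public class AttachCheck {

    // Attach to one JVM, read two system properties, and detach again.
    static String describe(VirtualMachineDescriptor vmd) {
        VirtualMachine vm = null;
        try {
            vm = VirtualMachine.attach(vmd);
            Properties p = vm.getSystemProperties();
            return "java.home=" + p.getProperty("java.home")
                    + " java.version=" + p.getProperty("java.version");
        } catch (AttachNotSupportedException e) {
            // The target is not compatible with any installed attach provider.
            return "attach not supported: " + e.getMessage();
        } catch (IOException e) {
            // Also raised on newer JDKs when a JVM tries to attach to itself.
            return "attach failed: " + e.getMessage();
        } finally {
            if (vm != null) {
                try { vm.detach(); } catch (IOException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        List<AttachProvider> providers = AttachProvider.providers();
        if (providers.isEmpty()) {
            System.err.println("No attach providers installed in this Java runtime.");
            return;
        }
        // Each descriptor is a local JVM visible to the installed providers.
        for (VirtualMachineDescriptor vmd : VirtualMachine.list()) {
            System.out.println(vmd.id() + "  " + vmd.displayName());
            System.out.println("    " + describe(vmd));
        }
    }
}
```

On JDK 8, put tools.jar from the JDK's lib directory on the classpath when compiling and running; later JDKs ship the API in the jdk.attach module.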
 
Steps required for the demo
  • Run the code below in Eclipse using a JDK and put a breakpoint at “String value = a(abhi);”
  • Now debug the code and let the breakpoint hit at the above line.
  • Now, in a separate cmd window, open snoop and attach to the existing JVM.
  • Attach the hook; once it is attached, resume from the breakpoint in Eclipse.
  • Your hook will become active and you are ready to rock.
 
 
My source, which was running in Eclipse:
package javacode;

public class Main {

    public static void main(String[] args) throws Exception {
        String abhi = "df";
        // Put the breakpoint on the next line, then attach snoop and hook a().
        String value = a(abhi);

        // Keep the JVM alive for a while so the result can be observed.
        Thread.sleep(10000);

        // Prints whatever a() returned, including a value changed by the hook.
        System.out.println(value);
    }

    // Hook target: prints its parameter and returns it unchanged.
    public static String a(String abhi) {
        System.out.println(abhi);
        return abhi;
    }
}

1 comment:

  1. Thanks for this post. Can you elaborate on the custom script with an example?
