A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #22088  by Stylo
 Thu Jan 30, 2014 12:45 pm
Hi there :D
I'm quite new to Java and its engine (never really got into it).
I believe it doesn't work the same way Windows loads images into memory, but I'd like to inject a DLL and have that DLL notify me whenever a JAR file is about to get executed.
The farthest I got was to realize that the JAR file is being opened with CreateFile, and that's it :S
Has anyone already done that before and can share knowledge?

thanks
 #22099  by Vrtule
 Fri Jan 31, 2014 12:47 pm
Hello,

I have actually never looked into the Java engine in great detail, but I would expect that the java process (java.exe or javaw.exe is its name IIRC) opens the JAR file and extracts its contents either into memory or to a temporary storage somewhere (JAR files are archives). Then it can interpret and JIT individual .class files as needed.

So, yes, the process will with high probability be totally different from the one performed by the PE loader.
 #22145  by Stylo
 Wed Feb 05, 2014 5:06 pm
I'll explain it again more clearly (I think I messed it up a little bit).
I'm trying to get the JAR or class that is going to execute when I enter a website that's running a Java applet,
i.e.
Code:
http://www.cs.stir.ac.uk/~sbj/examples/Java-examples-basic/Puzzle/Puzzle.html
some puzzle..
When I opened API Monitor, I found out that my web browser creates two pipes (one for reading and one for writing) to communicate with Java (and therefore to pass the JAR / class name).
It turns out I was right, and it did pass its name using the WriteFile API (which is called from jp2native.dll, which has a wrapper for WriteFile).
When I got the packet that contains the JAR / class name, it looks something like
Code:
00 00 00 01 00 00 00 00 01 00 00 00 02 00 00 01  ............
00 00 00 10 00 43 00 3A 00 5C 00 55 00 73 00 65  ....C.:.\.U.s.e
00 72 00 73 00 5C 00 57 00 69 00 6E 00 37 00 78  .r.s.\.W.i.n.7.x
00 38 00 36 00 00 00 08 01 00 00 00 03 01 00 00  .8.6........
00 80 00 2D 00 58 00 62 00 6F 00 6F 00 74 00 63  .€.-.X.b.o.o.t.c
00 6C 00 61 00 73 00 73 00 70 00 61 00 74 00 68  .l.a.s.s.p.a.t.h
00 2F 00 61 00 3A 00 43 00 3A 00 5C 00 50 00 52  ./.a.:.C.:.\.P.R
00 4F 00 47 00 52 00 41 00 7E 00 31 00 5C 00 4A  .O.G.R.A.~.1.\.J
00 61 00 76 00 61 00 5C 00 6A 00 72 00 65 00 37  .a.v.a.\.j.r.e.7
00 5C 00 6C 00 69 00 62 00 5C 00 64 00 65 00 70  .\.l.i.b.\.d.e.p
00 6C 00 6F 00 79 00 2E 00 6A 00 61 00 72 00 3B  .l.o.y...j.a.r.;
00 43 00 3A 00 5C 00 50 00 52 00 4F 00 47 00 52  .C.:.\.P.R.O.G.R
00 41 00 7E 00 31 00 5C 00 4A 00 61 00 76 00 61  .A.~.1.\.J.a.v.a
00 5C 00 6A 00 72 00 65 00 37 00 5C 00 6C 00 69  .\.j.r.e.7.\.l.i
00 62 00 5C 00 6A 00 61 00 76 00 61 00 77 00 73  .b.\.j.a.v.a.w.s
00 2E 00 6A 00 61 00 72 00 3B 00 43 00 3A 00 5C  ...j.a.r.;.C.:.\
00 50 00 52 00 4F 00 47 00 52 00 41 00 7E 00 31  .P.R.O.G.R.A.~.1
00 5C 00 4A 00 61 00 76 00 61 00 5C 00 6A 00 72  .\.J.a.v.a.\.j.r
00 65 00 37 00 5C 00 6C 00 69 00 62 00 5C 00 70  .e.7.\.l.i.b.\.p
00 6C 00 75 00 67 00 69 00 6E 00 2E 00 6A 00 61  .l.u.g.i.n...j.a
00 72 01 00 00 00 2F 00 2D 00 44 00 6A 00 61 00  .r.../.-.D.j.a.
76 00 61 00 2E 00 63 00 6C 00 61 00 73 00 73 00  v.a...c.l.a.s.s.
2E 00 70 00 61 00 74 00 68 00 3D 00 43 00 3A 00  ..p.a.t.h.=.C.:.
5C 00 50 00 52 00 4F 00 47 00 52 00 41 00 7E 00  \.P.R.O.G.R.A.~.
31 00 5C 00 4A 00 61 00 76 00 61 00 5C 00 6A 00  1.\.J.a.v.a.\.j.
72 00 65 00 37 00 5C 00 63 00 6C 00 61 00 73 00  r.e.7.\.c.l.a.s.
73 00 65 00 73 01 00 00 00 15 00 2D 00 44 00 73  s.e.s....-.D.s
00 75 00 6E 00 2E 00 61 00 77 00 74 00 2E 00 77  .u.n...a.w.t...w
00 61 00 72 00 6D 00 75 00 70 00 3D 00 74 00 72  .a.r.m.u.p.=.t.r
00 75 00 65 01 00 00 00 00 01 00 00 00 00 01 00  .u.e.........
00 00 00 01 00 00 00 01 00 01 00 00 00 00 01 00  ............
00 00 00 01 00 00 00 00                          .......
00 00 00 03 00 01 00 00 00 0B 01 00 00 00 04 00  ...........
63 00 6F 00 6C 00 73 01 00 00 00 06 00 68 00 65  c.o.l.s....h.e
00 69 00 67 00 68 00 74 01 00 00 00 08 00 63 00  .i.g.h.t....c.
6F 00 64 00 65 00 42 00 61 00 73 00 65 01 00 00  o.d.e.B.a.s.e..
00 08 00 73 00 63 00 72 00 61 00 6D 00 62 00 6C  ..s.c.r.a.m.b.l
00 65 01 00 00 00 05 00 61 00 6C 00 69 00 67 00  .e....a.l.i.g.
6E 01 00 00 00 05 00 77 00 69 00 64 00 74 00 68  n....w.i.d.t.h
01 00 00 00 0A 00 6C 00 61 00 75 00 6E 00 63 00  .....l.a.u.n.c.
68 00 6A 00 6E 00 6C 00 70 01 00 00 00 03 00 69  h.j.n.l.p....i
00 6D 00 67 01 00 00 00 04 00 63 00 6F 00 64 00  .m.g....c.o.d.
65 01 00 00 00 08 00 65 00 6D 00 62 00 65 00 64  e....e.m.b.e.d
00 64 00 65 00 64 01 00 00 00 04 00 72 00 6F 00  .d.e.d....r.o.
77 00 73 01 00 00 00 0B 01 00 00 00 01 00 34 01  w.s.......4
00 00 00 03 00 31 00 35 00 32 01 00 00 00 4D 00  ....1.5.2...M.
68 00 74 00 74 00 70 00 3A 00 2F 00 2F 00 77 00  h.t.t.p.:././.w.
77 00 77 00 2E 00 63 00 73 00 2E 00 73 00 74 00  w.w...c.s...s.t.
69 00 72 00 2E 00 61 00 63 00 2E 00 75 00 6B 00  i.r...a.c...u.k.
2F 00 7E 00 73 00 62 00 6A 00 2F 00 65 00 78 00  /.~.s.b.j./.e.x.
61 00 6D 00 70 00 6C 00 65 00 73 00 2F 00 4A 00  a.m.p.l.e.s./.J.
61 00 76 00 61 00 2D 00 65 00 78 00 61 00 6D 00  a.v.a.-.e.x.a.m.
70 00 6C 00 65 00 73 00 2D 00 62 00 61 00 73 00  p.l.e.s.-.b.a.s.
69 00 63 00 2F 00 50 00 75 00 7A 00 7A 00 6C 00  i.c./.P.u.z.z.l.
65 00 2F 00 4A 00 61 00 76 00 61 00 43 00 6C 00  e./.J.a.v.a.C.l.
61 00 73 00 73 00 65 00 73 01 00 00 00 02 00 32  a.s.s.e.s....2
00 35 01 00 00 00 03 00 74 00 6F 00 70 01 00 00  .5....t.o.p..
00 03 00 32 00 31 00 33 01 00 00 00 00 01 00 00  ..2.1.3......
00 0F 00 2E 00 2E 00 2F 00 6F 00 6C 00 64 00 2D  ....../.o.l.d.-
00 62 00 72 00 69 00 32 00 2E 00 67 00 69 00 66  .b.r.i.2...g.i.f
01 00 00 00 0C 00 70 00 75 00 7A 00 7A 00 6C 00  .....p.u.z.z.l.
65 00 2E 00 63 00 6C 00 61 00 73 00 73 01 00 00  e...c.l.a.s.s..
00 00 01 00 00 00 01 00 34 00 00 00 00 00 3E 00  ......4.....>.
7A 00 00 00 00 00 01 01 00 00 00 4D 00 68 00 74  z........M.h.t
00 74 00 70 00 3A 00 2F 00 2F 00 77 00 77 00 77  .t.p.:././.w.w.w
00 2E 00 63 00 73 00 2E 00 73 00 74 00 69 00 72  ...c.s...s.t.i.r
00 2E 00 61 00 63 00 2E 00 75 00 6B 00 2F 00 7E  ...a.c...u.k./.~
00 73 00 62 00 6A 00 2F 00 65 00 78 00 61 00 6D  .s.b.j./.e.x.a.m
00 70 00 6C 00 65 00 73 00 2F 00 4A 00 61 00 76  .p.l.e.s./.J.a.v
00 61 00 2D 00 65 00 78 00 61 00 6D 00 70 00 6C  .a.-.e.x.a.m.p.l
00 65 00 73 00 2D 00 62 00 61 00 73 00 69 00 63  .e.s.-.b.a.s.i.c
00 2F 00 50 00 75 00 7A 00 7A 00 6C 00 65 00 2F  ./.P.u.z.z.l.e./
00 50 00 75 00 7A 00 7A 00 6C 00 65 00 2E 00 68  .P.u.z.z.l.e...h
00 74 00 6D 00 6C 00 00 00 00 17 98 D4 10 80 FF  .t.m.l....˜Ô€ÿ
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
FF FF FF FF FF FF FF FF FF FF FF 00              ÿÿÿÿÿÿÿÿÿÿÿ.
As you can see, the class name (puzzle.class) is located inside, but I don't know how to parse that whole packet at all.
I even tried looking through the JDK source (perhaps I'm not going deep enough?!).
Any ideas?
Thanks
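The dump above is more regular than it looks: every visible string is introduced by a 0x01 byte followed by a big-endian 32-bit character count, and the characters themselves are UTF-16BE, so "01 00 00 00 0C" introduces the 12-character "puzzle.class" and "01 00 00 00 0F" the 15-character "../old-bri2.gif". That is the shape a Java DataOutputStream writeInt()/writeChars() pair produces; treat that as an inference from the bytes, not something confirmed by the plug-in's source. The Python below is an added example, not code from this thread or from the Java plug-in. It walks the buffer, accepts a candidate only when the whole run decodes to printable text (so the "01 00 00 00 0B" that counts the attribute keys is rejected), and picks out the class, JAR and URL strings a monitoring hook would want to log. The embedded sample is two fragments copied from the dump above and joined; the names scan_java_strings, applet_artifacts and encode_java_string are chosen here.

```python
"""Heuristic parser for the browser <-> Java plug-in pipe message shown above.

Added example, not from the original post.  Assumption drawn from the dump:
each string is serialised as 0x01, a big-endian u32 character count, then
UTF-16BE characters (the layout Java's writeInt() + writeChars() produces).
"""
import struct

MAX_CHARS = 4096  # sanity bound; every string in the dump is far shorter

# Two fragments copied from the dump in the post above, joined together:
# the start of the attribute-key list (note the 01 00 00 00 0B count that is
# NOT a string) and the img / code / embedded values near the end.
EXCERPT = bytes.fromhex(
    "00 00 00 03 00 01 00 00 00 0B"
    "01 00 00 00 04 00 63 00 6F 00 6C 00 73"                      # "cols"
    "01 00 00 00 06 00 68 00 65 00 69 00 67 00 68 00 74"          # "height"
    "01 00 00 00 00"                                              # ""
    "01 00 00 00 0F 00 2E 00 2E 00 2F 00 6F 00 6C 00 64 00 2D"
    "00 62 00 72 00 69 00 32 00 2E 00 67 00 69 00 66"             # "../old-bri2.gif"
    "01 00 00 00 0C 00 70 00 75 00 7A 00 7A 00 6C 00 65"
    "00 2E 00 63 00 6C 00 61 00 73 00 73"                         # "puzzle.class"
    "01 00 00 00 00"                                              # ""
)


def scan_java_strings(buf: bytes):
    """Return [(offset, text), ...] for every 01 + u32be count + UTF-16BE run.

    Bytes that do not start a plausible string (headers, counts, flags) are
    skipped one at a time.  A candidate is accepted only if the full run
    decodes and is printable, which rejects counts such as 01 00 00 00 0B
    whose "characters" would include U+0000.
    """
    found = []
    i = 0
    while i + 5 <= len(buf):
        if buf[i] == 0x01:
            (n,) = struct.unpack_from(">I", buf, i + 1)
            end = i + 5 + 2 * n
            if n <= MAX_CHARS and end <= len(buf):
                try:
                    text = buf[i + 5:end].decode("utf-16-be")
                except UnicodeDecodeError:  # lone surrogate etc. -> not a string
                    text = None
                if text is not None and text.isprintable():
                    found.append((i, text))
                    i = end  # skip the whole string; a real one cannot nest another
                    continue
        i += 1
    return found


def applet_artifacts(strings):
    """Pick out what a hook watching this pipe should log: class/JAR names and URLs."""
    return [
        text
        for _, text in strings
        if text.lower().endswith((".class", ".jar"))
        or text.startswith(("http://", "https://"))
    ]


def encode_java_string(text: str) -> bytes:
    """Writer side of the same layout, for building test messages."""
    return b"\x01" + struct.pack(">I", len(text)) + text.encode("utf-16-be")


if __name__ == "__main__":
    for offset, text in scan_java_strings(EXCERPT):
        print(f"{offset:4d}: {text!r}")
    print("artifacts:", applet_artifacts(scan_java_strings(EXCERPT)))
```

In the full dump the eleven attribute names (cols, height, codeBase, scramble, align, width, launchjnlp, img, code, embedded, rows) are followed by eleven values in the same order, so running the scanner over the whole message and zipping the two runs recovers the applet tag's attributes, including code=puzzle.class and the codeBase URL.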
 #24958  by not2excel
 Thu Jan 15, 2015 6:24 pm
Seems to me that you're just reading the raw bytes of the class file. Instead you should interpret those bytes and display them as Java bytecode, or, if you have a bytecode-to-Java-source converter, convert it to readable code. Don't know about applets, but for client-side JAR files, if you couldn't directly rip the class files from the compressed file, you'd have to dump them on launch, after which you'd run them through a bytecode viewer to see the actual code.