[Repost] Native Java Bytecode Debugging without Source Code

Posted: 2022-08-27 12:50:06

Link from: http://www.crowdstrike.com/blog/native-java-bytecode-debugging-without-source-code/index.html


Feb 12, 2014 | Jason Geffner, Sr. Security Researcher

At CrowdStrike, we’ve seen a moderate increase in Java-based malware recently, with Remote Access Tools (RATs) like Adwind becoming increasingly prevalent. Reverse engineering Java is typically very straightforward, since excellent Java binary decompilers have existed for years. Tools like JD-GUI make Java analysis a breeze and do an excellent job of recovering a Java binary’s source code (minus the comments). In cases where we need to dynamically debug Java programs, the decompiled Java can be exported from the decompiler and then imported into a Java IDE like Eclipse as part of a new Java project. This allows us to build a project from the decompiled code and then debug it through the IDE. However, this approach breaks down when dealing with bytecode-level obfuscation: the decompiler emits code that no longer compiles, and most Java IDEs will neither compile raw JVM instructions nor let you step through those instructions without the original source code.

[Figure: Decompiled Non-Obfuscated Java]

[Figure: Decompiled Obfuscated Java]

The best solution we’ve found for debugging malware’s native Java bytecode is Dr. Garbage’s Bytecode Visualizer. We haven’t seen any thorough walkthroughs on installing and using Bytecode Visualizer, so this blog entry serves as a step-by-step guide on how to dynamically analyze native Java bytecode with Bytecode Visualizer:

1. Install the Java SE JDK

The Java Standard Edition Development Kit can be downloaded from Oracle’s website at http://www.oracle.com/technetwork/java/javase/downloads/index.html. At the time of writing (February 2014), JDK 7 is the latest version and can be downloaded directly from http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1....

During the JDK installation, be sure to have the JDK installer install the Public JRE as well if it isn’t already installed:

[Figure: Installation Options]

2. Install Eclipse

The Eclipse IDE for Java Developers can be downloaded from https://www.eclipse.org/downloads/packages/eclipse-ide-java-developers/keplersr1 (the download links are on the right side of the page).

3. Install Bytecode Visualizer

Run Eclipse and in the menu bar go to Help → Eclipse Marketplace…

In the Search tab of Eclipse Marketplace window, type “Dr. Garbage” into the Find textbox and press the Go button:

[Figure: Eclipse Marketplace]

Scroll to Bytecode Visualizer and press the Install button. Once installation is completed, restart Eclipse when prompted.

4. Load the JAR to be Analyzed

Once Eclipse restarts, close the Welcome tab, and in the menu bar go to File → New → Java Project. Specify any project name you like and press the Next button:

[Figure: Create a Java Project]

In the Java Settings window, click the Libraries tab. In the Libraries tab, press the Add External JARs button and select the JAR file you want to debug, thereby adding it to the Java project’s build path:

[Figure: Java Settings]

Once the JAR has been added to the build path, press the Finish button.

5. Open the JAR’s Code with Bytecode Visualizer

In the Package Explorer tab, expand your project’s Referenced Libraries to find your JAR file. Right-click on the class you want to debug and select Open with Bytecode Visualizer:

[Figure: Open with Bytecode Visualizer]

6. Set Breakpoints

With the JAR’s code now visible in Bytecode Visualizer, you can set breakpoints by double-clicking on the vertical gray bar to the left of the disassembled Java code:

[Figure: Setting a Breakpoint]

Note that Bytecode Visualizer only allows you to set breakpoints on method entrypoints (the first instruction of a method); you can’t set breakpoints on arbitrary instructions.

7. Debugging the Disassembled Code

You can now run the disassembled code by right-clicking on the class you want to debug and choosing Debug As → Java Application:

[Figure: Debug as Java Application]

In the Debug perspective view, there are buttons to Step Into Bytecode and Step Over Bytecode (circled in red below). Use the Step Over Bytecode button for standard single-stepping; use the Step Into Bytecode button only to step into calls. The Debug perspective also lets you inspect local variables in the Variables tab and add your own watches in the Expressions tab (you can add this tab via Window → Show View → Expressions in the menu bar); you can see below that I added a watch/expression for variable b:

[Figure: Debug Perspective]

As far as we’ve seen, Bytecode Visualizer does not offer a view of the raw JVM stack, but even without it, tracing the code flow via single-stepping and examining memory with the Variables and Expressions tabs should typically allow you to successfully debug your target as needed.
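Because Bytecode Visualizer only accepts breakpoints on method entry points, it helps to know every class and method in the JAR before loading it into Eclipse, and obfuscated samples often carry hundreds of one-letter names that are tedious to browse through the Package Explorer. The script below is an added example, not part of the original post or of the Bytecode Visualizer project: it walks a JAR with Python’s standard library, parses each class file’s constant pool and method table directly (the structures defined in the JVM specification, chapter 4), and prints every method with its descriptor and access flags so that breakpoint targets can be chosen up front. The `Target` class it parses by default is hand-assembled for the example (it has no Code attributes, so it parses but is not loadable); pass a real JAR path on the command line to inspect a sample instead. Names are decoded as plain UTF-8, which matches the JVM’s modified UTF-8 for the ASCII identifiers obfuscators typically emit; the JDK’s own `javap -c -p` on an extracted class file gives the same method list together with the instruction listing if you want a second opinion.

```python
"""Enumerate classes and methods inside a JAR by parsing the class-file
constant pool and method table directly, so the method-entry breakpoint
targets for Bytecode Visualizer are known before the JAR is loaded.
Added example; not code from the original post."""
import io
import struct
import sys
import zipfile

# Byte size of the fixed-length constant-pool entries, keyed by tag (JVMS 4.4).
# Tags 5 (Long) and 6 (Double) each occupy two pool slots.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
             12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def _read_members(buf, pool):
    """Read a field or method table; attributes (Code, Signature, ...) are skipped."""
    (count,) = struct.unpack(">H", buf.read(2))
    members = []
    for _ in range(count):
        flags, name_idx, desc_idx, n_attrs = struct.unpack(">HHHH", buf.read(8))
        for _ in range(n_attrs):
            _, attr_len = struct.unpack(">HI", buf.read(6))
            buf.read(attr_len)
        members.append((flags, pool[name_idx], pool[desc_idx]))
    return members


def parse_class(data):
    """Return (class_name, [(access_flags, method_name, descriptor), ...])."""
    buf = io.BytesIO(data)
    magic, _minor, _major, cp_count = struct.unpack(">IHHH", buf.read(10))
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool = [None] * cp_count          # slot 0 is unused by the JVM
    i = 1
    while i < cp_count:
        tag = buf.read(1)[0]
        if tag == 1:                  # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", buf.read(2))
            pool[i] = buf.read(length).decode("utf-8", "replace")
        elif tag == 7:                # CONSTANT_Class: u2 name_index
            (pool[i],) = struct.unpack(">H", buf.read(2))
        else:
            buf.read(_CP_FIXED[tag])
        i += 2 if tag in (5, 6) else 1
    _flags, this_class, _super, n_ifaces = struct.unpack(">HHHH", buf.read(8))
    buf.read(2 * n_ifaces)            # interface indices
    _read_members(buf, pool)          # fields: parsed only to advance past them
    methods = _read_members(buf, pool)
    return pool[pool[this_class]], methods


def list_jar_methods(jar_bytes):
    """Map each class name in a JAR (given as bytes) to its method list."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if entry.endswith(".class"):
                name, methods = parse_class(jar.read(entry))
                result[name] = methods
    return result


def _utf8(s):
    return b"\x01" + struct.pack(">H", len(s)) + s.encode("ascii")


def _class_ref(idx):
    return b"\x07" + struct.pack(">H", idx)


def build_sample_class():
    """Hand-assembled class `Target` with two attribute-less methods.
    Constructed for this example; it parses but cannot be loaded by a JVM."""
    pool = (_utf8("Target") + _class_ref(1)                      # #1, #2
            + _utf8("java/lang/Object") + _class_ref(3)          # #3, #4
            + _utf8("decode") + _utf8("([B)Ljava/lang/String;")  # #5, #6
            + _utf8("main") + _utf8("([Ljava/lang/String;)V"))   # #7, #8
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 51, 9)  # Java 7, 8 pool entries
    body = struct.pack(">HHHH", 0x0021, 2, 4, 0)         # PUBLIC|SUPER, this, super, 0 ifaces
    body += struct.pack(">H", 0)                         # no fields
    body += struct.pack(">H", 2)                         # two methods
    body += struct.pack(">HHHH", 0x000A, 5, 6, 0)        # private static decode
    body += struct.pack(">HHHH", 0x0009, 7, 8, 0)        # public static main
    body += struct.pack(">H", 0)                         # no class attributes
    return header + pool + body


def build_sample_jar():
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as jar:
        jar.writestr("Target.class", build_sample_class())
    return out.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for cls, methods in list_jar_methods(data).items():
        for flags, name, desc in methods:
            print(f"{cls}.{name}{desc}  (flags=0x{flags:04x})")
```

Run it as `python3 listmethods.py sample.jar`; each printed line is one method entry point on which a Bytecode Visualizer breakpoint can be set once the corresponding class is opened in step 5.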

For more information on Java-based malware or the adversaries using it, including detection logic or any of the adversaries tracked by CrowdStrike, please contact: intelligence@crowdstrike.com and inquire about our Intelligence subscription.
