问题
I have to evaluate how difficult it would be to extract some object (e.g. java.security.PrivateKey) from memory of a running java program.
I'm not very into this low level memory stuff, so I started out with small C programs and familiarized myself with gdb, /proc/<pid>/maps, /proc/<pid>/mem and a script that dumps all the memory areas.
However, things change when switching to java. Memory is allocated and managed very differently with java thanks to garbage collection. In C programs I'd look at a stack address and know for certain that it contained the variable I wanted to extract.
So my questions are:
- Do Java objects have some kind of type ID so I can locate objects of that type in a memory dump?
- If so, how do I find out the ID of a type (e.g. what's the ID of a
String)? - If there is no such type ID, what other possibilities would attackers have to extract, let's say, a
java.security.PrivateKeyfrom a java process?
Suppose that JMX is turned off.
Thanks for your help
回答1:
This is even easier than you might think :)
HotSpot Serviceability Agent does the magic. It can open a core dump or attach to a live Java process using ptrace and then extract the layout of JVM structures and all Java objects. No cooperation from target JVM is needed. This works even when JMX and Attach Mechanism are disabled.
Here is an example how to inspect the instances of a given class in the remote JVM.sa-jdi.jar must be in the classpath to work with Serviceability Agent.
Finally the easiest solution ever. Run
jmap -F -dump:format=b,file=heap.bin PID
Note -F argument - it forces jmap to use Serviceability Agent to make the heap dump.
P.S. Here are the sources of SA if you'd like to know how it works under the hood.
来源:https://stackoverflow.com/questions/32605962/locate-and-read-objects-of-a-specific-type-from-memory-of-a-running-java-program