Locate and read objects of a specific type from memory of a running Java program


Question

I have to evaluate how difficult it would be to extract some object (e.g. java.security.PrivateKey) from the memory of a running Java program.

I'm not very into this low-level memory stuff, so I started out with small C programs and familiarized myself with gdb, /proc/<pid>/maps, /proc/<pid>/mem and a script that dumps all the memory areas.

However, things change when switching to Java. Memory is allocated and managed very differently with Java thanks to garbage collection. In C programs I'd look at a stack address and know for certain that it contained the variable I wanted to extract.

So my questions are:

  1. Do Java objects have some kind of type ID so I can locate objects of that type in a memory dump?
  2. If so, how do I find out the ID of a type (e.g. what's the ID of a String)?
  3. If there is no such type ID, what other possibilities would attackers have to extract, let's say, a java.security.PrivateKey from a Java process?

Assume JMX is turned off.

Thanks for your help.

Recommended answer

This is even easier than you might think :)

The HotSpot Serviceability Agent does the magic. It can open a core dump or attach to a live Java process using ptrace and then extract the layout of JVM structures and all Java objects. No cooperation from the target JVM is needed. This works even when JMX and the Attach Mechanism are disabled.

Here is an example of how to inspect the instances of a given class in the remote JVM.
sa-jdi.jar must be in the classpath to work with the Serviceability Agent.

Finally, the easiest solution ever. Run jmap -F -dump:format=b,file=heap.bin PID
Note the -F argument: it forces jmap to use the Serviceability Agent to make the heap dump.

P.S. Here are the sources of SA if you'd like to know how it works under the hood.
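The following is an added example of the approach the answer describes, written for this page; it is not the answer's own linked code. It attaches to a live JVM through the Serviceability Agent, walks the object heap once and prints every object whose class is a subtype of the requested class, optionally hex-dumping one byte[] field of each match. It assumes JDK 8's sa-jdi.jar on the classpath (the SystemDictionary.find and Tool.execute signatures are the JDK 8 ones), that Klass.isSubtypeOf matches implemented interfaces for InstanceKlass as in the JDK 8 agent, and ptrace permission on the target (same user with ptrace_scope allowing it, or root). The class name FindInstances and the constant MAX_HEX_BYTES are this example's own; the field name "key" in the usage line refers to the raw key byte[] of JDK 8's sun.security.pkcs.PKCS8Key, the superclass of the built-in private key implementations.

```java
import java.io.PrintStream;

import sun.jvm.hotspot.oops.DefaultHeapVisitor;
import sun.jvm.hotspot.oops.Field;
import sun.jvm.hotspot.oops.InstanceKlass;
import sun.jvm.hotspot.oops.Klass;
import sun.jvm.hotspot.oops.Oop;
import sun.jvm.hotspot.oops.OopField;
import sun.jvm.hotspot.oops.TypeArray;
import sun.jvm.hotspot.runtime.VM;
import sun.jvm.hotspot.tools.Tool;

/*
 * Added example, not the answer's own code. Assumes JDK 8 sa-jdi.jar.
 *
 * Usage: java -cp $JAVA_HOME/lib/sa-jdi.jar:. FindInstances <pid> <class/with/slashes> [byteArrayField]
 * e.g.   java -cp $JAVA_HOME/lib/sa-jdi.jar:. FindInstances 4242 java/security/PrivateKey key
 */
public class FindInstances extends Tool {
    private static final int MAX_HEX_BYTES = 32;   // listing limit; raise it to dump whole keys

    private final String className;   // JVM-internal name, e.g. java/security/PrivateKey
    private final String fieldName;   // byte[] instance field to dump, or null

    private FindInstances(String className, String fieldName) {
        this.className = className;
        this.fieldName = fieldName;
    }

    public static void main(String[] args) {
        if (args.length < 2 || args.length > 3) {
            System.err.println("usage: FindInstances <pid> <class/with/slashes> [byteArrayField]");
            System.exit(2);
        }
        FindInstances tool = new FindInstances(args[1], args.length == 3 ? args[2] : null);
        // Tool.execute() with a single argument attaches to that pid via ptrace,
        // calls run(), detaches and exits the tool process.
        tool.execute(new String[] { args[0] });
    }

    @Override
    public void run() {
        VM vm = VM.getVM();
        // The system dictionary maps class names to Klass structures, the per-class
        // metadata that every object header points at (this is the "type ID").
        final Klass target = vm.getSystemDictionary().find(className, null, null);
        if (target == null) {
            System.out.println("class not loaded in target JVM: " + className);
            return;
        }
        final PrintStream out = System.out;
        final int[] matches = { 0 };

        vm.getObjectHeap().iterate(new DefaultHeapVisitor() {
            @Override
            public boolean doObj(Oop oop) {
                Klass k = oop.getKlass();
                // Subtype test rather than exact match, so an interface such as
                // java/security/PrivateKey finds the concrete *KeyImpl objects.
                if (k == null || !k.isSubtypeOf(target)) {
                    return false;           // false = keep iterating
                }
                matches[0]++;
                out.print(k.getName().asString() + " @ " + oop.getHandle());
                if (fieldName != null && k instanceof InstanceKlass) {
                    dumpByteArrayField((InstanceKlass) k, oop, out);
                }
                out.println();
                return false;
            }
        });
        out.println(matches[0] + " live object(s) of type " + className);
    }

    /** Reads one byte[] instance field straight out of the target process's memory. */
    private void dumpByteArrayField(InstanceKlass k, Oop oop, PrintStream out) {
        // findField() searches the class, its superclasses and interfaces; "[B" = byte[]
        Field f = k.findField(fieldName, "[B");
        if (!(f instanceof OopField)) {
            out.print("   (no byte[] field named " + fieldName + ")");
            return;
        }
        Oop value = ((OopField) f).getValue(oop);
        if (!(value instanceof TypeArray)) {
            out.print("   " + fieldName + " = null");
            return;
        }
        TypeArray bytes = (TypeArray) value;
        long len = bytes.getLength();
        StringBuilder hex = new StringBuilder();
        for (long i = 0; i < Math.min(len, MAX_HEX_BYTES); i++) {
            hex.append(String.format("%02x", bytes.getByteAt(i) & 0xff));
        }
        out.print("   " + fieldName + "[" + len + "] = " + hex + (len > MAX_HEX_BYTES ? "..." : ""));
    }
}
```

This is the check a practitioner wants before trusting any "keys never leave the JVM" assumption: anyone who can ptrace the process (same uid, or root, subject to the kernel's ptrace_scope setting) can enumerate objects by class and read their fields without JMX, the attach mechanism or any cooperation from the target. Stopping the target while the agent walks the heap is normal, so expect a pause of a few seconds on large heaps.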
