Java：方法挂钩&查找对象实例 [英] Java: Method hooking & Finding object instances

问题描述

我有2个问题。

情况是我正在为Windows写一个 Java API 还提供了将代码注入进程然后操作目标的工具。我已经实现了注入部分，例如将jar注入另一个jar。此时我的jar被调用（目标已经在运行时），并以完整的静态上下文开始。

Hi, I have 2 problems.
The situation is that I'm writing a Java API for Windows that also provides tools for injecting code into a process and then manipulate the target. I have already implemented the injection-part, for example injecting a jar into another jar. At this point my jar gets called (while the target already is at runtime) and starts in a complete static context.

从这里我有两个目标：

1. 我想要与目标对象互动，因此我需要引用。对于许多对象，这已经成为可能，因为它们提供对其实例的静态访问。例如， awt.Frames #getFrames（）提供对所有已创建的Frame对象的访问。但如果有可能在堆上获得访问任意对象，那将是非常棒的。类似' Heap＃getAllObjectInstances（）'。


2. 给定一个对象实例，我想连接任意函数这个对象。例如，每当 BufferStrategy＃show（）被调用时，我希望它首先调用另一个方法。

1. I'd like to interact with the targets objects, thus I need references. For many objects this is already possible because they provide static access to their instances. For example awt.Frames#getFrames() provides access to all created Frame objects. But it would be awesome if there is a possibility to get access to arbitrary objects on the heap. Something like 'Heap#getAllObjectInstances()'.
2. Given an object instance, I'd like to hook up onto arbitrary functions of this object. For example whenever BufferStrategy#show() gets called, I want it to call another method first.

所以我总结问题如下：

1. 如何从静态上下文中获取任意对象引用？


2. 如何连接到任意函数？

备注

到目前为止我做了什么，评论和想法：

Remarks

What I've done so far, remarks and ideas:

1. JDI （ Java调试器接口）通过 VirtualMachine＃allClasses（） - > ReferenceType＃instances（0）提供这样的方法。但是JDI需要使用调试参数启动目标JVM ，对我来说没有选择。可以使用低级别进行分析，并使用内存工具分析堆，但我希望有人知道更强大的高级方法。使用Windows API对我来说是一个选项，因为我熟悉 JNA / JNI ，但我不知道这样的工具。


2. 最后一个度假将使用 IAT挂钩与C-Code，一种非常低级的方法，我想避免这种。我可以假设此时有一个对象引用， Reflection API 可能提供了一种更改对象方​​法的方法吗？或者至少简单地提供一个钩子机制？

1. The JDI (Java Debugger Interface) provides such a method via VirtualMachine#allClasses() -> ReferenceType#instances(0). But the JDI needs the target JVM to be started with additional debug parameter which is no option for me. One could go down to low-level and analyze the heap with memory tools, but I hope someone knows a more high-level approach. Using the Windows API would be an option for me as I'm familiar with JNA/JNI, but I don't know such a tool.
2. The last resort would be to use IAT hooking with C-Code, a very low-level approach, I'd like to avoid this. As I can assume having a object reference at this point, maybe does the Reflection API provide a method to change an objects method? Or at least simply provide a hooking mechanism?

请注意，更改目标代码当然不是我的选择。并且它已经在运行时，因此ByteCode-Manipulation也可以是一个选项。

Be aware that changing the targeted code certainly is no option for me. And that it is already at runtime, thus ByteCode-Manipulation could also be an option.

A这会派上用场：

目标是游戏，部署为jar。它使用 BufferStrategy 类以 Double-Buffer-Strategy 呈现。它使用 BufferStrategy＃show（）显示图像。我们在游戏中注入jar并喜欢绘制带有附加信息的叠加层。为此，我们获得对使用过的 BufferStrategy 的引用，并连接到 show -method。因此，只要每次调用它都会调用drawOverlay-method ，然后我们会传回原来的 show-method 。

A scenario where this would come in handy:
The target is a game, deployed as jar. It renders with a Double-Buffer-Strategy, using the BufferStrategy class. It displays the image with BufferStrategy#show(). We inject our jar inside the game and like to draw an overlay with additional information. For this we get an reference to the used BufferStrategy and hook up onto its show-method. So that it calls our drawOverlay-method everytime it gets called, then we pass back to the original show-method.

推荐答案

您需要的是JVMTI代理 - 一个使用 JVM工具接口。

What you need is JVMTI agent - a native library that makes use of JVM Tool Interface.

可以使用附加API 。

参见 VirtualMachine.loadAgentPath 。

1. 获取给定的所有实例class use JVMTI IterateOverInstancesOfClass 函数。
   
   请参阅相关问题了解详情。

要拦截外来类的方法，您需要JVMTI RetransformClasses API。使用Java级别的检测API也可以实现相同的目的，参见 Instrumentation.retransformClasses 。

To intercept a method of a foreign class you'll need JVMTI RetransformClasses API. The same can be also achieved by using Java-level instrumentation API, see Instrumentation.retransformClasses.

对于JVMTI级方法拦截的示例，请参阅Oracle JDK演示和示例包中的 demo / jvmti / mtrace 。

For the example of JVMTI-level method interception refer to demo/jvmti/mtrace from Oracle JDK demos and samples package.

使用字节码操作库（如 Byte Buddy ）可以更轻松地使用Java级别的工具。

Java-level instrumentation will be easier with bytecode manipulation libraries like Byte Buddy.

这篇关于Java：方法挂钩&查找对象实例的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！