12 September, 2007

Java code injection via WinAPI's CreateRemoteThread function

There is the way to inject some functionality into JVM (Java Virtual Machine) from another process or another JVM.

It works only in Windows NT/200/XP and uses WinAPI functions.
Today I publish this solution.

How it works:
  • User compiles Injector.class, Injector.dll, Insider.dll from sources (via make.bat)

  • User starts java application (e.g.: start java -jar %JAVA_HOME%\demo\jfc\Notepad\notepad.jar) in the JVM-1

  • User recognises the PID (process id) of started application (via Task Manager)

  • User executes java -Djava.library.path=. Injector (starts JVM-2) and enters PID of JVM-1


  • JVM-1 calls Injector.dll's native function

  • Injector.dll calls CreateRemoteThread WinAPI function and loads Insider.dll into JVM-1

  • Insider.dll attaches to JVM-1 via JNI, defines new class from bytes array and loads it.
    !!! In this case class's bytecode stores as a jbyte clazz[] array within the Insider.dll

  • And then new class works in the JVM-1





Injected class only prints numbers within JVM-1's console:




Sources:

Bin2H.java
Injector.cpp
Injector.java
Insider.java
insider.cpp
make.bat

listed below:


Bin2H.java

public class Bin2H {
public static void main(String[] args) throws Exception {
System.out.print("#include <jni.h>\nconst jbyte clazz[]={");
for (int i = System.in.read(); i >= 0; i = System.in.read())
System.out.print(Integer.toString(i) + ",");
System.out.print("};");
}
}



Injector.cpp

#include <windows.h>
#include <jni.h>
#include "injector.h"


void Inject (unsigned long PID, const char *dllname)
{
DWORD hLibModule;

HMODULE hKernel32 = GetModuleHandle (TEXT ("Kernel32"));

void *hProcess = OpenProcess (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
PROCESS_VM_WRITE, false, PID);
int cch = strlen (dllname) + 1;
void *pLibRemote = VirtualAllocEx (hProcess, NULL, cch, MEM_COMMIT,
PAGE_READWRITE);

WriteProcessMemory (hProcess, pLibRemote, (void *) dllname, cch, NULL);

HANDLE hThread = CreateRemoteThread (hProcess, NULL, 0,
(PTHREAD_START_ROUTINE)
GetProcAddress (hKernel32,
"LoadLibraryA"),
pLibRemote, 0, NULL);

WaitForSingleObject (hThread, INFINITE);
GetExitCodeThread( hThread, &hLibModule );
CloseHandle (hThread);

VirtualFreeEx (hProcess, pLibRemote, sizeof (dllname), MEM_RELEASE);

hThread = CreateRemoteThread (hProcess, NULL, 0,
(PTHREAD_START_ROUTINE) GetProcAddress (hKernel32,
"FreeLibrary"),
(void *) hLibModule, 0, NULL);
WaitForSingleObject (hThread, INFINITE);
CloseHandle (hThread);
}

void JNICALL Java_Injector_inject (JNIEnv * env, jclass, jint pid, jstring dll)
{
try
{
Inject (pid, env->GetStringUTFChars (dll, NULL));
} catch (...)
{
MessageBox (NULL, "Exception::Inject", "Injector", MB_ICONERROR);
}
}




Injector.java

import java.io.File;
import java.io.IOException;

public class Injector {
public static native void inject(int pid, String dll);

public static void main(String[] args) {
System.loadLibrary("Injector");
byte[] str = new byte[5];
try {
System.in.read(str);
System.out.println(new File("").getAbsolutePath()+"\\insider.dll");
inject(Integer.parseInt(new String(str).trim()), new File("").getAbsolutePath()+"\\insider.dll");
} catch (IOException e) {
e.printStackTrace();
}
}
}




insider.cpp

#include <windows.h>
#include <jni.h>
#include "insider.h"

BOOL APIENTRY
DllMain (HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
if (ul_reason_for_call == DLL_PROCESS_ATTACH)
{
JavaVM *vmBuf;
JNIEnv *env;
jsize nVMs;
jint res = 0;
jclass resjclass = NULL;
try
{
res = JNI_GetCreatedJavaVMs (&vmBuf, 1, &nVMs);
if (res != JNI_OK || nVMs < 1)
{
MessageBox (NULL, "JVMs not found", "Insider", MB_ICONERROR);
return FALSE;
}

}
catch (...)
{
MessageBox (NULL, "Exception:JNI_GetCreatedJavaVMs", "Insider",
MB_ICONERROR);
return FALSE;
}


try
{
res = vmBuf[0].AttachCurrentThread ((void **) &env, NULL);
if (res != JNI_OK)
{
MessageBox (NULL, "Can't attach to JVM", "Insider", MB_ICONERROR);
return FALSE;
}
}
catch (...)
{
MessageBox (NULL, "Exception:AttachCurrentThread", "Insider",
MB_ICONERROR);
return FALSE;
}

try
{
resjclass = env->DefineClass ("Insider", NULL, clazz, sizeof (clazz));
if (resjclass == NULL)
{
MessageBox (NULL, "Error Define Class", "Insider", MB_ICONERROR);
return FALSE;
}
resjclass = env->FindClass ("Insider");
if (resjclass == NULL)
{
MessageBox (NULL, "Error Load Class", "Insider", MB_ICONERROR);
return FALSE;
}
}
catch (...)
{
MessageBox (NULL, "Exception:DefineClass,FindClass", "Insider",
MB_ICONERROR);
}
try
{
vmBuf[0].DetachCurrentThread ();
}
catch (...)
{
MessageBox (NULL, "Exception:DetachCurrentThread", "Insider",
MB_ICONERROR);
return FALSE;
}

}

return TRUE;
}




Insider.java

//Warning: Make Insider as single class!

public class Insider implements Runnable {
static {
Thread t = new Thread(new Insider());
t.setPriority(Thread.MIN_PRIORITY);
t.setDaemon(true);
t.start();
}

public void run() {
int i = 0;
while (true) {
System.out.println(i++);
try {
Thread.sleep(300);
} catch (InterruptedException e) {
break;
}
}
}
}




make.bat

@echo off
call "E:\Devel\Microsoft Visual Studio\VC98\Bin\vcvars32.bat"
set JAVA_HOME=E:\Devel\jdk1.5.0_09

set PATH=%PATH%;%JAVA_HOME%\bin

rd /Q /S out
md out

javac -d out Injector.java
javah -classpath out Injector
javac -source 1.3 -target 1.1 Insider.java
javac Bin2H.java
type Insider.class |java Bin2H >insider.h
del Bin2H.class
del Insider.class

cl.exe /c -GX /I%JAVA_HOME%\include /I%JAVA_HOME%\include\win32 Injector.cpp
link /DLL /OUT:out/Injector.dll kernel32.lib user32.lib gdi32.lib Injector.obj

cl.exe /c -GX /I%JAVA_HOME%\include /I%JAVA_HOME%\include\win32 Insider.cpp
link /DLL /OUT:out/Insider.dll kernel32.lib user32.lib gdi32.lib %JAVA_HOME%\lib\jvm.lib Insider.obj

del Insider.obj
del Injector.obj
del Injector.h
del Insider.h
del out\Injector.exp
del out\Injector.lib

echo java -Djava.library.path=. Injector>out\injector.bat
echo start java -jar %JAVA_HOME%\demo\jfc\Notepad\notepad.jar Notepad >out\demo.bat



How do you like it?



You may download these sources from Xantorohara.blogspot.com samples

11 September, 2007

HTML Encoder

I've released new online service: HTML Encoder
It replaces ampersands, tabs, less/greater braces and prepares source code for posting into blog.

If you prefer shell scripts, you may use this:

sed -e 's/\x26/\&amp;/g;s/\x3c/\&lt;/g;s/\x3e/\&gt;/g' sourcefile.txt | expand -t 4 >sourcefile.blog


See this project on GitHub

10 September, 2007

Javascript injection

There is the way to include javascript into any html pages via 'javascript:' protocol. Internet Explorer and FireFox support this.
Just open web page and replace site's URL with some javascript e.g.: javascript: alert('WOW!');

I've released online tool for web developers that based on this feature - Hyperbox. Developers can use it for design tasks.

It is simple to use:
  • Open any site (e.g.: google.com).
  • Replace site's URL with this string:

    javascript:(function(){var s=document.createElement('script'); s.src='http://xantorohara.jino-net.ru/hyperbox/hyperbox.js'; s.type='text/javascript'; document.getElementsByTagName('head')[0].appendChild(s); })();

  • Move it, resize, change color and borders, measure.



This javascript tool is absolutely free for using and modifying.
Everybody may download the script from my site and investigate it.

09 September, 2007

Lord of the Rings. MSSP, MSDP ring protection

I was system architect in the telecommunication company several years ago.
And I am the author of the Network Managament System (NMS) for SDH, PDH, Ethernet networks and equipment.
The most interesting things in the SDH/PDH - theirs protection schemes:

  • MSDP Ring (Dedicated ring). One unidirectional ring for main traffic and one for protection.

  • MSSP Ring 2-Fiber (Shared ring). 1/2 of bidirectional ring for main traffic and 1/2 for protection.

  • MSSP Ring 4-Fiber (Shared ring). One bidirectional ring for main traffic and one for protection.


It is possible to use protecting channels for not protected (NOP) traffic while ring works without breaks.

OS input events generation

The simplest way to generate system input events (mouse and keyboard) is using Robot class from Java API.

Source code that listed below, moves mouse over the screen and presses mouse's button.


JRobot.java

import java.awt.AWTException;
import java.awt.Dimension;
import java.awt.Point;
import java.awt.Robot;
import java.awt.Toolkit;
import java.awt.event.InputEvent;

public class JRobot {
private Robot robot = null;

private Point point = new Point(0, 0);

private void relativeMouseMove(int x, int y) {
point.x+=x;
point.y+=y;
robot.mouseMove(point.x, point.y);
}

private JRobot() {
try {
robot = new Robot();
} catch (AWTException e) {
e.printStackTrace();
return;
}
robot.setAutoDelay(1);

Dimension screen = Toolkit.getDefaultToolkit().getScreenSize();
relativeMouseMove(32, screen.height - 8);
robot.mousePress(InputEvent.BUTTON1_MASK);

for (int i = 0; i < 256; i++) {
relativeMouseMove(0, -1);
}
robot.delay(300);
robot.waitForIdle();
for (int i = 0; i < 256; i++) {
relativeMouseMove(1, 0);
}

}

public static void main(String[] args) {
new JRobot();
}
}



It is possible to use Robot for the various purposes ;-)

Interactive Graphical System

In the earliest days of my programming career I wrote many simple-minded programs.

One of them - Interactive Graphical System (IGS), in that (х31у32х2у+а3ху24х25у26ху+а7х+а8у+а9=0) mathematical formula was implemented.



It was written on Borland C++, at university, many years ago...

SWT events capturing

Year ago I wrote this small SWT application that introduces how grab of SWT events works.


Launcher.java

import java.util.Hashtable;
import java.util.Map;
import java.util.Set;

import org.eclipse.swt.SWT;
import org.eclipse.swt.widgets.Button;
import org.eclipse.swt.widgets.Display;
import org.eclipse.swt.widgets.Event;
import org.eclipse.swt.widgets.Listener;
import org.eclipse.swt.widgets.MessageBox;
import org.eclipse.swt.widgets.Shell;

public class Launcher {
private Shell shell;

private Map<Integer, String> eventMap = new Hashtable<Integer, String>();
{
eventMap.put(SWT.Paint, "Paint");
eventMap.put(SWT.Selection, "Selection");
eventMap.put(SWT.DefaultSelection, "DefaultSelection");
eventMap.put(SWT.Dispose, "Dispose");
eventMap.put(SWT.FocusIn, "FocusIn");
eventMap.put(SWT.FocusOut, "FocusOut");
eventMap.put(SWT.Hide, "Hide");
eventMap.put(SWT.Show, "Show");
eventMap.put(SWT.KeyDown, "KeyDown");
eventMap.put(SWT.KeyUp, "KeyUp");
eventMap.put(SWT.MouseDown, "MouseDown");
eventMap.put(SWT.MouseUp, "MouseUp");
eventMap.put(SWT.MouseDoubleClick, "MouseDoubleClick");
eventMap.put(SWT.MouseMove, "MouseMove");
eventMap.put(SWT.Resize, "Resize");
eventMap.put(SWT.Move, "Move");
eventMap.put(SWT.Close, "Close");
eventMap.put(SWT.Activate, "Activate");
eventMap.put(SWT.Deactivate, "Deactivate");
eventMap.put(SWT.Iconify, "Iconify");
eventMap.put(SWT.Deiconify, "Deiconify");
eventMap.put(SWT.Expand, "Expand");
eventMap.put(SWT.Collapse, "Collapse");
eventMap.put(SWT.Modify, "Modify");
eventMap.put(SWT.Verify, "Verify");
eventMap.put(SWT.Help, "Help");
eventMap.put(SWT.Arm, "Arm");
eventMap.put(SWT.MouseExit, "MouseExit");
eventMap.put(SWT.MouseEnter, "MouseEnter");
eventMap.put(SWT.MouseHover, "MouseHover");
eventMap.put(SWT.Traverse, "Traverse");
}

private Listener uniListener = new Listener() {
public void handleEvent(Event event) {
String eventName = eventMap.get(event.type);
if (eventName != null)
System.out
.println(eventName + " \t " + event.widget.getClass());
}
};

private void addHooks(Display display) {
Set<Integer> eventTypes = eventMap.keySet();
for (Integer eventType : eventTypes)
display.addFilter(eventType, uniListener);
}

private void removeHooks(Display display) {
Set<Integer> eventTypes = eventMap.keySet();
for (Integer eventType : eventTypes)
display.removeFilter(eventType, uniListener);
}

public Launcher() {
super();
Display display = new Display();
shell = new Shell(display);
shell.setText("SWTAppNQ3");
shell.setSize(320, 240);
Button button = new Button(shell, SWT.NONE);
button.setText("Cool Button");
button
.addSelectionListener(new org.eclipse.swt.events.SelectionAdapter() {
public void widgetSelected(
org.eclipse.swt.events.SelectionEvent e) {
MessageBox messageBox = new MessageBox(shell);
messageBox.setMessage("Pressed");
messageBox.open();
}
});

button.pack();
addHooks(display);

shell.open();

while (!shell.isDisposed()) {
if (!display.readAndDispatch()) {
display.sleep();
}
}
removeHooks(display);
display.dispose();
}

public static void main(String[] args) {
new Launcher();
}
}


This program in action:

SWT development quick start

SWT: The Standard Widget Toolkit - is open source UI toolkit for Java applications.

SWT contains powerful set of widgets - UI components.
SWT applications work fast, because this toolkit based on native OS libraries.
And development of SWT applications is pretty simple.

  • List of SWT UI components you can see at Widgets page.

  • Snippets page contains many SWT samples. It is a good idea to download all these examples and review theirs.

  • Start Eclipse, create new Java project.

  • Put downloaded snippets into the project's src directory.

  • Add SWT library to the project's build path from the Eclipse's plugins directory (e.g.: plugins/org.eclipse.swt.win32.win32.x86_3.2.0.v3232m.jar).

  • Then select on of the snippets and run it.

  • Does it work? :-)






You may download these sources from Xantorohara.blogspot.com samples