Speaker(s): Jeff Dileo
It's 2018, and analyzing even unobfuscated code running on the JVM is still a pretty miserable experience. And that's just Java, just wait until malware starts getting written in Clojure! Most of the available tooling is focused on minimal tracing of method entry/exits, and many are just different wrappers/clients communicating with the same stale JDWP JVMTI agent that implements jdb's notoriously slow debugging. When one eventually needs more than just basic tracing, JDWP always comes up short.
Why not just hook all the things with dynamic instrumentation? Historically, the answer to this question has been that writing such instrumentation was painful, the instrumentation itself was brittle, and code was modified in very detectable ways. JVM instrumentation techniques have come a long way since then.
This presentation will introduce an ideal framework for the design and implementation of effective function hooks targeting the JVM, including backwards-compatibility, cross-platform, and Java 9 support. In addition, this talk will focus on the following capabilities necessary for usable function hooking, and the design, library, and custom implementation choices made to achieve them in a new open-source cross-platform framework:
- Flexible matching selectors
- Prevention of stack trace corruption
- Hook injection, management, and removal
- Hot reloading of hook code
Jeff Dileo is a security consultant by day, and sometimes by night. He hacks on embedded systems, mobile apps and devices, web apps, and complicated things that don't have names. He also likes exotic candies.