This is a very quick demo to show that arbitrary process injection is possible in Oracle and OpenJDK's JVMs. This is apparently a somewhat known issue. The attack works like this:
- Identify a target process. In my demo video, I do this manually using jps. However jps is written in Java so it stands to reason you can automate this.
- Pass the pid of the target process to VirtualMachine.attach(pid).
- Specify an agent (special code that normally instruments a Java process legitimately).
- Your code is injected!
This code serves two purposes: it is both the attacher that connects to other processes and the Java agent that gets loaded into them. Java has an instrumentation API, but it is normally reached only one way: the process being instrumented itself specifies an agent that intercepts and manipulates its code as it is running. The code in this repository bypasses that requirement.
The code to attach can be found in AttachDemo.java.
The agent code can be found in SimpleAgent.java. Please note that for agents being injected at runtime, the code you want to inject belongs in the agentmain method.
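The injection described above goes through HotSpot's dynamic attach listener, which an operator can turn off for a JVM by starting it with -XX:+DisableAttachMechanism; once something has attached, the listener keeps a Unix socket named .java_pid&lt;pid&gt; in the JVM's temp directory (/tmp by default on Linux and macOS). The POSIX shell helpers below are an added example for auditing a host from the defender's side and are not part of this repository's code: attach_disabled checks a command line for the flag, attach_listener_present looks for the listener socket (the temp directory is a parameter so it can be exercised on constructed data), and audit_running_jvms walks /proc on Linux and reports each JVM that still accepts attaches or already has a listener. The /proc layout, the /tmp default and the pid 4242 sample are assumptions of this example.

```shell
#!/bin/sh
# Added audit helpers (example code, not part of the original demo).

# Returns 0 when the command line carries -XX:+DisableAttachMechanism as a whole
# token, 1 otherwise. Usage: attach_disabled "$cmdline"
attach_disabled() {
    case " $1 " in
        *" -XX:+DisableAttachMechanism "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when an attach-listener socket exists for the given pid.
# HotSpot on Linux/macOS names it <tmpdir>/.java_pid<pid>; the temp dir
# defaults to /tmp (assumption: default java.io.tmpdir) but can be passed
# explicitly so the check can run against constructed test data.
attach_listener_present() {
    pid=$1
    tmpdir=${2:-/tmp}
    [ -e "$tmpdir/.java_pid$pid" ]
}

# Audit every running JVM on a Linux host (assumes /proc): print its pid,
# whether the attach mechanism is still enabled, whether a listener socket
# already exists, and the command line. Prints nothing on hosts without /proc.
audit_running_jvms() {
    for cmdfile in /proc/[0-9]*/cmdline; do
        pid=${cmdfile#/proc/}
        pid=${pid%/cmdline}
        # /proc cmdline is NUL-separated; turn it into a space-separated string.
        cmdline=$(tr '\0' ' ' < "$cmdfile" 2>/dev/null) || continue
        case "$cmdline" in *java*) ;; *) continue ;; esac
        if attach_disabled "$cmdline"; then
            status="attach-disabled"
        else
            status="attach-ENABLED"
        fi
        if attach_listener_present "$pid"; then
            status="$status listener-socket-present"
        fi
        echo "$pid $status $cmdline"
    done
}
```

Run audit_running_jvms as the same user that owns the JVMs you care about (HotSpot only allows attaches from the owning uid, so a process list seen as root covers every JVM on the box). A JVM reported as attach-ENABLED is one that this demo's attacher could target; a listener socket on a JVM that no tooling should be attached to is worth investigating.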
It turns out, there is a real-world example of this that I found after some digging.
To use this demo, download this code and type ./gradlew jar. This will create the agent jar you need in the build/libs folder. Then specify the path of the jar to AttachDemo in the code (or make it a command line argument).
You should get a result similar to the following:
