How to dump classes loaded into memory? Java

Time:04-03

I am trying to access a Java package loaded into memory and dump it to a file. Here is how the security works: there is an exe packed with Themida that contains the Java main class code to be loaded. At runtime the Themida exe loads the clean main class Java code into memory. The software is structured with the loader being contained within the exe, but several external libraries can access the packages contained within the exe. So, exe contains com.mysoft.mainloader. But the clean jar library Mylib.jar can call functions within com.mysoft.mainloader. How do I dump com.mysoft.mainloader to a jar file? Can I modify Mylib.jar to dump it as it has access to the package once it is loaded as well?

CodePudding user response:

There is no supported Java SE mechanism to read / retrieve a ".class" that has been loaded by a classloader. So your options would be:

  • Modify the custom classloader you are using to capture the ".class" before (or after) the classloader calls defineClass.

  • Burrow into the JVM data structures to try and figure out whether the entire ".class" stream is captured somewhere and then retrieve it.

  • Modify the JVM ...

Any of these could be feasible. All will be relatively difficult.

CodePudding user response:

It is possible to get loaded classes at runtime using Dynamic Attach and the Instrumentation API.

The idea is to inject a Java Agent into the running application.
The agent gets an array of all loaded classes with Instrumentation.getAllLoadedClasses method, then gets their bytecode using Instrumentation.retransformClasses.

The working implementation can be found in the class-file-extractor project.

Usage:

java -jar extractor.jar <pid> mainloader.jar com.mysoft.mainloader

where

  • <pid> is the process ID of the target JVM application;
  • mainloader.jar is the output file name;
  • com.mysoft.mainloader is the name prefix of the classes to extract.
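
The agent side of the approach in the answer above, as an added example (not code from the class-file-extractor project or from the answer's author): a retransformation-capable transformer records the bytes the JVM hands it for each matching class. The class name DumpAgent and the "prefix,output dir" argument format are assumptions of this sketch; the agent jar would be loaded into the target with the JDK Attach API (VirtualMachine.attach(pid).loadAgent(jar, args)).

```java
import java.io.IOException;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.nio.file.*;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;

// Hypothetical agent; the jar manifest needs "Agent-Class: DumpAgent" and
// "Can-Retransform-Classes: true".
public class DumpAgent {
    // agentArgs format is an assumption of this example: "<name prefix>,<output dir>"
    public static void agentmain(String agentArgs, Instrumentation inst) throws Exception {
        String[] parts = agentArgs.split(",", 2);
        String internalPrefix = parts[0].replace('.', '/'); // transformers see a/b/C names
        Path outDir = Paths.get(parts[1]).toAbsolutePath().normalize();

        ClassFileTransformer dumper = new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String name, Class<?> cls,
                                    ProtectionDomain pd, byte[] classfile) {
                if (name == null || !name.startsWith(internalPrefix)) return null;
                Path target = outDir.resolve(name + ".class").normalize();
                if (!target.startsWith(outDir)) return null; // class name must not escape outDir
                try {
                    Files.createDirectories(target.getParent());
                    Files.write(target, classfile);
                } catch (IOException e) {
                    e.printStackTrace();
                }
                return null; // null tells the JVM to keep the class unchanged
            }
        };

        inst.addTransformer(dumper, true); // true = also called on retransformation
        try {
            List<Class<?>> wanted = new ArrayList<>();
            for (Class<?> c : inst.getAllLoadedClasses()) {
                if (c.getName().startsWith(parts[0]) && inst.isModifiableClass(c)) wanted.add(c);
            }
            // Triggers transform() for each class with its current class file bytes.
            if (!wanted.isEmpty()) inst.retransformClasses(wanted.toArray(new Class<?>[0]));
        } finally {
            inst.removeTransformer(dumper);
        }
    }
}
```

A HotSpot JVM started with -XX:+DisableAttachMechanism refuses the attach step, so this path is only available when the target process permits Dynamic Attach.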