SANS Digital Forensics and Incident Response Blog

Reverse Enginnering Java

You have just come across a site compromise. You believe that the client was impacted due to a malicious java .class file on a rogue website that they visited. The class file is compiled, what can you do?

Luckily, java class files are simple to reverse engineer. In fact, using just the native JDK, the process could not be much simpler (the setting of classpath and ensuring that your java JDK is configured correctly is critical).

At the simplest, the process would be to use the command:

  • javac -c classfile

The '-c' option is used to specify that you want to decompile the java bytecode.

The term 'classfile' is where you specify the file that you are seeking to decode.

When reversing java based malware, the chances are that the code will have been obscured. This means that the stages above are not the totality of accessing the code. Compression and cryptors are some of the methods deployed. This will add a layer of obsfucation to the code.

For instance, a compressed class file could be called by the code you have decoded. This initial layer of code would hence form a shell that makes the code that actually did the damage harder to analyse. On top of this, a few simple techniques (such as using Unicode to hide strings) can be deployed.

You may not get a native java file, but at least you have the constructors and variables used and this gets you a long way into understanding the code.

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Stuart University where he is helping to launch a Masters degree in digital forensics. He is engaged in his second doctorate, a PhD on the quantification of information system risk at CSU.