SANS Digital Forensics and Incident Response Blog: Tag - decompilation

Reverse Engineering Java

You have just come across a site compromise. You believe that the client was impacted due to a malicious java .class file on a rogue website that they visited. The class file is compiled, what can you do?

Luckily, Java class files are simple to reverse engineer. In fact, using just the tools shipped with the JDK, the process could not be much simpler (setting the classpath and ensuring that your JDK is configured correctly is critical).

At the simplest, the process would be to use the command:

  • javap -c classfile

The '-c' option tells javap to disassemble the class file and print the JVM bytecode instructions of each method (javac is the compiler and has no such option; the disassembler is javap).

The term 'classfile' is where you specify the class (or the path to the .class file) that you are seeking to decode.

When reversing java based malware, the chances are that the code will have been obscured. This means that the stages above are not the totality of accessing the code. Compression and cryptors are some of the methods deployed. This will add a layer of
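Before handing a suspect file to javap, it is worth confirming that it really is a plain class file and pulling the class and string names out of its constant pool, since a wrong magic number or an almost empty pool is the first hint of the compression and cryptor layers described above. The following parser is an added example, not code from the SANS post; the class-file bytes it parses are constructed inline (a minimal header and constant pool, not a real sample) and the Java release mapping assumes the standard major-version numbering (49 = Java 5, 52 = Java 8, ...).

```python
import struct
from typing import Dict, List, Optional

CLASS_MAGIC = 0xCAFEBABE
# Body size of the fixed-width constant-pool entries, keyed by tag (JVM spec, section 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def is_class_file(data: bytes) -> bool:
    """True if the file starts with the 0xCAFEBABE magic; anything else is not a bare .class."""
    return len(data) >= 4 and struct.unpack_from(">I", data, 0)[0] == CLASS_MAGIC


def parse_class(data: bytes) -> dict:
    """Parse header and constant pool; return version, Utf8 strings, this_class and super_class."""
    if not is_class_file(data):
        raise ValueError("bad magic: packed, encrypted, or not a class file at all")
    minor, major, cp_count = struct.unpack_from(">HHH", data, 4)
    pool: Dict[int, object] = {}
    off, idx = 10, 1
    while idx < cp_count:                      # constant_pool_count is number of slots + 1
        tag = data[off]
        off += 1
        if tag == 1:                           # CONSTANT_Utf8: u2 length + modified UTF-8 bytes
            (n,) = struct.unpack_from(">H", data, off)
            pool[idx] = data[off + 2: off + 2 + n].decode("utf-8", "replace")
            off += 2 + n
        elif tag in _FIXED:
            if tag == 7:                       # CONSTANT_Class: u2 name_index into the pool
                pool[idx] = ("class", struct.unpack_from(">H", data, off)[0])
            off += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        idx += 2 if tag in (5, 6) else 1       # long and double occupy two slots
    _access, this_cls, super_cls = struct.unpack_from(">HHH", data, off)
    name = lambda i: pool[pool[i][1]]          # Class entry -> Utf8 entry it points to
    java: Optional[int] = major - 44 if major >= 49 else None  # assumed mapping, Java 5 and later
    strings: List[str] = [v for v in pool.values() if isinstance(v, str)]
    return {"version": (major, minor), "java": java, "strings": strings,
            "this_class": name(this_cls), "super_class": name(super_cls)}


def _utf8(s: str) -> bytes:
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b

# Constructed sample: magic, version 52.0, a 6-slot pool, then access_flags/this_class/super_class.
SAMPLE = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 7)
          + _utf8("Dropper") + b"\x07" + struct.pack(">H", 1)            # #1 Utf8, #2 Class -> #1
          + _utf8("java/lang/Object") + b"\x07" + struct.pack(">H", 3)   # #3 Utf8, #4 Class -> #3
          + b"\x05" + struct.pack(">q", 0)                               # #5 Long (also fills #6)
          + struct.pack(">HHH", 0x0021, 2, 4))

if __name__ == "__main__":
    print(parse_class(SAMPLE))
```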
