[ chapter 1 ]
    introduction 

    This chapter is a basic introduction to the format of java binary class files. The following code was assembled with the JDK's javac compiler to produce a class file. A hex dump of the file is represented below as well as an analysis of the class file. You should view this code in conjunction with a copy of the Java Virtual Machine specification, more importantly the java class file specification. To effectively infect class files one must be able to understand the way in which they are constructed and executed. 

    analysis 
     

  • information

    • Compile java source files with the javac command 
    eg. javac HelloWorld.java 

    Disassemble java class files with the javap command 
    eg. javap -c HelloWorld 
     

  • source code 

    • public class HelloWorld { 
        public static void main(String argv[]) { 
            System.out.println("Hello World!"); 
        } 
    } 
     

  • dissassembly 

    • public synchronized class HelloWorld extends java.lang.Object 
        /* ACC_SUPER bit set */ 
    { 
        public static void main(java.lang.String[]); 
        public HelloWorld(); 
    } 

    Method void main(java.lang.String[]) 
       0 getstatic #7 <Field java.io.PrintStream out> 
       3 ldc #1 <String "Hello World!"> 
       5 invokevirtual #8 <Method void println(java.lang.String)> 
       8 return 

    Method HelloWorld() 
       0 aload_0 
       1 invokespecial #6 <Method java.lang.Object()> 
       4 return 
     

  • hexadecimal dump
147B:0100 CA FE BA BE 00 03 00 2D-00 20 08 00 13 07 00 14 .......-. ......  
147B:0110 07 00 1A 07 00 1B 07 00-1C 0A 00 04 00 09 09 00 ................  
147B:0120 05 00 0A 0A 00 03 00 0B-0C 00 0F 00 0C 0C 00 1E ................  
147B:0130 00 17 0C 00 1F 00 0D 01-00 03 28 29 56 01 00 15 ..........()V...  
147B:0140 28 4C 6A 61 76 61 2F 6C-61 6E 67 2F 53 74 72 69 (Ljava/lang/Stri  
147B:0150 6E 67 3B 29 56 01 00 16-28 5B 4C 6A 61 76 61 2F ng;)V...([Ljava/  
147B:0160 6C 61 6E 67 2F 53 74 72-69 6E 67 3B 29 56 01 00 lang/String;)V..  
147B:0170 06 3C 69 6E 69 74 3E 01-00 04 43 6F 64 65 01 00 .<init>...Code..  
147B:0180 0D 43 6F 6E 73 74 61 6E-74 56 61 6C 75 65 01 00 .ConstantValue..  
147B:0190 0A 45 78 63 65 70 74 69-6F 6E 73 01 00 0C 48 65 .Exceptions...He  
147B:01A0 6C 6C 6F 20 57 6F 72 6C-64 21 01 00 0A 48 65 6C llo World!...Hel  
147B:01B0 6C 6F 57 6F 72 6C 64 01-00 0F 48 65 6C 6C 6F 57 loWorld...HelloW  
147B:01C0 6F 72 6C 64 2E 6A 61 76-61 01 00 0F 4C 69 6E 65 orld.java...Line  
147B:01D0 4E 75 6D 62 65 72 54 61-62 6C 65 01 00 15 4C 6A NumberTable...Lj  
147B:01E0 61 76 61 2F 69 6F 2F 50-72 69 6E 74 53 74 72 65 ava/io/PrintStre  
147B:01F0 61 6D 3B 01 00 0E 4C 6F-63 61 6C 56 61 72 69 61 am;...LocalVaria  
147B:0200 62 6C 65 73 01 00 0A 53-6F 75 72 63 65 46 69 6C bles...SourceFil  
147B:0210 65 01 00 13 6A 61 76 61-2F 69 6F 2F 50 72 69 6E e...java/io/Prin  
147B:0220 74 53 74 72 65 61 6D 01-00 10 6A 61 76 61 2F 6C tStream...java/l  
147B:0230 61 6E 67 2F 4F 62 6A 65-63 74 01 00 10 6A 61 76 ang/Object...jav  
147B:0240 61 2F 6C 61 6E 67 2F 53-79 73 74 65 6D 01 00 04 a/lang/System...  
147B:0250 6D 61 69 6E 01 00 03 6F-75 74 01 00 07 70 72 69 main...out...pri  
147B:0260 6E 74 6C 6E 00 21 00 02-00 04 00 00 00 00 00 02 ntln.!..........  
147B:0270 00 09 00 1D 00 0E 00 01-00 10 00 00 00 25 00 02 .............%..  
147B:0280 00 01 00 00 00 09 B2 00-07 12 01 B6 00 08 B1 00 ................  
147B:0290 00 00 01 00 16 00 00 00-0A 00 02 00 00 00 0D 00 ................  
147B:02A0 08 00 0B 00 01 00 0F 00-0C 00 01 00 10 00 00 00 ................  
147B:02B0 1D 00 01 00 01 00 00 00-05 2A B7 00 06 B1 00 00 .........*......  
147B:02C0 00 01 00 16 00 00 00 06-00 01 00 00 00 09 00 01 ................  
147B:02D0 00 19 00 00 00 02 00 15  
 
  • composition

    • magic 0xCAFEBABE 
    minor_version 0x0003 
    major_version 0x002D 
    constant_pool_count 0x0020 
    constant_pool[1]  
             tag 0x08 CONSTANT_String 
             string_index 0x0013 constant_pool[13]  
             CONSTANT_Utf8 Hello World!  
    constant_pool[2]  
             tag 0x07 CONSTANT_Class  
             name_index 0x0014 constant_pool[14] 
             CONSTANT_Utf8 HelloWorld  
    constant_pool[3]   
              tag 0x07 CONSTANT_Class  
             name_index constant_pool[1A]  
             CONSTANT_Utf8 java/io/PrintStream  
    constant_pool[4]  
              tag 0x07 CONSTANT_Class 
             name_index constant_pool[1B]  
             CONSTANT_Utf8 java/lang/Object  
    constant_pool[5] 
              tag 0x07 CONSTANT_Class 
             name_index constant_pool[1C]  
             CONSTANT_Utf8 java/lang/System  
    constant_pool[6]   
             tag 0x0A CONSTANT_Methodref 
             class_index 0x0004 constant_pool[4]  
             CONSTANT_Class java/lang/Object  
             name_and_type_index 0x0009 constant_pool[9]  
             CONSTANT_NameAndType 
    constant_pool[7]  
             tag 0x09 CONSTANT_Fieldref  
             class_index 0x0005 constant_pool[5]  
             CONSTANT_Class java/lang/System  
             name_and_type_index 0x000A constant_pool[A]  
             CONSTANT_NameAndType 
    constant_pool[8]   
             tag 0x0A CONSTANT_Methodref  
             class_index 0x0003 constant_pool[3]  
             CONSTANT_Class java/io/PrintStream  
             name_and_type_index 0x000B constant_pool[B]  
             CONSTANT_NameAndType 
    constant_pool[9]  
             tag 0x0C CONSTANT_NameAndType 
             name_index 0x000F constant_pool[F]  
             CONSTANT_Utf8 <init>  
             descriptor_index 0x00C constant_pool[C]  
             CONSTANT_Utf8 ()V  
    constant_pool[A]  
             tag 0x0C CONSTANT_NameAndType 
             name_index 0x001E constant_pool[1E]  
             CONSTANT_Utf8 out  
             descriptor_index 0x0017 constant_pool[17]  
             CONSTANT_Utf8 Ljava/io/PrintStream;  
    constant_pool[B]  
             tag 0x0C CONSTANT_NameAndType 
             name_index 0x001F constant_pool[1F]  
             CONSTANT_Utf8 println  
             descriptor_index 0x000D constant_pool[D]  
             CONSTANT_Utf8 (Ljava/lang/String;)V  
    constant_pool[C]  
             tag 0x01 CONSTANT_Utf8 
             length 0x0003 
             bytes[length] 0x282956 ()V  
    constant_pool[D]  
             tag 0x01 CONSTANT_Utf8 
             length 0x0015 
             bytes[length]  
             0x284C6A6176612F6C616E672F537472696E673B2956  
             (Ljava/lang/String;)V  
    constant_pool[E]  
             tag 0x01 CONSTANT_Utf8  
             length 0x0016 
             bytes[length]  
             0x285B4C6A6176612F6C616E672F537472696E673B2956 
             (Ljava/lang/String;)V  
    constant_pool[F] 
             tag 0x01 CONSTANT_Utf8  
             length 0x0006 
             bytes[length] 0x63C696E69743E <init>  
    constant_pool[10]  
             tag 0x01 CONSTANT_Utf8  
             length 0x0004 
             bytes[length] 0x436F6465 Code  
    constant_pool[11]  
             tag 0x01 CONSTANT_Utf8  
             length 0x000D 
             bytes[length] 0x436F6E7374616E7456616C7565  
             ConstantValue  
    constant_pool[12]  
             tag 0x01 CONSTANT_Utf8  
             length 0x000A 
             bytes[length] 0x457863657074696F6E73  
             Exceptions  
    constant_pool[13]  
             tag 0x01 CONSTANT_Utf8  
             length 0x000C 
             bytes[length] 0x48656C6C6F20576F726C6421  
             Hello World!  
    constant_pool[14]  
             tag 0x01 CONSTANT_Utf8  
             length 0x000A 
             bytes[length] 0x48656C6C6F576F726C64  
             HelloWorld  
    constant_pool[15]  
             tag 0x01 CONSTANT_Utf8  
             length 0x000F 
             bytes[length]   
             0x48656C6C6F576F726C642E6A617661  
             HelloWorld.java  
    constant_pool[16]  
             tag 0x01 CONSTANT_Utf8  
             length 0x000F 
             bytes[length] 0x4C696E656F726C642E6A617661  
             LineNumberTable  
    constant_pool[17]  
             tag 0x01 CONSTANT_Utf8 
             length 0x0015 
             bytes[length]  
             0x4C6A6176612F696F2F5072696E7453747265616D3B   
             Ljava/io/PrintStream;  
    constant_pool[18]  
             tag 0x01 CONSTANT_Utf8 
             length 0x000E 
             bytes[length] 0x4C6F63616C5661726961626C6573  
             LocalVariables  
    constant_pool[19]  
             tag 0x01 CONSTANT_Utf8 
             length 0x000A 
             bytes[length] 0x536F7572636546696C65   
             SourceFile  
    constant_pool[1A]  
             tag 0x01 CONSTANT_Utf8  
             length 0x0013 
             bytes[length]  
             0x6A6176612F696F2F5072696E7453747265616D  
             java/io/PrintStream  
    constant_pool[1B]  
             tag 0x01 CONSTANT_Utf8 
             length 0x0010 
             bytes[length]  
             0x6A6176612F6C616E672F4F626A656374  
             java/lang/Object  
    constant_pool[1C]  
             tag 0x01 CONSTANT_Utf8  
             length 0x0010 
             bytes[length]  
             0x6A6176612F6C616E672F53797374656D  
             java/lang/System  
    constant_pool[1D]  
             tag 0x01 CONSTANT_Utf8  
             length 0x0004 
             bytes[length] 0x6D61696E main  
    constant_pool[1E]  
             tag 0x01 CONSTANT_Utf8  
             length 0x0003 
             bytes[length] 0x6F7574 out  
    constant_pool[1F]  
             tag 0x01 CONSTANT_Utf8  
             length 0x0007 
             bytes[length] 0x7072696E746C6E println  
    access_flags 0x0021 ACC_SUPER and ACC_PUBLIC 
    this_class 0x0002 
    super_class 0x0004 
    interfaces_count 0x0000 
    fields_count 0x0000 
    methods_count 0x0002 
    method_info[1] 
       access_flags 0x0009 ACC_STATIC and ACC_PUBLIC 
       name_index 0x001D constant_pool[1D]  
       CONSTANT_Utf8 main  
       descriptor_index 0x000E constant_pool[E]  
       CONSTANT_Utf8 ([Ljava/lang/String;)V  
       attributes_count 0x0001 
       attribute_info 
         attribute_name_index 0x0010 constant_pool[10]  
         CONSTANT_Utf8 code  
         attribute_length 0x00000025 
         max_stack 0x0002 
         max_locals 0x0001 
         code_length 0x00000009  
         code 0xB200071201B60008B1  
         exception_table_length 0x0000 
         attributes_count 0x0001 
            attribute_name_index 0x0016 constant_pool[16]  
            CONSTANT_Utf8 LineNumberTable  
            attribute_length 0x0000000A 
            line_number_table_length 0x0002  
            line_number_table[0]  
                start_pc 0x0000  
                line_number 0x000D 
            line_number_table[1] 
                start_pc 0x0008 
                line_number 0x000B 
    method_info[2] 
       access_flags 0x0001 ACC_PUBLIC 
       name_index 0x000F constant_pool[F]  
       CONSTANT_Utf8 <init> 
       descriptor_index 0x000C constant_pool[C]  
       CONSTANT_Utf8 ()V  
       attributes_count 0x0001 
       attribute_info 
          attribute_name_index 0x0010 constant_pool[10]  
          CONSTANT_Utf8 code  
          attribute_length 0x0000001D 
          max_stack 0x0001 
          max_locals 0x0001 
          code_length 0x00000005  
          code 0x2AB70006B1  
          exception_table_length 0x0000 
          attributes_count 0x0001 
             attribute_name_index 0x0016 
             attribute_length 0x00000006 
             attribute 0x000100000009 
    attributes_count 0x0001 
    attribute_info 
       attribute_name_index 0x0019 constant_pool[19]  
       CONSTANT_Utf8 sourcefile 
       attribute_length 0x00000002 
       attributes 0x0015 constant_pool[15]  
       CONSTANT_Utf8 HelloWorld.java  

    conclusion 

    To reiterate once more, to successfully infect any file whether it be a PE executable or a shell script you must be able to understand the format of the file. By examining this HelloWorld text a couple of times you should have some sort of a feel for the way in which a java binary class file looks on the inside.