Added support for dumping class loader & class trees.

BenjaminSoelberg · BenjaminSoelberg · commit 475673324f7d · 2025-10-06T23:52:51.000+02:00
Added "turbo" dumping speed.
Better handling of errors while dumping.
Added more documentation in code.
diff --git a/BrokenJavaCup.jpg b/BrokenJavaCup.jpg
diff --git a/JFT.jpg b/JFT.jpg
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Easy and compact Java Forensics Toolkit
 
-![broken java cup](BrokenJavaCup.jpg)
+![JFT](JFT.jpg)
 
 # Java Forensics Toolkit
 
@@ -51,15 +51,15 @@ options:
 pid     process id of the target java process
 
 example:
-java -jar JavaForensicsToolkit.jar -d dump.jar -f 'java\\..*' -f 'sun\\..*' -f 'jdk\\..*' -f 'com\\.sun\\..*' -x 123456
+java -jar JavaForensicsToolkit.jar -d dump.jar -f 'java\\..*' -f 'sun\\..*' -f 'jdk\\..*' -f 'com\\.sun\\..*' -x 1337
 ```
 
 ## Example
 
-Dump all non-JDK classes from a running process with PID 123456:
+Dump all non-JDK classes loaders from a running process with PID 1337:
 
 ```
-java -jar JavaForensicsToolkit.jar -v -d dump.jar -f java\\..* -f sun\\..* -f jdk\\..* -f com\\.sun\\..* -x 123456
+java -jar JavaForensicsToolkit.jar -v -s -p -d dump.jar 1337
 ```
 
 ## Typical Use Cases
diff --git a/pom.xml b/pom.xml
@@ -48,7 +48,7 @@
                 <configuration>
                     <archive>
                         <manifestEntries>
-                            <Main-Class>io.github.benjaminsoelberg.jft.ClassDumper</Main-Class>
+                            <Main-Class>io.github.benjaminsoelberg.jft.Main</Main-Class>
                             <Agent-Class>io.github.benjaminsoelberg.jft.ClassDumper</Agent-Class>
                             <Can-Retransform-Classes>true</Can-Retransform-Classes>
                         </manifestEntries>
diff --git a/src/main/java/io/github/benjaminsoelberg/jft/ClassDumper.java b/src/main/java/io/github/benjaminsoelberg/jft/ClassDumper.java
diff --git a/src/main/java/io/github/benjaminsoelberg/jft/ClassTree.java b/src/main/java/io/github/benjaminsoelberg/jft/ClassTree.java
@@ -0,0 +1,80 @@
+package io.github.benjaminsoelberg.jft;
+
+import java.util.*;
+import java.util.stream.Collectors;
+
+public final class ClassTree {
+    private final Map<ClassLoader, Node> root = new HashMap<>();
+
+    public static class Node {
+        private final ClassLoader loader;
+        private final List<Node> children = new ArrayList<>();
+        private final Map<Class<?>, byte[]> classes = new HashMap<>();
+
+        public Node(ClassLoader loader) {
+            this.loader = loader;
+        }
+
+        public void add(Node node) {
+            children.add(node);
+        }
+
+        public void add(Class<?> clazz, byte[] bytecode) {
+            // "putIfAbsent" ensures uniqueness
+            classes.putIfAbsent(clazz, bytecode);
+        }
+
+        public ClassLoader getLoader() {
+            return loader;
+        }
+
+        public List<Node> getChildren() {
+            return children;
+        }
+
+        public Map<Class<?>, byte[]> getClasses() {
+            return classes.entrySet()
+                    .stream()
+                    .sorted(Map.Entry.comparingByKey(Comparator.comparing(Class::getName)))
+                    .collect(Collectors.toMap(
+                            Map.Entry::getKey,
+                            Map.Entry::getValue,
+                            (a, b) -> a, // Dummy merge
+                            LinkedHashMap::new  // Preserve order
+                    ));
+        }
+    }
+
+    public ClassTree() {
+        // Create explicit bootstrap root
+        Node bootstrap = new Node(null);
+        root.put(null, bootstrap);
+    }
+
+    public synchronized void add(Class<?> clazz, byte[] bytecode) {
+        ClassLoader loader = clazz.getClassLoader();
+        Node node = ensureNode(loader);
+        node.add(clazz, bytecode);
+    }
+
+    private Node ensureNode(ClassLoader loader) {
+        if (root.containsKey(loader)) {
+            return root.get(loader);
+        }
+
+        Node node = new Node(loader);
+        root.put(loader, node);
+
+        if (loader != null) {
+            Node parent = ensureNode(loader.getParent());
+            parent.add(node);
+        }
+
+        return node;
+    }
+
+    public Node getRoot() {
+        return root.get(null);
+    }
+
+}
diff --git a/src/main/java/io/github/benjaminsoelberg/jft/Main.java b/src/main/java/io/github/benjaminsoelberg/jft/Main.java
@@ -0,0 +1,74 @@
+package io.github.benjaminsoelberg.jft;
+
+import com.sun.tools.attach.VirtualMachine;
+
+import java.io.IOException;
+import java.net.URL;
+
+//TODO: Test on windows (especially file separator)
+public class Main {
+
+    private static void showUsage() {
+        System.out.println("usage: java -jar JavaForensicsToolkit.jar [-v] [-e] [-d destination.jar] [-s] [-p] [-f filter]... [-x] <pid>");
+        System.out.println();
+        System.out.println("options:");
+        System.out.println("-v\tverbose agent logging");
+        System.out.println("-e\tagent will log to stderr instead of stdout");
+        System.out.println("-d\tjar file destination of dumped classes");
+        System.out.println("\tRelative paths will be relative with respect to the target process.");
+        System.out.println("\tA jar file in temp will be generated if no destination was provided.");
+        System.out.println("-s\tignore system class loader (like java.lang.String)");
+        System.out.println("-p\tignore platform class loader (like system extensions)");
+        System.out.println("-f\tregular expression class name filter");
+        System.out.println("\tCan be specified multiple times.");
+        System.out.println("-x\texclude classes matching the filter");
+        System.out.println("pid\tprocess id of the target java process");
+        System.out.println();
+        System.out.println("example:");
+        System.out.println("java -jar JavaForensicsToolkit.jar -d dump.jar -f 'java\\\\..*' -f 'sun\\\\..*' -f 'jdk\\\\..*' -f 'com\\\\.sun\\\\..*' -x 1337");
+    }
+
+    /**
+     * Get the absolut file location of the jar embedding this class
+     *
+     * @return absolut file location of jar
+     */
+    private static String getJarLocation() {
+        URL url = Main.class.getProtectionDomain().getCodeSource().getLocation();
+        String file = url.getFile();
+        if (url.getProtocol().equals("file") && file.startsWith("/") && file.endsWith(".jar")) {
+            return file;
+        }
+        return null;
+    }
+
+    public static void main(String[] args) throws Exception {
+        System.out.printf(Utils.getApplicationHeader() + "%n");
+        String absolutJarLocation = getJarLocation();
+        if (args.length < 1 || absolutJarLocation == null) {
+            showUsage();
+            System.exit(1);
+        }
+
+        // We pre-parse the command line to be sure that it is syntactically correct prior to sending it to agentmain
+        Options options = new Options(args);
+
+        String pid = options.getPid();
+        System.out.println("Injecting agent into JVM with pid: " + pid);
+        VirtualMachine vm = VirtualMachine.attach(pid);
+        try {
+            System.out.println("Dumping classes to: " + options.getDestination());
+            String[] cmdLine = options.getArgs();
+            vm.loadAgent(absolutJarLocation, Utils.encodeArgs(cmdLine));
+        } finally {
+            try {
+                vm.detach();
+            } catch (IOException ioe) {
+                System.out.println("Unable to detach from process");
+            }
+        }
+
+        System.out.println("Done!");
+    }
+
+}
diff --git a/src/main/java/io/github/benjaminsoelberg/jft/Report.java b/src/main/java/io/github/benjaminsoelberg/jft/Report.java
@@ -37,10 +37,6 @@ public void dump(Throwable throwable) {
         add(Utils.toString(throwable));
     }
 
-    public void dump(Class<?> clazz, byte[] bytecode) {
-        println("Class info: %s via %s, %d bytes", clazz.getName(), Utils.toClassLoaderName(clazz), bytecode.length);
-    }
-
     public String generate() {
         return lines.stream().collect(Collectors.joining(System.lineSeparator()));
     }
diff --git a/src/main/java/io/github/benjaminsoelberg/jft/Transformer.java b/src/main/java/io/github/benjaminsoelberg/jft/Transformer.java
diff --git a/src/main/java/io/github/benjaminsoelberg/jft/Utils.java b/src/main/java/io/github/benjaminsoelberg/jft/Utils.java
@@ -74,16 +74,41 @@ public static String[] decodeArgs(String args) {
         return Arrays.stream(args.split(" ")).map(Utils::fromHex).map(Utils::toUtf8String).collect(Collectors.toList()).toArray(new String[]{});
     }
 
-    public static String toClassLoaderName(Class<?> clazz) {
-        ClassLoader classLoader = clazz.getClassLoader();
+    @SuppressWarnings("ConstantConditions")
+    public static String toClassLoaderName(ClassLoader classLoader) {
         if (classLoader == null) {
-            return Utils.toObjectId(null);
+            return toClassLoaderName(classLoader, "bootloader", false);
+        } else if (classLoader == ClassLoader.getPlatformClassLoader()) {
+            return toClassLoaderName(classLoader, "platform", false);
+        } else if (classLoader == ClassLoader.getSystemClassLoader()) {
+            return toClassLoaderName(classLoader, "app", false);
+        } else {
+            return toClassLoaderName(classLoader, "", true);
         }
+    }
+
+    private static String toClassLoaderName(ClassLoader classLoader, String defaultName, boolean appendClassName) {
+        String name = defaultName.trim();
+        if (classLoader != null) {
+            if (classLoader.getName() != null && !classLoader.getName().trim().isBlank()) {
+                name = classLoader.getName().trim();
+            }
+            if (appendClassName) {
+                if (!name.isBlank()) {
+                    name += "_";
+                }
+                name += toObjectId(classLoader);
+            }
+        }
+        return "[" + name + "]";
+    }
 
-        return String.format(
-                "%s%s@%s",
-                classLoader.getClass().getName(),
-                classLoader.getName() != null ? (String.format("(%s)", classLoader.getName())) : "",
-                Integer.toHexString(classLoader.hashCode()));
+    @SuppressWarnings("ConcatenationWithEmptyString")
+    public static String getApplicationHeader() {
+        return "" +
+               "---------------------------------------------------------%n" +
+               "--> Java Forensics Toolkit v1.1.0 by Benjamin Sølberg <--%n" +
+               "---------------------------------------------------------%n" +
+               "https://github.com/BenjaminSoelberg/JavaForensicsToolkit%n";
     }
 }
diff --git a/src/test/java/io/github/benjaminsoelberg/jft/ClassDumperTest.java b/src/test/java/io/github/benjaminsoelberg/jft/ClassDumperTest.java
@@ -15,7 +15,7 @@ class ClassDumperTest {
     @Test
     void testSelfAttachCanDump() throws Exception {
         File manifestJar = createManifest(ClassDumper.class.getName());
-        ClassDumper.TEST_AGENT_CMD_LINE = Utils.encodeArgs(new String[]{"-d", "target/dump.jar", "123456"});
+        ClassDumper.TEST_AGENT_CMD_LINE = Utils.encodeArgs(new String[]{"-d", "target/dump.jar", "1337"});
         sun.instrument.InstrumentationImpl.loadAgent(manifestJar.getCanonicalPath());
         Assertions.assertTrue(new File("target/dump.jar").exists());
     }
@@ -24,17 +24,17 @@ void testSelfAttachCanDump() throws Exception {
      * This will create a jar in the temp dir holding the manifest to allow for self attach without the agent itself
      * having to be placed in a jar file.
      *
-     * @param mainClass for where the agentmain is located
+     * @param agentClass for where the agentmain is located
      * @return a temp jar file containing the manifest needed for testing. Note that it will be deleted upon JVM exit.
      * @throws IOException if the jar file could not be created.
      */
     @SuppressWarnings("ConcatenationWithEmptyString")
-    private File createManifest(String mainClass) throws IOException {
+    private File createManifest(String agentClass) throws IOException {
         String manifestContent = String.format("" +
                 "Manifest-Version: 1.0%n" +
                 "Build-Jdk-Spec: 11%n" +
                 "Launcher-Agent-Class: %1$s%n" +
-                "Can-Retransform-Classes: true%n", mainClass);
+                "Can-Retransform-Classes: true%n", agentClass);
 
         File jarFile = File.createTempFile("test-manifest", ".jar");
         jarFile.deleteOnExit();
diff --git a/src/test/java/io/github/benjaminsoelberg/jft/OptionsTest.java b/src/test/java/io/github/benjaminsoelberg/jft/OptionsTest.java
@@ -70,7 +70,7 @@ void testTheFullMonty() throws ParserException {
                 "-f", "com\\.sun\\..*",
                 "-f", "has spaces in filter",
                 "-x",
-                "123456"
+                "1337"
         };
 
         Options options = new Options(args);
@@ -88,6 +88,6 @@ void testTheFullMonty() throws ParserException {
         Assertions.assertFalse(options.getFilterPredicate().test("has spaces in filter"));
         Assertions.assertTrue(options.getFilterPredicate().test("has spaces in filter."));
         Assertions.assertTrue(options.getFilterPredicate().test(".has spaces in filter"));
-        Assertions.assertEquals("123456", options.getPid());
+        Assertions.assertEquals("1337", options.getPid());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -37,10 +37,6 @@ public void dump(Throwable throwable) {`
`37`	`37`	`add(Utils.toString(throwable));`
`38`	`38`	`}`
`39`	`39`
`40`		`- public void dump(Class<?> clazz, byte[] bytecode) {`
`41`		`- println("Class info: %s via %s, %d bytes", clazz.getName(), Utils.toClassLoaderName(clazz), bytecode.length);`
`42`		`- }`
`43`		`-`
`44`	`40`	`public String generate() {`
`45`	`41`	`return lines.stream().collect(Collectors.joining(System.lineSeparator()));`
`46`	`42`	`}`