Added "ignore system classes" and "ignore platform classes" options.

Added presorting of classes.
Added better error suppression of duplicated class dumps caused by "invalid byte code" while fast dumping (probably due to kotlin bytecode shenanigans)

Author: BenjaminSoelberg

README.md

@@ -20,31 +20,38 @@ Designed for **forensic analysis, debugging, and reverse engineering**, making i
 
 Download the latest release JAR from [here](https://github.com/BenjaminSoelberg/JavaForensicsToolkit/releases).
 
+## build
+```
+mvn clean package
+```
+
 ## Usage
 
 ```
 java -jar JavaForensicsToolkit-<version>.jar 
 
 ---------------------------------------------------------
---> Java Forensics Toolkit v1.0.2 by Benjamin Sølberg <--
+--> Java Forensics Toolkit v1.1.0 by Benjamin Sølberg <--
 ---------------------------------------------------------
 https://github.com/BenjaminSoelberg/JavaForensicsToolkit
 
-usage: java -jar JavaForensicsToolkit.jar [-v] [-e] [-d destination.jar] [-f filter]... [-x] <pid>
+usage: java -jar JavaForensicsToolkit.jar [-v] [-e] [-d destination.jar] [-s] [-p] [-f filter]... [-x] <pid>
 
 options:
 -v      verbose agent logging
 -e      agent will log to stderr instead of stdout
 -d      jar file destination of dumped classes
         Relative paths will be relative with respect to the target process.
         A jar file in temp will be generated if no destination was provided.
+-s      ignore system class loader (like java.lang.String)
+-p      ignore platform class loader (like system extensions)
 -f      regular expression class name filter
         Can be specified multiple times.
 -x      exclude classes matching the filter
 pid     process id of the target java process
 
 example:
-java -jar JavaForensicsToolkit.jar -d dump.jar -f java\\..* -f sun\\..* -f jdk\\..* -f com\\.sun\\..* -x 123456
+java -jar JavaForensicsToolkit.jar -d dump.jar -f 'java\\..*' -f 'sun\\..*' -f 'jdk\\..*' -f 'com\\.sun\\..*' -x 123456
 ```
 
 ## Example

src/main/java/io/github/benjaminsoelberg/jft/ClassDumper.java

@@ -9,6 +9,7 @@
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
+import java.util.Comparator;
 import java.util.jar.JarOutputStream;
 import java.util.zip.ZipEntry;
 
@@ -32,10 +33,7 @@ public static void agentmain(String cmdline, Instrumentation instrumentation) th
         report.println("Agent loaded with options: %s%n", String.join(" ", args));
 
         report.println("Querying classes...");
-        Class<?>[] classes = Arrays.stream(instrumentation.getAllLoadedClasses())
-                .filter(instrumentation::isModifiableClass)
-                .filter(clazz -> options.getFilterPredicate().test(clazz.getName()))
-                .toArray(Class<?>[]::new);
+        Class<?>[] classes = getAllLoadedClasses(instrumentation, options);
         report.println("");
 
         // The transformer could (as a side effect by the JVM) be called with classes not in the list which is why we pass the filtered classes to it as well
@@ -46,26 +44,9 @@ public static void agentmain(String cmdline, Instrumentation instrumentation) th
             instrumentation.addTransformer(dumper, true);
 
             report.println("Dumping started...");
-
             // Invoke the transformer and remove it when filtered classes are processed
             try {
-                for (int from = 0; from < classes.length; from += DUMP_BATCH_SIZE) {
-                    int to = Math.min(from + DUMP_BATCH_SIZE, classes.length);
-                    Class<?>[] batch = Arrays.copyOfRange(classes, from, to);
-                    try {
-                        // Transform the full batch in one go, and if this throws an exception, no classes have been retransformed.
-                        instrumentation.retransformClasses(batch);
-                    } catch (Throwable ignored) {
-                        // Transform classes one-by-one if batch transformation failed
-                        for (Class<?> clazz : batch) {
-                            try {
-                                instrumentation.retransformClasses(clazz);
-                            } catch (Throwable th) {
-                                report.println("Failed to dump %s", clazz.getName());
-                            }
-                        }
-                    }
-                }
+                retransformClasses(instrumentation, classes, report);
             } finally {
                 instrumentation.removeTransformer(dumper);
             }
@@ -76,7 +57,7 @@ public static void agentmain(String cmdline, Instrumentation instrumentation) th
 
         // Validate that no exceptions were generated during the dump process
         if (dumper.getLastException() != null) {
-            report.println("WARNING: One or more exceptions occurred while dumping classes.");
+            report.println("WARNING: One or more transformer exceptions occurred while dumping classes.");
             report.dump(dumper.getLastException());
             report.println("");
         }
@@ -85,10 +66,12 @@ public static void agentmain(String cmdline, Instrumentation instrumentation) th
 
         report.println("Creating jar...");
         try (JarOutputStream jar = new JarOutputStream(new FileOutputStream(destination))) {
-            dumper.getClassInfos().stream().sorted().forEach(classInfo -> {
+            dumper.getClassInfos().entrySet().stream().sorted(Comparator.comparing(o -> o.getKey().getName())).forEach(entry -> {
+                Class<?> clazz = entry.getKey();
+                byte[] bytecode = entry.getValue();
                 try {
-                    report.dump(classInfo);
-                    writeZipEntry(jar, classInfo.getNativeClassName() + ".class", classInfo.getBytecode());
+                    report.dump(clazz, bytecode);
+                    writeZipEntry(jar, Utils.toNativeClassName(clazz.getName()) + ".class", bytecode);
                 } catch (IOException e) {
                     throw new RuntimeException(e);
                 }
@@ -98,35 +81,69 @@ public static void agentmain(String cmdline, Instrumentation instrumentation) th
         report.println("%nDumped classes, including report.txt, can be found in: %s", options.getDestination());
     }
 
+    private static Class<?>[] getAllLoadedClasses(Instrumentation instrumentation, Options options) {
+        return Arrays.stream(instrumentation.getAllLoadedClasses())
+                .filter(instrumentation::isModifiableClass)
+                .filter(clazz -> options.getFilterPredicate().test(clazz.getName()))
+                .filter(clazz -> !options.isIgnoreSystemClassloader() || clazz.getClassLoader() != null)
+                .filter(clazz -> !options.isIgnorePlatformClassloader() || clazz.getClassLoader() != ClassLoader.getPlatformClassLoader())
+                .sorted(Comparator.comparing(Class::getName))
+                .toArray(Class<?>[]::new);
+    }
+
+    private static void retransformClasses(Instrumentation instrumentation, Class<?>[] classes, Report report) {
+        for (int from = 0; from < classes.length; from += DUMP_BATCH_SIZE) {
+            int to = Math.min(from + DUMP_BATCH_SIZE, classes.length);
+            Class<?>[] batch = Arrays.copyOfRange(classes, from, to);
+            try {
+                // Transform the full batch in one go, and if this throws an exception some classes may have been dumped but we deduplicate later on.
+                instrumentation.retransformClasses(batch);
+            } catch (Throwable ignored) {
+                // Transform classes one-by-one if batch transformation failed
+                for (Class<?> clazz : batch) {
+                    try {
+                        instrumentation.retransformClasses(clazz);
+                    } catch (Throwable th) {
+                        report.println("Failed to dump %s", clazz.getName());
+                    }
+                }
+            }
+        }
+    }
+
+
     private static void writeZipEntry(JarOutputStream jar, String name, byte[] data) throws IOException {
         jar.putNextEntry(new ZipEntry(name));
         jar.write(data);
     }
 
+    @SuppressWarnings("ConcatenationWithEmptyString")
     private static String getHeader() {
         return "" +
                 "---------------------------------------------------------%n" +
-                "--> Java Forensics Toolkit v1.0.2 by Benjamin Sølberg <--%n" +
+                "--> Java Forensics Toolkit v1.1.0 by Benjamin Sølberg <--%n" +
                 "---------------------------------------------------------%n" +
                 "https://github.com/BenjaminSoelberg/JavaForensicsToolkit%n%n";
     }
 
     private static void showUsage() {
-        System.out.println("usage: java -jar JavaForensicsToolkit.jar [-v] [-e] [-d destination.jar] [-f filter]... [-x] <pid>");
+        System.out.println("usage: java -jar JavaForensicsToolkit.jar [-v] [-e] [-d destination.jar] [-s] [-p] [-f filter]... [-x] <pid>");
         System.out.println();
         System.out.println("options:");
         System.out.println("-v\tverbose agent logging");
         System.out.println("-e\tagent will log to stderr instead of stdout");
         System.out.println("-d\tjar file destination of dumped classes");
         System.out.println("\tRelative paths will be relative with respect to the target process.");
         System.out.println("\tA jar file in temp will be generated if no destination was provided.");
+        System.out.println("-s\tignore system class loader (like java.lang.String)");
+        System.out.println("-p\tignore platform class loader (like system extensions)");
         System.out.println("-f\tregular expression class name filter");
         System.out.println("\tCan be specified multiple times.");
         System.out.println("-x\texclude classes matching the filter");
         System.out.println("pid\tprocess id of the target java process");
         System.out.println();
         System.out.println("example:");
-        System.out.println("java -jar JavaForensicsToolkit.jar -d dump.jar -f java\\\\..* -f sun\\\\..* -f jdk\\\\..* -f com\\\\.sun\\\\..* -x 123456");
+        System.out.println("java -jar JavaForensicsToolkit.jar -d dump.jar -f 'java\\\\..*' -f 'sun\\\\..*' -f 'jdk\\\\..*' -f 'com\\\\.sun\\\\..*' -x 123456");
     }
 
     /**

src/main/java/io/github/benjaminsoelberg/jft/ClassInfo.java

@@ -11,12 +11,16 @@ public class Options {
     public static final String VERBOSE_OPTION = "-v";
     public static final String LOG_TO_STD_ERR_OPTION = "-e";
     public static final String DESTINATION_OPTION = "-d";
+    public static final String IGNORE_SYSTEM_CLASS_LOADER_OPTION = "-s";
+    public static final String IGNORE_PLATFORM_CLASS_LOADER_OPTION = "-p";
     public static final String FILTER_OPTION = "-f";
     public static final String INVERTED_FILTER_OPTION = "-x";
     private final ArrayList<Pattern> filter = new ArrayList<>();
     private boolean verbose;
     private boolean logToStdErr;
     private String destination;
+    private boolean ignoreSystemClassloader;
+    private boolean ignorePlatformClassloader;
     private boolean invertedFilter;
     private String pid;
 
@@ -40,13 +44,19 @@ public Options(String[] args) throws ParserException {
                         case FILTER_OPTION:
                             filter.add(Pattern.compile(iterator.next()));
                             break;
+                        case IGNORE_SYSTEM_CLASS_LOADER_OPTION:
+                            ignoreSystemClassloader = true;
+                            break;
+                        case IGNORE_PLATFORM_CLASS_LOADER_OPTION:
+                            ignorePlatformClassloader = true;
+                            break;
                         case INVERTED_FILTER_OPTION:
                             invertedFilter = true;
                             break;
                         default:
                             throw new ParserException(String.format("Unknown option [%s]", token));
                     }
-                } catch (NoSuchElementException nsee) {
+                } catch (NoSuchElementException ignored) {
                     throw new ParserException(String.format("Too few arguments for [%s]", token));
                 }
             } else {
@@ -102,6 +112,12 @@ public String[] getArgs() {
             args.add(DESTINATION_OPTION);
             args.add(destination);
         }
+        if (ignoreSystemClassloader) {
+            args.add(IGNORE_SYSTEM_CLASS_LOADER_OPTION);
+        }
+        if (ignorePlatformClassloader) {
+            args.add(IGNORE_PLATFORM_CLASS_LOADER_OPTION);
+        }
         for (Pattern p : filter) {
             args.add(FILTER_OPTION);
             args.add(p.pattern());
@@ -135,6 +151,14 @@ public boolean isInvertedFilter() {
         return invertedFilter;
     }
 
+    public boolean isIgnoreSystemClassloader() {
+        return ignoreSystemClassloader;
+    }
+
+    public boolean isIgnorePlatformClassloader() {
+        return ignorePlatformClassloader;
+    }
+
     public String getDestination() {
         return destination;
     }

src/main/java/io/github/benjaminsoelberg/jft/Options.java

@@ -37,8 +37,8 @@ public void dump(Throwable throwable) {
         add(Utils.toString(throwable));
     }
 
-    public void dump(ClassInfo classInfo) {
-        println("Class info: " + classInfo.toString());
+    public void dump(Class<?> clazz, byte[] bytecode) {
+        println("Class info: %s via %s, %d bytes", clazz.getName(), Utils.toClassLoaderName(clazz), bytecode.length);
     }
 
     public String generate() {

src/main/java/io/github/benjaminsoelberg/jft/Report.java

@@ -3,40 +3,41 @@
 import java.lang.instrument.ClassFileTransformer;
 import java.security.ProtectionDomain;
 import java.util.Arrays;
-import java.util.Collection;
 import java.util.List;
-import java.util.concurrent.ConcurrentLinkedQueue;
+import java.util.concurrent.ConcurrentHashMap;
 
 public class Transformer implements ClassFileTransformer {
     private static final String FILTER_JFT_CLASSES = Utils.toNativeClassName(Transformer.class.getPackageName()) + "/";
-    private final ConcurrentLinkedQueue<ClassInfo> classInfos = new ConcurrentLinkedQueue<>();
+    private final ConcurrentHashMap<Class<?>, byte[]> classInfos = new ConcurrentHashMap<>();
     private final Report report;
-    private final List<Class<?>> classes;
+    private final List<Class<?>> expectedClasses;
     private volatile Throwable lastException;
 
-    public Transformer(Report report, Class<?>[] classes) {
+    public Transformer(Report report, Class<?>[] expectedClasses) {
         this.report = report;
-        this.classes = Arrays.asList(classes);
+        this.expectedClasses = Arrays.asList(expectedClasses);
     }
 
     @Override
     public byte[] transform(ClassLoader loader, String nativeClassName, Class<?> classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer) {
-        // Ignore initial class load as we only want to dump classes that was previously accepted by the filter
-        if (classBeingRedefined == null) {
-            return null;
-        }
-
         try {
+            // Ignore initial class load as we only want to dump classes that was previously accepted by the filter
+            if (nativeClassName == null || classBeingRedefined == null || classfileBuffer == null) {
+                return null;
+            }
+
             // Ignore our own classes
             if (nativeClassName.startsWith(FILTER_JFT_CLASSES)) {
                 report.println("Ignoring %s", classBeingRedefined.getName());
                 return null;
             }
 
             // Save the class info if it previously passed the filtering
-            if (classes.contains(classBeingRedefined)) {
-                report.println("Dumping %s", Utils.toJavaClassName(nativeClassName));
-                classInfos.add(new ClassInfo(nativeClassName, loader, protectionDomain, classfileBuffer));
+            if (expectedClasses.contains(classBeingRedefined)) {
+                classInfos.computeIfAbsent(classBeingRedefined, clazz -> {
+                    report.println("Dumping %s", Utils.toJavaClassName(nativeClassName));
+                    return classfileBuffer;
+                });
             }
         } catch (Throwable throwable) {
             // Keep latest exception for later retrieval
@@ -51,7 +52,7 @@ public Throwable getLastException() {
         return lastException;
     }
 
-    public Collection<ClassInfo> getClassInfos() {
+    public ConcurrentHashMap<Class<?>, byte[]> getClassInfos() {
         return classInfos;
     }
 }