This document discusses binary patching techniques using bytecode manipulation libraries like Javassist. It explains how to use the java.lang.instrument API to add a Java agent that will hook into the class loading process using a ClassFileTransformer. The transformer can then manipulate class bytecodes to add aspects or intercept method calls using libraries like Javassist that provide an easy way to modify bytecode through source-like APIs and on-the-fly compilation of injected code. Examples demonstrate how to add interfaces and methods, implement simple AOP through proxies, and intercept statements. The document also briefly mentions the JRebel SDK for dynamic class reloading in development.

1. Binary Patching for
Fun and Profit
with
JRebel SDK

2. Binary Patching
Ninja.class Ninja.class’
10101010101 10101010101
11000101010 11100001010
10101010001 10101010001
00010001110 00010001110
11011101011 11011101110
a.k.a instrumentation

3. Binary Patching
ClassLoader
Application
MyClass.class
New code:
1001010010010
Transformer
0101011001010
MyObject

4. Why?
• Programming model (AOP, ORM)
• Tooling (profilers, coverage)
• Legacy integration
… or maybe you’re just bored? 

5. How?
• Add –javaagent to hook into class loading
process
• Implement ClassFileTransformer
• Use bytecode manipulation libraries
(Javassist, cglib, asm) to add any custom logic
java.lang.instrument

6. java.lang.instrument
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
public class Agent {
public static void premain(String args, Instrumentation inst)
throws Exception {
inst.addTransformer(new ClassFileTransformer { … });
}
}

7. java.lang.instrument
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
public class Agent {
public static void premain(String args, Instrumentation inst)
throws Exception {
inst.addTransformer(new ClassFileTransformer { … });
}
}

8. java.lang.instrument
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
META-INF/MANIFEST.MF
public class Agent { Premain-Class: Agent
public static void premain(String args, Instrumentation inst)
throws Exception {
inst.addTransformer(new ClassFileTransformer { … });
}
}
java –javaagent:agent.jar …

9. j.l.instrument.ClassFileTransformer
new ClassFileTransformer() {
public byte[] transform(ClassLoader loader, String className,
Class<?>classBeingRedefined,
ProtectionDomain protectionDomain,
byte[] classfileBuffer){
ClassPool cp = ClassPool.getDefault();
CtClass ct = cp.makeClass(new
ByteArrayInputStream(classfileBuffer));
transformClass(ct, cp);
return ct.toBytecode();
}
}

10. j.l.instrument.ClassFileTransformer
new ClassFileTransformer() {
public byte[] transform(ClassLoader loader, String className,
Class<?>classBeingRedefined,
ProtectionDomain protectionDomain,
byte[] classfileBuffer){
ClassPool cp = ClassPool.getDefault();
CtClass ct = cp.makeClass(new
ByteArrayInputStream(classfileBuffer));
transformClass(ct, cp);
return ct.toBytecode();
}
}

11. j.l.instrument.ClassFileTransformer
new ClassFileTransformer() {
public byte[] transform(ClassLoader loader, String className,
Class<?>classBeingRedefined,
ProtectionDomain protectionDomain,
byte[] classfileBuffer){
ClassPool cp = ClassPool.getDefault();
CtClass ct = cp.makeClass(new
ByteArrayInputStream(classfileBuffer));
transformClass(ct, cp);
return ct.toBytecode();
}
}

12. j.l.instrument.ClassFileTransformer
new ClassFileTransformer() {
public byte[] transform(ClassLoader loader, String className,
Class<?>classBeingRedefined,
ProtectionDomain protectionDomain,
byte[] classfileBuffer){
ClassPool cp = ClassPool.getDefault();
CtClass ct = cp.makeClass(new
ByteArrayInputStream(classfileBuffer));
transformClass(ct, cp);
return ct.toBytecode();
}
}

13. Javassist
1-2-3

14. Javassist
• Bytecode manipulation made easy
• Source-level and bytecode-level API
• Uses the vocabulary of Java language
• On-the-fly compilation of the injected code
• http://www.jboss.org/javassist

15. Adding Interfaces
ClassPool cp = ClassPool.getDefault();
CtClass ct = cp.get("org.geecon.Alarm");
ct.addInterface(cp.get(Listener.class.getName()));
ct.addMethod(CtNewMethod.make("public void fire(){ alert(); }", ct));
public class Alarm { public interface Listener {
void alert() {} void fire();
} }

16. Adding Interfaces
ClassPool cp = ClassPool.getDefault();
CtClass ct = cp.get("org.geecon.Alarm");
ct.addInterface(cp.get(Listener.class.getName()));
ct.addMethod(CtNewMethod.make("public void fire(){ alert(); }", ct));
public class Alarm { public interface Listener {
void alert() {} void fire();
} }

17. Adding Interfaces
ClassPool cp = ClassPool.getDefault();
CtClass ct = cp.get("org.geecon.Alarm");
ct.addInterface(cp.get(Listener.class.getName()));
ct.addMethod(CtNewMethod.make("public void fire(){ alert(); }", ct));
public class Alarm { public interface Listener {
void alert() {} void fire();
} }

18. Adding Interfaces
ClassPool cp = ClassPool.getDefault();
CtClass ct = cp.get("org.geecon.Alarm");
ct.addInterface(cp.get(Listener.class.getName()));
ct.addMethod(CtNewMethod.make("public void fire(){ alert(); }", ct));
public class Alarm { public interface Listener {
void alert() {} void fire();
} }

19. Simple AOP
ProxyFactory pf = new ProxyFactory();
pf.setSuperclass(Notifier.class);
pf.setFilter(new MethodFilter() { … });
Notifier notifier = (Notifier) pf.createClass().newInstance();
((ProxyObject) notifier).setHandler(new MethodHandler() { … });
System.out.println("calling on()");
notifier.on(); public class Notifier {
System.out.println("calling off()"); public void on(){ }
notifier.off();
@Pointcut
public void off(){}
}

20. Intercept Statements
ClassPool pool = ClassPool.getDefault();
CtClass ct = pool.get("org.geecon.PaymentMachine");
ct.getDeclaredMethod("process")
.instrument(new ExprEditor() {
public void edit(NewExpr e)
throws CannotCompileException {
e.replace("$_ = $proceed($$);");
}
});

21. JRebel SDK
Ö_õ

22. IDEs Containers Frameworks
Build Tools
More at http://www.jrebel.com/features