I have a question regarding JVM environment settings. I have injected a Java agent into the JAVA_TOOL_OPTIONS environment variable setting to monitor Java applications. Now some Java applications detect that a Java agent is present in JAVA_TOOL_OPTIONS and they do not behave normally.
Now my questions:

  1. Is there any other place in the JVM's settings where I can hide my Java agent? What is that place?

  2. Can I modify the visibility or accessibility of my Java agent into a hidden mode for Java applications?

Michael
  • What exactly are you trying to accomplish? Why is "hiding" an instrumentation agent important? – brettw Nov 20 '13 at 12:58
  • I am working on an OS which is installed in a virtual machine. And now I have submitted malicious samples and they are not executing because through this agent they gain information, and these samples are pointing the Java agent. If I run the same sample on a real machine it executes nicely. Now all I need is to find another location where I can place my Java agent, instead of JAVA_TOOL_OPTIONS – Muhammad Abdullah Nov 20 '13 at 13:07
  • It sounds like you are trying to do something malicious or possibly illegal. I don't think that any normal application would be trying to "detect" that a Java instrumentation agent is running. What kind of applications are these and what is the purpose of your agent? – brettw Nov 20 '13 at 13:13
  • I am trying to grab malicious files, not trying to create them. I have a malicious file which didn't execute due to the Java agent on the virtual machine. Now I am trying to hide the Java agent in some other place so that I can check the result and allow the file to execute normally in the virtual system. – Muhammad Abdullah Nov 20 '13 at 13:16
  • The file which I am trying in this experiment is a malicious file. Now at this time I am almost stuck, I am unable to find a suitable solution for this. And again the main question remains the same: is there a possible way to hide (change the visibility of) the Java agent from other applications so that they can't find whether this is a real system or a virtual system? – Muhammad Abdullah Nov 20 '13 at 13:22
  • Just in case anyone came here for the inverse - it's easy to sniff the JVM args (http://stackoverflow.com/a/1531999/573057) to detect the agent param (obvious proviso that the cunning ASM answer below isn't used) – earcam Oct 24 '15 at 00:19

1 Answer

You do not have to load your agent at startup; it can be loaded dynamically at runtime. See this article in the section called "Dynamic loading of a javaagent at runtime".

brettw
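
The dynamic loading described in the answer above, as an added example that is not part of the original answer or the linked article: a monitor-side launcher that uses the JDK Attach API (`com.sun.tools.attach`) to load an agent into a JVM that is already running, so nothing is placed in JAVA_TOOL_OPTIONS or on the command line. The class name `AttachMonitor`, the jar name `monitor.jar` and the logging transformer are hypothetical; the jar's manifest is assumed to declare `Agent-Class: AttachMonitor`.

```java
// AttachMonitor.java: added example; class name, jar path and options are hypothetical.
// The jar manifest needs the line:  Agent-Class: AttachMonitor
import com.sun.tools.attach.VirtualMachine;
import com.sun.tools.attach.VirtualMachineDescriptor;
import java.io.File;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;

public class AttachMonitor {
    // Runs inside the target JVM after loadAgent(); nothing is set at its startup.
    public static void agentmain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String className,
                                    Class<?> redefined, ProtectionDomain pd, byte[] buf) {
                System.err.println("[monitor] loaded " + className);
                return null; // null = leave the class bytes unchanged
            }
        });
    }

    // Runs in the analyst's own JVM: java -cp monitor.jar AttachMonitor <pid> monitor.jar
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            // No target given: list the JVMs visible to this user.
            for (VirtualMachineDescriptor d : VirtualMachine.list()) {
                System.out.println(d.id() + "\t" + d.displayName());
            }
            System.err.println("usage: AttachMonitor <pid> <agent.jar> [options]");
            return;
        }
        File jar = new File(args[1]);
        if (!jar.isFile()) {
            throw new IllegalArgumentException("agent jar not found: " + jar);
        }
        VirtualMachine vm = VirtualMachine.attach(args[0]); // same OS user as the target
        try {
            // The target resolves the path itself, so pass it as absolute;
            // the optional third argument is handed to agentmain as agentArgs.
            vm.loadAgent(jar.getAbsolutePath(), args.length > 2 ? args[2] : null);
        } finally {
            vm.detach();
        }
    }
}
```

On JDK 8 the Attach API is in `tools.jar`, and on JDK 9 and later it is in the `jdk.attach` module. A JVM started with `-XX:+DisableAttachMechanism` refuses attachment, and JDK 21 and later print a warning when an agent is loaded this way.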