Java Agent通灵之术
一、概述
1、通灵之术
通灵之术:在《火影忍者》中,通灵之术,属于时空间忍术的一种。
如下图,可以召唤通灵兽。
那么,"通灵之术",在Java领域,代表什么意思呢?
就是将正在运行的JVM当中的class进行导出。
借助Java Agent将class文件从JVM当中导出。
HelloWorld.class在JVM中运行,通过Java Agent把 HelloWorld.class从JVM中下载出来。
2、Java Agent
曾经有一篇文章《Retrieving .class files from a running app》,最初是发表在Sun公司的网站,后来转移到了Oracle的网站,再后来就从Oracle网站消失了。
Sometimes it is better to dump .class files of generated/modified classes for off-line debugging - for example, we may want to view such classes using tools like jclasslib.
===============================================================
ClassDumpAgent.java
import java.lang.instrument.Instrumentation;
import java.lang.instrument.UnmodifiableClassException;
import java.util.ArrayList;
import java.util.List;
/**
* This is a java.lang.instrument agent to dump .class files
* from a running Java application.
*/
public class ClassDumpAgent {
public static void premain(String agentArgs, Instrumentation inst) {
agentmain(agentArgs, inst);
}
/**
*
* @param agentArgs:输出路径/正则表达式
* @param inst:JVM传参
*/
@SuppressWarnings("rawtypes")
public static void agentmain(String agentArgs, Instrumentation inst) {
System.out.println("agentArgs: " + agentArgs);
ClassDumpUtils.parseArgs(agentArgs);
inst.addTransformer(new ClassDumpTransformer(), true);
// by the time we are attached, the classes to be
// dumped may have been loaded already.
// So, check for candidates in the loaded classes.
Class[] classes = inst.getAllLoadedClasses();
List<Class> candidates = new ArrayList<>();
for (Class c : classes) {
String className = c.getName();
// 第一步,排除法:不考虑JDK自带的类
if (className.startsWith("java")) continue;
if (className.startsWith("javax")) continue;
if (className.startsWith("jdk")) continue;
if (className.startsWith("sun")) continue;
if (className.startsWith("com.sun")) continue;
// 第二步,筛选法:只留下感兴趣的类(正则表达式匹配)
boolean isModifiable = inst.isModifiableClass(c);
boolean isCandidate = ClassDumpUtils.isCandidate(className);
if (isModifiable && isCandidate) {
candidates.add(c);
}
// 不重要:打印调试信息
String message = String.format("[DEBUG] Loaded Class: %s ---> Modifiable: %s, Candidate: %s", className, isModifiable, isCandidate);
System.out.println(message);
}
try {
// 第三步,将具体的class进行dump操作
// if we have matching candidates, then retransform those classes
// so that we will get callback to transform.
if (!candidates.isEmpty()) {
inst.retransformClasses(candidates.toArray(new Class[0]));
// 不重要:打印调试信息
String message = String.format("[DEBUG] candidates size: %d", candidates.size());
System.out.println(message);
}
}
catch (UnmodifiableClassException ignored) {
}
}
}ClassDumpTransformer.java
import java.lang.instrument.ClassFileTransformer;
import java.security.ProtectionDomain;
public class ClassDumpTransformer implements ClassFileTransformer {
@SuppressWarnings("rawtypes")
public byte[] transform(ClassLoader loader,
String className,
Class redefinedClass,
ProtectionDomain protDomain,
byte[] classBytes) {
// check and dump .class file
if (ClassDumpUtils.isCandidate(className)) {
ClassDumpUtils.dumpClass(className, classBytes);
}
// we don't mess with .class file, just return null
return null;
}
}ClassDumpUtils.java
import java.io.File;
import java.io.FileOutputStream;
import java.util.regex.Pattern;
public class ClassDumpUtils {
// directory where we would write .class files
// .class 输出路径
private static String dumpDir;
// classes with name matching this pattern will be dumped
// 正则表达式
private static Pattern classes;
// parse agent args of the form arg1=value1,arg2=value2
public static void parseArgs(String agentArgs) {
if (agentArgs != null) {
String[] args = agentArgs.split(",");
for (String arg : args) {
String[] tmp = arg.split("=");
if (tmp.length == 2) {
String name = tmp[0];
String value = tmp[1];
if (name.equals("dumpDir")) {
dumpDir = value;
}
else if (name.equals("classes")) {
classes = Pattern.compile(value);
}
}
}
}
if (dumpDir == null) {
dumpDir = ".";
}
if (classes == null) {
classes = Pattern.compile(".*");
}
System.out.println("[DEBUG] dumpDir: " + dumpDir);
System.out.println("[DEBUG] classes: " + classes);
}
public static boolean isCandidate(String className) {
// ignore array classes
if (className.charAt(0) == '[') {
return false;
}
// convert the class name to external name
className = className.replace('/', '.');
// check for name pattern match
return classes.matcher(className).matches();
}
public static void dumpClass(String className, byte[] classBuf) {
try {
// create package directories if needed
className = className.replace("/", File.separator);
StringBuilder buf = new StringBuilder();
buf.append(dumpDir);
buf.append(File.separatorChar);
int index = className.lastIndexOf(File.separatorChar);
if (index != -1) {
String pkgPath = className.substring(0, index);
buf.append(pkgPath);
}
String dir = buf.toString();
new File(dir).mkdirs();
// write .class file
String fileName = dumpDir + File.separator + className + ".class";
FileOutputStream fos = new FileOutputStream(fileName);
fos.write(classBuf);
fos.close();
System.out.println("[DEBUG] FileName: " + fileName);
}
catch (Exception ex) {
ex.printStackTrace();
}
}
}manifest.txt
Premain-Class: ClassDumpAgent
Agent-Class: ClassDumpAgent
Can-Redefine-Classes: true
Can-Retransform-Classes: true
注意:在结尾处添加一个空行。
===>编译打包
把上面文件放到同目录下,进行编译,打包生成classdumper.jar文件。
1、进行编译
javac src/ClassDump*.java
2、在Windows操作系统,如果遇到错误: 编码GBK的不可映射字符
3、可以添加-encoding选项:
javac -encoding UTF-8 src/ClassDump*.java
4、生成jar文件
jar -cvfm classdumper.jar manifest.txt ClassDump*.class3、测试代码
HelloWorld.java
public class HelloWorld {
public static int add(int a,int b) {
return a + b;
}
public static int sub(int a,int b) {
return a - b;
}
}Program.java---->测试启动程序
import java.lang.management.ManagementFactory;
import java.util.Random;
import java.util.concurrent.TimeUnit;
public class Program {
public static void main(String[] args) throws InterruptedException {
//打印进程ID
String runningMxName = ManagementFactory.getRuntimeMXBean().getName();
System.out.println(runningMxName);
int count = 600;
for (int i = 0; i < count; i++) {
String info = String.format("|%03d| %s remains %03d seconds", i,runningMxName,(count - i));
System.out.println(info);
Random rand = new Random(System.currentTimeMillis());
int a = rand.nextInt(10);
int b = rand.nextInt(10);
boolean flag = rand.nextBoolean();
String message;
if (flag) {
message = String.format("a + b = %d", HelloWorld.add(a, b));
}else {
message = String.format("a - b = %d", HelloWorld.sub(a, b));
}
System.out.println(message);
TimeUnit.SECONDS.sleep(1);
}
}
}此测试代码,可以编译运行,可以在idea/eclipse中运行。
4、Tools Attach
将一个Agent Jar与一个正在运行的java程序建立联系,需要用到Attach机制:
Agent Jar ---> Tools Attach ---> JAVA运行程序(JVM)
与Attach机制相关的类,定义在tools.jar文件:
JDK_HOME/lib/tools.jarAttach.java-->启动需要传3个参数:
<pid> <agent-jar-full-path> [<agent-args>]
进程ID agent打包jar全路径 参数:.class出力路径,正则表达式限制.class条件
import com.sun.tools.attach.VirtualMachine;
/**
* Simple attach-on-demand client tool
* that loads the given agent into the given Java process.
*/
public class Attach {
public static void main(String[] args) throws Exception {
if (args.length < 2) {
System.out.println("usage: java Attach <pid> <agent-jar-full-path> [<agent-args>]");
System.exit(1);
}
// JVM is identified by process id (pid).
VirtualMachine vm = VirtualMachine.attach(args[0]);
String agentArgs = (args.length > 2) ? args[2] : null;
// load a specified agent onto the JVM
vm.loadAgent(args[1], agentArgs);
vm.detach();
System.out.println("complete");
}
}此Attach代码,可以编译运行,也可以在idea/eclipse中运行。
需要引入jar包JDK_HOME/lib/tools.jar
编译
# 编译(Linux)
$ javac -cp "${JAVA_HOME}/lib/tools.jar":. Attach.java
# 编译(MINGW64)
$ javac -cp "${JAVA_HOME}/lib/tools.jar"\;. Attach.java
# 编译(Windows)
$ javac -cp "%JAVA_HOME%/lib/tools.jar";. Attach.java 运行
# 运行(Linux)
java -cp "${JAVA_HOME}/lib/tools.jar":. Attach <pid> <full-path-of-classdumper.jar> dumpDir=<dir>,classes=<name-pattern>
# 运行(MINGW64)
java -cp "${JAVA_HOME}/lib/tools.jar"\;. Attach <pid> <full-path-of-classdumper.jar> dumpDir=<dir>,classes=<name-pattern>
# 运行(Windows)
java -cp "%JAVA_HOME%/lib/tools.jar";. Attach <pid> <full-path-of-classdumper.jar> dumpDir=<dir>,classes=<name-pattern>示例:
# 运行(Windows)
java -cp "%JAVA_HOME%/lib/tools.jar";. Attach <pid> D:/dev/classdumper.jar dumpDir=D:/dev/out,classes=lwz\.HelloWorldeclipse中 右键--->Run As--->Run Configurations...--->Arguments--->Program arguments:
输入:<pid> D:/dev/classdumper.jar dumpDir=D:/dev/out,classes=lwz\.HelloWorld
-----------------------------------------------------------------------------
<pid>为:Program.java---->测试启动程序,日志中进程ID,如下则是:3696
3696@MS-SKYFSYTUHFPM
|000| 3696@MS-SKYFSYTUHFPM remains 600 seconds
a + b = 9
|001| 3696@MS-SKYFSYTUHFPM remains 599 seconds
a - b = 0
|002| 3696@MS-SKYFSYTUHFPM remains 598 seconds
a - b = 2-----------------------------------------------------------------------------
测试过程中遇到的问题:
D:\dev\javaAgent\out>java -cp "%JAVA_HOME%/lib/tools.jar";. Attach 16716 D:/dev/classdumper.jar dumpDir=D:/dev/out,classes=lwz\.HelloWorld
java.util.ServiceConfigurationError: com.sun.tools.attach.spi.AttachProvider: Provider sun.tools.attach.WindowsAttachProvider could not be instantiated
Exception in thread "main" com.sun.tools.attach.AttachNotSupportedException: no providers installed
at com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:203)
at Attach.main(Attach.java:15)解决方式:${JAVA_HOME}/jre/bin/attach.dll 文件没有找到,将这个文件复制到${JAVA_HOME}/bin/目录下即可;前提是${JAVA_HOME}/bin/目录已经加入到操作系统的path环境变量下;
5、总结
第一点,主要功能。从功能的角度来讲,是如何从一个正在运行的JVM当中将某一个class文件导出到磁盘上。
第二点,实现方式。从实现方式上来说,是借助于Java Agent和正则表达式(区配类名)来实现功能。
第三点,注意事项。在Java 8的环境下,想要将Agent Jar加载到一个正在运行的JVM当中,需要用到tools.jar。
天下事有难易乎?为之,则难者亦易矣;不为,则易者亦难矣。
今天多学一份本事,明天少说一句求人的话。