利用反射hacking java程序

最新推荐文章于 2021-08-09 16:44:30 发布

江南一风

最新推荐文章于 2021-08-09 16:44:30 发布

阅读量180

点赞数

CC 4.0 BY-SA版权

分类专栏：编程语言机制 Java虚拟机 Hacking Java 文章标签： jvm reflect hack

本文链接：https://blog.youkuaiyun.com/dintau/article/details/84184656

编程语言机制同时被 3 个专栏收录

7 篇文章

订阅专栏

Java虚拟机

1 篇文章

订阅专栏

Hacking Java

1 篇文章

订阅专栏

本文介绍如何使用Java反射机制调用私有方法、创建单例类的新实例以及修改私有静态字段等内容。通过具体示例展示了反射的强大功能。

一般来说，client程序不能直接调用private方法，但是通过反射，可以实现。


package chentao;

public class A
{
	private static String getPassword() {
		return "call the method!";
	}
}

package chentao;

import java.lang.reflect.InvocationTargetException;

public class Test
{

	/**
	 * @param args
	 * @throws ClassNotFoundException 
	 * @throws InvocationTargetException 
	 * @throws IllegalAccessException 
	 * @throws IllegalArgumentException 
	 */
	public static void main(String[] args) throws ClassNotFoundException, IllegalArgumentException, IllegalAccessException, InvocationTargetException
	{
		// ERROR
		/*String password = A.getPassword();
		System.out.println("I got it:" + password);*/

		Class cl = Class.forName("chentao.A");
		java.lang.reflect.Method[] m = cl.getDeclaredMethods();
		m[0].setAccessible(true);
		String password = (String) m[0].invoke(null, null);
		System.out.println("I got it:" + password);

	}	
}

/*output:
I got it:call the method!*/

OK，singleton模式可以保证获取的实例唯一性，下面通过反射可以改变这一限制。


package chentao;

public class B
{
	public static final B singleton = new B("I'm the only instance of class B");
	private String name; 
	private B(String name) {
	    this.name = name;
	}
	public String toString() {
	    return this.name;
	}
}
package chentao;

package chentao;

import java.lang.reflect.InvocationTargetException;

public class TestB
{

	/**
	 * @param args
	 * @throws ClassNotFoundException 
	 * @throws InvocationTargetException 
	 * @throws IllegalAccessException 
	 * @throws IllegalArgumentException 
	 * @throws InstantiationException 
	 */
	public static void main(String[] args) throws ClassNotFoundException, IllegalArgumentException, IllegalAccessException, InvocationTargetException, InstantiationException
	{
		Class cl = Class.forName("chentao.B");
		java.lang.reflect.Constructor[] c = cl.getDeclaredConstructors();
		c[0].setAccessible(true);
		B anotherB  = (B) c[0].newInstance(new Object[]{"Not anymore!!"});
		System.out.println(B.singleton);
		System.out.println(anotherB);
	}	
}

/*output:
	I'm the only instance of class B
	Not anymore!!
	*/

最后一个例子，Runtime类有一个private static field用来表示当前的runtime实例。我们首先获得当前的runtime实例并打印。然后，因为currentRuntime在class初始化时会被初始化，所以我们设置Runtime.currentRuntime静态域为null，为了验证这次修改，我们再次获取runtime实例并打印。最后，我们通过当前runtime实例调用dos命令dir试试看...


package chentao;

import java.lang.reflect.InvocationTargetException;

public class TestRuntime
{

	/**
	 * @param args
	 * @throws ClassNotFoundException 
	 * @throws InvocationTargetException 
	 * @throws IllegalAccessException 
	 * @throws IllegalArgumentException 
	 * @throws InstantiationException 
	 */
	public static void main(String[] args) throws Exception
	{
		Runtime r = Runtime.getRuntime();
		System.out.println("Before: Runtime.getRuntime() yields " + r);

		Class cl = Class.forName("java.lang.Runtime");
		java.lang.reflect.Field f = cl.getDeclaredField("currentRuntime");
		f.setAccessible(true);
		f.set(null, null);

		r = Runtime.getRuntime();
		System.out.println("After: Runtime.getRuntime() yields " + r);

		r.exec("dir"); //raises NullPointerException!!

	}	
}

/*Output:

	 Before: Runtime.getRuntime() yields java.lang.Runtime@cac268
	 After: Runtime.getRuntime() yields null
	 Exception in thread "main" java.lang.NullPointerException
	       at Test.main(Test.java:59)
	 */