├── .gitattributes
├── .gitignore
├── README.md
├── pom.xml
└── src
    └── main
        └── java
            └── dev
                └── sim0n
                    └── antiagent
                        └── Example.java


/.gitattributes:
--------------------------------------------------------------------------------
 1 | # Set default behaviour, in case users don't have core.autocrlf set.
 2 | * text=auto
 3 | 
 4 | # Explicitly declare text files we want to always be normalized and converted
 5 | # to native line endings on checkout.
 6 | *.java text
 7 | *.xml text
 8 | *.yml text
 9 | README.md text
10 | 
11 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Eclipse stuff
 2 | .classpath
 3 | .project
 4 | .settings/
 5 | 
 6 | # netbeans
 7 | nbproject/
 8 | nbactions.xml
 9 | 
10 | # we use maven!
11 | build.xml
12 | 
13 | # maven
14 | target/
15 | dependency-reduced-pom.xml
16 | 
17 | # vim
18 | .*.sw[a-p]
19 | 
20 | # various other potential build files
21 | build/
22 | bin/
23 | dist/
24 | manifest.mf
25 | 
26 | # Mac filesystem dust
27 | .DS_Store/
28 | 
29 | # intellij
30 | *.iml
31 | *.ipr
32 | *.iws
33 | .idea/
34 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## anti-java-agent
2 | This is a basic example of preventing instrumentation via attaching a [Java Agent](https://docs.oracle.com/javase/7/docs/api/java/lang/instrument/package-summary.html). This can be bypassed pretty easily but should still prevent the skids.
3 | 
4 | ### How does it work?
5 | It works by loading our own class, which is a fake of Sun's Java side JPLIS implementation. Now, to make sure we always create that class we need to make sure no one is loading an agent at the start, so we check the VM options before we load our class.


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |     <!-- Project information -->
 8 |     <groupId>dev.sim0n</groupId>
 9 |     <artifactId>anti-java-agent</artifactId>
10 |     <version>1.0-SNAPSHOT</version>
11 | 
12 |     <name>anti-java-agent</name>
13 | 
14 |     <!-- Build Configuration -->
15 |     <build>
16 |         <plugins>
17 |             <plugin>
18 |                 <groupId>org.apache.maven.plugins</groupId>
19 |                 <artifactId>maven-compiler-plugin</artifactId>
20 |                 <version>3.8.0</version>
21 |                 <configuration>
22 |                     <source>8</source>
23 |                     <target>8</target>
24 |                 </configuration>
25 |             </plugin>
26 | 
27 |             <plugin>
28 |                 <groupId>org.apache.maven.plugins</groupId>
29 |                 <artifactId>maven-jar-plugin</artifactId>
30 |                 <configuration>
31 |                     <archive>
32 |                         <manifest>
33 |                             <mainClass>dev.sim0n.antiagent.Example</mainClass>
34 |                         </manifest>
35 |                     </archive>
36 |                 </configuration>
37 |             </plugin>
38 |         </plugins>
39 |     </build>
40 | 
41 |     <!-- Additional Properties -->
42 |     <properties>
43 |         <maven.compiler.source>8</maven.compiler.source>
44 |         <maven.compiler.target>8</maven.compiler.target>
45 |     </properties>
46 | 
47 | </project>


--------------------------------------------------------------------------------
/src/main/java/dev/sim0n/antiagent/Example.java:
--------------------------------------------------------------------------------
 1 | package dev.sim0n.antiagent;
 2 | 
 3 | import sun.misc.Unsafe;
 4 | 
 5 | import java.lang.management.ManagementFactory;
 6 | import java.lang.reflect.Field;
 7 | import java.util.Arrays;
 8 | import java.util.List;
 9 | import java.util.Optional;
10 | 
11 | public class Example {
12 |     private static final List<String> BAD_INPUT_FLAGS = Arrays.asList(
13 |             "-javaagent",
14 |             "-agentlib"
15 |     );
16 | 
17 |     private static final byte[] EMPTY_CLASS_BYTES =
18 |             {
19 |                     -54, -2, -70, -66, 0, 0, 0, 49, 0, 5, 1, 0, 34, 115, 117, 110,
20 |                     47, 105, 110, 115, 116, 114, 117, 109, 101, 110, 116, 47, 73,
21 |                     110, 115, 116, 114, 117, 109, 101, 110, 116, 97, 116, 105, 111,
22 |                     110, 73, 109, 112, 108, 7, 0, 1, 1, 0, 16, 106, 97, 118, 97, 47,
23 |                     108, 97, 110, 103, 47, 79, 98, 106, 101, 99, 116, 7, 0, 3, 0, 1,
24 |                     0, 2, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0
25 |             };
26 | 
27 |     public static void main(String[] args) {
28 |         Optional<String> inputFlag = ManagementFactory.getRuntimeMXBean().getInputArguments().stream()
29 |                 .filter(input -> BAD_INPUT_FLAGS.stream().anyMatch(input::contains))
30 |                 .findFirst();
31 | 
32 |         // if there's a bad input flag present in the vm options
33 |         // then InstrumentationImpl will already have been loaded
34 |         if (inputFlag.isPresent()) {
35 |             throw new IllegalArgumentException(String.format("Bad VM option \"%s\"", inputFlag.get()));
36 |         }
37 | 
38 |         Unsafe unsafe = Example.getUnsafe();
39 | 
40 |         unsafe.defineClass("sun.instrument.InstrumentationImpl", EMPTY_CLASS_BYTES, 0, EMPTY_CLASS_BYTES.length, null, null);
41 | 
42 |         // this is for testing purposes to make sure it's actually loaded
43 |         try {
44 |             Class.forName("sun.instrument.InstrumentationImpl");
45 |         } catch (ClassNotFoundException e) {
46 |             e.printStackTrace();
47 |         }
48 |     }
49 | 
50 |     private static Unsafe getUnsafe() {
51 |         try {
52 |             Field unsafeField = Unsafe.class.getDeclaredField("theUnsafe");
53 | 
54 |             unsafeField.setAccessible(true);
55 | 
56 |             return (Unsafe) unsafeField.get(null);
57 |         } catch (NoSuchFieldException | IllegalAccessException e) {
58 |             e.printStackTrace();
59 |             return null;
60 |         }
61 |     }
62 | }
63 | 


--------------------------------------------------------------------------------