ldemidov / javasnoop

Automatically exported from code.google.com/p/javasnoop

Wishful Thinking: "Packet Capture"-ish functionality #10

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

What is the expected output? What do you see instead?
It would be awesome to somehow hook everything automatically and dump 
somewhere. Being on the slow bus, I have no idea what functions or methods I 
want to hook initially. If I could somehow dump everything from point A to B 
and then offline search, JavaSnoop would make me that much more happy. It makes 
me happy as is. I'm just a bit sullen at the moment and javasnoop would help me 
get out of my rut.

What version of the product are you using? On what operating system?
1.0 FINAL, WinXP SP3

Please provide any additional information below.
I still love Arshan even if he doesn't want to implement this.

Original issue reported on code.google.com by jon.pas...@aspectsecurity.com on 18 Jan 2011 at 7:55

GoogleCodeExporter commented 9 years ago
I'm not sure what you mean. You want to record every movement of the JVM? I 
think a good next step would be to attach to the program with VisualVM (which 
uses JVMTI instrumentation, which is much faster). Then take a heap dump 
snapshot, and walk around and see what classes/instances are there and maybe 
even query them with OQL (another cheap sort of canary mode to find your data).

Original comment by arshan.d...@gmail.com on 21 Jan 2011 at 4:15

GoogleCodeExporter commented 9 years ago
Here's the problem and goal. I'm looking at a brand new application in a black 
box setting. I perform some business function with the application, say buy 
widget Foo. I would like to understand all of the method calls that happen when 
I click on Foo to buy it.

Perhaps I could click on a "Start Dump" button. From that point, every method 
call is logged. I click on the app's Buy button. Then I click on "Stop Dump". I 
know there would be a lot of GUI methods called. But, this allows me to search 
through the log to see the magical method that fired when I initiated the 
purchase. From there, I can hook as normal.

It's this analysis time that's a pain. The current procedure is to hope that 
the application's methods are in English and search for "buy" in functions. 
Then hook the ones that seem intuitive. Dump to console / file. Review dumps. 
Keep on doing this until the magical method is found. Sometimes this is easy to 
do. But on an app I'm reviewing right now it's tedious.

Or, maybe there's a better process I can follow?

Original comment by jon.pas...@aspectsecurity.com on 21 Jan 2011 at 4:41

GoogleCodeExporter commented 9 years ago
Well, ideally your process includes decompiling the code into an IDE and using 
your regular whitebox analysis techniques. I think you'd like the heap dump I 
discussed - give it a shot.

Obfuscated code, however, is altogether different.

Original comment by arshan.d...@gmail.com on 23 Jan 2011 at 9:50

GoogleCodeExporter commented 9 years ago
It sounds like what you need is a canary mode that works, but didn't for your 
app. Another note - canary mode hooks many, many methods - probably 10-20% on 
average if I had to guess, and it's extremely slow. Hooking all the methods in 
the JVM might bring the entire thing to a crawl.

Original comment by arshan.d...@gmail.com on 23 Jan 2011 at 9:53
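Added example, not JavaSnoop's own code and not written by anyone in this thread: a small java.lang.instrument agent that gives the "Start Dump" / "Stop Dump" workflow described in the 21 Jan comment, while keeping the overhead Arshan warns about bounded by instrumenting only classes under a package prefix passed as the agent argument. Assumptions made here: the ASM library (org.objectweb.asm) is bundled in the agent jar, the jar manifest carries `Premain-Class: TraceAgent`, the marker file name `trace.on`, the log file name `javasnoop-trace.log` and the class name `TraceAgent` are arbitrary choices, and the application class loaders delegate to the system loader so injected calls can resolve `TraceAgent`.

```java
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.ProtectionDomain;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

/**
 * Added example (not part of JavaSnoop). Records the first entry into every
 * instrumented method while the marker file trace.on exists (assumed name).
 * Launch: java -javaagent:traceagent.jar=com.example.shop -jar app.jar
 * The agent argument is the package prefix to instrument; an empty prefix
 * means everything outside the JDK, ASM and this agent (assumption).
 */
public final class TraceAgent {
    private static final Path MARKER = Paths.get("trace.on"); // touch = start, delete = stop
    private static final Set<String> seen = ConcurrentHashMap.newKeySet();
    public static volatile boolean recording = false;
    private static PrintWriter out;

    /** Hook invoked by the injected bytecode at the top of every instrumented method. */
    public static void enter(String signature) {
        if (!recording) return;
        // First sighting only: the goal is to discover which methods fire, not to count calls.
        if (seen.add(signature)) {
            out.println(Thread.currentThread().getName() + " " + signature);
        }
    }

    public static void premain(String args, Instrumentation inst) throws IOException {
        final String prefix = (args == null) ? "" : args.trim().replace('.', '/');
        out = new PrintWriter(new FileWriter("javasnoop-trace.log", true), true);
        startMarkerWatcher();
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String name, Class<?> cls,
                                    ProtectionDomain pd, byte[] bytes) {
                if (name == null || !shouldInstrument(name, prefix)) return null;
                ClassReader cr = new ClassReader(bytes);
                // Pass the reader so existing stack-map frames are copied; we add no branches,
                // so they stay valid and only max stack needs recomputing.
                ClassWriter cw = new ClassWriter(cr, ClassWriter.COMPUTE_MAXS);
                cr.accept(new EntryInjector(cw, name), 0);
                return cw.toByteArray();
            }
        });
    }

    static boolean shouldInstrument(String internalName, String prefix) {
        if (!internalName.startsWith(prefix)) return false;
        return !(internalName.startsWith("java/") || internalName.startsWith("javax/")
              || internalName.startsWith("sun/") || internalName.startsWith("jdk/")
              || internalName.startsWith("org/objectweb/asm/")
              || internalName.equals("TraceAgent") || internalName.startsWith("TraceAgent$"));
    }

    /** Polls the marker file so the tester can start and stop the dump from a shell. */
    private static void startMarkerWatcher() {
        Thread t = new Thread(() -> {
            while (true) {
                boolean on = Files.exists(MARKER);
                if (on && !recording) { seen.clear(); out.println("--- start ---"); }
                if (!on && recording) out.println("--- stop ---");
                recording = on;
                try { Thread.sleep(250); } catch (InterruptedException e) { return; }
            }
        }, "trace-marker-watcher");
        t.setDaemon(true);
        t.start();
    }

    /** Prepends TraceAgent.enter("owner.method(desc)") to every concrete method body. */
    static final class EntryInjector extends ClassVisitor {
        private final String owner;
        EntryInjector(ClassVisitor next, String owner) { super(Opcodes.ASM9, next); this.owner = owner; }

        @Override
        public MethodVisitor visitMethod(int access, String mname, String desc, String sig, String[] exc) {
            MethodVisitor mv = super.visitMethod(access, mname, desc, sig, exc);
            if (mv == null || (access & (Opcodes.ACC_ABSTRACT | Opcodes.ACC_NATIVE)) != 0) return mv;
            final String label = owner.replace('/', '.') + "." + mname + desc;
            return new MethodVisitor(Opcodes.ASM9, mv) {
                @Override
                public void visitCode() {
                    super.visitCode();
                    // A static call with a constant argument is legal even before super()
                    // in a constructor, so <init> methods are traced as well.
                    visitLdcInsn(label);
                    visitMethodInsn(Opcodes.INVOKESTATIC, "TraceAgent", "enter",
                                    "(Ljava/lang/String;)V", false);
                }
            };
        }
    }
}
```

Usage: start the target with the agent, `touch trace.on`, click the application's Buy button, `rm trace.on`, then grep `javasnoop-trace.log` for the handful of application methods that appeared between the `--- start ---` and `--- stop ---` markers; those are the candidates to hook in JavaSnoop. Two design choices keep this usable on a real application: the package prefix means Swing, the JDK and third-party libraries are never rewritten, and the first-sighting filter keeps the log to one line per method rather than one line per call, which is what you need to find the method, not to profile it.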

GoogleCodeExporter commented 9 years ago

Original comment by arshan.d...@gmail.com on 24 Feb 2011 at 6:33