The agent library is just a DLL that needs to export an Agent_OnLoad<\/em> function. I quickly prepared a test DLL with a dummy export and got it to load as shown below:<\/p>\n So, the first takeaway is that if there is java.exe on the system, you can use it to load unsigned DLL, same way as xwizards<\/a>, and tones of other similar tricks from @subtee<\/a>.<\/p>\n Having a way to load DLL is one thing, being able to load it persistently is another.<\/p>\n This is where JAVA_TOOL_OPTIONS<\/a> environment variable comes handy.<\/p>\n Once you set it to f.ex.:<\/p>\n the library will be loaded anytime java.exe starts.<\/p>\n Obviously, these errors shown on the screenshots is just me being lazy – my dummy library should return appropriate value for the java.exe to be happy about, and so it can actually continue the execution. Ignoring that, the second takeaway is that as long as you make the JAVA_TOOL_OPTIONS variable persistent f.ex. via the Registry:<\/p>\n – the library will be loaded anytime java.exe starts.<\/p>\n The JAVA_TOOL_OPTIONS has a few undocumented sibling variables called _JAVA_OPTIONS and IBM_JAVA_OPTIONS as explained here<\/a>. These can be leveraged as well. The Windows Java version I tested (jre1.8.0_144) refers to _JAVA_OPTIONS during the start-up, so you can add persistence via this Registry entry:<\/p>\n I have not confirmed the below, but I guess there are other options for toying around with persistence using Java. Looking at the CLI help we can see the following possible avenues for exploration:<\/p>\n There is also another variable worth looking at: _ALT_JAVA_HOME_DIR. By changing it, you can manipulate the path that Java Virtual Machine uses while it is looking for Java Run-Time Environment. This may open some possibilities for companion virus-like persistence.<\/p>\n","protected":false},"excerpt":{"rendered":" Looking for new ways to load code persistently I had a quick glance at Java. While it may not be present on all systems, it’s out there on at least 3 billions devices (so the ad claims). The first thing … Continue reading \n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/09\/javaagent.png\")
<\/a><\/p>\n\n
<\/a><\/p>\nset JAVA_TOOL_OPTIONS=-agentpath:c:\\Test\\javaagent.dll<\/pre>\n
<\/a><\/p>\nHKCU\\Environment\\JAVA_TOOL_OPTIONS=\r\n-agentpath:c:\\Test\\javaagent.dll\r\n<\/pre>\n
HKCU\\Environment\\_JAVA_OPTIONS=\r\n-agentpath:c:\\Test\\javaagent.dll<\/pre>\n
\n