3

This might sound like a ridiculous question, but I have to ask it because I have a working product which is doing this.

I have an applet running inside a browser. This applet is just not just any applet, but a fairly complex package application for CRM/ERP. I was told by a vendor company that they are able to monitor what a user does inside the applet, by replacing applet's main class at runtime before launch with their own. The term used was "endorsing".

I am a bit clueless now. How can you look inside an applet and listen on user clicks and keyboard events, even if you could somehow hack into it? I can tell you that this is a true story, because I have seen this vendor company's applicaiton and it just sits in the background and records all the contextual information (for instance, user filled which textbox in the applet, the name of the textbox and etc).

Are they any hacks at classloading level (I feel stupid asking this), or something else that I have not come across in java that would let you do something 'urban legendary' like this?

Jay
  • 2,394
  • 11
  • 54
  • 98
  • I did a bit of research on this. It looks like one can write your own implementation for standard endorsed libraries and place it in endorsed lib folder for the jre to override standard jdk libraries such as jax-ws, jaxp and so on. Now, in the context of my question, I can't understand how any of the standard endorsed libraries can be used to observe what is going on inside an applet. for instance, let's say I would write my own jax-ws to log all network messages. This is not going to help me because the ERP uses encryption and custom protocol over HTTP and not SOAP. – Jay Apr 11 '16 at 19:07
  • What if they just replace the swing library? – tak3shi Apr 12 '16 at 12:49
  • 1
    in the jre? ok, you mean like use get java code base, write their own code , recompile and replace the jre? - I think that's a long shot. Plausible, but given the magnitude of that task, I don't think they are doing it that way. – Jay Apr 12 '16 at 20:53

2 Answers2

1

Java Applets are loaded using a HTML tags like this:

<applet archive="ApplicationSP1.jar,Application.jar" code="Main.class" name="myApp" width="800" height="600"></applet>

As you can see, the "archive" attribute supports several .jar files.

You could use this technique to load your own versions of the Java Classes of the application by putting them in the ApplicationSP1.jar file. They will be loaded before those classes stored in the second Application.jar.

Obviously, you would need to do some reverse engineering to understand which classes from the original application to override or wrap. Then you have to create new ones named exactly (same package and class name) as those you want to override.

Other option would be developing Aspects to capture events in the application and load these aspects using same technique of multiple .jar in the archive attribute of the HTML applet tag.

Peter Gibbons
  • 406
  • 4
  • 8
0

The solution for capturing Swing/AWT event can be found in Want javax.swing hook that tells me WHICH component in the hierarchy is executing an action

It is difficult for overwriting Swing/AWT class used by applet which launching from browser. They have to breaking the protection of Java security manager and get writing permission of JRE endorsed library folder. For this case, Java Endorsed Standards Override Mechanism is hard to implement without manually operation of end user.

Community
  • 1
  • 1
Beck Yang
  • 3,004
  • 2
  • 21
  • 26
  • They install an activex component/ user software on the end user machine with user permission before applet is launched. Now, even if they have user permission to do something, how will they implement java endorsed standards override mechanism? Which API will they override for applets? The choice is limited too - you can do only apis like JAXB, JAX-WS and etc. – Jay Apr 15 '16 at 19:00