Reverse Engineering the JNI
The title is a misnomer, but the full description would is a little wordy. We're not actually reverse engineering the entire JNI framework, but rather a very specific subset of the conversions that occur between JVM data structures and their native counterparts (C, C++, etc.). Insofar as the intent behind this post is concerned, a more complete title might be :
C Programming Concepts : Reverse Engineering for (*fun)->profit
For starters, a little background. JNI stands for the Java Native Interface. Wikipedia contains a succinct description :
The Java Native Interface (JNI) is a programming framework that enables Java code running in a Java Virtual Machine (JVM) to call, and to be called by, native applications (programs specific to a hardware and operating system platform) and libraries written in other languages such as C, C++ and assembly.
Basically, (the) JNI is used when calling "lower-level" code from an application running on the JVM, as well as the other way around. I recently implemented a simple matrix calculation web API that calls native C code from a Java web-app. The code can be found on GitHub, and it's the work that prompted me to write this post.
I'm intrigued by the mechanics involved in managing the relationship between a higher level environment (such as Java) and the lower level world of C. Being new to both, reverse engineering the JNI conversion functions is a great introduction to some basic C programming principles. Above all, it can help de-mystify some of the abstraction underpinning higher level languages & frameworks.
I want to emphasize that this is first and foremost fun and exploratory. Developing in C is not my day job. If you find any errors, please let me know and I will fix them promptly.
We now know in general terms what the JNI is and used for. Let's look at a specific application and use case. This is lifted straight out of the matrix-path application I referred to earlier, and is the actual code which performs a conversion from an array passed in from Java-land (jintArray matrix_values) and is converted to a jint structure which can be used by the C application (jint *matrix_ptr).
Objective : "convert" a Java array (object) into a data structure C will recognize.
A lot of the heavy lifting here appears to revolve around the env pointer. From the code alone all we can determine is its type (JNIEnv). Further reading is required :
The env pointer is a structure that contains the interface to the JVM. It includes all of the functions necessary to interact with the JVM and to work with Java objects.
To be precise (or pedantic), the env pointer is a pointer to (a pointer to) a structure which contains the interface to the JVM. More about that later. Before we can replicate any functionality, we first need to dig a little deeper.
Analyzing line 6, in particular, opens the door to a number of fascinating C paradigms. For instance, env is a perfectly acceptable variable name. However, we can see env variously referenced as being preceded by an asterisk, as well as being enclosed in parens, *env and (*env) respectively. What does this signify?
We begin with env, previously introduced on line 2 with a data type of JNIEnv
Immediately, we know it is a pointer, since it is identified as such by being preceded with a single asterisk
Back on line 6, we can see that *env is now encircled in parens. The parens are only present to isolate the action occurring within, namely the single asterisk , meaning we are accessing its pointee, which is to say following the pointer to whatever lies at the memory location it points to.
The -> is arrow (or pointer) notation. This notation is used to access the member of a struct referenced by a pointer. This is an important observation, as it means that the de-referenced value of *env is also a pointer.
GetIntArrayElements (a function) is the pointee, and takes 3 parameters : the env pointer itself, the jintArray (JVM) array, and a third param which we will ignore (tldr; it's an output parameter which indicates whether the return value is copied or "pinned")
Please see below for a quick illustration of pointer (to pointer) declarations. The ampersand (&) indicates that we are operating on a memory address, first of my_var (line 4), and then of my_ptr (line 5).
Compiling the above program will produce the following output :
We now know that env is a pointer to a pointer which contains a pointer to a function. You may be wondering how we arrived at the last observation, namely that we are dealing with a pointer to a function, and not a function itself. This is due to the fact that functions in C cannot be truly encapsulated within another structure. However, function pointers can.
From a high level standpoint, the env structure has to contain a series of pointers to functions which can handle conversions from "native" code & data structures to their JVM equivalents.
As we saw above, one such function is GetIntArrayElements, which "converts" a JVM int array object to a native int array. The partner cleanup function is ReleaseIntArrayElements, which we will also look at briefly.
Let's begin by building a few basic structures to simulate the JVM array object and the JNIEnv env struct. An array in Java is basically a C-like array wrapped in an object that adds some basic functionality, such as a variable which tracks the collection size. Our jintArray struct will then be superficially similar to a JVM implementation.
The JNIEnv structure, on the other hand, is a little more involved. What we are recreating is the interface function table the env pointer references. For reference, said table contains pointers to over 200 functions. Piggybacking off the examples laid out in the previous section, we will settle for the implementation of two array manipulation functions : GetIntArrayElements & ReleaseIntArrayElements respectively.
Our interface function table will be a C struct, which are roughly analogous to objects in other higher level languages. As noted earlier, C structs don't actually contain functions. What they can contain are pointers to functions, which we will be defining below.
This is probably also a good time to mention that the order of declaration is important. For instance, we have to declare our structs before being able to use them. Likewise, the main function is located at the tail end of our code. Note that declaration != definition, in that declaration simply means informing the compiler of a variable (or function's) existence, name and data type.
We'll begin with our GetIntArrayElementsFunc function. It is responsible for taking as input a jintArray object and "creating" an array that can be manipulated by native code. As mentioned, a Java array is already a fairly low level construct, so we can create a native counterpart by allocating space and copying the elements of the jvm_array object.
As the refrain often goes, in C a lot responsibility for memory management resides with the developer. This is precisely such an occasion. When instantiating our arrays, we will be allocating memory by invoking malloc, which reserves memory space on the heap.
Of course, we need to include our cleanup function (ReleaseIntArrayElementsFunc). As a rule, any memory that is allocated with malloc will need to be released with free. We can speculate that the purpose of this method will be to free up the memory which we allocated on the heap with our previous function.
Once we've defined our functions & structure (templates), we will need to actually instantiate them. In some ways this can be thought of as analogous to creating a new instance of a Class in higher level languages. Of course, structs are not classes, and it's important to keep in mind where the similarities between the two begin and end.
In the case of the jintArray, we populated our mock-object's array (.elements) with 5 ints. Note the use of malloc to allocate memory for our array pointer on the heap. We had previously defined jintArray.elements as being a pointer (to an intarray), and it is for that pointer (.elements) for which we are allocating space.
Thought experiment : in the code provided, we allocate new space on the heap for our "native" array. Is this necessary? After all, the jintArray is an object wrapper around an array. How might you optimize this function?
Our version of the interface function table, aka the env structure, contains references to the two functions which we defined earlier. Note the use of the ampersand, which indicates that we are associating our struct "fields" with the memory location of the functions. By implication, then, our env table now contains function pointers.
Last but not least, the execution code itself. We will be making all our calls & declarations from within the main function, defined at the end of our program. Notice that lines 11 & 12 are very similar to those we saw in the actual JNI function calls. Some differences being that we use the C int data type and not jint. We also don't include some of the additional parameters passed to the JNI functions (such as isCopy), for simplicity.
You might note that a somewhat hacky workaround was applied in order to get the execution code to mimic precisely that shown at the top of this post. If you recall back to the breakdown of the JNI function call, this all boils down to env not being a pointer to the struct which contains JNI functions, but a pointer to a pointer to a struct.
Beginning with the declaration of env_struct on line 5 we then create a pointer (*env_ptr) which points to the location of env_struct (&env_struct). Then, we create a second pointer with double asterisk notation (indicating a pointer-to-a-pointer), and point it to the location of env_ptr (&env_ptr).
Lastly, on line 12, we call our cleanup function ReleaseIntArrayElements. Our version is essentially a wrapper around free, which de-allocates the memory we originally reserved for the *native_array pointer with malloc in the GetIntArrayElements(Func) function.
I hope this was helpful and, to the extent possible, clear. A lot of the discrete parts of this program could be turned into a discussion unto themselves, and I may build on this in the future. In particular, the concept and application of using pointers-to-pointers is fascinating, and something I intend to explore further.
Source Code & Related Projects :
JNI Reverse Engineering (gist w/ full source code)
Matrix Weight Path (Java & C web-api using JNI)
References & Further Reading :
Learn C the Hard Way
Calling C Code from Java using JNI
C Pointers and memory allocation
##C on Freenode
germansingergirl
discoholicmusic
gummygunk
turnnoffyourmind
snowghoul
kaledo-art
theartofmadeline
prguitarman