Tools in deployed environments

Making non-graphical Java monitoring and development tools is probably a good idea in at least lower environments. Whilst the tools allow substantial information exposure and could be exploited for lateral movement, any ability to perform code execution in a networked environment may be used to install and launch the binaries.


Profilers may use JVMTI sockets or native communication with a JVM to extract events. In either case, remember that the JVM hosting the profiler must be configured appropriately to cope with the volume of events raised by the application under profiling.

Sampling Java profilers that don't use the AsyncGetCallTrace interface are prone to misrepresenting the relative cost of method calls due to safepoint bias, since they're only able to inspect threads' stacks when they're in safepoints. These occur when a thread is:

  • Blocked on a synchronisation event.
  • Blocked on a monitor.
  • Blocked on an I/O wait.
  • Parked.
  • Executing JNI and not locking GC.
  • Honouring a JVM request to enter a safepoint during a memory allocation, or loop or method transition in compiled code.

Heap analysis

Eclipse MAT post-processes

  1. Flight Recorder
  2. Mission Control
  3. jaotc
  4. jcmd
  5. jconsole
  6. jinfo
  7. jmap
  8. jstack
  9. jstat
  10. jvisualvm