Java Encrypted Memory Class Loader

Question

I'll get right to the point so you don't have to read a lot.

Basically, I have an AES-128bit Encrypted Jar file. I want to make a launcher so that I can load this encrypted Jar into memory and run it (using the key).

I have a simple Class Loader working although unless I decrypt it to a directory and run it, it obviously won't do what I am needing (decrypt & memory load).

TL;DR: I need to make an AES-128bit Encrypted Jar run in memory.

Any help is much appreciated, feel free to ask questions!

Answer 1

For sample code on how to load a jar/class from byte[] (which should be the result you get after decrypting it in memory/no need to save it anywhere in the filesystem) see http://www.javaworld.com/javaworld/jw-10-1996/indepth/indepth.src.html

Basically you need to use defineClass to achieve what you want.

BUT beware that this offers no real security since all ends up (after decryption) as Java Byte code in memory and can thus be accessed/manipulated/saved etc.

A little bit of security would be possible by implementing a custom JVM and/or pre-JITing the code so that it is native... for some information see for example How to create encrypted Jar file?

Answer 2

This article is a good read that illustrates nicely why air-tight protection of your code is simply not possible. You can make it harder, very hard even by staying as low-level as possible, e.g. compile your code down to native instructions that are not (cleanly) representable using regular language constructs.

But you should keep in mind that in any case, ultimately your encrypted data will have to be decrypted using some key and this key will, even if only briefly, but the important point is that it will, end up in memory. There's no way around this with common operating systems and hardware. So as a hacker you can always fall back to fetching the key from memory and work your way backwards from there on. Not something that average users are capable of, but it is certainly possible.