Issues with Java class file encryption

Besides obfuscation, class file encryption is an obvious way to try to protect code. Many schemes use an agent to encrypt the class files and decrypt them during class loading. However, these schemes overlook an important point: the JVM's built-in attach mechanism.
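Why decrypting at class-load time leaves the class readable, shown as an added example (not code from this article or from any product it mentions): a toy loader decrypts a class and has to hand the plaintext bytes to the JVM through defineClass. The XOR "cipher", the key and all class names are constructed for illustration.

```java
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.util.Arrays;

// Added illustration. XOR stands in for a real cipher; KEY, Secret and
// DecryptingLoader are constructed names, not any product's API.
public class EncryptedLoadDemo {
    static final byte KEY = 0x5A; // constructed key

    public static class Secret { // the class the scheme is meant to protect
        public String run() { return "protected logic"; }
    }

    static byte[] xor(byte[] in) {
        byte[] out = new byte[in.length];
        for (int i = 0; i < in.length; i++) out[i] = (byte) (in[i] ^ KEY);
        return out;
    }

    static class DecryptingLoader extends ClassLoader {
        private final byte[] encrypted;
        byte[] handedToJvm; // copy of what defineClass received
        DecryptingLoader(byte[] encrypted) {
            super(null); // bootstrap parent only, so Secret is defined by this loader
            this.encrypted = encrypted;
        }

        @Override
        protected Class<?> findClass(String name) {
            handedToJvm = xor(encrypted); // decryption has to happen before this point
            return defineClass(name, handedToJvm, 0, handedToJvm.length);
        }
    }

    public static void main(String[] args) throws Exception {
        String name = Secret.class.getName();
        byte[] original;
        try (InputStream in = EncryptedLoadDemo.class.getResourceAsStream(name + ".class")) {
            original = in.readAllBytes(); // compiled bytes of Secret (run after javac)
        }
        byte[] onDisk = xor(original); // what an encrypting packer would ship
        DecryptingLoader loader = new DecryptingLoader(onDisk);
        Object secret = loader.loadClass(name).getDeclaredConstructor().newInstance();
        System.out.println(secret.getClass().getMethod("run").invoke(secret));
        System.out.printf("on-disk magic:  %08X%n", ByteBuffer.wrap(onDisk).getInt());
        System.out.printf("defined magic:  %08X%n", ByteBuffer.wrap(loader.handedToJvm).getInt());
        System.out.println("JVM got original bytes: " + Arrays.equals(loader.handedToJvm, original));
    }
}
```

Compile with javac and run with java EncryptedLoadDemo. The bytes the JVM receives are the unencrypted class file, and that in-memory copy is what attach tools read.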

JVM attachment mechanism

To make it easier to analyze and monitor running programs, a standard JVM ships with an attach mechanism. Users can use tools like jhsdb to attach to the JVM process and view and analyze its memory data. Moreover, this memory data is organized according to the data structures in the source files, so the mechanism can also be understood as a backdoor built into the JVM.

The following article explains how to use the JVM attach mechanism to read and save class file information in memory.

https://protector4j.com/articles/cracking-encrypted-java-applications-jhsdb/

Besides the jhsdb tool provided by the JDK, you can also use Alibaba's Arthas to analyze running Java processes.

Some protection methods load class information dynamically through reflection. In that case, the class information loaded at run time can still be obtained through DLL injection. For more details, see the following two projects.

https://github.com/ViRb3/jvm-dump-proxy

https://github.com/zorftw/JVM-Native-Classdumping

Conclusion

Because of the JVM attach mechanism and binary hooking, any so-called encrypted code that still runs on a normal JVM can easily be read with attach tools or hooked through DLL injection. Class file encryption is therefore the least effective protection solution.