Java: URLClassLoader keeps loaded classes in Temp dir

StackOverflow https://stackoverflow.com/questions/22611364

Domanda

I'm trying to load jar file from web using URLClassLoader, all works fine, but all loaded classes keeps stored in Windows temp directory, and can be copied for deobfuscation until I call classLoader.close(); which in turn will cause a program ClassNotFoundException.

Can I load classes without saving to disk?

(Only memory) Another solution encrypt jar classes, and write custom ClassLoader that will decrypt classes, but i don't find any examples.

I tried to look for docs or articles on this topic, but found nothing :(

Please tell me whether it is possible to implement and where I can take the material on the topic? Thanks!

È stato utile?

Soluzione

You do realize that anyone with access to the machine you're running the code on could always get a hold of the code that will do the custom classloading, right? This means that they could simply decompile that class itself and make it write out the decrypted classes, rendering this whole exercise pointless. True, most people won't know how to do it, but it is possible.

My advice would be to just obfuscate the code, if you really must do so. Worrying about people getting a hold of your library won't get you far, as there's very little you could do to protect it from being decompiled, unless you're using obfuscating code constructs which will confuse the decompiler (or features jad and the likes do not support and thus cause them to produce seriously broken decompiled code).

Anyone with sufficient knowledge and proper motivation will figure out a way to do it.

Altri suggerimenti

It is fairly straightforward to create your own ClassLoader that retrieves classes from over a network. In Java documentation example for Classloader:

class NetworkClassLoader extends ClassLoader {
     String host;
     int port;

     public Class findClass(String name) {
         byte[] b = loadClassData(name);
         return defineClass(name, b, 0, b.length);
     }

     private byte[] loadClassData(String name) {
         // load the class data from the connection
          . . .
     }
 }

You only have to implement loadClassData and everything else is handled for you. In that loadClassData function, you can have encryption or anything else.

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top