Java bytecode protection solution providing JAR encryption and runtime dynamic decryption capabilities, effectively preventing decompilation and code theft.
Compatible with frameworks like Spring and Spring Boot that perform bytecode operations.
Mitigates the risk of decryption method exposure inherent in conventional Java agent (-javaagent) and native agent (-agentlib) approaches.
The core workflow and functionality are fully implemented. Future improvements include: documentation enhancement, JRE environment signature verification, and class execution support.
- Bytecode Encryption: AES-GCM-256 encryption for class constants and method bytecode.
- Resource Protection: Block-level encryption for any resource files within JARs.
- Secure Launcher: Native Rust launcher preventing decryption logic exposure.
- Signature Verification: ED25519 signature validation ensuring code integrity.
- Zero-Intrusion: No business code modification required.
- JVM Integration: Directly launches the application via JVM instead of invoking Java as a subprocess.
If you already have a compiled JAR package, you can ignore the Maven environment requirements and jump directly to "3. Encrypt JAR and Launch with Launcher".
- JDK 1.8+
- Maven 3.0+
- Rust 1.41+
```bash
# 1. Clone the repository
git clone --depth 1 https://github.com/kyle-derrick/java-guard.git
cd java-guard
git submodule update --init
```

For offline usage, pre-cache jg-launcher dependencies (Note: Dependencies are platform-specific)
- Download dependencies in the subproject `jg-launcher`:
```bash
cd jg-launcher
# Generate/update lockfile
cargo generate-lockfile
# Download all dependency source code to vendor directory
cargo vendor ./vendor
```

- Add cargo configuration
Windows users can perform equivalent operations
```bash
# Create the .cargo directory
mkdir .cargo
# Create the .cargo/config.toml file and write the configuration
echo "[source.crates-io]
replace-with = 'vendored-sources'
[source.vendored-sources]
directory = '$(pwd)/vendor'" > .cargo/config.toml
# Back to project root path
cd ..
```

```bash
# 2. Build the project
mvn clean package
```

- !!! Note that jg-launcher compilation requires the JAVA_HOME environment variable
```bash
# 3. Generate key pair
mkdir key
ssh-keygen -t ed25519 -f key/id_ed25519
# 4. Encrypt JAR (example)
# After successfully executing java-guard, the process will automatically continue with jg-launcher compilation
java -jar target/java-guard-*.jar \
  -c ./config.yml \
  -o ./out \
  -l \
  your-application.jar
# 5. Launch encrypted application
./out/jg-launcher -jar out/your-application.jar
# For Windows systems:
# .\out\jg-launcher.exe -jar out\your-application.jar
```

```yaml
# ./config.yml
matches:
  - "com/yourcompany/**" # Encryption path pattern
  - "META-INF/resources/*"
key: your_encryption_key # AES key (optional, default to automatic generation)
privateKey: key/id_ed25519 # ED25519 private key path
publicKey: key/id_ed25519.pub # ED25519 public key path
```

```mermaid
graph TD
    A[Original JAR] --> B{Java Guard}
    B --> C[Encrypted Bytecode]
    B --> D[Encrypted Resources]
    C --> E[Secure Launcher]
    D --> E
    E --> F[JVM ClassFileLoadHook]
    E --> G[URL Class Extension]
    F --> H[Runtime Decryption]
    G --> H
```
| Feature | Description |
|---|---|
| Constant & Method Encryption | Encrypts critical data while preserving class structure integrity |
| JAR Signature Verification | Adds private key signature during encryption, verifies with public key at startup |
| Native Launcher | Rust implementation increases reverse-engineering difficulty |
| Transparent URL Extension | Dynamically extends bytecode to resolve encrypted resource access |
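
The encrypt-and-sign at build time, verify-then-decrypt at startup flow from the table above, as an added example (not Java Guard's own code or file format). The nonce-prefix layout, the use of the entry name as GCM associated data, and the class name `SealAndVerifyDemo` are assumptions; it needs JDK 15+ for the built-in Ed25519 provider.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

// Added illustration only: layout and names are assumptions, not Java Guard's format.
public class SealAndVerifyDemo {
    static final int NONCE_LEN = 12, TAG_BITS = 128;

    // Build side: AES-256-GCM encrypt; output is nonce || ciphertext || tag.
    static byte[] seal(SecretKey key, byte[] plain, byte[] entryName) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce); // fresh nonce per entry; never reuse with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(entryName); // bind the ciphertext to its JAR entry name
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(nonce, NONCE_LEN + ct.length);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return out;
    }

    // Launch side: check the Ed25519 signature first, decrypt only if it is valid.
    static byte[] open(SecretKey key, PublicKey pub, byte[] sealed, byte[] sig, byte[] entryName) throws GeneralSecurityException {
        Signature v = Signature.getInstance("Ed25519");
        v.initVerify(pub);
        v.update(sealed);
        if (!v.verify(sig)) throw new SignatureException("signature mismatch, refusing to decrypt");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, sealed, 0, NONCE_LEN));
        c.updateAAD(entryName);
        return c.doFinal(sealed, NONCE_LEN, sealed.length - NONCE_LEN);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aes = kg.generateKey();
        KeyPair ed = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        byte[] name = "com/yourcompany/App.class".getBytes(StandardCharsets.UTF_8);
        byte[] classBytes = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE}; // constructed sample
        byte[] sealed = seal(aes, classBytes, name);
        Signature s = Signature.getInstance("Ed25519");
        s.initSign(ed.getPrivate());
        s.update(sealed);
        byte[] sig = s.sign();
        System.out.println("round trip ok: " + Arrays.equals(classBytes, open(aes, ed.getPublic(), sealed, sig, name)));
        sealed[sealed.length - 1] ^= 1; // simulate a modified JAR entry
        try { open(aes, ed.getPublic(), sealed, sig, name); }
        catch (SignatureException e) { System.out.println("tamper rejected: " + e.getMessage()); }
    }
}
```

Verifying the signature before any decryption means a modified entry is rejected without the AES key ever touching attacker-controlled ciphertext.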
- JRE environment and classpath JAR signature verification: Enhance runtime security validation mechanisms
- Anti-disassembly detection and protection mechanisms: Add detection and protection capabilities against code disassembly attempts
We welcome contributions through:
- Submitting issues for bugs/feature requests
- Forking repository and creating PRs
- Improving documentation or adding test cases
Distributed under MIT License