130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Cyber Security
    • Cyber Security Centre (CSC)
      • Why we need a CSC
      • CSC Team Structure: Roles, Functions, and Tools
        • Key Function & Role
        • Tools & Platforms
        • People
        • Outsource Strategy
      • HRMC Executive Paper
  • Detection and Response
    • Playbook: Threat Prioritization & Automated Response Strategies
      • Scenario: Detecting and Mitigating a Ransomware Attack
      • Scenario: DC Sync Attack Detected and Mitigated
      • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained
      • Scenario: Phishing Campaign with Malware / Credential Theft Detected and Mitigated
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page

Was this helpful?

  1. Application Security
  2. Modifying and Protecting Java Class Files
  3. Techniques to Protect Java Class Files

Runtime Decryption in WebLogic

Here are the detailed steps for encrypting and decrypting Java class files at runtime in a WebLogic server environment:

Step 1: Encrypt the Class Files

  1. Generate an AES Encryption Key:

    • Use a secure method to generate an AES key.

    import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.util.Base64;

public class KeyGeneratorExample {
    public static void main(String[] args) throws Exception {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256); // 256-bit key
        SecretKey secretKey = keyGen.generateKey();
        String encodedKey = Base64.getEncoder().encodeToString(secretKey.getEncoded());
        System.out.println("AES Key: " + encodedKey);
    }
}

    • Save the generated key securely. Example output: AES Key: abcdefghijklmnopqrstuvwxyz1234567890ABCDEF

  2. Encrypt the Class File:

    • Use the AES key to encrypt the class file.

    import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

public class EncryptClassFile {
    public static void main(String[] args) throws Exception {
        String key = "your_base64_encoded_key"; // Replace with your key
        byte[] keyBytes = Base64.getDecoder().decode(key);
        SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES");

        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);

        byte[] classFileBytes = Files.readAllBytes(Paths.get("YourClassFile.class"));
        byte[] encryptedClassFile = cipher.doFinal(classFileBytes);

        Files.write(Paths.get("YourClassFile.class.enc"), encryptedClassFile);
        System.out.println("Class file encrypted successfully.");
    }
}

    • Replace "YourClassFile.class" with the path to your class file.

Step 2: Deploy the Encrypted WAR File

  1. Replace Original Class Files with Encrypted Ones:

    • Rename the encrypted class file with the .class.enc extension and place it in the same directory within the WAR file.

    mv YourClassFile.class.enc /path/to/war/WEB-INF/classes/YourClassFile.class.enc

  2. Repackage the WAR File:

    • Use the jar command to repackage the WAR file.

    cd /path/to/war
jar -cvf ../encrypted.war *

  3. Deploy the WAR File:

    • Deploy the encrypted WAR file to your WebLogic server using the WebLogic Administration Console or the command line.

Step 3: Configure Runtime Decryption

  1. Modify the Application to Decrypt at Runtime:

    • Add decryption logic to your application to decrypt the class files at runtime before loading them.

  2. Load the Decryption Key Securely:

    • Store the decryption key securely, such as in a secure key management service or environment variable.

  3. Implement Custom ClassLoader:

    • Implement a custom ClassLoader that loads and decrypts the class files at runtime.

    import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

public class EncryptedClassLoader extends ClassLoader {
    private SecretKeySpec secretKey;

    public EncryptedClassLoader(ClassLoader parent, String key) {
        super(parent);
        byte[] keyBytes = Base64.getDecoder().decode(key);
        this.secretKey = new SecretKeySpec(keyBytes, "AES");
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        try {
            String path = name.replace('.', '/') + ".class.enc";
            byte[] encryptedClassFile = Files.readAllBytes(Paths.get(getClass().getResource("/" + path).toURI()));

            Cipher cipher = Cipher.getInstance("AES");
            cipher.init(Cipher.DECRYPT_MODE, secretKey);
            byte[] classFileBytes = cipher.doFinal(encryptedClassFile);

            return defineClass(name, classFileBytes, 0, classFileBytes.length);
        } catch (Exception e) {
            throw new ClassNotFoundException(name, e);
        }
    }

    public static void main(String[] args) throws Exception {
        String decryptionKey = "your_base64_encoded_key"; // Replace with your key
        EncryptedClassLoader classLoader = new EncryptedClassLoader(ClassLoader.getSystemClassLoader(), decryptionKey);
        Class<?> clazz = classLoader.loadClass("YourClassName");
        Object instance = clazz.newInstance();
        // Invoke methods on the instance
    }
}

  4. Package Your Custom ClassLoader:

    Compile your custom ClassLoader and package it into a JAR file. This JAR file will be included in your WebLogic server's classpath or within your application.

  5. Modify weblogic.xml:

    The weblogic.xml deployment descriptor is used to configure various settings specific to WebLogic Server. To ensure WebLogic uses your custom ClassLoader, follow these steps:

    • Open the weblogic.xml file located in the WEB-INF directory of your application.

    • Add the necessary configurations to use your custom ClassLoader.

    Here’s an example of what your weblogic.xml might look like:

    xml

    <?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app
    http://xmlns.oracle.com/weblogic/weblogic-web-app/1.4/weblogic-web-app.xsd">

    <context-root>/yourapp</context-root>

    <container-descriptor>
        <prefer-application-packages>
            <package-name>com.yourpackage.*</package-name>
        </prefer-application-packages>
    </container-descriptor>

    <library-ref>
        <library-name>custom-classloader-lib</library-name>
        <specification-version>1.0</specification-version>
        <implementation-version>1.0</implementation-version>
    </library-ref>

    <class-loader-structure>
        <class-loader-structure>
            <class-loader>
                <name>customClassLoader</name>
                <system-properties>
                    <property>
                        <name>encryptedClassLoader</name>
                        <value>com.yourpackage.EncryptedClassLoader</value>
                    </property>
                    <property>
                        <name>decryptionKey</name>
                        <value>your_base64_encoded_key</value>
                    </property>
                </system-properties>
            </class-loader>
        </class-loader-structure>
    </class-loader-structure>
</weblogic-web-app>

  6. Deploy the Application:

    • Ensure the custom ClassLoader JAR file is included in your WAR file or placed in the WebLogic server's classpath.

    • Deploy the WAR file to your WebLogic server.

Important Considerations

  • Security: Ensure that the decryption key is stored securely and not hard-coded in the application.

  • Performance: Runtime decryption may introduce performance overhead.

  • Testing: Thoroughly test the application to ensure that the decryption process works correctly and does not introduce any issues.

PreviousTechniques to Protect Java Class FilesNextJAVA Program

Last updated 5 months ago

Was this helpful?