0xresetti/JarMalwareScanner

JAR Malware Scanner

A Windows desktop application for detecting and removing malware from Minecraft mod JAR files. Built with WPF and .NET 8.0.

NOTE: This is VIBECODED - I was testing out Opus 4.6 and wanted to build something in C#, and this scanner was my idea considering I had been analysing a LOT of Minecraft .jar malware. - It is NOT perfect!

Features

  • Multi-layer detection -- variant signatures, bytecode analysis, hash matching, string scanning, and heuristic scoring
  • 8 malware variants detected out of the box (see table below)
  • Java bytecode parser -- reads constant pools, class/method refs, and string constants directly from .class files without a JVM
  • Automated cleaning -- removes malicious classes, repairs entrypoints and mixins, fixes manifests, and rebuilds a clean JAR
  • Drag-and-drop -- drop JAR files onto the window to scan
  • Dark theme UI

How It Works

Scanning

  1. Extract -- JAR is unzipped to a temp directory
  2. Metadata -- fabric.mod.json / quilt.mod.json / mods.toml parsed for mod ID, name, and loader
  3. Bytecode analysis -- every .class file is parsed to extract the constant pool (class refs, method refs, string constants)
  4. Variant signatures -- each IVariantSignature checks for package names, class names, specific strings, and behavioral patterns
  5. Hash matching -- SHA-256 hashes of class files are compared against a known-malicious hash database (Resources/KnownHashes.json)
  6. Heuristic scoring -- cross-variant behavioral checks (custom ClassLoaders, reflection chains, credential theft, exfiltration channels, etc.)
  7. Verdict -- per-variant confidence scores are aggregated: >=50 Infected, >=25 Suspicious, otherwise Clean
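
Step 3 above, shown as an added example (this is not the project's ClassFileParser.cs or ConstantPool.cs): a minimal C# constant-pool reader that pulls class references and string constants out of a .class file without a JVM, including the Long/Double two-slot rule that trips up naive parsers. The names ConstantPoolDemo and Read and the sample bytes are constructed for illustration, and Utf8 entries are decoded as standard UTF-8 rather than Java's modified UTF-8.

```csharp
using System;
using System.Buffers.Binary;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
static class ConstantPoolDemo
{
    // Class names and string literals referenced by one .class file's constant pool.
    public static (List<string> Classes, List<string> Strings) Read(byte[] b)
    {
        ushort U2(int at) => BinaryPrimitives.ReadUInt16BigEndian(b.AsSpan(at, 2)); // big-endian
        if (b.Length < 10 || BinaryPrimitives.ReadUInt32BigEndian(b) != 0xCAFEBABE)
            throw new InvalidDataException("missing CAFEBABE magic");
        int count = U2(8), pos = 10;  // pool follows magic, minor, major; indexes run 1..count-1
        var utf8 = new string[count];
        List<int> classRefs = new(), stringRefs = new();
        for (int i = 1; i < count; i++)
        {
            switch (b[pos++])
            {
                case 1:  // Utf8: u2 length + bytes (modified UTF-8, decoded here as plain UTF-8)
                    int len = U2(pos); utf8[i] = Encoding.UTF8.GetString(b, pos + 2, len); pos += 2 + len; break;
                case 7: classRefs.Add(U2(pos)); pos += 2; break;    // Class -> Utf8 name
                case 8: stringRefs.Add(U2(pos)); pos += 2; break;   // String -> Utf8 value
                case 5: case 6: pos += 8; i++; break;               // Long/Double use two slots
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18: pos += 4; break;
                case 15: pos += 3; break;                           // MethodHandle
                case 16: case 19: case 20: pos += 2; break;         // MethodType, Module, Package
                default: throw new InvalidDataException($"unknown tag {b[pos - 1]} at entry #{i}");
            }
        }
        List<string> Resolve(List<int> refs) =>   // drop dangling or non-Utf8 indexes
            refs.Where(r => r < count && utf8[r] != null).Select(r => utf8[r]).ToList();
        return (Resolve(classRefs), Resolve(stringRefs));
    }

    static void Main()
    {
        var raw = new List<byte>();                 // constructed sample, not from a real JAR
        void Put(params byte[] x) => raw.AddRange(x);
        void Utf(string s) { var d = Encoding.UTF8.GetBytes(s); Put(1, (byte)(d.Length >> 8), (byte)d.Length); Put(d); }
        Put(0xCA, 0xFE, 0xBA, 0xBE, 0, 0, 0, 52, 0, 9);                         // header, pool count 9
        Utf("com/example/loader/Main"); Put(7, 0, 1);                          // #1, #2
        Put(5, 0, 0, 0, 0, 0, 0, 0, 0); Utf("java/lang/ClassLoader"); Put(7, 0, 5);  // #3-#4, #5, #6
        Utf("constructed string constant"); Put(8, 0, 7);                      // #7, #8
        var r = Read(raw.ToArray());
        Console.WriteLine($"classes: {string.Join(", ", r.Classes)} | strings: {string.Join(", ", r.Strings)}");
    }
}
```

A truncated or malformed pool surfaces as an exception from the bounds-checked reads; a scanner should record that as a parse failure for the class rather than silently skipping the file.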

Cleaning

When malware is found, the cleaning pipeline:

  1. Deletes all flagged malicious files and directories
  2. Repairs mod entrypoints that referenced removed classes
  3. Fixes mixin configurations
  4. Rebuilds the MANIFEST.MF
  5. Repackages the cleaned files into a new JAR

THE CLEANING AND REBUILDING PROCESS IS NOT PERFECT, SOMETIMES JARS MAY BREAK OR MALWARE MAY STILL BE PRESENT

Requirements

  • .NET 8.0 SDK (or Runtime for pre-built binaries)
  • Windows 10/11

Build

# Debug build
dotnet build

# Release (self-contained, single-file)
dotnet publish -c Release -r win-x64 --self-contained true /p:PublishSingleFile=true

Project Structure

JarMalwareScanner/
  JarMalwareScanner.csproj        # Project config (.NET 8.0, WPF)
  JarMalwareScanner.sln           # Solution file
  App.xaml / App.xaml.cs           # Application entry point
  MainWindow.xaml / .xaml.cs       # Main UI window
  AssemblyInfo.cs
  GlobalUsings.cs
  Models/
    ScanResult.cs                  # Scan result + Verdict enum
    DetectionMatch.cs              # Individual detection hit
    VariantDetection.cs            # Per-variant detection results
    ModInfo.cs                     # Parsed mod metadata
    ClassFileInfo.cs               # Parsed class file data
  ViewModels/
    MainViewModel.cs               # MVVM view model
  Converters/
    VerdictToBrushConverter.cs     # Verdict -> color binding
  Services/
    Extraction/
      JarExtractor.cs              # ZIP extraction + mod metadata parsing
    Bytecode/
      ClassFileParser.cs           # Java .class file parser
      ConstantPool.cs              # Constant pool reader
      ConstantPoolEntry.cs         # Pool entry types
    Detection/
      IDetectionEngine.cs          # Engine interface
      DetectionEngine.cs           # Scan orchestration
      IVariantSignature.cs         # Variant signature interface
      HashDetector.cs              # Known-hash matching
      HeuristicScorer.cs           # Behavioral heuristics
      StringScanner.cs             # String-based detection
      Variants/                    # One class per variant
        NiggawareSignature.cs
        BamboowareSignature.cs
        SilentnetSignature.cs
        WeedhackSignature.cs
        DonutSMPStealerSignature.cs
        MicrostealerSignature.cs
        SilentRavenSignature.cs
        STRRATSignature.cs
    Removal/
      MalwareRemover.cs            # Malicious file removal
      EntrypointRepairer.cs        # Entrypoint repair
      MixinRepairer.cs             # Mixin config repair
    Rebuild/
      ManifestFixer.cs             # MANIFEST.MF repair
      JarRebuilder.cs              # Clean JAR repackaging
  Resources/
    KnownHashes.json               # SHA-256 hash database

Supported Malware Variants

| Variant | Type | Key Indicators |
|---|---|---|
| Niggaware | RAT / Stealer | com/example/loader/ package, reversed URL strings, custom ClassLoader |
| Bambooware | Stealer | Bamboo-specific class names and exfiltration patterns |
| Silentnet | RAT | Silent network communication, C2 channel setup |
| Weedhack | Stealer | Weedhack-specific signatures and string constants |
| DonutSMP Stealer | Session Stealer | MC session theft via reflection, getMethod/invoke chains |
| Microstealer | Stealer | Micro-scale credential theft, browser DB access |
| SilentRaven | Stealer | Silent C2 communication, process injection |
| STRRAT | RAT | Java-based RAT, VBS/BAT script creation, registry manipulation |

Adding New Variant Signatures

Implement the IVariantSignature interface and register it in DetectionEngine:

using JarMalwareScanner.Models;

namespace JarMalwareScanner.Services.Detection.Variants;

public class MyNewVariantSignature : IVariantSignature
{
    public string VariantName => "MyNewVariant";

    public VariantDetection Analyze(string extractedDir, ModInfo modInfo,
                                     Dictionary<string, ClassFileInfo> parsedClasses)
    {
        var detection = new VariantDetection { VariantName = VariantName };

        // Check for variant-specific indicators:
        // - Package/class names in parsedClasses
        // - String constants (URLs, filenames, etc.)
        // - Method references (API calls, reflection)
        // - Resource files in extractedDir
        // - Mod metadata in modInfo

        detection.ConfidenceScore = detection.Matches.Sum(m => m.Weight);
        return detection;
    }
}

Then add it to DetectionEngine.cs:

_signatures = new List<IVariantSignature>
{
    // ... existing signatures ...
    new MyNewVariantSignature()
};

License

MIT -- 0xresetti

About

Detect and (kinda) remove malware from Minecraft mod JAR files
