A Windows desktop application for detecting and removing malware from Minecraft mod JAR files. Built with WPF and .NET 8.0.
NOTE: This is VIBECODED - I was testing out Opus 4.6 and wanted to build something in C#, and this scanner was my idea considering I had been analysing a LOT of Minecraft .jar malware. - It is NOT perfect!
- Multi-layer detection -- variant signatures, bytecode analysis, hash matching, string scanning, and heuristic scoring
- 8 malware variants detected out of the box (see table below)
- Java bytecode parser -- reads constant pools, class/method refs, and string constants directly from `.class` files without a JVM
- Automated cleaning -- removes malicious classes, repairs entrypoints and mixins, fixes manifests, and rebuilds a clean JAR
- Drag-and-drop -- drop JAR files onto the window to scan
- Dark theme UI
- Extract -- JAR is unzipped to a temp directory
- Metadata -- `fabric.mod.json`/`quilt.mod.json`/`mods.toml` parsed for mod ID, name, and loader
- Bytecode analysis -- every `.class` file is parsed to extract the constant pool (class refs, method refs, string constants)
- Variant signatures -- each `IVariantSignature` checks for package names, class names, specific strings, and behavioral patterns
- Hash matching -- SHA-256 hashes of class files are compared against a known-malicious hash database (`Resources/KnownHashes.json`)
- Heuristic scoring -- cross-variant behavioral checks (custom ClassLoaders, reflection chains, credential theft, exfiltration channels, etc.)
- Verdict -- per-variant confidence scores are aggregated: >=50 Infected, >=25 Suspicious, otherwise Clean
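
The bytecode-analysis step above, as an added example that is not taken from the project's `ClassFileParser.cs`: it walks a `.class` constant pool without a JVM and returns every Utf8 entry, throwing on truncated or unknown input. The class name `ConstantPoolStrings` and the sample bytes are constructed for this illustration.

```csharp
using System;
using System.Buffers.Binary;
using System.Collections.Generic;
using System.IO;
using System.Text;
// Constructed sample: class-file header plus a five-slot pool (not a complete class).
byte[] sample = {
    0xCA, 0xFE, 0xBA, 0xBE, 0, 0, 0, 52,  // magic, minor 0, major 52
    0, 6,                                  // constant_pool_count = 6 -> slots 1..5
    1, 0, 3, 0x61, 0x2F, 0x42,             // #1 Utf8 "a/B"
    7, 0, 1,                               // #2 Class -> #1
    5, 0, 0, 0, 0, 0, 0, 0, 1,             // #3 Long (also uses slot #4)
    1, 0, 2, 0x68, 0x69,                   // #5 Utf8 "hi"
};
foreach (var s in ConstantPoolStrings.Extract(sample)) Console.WriteLine(s);

static class ConstantPoolStrings
{
    // Returns every CONSTANT_Utf8 entry: class names, descriptors and string literals.
    public static List<string> Extract(ReadOnlySpan<byte> cls)
    {
        if (cls.Length < 10 || BinaryPrimitives.ReadUInt32BigEndian(cls) != 0xCAFEBABE)
            throw new InvalidDataException("not a class file");
        int count = BinaryPrimitives.ReadUInt16BigEndian(cls[8..]); // valid slots: 1..count-1
        int pos = 10;
        var strings = new List<string>();
        for (int i = 1; i < count; i++)
        {
            byte tag = cls[pos++]; // span bounds checks throw on truncated input
            switch (tag)
            {
                case 1: // Utf8: u2 length + bytes (JVM "modified UTF-8", decoded as UTF-8 here)
                    int len = BinaryPrimitives.ReadUInt16BigEndian(cls[pos..]);
                    strings.Add(Encoding.UTF8.GetString(cls.Slice(pos + 2, len)));
                    pos += 2 + len;
                    break;
                case 5: case 6: // Long, Double: 8 bytes, and they occupy two slots
                    pos += 8; i++; break;
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18:
                    pos += 4; break; // Integer, Float, *ref, NameAndType, Dynamic, InvokeDynamic
                case 15: pos += 3; break; // MethodHandle
                case 7: case 8: case 16: case 19: case 20:
                    pos += 2; break; // Class, String, MethodType, Module, Package
                default:
                    throw new InvalidDataException($"unknown constant tag {tag} in slot {i}");
            }
        }
        return strings;
    }
}
```

A class that fails to parse here is better reported as unscanned than as clean, since nothing was learned about its contents.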
When malware is found, the cleaning pipeline:
- Deletes all flagged malicious files and directories
- Repairs mod entrypoints that referenced removed classes
- Fixes mixin configurations
- Rebuilds the MANIFEST.MF
- Repackages the cleaned files into a new JAR
THE CLEANING AND REBUILDING PROCESS IS NOT PERFECT, SOMETIMES JARS MAY BREAK OR MALWARE MAY STILL BE PRESENT
- .NET 8.0 SDK (or Runtime for pre-built binaries)
- Windows 10/11
```
# Debug build
dotnet build
# Release (self-contained, single-file)
dotnet publish -c Release -r win-x64 --self-contained true /p:PublishSingleFile=true
```

```
JarMalwareScanner/
  JarMalwareScanner.csproj          # Project config (.NET 8.0, WPF)
  JarMalwareScanner.sln             # Solution file
  App.xaml / App.xaml.cs            # Application entry point
  MainWindow.xaml / .xaml.cs        # Main UI window
  AssemblyInfo.cs
  GlobalUsings.cs
  Models/
    ScanResult.cs                   # Scan result + Verdict enum
    DetectionMatch.cs               # Individual detection hit
    VariantDetection.cs             # Per-variant detection results
    ModInfo.cs                      # Parsed mod metadata
    ClassFileInfo.cs                # Parsed class file data
  ViewModels/
    MainViewModel.cs                # MVVM view model
  Converters/
    VerdictToBrushConverter.cs      # Verdict -> color binding
  Services/
    Extraction/
      JarExtractor.cs               # ZIP extraction + mod metadata parsing
    Bytecode/
      ClassFileParser.cs            # Java .class file parser
      ConstantPool.cs               # Constant pool reader
      ConstantPoolEntry.cs          # Pool entry types
    Detection/
      IDetectionEngine.cs           # Engine interface
      DetectionEngine.cs            # Scan orchestration
      IVariantSignature.cs          # Variant signature interface
      HashDetector.cs               # Known-hash matching
      HeuristicScorer.cs            # Behavioral heuristics
      StringScanner.cs              # String-based detection
      Variants/                     # One class per variant
        NiggawareSignature.cs
        BamboowareSignature.cs
        SilentnetSignature.cs
        WeedhackSignature.cs
        DonutSMPStealerSignature.cs
        MicrostealerSignature.cs
        SilentRavenSignature.cs
        STRRATSignature.cs
    Removal/
      MalwareRemover.cs             # Malicious file removal
      EntrypointRepairer.cs         # Entrypoint repair
      MixinRepairer.cs              # Mixin config repair
    Rebuild/
      ManifestFixer.cs              # MANIFEST.MF repair
      JarRebuilder.cs               # Clean JAR repackaging
  Resources/
    KnownHashes.json                # SHA-256 hash database
```

| Variant | Type | Key Indicators |
|---|---|---|
| Niggaware | RAT / Stealer | com/example/loader/ package, reversed URL strings, custom ClassLoader |
| Bambooware | Stealer | Bamboo-specific class names and exfiltration patterns |
| Silentnet | RAT | Silent network communication, C2 channel setup |
| Weedhack | Stealer | Weedhack-specific signatures and string constants |
| DonutSMP Stealer | Session Stealer | MC session theft via reflection, getMethod/invoke chains |
| Microstealer | Stealer | Micro-scale credential theft, browser DB access |
| SilentRaven | Stealer | Silent C2 communication, process injection |
| STRRAT | RAT | Java-based RAT, VBS/BAT script creation, registry manipulation |
Implement the IVariantSignature interface and register it in DetectionEngine:

```csharp
using JarMalwareScanner.Models;

namespace JarMalwareScanner.Services.Detection.Variants;

public class MyNewVariantSignature : IVariantSignature
{
    public string VariantName => "MyNewVariant";

    public VariantDetection Analyze(string extractedDir, ModInfo modInfo,
        Dictionary<string, ClassFileInfo> parsedClasses)
    {
        var detection = new VariantDetection { VariantName = VariantName };
        // Check for variant-specific indicators:
        // - Package/class names in parsedClasses
        // - String constants (URLs, filenames, etc.)
        // - Method references (API calls, reflection)
        // - Resource files in extractedDir
        // - Mod metadata in modInfo
        detection.ConfidenceScore = detection.Matches.Sum(m => m.Weight);
        return detection;
    }
}
```

Then add it to `DetectionEngine.cs`:

```csharp
_signatures = new List<IVariantSignature>
{
    // ... existing signatures ...
    new MyNewVariantSignature()
};
```

MIT -- 0xresetti