Comments (12)

Janmm14 avatar Janmm14 commented on June 4, 2024

Basically:
If you do not aim to catch evasive (by obfuscation etc.) bad Java plugins, this idea is not for you.

My thought was watching the execution of certain methods; one can do it with a security manager as a plugin or with JDI (as a plugin or as a separate process).
Then you can use ASM or Javassist to redefine some classes of Spigot and know when certain methods are executed. You can also get all loaded classes in case some plugins use class encryption and dynamically load a class.

You could also require special Spigot startup arguments and use a Java agent (java.lang.instrument) (or let it connect to a running mcantimalware-debugger) to catch which class loader loaded the additional class.

I'm just pointing out possibilities.

from mcantimalware.

OpticFusion1 avatar OpticFusion1 commented on June 4, 2024

Possibly, I'm not really 100% sure how I'd go about some of those,
which would be effective and worth adding, and which would be completely useless.

OpticFusion1 avatar OpticFusion1 commented on June 4, 2024

No matter what, a Spigot plugin is going to be useless due to it being easily bypassable, again by just loading a jar before that and then deleting it.

Janmm14 avatar Janmm14 commented on June 4, 2024

A premain agent through startup arguments would run before Spigot's main.
You could provide a jar to replace spigot.jar with, which would start another JVM with a Java agent or debugger connected through startup arguments.

from mcantimalware.
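
A sketch of the premain-agent idea from the comments above, as an added example that is not part of the thread or of mcantimalware's code: it records which class loader defined each class and flags classes that have no code source on disk, which is what a class decrypted and defined from memory looks like. The class name `LoadAuditAgent`, the jar name `load-audit.jar` and the log format are assumptions.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.CodeSource;
import java.security.ProtectionDomain;

/**
 * Added example (hypothetical names). Package into load-audit.jar with the
 * manifest entry "Premain-Class: LoadAuditAgent" and start the server with:
 *   java -javaagent:load-audit.jar -jar spigot.jar
 * premain() runs before the server's main(), so no plugin can load ahead of it.
 */
public final class LoadAuditAgent {

    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String className,
                                    Class<?> classBeingRedefined,
                                    ProtectionDomain domain, byte[] classfile) {
                try {
                    String line = describe(loader, className, domain, classfile.length);
                    if (line != null) System.err.println(line);
                } catch (Throwable ignored) {
                    // Auditing must never break class loading.
                }
                return null; // null = leave the bytecode unchanged
            }
        });
    }

    /** Returns one log line per class, or null for bootstrap (JDK) classes. */
    static String describe(ClassLoader loader, String className,
                           ProtectionDomain domain, int size) {
        if (loader == null) return null; // bootstrap loader
        CodeSource src = (domain == null) ? null : domain.getCodeSource();
        boolean onDisk = src != null && src.getLocation() != null;
        String name = (className == null) ? "<unnamed>" : className.replace('/', '.');
        // No code source: the bytes did not come from a jar or directory the
        // JVM knows about. Runtime-generated classes such as proxies can land
        // here too, so treat the flag as a lead to review, not as a verdict.
        return String.format("[load-audit] %s class=%s loader=%s origin=%s bytes=%d",
                onDisk ? "file   " : "DYNAMIC", name, loader.getClass().getName(),
                onDisk ? src.getLocation() : "none", size);
    }
}
```

Because the transformer returns `null` it only observes; nothing in the Spigot jar is modified, so the same agent works across versions and forks.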

OpticFusion1 avatar OpticFusion1 commented on June 4, 2024

Providing a full working spigot jar would

  1. Most likely not be allowed on spigot
  2. That's a different jar for every version and/or fork
  3. That's going to either make the Anti-Malware a few GBs, or have to be downloaded off the internet

Janmm14 avatar Janmm14 commented on June 4, 2024

spigot jar would still sit in the same folder lol, sorry I was not very specific there

OpticFusion1 avatar OpticFusion1 commented on June 4, 2024

Ah xD
I mean, I could ASM some code into the Spigot jar,
but I'd still have to take into consideration jars being renamed, versions, Spigot, Bukkit, Paper, any other fork...
and even then my ASM knowledge is incredibly limited so 🤷‍♂ 🤷‍♀

OpticFusion1 avatar OpticFusion1 commented on June 4, 2024

If you're able to code some of your ideas yourself, I suggest forking and PRing 😅.

OpticFusion1 avatar OpticFusion1 commented on June 4, 2024

Looking through things again,
#249 MIGHT be a better solution, assuming it doesn't replace the jar's code permanently.
It would appear Javassist requires you to modify the jar, which means the jar would call methods it can't access if the AntiMalware isn't used to start said jar.

OpticFusion1 avatar OpticFusion1 commented on June 4, 2024

Looking more into it, the project needs to be modular to make supporting this easier, due to the requirements of NMS/OBC for both Mixins AND Javassist.

OpticFusion1 avatar OpticFusion1 commented on June 4, 2024

The only versions where it's not a huge issue are any versions before 1.4.5; however, going that far back will have its own issues in some way, shape or form.

OpticFusion1 avatar OpticFusion1 commented on June 4, 2024

Both #249 and the current SecurityManager will help with this, closed.
