Skip to content

Minecraft-Malware-Prevention-Alliance/concoction

Repository files navigation

Concoction

A shared Java malware scanner capable of static and dynamic analysis.

Usage

Concoction can be used either as a Java library or as a command line application.

Scan models

The format of scan models is described here.

As a library

First add Concoction as a library to your project. It is available on maven central:

<!-- Maven dependency declaration, for the latest version see the project releases page -->
<dependency>
    <groupId>info.mmpa</groupId>
    <artifactId>concoction</artifactId>
    <version>${version}</version>
</dependency>
// Gradle dependency declaration
implementation "info.mmpa:concoction:${version}"

For code examples on using Concoction as a library, see the test cases.

As a GUI application

GUI usage demo

Concoction is available as a Java application, requiring at least Java 8, that allows you to:

  • Choose files to scan
  • Choose models to match against
  • Act on detections in provided files
    • Export detection reports as a ZIP archive
    • Delete files with detections, with the option to exclude certain entries

As a command line application

Usage as shown from --help:

Usage: Concoction [-h] [-v] [-V] [-dd=<directoryDepth>] [-i=<input>]
                  [-id=<inputDir>] [-im=<archiveMode>] [-m=<model>]
                  [-md=<modelDir>] [-rcm=<consoleOutputMode>]
Dynamic Shared Malware Scanner
  -dd, --dirDepth=<directoryDepth>
                            Directory depth to scan for with --modelDir and
                              --inputDir
  -h, --help                Show this help message and exit.
  -i, --input=<input>       Path to single file to scan (jar)
  -id, --inputDir=<inputDir>Directory containing files to scan (jar)
  -im, --inputMode=<archiveMode>
                            Mode to use when parsing jar/zip files.
                             - RANDOM_ACCESS_JAR: Used when inputs are loaded
                              dynamically via 'java.util.zip.ZipFile' or 'java.
                              util.zip.JarFile'
                             - RUNNABLE_JAR:      Used when inputs are treated
                              as a program run via 'java -jar' or 'java -cp'
                             - STREAMED_JAR:      Used when inputs are loaded
                              dynamically via streaming such as with 'java.util.
                              zip.ZipInputStream' or 'java.util.zip.
                              JarInputStream'

  -m, --model=<model>       Path to single concoction scan model file (json)
  -md, --modelDir=<modelDir>Directory containing concoction scan model files
                              (json)
  -rcm, --resultsConsoleMode=<consoleOutputMode>
                            Console output display mode for results
  -v, --verbose             Enables more verbose logging and error details
  -V, --version             Print version information and exit.

Upon scan completion, results are printed to the console based on the value provided by --resultsConsoleMode. Currently, the output format is CSV form. The first column is the file path, and the second column is the detections matched, separated by :.

An example of the CSV output would look like:

mods/Sample1.jar,detection1
mods/Sample1and2.jar,detection2:detection2

The application's exit codes also indicate the scan status.

  • Negative values indicate errors reading inputs
  • Zero indicates no detections were found
  • Positive values indicate the number of files with detections found

About

Dynamic Shared Malware Scanner

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages