
HMCL EXE file flagged as malware #432

Open
1a2s3d4f1 opened this issue Aug 22, 2018 · 35 comments

8 participants
@1a2s3d4f1 commented Aug 22, 2018

Edited by @yushijinhun: Because the EXE build of HMCL is packaged in an unusual way, it may trigger antivirus false positives. If your HMCL was downloaded through official channels, there is no security concern. You can add HMCL to your antivirus whitelist, or download the JAR build of HMCL, which does not trigger false positives.

This issue has been confirmed; please do not add further virus-scan reports to this issue. We are looking for a way to resolve the false positives.


Tonight when I opened HMCL my antivirus suddenly flagged it, and then a scan of the JDK showed it was full of trojans, with lots of files that had not been there before. After disinfecting the JDK and uninstalling it, opening HMCL was flagged again.
After that the CPU stayed at 100%; I used Task Manager to end the program hogging the CPU and javaw.exe, which fixed it.
Other people on the mcbbs forum have had it flagged too.
The HMCL I downloaded from GitHub was fine this afternoon, and by this evening it was like this.

@yushijinhun (Collaborator) commented Aug 23, 2018

What is the SHA-1 of the HMCL-3.1.94.exe you are using?

@1a2s3d4f1 (Author) commented Aug 23, 2018

Where can I see the SHA-1 value?

@yushijinhun (Collaborator) commented Aug 23, 2018

@1a2s3d4f1 (Author) commented Aug 23, 2018

@yushijinhun (Collaborator) commented Aug 23, 2018

HMCL.exe is intact.

But what version of HMCL is that HMCLauncher.exe from?

@1a2s3d4f1 (Author) commented Aug 23, 2018

It is just a file inside HMCL.

@yushijinhun (Collaborator) commented Aug 23, 2018

Also, which antivirus are you using?

@1a2s3d4f1 (Author) commented Aug 23, 2018

360
It flagged it on launch at first; then a scan found Java infected, so I uninstalled Java. Then last night it flagged it again on launch.
This morning it no longer flags it.

@yushijinhun (Collaborator) commented Aug 23, 2018

If you download a fresh copy of HMCL 3.1.94 on its own and scan it with 360, does it get flagged?

Also, please attach a screenshot of the scan report.

@ExDragine commented Aug 23, 2018

Using Tencent Habo's analysis system would be better.

@yushijinhun (Collaborator) commented Aug 23, 2018

Tencent Habo reports nothing.

@1a2s3d4f1 (Author) commented Aug 23, 2018

https://upload.cc/i1/2018/08/23/1y6Mzl.png
https://upload.cc/i1/2018/08/23/QBItGr.png
Last night the copy downloaded from GitHub was flagged.
Today it is fine.

@AndyChen2005121 commented Aug 23, 2018

@yushijinhun @huanghongxun Through this issue I hope the authors can publish SHA and MD5 values on the download page so they can be checked easily.

@yushijinhun (Collaborator) commented Aug 23, 2018

The SHA-1 of each file can be found on the CI (the files ending in .sha1): https://ci.huangyuhui.net/job/HMCL/

When HMCL auto-updates, it first checks the file's SHA-1 and then verifies the digital signature of the JAR's contents, so a tampered file cannot get through auto-update.
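
The manual counterpart of the first step above (compute the SHA-1 of the download and compare it with the digest published on the CI) can be scripted. The following Python is an added example, not HMCL's own update code. It assumes the .sha1 file holds the 40-character hex digest, optionally followed by the file name (sha1sum/Maven style); it also accepts the space-separated form that Windows certutil prints. The sample file and its .sha1 sidecar in demo() are constructed, not a real build.

```python
"""Verify a downloaded HMCL build against a published .sha1 digest."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file so a multi-megabyte EXE is not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def normalize_digest(text):
    """Return 40 lowercase hex chars from any of these layouts (assumed, see lead-in):
       '<hex>'                       bare digest (Maven-style .sha1 sidecar)
       '<hex>  <filename>'           sha1sum style
       'b3 d7 0d 58 ...'             certutil -hashfile output, bytes separated by spaces
    """
    line = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    compact = re.sub(r"\s+", "", line)
    if HEX40.match(compact):            # bare or certutil-spaced digest
        return compact.lower()
    token = line.split()[0] if line else ""
    if HEX40.match(token):              # digest followed by a file name
        return token.lower()
    raise ValueError(f"no SHA-1 digest found in: {line!r}")


def verify_bytes(data, expected_text):
    """Constant-time comparison so a wrong digest and a right one take the same time."""
    return hmac.compare_digest(hashlib.sha1(data).hexdigest(),
                               normalize_digest(expected_text))


def verify_download(path, sidecar_path):
    """Compare the file at `path` with the digest stored in its .sha1 sidecar."""
    return hmac.compare_digest(sha1_of_file(path),
                               normalize_digest(Path(sidecar_path).read_text()))


def demo():
    """Constructed sample: a stand-in 'download' (content b'abc') plus its sidecar."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "HMCL-example.exe"          # hypothetical file name
        exe.write_bytes(b"abc")                     # constructed content
        sidecar = Path(d) / "HMCL-example.exe.sha1"
        sidecar.write_text("a9993e364706816aba3e25717850c26c9cd0d89d\n")  # SHA-1("abc")
        return verify_download(exe, sidecar)


if __name__ == "__main__":
    print("sample verifies:", demo())
```

A matching digest only proves the file is the one the CI published; it says nothing about whether that build itself is clean, which is why the update path in the comment above adds a second step, checking the signature on the JAR contents, rather than stopping at the hash.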

@1a2s3d4f1 (Author) commented Aug 23, 2018

@yushijinhun It is being flagged again now, yet the SHA-1 value has not changed.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>certutil -hashfile E:\MC1.10.2\HMCL-3.1.94.exe SHA1
SHA1 hash (file E:\MC1.10.2\HMCL-3.1.94.exe):
b3 d7 0d 58 0b e7 6e 72 13 33 ef 41 6d 2c dd d4 d6 9f 3d 8e
CertUtil: -hashfile command completed successfully.

C:\Users\Administrator>

Now the JDK is flagged as well.
https://upload.cc/i1/2018/08/23/Cz2w1M.png

https://upload.cc/i1/2018/08/23/2ViZzx.png
Could HMCL have a backdoor?
It gets flagged every evening.

@yushijinhun (Collaborator) commented Aug 23, 2018

What about versions before 94, such as 93? Do they get false positives too?

@huanghongxun (Owner) commented Aug 23, 2018

Did you reinstall the JDK?

@yushijinhun (Collaborator) commented Aug 23, 2018

I have checked the entire release process and can confirm that the version you downloaded is exactly what was built from the repository, with no tampering in between. So I lean toward this being a false positive.

HMCL.exe is produced by prepending an HMCLauncher.exe to the HMCL.jar file, i.e. its content is an EXE + ZIP. If it really were infected, that would mean the EXE uploaded to the repository was infected, and that EXE was last modified in 3a294e3.

@1a2s3d4f1 (Author) commented Aug 23, 2018

@yushijinhun Versions before 94 are not flagged in the evening. When it is flagged, it starts in the evening, and then the JDK gets flagged too.
Yes, I uninstalled and reinstalled the JDK.
It seems I am not the only one getting false positives.

@yushijinhun (Collaborator) commented Aug 23, 2018

I can say with 100% certainty that this is a 360 false positive.

@1a2s3d4f1 (Author) commented Aug 23, 2018

Is the JDK a false positive too? Version 94 has a really high false-positive rate.

@1a2s3d4f1 1a2s3d4f1 closed this Aug 23, 2018

@yushijinhun (Collaborator) commented Aug 23, 2018

The sample has been submitted to the junk AV vendor ("三鹿灵"). Keeping this issue open to track progress on the fix.

@yushijinhun yushijinhun reopened this Aug 23, 2018

@1a2s3d4f1 (Author) commented Aug 23, 2018

Flagging even the JDK is too much.

@VinylChloride commented Aug 24, 2018

@yushijinhun The local download was caught by Avira; here are the VirusTotal scan results
[image: VirusTotal scan result]

This is my local scan result
[image: local scan result]

@ExDragine commented Aug 24, 2018

@1a2s3d4f1 (Author) commented Aug 25, 2018

Someone on mcbbs says even the built-in protection in Windows 10 flags it.
At the moment only version 94 is prone to false positives.

@huanghongxun (Owner) commented Aug 26, 2018

1.9.7: http://r.virscan.org/report/be246d95f6a3c9a01745d9265b1cf258
2.0.1: http://r.virscan.org/report/9454612daa416cc7f64bdbbb66b63da5
2.0.5: http://r.virscan.org/report/5a48ecdc534b93f43f8785571b48d38e
2.0.7: http://r.virscan.org/report/767029f8af03bde1e5df6b2643bfa739
2.1.2: http://r.virscan.org/report/7de44d4930d9e40f56990b0dfc71b451
2.2.2: http://r.virscan.org/report/d937ac4029e80a861548e183ea6f068c
2.2.8: http://r.virscan.org/report/381f077b8e82ee7ce16b869352d9ee71
2.2.9: http://r.virscan.org/report/569c5da23f4051a53c7fed456dc718f6
2.3.1: http://r.virscan.org/report/c4c62b871022d78b25edc4e439c0f4ea
2.3.3: http://r.virscan.org/report/4ecb0fbd6b8aa073bed34e0675836128
2.3.4: http://r.virscan.org/report/02243046bfbcd028556c4ee07cac04bf
2.3.5.0: http://r.virscan.org/language/zh-cn/report/53df3b0ce5afd2d5a73bdcc28bc3c79a
2.3.5.1: http://r.virscan.org/language/zh-cn/report/9653e6d9aa2cd1dab7546312a6c80f02
2.3.5.4: http://r.virscan.org/report/535909f1884330ef9a5a68da50a17c56
2.3.5.6: http://r.virscan.org/language/zh-cn/report/e68169501384d9ee7662392611feb90a
2.4.0.233: http://r.virscan.org/report/6e27b686e9b4e09fc69efa73bc8bcd34
2.4.1.6: http://r.virscan.org/report/1492bf9c6e11f3d590ad8761dea78386
2.4.1.38: http://r.virscan.org/language/en/report/479b0ed27c253769a1b312a8593e75aa
2.5.1.79: http://r.virscan.org/language/zh-cn/report/4f1e8896a0e9e66d01cdd948085393ec
2.7.9.52: http://r.virscan.org/language/zh-cn/report/065a02df4fb7398a25698d73027bafd0
3.1.64: http://r.virscan.org/language/zh-cn/report/64f729969781c1269478e1fe8fca4576
3.1.77: http://r.virscan.org/language/zh-cn/report/f8a8930b963d5a137df9923226c7ad2b
3.1.89: http://r.virscan.org/language/zh-cn/report/b4fda836a58869c533709f3b2bd258f1
3.1.94: http://r.virscan.org/language/zh-cn/report/b6892a97a76a70ed55560dfbb98f41ef

@yushijinhun (Collaborator) commented Aug 26, 2018

@VinylChloride The false-positive sample has been submitted to Avira.

@izern commented Oct 26, 2018

That scared me so much I uninstalled Windows right away.

@ExDragine commented Oct 28, 2018

[image: detection screenshot]
Hey, HMCL-3.1.111
Environment: Windows 10 1803
Java 191.
Trojan:Win32/Zpevdo.A
@yushijinhun @huanghongxun

@yushijinhun (Collaborator) commented Oct 28, 2018

@ExDragine commented Oct 28, 2018

Scanning it on its own shows nothing; the problem is not with this module.

@yushijinhun (Collaborator) commented Oct 28, 2018

The EXE build of HMCL is HMCLauncher.exe concatenated with the JAR file; that is the reason for the detections.

See: nwjs/nw.js#843
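
The layout described in this comment and in the Aug 23 reply above (HMCLauncher.exe with HMCL.jar appended, i.e. EXE + ZIP) can be taken apart with a few dozen lines, which also shows what a scanner sees: a valid PE whose trailing overlay is a complete ZIP archive. The following Python is an added example, not HMCL's packaging or launcher code. The PE stub and the JAR are constructed in memory (the stub carries only the MZ and PE markers and is not runnable; the manifest's Main-Class is a placeholder, not HMCL's), and the split point is read from the ZIP end-of-central-directory record rather than guessed.

```python
"""Pull apart an EXE + ZIP concatenation like the one described for HMCL.exe."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory (EOCD) signature


def fake_pe_stub(size=0x400):
    """Constructed stand-in for HMCLauncher.exe: a 64-byte DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature, zero-padded to `size`."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew -> PE signature at 0x80
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\x00\x00"
    hdr += b"\x00" * (size - len(hdr))
    return bytes(hdr)


def fake_jar():
    """Constructed stand-in for HMCL.jar: a two-entry ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\nMain-Class: example.Main\n")  # placeholder class
        z.writestr("example/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def build_exe(pe_stub, jar):
    """The packaging step the thread describes: EXE first, JAR appended verbatim."""
    return pe_stub + jar


def is_pe(data):
    """True if the bytes begin like a PE image (MZ header, e_lfanew -> 'PE\\0\\0')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_eocd(data):
    """The EOCD is 22 bytes plus a comment of at most 65535 bytes, so it lies
    within the final 65557 bytes of the file. Returns -1 if there is none."""
    return data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))


def zip_prefix_length(data):
    """Bytes in front of the embedded ZIP: 0 for a plain JAR, None if no ZIP.
    The central directory ends where the EOCD starts; subtracting the EOCD's
    recorded central-directory offset gives the amount of foreign data ahead."""
    eocd = find_eocd(data)
    if eocd < 0:
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    return eocd - cd_size - cd_offset


def inspect(data):
    """Summarise the file the way a heuristic scanner would see it."""
    prefix = zip_prefix_length(data)
    entries = []
    if prefix is not None:
        with zipfile.ZipFile(io.BytesIO(data)) as z:   # zipfile tolerates prepended data
            entries = sorted(z.namelist())
    return {
        "is_pe": is_pe(data),
        "has_zip": prefix is not None,
        "zip_starts_at": prefix,
        "overlay_bytes": len(data) - prefix if prefix is not None else 0,
        "jar_entries": entries,
    }


def split(data):
    """Recover the launcher and the JAR; the second half is a normal JAR again."""
    prefix = zip_prefix_length(data)
    if prefix is None:
        raise ValueError("no ZIP structure found")
    return data[:prefix], data[prefix:]


if __name__ == "__main__":
    blob = build_exe(fake_pe_stub(), fake_jar())
    print(inspect(blob))
    exe_part, jar_part = split(blob)
    print(len(exe_part), len(jar_part), zipfile.ZipFile(io.BytesIO(jar_part)).namelist())
```

Run against a real HMCL.exe, split() gives the practical triage the maintainers describe in this thread: the second half should hash to the published HMCL.jar, and the first half should be byte-for-byte the HMCLauncher.exe committed to the repository. If both hold, the detection is reacting to the concatenation itself, not to any payload.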

@yushijinhun yushijinhun changed the title from "HMCL 3.1.94 flagged as malware" to "HMCL EXE file flagged as malware" Oct 28, 2018

@pinglun commented Oct 30, 2018

I downloaded the 111 dev build from https://hmcl.huangyuhui.net/download, because the stable build on that page would never load...
It got flagged, so I suspected I had used the wrong download channel, and that is how I ended up here.
I compared it carefully with the screenshot ExDragine posted above: the same detection, and the same environment:
Windows 10 1803;
java version "1.8.0_191"
I saw above that versions before 94 are fine, and indeed they are; I am using 93 now.

@yushijinhun (Collaborator) commented Oct 30, 2018

We are aware of this issue; please stop uploading detection screenshots.

@yushijinhun yushijinhun pinned this issue Dec 23, 2018

@huanghongxun huanghongxun unpinned this issue Jan 3, 2019
