Java JAR 文件是否有可能损坏您的系统,您如何检查它在做什么?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4774712/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is it possible for a Java JAR file to damage your system and how can you check what it's doing?
提问by Benton
I want to evaluate a software solution where multiple people have submitted JAR files to perform a task on Windows.
我想评估一个软件解决方案,其中多人提交了 JAR 文件以在 Windows 上执行任务。
Is it possible to check whether the JAR file performs any additional unwanted behaviors besides those it claims to perform on your machine?
除了声称在您的机器上执行的行为之外,是否可以检查 JAR 文件是否执行任何其他不需要的行为?
回答by nrobey
First, you can use a JVM set with SecurityManagerto do run your application in a way that it can have limited access to sensitive functions.
首先,您可以使用带有SecurityManager的 JVM 集来运行您的应用程序,使其对敏感功能的访问受限。
You can also set up a "sandbox" so the jar cannot have permissions outside of the sandbox... you could use chroot or a similar tool in a linux/unix environment.
您还可以设置一个“沙箱”,这样 jar 就不能在沙箱之外拥有权限……您可以在 linux/unix 环境中使用 chroot 或类似工具。
回答by xx77aBs
1.You could use software from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb842062
1.您可以使用 Sysinternals 的软件:http: //technet.microsoft.com/en-us/sysinternals/bb842062
You can see is program's writing or deleting something from hard drive with HardMon, or monitor any changes with RegMon... Check out their website, they have much programs and you can monitor practically everything!
您可以使用 HardMon 看到程序正在写入或从硬盘驱动器中删除某些内容,或者使用 RegMon 监控任何更改……查看他们的网站,他们有很多程序,您几乎可以监控所有内容!
2.Or you could install Sandboxie: http://www.sandboxie.com/
2.或者你可以安装 Sandboxie:http: //www.sandboxie.com/
and then run you program within sandbox ("virtual filesystem"). When you run a program inside of sandbox, you can see what files did the program make, and the best thing is that any changes that the program did will be undone when it exists, so it can't harm your system. :)
然后在沙箱(“虚拟文件系统”)中运行你的程序。当你在沙箱中运行一个程序时,你可以看到这个程序做了什么文件,最好的是程序所做的任何更改在它存在时都会被撤消,所以它不会损害你的系统。:)
3.Also, you could try to decompile JAR file: http://www.google.hr/search?sourceid=chrome&ie=UTF-8&q=java+decompiler
3.另外,你可以尝试反编译JAR文件:http: //www.google.hr/search?sourceid=chrome&ie =UTF-8&q =java+decompiler
回答by josefx
Yes and No. By default java programs can do the same things any native program on your system can do. This includes deleting and replacing any file it can access, depending on your operating system and your user privileges this may affect system critical files.
是和否。默认情况下,java 程序可以做与您系统上的任何本地程序可以做的相同的事情。这包括删除和替换它可以访问的任何文件,这取决于您的操作系统和您的用户权限,这可能会影响系统关键文件。
It is possible to restrictwhat java applications can do, applets and webstart programs usually are secured this way. Alternatively you can run any program as a different/restricted user or in a sandbox to limit the damage it can do.
可以限制java 应用程序可以做什么,applet 和 webstart 程序通常以这种方式保护。或者,您可以以不同/受限制的用户身份或在沙箱中运行任何程序,以限制它可能造成的损害。
If you do not trust the library/program always run it in one of the restricted environments mentioned above. It may crash if it does something it should not do, but it will be unable to do any damage.
如果您不信任库/程序,请始终在上述受限环境之一中运行它。如果它做了一些它不应该做的事情,它可能会崩溃,但它不会造成任何损害。
回答by Martin
I tried the solution from jensign.comand it looks like it restricts almost everything. The .jar application that I used to test wasn't even able to download a website. However I'm not an expert at this stuff so I can't tell if it is a 100% safe solution.
我尝试了jensign.com的解决方案,看起来它几乎限制了所有内容。我用来测试的 .jar 应用程序甚至无法下载网站。但是,我不是这方面的专家,所以我不知道它是否是 100% 安全的解决方案。
The JAR'd application can be launched under fully restrictive sandbox conditions (very similar to Java applet default security sandboxing):
java -jar -Djava.security.manager PropsFrame.jar
JAR 的应用程序可以在完全限制性的沙箱条件下启动(非常类似于 Java 小程序默认安全沙箱):
java -jar -Djava.security.manager PropsFrame.jar
回答by LostInTheCode
Try a decompiler, like Java Decompiler: http://jd.benow.ca/
尝试使用反编译器,例如 Java Decompiler:http: //jd.benow.ca/
It decompiles the .jar file, and shows you the source, though keep in mind it might be copyrighted:
它反编译 .jar 文件,并向您显示源代码,但请记住,它可能受版权保护:
By the way, why don't you ask for them to submit the source code as well, instead of just the .jar files?
顺便说一句,你为什么不要求他们也提交源代码,而不仅仅是 .jar 文件?
Basically, .jar files are like souped-up zip files, and I believe even WinRAR can open .jar files. A quote from their site:
基本上,.jar 文件就像加强版的 zip 文件,我相信即使是 WinRAR 也可以打开 .jar 文件。来自他们网站的报价:
Java Archive File (a compressed file for applets and related files) (.JAR)
Short for Java Archive, a file format used to bundle all components required by a Java applet. JAR files simplify the downloading of applets since all the components (.class files, images, sounds, etc.) can be packaged into a single file. Additionally, JAR supports data compression, which further decreases download times.
JAR file support is the same as ZIP file support. JAR = ZIP + manifest. The Microsoft VM supports uncompressed and compressed JAR levels 0 and 1, but not signed JAR.
WinRAR provides basic operations for JAR files created by other tools: view contents, extract files, show comments and archive information.
You can use the convert function to convert .jar files into .rar format.
You do not need to have any external programs to handle these formats.
Java 存档文件(小程序和相关文件的压缩文件)(.JAR)
Java Archive 的缩写,一种文件格式,用于捆绑 Java 小程序所需的所有组件。JAR 文件简化了小程序的下载,因为所有组件(.class 文件、图像、声音等)都可以打包到一个文件中。此外,JAR 支持数据压缩,这进一步减少了下载时间。
JAR 文件支持与 ZIP 文件支持相同。JAR = ZIP + 清单。Microsoft VM 支持未压缩和压缩的 JAR 级别 0 和 1,但不支持签名 JAR。
WinRAR 为其他工具创建的 JAR 文件提供了基本操作:查看内容、提取文件、显示注释和存档信息。
您可以使用 convert 函数将 .jar 文件转换为 .rar 格式。
您不需要任何外部程序来处理这些格式。
After extracting with WinRAR, you can view the source by following this linkas an alternate method to JD.
用WinRAR解压后,可以通过这个链接查看源码,作为京东的替代方法。
