| author | jvoisin | 2016-01-05 14:11:54 +0100 |
|---|---|---|
| committer | jvoisin | 2016-01-05 14:11:54 +0100 |
| commit | 692db78fed2beae3f8fee2de350df678052228b1 (patch) | |
| tree | 54492c1b5bc9fafb1712f51001ae5015712275e7 | |
| parent | f43dbd42d43f227fc45fd6a9d648b91929c1bdf9 (diff) | |
Update the documentation
| -rw-r--r-- | README.md | 12 |
1 files changed, 9 insertions, 3 deletions
| @@ -14,7 +14,8 @@ Detect potentially malicious PHP files. | |||
| 14 | 14 | ||
| 15 | ## What does it detect? | 15 | ## What does it detect? |
| 16 | 16 | ||
| 17 | PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells. | 17 | PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as |
| 18 | files using PHP functions often used in malwares/webshells. | ||
| 18 | 19 | ||
| 19 | The following list of encoders/obfuscators/webshells are also detected: | 20 | The following list of encoders/obfuscators/webshells are also detected: |
| 20 | 21 | ||
| @@ -32,10 +33,13 @@ The following list of encoders/obfuscators/webshells are also detected: | |||
| 32 | * [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ ) | 33 | * [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ ) |
| 33 | * [tennc]( http://tennc.github.io/webshell/ ) | 34 | * [tennc]( http://tennc.github.io/webshell/ ) |
| 34 | 35 | ||
| 36 | Of course it's easy to bypass PMF, but its goal is to catch kiddies and idiots, | ||
| 37 | not people with a working brain. | ||
| 35 | 38 | ||
| 36 | ## How does it work? | 39 | ## How does it work? |
| 37 | 40 | ||
| 38 | Detection is performed by crawling the filesystem and testing files against a [set]( https://github.com/nbs-system/php-malware-finder/blob/master/malwares.yara ) | 41 | Detection is performed by crawling the filesystem and testing files against a |
| 42 | [set]( https://github.com/nbs-system/php-malware-finder/blob/master/malwares.yara ) | ||
| 39 | of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple! | 43 | of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple! |
| 40 | 44 | ||
| 41 | 45 | ||
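Review bot: The sentence added on new lines 36-37 ("its goal is to catch kiddies and idiots, not people with a working brain") states the tool's limitation as an insult rather than as scope, which gives a reader nothing to act on. The next section says detection is a match against a set of YARA rules, so the useful statement here is that a scan with no hits does not show a file is clean. Something like "PMF is easy to bypass; it aims to catch common, low-effort webshells, not a determined attacker" keeps the meaning without the name-calling.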
| @@ -47,6 +51,7 @@ Usage phpmalwarefinder [-cfhw] <file|folder> ... | |||
| 47 | -c Optional path to a configuration file | 51 | -c Optional path to a configuration file |
| 48 | -f Fast mode | 52 | -f Fast mode |
| 49 | -h Show this help message | 53 | -h Show this help message |
| 54 | -t Specify the number of threads to use (8 by default) | ||
| 50 | -v Verbose mode | 55 | -v Verbose mode |
| 51 | ``` | 56 | ``` |
| 52 | 57 | ||
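Review bot: The new `-t` entry on line 54 documents an option that the synopsis of this same usage block does not list; the usage line shown in the hunk header still reads `phpmalwarefinder [-cfhw] <file|folder> ...`, with no `t` (and no `v`, although `-v` is described). Since `-t` takes a value, please update the synopsis in this commit as well and show the argument, for example `[-t threads]`, so the help text and the option list agree.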
| @@ -59,7 +64,8 @@ $ yara -r ./malwares.yara /var/www | |||
| 59 | ## Whitelisting | 64 | ## Whitelisting |
| 60 | 65 | ||
| 61 | Check the [whitelist.yara]( https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yara ) file. | 66 | Check the [whitelist.yara]( https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yara ) file. |
| 62 | If you're lazy, you can generate whitelists for entire folders with the [generate_whitelist.py]( https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py ) script. | 67 | If you're lazy, you can generate whitelists for entire folders with the |
| 68 | [generate_whitelist.py]( https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py ) script. | ||
| 63 | 69 | ||
| 64 | ## Licensing | 70 | ## Licensing |
| 65 | 71 | ||
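Review bot: The wrap on new lines 67-68 leaves the neighbouring line 66 ("Check the [whitelist.yara]( ... ) file.") at its full length, so the paragraph is only half re-wrapped. If the aim of this commit is a consistent line width, break line 66 before the link the same way as line 68; if long URL lines are accepted as they are, say so in the commit message, which currently only reads "Update the documentation" although the change also adds the `-t` option and a new paragraph.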
