| author | Julien (jvoisin) Voisin | 2016-07-07 17:26:51 +0200 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2016-07-07 17:26:51 +0200 |
| commit | 8b7406123865b83743ba24539304ad0b08ef518f (patch) | |
| tree | fef67814a0c5434bf69312bd9914fe0592e6b55f | |
| parent | e3b54db29f29aeb5e37ab7b8a4a140260eeab98f (diff) | |
Add more images detection
| -rw-r--r-- | php-malware-finder/php.yar | 4 |
1 files changed, 3 insertions, 1 deletions
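--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -37,9 +37,11 @@ rule HiddenInAFile
 {
 strings:
 $gif = {47 49 46 38 ?? 61} // GIF8[version]a
+$png = {89 50 4E 47 0D 0a 1a 0a} // \X89png\X0D\X0A\X1A\X0A
+$jpeg = {FF D8 FF E0 ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png
 
 condition:
-$gif at 0
+$gif at 0 or $png at 0 or $jpeg at 0
 }
 
 rule PasswordProtection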
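Review bot: The new `$jpeg` string only matches JFIF files (`FF D8 FF E0`, two length bytes, then `JFIF`), so a JPEG whose first segment is a different APPn marker, for example an Exif file beginning `FF D8 FF E1`, is not recognised by `$jpeg at 0` and the rule stays silent on it. If limiting the match to JFIF is not intentional, anchoring on the start-of-image marker alone covers every JPEG variant: `$jpeg = {FF D8 FF} // JPEG SOI + first marker byte`. The `$png` comment would also be easier to check against the bytes if it were written `// \x89PNG\x0D\x0A\x1A\x0A`. The `rule HiddenInAFile` declaration line sits above the hunk and is only visible in the hunk header.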
