diff options
| author | jvoisin | 2016-07-13 20:08:39 +0200 |
|---|---|---|
| committer | jvoisin | 2016-07-13 23:36:37 +0200 |
| commit | da208cf3ac7947dcee230f715eb0b6f81981c122 (patch) | |
| tree | 54c4ed34c3c2f82e6aade2f8eeef5822b5d0e962 | |
| parent | b7b53ab7f517fd1f7d86cbaf7a1c7005243bef1a (diff) | |
Fix the whitelist generation
| -rwxr-xr-x | php-malware-finder/generate_whitelist.py | 22 |
1 files changed, 8 insertions, 14 deletions
diff --git a/php-malware-finder/generate_whitelist.py b/php-malware-finder/generate_whitelist.py index a8ed8f8..af6be27 100755 --- a/php-malware-finder/generate_whitelist.py +++ b/php-malware-finder/generate_whitelist.py | |||
| @@ -11,11 +11,6 @@ except ImportError: | |||
| 11 | print('Please install python-yara') | 11 | print('Please install python-yara') |
| 12 | sys.exit(1) | 12 | sys.exit(1) |
| 13 | 13 | ||
| 14 | print("/!\\ THIS SCRIPT IS BROKEN AND SHOULD NOT BE USED /!\\") | ||
| 15 | print("IF YOU WANT ANYWAY, EDIT IT TO REMOVE THIS WARNING") | ||
| 16 | sys.exit(0) | ||
| 17 | |||
| 18 | |||
| 19 | if len(sys.argv) != 3: | 14 | if len(sys.argv) != 3: |
| 20 | print('Usage: %s name_of_the_rule_and_version folder_to_scan' % sys.argv[0]) | 15 | print('Usage: %s name_of_the_rule_and_version folder_to_scan' % sys.argv[0]) |
| 21 | sys.exit(1) | 16 | sys.exit(1) |
| @@ -28,19 +23,18 @@ rules = yara.compile('./php.yar', includes=True, error_on_warning=True) | |||
| 28 | 23 | ||
| 29 | output_list = list() | 24 | output_list = list() |
| 30 | 25 | ||
| 31 | for cpt, (root, dirnames, filenames) in enumerate(os.walk(sys.argv[2])): | 26 | for curdir, dirnames, filenames in os.walk(sys.argv[2]): |
| 32 | for filename in fnmatch.filter(filenames, '*.ph*'): | 27 | for filename in fnmatch.filter(filenames, '*.ph*'): |
| 33 | fname = os.path.join(root, filename) | 28 | fname = os.path.join(curdir, filename) |
| 34 | if os.stat(fname).st_size: | 29 | if 0 < os.stat(fname).st_size < 5 * 1024 * 1024: |
| 35 | matches = rules.match(os.path.join(root, filename), fast=True) | 30 | matches = rules.match(fname, fast=True) |
| 36 | if matches: | 31 | if matches: |
| 37 | hasher = hashlib.sha1() | 32 | with open(fname, 'rb') as f: |
| 38 | with open(fname, 'rb') as ifile: | 33 | digest = hashlib.sha1(f.read()).hexdigest() |
| 39 | hasher.update(ifile.read()) | 34 | output_list.append('hash.sha1(0, filesize) == "%s" or // %s' % (digest, fname)) |
| 40 | output_list.append('hash.sha1(0, filesize) == "%s" or // %s' % (hasher.hexdigest(), fname)) | ||
| 41 | 35 | ||
| 42 | 36 | ||
| 43 | output_rule = 'import "hash"\n\nprivate rule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (sys.argv[1].split(' ')[0], sys.argv[1]) | 37 | output_rule = 'import "hash"\n\nrule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (sys.argv[1].split(' ')[0], sys.argv[1]) |
| 44 | output_list.append(output_list.pop().replace(' or ', ' ')) | 38 | output_list.append(output_list.pop().replace(' or ', ' ')) |
| 45 | output_rule += '\n\t\t'.join(output_list) | 39 | output_rule += '\n\t\t'.join(output_list) |
| 46 | output_rule += '\n}' | 40 | output_rule += '\n}' |