| author | Julien (jvoisin) Voisin | 2016-10-31 14:04:23 +0100 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2016-10-31 14:08:18 +0100 |
| commit | c8cd3b4fb126be0dd66fd2252226508f8f1b1d0c (patch) | |
| tree | 76e6c971ce721666aa712f77f23d53d198a1ad9e | |
| parent | 3f69e98ca0062e739d9c249d678a8b95bb0222bb (diff) | |
Improves the detection of concatenation-based obfuscation
| -rw-r--r-- | php-malware-finder/php.yar | 1 |
1 files changed, 1 insertions, 0 deletions
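diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index e80dae9..536d880 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -53,6 +53,7 @@ rule ObfuscatedPhp
 $variable_variable = /\${\$[0-9a-zA-z]+}/
 $too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`
 $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
+$concat_with_spaces = /(\$[^\n\r]+\. ){5}/ // concatenation of more than 5 words, with spaces
 $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
 $comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/ // eval /* comment */ (php_code)
 condition: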
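Review bot: The added `$concat_with_spaces` string (new line 56) matches only a dot followed by exactly one space, so concatenations written with a tab or several blanks after the dot are covered neither by it nor by `$concat`; accepting any run of horizontal whitespace closes that gap: `$concat_with_spaces = /(\$[^\n\r]+\.[ \t]+){5}/`. The unbounded `[^\n\r]+` also lets a single repetition span most of a line, which is likely to hit ordinary string-building code and can slow scanning, so a bounded form such as `[^\n\r]{1,100}` is worth considering (the bound is illustrative, not tuned). `{5}` matches five or more repetitions, so the comment would be more accurate as `// five or more concatenations, with whitespace after the dot`. How much a false positive costs depends on the `condition:` section, which continues outside this hunk.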
