| author | jvoisin | 2017-02-21 17:24:37 +0100 |
|---|---|---|
| committer | jvoisin | 2017-02-21 17:24:37 +0100 |
| commit | dfe0fa93925d08fbede127796f7d7793dc04485b (patch) | |
| tree | a22b01fc21baf909697ab3dec7501212fc96ff37 | |
| parent | be0b64f9bc936c459a6b32e76c6365bc54591b81 (diff) | |
Add another simple hex-string pattern
| -rw-r--r-- | php-malware-finder/common.yar | 1 |
1 files changed, 1 insertions, 0 deletions
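--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -51,6 +51,7 @@ private rule hex
 $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
 $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
 $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
+$base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase
 
 condition:
 any of them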
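Review bot: The added `$base64_decode` string (new line 54) decodes to `ase64_decode(gzinflate(`, so it has no `\\x62` for the leading `b` and it only matches when a hex-escaped `gzinflate(` follows directly. A hex-escaped `base64_decode(` wrapping anything else is therefore not covered by this string, which the name does not suggest. If the missing `b` is deliberate (presumably the sample kept it as a literal character), say so in a comment such as `// hex-escaped "ase64_decode(gzinflate(": leading "b" omitted on purpose`, and consider naming the string `$base64_gzinflate`. The body of `private rule hex` starts above this hunk, so the earlier strings were not reviewed.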
