Add Hpack detection method

2 files changed, 18 insertions, 1 deletions

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index 82d1235..3559b79 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -57,6 +57,20 @@ private rule hex
         any of them
 }
 
+private rule Hpack
+{
+    strings:
+                $globals = "474c4f42414c53" nocase
+        $eval = "6576616C28" nocase
+        $exec = "65786563" nocase
+        $system = "73797374656d" nocase
+        $preg_replace = "707265675f7265706c616365" nocase
+        $base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase
+    
+    condition:
+        any of them
+}
+
 private rule strrev
 {
     strings:
@@ -73,7 +87,7 @@ private rule strrev
 rule SuspiciousEncoding
 {
     condition:
-        (base64 or hex or strrev) and not IsWhitelisted
+        (base64 or hex or strrev or Hpack) and not IsWhitelisted
 }
 
 rule DodgyStrings
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index a261199..39ad3bd 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -94,6 +94,9 @@ run_test real/guidtz.php '0x12d8:$non_printables:'
 run_test real/ice.php 'double_var'
 run_test real/srt.php '$register_function'
 
+# real
+run_test undetected/smart.php '0x6:$extract:'
+
 # Asp files
 run_test_asp classic/cmdasp.asp 'DodgyStrings'