| author | Julien (jvoisin) Voisin | 2016-02-25 18:30:06 +0100 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2016-02-25 18:30:06 +0100 |
| commit | 477a1ee9253ca1ad031bcd921207a85861bc651b (patch) | |
| tree | 19028c43d47490e06a95bff7e0d655ebd94c5186 | |
| parent | ae5f8ca1f9e024352351444e2c9c232cf28120c2 (diff) | |
Add a `concat` rule
This aims to catch things like:
```php
<?php
$a = $p800['y6dfe'][9].$p800['y6dfe'][70].$p800['y6dfe'][48];$p800[$p800['y6dfe'][55].$p800['y6dfe'][8].$p800['y6dfe'][30].$p800['y6dfe'][9];
| -rw-r--r-- | php-malware-finder/malwares.yara | 1 |
1 files changed, 1 insertions, 0 deletions
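diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index bfc4d7a..64c327b 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -64,6 +64,7 @@ rule ObfuscatedPhp
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $variable_variable = /\${\$[0-9a-zA-z]+}/
 $too_many_chr = /(chr\([\d]+\)\.){2,}?/
+$concat = /(\$[^\n\r]+\.){5,}?/
 condition:
 any of them and not IsWhitelisted
 }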
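Review bot: `$concat` on new line 67 is much broader than the array-index concatenation shown in the commit message: `[^\n\r]+` lets each repetition run across arbitrary text to any later `.` on the same line, so ordinary string building with five or more `$` tokens each followed somewhere by a dot (URL, path or query assembly) matches as well. Because the condition on the following lines is `any of them and not IsWhitelisted`, a single such line flags the whole file as ObfuscatedPhp. A cheap narrowing that still matches the sample in the description is to stop each repetition at whitespace, `$concat = /(\$[^\s]+\.){5,}?/`, since the obfuscated form carries no spaces while hand-written concatenation usually does; this should be checked against a clean corpus before relying on it. Either way the line deserves an intent comment like the one on `$c99_launcher`, e.g. `// obfuscated array-index concatenation, see commit message sample`. The rule's `strings:` header and opening lie above the hunk.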
