| author | Julien (jvoisin) Voisin | 2016-03-23 17:18:30 +0100 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2016-03-23 17:36:50 +0100 |
| commit | 620ec0de2e39a7b0db8cbae75e16de455a7229fc (patch) | |
| tree | 884ce390eb57e3bd9b46e484c9434b2c4da287bc | |
| parent | 99997e428333e866979ec62f6138454a12007280 (diff) | |
Make PMF work on yara-git
| -rw-r--r-- | php-malware-finder/malwares.yara | 4 |
1 files changed, 2 insertions, 2 deletions
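--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -68,8 +68,8 @@ rule ObfuscatedPhp
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $variable_variable = /\${\$[0-9a-zA-z]+}/
-$too_many_chr = /(chr\([\d]+\)\.){2,}?/ // concatenation of more than two `chr()`
-$concat = /(\$[^\n\r]+\.){5,}?/ // concatenation of more than 5 words
+$too_many_chr = /(chr\([\d]+\)\.){2}/ // concatenation of more than two `chr()`
+$concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
 $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
 $gif = /^GIF89/
 condition: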
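Review bot: The trailing comments on the two changed lines (`$too_many_chr`, `$concat`) still say "more than two" and "more than 5", but `{2}` and `{5}` match any input containing at least that many repetitions, since the patterns are unanchored and a longer run still contains a qualifying substring; the documented threshold should read `// two or more chained chr() calls` and `// five or more concatenated $-expressions`. In practice this gives the same hits as the previous lazy `{n,}?` form, which is presumably why the simpler quantifier is enough on yara-git, and a one-line comment recording that the exact count is intentional (not a tighter threshold) would stop a future reader from "fixing" it back. Note that `[^\n\r]+` in `$concat` is greedy and can span several `.` on one line, so the five repetitions need not be adjacent words; that is unchanged behaviour but worth stating next to the count. The enclosing rule ObfuscatedPhp starts before the hunk and its condition block continues after it.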
