summaryrefslogtreecommitdiff
path: root/README.md
diff options
context:
space:
mode:
authorMathieu Deous2022-04-15 22:02:16 +0200
committerGitHub2022-04-15 22:02:16 +0200
commit61126b35771eaa7537757362f264dbc8b6a32ed7 (patch)
tree9732a52f1c39c8ae3d8a1a35e8cd9e45d7f2cfea /README.md
parent98fb222eb0a878df2abb6b13386a5ebc46b835c3 (diff)
Rewrite shell script in Go
Diffstat (limited to 'README.md')
-rw-r--r--README.md47
1 files changed, 24 insertions, 23 deletions
diff --git a/README.md b/README.md
index 1b60ce1..6ae0b07 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
1[![Build Status](https://travis-ci.org/jvoisin/php-malware-finder.svg?branch=master)](https://travis-ci.org/jvoisin/php-malware-finder) 1![Test Suite](https://github.com/jvoisin/php-malware-finder/actions/workflows/test.yml/badge.svg)
2 2
3# PHP Malware Finder 3# PHP Malware Finder
4 4
@@ -54,38 +54,39 @@ Detection is performed by crawling the filesystem and testing files against a
54[set](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/php.yar) 54[set](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/php.yar)
55of [YARA](http://virustotal.github.io/yara/) rules. Yes, it's that simple! 55of [YARA](http://virustotal.github.io/yara/) rules. Yes, it's that simple!
56 56
57Instead of using an *hash-based* approach, 57Instead of using a *hash-based* approach,
58PMF tries as much as possible to use semantic patterns, to detect things like 58PMF tries as much as possible to use semantic patterns, to detect things like
59"a `$_GET` variable is decoded two times, unzipped, 59"a `$_GET` variable is decoded two times, unzipped,
60and then passed to some dangerous function like `system`". 60and then passed to some dangerous function like `system`".
61 61
62## Installation 62## Installation
63- [Install Yara](https://yara.readthedocs.io/en/stable/gettingstarted.html#compiling-and-installing-yara). 63- Install Go (using your package manager, or [manually](https://go.dev/doc/install))
64This is also possible via some Linux package managers: 64- Install libyara >= 4.2 (using your package manager, or [from source](https://yara.readthedocs.io/en/stable/gettingstarted.html))
65 - Debian: `sudo apt-get install yara` 65- Download php-malware-finder: `git clone https://github.com/jvoisin/php-malware-finder.git`
66 - Red Hat: `yum install yara` (requires the [EPEL repository](https://fedoraproject.org/wiki/EPEL)) 66- Build php-malware-finder: `cd php-malware-finder && make`
67
68You can also compile it from source:
69
70```
71git clone git@github.com:VirusTotal/yara.git
72cd yara/
73YACC=bison ./configure
74make
75```
76
77- Download php-malware-finder `git clone https://github.com/jvoisin/php-malware-finder.git`
78 67
79## How to use it? 68## How to use it?
80 69
81``` 70```
82$ ./phpmalwarefinder -h 71$ ./phpmalwarefinder -h
83Usage phpmalwarefinder [-cfhtvl] <file|folder> ... 72Usage:
84 -c Optional path to a rule file 73 phpmalwarefinder [OPTIONS] [Target]
85 -f Fast mode 74
86 -h Show this help message 75Application Options:
87 -t Specify the number of threads to use (8 by default) 76 -r, --rules-dir= Rules location (default: /etc/phpmalwarefinder or .)
88 -v Verbose mode 77 -a, --show-all Display all matched rules
78 -f, --fast Enable YARA's fast mode'
79 -R, --rate-limit= Max. filesystem ops per second, 0 for no limit (default: 0)
80 -v, --verbose Verbose mode
81 -w, --workers= Number of workers to spawn for scanning (default: 32)
82 -L, --long-lines Check long lines
83 -c, --exclude-common Do not scan files with common extensions
84 -i, --exclude-imgs Do not scan image files
85 -x, --exclude-ext= Additional file extensions to exclude
86 -u, --update Update rules
87
88Help Options:
89 -h, --help Show this help message
89``` 90```
90 91
91Or if you prefer to use `yara`: 92Or if you prefer to use `yara`: