summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--php-malware-finder/common.yar16
-rwxr-xr-xphp-malware-finder/tests.sh3
2 files changed, 18 insertions, 1 deletions
diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index 82d1235..3559b79 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -57,6 +57,20 @@ private rule hex
57 any of them 57 any of them
58} 58}
59 59
60private rule Hpack
61{
62 strings:
63 $globals = "474c4f42414c53" nocase
64 $eval = "6576616C28" nocase
65 $exec = "65786563" nocase
66 $system = "73797374656d" nocase
67 $preg_replace = "707265675f7265706c616365" nocase
68 $base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase
69
70 condition:
71 any of them
72}
73
60private rule strrev 74private rule strrev
61{ 75{
62 strings: 76 strings:
@@ -73,7 +87,7 @@ private rule strrev
73rule SuspiciousEncoding 87rule SuspiciousEncoding
74{ 88{
75 condition: 89 condition:
76 (base64 or hex or strrev) and not IsWhitelisted 90 (base64 or hex or strrev or Hpack) and not IsWhitelisted
77} 91}
78 92
79rule DodgyStrings 93rule DodgyStrings
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index a261199..39ad3bd 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -94,6 +94,9 @@ run_test real/guidtz.php '0x12d8:$non_printables:'
94run_test real/ice.php 'double_var' 94run_test real/ice.php 'double_var'
95run_test real/srt.php '$register_function' 95run_test real/srt.php '$register_function'
96 96
97# real
98run_test undetected/smart.php '0x6:$extract:'
99
97# Asp files 100# Asp files
98run_test_asp classic/cmdasp.asp 'DodgyStrings' 101run_test_asp classic/cmdasp.asp 'DodgyStrings'
99 102