diff options
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 47 |
1 files changed, 24 insertions, 23 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | [](https://travis-ci.org/jvoisin/php-malware-finder) | 1 |  |
| 2 | 2 | ||
| 3 | # PHP Malware Finder | 3 | # PHP Malware Finder |
| 4 | 4 | ||
| @@ -54,38 +54,39 @@ Detection is performed by crawling the filesystem and testing files against a | |||
| 54 | [set](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/php.yar) | 54 | [set](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/php.yar) |
| 55 | of [YARA](http://virustotal.github.io/yara/) rules. Yes, it's that simple! | 55 | of [YARA](http://virustotal.github.io/yara/) rules. Yes, it's that simple! |
| 56 | 56 | ||
| 57 | Instead of using an *hash-based* approach, | 57 | Instead of using a *hash-based* approach, |
| 58 | PMF tries as much as possible to use semantic patterns, to detect things like | 58 | PMF tries as much as possible to use semantic patterns, to detect things like |
| 59 | "a `$_GET` variable is decoded two times, unzipped, | 59 | "a `$_GET` variable is decoded two times, unzipped, |
| 60 | and then passed to some dangerous function like `system`". | 60 | and then passed to some dangerous function like `system`". |
| 61 | 61 | ||
| 62 | ## Installation | 62 | ## Installation |
| 63 | - [Install Yara](https://yara.readthedocs.io/en/stable/gettingstarted.html#compiling-and-installing-yara). | 63 | - Install Go (using your package manager, or [manually](https://go.dev/doc/install)) |
| 64 | This is also possible via some Linux package managers: | 64 | - Install libyara >= 4.2 (using your package manager, or [from source](https://yara.readthedocs.io/en/stable/gettingstarted.html)) |
| 65 | - Debian: `sudo apt-get install yara` | 65 | - Download php-malware-finder: `git clone https://github.com/jvoisin/php-malware-finder.git` |
| 66 | - Red Hat: `yum install yara` (requires the [EPEL repository](https://fedoraproject.org/wiki/EPEL)) | 66 | - Build php-malware-finder: `cd php-malware-finder && make` |
| 67 | |||
| 68 | You can also compile it from source: | ||
| 69 | |||
| 70 | ``` | ||
| 71 | git clone git@github.com:VirusTotal/yara.git | ||
| 72 | cd yara/ | ||
| 73 | YACC=bison ./configure | ||
| 74 | make | ||
| 75 | ``` | ||
| 76 | |||
| 77 | - Download php-malware-finder `git clone https://github.com/jvoisin/php-malware-finder.git` | ||
| 78 | 67 | ||
| 79 | ## How to use it? | 68 | ## How to use it? |
| 80 | 69 | ||
| 81 | ``` | 70 | ``` |
| 82 | $ ./phpmalwarefinder -h | 71 | $ ./phpmalwarefinder -h |
| 83 | Usage phpmalwarefinder [-cfhtvl] <file|folder> ... | 72 | Usage: |
| 84 | -c Optional path to a rule file | 73 | phpmalwarefinder [OPTIONS] [Target] |
| 85 | -f Fast mode | 74 | |
| 86 | -h Show this help message | 75 | Application Options: |
| 87 | -t Specify the number of threads to use (8 by default) | 76 | -r, --rules-dir= Rules location (default: /etc/phpmalwarefinder or .) |
| 88 | -v Verbose mode | 77 | -a, --show-all Display all matched rules |
| 78 | -f, --fast Enable YARA's fast mode' | ||
| 79 | -R, --rate-limit= Max. filesystem ops per second, 0 for no limit (default: 0) | ||
| 80 | -v, --verbose Verbose mode | ||
| 81 | -w, --workers= Number of workers to spawn for scanning (default: 32) | ||
| 82 | -L, --long-lines Check long lines | ||
| 83 | -c, --exclude-common Do not scan files with common extensions | ||
| 84 | -i, --exclude-imgs Do not scan image files | ||
| 85 | -x, --exclude-ext= Additional file extensions to exclude | ||
| 86 | -u, --update Update rules | ||
| 87 | |||
| 88 | Help Options: | ||
| 89 | -h, --help Show this help message | ||
| 89 | ``` | 90 | ``` |
| 90 | 91 | ||
| 91 | Or if you prefer to use `yara`: | 92 | Or if you prefer to use `yara`: |