Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 9 |
1 files changed, 8 insertions, 1 deletions
| @@ -51,13 +51,20 @@ both) category, and should re-read the previous statement. | |||
| 51 | 51 | ||
| 52 | Detection is performed by crawling the filesystem and testing files against a | 52 | Detection is performed by crawling the filesystem and testing files against a |
| 53 | [set](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/php.yar) | 53 | [set](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/php.yar) |
| 54 | of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple! | 54 | of [YARA](http://virustotal.github.io/yara/) rules. Yes, it's that simple! |
| 55 | 55 | ||
| 56 | Instead of using an *hash-based* approach, | 56 | Instead of using an *hash-based* approach, |
| 57 | PMF tries as much as possible to use semantic patterns, to detect things like | 57 | PMF tries as much as possible to use semantic patterns, to detect things like |
| 58 | "a `$_GET` variable is decoded two times, unziped, | 58 | "a `$_GET` variable is decoded two times, unziped, |
| 59 | and then passed to some dangerous function like `system`". | 59 | and then passed to some dangerous function like `system`". |
| 60 | 60 | ||
| 61 | ## Installation | ||
| 62 | - [Install Yara](https://yara.readthedocs.io/en/v3.7.0/gettingstarted.html#compiling-and-installing-yara). | ||
| 63 | This is also possible via some Linux package managers: | ||
| 64 | Debian: `sudo apt-get install yara` | ||
| 65 | Red Hat: `yum install yara` (requires the [EPEL repository](https://fedoraproject.org/wiki/EPEL)) | ||
| 66 | |||
| 67 | - Download php-maleware-finder `git clone https://github.com/nbs-system/php-malware-finder.git` | ||
| 61 | 68 | ||
| 62 | ## How to use it? | 69 | ## How to use it? |
| 63 | 70 | ||
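Review bot: the YARA link on line 54 is changed from https://plusvic.github.io/yara/ to http://virustotal.github.io/yara/, which moves to the current upstream host but downgrades the scheme from HTTPS to plain HTTP; use `https://virustotal.github.io/yara/` so a security tool's README does not send readers over a cleartext link. In the new Installation section, line 67 spells the project name `php-maleware-finder` while the clone URL on the same line and the rest of the README say `php-malware-finder`; fix the typo. Lines 64 and 65 are also inconsistent about privileges: the Debian command is `sudo apt-get install yara` while the Red Hat command is `yum install yara` with no `sudo` or root note, so either prefix both with `sudo` or state once that the install needs root. Finally, the "Install Yara" link on line 62 pins the v3.7.0 documentation; consider linking the unversioned docs so the instructions do not go stale when the rules start to depend on newer YARA features.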
