1 files changed, 96 insertions, 0 deletions
diff --git a/tests.sh b/tests.sh
new file mode 100755
index 0000000..a302031
--- /dev/null
+++ b/tests.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+PMF=./php-malware-finder
+SAMPLES=./data/samples
+type yara 2>/dev/null 1>&2 || (echo "[-] Please make sure that yara is installed" && exit 1)
+CPT=0
+run_test(){
+    NB_DETECTED=$(${PMF} -v -a "$SAMPLES"/"$1" 2>&1 | grep -c "$2" 2>/dev/null)
+    if [[ "$NB_DETECTED" != 1 ]]; then
+        echo "[-] $2 was not detected in $1, sorry"
+        exit 1
+    fi
+    CPT=$((CPT+1))
+}
+# Real samples
+run_test cpanel.php  '0x294d:$eval: {eval('
+run_test freepbx.php 'ObfuscatedPhp'
+run_test freepbx.php '0x72:$eval: { system('
+run_test freepbx.php 'DodgyPhp'
+run_test freepbx.php '0x31d:$execution: system(base64_decode'
+# Classic shells
+run_test classic/ajaxshell.php 'DodgyStrings'
+run_test classic/ajaxshell.php '0x23e2:$: shell_exec'
+run_test classic/ajaxshell.php "0x16e0:\$ini_get: ini_get('safe_mode"
+run_test classic/ajaxshell.php "0x17f1:\$ini_get: ini_get('open_basedir"
+run_test classic/angel.php '0x1b:$disable_magic_quotes:'
+run_test classic/b374k.php 'ObfuscatedPhp'
+run_test classic/b374k.php "0xe9:\$b374k: 'ev'.'al'"
+run_test classic/b374k.php '0xb3:$align: $func="cr"."eat"."e_fun"."cti"."on";$b374k=$func('
+run_test classic/b374k.php '0xd6:$align: ;$b374k=$func('
+run_test classic/b374k.php '0x43:$: github.com/b374k/b374k'
+run_test classic/sosyete.php '0x194e:$execution: shell_exec($_POST'
+run_test classic/simattacker.php '0x158:$: fpassthru'
+run_test classic/r57.php '0x142a2:$: xp_cmdshell'
+run_test classic/cyb3rsh3ll.php '0x2200d:$udp_dos: fsockopen("udp://'
+run_test classic/c99.php '0x3bb4:$eval: {exec('
+run_test classic/c100.php '0x4f8d:$eval: {eval('
+# Obfuscated php
+run_test obfuscators/cipher_design.php '0x124:$execution: eval(base64_decode'
+run_test obfuscators/cipher_design.php '0x123:$eval: ;eval('
+run_test obfuscators/online_php_obfuscator.php '0x51:$eval: ;preg_replace('
+run_test obfuscators/online_php_obfuscator.php "0x52:\$pr: preg_replace('/.*/e"
+run_test obfuscators/online_php_obfuscator.php "SuspiciousEncoding"
+run_test obfuscators/phpencode.php "ObfuscatedPhp"
+run_test obfuscators/phpencode.php "DodgyPhp"
+# Artificial samples to test some rules
+run_test artificial/obfuscated.php '0x0:$eval: <?php@eval('
+run_test artificial/obfuscated.php '0x17:$eval: <?php'
+run_test artificial/obfuscated.php '0xd1:$align: ;$b374k=$func('
+run_test artificial/obfuscated.php '0xf0:$weevely3:'
+run_test artificial/obfuscated.php '0x103:$c99_launcher:'
+run_test artificial/obfuscated.php '0x117:$variable_variable:'
+run_test artificial/dodgy.php '$basedir_bypass:'
+run_test artificial/dodgy.php '$basedir_bypass2:'
+run_test artificial/dodgy.php '$disable_magic_quotes:'
+run_test artificial/dodgy.php '$execution: eval(base64_decode'
+run_test artificial/dodgy.php '$execution: base64_decode($_GET'
+run_test artificial/dodgy.php '$htaccess:'
+run_test artificial/dodgy.php '0xd7:$iis_com: IIS://localhost/w3svc'
+run_test artificial/dodgy.php "0xef:\$include: include  ( 'lol.png"
+run_test artificial/dodgy.php "\$ini_get: ini_get (  'disable_functions"
+run_test artificial/dodgy.php '$ini_get: ini_set("disable_functions'
+run_test artificial/dodgy.php '$ini_get: ini_restore("allow_url_include'
+run_test artificial/dodgy.php '$shellshock: () { :;};'
+run_test artificial/dodgy.php '$pr: preg_replace ("/\*/e'
+run_test artificial/dodgy.php '$various: <!--#exec cmd='
+run_test artificial/dodgy.php '$: AddType application/x-httpd-php .htaccess'
+run_test artificial/bypasses.php 'DodgyPhp'
+run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'
+run_test artificial/bypasses.php "0x132:\$var_as_func: \$_POST\['funct'\]("
+# real
+run_test real/sucuri_2014_04.php '0x67:$execution3:'
+run_test real/novahot.php 'DodgyStrings'
+run_test real/guidtz.php '0x286:$non_printables:'
+run_test real/ice.php 'double_var'
+run_test real/srt.php '$register_function'
+run_test real/awvjtnz.php '$reversed:'
+run_test real/exceptions.php '$eval_comment: eval/\*k\*/('
+run_test real/nano.php '$nano: $x\[f\]('
+run_test real/ninja.php '$nano: $x\[0\]('
+run_test real/ninja.php '$ninja: base64_decode(substr(getallheaders'
+run_test real/include.php ':$silenced_include: @include'
+run_test undetected/smart.php '0x6:$extract:'
+echo "[+] Congratz, the $CPT tests succeeded!"

diff --git a/tests.sh b/tests.sh new file mode 100755 index 0000000..a302031 --- /dev/null +++ b/tests.sh
@@ -0,0 +1,96 @@
	1	#!/bin/bash
	2
	3	PMF=./php-malware-finder
	4	SAMPLES=./data/samples
	5
	6	type yara 2>/dev/null 1>&2 \|\| (echo "[-] Please make sure that yara is installed" && exit 1)
	7
	8	CPT=0
	9	run_test(){
	10	NB_DETECTED=$(${PMF} -v -a "$SAMPLES"/"$1" 2>&1 \| grep -c "$2" 2>/dev/null)
	11
	12	if [[ "$NB_DETECTED" != 1 ]]; then
	13	echo "[-] $2 was not detected in $1, sorry"
	14	exit 1
	15	fi
	16	CPT=$((CPT+1))
	17	}
	18
	19
	20	# Real samples
	21	run_test cpanel.php '0x294d:$eval: {eval('
	22	run_test freepbx.php 'ObfuscatedPhp'
	23	run_test freepbx.php '0x72:$eval: { system('
	24	run_test freepbx.php 'DodgyPhp'
	25	run_test freepbx.php '0x31d:$execution: system(base64_decode'
	26
	27	# Classic shells
	28	run_test classic/ajaxshell.php 'DodgyStrings'
	29	run_test classic/ajaxshell.php '0x23e2:$: shell_exec'
	30	run_test classic/ajaxshell.php "0x16e0:\$ini_get: ini_get('safe_mode"
	31	run_test classic/ajaxshell.php "0x17f1:\$ini_get: ini_get('open_basedir"
	32	run_test classic/angel.php '0x1b:$disable_magic_quotes:'
	33	run_test classic/b374k.php 'ObfuscatedPhp'
	34	run_test classic/b374k.php "0xe9:\$b374k: 'ev'.'al'"
	35	run_test classic/b374k.php '0xb3:$align: $func="cr"."eat"."e_fun"."cti"."on";$b374k=$func('
	36	run_test classic/b374k.php '0xd6:$align: ;$b374k=$func('
	37	run_test classic/b374k.php '0x43:$: github.com/b374k/b374k'
	38	run_test classic/sosyete.php '0x194e:$execution: shell_exec($_POST'
	39	run_test classic/simattacker.php '0x158:$: fpassthru'
	40	run_test classic/r57.php '0x142a2:$: xp_cmdshell'
	41	run_test classic/cyb3rsh3ll.php '0x2200d:$udp_dos: fsockopen("udp://'
	42	run_test classic/c99.php '0x3bb4:$eval: {exec('
	43	run_test classic/c100.php '0x4f8d:$eval: {eval('
	44
	45	# Obfuscated php
	46	run_test obfuscators/cipher_design.php '0x124:$execution: eval(base64_decode'
	47	run_test obfuscators/cipher_design.php '0x123:$eval: ;eval('
	48	run_test obfuscators/online_php_obfuscator.php '0x51:$eval: ;preg_replace('
	49	run_test obfuscators/online_php_obfuscator.php "0x52:\$pr: preg_replace('/.*/e"
	50	run_test obfuscators/online_php_obfuscator.php "SuspiciousEncoding"
	51	run_test obfuscators/phpencode.php "ObfuscatedPhp"
	52	run_test obfuscators/phpencode.php "DodgyPhp"
	53
	54	# Artificial samples to test some rules
	55	run_test artificial/obfuscated.php '0x0:$eval: <?php@eval('
	56	run_test artificial/obfuscated.php '0x17:$eval: <?php'
	57	run_test artificial/obfuscated.php '0xd1:$align: ;$b374k=$func('
	58	run_test artificial/obfuscated.php '0xf0:$weevely3:'
	59	run_test artificial/obfuscated.php '0x103:$c99_launcher:'
	60	run_test artificial/obfuscated.php '0x117:$variable_variable:'
	61	run_test artificial/dodgy.php '$basedir_bypass:'
	62	run_test artificial/dodgy.php '$basedir_bypass2:'
	63	run_test artificial/dodgy.php '$disable_magic_quotes:'
	64	run_test artificial/dodgy.php '$execution: eval(base64_decode'
	65	run_test artificial/dodgy.php '$execution: base64_decode($_GET'
	66	run_test artificial/dodgy.php '$htaccess:'
	67	run_test artificial/dodgy.php '0xd7:$iis_com: IIS://localhost/w3svc'
	68	run_test artificial/dodgy.php "0xef:\$include: include ( 'lol.png"
	69	run_test artificial/dodgy.php "\$ini_get: ini_get ( 'disable_functions"
	70	run_test artificial/dodgy.php '$ini_get: ini_set("disable_functions'
	71	run_test artificial/dodgy.php '$ini_get: ini_restore("allow_url_include'
	72	run_test artificial/dodgy.php '$shellshock: () { :;};'
	73	run_test artificial/dodgy.php '$pr: preg_replace ("/\*/e'
	74	run_test artificial/dodgy.php '$various: <!--#exec cmd='
	75	run_test artificial/dodgy.php '$: AddType application/x-httpd-php .htaccess'
	76
	77	run_test artificial/bypasses.php 'DodgyPhp'
	78	run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'
	79	run_test artificial/bypasses.php "0x132:\$var_as_func: \$_POST\['funct'\]("
	80
	81	# real
	82	run_test real/sucuri_2014_04.php '0x67:$execution3:'
	83	run_test real/novahot.php 'DodgyStrings'
	84	run_test real/guidtz.php '0x286:$non_printables:'
	85	run_test real/ice.php 'double_var'
	86	run_test real/srt.php '$register_function'
	87	run_test real/awvjtnz.php '$reversed:'
	88	run_test real/exceptions.php '$eval_comment: eval/\k\/('
	89	run_test real/nano.php '$nano: $x\[f\]('
	90	run_test real/ninja.php '$nano: $x\[0\]('
	91	run_test real/ninja.php '$ninja: base64_decode(substr(getallheaders'
	92	run_test real/include.php ':$silenced_include: @include'
	93
	94	run_test undetected/smart.php '0x6:$extract:'
	95
	96	echo "[+] Congratz, the $CPT tests succeeded!"