From 659f847d0346077b1ad6934dedef461798923a6e Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 28 Apr 2017 16:24:02 +0200
Subject: Add Hpack detection method

---
 php-malware-finder/common.yar | 16 +++++++++++++++-
 php-malware-finder/tests.sh | 3 +++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index 82d1235..3559b79 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -57,6 +57,20 @@ private rule hex
 any of them
 }
 
+private rule Hpack
+{
+ strings:
+ $globals = "474c4f42414c53" nocase
+ $eval = "6576616C28" nocase
+ $exec = "65786563" nocase
+ $system = "73797374656d" nocase
+ $preg_replace = "707265675f7265706c616365" nocase
+ $base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase
+
+ condition:
+ any of them
+}
+
 private rule strrev
 {
 strings:
@@ -73,7 +87,7 @@ private rule strrev
 rule SuspiciousEncoding
 {
 condition:
- (base64 or hex or strrev) and not IsWhitelisted
+ (base64 or hex or strrev or Hpack) and not IsWhitelisted
 }
 
 rule DodgyStrings
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index a261199..39ad3bd 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -94,6 +94,9 @@ run_test real/guidtz.php '0x12d8:$non_printables:'
 run_test real/ice.php 'double_var'
 run_test real/srt.php '$register_function'
 
+# real
+run_test undetected/smart.php '0x6:$extract:'
+
 # Asp files
 run_test_asp classic/cmdasp.asp 'DodgyStrings'
-- 
cgit v1.3
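Review bot: `$base64_decode` in the new Hpack rule does not encode what its name says: `61736536345f6465636f646528677a696e666c61746528` decodes to `ase64_decode(gzinflate(` — the leading `62` for `b` is missing, and the pattern only fires on the base64_decode(gzinflate( chain, never on a standalone hex-encoded base64_decode. Either prepend `62` and rename it `$base64_gzinflate`, or record the intent with a comment such as `// hex of "ase64_decode(gzinflate(" -- deliberately requires the chain`. Separately, `$exec = "65786563"` is an 8-hex-digit substring ("exec") that will appear by chance inside long hex blobs such as hashes, GUIDs or hex-embedded binary data, and `$system` (12 digits) is only marginally better, so expect false positives. Because the second hunk ORs Hpack into SuspiciousEncoding and the rule's condition is `any of them`, one such accidental hit is enough to flag a file; consider requiring the short strings only in combination, e.g. `($eval or $preg_replace or $base64_decode) or 2 of them`.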
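Review bot: The new test does not exercise the rule this commit adds: `run_test undetected/smart.php '0x6:$extract:'` expects a `$extract` string match, and no `$extract` is defined anywhere in this patch, so the assertion passes or fails independently of Hpack. If smart.php is the sample that motivated Hpack, have the expectation name one of the new strings (for example `'$eval'` or `'$globals'`, in the offset form the neighbouring tests use) so a regression in that rule is caught. The `# real` comment placed above a path under `undetected/` also reads wrong — either the sample belongs under `real/` now that it is detected, or the comment should say `# formerly undetected`; which was intended is not visible from the hunk.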