From 8b7406123865b83743ba24539304ad0b08ef518f Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Thu, 7 Jul 2016 17:26:51 +0200
Subject: Add more images detection

---
 php-malware-finder/php.yar | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index cd31593..c7af3f2 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -37,9 +37,11 @@ rule HiddenInAFile
 {
     strings:
         $gif = {47 49 46 38 ?? 61} // GIF8[version]a
+        $png = {89 50 4E 47 0D 0a 1a 0a} // \X89png\X0D\X0A\X1A\X0A
+        $jpeg = {FF D8 FF E0 ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png
 
     condition:
-        $gif at 0
+        $gif at 0 or $png at 0 or $jpeg at 0
 }
 
 rule PasswordProtection
-- 
cgit v1.3