From b7b53ab7f517fd1f7d86cbaf7a1c7005243bef1a Mon Sep 17 00:00:00 2001
From: MatToufoutu
Date: Sat, 9 Jul 2016 19:50:59 +0200
Subject: attempt at fixing whitelist generation

---
 php-malware-finder/generate_whitelist.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
 mode change 100644 => 100755 php-malware-finder/generate_whitelist.py

diff --git a/php-malware-finder/generate_whitelist.py b/php-malware-finder/generate_whitelist.py
old mode 100644
new mode 100755
index 04bcc91..a8ed8f8
--- a/php-malware-finder/generate_whitelist.py
+++ b/php-malware-finder/generate_whitelist.py
@@ -11,6 +11,11 @@ except ImportError:
     print('Please install python-yara')
     sys.exit(1)
 
+print("/!\\ THIS SCRIPT IS BROKEN AND SHOULD NOT BE USED /!\\")
+print("IF YOU WANT ANYWAY, EDIT IT TO REMOVE THIS WARNING")
+sys.exit(0)
+
+
 if len(sys.argv) != 3:
     print('Usage: %s name_of_the_rule_and_version folder_to_scan' % sys.argv[0])
     sys.exit(1)
@@ -29,11 +34,13 @@ for cpt, (root, dirnames, filenames) in enumerate(os.walk(sys.argv[2])):
         if os.stat(fname).st_size:
             matches = rules.match(os.path.join(root, filename), fast=True)
             if matches:
-                matches = matches.pop() # only one match, since we're scaning files
-                output_list.append('hash.sha1(0, filename) == %s or // %s' % (hashlib.sha1(fname.encode('utf-8')).hexdigest(), fname))
+                hasher = hashlib.sha1()
+                with open(fname, 'rb') as ifile:
+                    hasher.update(ifile.read())
+                output_list.append('hash.sha1(0, filesize) == "%s" or // %s' % (hasher.hexdigest(), fname))
 
-output_rule = 'private rule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (sys.argv[1].split(' ')[0], sys.argv[1])
+output_rule = 'import "hash"\n\nprivate rule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (sys.argv[1].split(' ')[0], sys.argv[1])
 output_list.append(output_list.pop().replace(' or ', ' '))
 output_rule += '\n\t\t'.join(output_list)
 output_rule += '\n}'
-- cgit v1.3
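Review bot: The added early abort terminates with `sys.exit(0)`, so any wrapper script or CI job that regenerates the whitelist will see a success status even though no rule was produced, and the warning goes to stdout where it can be swallowed by redirection. Since this exit deliberately signals "do not use", it should be reported as a failure: `print("/!\\ THIS SCRIPT IS BROKEN AND SHOULD NOT BE USED /!\\", file=sys.stderr)` for both messages and `sys.exit(1)` instead of `sys.exit(0)`, mirroring the existing `sys.exit(1)` paths for the missing-dependency and usage errors just above and below.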
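Review bot: The new `output_list.append(...)` line embeds `fname` verbatim after a `//` line comment in the generated YARA rule, so a path containing a line break (which os.walk will happily return on POSIX) ends the comment early and the remainder of the name becomes rule tokens, yielding a whitelist that fails to compile or, worse, one with an unintended condition; the folder being scanned is exactly the kind of place where file names are not under the operator's control. A one-line hardening is to collapse line breaks before interpolation, `output_list.append('hash.sha1(0, filesize) == "%s" or // %s' % (hasher.hexdigest(), ' '.join(fname.splitlines())))`. Separately, `hasher.update(ifile.read())` loads each matched file whole into memory; feeding the hasher in chunks, `for chunk in iter(lambda: ifile.read(65536), b''): hasher.update(chunk)`, keeps the memory footprint bounded on unexpectedly large files. The surrounding for-loops and the definition of `fname` start before this hunk, so I am assuming `fname` is the same path passed to `rules.match` on the context line; if so, using `fname` in both calls would make that explicit.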