From da208cf3ac7947dcee230f715eb0b6f81981c122 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 13 Jul 2016 20:08:39 +0200
Subject: Fix the whitelist generation

---
 php-malware-finder/generate_whitelist.py | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/php-malware-finder/generate_whitelist.py b/php-malware-finder/generate_whitelist.py
index a8ed8f8..af6be27 100755
--- a/php-malware-finder/generate_whitelist.py
+++ b/php-malware-finder/generate_whitelist.py
@@ -11,11 +11,6 @@ except ImportError:
     print('Please install python-yara')
     sys.exit(1)
 
-print("/!\\ THIS SCRIPT IS BROKEN AND SHOULD NOT BE USED /!\\")
-print("IF YOU WANT ANYWAY, EDIT IT TO REMOVE THIS WARNING")
-sys.exit(0)
-
-
 if len(sys.argv) != 3:
     print('Usage: %s name_of_the_rule_and_version folder_to_scan' % sys.argv[0])
     sys.exit(1)
@@ -28,19 +23,18 @@ rules = yara.compile('./php.yar', includes=True, error_on_warning=True)
 output_list = list()
 
-for cpt, (root, dirnames, filenames) in enumerate(os.walk(sys.argv[2])):
+for curdir, dirnames, filenames in os.walk(sys.argv[2]):
     for filename in fnmatch.filter(filenames, '*.ph*'):
-        fname = os.path.join(root, filename)
-        if os.stat(fname).st_size:
-            matches = rules.match(os.path.join(root, filename), fast=True)
+        fname = os.path.join(curdir, filename)
+        if 0 < os.stat(fname).st_size < 5 * 1024 * 1024:
+            matches = rules.match(fname, fast=True)
             if matches:
-                hasher = hashlib.sha1()
-                with open(fname, 'rb') as ifile:
-                    hasher.update(ifile.read())
-                output_list.append('hash.sha1(0, filesize) == "%s" or // %s' % (hasher.hexdigest(), fname))
+                with open(fname, 'rb') as f:
+                    digest = hashlib.sha1(f.read()).hexdigest()
+                output_list.append('hash.sha1(0, filesize) == "%s" or // %s' % (digest, fname))
 
-output_rule = 'import "hash"\n\nprivate rule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (sys.argv[1].split(' ')[0], sys.argv[1])
+output_rule = 'import "hash"\n\nrule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (sys.argv[1].split(' ')[0], sys.argv[1])
 output_list.append(output_list.pop().replace(' or ', ' '))
 output_rule += '\n\t\t'.join(output_list)
 output_rule += '\n}'
-- 
cgit v1.3
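Review bot: The rewritten `output_list.append(...)` line embeds `fname` verbatim in the `// %s` comment of the generated rule, so a file name containing a newline ends the comment and is emitted as rule text, and a path containing ` or ` is mangled by the later `.replace(' or ', ' ')` on the last entry; pass the path through something like `comment = fname.replace('\n', ' ').replace('\r', ' ')` (or `repr(fname)`) before formatting. The new guard `0 < os.stat(fname).st_size < 5 * 1024 * 1024` hard-codes an unexplained cut-off; name it, e.g. `MAX_FILE_SIZE = 5 * 1024 * 1024  # files above this are never whitelisted`, so readers of the whitelist know why a large file is missing. Because that guard can now leave `output_list` empty when every match is over the limit, the unchanged `output_list.pop()` a few lines below raises IndexError instead of reporting that nothing was whitelisted; add `if not output_list: sys.exit('no matching files found')` before it. `os.stat` also raises on a dangling symlink listed by `os.walk`, which presumably should skip that entry rather than abort the whole run — worth confirming.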