From e5560e053a754ba3ab189e01cbfa9c5a95437a6c Mon Sep 17 00:00:00 2001 From: Julien (jvoisin) Voisin Date: Tue, 30 Aug 2016 15:44:55 +0200 Subject: Improve a bit the README file --- README.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 3371ca7..5d6a4d9 100644 --- a/README.md +++ b/README.md @@ -26,16 +26,17 @@ The following list of encoders/obfuscators/webshells are also detected: * [Cipher Design]( http://cipherdesign.co.uk/service/php-obfuscator ) * [Cyklodev]( http://sysadmin.cyklodev.com/online-php-obfuscator/ ) * [Joes Web Tools Obfuscator]( http://www.joeswebtools.com/security/php-obfuscator/ ) +* [P.A.S]( http://profexer.name/pas/download.php ) +* [PHP Jiami]( http://www.phpjiami.com/ ) * [Php Obfuscator Encode]( http://w3webtools.com/encode-php-online/ ) * [SpinObf]( http://mohssen.org/SpinObf.php ) * [Weevely3]( https://github.com/epinna/weevely3 ) * [atomiku]( http://atomiku.com/online-php-code-obfuscator/ ) * [cobra obfuscator]( http://obfuscator.uk/example/ ) * [phpencode]( http://phpencode.org ) -* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ ) * [tennc]( http://tennc.github.io/webshell/ ) * [web-malware-collection]( https://github.com/nikicat/web-malware-collection ) -* [P.A.S]( http://profexer.name/pas/download.php ) +* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ ) Of course it's **trivial** to bypass PMF, @@ -43,7 +44,7 @@ but its goal is to catch kiddies and idiots, not people with a working brain. If you report a stupid tailored bypass for PMF, you likely belong to one (or -both) category, and should re-read the previous sentence. +both) category, and should re-read the previous statement. ## How does it work? 
@@ -83,7 +84,7 @@ whitelist system, and greedy regexps. Please note that if you plan to build yara from sources, libssl-dev must be installed on your system in order to have support for hashes. -Ho, and by the way, you can run the comprehensive testsuite with `make test`. +Ho, and by the way, you can run the *comprehensive* testsuite with `make test`. ## Whitelisting @@ -97,9 +98,9 @@ Because: https://github.com/Neo23x0/signature-base/blob/e264d66a8ea3be93db8482ab3d639a2ed3e9c949/yara/thor-webshells.yar ), since it only cares about finding malicious patterns, not specific webshells - Its whitelist system doesn't rely on filenames -- It doesn't rely on (slow) entropy calculation +- It doesn't rely on (slow) [entropy computation]( https://en.wikipedia.org/wiki/Entropy_(information_theory) ) - It uses a ghetto-style static analysis, instead of relying on file hashes -- Thanks to the aforementioned pseudo-static analysis, it works on obfuscated files too +- Thanks to the aforementioned pseudo-static analysis, it works (especially) on obfuscated files too ## Licensing -- cgit v1.3
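Review bot: In the `@@ -26,16` hunk the commit subject ("Improve a bit the README file") does not say that a new detected obfuscator (PHP Jiami) is added and that P.A.S and webtoolsvn are moved to keep the list in sorted order; the subject should name those changes, e.g. "README: add PHP Jiami, keep obfuscator list sorted", so the log explains why two existing entries are removed and re-added. While touching this list, the unchanged lead-in "The following list of encoders/obfuscators/webshells are also detected" has a subject/verb mismatch and should read "is also detected".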
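Review bot: In the `@@ -43,7` hunk, replacing "sentence" with "statement" does not remove the ambiguity, because the text being referred to ("it's trivial to bypass PMF, but its goal is to catch kiddies and idiots") spans the two lines above rather than a single previous sentence; "re-read the paragraph above" would be unambiguous. The same changed line also has a number agreement error: "belong to one (or both) category" should be "one (or both) categories".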
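Review bot: In the `@@ -83,7` hunk the edited line keeps the typo "Ho, and by the way" which should be "Oh, and by the way"; since the line is being rewritten anyway, fix it here, and prefer "test suite" over "testsuite" to match common usage.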
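Review bot: In the `@@ -97,9` hunk the new link target `https://en.wikipedia.org/wiki/Entropy_(information_theory)` contains unescaped parentheses; CommonMark tolerates balanced parentheses in a link destination, but several older Markdown renderers cut the URL at the first `)`, so encode them as `Entropy_%28information_theory%29` to be safe. In the same hunk, "it works (especially) on obfuscated files too" reads awkwardly because "especially" and "too" pull in opposite directions; either "it also works on obfuscated files" or "it works especially well on obfuscated files" says what is meant.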