From 48936efa96ae17295be4e0a71be3294f0ec6aef8 Mon Sep 17 00:00:00 2001 From: Mathieu Deous Date: Mon, 2 May 2022 20:18:23 +0200 Subject: Make application go-install-able and create a docker image --- README.md | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 6ae0b07..2ee0606 100644 --- a/README.md +++ b/README.md @@ -60,22 +60,28 @@ PMF tries as much as possible to use semantic patterns, to detect things like and then passed to some dangerous function like `system`". ## Installation + +### From source + - Install Go (using your package manager, or [manually](https://go.dev/doc/install)) - Install libyara >= 4.2 (using your package manager, or [from source](https://yara.readthedocs.io/en/stable/gettingstarted.html)) - Download php-malware-finder: `git clone https://github.com/jvoisin/php-malware-finder.git` - Build php-malware-finder: `cd php-malware-finder && make` +or replace the last 2 steps with `go install github.com/jvoisin/php-malware-finder`, +which will directly compile and install PMF in your `${GOROOT}/bin` folder. + ## How to use it? ``` -$ ./phpmalwarefinder -h +$ ./php-malware-finder -h Usage: - phpmalwarefinder [OPTIONS] [Target] + php-malware-finder [OPTIONS] [Target] Application Options: - -r, --rules-dir= Rules location (default: /etc/phpmalwarefinder or .) + -r, --rules-dir= Alternative rules location (default: embedded rules) -a, --show-all Display all matched rules - -f, --fast Enable YARA's fast mode' + -f, --fast Enable YARA's fast mode -R, --rate-limit= Max. filesystem ops per second, 0 for no limit (default: 0) -v, --verbose Verbose mode -w, --workers= Number of workers to spawn for scanning (default: 32) 
@@ -84,6 +90,7 @@ Application Options: -i, --exclude-imgs Do not scan image files -x, --exclude-ext= Additional file extensions to exclude -u, --update Update rules + -V, --version Show version number and exit Help Options: -h, --help Show this help message @@ -92,7 +99,7 @@ Help Options: Or if you prefer to use `yara`: ``` -$ yara -r ./php.yar /var/www +$ yara -r ./data/php.yar /var/www ``` Please keep in mind that you should use at least YARA 3.4 because we're using @@ -103,6 +110,16 @@ have support for hashes. Oh, and by the way, you can run the *comprehensive* testsuite with `make tests`. +### Docker + +If you want to avoid having to install Go and libyara, you can also use our +docker image and simply mount the folder you want to scan to the container's +`/data` directory: + +``` +$ docker run --rm -v /folder/to/scan:/data ghcr.io/jvoisin/php-malware-finder +``` + ## Whitelisting Check the [whitelist.yar](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/whitelist.yar) file. @@ -115,7 +132,7 @@ Because: - It doesn't use [a single rule per sample]( https://github.com/Neo23x0/signature-base/blob/e264d66a8ea3be93db8482ab3d639a2ed3e9c949/yara/thor-webshells.yar ), since it only cares about finding malicious patterns, not specific webshells -- It has a [complete testsuite](https://travis-ci.org/jvoisin/php-malware-finder), to avoid regressions +- It has a [complete testsuite](https://github.com/jvoisin/php-malware-finder/actions), to avoid regressions - Its whitelist system doesn't rely on filenames - It doesn't rely on (slow) [entropy computation]( https://en.wikipedia.org/wiki/Entropy_(information_theory) ) - It uses a ghetto-style static analysis, instead of relying on file hashes -- cgit v1.3
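Review bot: in the `@@ -60,22 +60,28 @@` hunk the new `go install` sentence has two problems. `go install github.com/jvoisin/php-malware-finder` with no version suffix only succeeds when run from inside a module directory; with a current Go toolchain run from anywhere else it fails with a "version is required" error, so the README should give `go install github.com/jvoisin/php-malware-finder@latest` (or, preferably for a security tool, a pinned tag). And the binary does not land in `${GOROOT}/bin`, which holds the Go toolchain itself; `go install` writes to `$GOBIN` if set, otherwise to `$GOPATH/bin` (by default `~/go/bin`). It is also worth saying explicitly that `go install` only replaces the clone-and-make steps and still needs libyara and a C toolchain, since the rest of the list keeps the libyara >= 4.2 requirement.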
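Review bot: in the `@@ -92,7 +99,7 @@` hunk the `yara` invocation is updated to `./data/php.yar`, but the unchanged context line right below it still tells readers to "use at least YARA 3.4", while the Installation section in this same patch requires libyara >= 4.2. Suggest bringing that sentence in line with the new minimum so nobody pairs the relocated rules with a yara that predates the features they rely on.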
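Review bot: in the `@@ -103,6 +110,16 @@` hunk the docker example runs an untagged image and mounts the target read-write. Suggest pinning a tag or digest (`ghcr.io/jvoisin/php-malware-finder:<tag>`) so a scan is reproducible and a re-pushed `latest` cannot silently change the rule set, and mounting the scanned tree read-only since scanning needs no writes: `docker run --rm -v /folder/to/scan:/data:ro ghcr.io/jvoisin/php-malware-finder:<tag>`. Two smaller documentation points: the help text above lists `-u, --update` for fetching rules, so it is worth stating whether that does anything useful in a container that ships embedded rules; and since the previous hunk moves `php.yar` under `data/`, the `whitelist.yar` link in the unchanged context below, which still points at `php-malware-finder/whitelist.yar`, should be checked to make sure it still resolves.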