From 61126b35771eaa7537757362f264dbc8b6a32ed7 Mon Sep 17 00:00:00 2001 From: Mathieu Deous Date: Fri, 15 Apr 2022 22:02:16 +0200 Subject: Rewrite shell script in Go --- README.md | 47 ++++++++++++++++++++++++----------------------- 1 file changed, 24 insertions(+), 23 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 1b60ce1..6ae0b07 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![Build Status](https://travis-ci.org/jvoisin/php-malware-finder.svg?branch=master)](https://travis-ci.org/jvoisin/php-malware-finder) +![Test Suite](https://github.com/jvoisin/php-malware-finder/actions/workflows/test.yml/badge.svg) # PHP Malware Finder 
@@ -54,38 +54,39 @@ Detection is performed by crawling the filesystem and testing files against a [set](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/php.yar) of [YARA](http://virustotal.github.io/yara/) rules. Yes, it's that simple! -Instead of using an *hash-based* approach, +Instead of using a *hash-based* approach, PMF tries as much as possible to use semantic patterns, to detect things like "a `$_GET` variable is decoded two times, unzipped, and then passed to some dangerous function like `system`". ## Installation -- [Install Yara](https://yara.readthedocs.io/en/stable/gettingstarted.html#compiling-and-installing-yara). -This is also possible via some Linux package managers: - - Debian: `sudo apt-get install yara` - - Red Hat: `yum install yara` (requires the [EPEL repository](https://fedoraproject.org/wiki/EPEL)) - -You can also compile it from source: - -``` -git clone git@github.com:VirusTotal/yara.git -cd yara/ -YACC=bison ./configure -make -``` - -- Download php-malware-finder `git clone https://github.com/jvoisin/php-malware-finder.git` +- Install Go (using your package manager, or [manually](https://go.dev/doc/install)) +- Install libyara >= 4.2 (using your package manager, or [from source](https://yara.readthedocs.io/en/stable/gettingstarted.html)) +- Download php-malware-finder: `git clone https://github.com/jvoisin/php-malware-finder.git` +- Build php-malware-finder: `cd php-malware-finder && make` ## How to use it? ``` $ ./phpmalwarefinder -h -Usage phpmalwarefinder [-cfhtvl] ... - -c Optional path to a rule file - -f Fast mode - -h Show this help message - -t Specify the number of threads to use (8 by default) - -v Verbose mode +Usage: + phpmalwarefinder [OPTIONS] [Target] + +Application Options: + -r, --rules-dir= Rules location (default: /etc/phpmalwarefinder or .) + -a, --show-all Display all matched rules + -f, --fast Enable YARA's fast mode' + -R, --rate-limit= Max. 
filesystem ops per second, 0 for no limit (default: 0) + -v, --verbose Verbose mode + -w, --workers= Number of workers to spawn for scanning (default: 32) + -L, --long-lines Check long lines + -c, --exclude-common Do not scan files with common extensions + -i, --exclude-imgs Do not scan image files + -x, --exclude-ext= Additional file extensions to exclude + -u, --update Update rules + +Help Options: + -h, --help Show this help message ``` Or if you prefer to use `yara`: -- cgit v1.3
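Review bot: in the first hunk, the new `![Test Suite](...)` badge is a bare image, whereas the Travis badge it replaces was wrapped in a link; keep it clickable so readers land on the workflow runs, e.g. `[![Test Suite](https://github.com/jvoisin/php-malware-finder/actions/workflows/test.yml/badge.svg)](https://github.com/jvoisin/php-malware-finder/actions/workflows/test.yml)`.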
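Review bot: in the second hunk, the usage block changes the meaning of existing short flags without saying so: `-c` used to be "Optional path to a rule file" and now means `--exclude-common`, and `-t` (threads, default 8) is gone in favour of `-w, --workers` (default 32), so a cron job or wrapper written against the old shell script will now silently do something different; add a short "changes from the previous version" note to the README. The `--fast` line also carries a stray trailing quote (`Enable YARA's fast mode'`) that comes straight from the program's help output, so fix it in the flag definition and regenerate this block rather than editing the README by hand. Finally, `-u, --update` says only "Update rules" and the install section now requires `libyara >= 4.2` after dropping the apt/yum lines; say where `--update` fetches rules from and that a distribution's packaged libyara may be older than 4.2.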