mirror of
https://github.com/scr34m/php-malware-scanner.git
synced 2026-06-16 12:30:35 +00:00
Updated with patterns_iraw.txt and text2base64.py
This commit is contained in:
nichogenius
38
README.md
38
README.md
@@ -29,16 +29,52 @@ Usage: php scan.php -d <directory>
|
|||||||
|
|
||||||
Ignore argument could be used multiple times and accept glob style matching ex.: "cache*", "??-cache.php" or "/cache" etc.
|
Ignore argument could be used multiple times and accept glob style matching ex.: "cache*", "??-cache.php" or "/cache" etc.
|
||||||
|
|
||||||
|
Extension argument defaults to .php .
|
||||||
|
|
||||||
|
--base64 is an alternative scan mode which ignores the main pattern files and uses a large list of php keywords and functions that have been converted to base64. Slower and prone to false positives, but gives additional base64 scanning coverage. These pattern files are located in base64_patterns and were derived from php 7 keywords and functions. Not many PHP extensions are included.
|
||||||
|
|
||||||
|
--comment flag will display the last comment to appear in the pattern file before the matched pattern, so documenting the pattern files is important.
|
||||||
|
|
||||||
|
--pattern flag will display the pattern string that was matched.
|
||||||
|
|
||||||
Patterns
|
Patterns
|
||||||
--------
|
--------
|
||||||
|
|
||||||
There are two different pattern source, each line in these files is a patter so patterns_raw.txt lines searched as-is, patterns_re.txt used with preg_match function.
|
There are three main pattern files the cover different typtes of pattern matching. There is one pattern per line. All lines where the very first character is a '#' is considered a comment and not used as a pattern. Whitespace in the pattern files is not used.
|
||||||
|
|
||||||
|
-patterns_raw.txt -- Raw string matching
|
||||||
|
-patterns-iraw.txt -- Case insensitive raw string matching
|
||||||
|
-patterns-re.txt -- Regular expression matching.
|
||||||
|
|
||||||
Whitelisting
|
Whitelisting
|
||||||
------------
|
------------
|
||||||
|
|
||||||
See [whitelist.txt](https://github.com/scr34m/php-malware-scanner/blob/master/whitelist.txt) file for a predefined MD5 hash list. Only the first 32 characters are used, rest of the line ignored so feel free to leave a comment.
|
See [whitelist.txt](https://github.com/scr34m/php-malware-scanner/blob/master/whitelist.txt) file for a predefined MD5 hash list. Only the first 32 characters are used, rest of the line ignored so feel free to leave a comment.
|
||||||
|
|
||||||
|
Tools
|
||||||
|
---------
|
||||||
|
-text2base64.py
|
||||||
|
Takes a plaintext string as input and returns 3 base64 string equivalents.
|
||||||
|
Python script that needs to be executed from the terminal to be used.
|
||||||
|
|
||||||
|
Marking as executable is required.
|
||||||
|
~$ chmod +x text2base64.py
|
||||||
|
|
||||||
|
It is worth noting that the presence of one of the three output strings in a block of text does not 100% guarantee that the string was
|
||||||
|
present in the original code. It is guaranteed that IF the subject string was present in the original code, then one of the three
|
||||||
|
outputted strings will be present in the base64 version.
|
||||||
|
|
||||||
|
usage:
|
||||||
|
./text2base64.py 'base64_decode'
|
||||||
|
YmFzZTY0X2RlY29kZ
|
||||||
|
Jhc2U2NF9kZWNvZG
|
||||||
|
iYXNlNjRfZGVjb2Rl
|
||||||
|
|
||||||
|
An example: The presence of 'YmFzZTY0X2RlY29kZ' does not guarantee that 'base64_decode' is in the plain text code.
|
||||||
|
It is guaranteed that IF 'base64_decode' was present in the plain text code, then one of these three base64 strings WILL be present.
|
||||||
|
The presence of 'YmFzZTY0X2RlY29kZ' in a block of code may be because 'ase64_decod' was in the original code. Note the missing edge
|
||||||
|
characters which is due to bit misalignments and character bleed.
|
||||||
|
|
||||||
Resources
|
Resources
|
||||||
---------
|
---------
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user