From 4d9bcd171b3483958ae13b8c6fdedf2f1874ae2f Mon Sep 17 00:00:00 2001 From: nichogenius Date: Mon, 31 Jul 2017 12:56:15 -0600 Subject: [PATCH] Adding str_, function, echo and include in base64 str_ will match 13 separate php functions, many of which can be used for string/modifcation aka obfuscation function added to catch function defining. echo added as it is a common php keyword, though experimental... may cause a of false positives include added as it is often used to link in other malware files. --- patterns_raw.txt | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/patterns_raw.txt b/patterns_raw.txt index 57607b3..848569f 100644 --- a/patterns_raw.txt +++ b/patterns_raw.txt @@ -62,11 +62,31 @@ cmVwbGFjZ JlcGxhY2 yZXBsYWNl +# "str_" in base64 +c3RyX +N0cl +zdHJf + # "exec" in base64 ZXhlYy V4ZWMo leGVjK +# "echo" in base64 +ZWNob +VjaG +lY2hv + +# "function" in base64 +ZnVuY3Rpb2 +Z1bmN0aW9u +mdW5jdGlvb + +# "include" in base64 +aW5jbHVkZ +luY2x1ZG +pbmNsdWRl + # "base64" in base64 YmFzZTY0 Jhc2U2N
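Review bot: The middle-alignment entries `N0cl` (for "str_") and `VjaG` (for "echo") are only four base64 characters, about 24 bits each, so they will match by chance inside any large unrelated base64 blob such as an embedded image, font or certificate. The commit message flags echo as experimental, but the str_ entry is just as short and carries the same risk. The existing exec entries (`ZXhlYy`, `V4ZWMo`, `leGVjK`) appear to encode `exec(` rather than bare `exec`, which lengthens every alignment; the new keywords could be encoded the same way, with the character that normally follows them (for example `echo` plus a trailing space). If the short forms stay, a comment above those blocks such as `# low-confidence: 4-char alignment, expect hits in unrelated base64 data` would tell whoever triages scanner output to look for a second indicator first.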