Code style formatting

Gabor Gyorvari
2018-03-02 18:36:24 +01:00
parent 7b2b1068e1
commit 99801506e7

217
scan.php

@@ -19,38 +19,38 @@
class MalwareScanner class MalwareScanner
{ {
//Pretty Colors //Pretty Colors
private $ANSI_GREEN = "\033[32m"; private $ANSI_GREEN = "\033[32m";
private $ANSI_RED = "\033[31m"; private $ANSI_RED = "\033[31m";
private $ANSI_YELLOW = "\033[33m"; private $ANSI_YELLOW = "\033[33m";
private $ANSI_BLUE = "\033[36m"; private $ANSI_BLUE = "\033[36m";
private $ANSI_OFF = "\033[0m"; private $ANSI_OFF = "\033[0m";
private $dir = ''; private $dir = '';
private $extension = '.php'; private $extension = '.php';
private $flagBase64 = false; private $flagBase64 = false;
private $flagChecksum = false; private $flagChecksum = false;
private $flagComments = false; private $flagComments = false;
private $flagHideOk = false; private $flagHideOk = false;
private $flagHideWhitelist = false; private $flagHideWhitelist = false;
private $flagNoStop = false; private $flagNoStop = false;
private $flagPattern = false; private $flagPattern = false;
private $flagTime = false; private $flagTime = false;
private $extraCheck = false; private $extraCheck = false;
private $whitelist = array(); private $whitelist = array();
private $ignore = array(); private $ignore = array();
private $stat = array( private $stat = array(
'directories' => 0, 'directories' => 0,
'files_scanned' => 0, 'files_scanned' => 0,
'files_infected' => 0, 'files_infected' => 0,
); );
private $followSymlink = false; private $followSymlink = false;
//Pattern File Attributes //Pattern File Attributes
private $patterns_raw = array(); private $patterns_raw = array();
private $patterns_iraw = array(); private $patterns_iraw = array();
private $patterns_re = array(); private $patterns_re = array();
private $patterns_b64functions = array(); private $patterns_b64functions = array();
private $patterns_b64keywords = array(); private $patterns_b64keywords = array();
//Constructor - Likes to do as little as possible. //Constructor - Likes to do as little as possible.
public function __construct() public function __construct()
@@ -65,11 +65,11 @@ class MalwareScanner
//Allows the -n/--no-color flag to easily remove color characters. //Allows the -n/--no-color flag to easily remove color characters.
private function disableColor() private function disableColor()
{ {
$this->ANSI_GREEN = ''; $this->ANSI_GREEN = '';
$this->ANSI_RED = ''; $this->ANSI_RED = '';
$this->ANSI_YELLOW = ''; $this->ANSI_YELLOW = '';
$this->ANSI_BLUE = ''; $this->ANSI_BLUE = '';
$this->ANSI_OFF = ''; $this->ANSI_OFF = '';
} }
//Prints the passed 'string' in red text, calls showHelp(). //Prints the passed 'string' in red text, calls showHelp().
@@ -85,19 +85,19 @@ class MalwareScanner
//Handles pattern loading and saving to the class object //Handles pattern loading and saving to the class object
private function initializePatterns() private function initializePatterns()
{ {
//Loads either the primary scanning patterns or the base64 patterns depending on -b/--base64 flag $dir = dirname(__FILE__);
//Loads either the primary scanning patterns or the base64 patterns depending on -b/--base64 flag
if (!$this->flagBase64) { if (!$this->flagBase64) {
$this->patterns_raw = $this->loadPatterns(dirname(__FILE__) . '/definitions/patterns_raw.txt'); $this->patterns_raw = $this->loadPatterns($dir . '/definitions/patterns_raw.txt');
$this->patterns_iraw = $this->loadPatterns(dirname(__FILE__) . '/definitions/patterns_iraw.txt'); $this->patterns_iraw = $this->loadPatterns($dir . '/definitions/patterns_iraw.txt');
$this->patterns_re = $this->loadPatterns(dirname(__FILE__) . '/definitions/patterns_re.txt'); $this->patterns_re = $this->loadPatterns($dir . '/definitions/patterns_re.txt');
} } else {
else { $this->patterns_b64functions = $this->loadPatterns($dir . '/base64_patterns/php_functions.txt');
$this->patterns_b64functions = $this->loadPatterns(dirname(__FILE__). '/base64_patterns/php_functions.txt'); $this->patterns_b64keywords = $this->loadPatterns($dir . '/base64_patterns/php_keywords.txt');
$this->patterns_b64keywords = $this->loadPatterns(dirname(__FILE__). '/base64_patterns/php_keywords.txt');
} }
//Adds additional checks to patterns_raw //Adds additional checks to patterns_raw
//This may be something to move into a pattern file rather than leave hardcoded. //This may be something to move into a pattern file rather than leave hardcoded.
if ($this->extraCheck) { if ($this->extraCheck) {
$this->patterns_raw['googleBot'] = '# '; $this->patterns_raw['googleBot'] = '# ';
$this->patterns_raw['htaccess'] = '# '; $this->patterns_raw['htaccess'] = '# ';
@@ -137,8 +137,8 @@ class MalwareScanner
continue; continue;
} }
//Check if first char in pattern is a '#' which indicates a comment and skips. //Check if first char in pattern is a '#' which indicates a comment and skips.
//Stores the comment to be stored with the pattern in the list as key:value pairs. //Stores the comment to be stored with the pattern in the list as key:value pairs.
//The pattern is the key and the comment is the value. //The pattern is the key and the comment is the value.
if ($pattern[0] === '#') { if ($pattern[0] === '#') {
$last_comment = $pattern; $last_comment = $pattern;
continue; continue;
@@ -166,25 +166,27 @@ class MalwareScanner
//All flag handling stuff should be setup here. //All flag handling stuff should be setup here.
private function parseArgs() private function parseArgs()
{ {
$options = getopt( 'd:e:i:abmcxlhkwnspt', $options = getopt(
array( 'd:e:i:abmcxlhkwnspt',
'directory:', array(
'extension:', 'directory:',
'ignore:', 'extension:',
'all-output', 'ignore:',
'base', 'all-output',
'checksum', 'base',
'comment', 'checksum',
'extra-check', 'comment',
'follow-link', 'extra-check',
'help', 'follow-link',
'hide-ok', 'help',
'hide-whitelist', 'hide-ok',
'no-color', 'hide-whitelist',
'no-stop', 'no-color',
'pattern', 'no-stop',
'time' 'pattern',
)); 'time'
)
);
//Help Option should be first //Help Option should be first
if (isset($options['help']) || isset($options['h'])) { if (isset($options['help']) || isset($options['h'])) {
@@ -210,12 +212,15 @@ class MalwareScanner
//Simple Flag Options //Simple Flag Options
if (isset($options['all-output']) || isset($options['a'])) { if (isset($options['all-output']) || isset($options['a'])) {
$this->flagChecksum = true; $this->flagComments = true; $this->flagPattern = true; $this->flagTime = true; $this->flagChecksum = true;
$this->flagComments = true;
$this->flagPattern = true;
$this->flagTime = true;
} }
if (isset($options['base64']) || isset($options['b'])) { if (isset($options['base64']) || isset($options['b'])) {
$this->flagBase64 = true; $this->flagBase64 = true;
} }
if (isset($options['checksum']) || isset($options['m'])) { if (isset($options['checksum']) || isset($options['m'])) {
$this->flagChecksum = true; $this->flagChecksum = true;
} }
if (isset($options['comment']) || isset($options['c'])) { if (isset($options['comment']) || isset($options['c'])) {
@@ -289,18 +294,20 @@ class MalwareScanner
//OK //OK
if (!$found) { if (!$found) {
if ($this->flagHideOk){return;} if ($this->flagHideOk) {
return;
}
$state = 'OK'; $state = 'OK';
$hash = ' '; $hash = ' ';
$state_color = $this->ANSI_GREEN; $state_color = $this->ANSI_GREEN;
} } //WL
//WL
elseif ($this->inWhitelist($hash)) { elseif ($this->inWhitelist($hash)) {
if ($this->flagHideWhitelist) {return;} if ($this->flagHideWhitelist) {
return;
}
$state = 'WL'; $state = 'WL';
$state_color = $this->ANSI_YELLOW; $state_color = $this->ANSI_YELLOW;
} } //ER
//ER
else { else {
$state = 'ER'; $state = 'ER';
$state_color = $this->ANSI_RED; $state_color = $this->ANSI_RED;
@@ -311,12 +318,12 @@ class MalwareScanner
if ($this->flagTime) { if ($this->flagTime) {
$changed_time = filectime($path); $changed_time = filectime($path);
$htime = date('H:i d-m-Y', $changed_time); $htime = date('H:i d-m-Y', $changed_time);
$output_string = $output_string . $this->ANSI_BLUE . $htime . $this->ANSI_OFF . ' '; $output_string = $output_string . $this->ANSI_BLUE . $htime . $this->ANSI_OFF . ' ';
} }
//Include Checksum/Hash //Include Checksum/Hash
if ($this->flagChecksum) { if ($this->flagChecksum) {
$output_string = $output_string . $this->ANSI_BLUE . $hash . $this->ANSI_OFF . ' '; $output_string = $output_string . $this->ANSI_BLUE . $hash . $this->ANSI_OFF . ' ';
} }
//Append Path //Append Path
@@ -391,7 +398,7 @@ class MalwareScanner
private function run($dir) private function run($dir)
{ {
//Make sure a directory was specified. //Make sure a directory was specified.
if ($this->dir === '') { if ($this->dir === '') {
$this->error('No directory specified'); $this->error('No directory specified');
} }
@@ -401,11 +408,11 @@ class MalwareScanner
$this->error('Specified path is not a directory: ' . $dir); $this->error('Specified path is not a directory: ' . $dir);
} }
//Load Patterns //Load Patterns
$this->initializePatterns(); $this->initializePatterns();
//Load Whitelist //Load Whitelist
$this->loadWhitelist(); $this->loadWhitelist();
$start = time(); $start = time();
$this->process($dir . '/'); $this->process($dir . '/');
@@ -419,18 +426,17 @@ class MalwareScanner
$this->stat['files_scanned']++; $this->stat['files_scanned']++;
$fileContent = file_get_contents($path); $fileContent = file_get_contents($path);
$found = false; $found = false;
$hash = ''; $hash = '';
$toSearch = ''; $toSearch = '';
$comment = ''; $comment = '';
if (!$this->flagBase64) { if (!$this->flagBase64) {
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_raw, $path, $found, $hash); $this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_raw, $path, $found, $hash);
$this->scanLoop('scanFunc_STRI', $fileContent, $this->patterns_iraw, $path, $found, $hash); $this->scanLoop('scanFunc_STRI', $fileContent, $this->patterns_iraw, $path, $found, $hash);
$this->scanLoop('scanFunc_RE', $fileContent, $this->patterns_re, $path, $found, $hash); $this->scanLoop('scanFunc_RE', $fileContent, $this->patterns_re, $path, $found, $hash);
} } else {
else { $this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_b64functions, $path, $found, $hash);
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_b64functions, $path, $found, $hash); $this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_b64keywords, $path, $found, $hash);
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_b64keywords, $path, $found, $hash);
} }
if (!$found) { if (!$found) {
@@ -442,7 +448,7 @@ class MalwareScanner
return false; return false;
} }
$this->stat['files_infected']++; $this->stat['files_infected']++;
return true; return true;
} }
@@ -479,13 +485,17 @@ class MalwareScanner
{ {
if (!$found || $this->flagNoStop) { if (!$found || $this->flagNoStop) {
foreach ($patterns as $pattern => $comment) { foreach ($patterns as $pattern => $comment) {
//Call the function that is named in $scanFunction //Call the function that is named in $scanFunction
//This allows multiple search/match functions to be used without duplicating the loop code. //This allows multiple search/match functions to be used without duplicating the loop code.
if ($this->$scanFunction($pattern, $fileContent)) { if ($this->$scanFunction($pattern, $fileContent)) {
$found = true; $found = true;
if ($hash === ''){$hash = md5($fileContent);} if ($hash === '') {
$hash = md5($fileContent);
}
$this->printPath($found, $path, $pattern, $comment, $hash); $this->printPath($found, $path, $pattern, $comment, $hash);
if (!$this->flagNoStop){return;} if (!$this->flagNoStop) {
return;
}
} }
} }
} }
@@ -494,27 +504,26 @@ class MalwareScanner
//Prints out the usage menu options. //Prints out the usage menu options.
private function showHelp() private function showHelp()
{ {
echo 'Usage: php scan.php -d <directory>' . PHP_EOL; echo 'Usage: php scan.php -d <directory>' . PHP_EOL;
echo ' -h --help Show this help message' . PHP_EOL; echo ' -h --help Show this help message' . PHP_EOL;
echo ' -d <directory> --directory Directory for searching' . PHP_EOL; echo ' -d <directory> --directory Directory for searching' . PHP_EOL;
echo ' -e <file extension> --extension File Extension to Scan' . PHP_EOL; echo ' -e <file extension> --extension File Extension to Scan' . PHP_EOL;
echo ' -i <directory|file> --ignore Directory of file to ignore' . PHP_EOL; echo ' -i <directory|file> --ignore Directory of file to ignore' . PHP_EOL;
echo ' -a --all-output Enables --checksum,--comment,--pattern,--time' . PHP_EOL; echo ' -a --all-output Enables --checksum,--comment,--pattern,--time' . PHP_EOL;
echo ' -b --base64 Scan for base64 encoded PHP keywords' . PHP_EOL; echo ' -b --base64 Scan for base64 encoded PHP keywords' . PHP_EOL;
echo ' -m --checksum Display MD5 Hash/Checksum of file' . PHP_EOL; echo ' -m --checksum Display MD5 Hash/Checksum of file' . PHP_EOL;
echo ' -c --comment Display comments for matched patterns' . PHP_EOL; echo ' -c --comment Display comments for matched patterns' . PHP_EOL;
echo ' -x --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL; echo ' -x --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
echo ' -l --follow-symlink Follow symlinked directories' . PHP_EOL; echo ' -l --follow-symlink Follow symlinked directories' . PHP_EOL;
echo ' -k --hide-ok Hide results with \'OK\' status' . PHP_EOL; echo ' -k --hide-ok Hide results with \'OK\' status' . PHP_EOL;
echo ' -w --hide-whitelist Hide results with \'WL\' status' . PHP_EOL; echo ' -w --hide-whitelist Hide results with \'WL\' status' . PHP_EOL;
echo ' -n --no-color Disable color mode' . PHP_EOL; echo ' -n --no-color Disable color mode' . PHP_EOL;
echo ' -s --no-stop Continue scanning file after first hit' . PHP_EOL; echo ' -s --no-stop Continue scanning file after first hit' . PHP_EOL;
echo ' -p --pattern Show Patterns next to the file name' . PHP_EOL; echo ' -p --pattern Show Patterns next to the file name' . PHP_EOL;
echo ' -t --time Show time of last file change' . PHP_EOL; echo ' -t --time Show time of last file change' . PHP_EOL;
} }
} }
//Creates a new MalwareScanner object which does all the work. //Creates a new MalwareScanner object which does all the work.
new MalwareScanner(); new MalwareScanner();
?>
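Review bot: The long-option array passed to `getopt()` in parseArgs registers `'base'` and `'follow-link'`, while the flag check in the next hunk tests `isset($options['base64'])` and showHelp() advertises `--base64` and `--follow-symlink`. Because getopt keys its result by the declared names, no long option can ever populate `$options['base64']`, so only `-b` enables the base64 scan. For a scanner this fails quietly: an operator who passes `--base64` most likely gets the default pattern set with no error to show the requested mode was not applied. As the array is being re-indented here anyway, the entries should read `'base64',` and `'follow-symlink',`; the follow-symlink check is outside the visible hunks, so confirm which key it tests before renaming. parseArgs continues beyond the hunks shown.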