mirror of
https://github.com/scr34m/php-malware-scanner.git
synced 2026-06-16 12:30:35 +00:00
Code style formatting
This commit is contained in:
217
scan.php
217
scan.php
@@ -19,38 +19,38 @@
|
|||||||
class MalwareScanner
|
class MalwareScanner
|
||||||
{
|
{
|
||||||
//Pretty Colors
|
//Pretty Colors
|
||||||
private $ANSI_GREEN = "\033[32m";
|
private $ANSI_GREEN = "\033[32m";
|
||||||
private $ANSI_RED = "\033[31m";
|
private $ANSI_RED = "\033[31m";
|
||||||
private $ANSI_YELLOW = "\033[33m";
|
private $ANSI_YELLOW = "\033[33m";
|
||||||
private $ANSI_BLUE = "\033[36m";
|
private $ANSI_BLUE = "\033[36m";
|
||||||
private $ANSI_OFF = "\033[0m";
|
private $ANSI_OFF = "\033[0m";
|
||||||
|
|
||||||
private $dir = '';
|
private $dir = '';
|
||||||
private $extension = '.php';
|
private $extension = '.php';
|
||||||
private $flagBase64 = false;
|
private $flagBase64 = false;
|
||||||
private $flagChecksum = false;
|
private $flagChecksum = false;
|
||||||
private $flagComments = false;
|
private $flagComments = false;
|
||||||
private $flagHideOk = false;
|
private $flagHideOk = false;
|
||||||
private $flagHideWhitelist = false;
|
private $flagHideWhitelist = false;
|
||||||
private $flagNoStop = false;
|
private $flagNoStop = false;
|
||||||
private $flagPattern = false;
|
private $flagPattern = false;
|
||||||
private $flagTime = false;
|
private $flagTime = false;
|
||||||
private $extraCheck = false;
|
private $extraCheck = false;
|
||||||
private $whitelist = array();
|
private $whitelist = array();
|
||||||
private $ignore = array();
|
private $ignore = array();
|
||||||
private $stat = array(
|
private $stat = array(
|
||||||
'directories' => 0,
|
'directories' => 0,
|
||||||
'files_scanned' => 0,
|
'files_scanned' => 0,
|
||||||
'files_infected' => 0,
|
'files_infected' => 0,
|
||||||
);
|
);
|
||||||
private $followSymlink = false;
|
private $followSymlink = false;
|
||||||
|
|
||||||
//Pattern File Attributes
|
//Pattern File Attributes
|
||||||
private $patterns_raw = array();
|
private $patterns_raw = array();
|
||||||
private $patterns_iraw = array();
|
private $patterns_iraw = array();
|
||||||
private $patterns_re = array();
|
private $patterns_re = array();
|
||||||
private $patterns_b64functions = array();
|
private $patterns_b64functions = array();
|
||||||
private $patterns_b64keywords = array();
|
private $patterns_b64keywords = array();
|
||||||
|
|
||||||
//Constructor - Likes to do as little as possible.
|
//Constructor - Likes to do as little as possible.
|
||||||
public function __construct()
|
public function __construct()
|
||||||
@@ -65,11 +65,11 @@ class MalwareScanner
|
|||||||
//Allows the -n/--no-color flag to easily remove color characters.
|
//Allows the -n/--no-color flag to easily remove color characters.
|
||||||
private function disableColor()
|
private function disableColor()
|
||||||
{
|
{
|
||||||
$this->ANSI_GREEN = '';
|
$this->ANSI_GREEN = '';
|
||||||
$this->ANSI_RED = '';
|
$this->ANSI_RED = '';
|
||||||
$this->ANSI_YELLOW = '';
|
$this->ANSI_YELLOW = '';
|
||||||
$this->ANSI_BLUE = '';
|
$this->ANSI_BLUE = '';
|
||||||
$this->ANSI_OFF = '';
|
$this->ANSI_OFF = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
//Prints the passed 'string' in red text, calls showHelp().
|
//Prints the passed 'string' in red text, calls showHelp().
|
||||||
@@ -85,19 +85,19 @@ class MalwareScanner
|
|||||||
//Handles pattern loading and saving to the class object
|
//Handles pattern loading and saving to the class object
|
||||||
private function initializePatterns()
|
private function initializePatterns()
|
||||||
{
|
{
|
||||||
//Loads either the primary scanning patterns or the base64 patterns depending on -b/--base64 flag
|
$dir = dirname(__FILE__);
|
||||||
|
//Loads either the primary scanning patterns or the base64 patterns depending on -b/--base64 flag
|
||||||
if (!$this->flagBase64) {
|
if (!$this->flagBase64) {
|
||||||
$this->patterns_raw = $this->loadPatterns(dirname(__FILE__) . '/definitions/patterns_raw.txt');
|
$this->patterns_raw = $this->loadPatterns($dir . '/definitions/patterns_raw.txt');
|
||||||
$this->patterns_iraw = $this->loadPatterns(dirname(__FILE__) . '/definitions/patterns_iraw.txt');
|
$this->patterns_iraw = $this->loadPatterns($dir . '/definitions/patterns_iraw.txt');
|
||||||
$this->patterns_re = $this->loadPatterns(dirname(__FILE__) . '/definitions/patterns_re.txt');
|
$this->patterns_re = $this->loadPatterns($dir . '/definitions/patterns_re.txt');
|
||||||
}
|
} else {
|
||||||
else {
|
$this->patterns_b64functions = $this->loadPatterns($dir . '/base64_patterns/php_functions.txt');
|
||||||
$this->patterns_b64functions = $this->loadPatterns(dirname(__FILE__). '/base64_patterns/php_functions.txt');
|
$this->patterns_b64keywords = $this->loadPatterns($dir . '/base64_patterns/php_keywords.txt');
|
||||||
$this->patterns_b64keywords = $this->loadPatterns(dirname(__FILE__). '/base64_patterns/php_keywords.txt');
|
|
||||||
}
|
}
|
||||||
|
|
||||||
//Adds additional checks to patterns_raw
|
//Adds additional checks to patterns_raw
|
||||||
//This may be something to move into a pattern file rather than leave hardcoded.
|
//This may be something to move into a pattern file rather than leave hardcoded.
|
||||||
if ($this->extraCheck) {
|
if ($this->extraCheck) {
|
||||||
$this->patterns_raw['googleBot'] = '# ';
|
$this->patterns_raw['googleBot'] = '# ';
|
||||||
$this->patterns_raw['htaccess'] = '# ';
|
$this->patterns_raw['htaccess'] = '# ';
|
||||||
@@ -137,8 +137,8 @@ class MalwareScanner
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
//Check if first char in pattern is a '#' which indicates a comment and skips.
|
//Check if first char in pattern is a '#' which indicates a comment and skips.
|
||||||
//Stores the comment to be stored with the pattern in the list as key:value pairs.
|
//Stores the comment to be stored with the pattern in the list as key:value pairs.
|
||||||
//The pattern is the key and the comment is the value.
|
//The pattern is the key and the comment is the value.
|
||||||
if ($pattern[0] === '#') {
|
if ($pattern[0] === '#') {
|
||||||
$last_comment = $pattern;
|
$last_comment = $pattern;
|
||||||
continue;
|
continue;
|
||||||
@@ -166,25 +166,27 @@ class MalwareScanner
|
|||||||
//All flag handling stuff should be setup here.
|
//All flag handling stuff should be setup here.
|
||||||
private function parseArgs()
|
private function parseArgs()
|
||||||
{
|
{
|
||||||
$options = getopt( 'd:e:i:abmcxlhkwnspt',
|
$options = getopt(
|
||||||
array(
|
'd:e:i:abmcxlhkwnspt',
|
||||||
'directory:',
|
array(
|
||||||
'extension:',
|
'directory:',
|
||||||
'ignore:',
|
'extension:',
|
||||||
'all-output',
|
'ignore:',
|
||||||
'base',
|
'all-output',
|
||||||
'checksum',
|
'base',
|
||||||
'comment',
|
'checksum',
|
||||||
'extra-check',
|
'comment',
|
||||||
'follow-link',
|
'extra-check',
|
||||||
'help',
|
'follow-link',
|
||||||
'hide-ok',
|
'help',
|
||||||
'hide-whitelist',
|
'hide-ok',
|
||||||
'no-color',
|
'hide-whitelist',
|
||||||
'no-stop',
|
'no-color',
|
||||||
'pattern',
|
'no-stop',
|
||||||
'time'
|
'pattern',
|
||||||
));
|
'time'
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
//Help Option should be first
|
//Help Option should be first
|
||||||
if (isset($options['help']) || isset($options['h'])) {
|
if (isset($options['help']) || isset($options['h'])) {
|
||||||
@@ -210,12 +212,15 @@ class MalwareScanner
|
|||||||
|
|
||||||
//Simple Flag Options
|
//Simple Flag Options
|
||||||
if (isset($options['all-output']) || isset($options['a'])) {
|
if (isset($options['all-output']) || isset($options['a'])) {
|
||||||
$this->flagChecksum = true; $this->flagComments = true; $this->flagPattern = true; $this->flagTime = true;
|
$this->flagChecksum = true;
|
||||||
|
$this->flagComments = true;
|
||||||
|
$this->flagPattern = true;
|
||||||
|
$this->flagTime = true;
|
||||||
}
|
}
|
||||||
if (isset($options['base64']) || isset($options['b'])) {
|
if (isset($options['base64']) || isset($options['b'])) {
|
||||||
$this->flagBase64 = true;
|
$this->flagBase64 = true;
|
||||||
}
|
}
|
||||||
if (isset($options['checksum']) || isset($options['m'])) {
|
if (isset($options['checksum']) || isset($options['m'])) {
|
||||||
$this->flagChecksum = true;
|
$this->flagChecksum = true;
|
||||||
}
|
}
|
||||||
if (isset($options['comment']) || isset($options['c'])) {
|
if (isset($options['comment']) || isset($options['c'])) {
|
||||||
@@ -289,18 +294,20 @@ class MalwareScanner
|
|||||||
|
|
||||||
//OK
|
//OK
|
||||||
if (!$found) {
|
if (!$found) {
|
||||||
if ($this->flagHideOk){return;}
|
if ($this->flagHideOk) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
$state = 'OK';
|
$state = 'OK';
|
||||||
$hash = ' ';
|
$hash = ' ';
|
||||||
$state_color = $this->ANSI_GREEN;
|
$state_color = $this->ANSI_GREEN;
|
||||||
}
|
} //WL
|
||||||
//WL
|
|
||||||
elseif ($this->inWhitelist($hash)) {
|
elseif ($this->inWhitelist($hash)) {
|
||||||
if ($this->flagHideWhitelist) {return;}
|
if ($this->flagHideWhitelist) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
$state = 'WL';
|
$state = 'WL';
|
||||||
$state_color = $this->ANSI_YELLOW;
|
$state_color = $this->ANSI_YELLOW;
|
||||||
}
|
} //ER
|
||||||
//ER
|
|
||||||
else {
|
else {
|
||||||
$state = 'ER';
|
$state = 'ER';
|
||||||
$state_color = $this->ANSI_RED;
|
$state_color = $this->ANSI_RED;
|
||||||
@@ -311,12 +318,12 @@ class MalwareScanner
|
|||||||
if ($this->flagTime) {
|
if ($this->flagTime) {
|
||||||
$changed_time = filectime($path);
|
$changed_time = filectime($path);
|
||||||
$htime = date('H:i d-m-Y', $changed_time);
|
$htime = date('H:i d-m-Y', $changed_time);
|
||||||
$output_string = $output_string . $this->ANSI_BLUE . $htime . $this->ANSI_OFF . ' ';
|
$output_string = $output_string . $this->ANSI_BLUE . $htime . $this->ANSI_OFF . ' ';
|
||||||
}
|
}
|
||||||
|
|
||||||
//Include Checksum/Hash
|
//Include Checksum/Hash
|
||||||
if ($this->flagChecksum) {
|
if ($this->flagChecksum) {
|
||||||
$output_string = $output_string . $this->ANSI_BLUE . $hash . $this->ANSI_OFF . ' ';
|
$output_string = $output_string . $this->ANSI_BLUE . $hash . $this->ANSI_OFF . ' ';
|
||||||
}
|
}
|
||||||
|
|
||||||
//Append Path
|
//Append Path
|
||||||
@@ -391,7 +398,7 @@ class MalwareScanner
|
|||||||
private function run($dir)
|
private function run($dir)
|
||||||
{
|
{
|
||||||
//Make sure a directory was specified.
|
//Make sure a directory was specified.
|
||||||
if ($this->dir === '') {
|
if ($this->dir === '') {
|
||||||
$this->error('No directory specified');
|
$this->error('No directory specified');
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -401,11 +408,11 @@ class MalwareScanner
|
|||||||
$this->error('Specified path is not a directory: ' . $dir);
|
$this->error('Specified path is not a directory: ' . $dir);
|
||||||
}
|
}
|
||||||
|
|
||||||
//Load Patterns
|
//Load Patterns
|
||||||
$this->initializePatterns();
|
$this->initializePatterns();
|
||||||
|
|
||||||
//Load Whitelist
|
//Load Whitelist
|
||||||
$this->loadWhitelist();
|
$this->loadWhitelist();
|
||||||
|
|
||||||
$start = time();
|
$start = time();
|
||||||
$this->process($dir . '/');
|
$this->process($dir . '/');
|
||||||
@@ -419,18 +426,17 @@ class MalwareScanner
|
|||||||
$this->stat['files_scanned']++;
|
$this->stat['files_scanned']++;
|
||||||
$fileContent = file_get_contents($path);
|
$fileContent = file_get_contents($path);
|
||||||
$found = false;
|
$found = false;
|
||||||
$hash = '';
|
$hash = '';
|
||||||
$toSearch = '';
|
$toSearch = '';
|
||||||
$comment = '';
|
$comment = '';
|
||||||
|
|
||||||
if (!$this->flagBase64) {
|
if (!$this->flagBase64) {
|
||||||
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_raw, $path, $found, $hash);
|
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_raw, $path, $found, $hash);
|
||||||
$this->scanLoop('scanFunc_STRI', $fileContent, $this->patterns_iraw, $path, $found, $hash);
|
$this->scanLoop('scanFunc_STRI', $fileContent, $this->patterns_iraw, $path, $found, $hash);
|
||||||
$this->scanLoop('scanFunc_RE', $fileContent, $this->patterns_re, $path, $found, $hash);
|
$this->scanLoop('scanFunc_RE', $fileContent, $this->patterns_re, $path, $found, $hash);
|
||||||
}
|
} else {
|
||||||
else {
|
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_b64functions, $path, $found, $hash);
|
||||||
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_b64functions, $path, $found, $hash);
|
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_b64keywords, $path, $found, $hash);
|
||||||
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_b64keywords, $path, $found, $hash);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!$found) {
|
if (!$found) {
|
||||||
@@ -442,7 +448,7 @@ class MalwareScanner
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
$this->stat['files_infected']++;
|
$this->stat['files_infected']++;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -479,13 +485,17 @@ class MalwareScanner
|
|||||||
{
|
{
|
||||||
if (!$found || $this->flagNoStop) {
|
if (!$found || $this->flagNoStop) {
|
||||||
foreach ($patterns as $pattern => $comment) {
|
foreach ($patterns as $pattern => $comment) {
|
||||||
//Call the function that is named in $scanFunction
|
//Call the function that is named in $scanFunction
|
||||||
//This allows multiple search/match functions to be used without duplicating the loop code.
|
//This allows multiple search/match functions to be used without duplicating the loop code.
|
||||||
if ($this->$scanFunction($pattern, $fileContent)) {
|
if ($this->$scanFunction($pattern, $fileContent)) {
|
||||||
$found = true;
|
$found = true;
|
||||||
if ($hash === ''){$hash = md5($fileContent);}
|
if ($hash === '') {
|
||||||
|
$hash = md5($fileContent);
|
||||||
|
}
|
||||||
$this->printPath($found, $path, $pattern, $comment, $hash);
|
$this->printPath($found, $path, $pattern, $comment, $hash);
|
||||||
if (!$this->flagNoStop){return;}
|
if (!$this->flagNoStop) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -494,27 +504,26 @@ class MalwareScanner
|
|||||||
//Prints out the usage menu options.
|
//Prints out the usage menu options.
|
||||||
private function showHelp()
|
private function showHelp()
|
||||||
{
|
{
|
||||||
echo 'Usage: php scan.php -d <directory>' . PHP_EOL;
|
echo 'Usage: php scan.php -d <directory>' . PHP_EOL;
|
||||||
echo ' -h --help Show this help message' . PHP_EOL;
|
echo ' -h --help Show this help message' . PHP_EOL;
|
||||||
echo ' -d <directory> --directory Directory for searching' . PHP_EOL;
|
echo ' -d <directory> --directory Directory for searching' . PHP_EOL;
|
||||||
echo ' -e <file extension> --extension File Extension to Scan' . PHP_EOL;
|
echo ' -e <file extension> --extension File Extension to Scan' . PHP_EOL;
|
||||||
echo ' -i <directory|file> --ignore Directory of file to ignore' . PHP_EOL;
|
echo ' -i <directory|file> --ignore Directory of file to ignore' . PHP_EOL;
|
||||||
echo ' -a --all-output Enables --checksum,--comment,--pattern,--time' . PHP_EOL;
|
echo ' -a --all-output Enables --checksum,--comment,--pattern,--time' . PHP_EOL;
|
||||||
echo ' -b --base64 Scan for base64 encoded PHP keywords' . PHP_EOL;
|
echo ' -b --base64 Scan for base64 encoded PHP keywords' . PHP_EOL;
|
||||||
echo ' -m --checksum Display MD5 Hash/Checksum of file' . PHP_EOL;
|
echo ' -m --checksum Display MD5 Hash/Checksum of file' . PHP_EOL;
|
||||||
echo ' -c --comment Display comments for matched patterns' . PHP_EOL;
|
echo ' -c --comment Display comments for matched patterns' . PHP_EOL;
|
||||||
echo ' -x --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
|
echo ' -x --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
|
||||||
echo ' -l --follow-symlink Follow symlinked directories' . PHP_EOL;
|
echo ' -l --follow-symlink Follow symlinked directories' . PHP_EOL;
|
||||||
echo ' -k --hide-ok Hide results with \'OK\' status' . PHP_EOL;
|
echo ' -k --hide-ok Hide results with \'OK\' status' . PHP_EOL;
|
||||||
echo ' -w --hide-whitelist Hide results with \'WL\' status' . PHP_EOL;
|
echo ' -w --hide-whitelist Hide results with \'WL\' status' . PHP_EOL;
|
||||||
echo ' -n --no-color Disable color mode' . PHP_EOL;
|
echo ' -n --no-color Disable color mode' . PHP_EOL;
|
||||||
echo ' -s --no-stop Continue scanning file after first hit' . PHP_EOL;
|
echo ' -s --no-stop Continue scanning file after first hit' . PHP_EOL;
|
||||||
echo ' -p --pattern Show Patterns next to the file name' . PHP_EOL;
|
echo ' -p --pattern Show Patterns next to the file name' . PHP_EOL;
|
||||||
echo ' -t --time Show time of last file change' . PHP_EOL;
|
echo ' -t --time Show time of last file change' . PHP_EOL;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
//Creates a new MalwareScanner object which does all the work.
|
//Creates a new MalwareScanner object which does all the work.
|
||||||
new MalwareScanner();
|
new MalwareScanner();
|
||||||
?>
|
|
||||||
|
|||||||
Reference in New Issue
Block a user