From d7d85f13c7a0d17a064ada5a86d22fc96627fa13 Mon Sep 17 00:00:00 2001
From: nichogenius
Date: Thu, 3 Aug 2017 10:33:00 -0600
Subject: [PATCH] Added encoded versions of '_' character.

Added encoded versions of '_' character.
---
 patterns_re.txt | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/patterns_re.txt b/patterns_re.txt
index 9d49c3f..fffaf34 100644
--- a/patterns_re.txt
+++ b/patterns_re.txt
@@ -20,6 +20,12 @@ echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|C
 chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)
 (\$OOO_O_000_\{\d+\}.){3,}
 
+#Detects the '_' character encoded in a string like "\x5F". '_' is present in many functions that malware would want to hide.
+\\[Xx](5[Ff])
+
+#Detects the '_' character placed inside a call to the 'chr()' function
+chr\s*\(\s*['"]?\s*((95)|(0[Xx]5[Ff]))\s*['"]?\s*\)
+
 #Detects generic base64 strings longer than 260 characters enclosed in quotes ending with 0-3 '=' chars.
 #260 was a threshold chosen because strings of 256 characters are common enough. Might increase later to reduce false positives.
 ['"][A-Za-z0-9+\/]{260,}={0,3}['"]
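Review bot: The two added rules only cover the hex spellings of '_', so an obfuscator can still hide it with the other forms PHP accepts: the octal escape `"\137"` and (PHP 7+) `"\u{5f}"` in double-quoted strings, and `chr(0137)` or `chr(0b1011111)` in the call form — and since PHP's chr() is documented to reduce out-of-range values modulo 256, `chr(351)` is yet another spelling no fixed regex will enumerate. The surrounding file is a PHP-malware pattern list (`$_GET|POST|SERVER`, `file_get_contents`, the `chr(101).chr(118)…` eval rule), so these variants are likely to appear in the same samples. Extending the two patterns keeps the intent at little cost: `\\([Xx]5[Ff]|137|u\{0*5[Ff]\})` and `chr\s*\(\s*['"]?\s*(95|0[Xx]5[Ff]|0137|0[Bb]1011111)\s*['"]?\s*\)`. The capturing groups in `\\[Xx](5[Ff])` and `((95)|(0[Xx]5[Ff]))` serve no purpose and are dropped in those rewrites; it is also worth adding to the first comment that `\x5F` inside a single-quoted PHP string is not decoded, so that rule will also fire on code that never yields an underscore.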