External/php-malware-scanner
1
0
Fork 0
mirror of https://github.com/scr34m/php-malware-scanner.git synced 2026-06-16 12:30:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added encoded versions of '_' character.

Browse Source 
Added encoded versions of '_' character.
This commit is contained in:
nichogenius
2017-08-03 10:33:00 -06:00
committed by GitHub
parent 4d9bcd171b
commit d7d85f13c7
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
patterns_re.txt
View File

@@ -20,6 +20,12 @@ echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|C
chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\) chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)
(\$OOO_O_000_\{\d+\}.){3,} (\$OOO_O_000_\{\d+\}.){3,}
#Detects the '_' character encoded in a string like "\x5F". '_' is present in many functions that malware would want to hide.
\\[Xx](5[Ff])
#Detects the '_' character placed inside a call to the 'chr()' function
chr\s*\(\s*['"]?\s*((95)|(0[Xx]5[Ff]))\s*['"]?\s*\)
#Detects generic base64 strings longer than 260 characters enclosed in quotes ending with 0-3 '=' chars. #Detects generic base64 strings longer than 260 characters enclosed in quotes ending with 0-3 '=' chars.
#260 was a threshold chosen because strings of 256 characters are common enough. Might increase later to reduce false positives. #260 was a threshold chosen because strings of 256 characters are common enough. Might increase later to reduce false positives.
['"][A-Za-z0-9+\/]{260,}={0,3}['"] ['"][A-Za-z0-9+\/]{260,}={0,3}['"]