From ea2da42f8eddd51d782996600a1db0f5a711a3fc Mon Sep 17 00:00:00 2001
From: nichogenius <nichogenius@gmail.com>
Date: Sat, 19 Aug 2017 17:24:04 -0600
Subject: [PATCH] Added comment lines for each regex

Added comment lines for each regex
This is to allow the -comment flag to provide either an accurate comment or no comment at all.
---
 patterns_re.txt | 43 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 5 deletions(-)

diff --git a/patterns_re.txt b/patterns_re.txt
index 3737561..88aaf39 100644
--- a/patterns_re.txt
+++ b/patterns_re.txt
@@ -1,35 +1,68 @@
-#PHP Regular Expressions
-#All comment lines must have '#' as the first character of the line. 
-#More critical rules should be put higher in the list as only the first pattern matched is reported to the user.
-
+#eval /* */
 eval\/\*[a-z0-9]+\*\/
+
+#
 eval\([a-z0-9]{4,}\(\$[a-z0-9]{4,}, \$[0-9a-z]{4,}\)\);
+
+#
 (chr\(\d+\^\d+\)\.){4,}
+
+#
 (\$[a-z0-9]{3,}\[\d+\]\.){4,}
+
+#
 chr\(\d+\)\.""\.""\.""\.""\.""
+
+#
 \$GLOBALS\[\$GLOBALS['[a-z0-9]{4,}'\]\[\d+\]\.\$GLOBALS\['[a-z-0-9]{4,}'\]\[\d+\].
+
+#
 \$GLOBALS\['[a-z0-9]{5,}'\] = \$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.
+
+#
 eval\([a-z0-9_]+\(base64_decode\(
+
+#
 \$[a-z]{3,}=\$[a-z]{3,}\("",\$[a-z]{3,}\);\$[a-z]{3,}\(\);
+
+#
 {\s*eval\s*\(\s*\$
+
+#
 Googlebot['"]{0,1}\s*\)\){echo\s+file_get_contents
+
+#execute base64 code
 eVaL\(\s*trim\(\s*baSe64_deCoDe\(
+
+#
 if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text
+
+# Write HTTP Request to File
 fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[
+
+# Download Remote Code
 echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)
+
+# 'eval' in ascii chr() chars
 chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)
+
+#
 (\$OOO_O_000_\{\d+\}.){3,}
 
 #Detects the '_' character encoded in a string like "\x5F".  '_' is present in many functions that malware would want to hide.
+# '_' as "\x5f"
 \\[Xx](5[Ff])
 
 #Detects the '_' character placed inside a call to the 'chr()' function
+# '_' as 'chr(95)' or 'chr(0x5f)'
 chr\s*\(\s*['"]?\s*((95)|(0[Xx]5[Ff]))\s*['"]?\s*\)
 
 #Detects generic base64 strings longer than 260 characters enclosed in quotes ending with 0-3 '=' chars.
 #260 was a threshold chosen because strings of 256 characters are common enough.  Might increase later to reduce false positives.
+#Long base64 quoted string.
 ['"][A-Za-z0-9+\/]{260,}={0,3}['"]
 
 #Detects long single lines contained within PHP tags.
-#We can increase from 750 later if we need to.
+#We can increase from 1100 later if we need to.
+#Long single line of PHP.
 ^.*<\?php.{1100,}\?>.*$