Merge pull request #80 from elliotkendall/master

Cast $needle in calls to strpos/stripos to string to avoid automatic …
Cast $needle in calls to strpos/stripos to string to avoid automatic ordinal conversion of integer patterns
2026-06-16 12:30:35 +00:00 · 2022-07-25 19:15:19 +02:00 · 2022-07-25 09:52:27 -07:00 · 2022-07-22 11:28:18 +02:00 · 2022-07-17 08:17:20 +02:00
4 changed files with 48 additions and 6 deletions
--- a/definitions/patterns_iraw.txt
+++ b/definitions/patterns_iraw.txt
@@ -19,4 +19,45 @@ surfright
 # symantec - removed because already a TLD too so generate many false positives

 # SEO poison, pharmacy redirect
-dealonline.su
+dealonline.su
+
+# functions escaped as hexadecimal string
+7068705f756e616d65
+70687076657273696f6e
+6368646972
+676574637764
+707265675f73706c6974
+636f7079
+66696c655f6765745f636f6e74656e7473
+6261736536345f6465636f6465
+69735f646972
+6f625f656e645f636c65616e28293b
+756e6c696e6b
+6d6b646972
+63686d6f64
+7363616e646972
+7374725f7265706c616365
+68746d6c7370656369616c6368617273
+7661725f64756d70
+666f70656e
+667772697465
+66636c6f7365
+64617465
+66696c656d74696d65
+737562737472
+737072696e7466
+66696c657065726d73
+746f756368
+66696c655f657869737473
+72656e616d65
+69735f6172726179
+69735f6f626a656374
+737472706f73
+69735f7772697461626c65
+69735f7265616461626c65
+737472746f74696d65
+66696c6573697a65
+726d646972
+6f625f6765745f636c65616e
+7265616466696c65
+617373657274
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -391,5 +391,6 @@ Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
 # eval url decoded string
 eval(rawurldecode('

-# simple obfuscated gzuncompress
-'gz'.'unc'.'ompress'
+# simple obfuscated function
+'gz'.'unc'.'ompress'
+'create'.'_'.'function'
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -95,7 +95,7 @@ eval\(\$[a-z0-9_]+\(\$_POST
 ("[a-z0-9]+"\.chr\(\d+\)\.){3,}

 # nested function call used variables
-\$[a-z]+\(\$[a-z0-9]+\(
+\$[a-z0-9_]+\(\$[a-z0-9_]+\(

 # GLOBALS inject with escaped content
 \$GLOBALS;\$\{"\\x
--- a/scan.php
+++ b/scan.php
@@ -709,14 +709,14 @@ class MalwareScanner
    //Returns true if the raw string exists in the file contents.
    private function scanFunc_STR(&$pattern, &$content)
    {
-        return strpos($content, $pattern);
+        return strpos($content, (string)$pattern);
    }

    //Performs raw string, case insensitive matching.
    //Returns true if the raw string exists in the file contents, ignoring case.
    private function scanFunc_STRI(&$pattern, &$content)
    {
-        return stripos($content, $pattern);
+        return stripos($content, (string)$pattern);
    }

    //Performs regular expression matching.
Author	SHA1	Message	Date
Győrvári Gábor	cd1164dbb5	Merge pull request #80 from elliotkendall/master Cast $needle in calls to strpos/stripos to string to avoid automatic …	2022-07-25 19:15:19 +02:00
Elliot Kendall	77ebd8abd7	Cast $needle in calls to strpos/stripos to string to avoid automatic ordinal conversion of integer patterns	2022-07-25 09:52:27 -07:00
Gabor Gyorvari	29e6c73558	Webshell matching pattern update	2022-07-22 11:28:18 +02:00
Gabor Gyorvari	bf13288367	Nested function call pattern update	2022-07-17 08:17:20 +02:00