New flag to specify custom white list file

Feature flagHideErr #66

README.md

@@ -26,6 +26,7 @@ Usage: php scan.php -d <directory>
     -x                   --extra-check        Adds GoogleBot and htaccess to Scan List
     -l                   --follow-symlink     Follow symlinked directories
     -k                   --hide-ok            Hide results with 'OK' status
+    -r                   --hide-err           Hide results with 'ER' status
     -w                   --hide-whitelist     Hide results with 'WL' status
     -n                   --no-color           Disable color mode
     -s                   --no-stop            Continue scanning file after first hit
@@ -35,6 +36,7 @@ Usage: php scan.php -d <directory>
     -o                   --output-format      Custom defined output format
     -j                   --wordpress-version  Version of wordpress to get md5 signatures
                          --combined-whitelist Combined whitelist
+                         --custom-whitelist   Loads whitelist from specified file and merge with existing
                          --disable-stats      Disable statistics output
 ```
 
@@ -113,6 +115,22 @@ It is guaranteed that IF 'base64_decode' was present in the plain text code, the
 The presence of 'YmFzZTY0X2RlY29kZ' in a block of code may be because 'ase64_decod' was in the original code.  
 ote the missing edge characters which is due to bit misalignment and character bleed.
 
+Using as library
+----------------
+
+The scan.php perform a check, that it's called by commandline or not, so to use as library use different directory than scan.php it self.
+ 
+```php
+<?php
+
+require_once '../scan.php';
+
+$scan = new MalwareScanner();
+$scan->setFlagHideWhitelist(true);
+$scan->setFlagHideOk(true);
+$scan->run('../samples/test');
+```
+
 Resources
 ---------
 

definitions/patterns_raw.txt

@@ -108,11 +108,6 @@ SFRUUF9VU0VSX0FHRU5U
 hUVFBfVVNFUl9BR0VOV
 IVFRQX1VTRVJfQUdFTl
 
-# "file" in base64
-ZmlsZ
-ZpbG
-maWxl
-
 # "gzinflate" in base64
 Z3ppbmZsYXRl
 d6aW5mbGF0Z
@@ -201,6 +196,7 @@ eval(base64_decode(
 $data = base64_decode("
 edoced_46esab
 base=base64_encode
+'b'.'ase6'.'4_e'.'ncode'
 cr"."eat"."e_fun"."cti"."on
 gz'.'inf'.'late
 # fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
@@ -260,6 +256,9 @@ itsoknoproblembro
 tmhapbzcerff
 IndoXploit
 FaisaL Ahmed aka rEd X
+smisbot
+smotherbot
+Indonesian Hacker Rulez
 
 # WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
 wp-vcd

scan.php

@@ -2,13 +2,13 @@
 
 /*
  * Copyright (c) 2016 Gabor Gyorvari
- * 
+ *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *  http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -31,6 +31,7 @@ class MalwareScanner
     private $flagChecksum = false;
     private $flagComments = false;
     private $flagHideOk = false;
+    private $flagHideErr = false;
     private $flagHideWhitelist = false;
     private $flagNoStop = false;
     private $flagPattern = false;
@@ -41,6 +42,7 @@ class MalwareScanner
     private $flagScanEverything = false;
     private $flagCombinedWhitelist = false;
     private $flagDisableStats = false;
+    private $customWhitelist = array();
     private $outputFormat = '';
     private $whitelist = array();
     private $ignore = array();
@@ -190,20 +192,25 @@ class MalwareScanner
         return $list;
     }
 
-    //Loads the whitelist file
-    public function loadWhitelist()
+    /**
+     * Loads the whitelist files
+     */
+    public function loadWhitelists()
     {
-        if (!is_file(__DIR__ . '/whitelist.txt')) {
-            return;
-        }
-        $fp = fopen(__DIR__ . '/whitelist.txt', 'r');
-        while (!feof($fp)) {
-            $line = fgets($fp);
-            $this->whitelist[] = substr($line, 0, 32);
+        $a = array_merge([__DIR__ . '/whitelist.txt'], $this->customWhitelist);
+        foreach ($a as $file) {
+            if (is_file($file)) {
+                $fp = fopen($file, 'r');
+                while (!feof($fp)) {
+                    $line = fgets($fp);
+                    $this->whitelist[] = substr($line, 0, 32);
+                }
+                fclose($fp);
+            }
         }
     }
 
-    private function addWordpressChecksums($wp_version)
+    public function addWordpressChecksums($wp_version)
     {
         $apiurl = 'https://api.wordpress.org/core/checksums/1.0/?version=' . $wp_version;
         $json = json_decode(file_get_contents($apiurl));
@@ -247,6 +254,7 @@ class MalwareScanner
                 'wordpress-version:',
                 'scan-everything',
                 'combined-whitelist',
+                'custom-whitelist:',
                 'disable-stats'
             )
         );
@@ -298,6 +306,9 @@ class MalwareScanner
         if (isset($options['hide-ok']) || isset($options['k'])) {
             $this->setFlagHideOk(true);
         }
+        if (isset($options['hide-err']) || isset($options['r'])) {
+            $this->setFlagHideErr(true);
+        }
         if (isset($options['hide-whitelist']) || isset($options['w'])) {
             $this->setFlagHideWhitelist(true);
         }
@@ -330,6 +341,13 @@ class MalwareScanner
         if (isset($options['combined-whitelist'])) {
             $this->setFlagCombinedWhitelist(true);
         }
+        if (isset($options['custom-whitelist'])) {
+            $a = $options['custom-whitelist'];
+            if (!is_array($a)) {
+                $a = array($a);
+            }
+            $this->setCustomWhitelist(array_unique($a));
+        }
         if (isset($options['disable-stats'])) {
             $this->setFlagDisableStats(true);
         }
@@ -396,6 +414,11 @@ class MalwareScanner
         $this->flagHideOk = $b;
     }
 
+    public function setFlagHideErr($b)
+    {
+        $this->flagHideErr = $b;
+    }
+
     public function setFlagHideWhitelist($b)
     {
         $this->flagHideWhitelist = $b;
@@ -426,6 +449,11 @@ class MalwareScanner
         $this->flagDisableStats = $b;
     }
 
+    public function setCustomWhitelist($a)
+    {
+        $this->customWhitelist = $a;
+    }
+
     // @see http://stackoverflow.com/a/13914119
     private function pathMatches($path, $pattern, $ignoreCase = false)
     {
@@ -490,6 +518,9 @@ class MalwareScanner
             $state = 'WL';
             $state_color = $this->ANSI_YELLOW;
         } else {
+            if ($this->flagHideErr) {
+                return;
+            }
             $state = 'ER';
             $state_color = $this->ANSI_RED;
         }
@@ -614,7 +645,7 @@ class MalwareScanner
     {
         $this->initializePatterns();
 
-        $this->loadWhitelist();
+        $this->loadWhitelists();
 
         if ($this->flagCombinedWhitelist && !$this->updateCombinedWhitelist()) {
             return false;
@@ -820,6 +851,7 @@ class MalwareScanner
         echo '    -x                   --extra-check        Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
         echo '    -l                   --follow-symlink     Follow symlinked directories' . PHP_EOL;
         echo '    -k                   --hide-ok            Hide results with \'OK\' status' . PHP_EOL;
+        echo '    -r                   --hide-err           Hide results with \'ER\' status' . PHP_EOL;
         echo '    -w                   --hide-whitelist     Hide results with \'WL\' status' . PHP_EOL;
         echo '    -n                   --no-color           Disable color mode' . PHP_EOL;
         echo '    -s                   --no-stop            Continue scanning file after first hit' . PHP_EOL;