PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells.
The following encoders/obfuscators/webshells are also detected:
Of course it's trivial to bypass PMF, but its goal is to catch kiddies and idiots, not people with a working brain. If you report a stupid tailored bypass for PMF, you likely belong to one (or both) of those categories, and should re-read the previous statement.
How does it work?
Instead of using a hash-based approach, PMF tries as much as possible to use semantic patterns, to detect things like “a $_GET variable is decoded two times, unzipped, and then passed to some dangerous function like
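PMF's real rules are written in Yara and live in the repository; the following Python is an added illustration, not the project's code, that re-implements one such semantic check with the standard library only. It mirrors the shape of a Yara rule: named byte-regex patterns (like a `strings:` section), a count-based condition in the style of `$input and #decode >= 2 and $danger`, and a stricter nesting check that only fires when the decoders actually sit inside the argument of the dangerous call. The sample files, the pattern lists and the names `scan`, `count_condition` and `chain_condition` are this example's own choices and assumptions; the point is that cosmetic edits which defeat a hash still match, while a file that merely contains the same functions in unrelated places does not.

```python
import re

# Named patterns in the style of a Yara rule's "strings:" section (assumed
# lists for this example, not PMF's). Byte regexes so raw file bodies scan.
STRINGS = {
    "input":  re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    "decode": re.compile(rb"\b(?:base64_decode|str_rot13|gzinflate|gzuncompress|gzdecode)\s*\(", re.I),
    "danger": re.compile(rb"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
}


def count_condition(counts):
    """Yara-style count condition: $input and #decode >= 2 and $danger."""
    return counts["input"] >= 1 and counts["decode"] >= 2 and counts["danger"] >= 1


def call_argument(src, open_paren):
    """Text between the '(' at open_paren and its matching ')'.
    Strings and comments are not parsed; good enough for a decode chain."""
    depth = 0
    for i in range(open_paren, len(src)):
        c = src[i:i + 1]
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unbalanced: take the rest of the file


def chain_condition(src):
    """Semantic check: some dangerous call whose argument contains at least
    two decoder calls and a request variable, i.e. danger(decode(decode($_X)))."""
    for m in STRINGS["danger"].finditer(src):
        arg = call_argument(src, m.end() - 1)  # pattern ends on the '('
        if len(STRINGS["decode"].findall(arg)) >= 2 and STRINGS["input"].search(arg):
            return True
    return False


def scan(src):
    """Apply both conditions to one file body and return counts and verdicts."""
    counts = {name: len(pat.findall(src)) for name, pat in STRINGS.items()}
    return {
        "counts": counts,
        "count_match": count_condition(counts),
        "chain_match": chain_condition(src),
    }


# Constructed samples for this example (not from any real corpus):
# a decode-twice-inflate-eval webshell, the same shell after whitespace and
# case changes that would defeat a hash signature, a benign single decode,
# and a file that contains all three pattern kinds but not chained together.
SAMPLES = {
    "webshell.php": b"<?php eval(gzinflate(base64_decode(base64_decode($_GET['c'])))); ?>",
    "webshell_variant.php": b'<?php\n\teVal( GZINFLATE(\n base64_decode( base64_decode( $_REQUEST["c"] ) ) ) );\n',
    "benign.php": b"<?php $logo = base64_decode('iVBORw0KGgo='); header('Content-Type: image/png'); echo $logo;",
    "admin.php": b"<?php $id = base64_decode($_GET['id']); $name = base64_decode($_GET['n']); system('uptime');",
}


def scan_samples(samples=SAMPLES):
    return {name: scan(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:22} counts={result['counts']} "
              f"count_match={result['count_match']} chain_match={result['chain_match']}")
```

`admin.php` is the interesting case: the pure count condition flags it because every pattern kind appears somewhere, while the nesting check does not, because `system()` never receives the decoded request data. Real PMF rules trade off between these two styles; counts are cheap and catch sloppy obfuscation, nesting is more precise but easier to sidestep with a temporary variable.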
- Install Yara.
This is also possible via some Linux package managers:
- Debian/Ubuntu:
sudo apt-get install yara
- Red Hat:
yum install yara (requires the EPEL repository)
You can also compile it from source:
git clone git@github.com:VirusTotal/yara.git
- Download php-malware-finder
git clone https://github.com/jvoisin/php-malware-finder.git
How to use it?
$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhtvl] <file|folder> ...
-c Optional path to a rule file
-f Fast mode
-h Show this help message
-t Specify the number of threads to use (8 by default)
-v Verbose mode