Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Id and signature in scan log #99

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Id and signature in scan log #99

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9ac26e5
id and signature in scan log
Oct 21, 2015
eed641f
bugfix
Oct 21, 2015
a8f7edb
excess property isDetected removed
Oct 21, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
122 changes: 67 additions & 55 deletions src/scanner/classes/MalwareDetector.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
require_once('FileInfo.inc.php');
require_once('Writer.inc.php');
require_once('Quarantiner.inc.php');
require_once('SignatureDetect.inc.php');
ob_end_clean();

class MalwareDetector
Expand Down Expand Up @@ -40,7 +41,6 @@ function __construct()

$this->signatures = new DOMDocument();
$this->signatures->load($this->SIGNATURE_FILENAME);

}

function setRequestDelay($delay)
Expand Down Expand Up @@ -116,7 +116,21 @@ function checkForValidPhp($content)
return $valid;
}

function detectMalware($filePath, &$foundFragment, &$pos, $startTime, $timeout, $ext)
function checkRegexpSignature($content, $signature)
{
$position = FALSE;
if (preg_match('#(' . $signature . ')#smi', $content, $found, PREG_OFFSET_CAPTURE)) {
$position = $found[0][1];
}
return $position;
}

function checkSubstringSignature($content, $signature)
{
return strpos($content, $signature);
}

function detectMalware($filePath, $startTime, $timeout, $ext)
{

if (filesize($filePath) > $this->MAX_FILESIZE) {
Expand Down Expand Up @@ -167,52 +181,49 @@ function detectMalware($filePath, &$foundFragment, &$pos, $startTime, $timeout,
}

$normalized = $this->normalizeContent($content);
$signatures = $this->signatures->getElementsByTagName('signature');

$db = $this->signatures->getElementsByTagName('signature');
$detected = false;
foreach ($db as $sig) {
if ($detected) break;
$signatureDetect = new SignatureDetect();

foreach ($signatures as $signature) {

$currentTime = time();
if ($currentTime - $startTime > $timeout) {
return 'timeout';
}

$pos = -1;
$sigContent = $sig->nodeValue;
$attr = $sig->attributes;
$attrId = $attr->getNamedItem('id')->nodeValue;
$attrFormat = $attr->getNamedItem('format')->nodeValue;
$attrChildId = $attr->getNamedItem('child_id')->nodeValue;
$attrSeverity = $attr->getNamedItem('sever')->nodeValue;

switch ($attrFormat) {

case 're':
if ((preg_match('#(' . $sigContent . ')#smi', $content, $found, PREG_OFFSET_CAPTURE)) ||
(preg_match('#(' . $sigContent . ')#smi', $normalized, $found, PREG_OFFSET_CAPTURE))
) {
$detected = true;
$pos = $found[0][1];
continue;
}

$signatureDetect->signature = $signature->nodeValue;
$attributes = $signature->attributes;
$signatureDetect->id = $attributes->getNamedItem('id')->nodeValue;
$attrFormat = $attributes->getNamedItem('format')->nodeValue;
$attrChildId = $attributes->getNamedItem('child_id')->nodeValue;
$signatureDetect->filePath = $filePath;

if ($attrFormat == 're') {
$position = $this->checkRegexpSignature($content, $signatureDetect->signature);
if ($position === FALSE) {
$position = $this->checkRegexpSignature($normalized, $signatureDetect->signature);
}
if ($position !== FALSE) {
$signatureDetect->severity = $attributes->getNamedItem('sever')->nodeValue;
$signatureDetect->position = $position;
break;
case 'const':
if ((($pos = strpos($content, $sigContent)) !== FALSE) ||
(($pos = strpos($normalized, $sigContent)) !== FALSE)
) {
$detected = true;
continue;
}

}
} else if ($attrFormat == 'const') {
$position = $this->checkSubstringSignature($content, $signatureDetect->signature);
if ($position === FALSE) {
$position = $this->checkSubstringSignature($normalized, $signatureDetect->signature);
}
if ($position !== FALSE) {
$signatureDetect->severity = $attributes->getNamedItem('sever')->nodeValue;
$signatureDetect->position = $position;
break;
}
}
}
}

if ($detected) {
$foundFragment = $this->getFragment($content, $pos);
return $attrSeverity;
if ($signatureDetect->severity) {
$signatureDetect->detectedContent = $this->getFragment($content, $signatureDetect->position);
return $signatureDetect;
}
}

Expand Down Expand Up @@ -248,16 +259,13 @@ function repackXMLLog()
$lines = file($this->MALWARE_LOG_FILENAME);

foreach ($lines as $lineNum => $line) {
#Example /home/www/badcode.tk/web_root/robots.txt.dist;detected=;pos=-1;snippet=
$data = explode(';', $line);
$filePath = $data[0];
$detected = substr($data[1], strlen('detected='));
if ($detected) {
$pos = substr($data[2], strlen('pos='));
$snippet = trim(substr($data[3], strlen('snippet=')));
$signatureDetect = new SignatureDetect();
$signatureDetect->fromString($line);

if ($signatureDetect->severity) {

#Getting current element in DOM
$relativePath = str_replace($_SERVER['DOCUMENT_ROOT'], '.', $filePath);
$relativePath = str_replace($_SERVER['DOCUMENT_ROOT'], '.', $signatureDetect->filePath);
$filePathNode = $xpath->query('/website_info/files/file/path[text()="' . $relativePath . '"]')->item(0);
$fileinfoNode = $filePathNode->parentNode;

Expand All @@ -267,9 +275,11 @@ function repackXMLLog()

#Adding detection info to DOM
if ($fileinfoNode) {
$fileinfoNode->setAttribute('detected', $detected);
$fileinfoNode->setAttribute('snippet', $snippet);
$fileinfoNode->setAttribute('pos', $pos);
$fileinfoNode->setAttribute('detected', $signatureDetect->severity);
$fileinfoNode->setAttribute('snippet', base64_encode($signatureDetect->detectedContent));
$fileinfoNode->setAttribute('pos', $signatureDetect->position);
$fileinfoNode->setAttribute('signatureId', $signatureDetect->id);
$fileinfoNode->setAttribute('signature', base64_encode($signatureDetect->signature));
}
}
}
Expand Down Expand Up @@ -301,6 +311,7 @@ function finishMalwareScan()
{
global $php_errormsg;


$xml = $this->repackXMLLog();

if (file_exists($this->MALWARE_LOG_FILENAME)) {
Expand Down Expand Up @@ -354,7 +365,6 @@ function malwareScanRound()
$queueLines = explode("\n", $queueText);

$numFilesScanned = 0;

if (count($queueLines) < 1) {
fclose($fh);
return $this->finishMalwareScan();
Expand All @@ -378,8 +388,10 @@ function malwareScanRound()
$snippet = '';
$fileExtension = pathinfo(basename($filePath), PATHINFO_EXTENSION);

$res = $this->detectMalware($filePath, $snippet, $pos, $this->SCRIPT_START, $this->MAX_EXECUTION_DURATION, $fileExtension);
switch ($res) {
$signatureDetect = $this->detectMalware($filePath, $this->SCRIPT_START, $this->MAX_EXECUTION_DURATION, $fileExtension);
switch ($signatureDetect) {
case NULL:
break;
case 'no_need_to_check':
break;
case 'no_read':
Expand All @@ -392,10 +404,10 @@ function malwareScanRound()
break;
default:
$numFilesScanned++;
$content = $filePath . ';detected=' . $res . ';pos=' . $pos . ';snippet=' . base64_encode($snippet) . PHP_EOL;
file_put_contents2($this->MALWARE_LOG_FILENAME, $content, 'a');
$detectionInfo = $signatureDetect->toString();
file_put_contents2($this->MALWARE_LOG_FILENAME, $detectionInfo . PHP_EOL, 'a');

if ($res) {
if ($signatureDetect) {
$this->queueQuarantine($filePath);
}
}
Expand Down
48 changes: 48 additions & 0 deletions src/scanner/classes/SignatureDetect.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
<?php

ob_start();
require_once('Tskv.inc.php');
ob_end_clean();

//class which represents a detection of a file to maintain malware detection queue
class SignatureDetect
{
function __construct($filePath, $id, $severity, $signature, $position, $detectedContent)
{

$this->filePath = $filePath;
$this->id = $id;
$this->severity = $severity;
$this->signature = $signature;
$this->position = $position;
$this->detectedContent = $detectedContent;
}

function toString()
{
$elements = array('filePath' => $this->filePath,
'severity' => $this->severity,
);
if ($this->severity) {
$elements['id'] = $this->id;
$elements['signature'] = $this->signature;
$elements['position'] = $this->position;
$elements['detectedContent'] = $this->detectedContent;
}
return toTskv($elements);
}

function fromString($tskvString)
{
$keyValuePairs = fromTskv($tskvString);
$this->filePath = $keyValuePairs['filePath'];
$this->severity = $keyValuePairs['severity'];
if ($this->severity) {
$this->id = $keyValuePairs['id'];
$this->signature = $keyValuePairs['signature'];
$this->position = $keyValuePairs['position'];
$this->detectedContent = $keyValuePairs['detectedContent'];
}
}

}
22 changes: 22 additions & 0 deletions src/scanner/classes/Tskv.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
<?php

//dump associative array to tab separated key-value string
function toTskv($dict)
{
$keyValuePairs = array();
foreach($dict as $key => $value) {
array_push($keyValuePairs, "$key=$value");
}
return join("\t", $keyValuePairs);
}

//parse tab separated key-value string to assisiative array
function fromTskv($tskvString)
{
$dict = array();
foreach(explode("\t", $tskvString) as $keyValuePair) {
$keyValue = explode("=", $keyValuePair, 2);
$dict[$keyValue[0]] = $keyValue[1];
}
return $dict;
}