Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Id and signature in scan log #99

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Id and signature in scan log #99

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9ac26e5
id and signature in scan log
Oct 21, 2015
eed641f
bugfix
Oct 21, 2015
a8f7edb
excess property isDetected removed
Oct 21, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
129 changes: 71 additions & 58 deletions src/scanner/classes/MalwareDetector.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,15 @@
require_once('FileInfo.inc.php');
require_once('Writer.inc.php');
require_once('Quarantiner.inc.php');
require_once('SignatureDetect.inc.php');
ob_end_clean();

class MalwareDetector
{
function __construct()
{
global $projectRootDir, $projectTmpDir;

if (!function_exists('escapedHexToHex') || !function_exists('escapedOctDec')) {
die('escapedHexToHex or escapedOctDec is missing');
}
Expand Down Expand Up @@ -40,7 +41,6 @@ function __construct()

$this->signatures = new DOMDocument();
$this->signatures->load($this->SIGNATURE_FILENAME);

}

function setRequestDelay($delay)
Expand Down Expand Up @@ -116,7 +116,21 @@ function checkForValidPhp($content)
return $valid;
}

function detectMalware($filePath, &$foundFragment, &$pos, $startTime, $timeout, $ext)
function checkRegexpSignature($content, $signature)
{
$position = FALSE;
if (preg_match('#(' . $signature . ')#smi', $content, $found, PREG_OFFSET_CAPTURE)) {
$position = $found[0][1];
}
return $position;
}

function checkSubstringSignature($content, $signature)
{
return strpos($content, $signature);
}

function detectMalware($filePath, $startTime, $timeout, $ext)
{

if (filesize($filePath) > $this->MAX_FILESIZE) {
Expand Down Expand Up @@ -167,52 +181,50 @@ function detectMalware($filePath, &$foundFragment, &$pos, $startTime, $timeout,
}

$normalized = $this->normalizeContent($content);
$signatures = $this->signatures->getElementsByTagName('signature');

$db = $this->signatures->getElementsByTagName('signature');
$detected = false;
foreach ($db as $sig) {
if ($detected) break;
$signatureDetect = new SignatureDetect();

foreach ($signatures as $signature) {

$currentTime = time();
if ($currentTime - $startTime > $timeout) {
return 'timeout';
}

$pos = -1;
$sigContent = $sig->nodeValue;
$attr = $sig->attributes;
$attrId = $attr->getNamedItem('id')->nodeValue;
$attrFormat = $attr->getNamedItem('format')->nodeValue;
$attrChildId = $attr->getNamedItem('child_id')->nodeValue;
$attrSeverity = $attr->getNamedItem('sever')->nodeValue;

switch ($attrFormat) {

case 're':
if ((preg_match('#(' . $sigContent . ')#smi', $content, $found, PREG_OFFSET_CAPTURE)) ||
(preg_match('#(' . $sigContent . ')#smi', $normalized, $found, PREG_OFFSET_CAPTURE))
) {
$detected = true;
$pos = $found[0][1];
continue;
}

$signatureDetect->signature = $signature->nodeValue;
$attributes = $signature->attributes;
$signatureDetect->id = $attributes->getNamedItem('id')->nodeValue;
$attrFormat = $attributes->getNamedItem('format')->nodeValue;
$attrChildId = $attributes->getNamedItem('child_id')->nodeValue;
$signatureDetect->severity = $attributes->getNamedItem('sever')->nodeValue;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Я в предыдущем коммите делал конвертацию в массив. При поиске по массиву будет работать быстрее, требует меньше памяти, решение получается более гибкое (можно, например, кэшировать его сериализацией на момент сканирования). Может стоит сюда это перенести?

Еще был фикс ошибки с конструктором Auth - я переименовывал метод auth(), чтобы не было Constructor is already defined на некоторых версиях PHP.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Фикс перенесем обязательно. Про массив - надо померить, кажется. Если действительно с классом будет значительное увеличение накладных ресурсов, то да, надо сделать массив.
Дай день-другой на сравнение.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Есть подозрение, что если и есть увеличение, то незначительное, а часть с формированием очереди так удобно вынести, как мне кажется.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

http://stackoverflow.com/questions/2193049/php-objects-vs-arrays
arrays: 1.8451430797577

memory: 460416

Array
(
[aaa] => aaa
[bbb] => bbb
[ccc] => aaabbb
)

arrays: 1.8294548988342

memory: 275696

SomeClass Object
(
[aaa] => aaa
[bbb] => bbb
[ccc] => aaabbb
)

$signatureDetect->filePath = $filePath;

if ($attrFormat == 're') {
$position = $this->checkRegexpSignature($content, $signatureDetect->signature);
if ($position === FALSE) {
$position = $this->checkRegexpSignature($normalized, $signatureDetect->signature);
}
if ($position !== FALSE) {
$signatureDetect->isDetected = '1';
$signatureDetect->position = $position;
break;
case 'const':
if ((($pos = strpos($content, $sigContent)) !== FALSE) ||
(($pos = strpos($normalized, $sigContent)) !== FALSE)
) {
$detected = true;
continue;
}

}
} else if ($attrFormat == 'const') {
$position = $this->checkSubstringSignature($content, $signatureDetect->signature);
if ($position === FALSE) {
$position = $this->checkSubstringSignature($normalized, $signatureDetect->signature);
}
if ($position !== FALSE) {
$signatureDetect->isDetected = '1';
$signatureDetect->position = $position;
break;
}
}
}
}

if ($detected) {
$foundFragment = $this->getFragment($content, $pos);
return $attrSeverity;
if ($signatureDetect->isDetected == '1') {
$signatureDetect->detectedContent = base64_encode($this->getFragment($content, $signatureDetect->position));
return $signatureDetect;
}
}

Expand Down Expand Up @@ -248,16 +260,13 @@ function repackXMLLog()
$lines = file($this->MALWARE_LOG_FILENAME);

foreach ($lines as $lineNum => $line) {
#Example /home/www/badcode.tk/web_root/robots.txt.dist;detected=;pos=-1;snippet=
$data = explode(';', $line);
$filePath = $data[0];
$detected = substr($data[1], strlen('detected='));
if ($detected) {
$pos = substr($data[2], strlen('pos='));
$snippet = trim(substr($data[3], strlen('snippet=')));
$signatureDetect = new SignatureDetect();
$signatureDetect->fromString($line);

if ($signatureDetect->isDetected == 1) {

#Getting current element in DOM
$relativePath = str_replace($_SERVER['DOCUMENT_ROOT'], '.', $filePath);
$relativePath = str_replace($_SERVER['DOCUMENT_ROOT'], '.', $signatureDetect->filePath);
$filePathNode = $xpath->query('/website_info/files/file/path[text()="' . $relativePath . '"]')->item(0);
$fileinfoNode = $filePathNode->parentNode;

Expand All @@ -267,9 +276,11 @@ function repackXMLLog()

#Adding detection info to DOM
if ($fileinfoNode) {
$fileinfoNode->setAttribute('detected', $detected);
$fileinfoNode->setAttribute('snippet', $snippet);
$fileinfoNode->setAttribute('pos', $pos);
$fileinfoNode->setAttribute('detected', $signatureDetect->severity);
$fileinfoNode->setAttribute('snippet', $signatureDetect->detectedContent);
$fileinfoNode->setAttribute('pos', $signatureDetect->position);
$fileinfoNode->setAttribute('signatureId', $signatureDetect->id);
$fileinfoNode->setAttribute('signature', $signatureDetect->signature);
}
}
}
Expand Down Expand Up @@ -301,6 +312,7 @@ function finishMalwareScan()
{
global $php_errormsg;


$xml = $this->repackXMLLog();

if (file_exists($this->MALWARE_LOG_FILENAME)) {
Expand Down Expand Up @@ -354,10 +366,9 @@ function malwareScanRound()
$queueLines = explode("\n", $queueText);

$numFilesScanned = 0;

if (count($queueLines) < 1) {
fclose($fh);
return $this->finishMalwareScan();
return $this->finishMalwareScan();
}

foreach ($queueLines as $line) {
Expand All @@ -378,8 +389,10 @@ function malwareScanRound()
$snippet = '';
$fileExtension = pathinfo(basename($filePath), PATHINFO_EXTENSION);

$res = $this->detectMalware($filePath, $snippet, $pos, $this->SCRIPT_START, $this->MAX_EXECUTION_DURATION, $fileExtension);
switch ($res) {
$signatureDetect = $this->detectMalware($filePath, $this->SCRIPT_START, $this->MAX_EXECUTION_DURATION, $fileExtension);
switch ($signatureDetect) {
case NULL:
break;
case 'no_need_to_check':
break;
case 'no_read':
Expand All @@ -391,11 +404,11 @@ function malwareScanRound()
$this->throwTimeout($filePath);
break;
default:
$numFilesScanned++;
$content = $filePath . ';detected=' . $res . ';pos=' . $pos . ';snippet=' . base64_encode($snippet) . PHP_EOL;
file_put_contents2($this->MALWARE_LOG_FILENAME, $content, 'a');
$numFilesScanned++;
$detectionInfo = $signatureDetect->toString();
file_put_contents2($this->MALWARE_LOG_FILENAME, $detectionInfo . PHP_EOL, 'a');

if ($res) {
if ($signatureDetect) {
$this->queueQuarantine($filePath);
}
}
Expand Down
51 changes: 51 additions & 0 deletions src/scanner/classes/SignatureDetect.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
<?php

ob_start();
require_once('Tskv.inc.php');
ob_end_clean();


class SignatureDetect
{
function __construct($filePath, $isDetected, $id, $severity, $signature, $position, $detectedContent)
{

$this->filePath = $filePath;
$this->isDetected = $isDetected;
$this->id = $id;
$this->severity = $severity;
$this->signature = $signature;
$this->position = $position;
$this->detectedContent = $detectedContent;
}

function toString()
{
$elements = array('filePath' => $this->filePath,
'isDetected' => $this->isDetected,
);
if ($this->isDetected == 1) {
$elements['id'] = $this->id;
$elements['severity'] = $this->severity;
$elements['signature'] = base64_encode($this->signature);
$elements['position'] = $this->position;
$elements['detectedContent'] = $this->detectedContent;
}
return toTskv($elements);
}

function fromString($tskvString)
{
$keyValuePairs = fromTskv($tskvString);
$this->filePath = $keyValuePairs['filePath'];
$this->isDetected = $keyValuePairs['isDetected'];
if ($this->isDetected == 1) {
$this->id = $keyValuePairs['id'];
$this->severity = $keyValuePairs['severity'];
$this->signature = base64_decode($keyValuePairs['signature']);
$this->position = $keyValuePairs['position'];
$this->detectedContent = $keyValuePairs['detectedContent'];
}
}

}
22 changes: 22 additions & 0 deletions src/scanner/classes/Tskv.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
<?php

//dump assisiative array to tab separated key-value string
function toTskv($dict)
{
$keyValuePairs = array();
foreach($dict as $key => $value) {
array_push($keyValuePairs, "$key=$value");
}
return join("\t", $keyValuePairs);
}

//parse tab separated key-value string to assisiative array
function fromTskv($tskvString)
{
$dict = array();
foreach(explode("\t", $tskvString) as $keyValuePair) {
$keyValue = explode("=", $keyValuePair, 2);
$dict[$keyValue[0]] = $keyValue[1];
}
return $dict;
}