PHP scanner crashes

[killmasta93]

Hi
Currently trying to run it locally and on docker it starts scanning then crashes

[esurov]

@killmasta93 thank you for your report! could you please provide more details? does it crash due to the max memory limit?

[killmasta93]

hi @esurov thanks for the reply, nope i just run it but after a while it crashes when you say memory limit do you mean of the VM?

[esurov]

Hi @killmasta93 Does it produce any output upon the crash? With the memory limit I mean the PHP setting in your php.ini. You might want to change it to something like this:

memory_limit = 2G

[killmasta93]

HI @esurov Thank you for the reply im attaching picture, it starts running then after checksum it start

i was checking logs didnt find anything with issue on memory limit as for the php.ini do you mean on the host or the docker container?
Thank you

im attaching the logs that shows

2023-10-02 21:55:31] [INFO] Scan date: 2023-10-02 21:55:31
[2023-10-02 21:55:31] [INFO] Scanning /root/PHP-Antimalware-Scanner/dist
[2023-10-02 21:55:31] [INFO] Mapping and retrieving checksums, please wait
[2023-10-02 21:55:31] [INFO] Verifying files checksum
[2023-10-02 21:55:31] [INFO] Found 0 files to check
[2023-10-02 21:55:31] [INFO] Checking files
[2023-10-02 21:55:31] [SUCCESS] Scan finished!
[2023-10-02 21:55:31] [INFO] Files scanned: 0
[2023-10-02 21:55:31] [INFO] Files edited: 0
[2023-10-02 21:55:31] [INFO] Files quarantined: 0
[2023-10-02 21:55:31] [INFO] Files whitelisted: 0
[2023-10-02 21:55:31] [INFO] Files ignored: 0
[2023-10-02 21:55:31] [INFO] Malware detected: 0
[2023-10-02 21:55:31] [INFO] Malware removed: 0
[2023-10-02 21:55:55] [INFO] Scan date: 2023-10-02 21:55:55
[2023-10-02 21:55:55] [INFO] Scanning /scsi1/xxxxx
[2023-10-02 21:55:55] [INFO] Mapping and retrieving checksums, please wait
[2023-10-02 21:55:58] [SUCCESS] Found WordPress 6.2.2 (en_US) at "/scsi1/xxx"
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Akeeba Backup CORE for WordPress 7.8.0.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Pro 3.11.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Pro 3.7.7
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor 3.11.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin ElementsKit Lite 2.8.5
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Envato Elements 2.0.11
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Essential Addons for Elementor 5.6.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Essential Blocks 4.0.2
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Site Kit by Google 1.95.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Header & Footer Builder 1.6.13
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin MetForm 3.2.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Really Simple SSL 6.2.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Simple Chat Button 1.5.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Themesflat Addons For Elementor 1.9.6
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin WP Sticky Button - Click to Chat 1.4.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Yoast SEO 20.2.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin WP Mail SMTP 3.7.0
[2023-10-02 21:55:58] [INFO] Retrieving checksums of Wordpress 6.2.2
[2023-10-02 21:55:59] [INFO] Verifying files checksum
[2023-10-02 21:56:11] [INFO] Found 1883 files to check
[2023-10-02 21:56:11] [INFO] Checking files
[2023-10-02 21:56:12] [DANGER] PROBABLE MALWARE FOUND!
[2023-10-02 21:56:12] [WARNING] Checksum: 7c30e6993591b043f8f685b35f699868
[2023-10-02 21:56:12] [WARNING] File path: /scsi1/xxxx/wp-content/plugins/elementor-pro/wp-cron.php
[2023-10-02 21:56:12] [DANGER] Evil code found: [!] Exploit (hex_char) [line 46] - Hex char is usually used for the obfuscation of malicious code => \x5f
[2023-10-02 21:56:25] [SUCCESS] File '/scsi1/lxxxxwp-content/plugins/elementor-pro/wp-cron.php' skipped!
[2023-10-02 21:56:25] [DANGER] PROBABLE MALWARE FOUND!
[2023-10-02 21:56:25] [WARNING] Checksum: e808c392175886a9b2ca099e11cdd3de
[2023-10-02 21:56:25] [WARNING] File path: /scsi1/lxxxxxxx/wp-content/plugins/elementor-pro/core/integrations/actions/email/email.php
[2023-10-02 21:56:25] [DANGER] Evil code found: [!] Exploit (double_var2) [line 95] - Double var technique is usually used for the obfuscation of malicious code => ${$field}
[2023-10-02 21:56:28] [SUCCESS] File '/scsi1/xxxxxxwp-content/plugins/elementor-pro/core/integrations/actions/email/email.php' skipped!

[esurov]

Hi @killmasta93 !
Thanks for providing these details. If you're running the scanner in docker then it could be that memory limit is hit on default PHP settings. Maybe it could be a good idea to make a PR to increase the memory limit.

[Borcejn]

Hi all,

I'm re-pasting my message here again. :)
(from: #72)

The problem is in the file: vendor/marcocesarato/amwscan/src/Deobfuscator.php
The following "calc" function is defined in mentioned file:

private function calc($expr)
    {
        if (is_array($expr)) {
            $expr = $expr[0];
        }
        preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
        if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
            return $exprArr[1](explode(',', $exprArr[2]));
        }

        preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
        if (!empty($exprArr[1]) && !empty($exprArr[2])) {
            if (in_array('*', $exprArr[2], true)) {
                $pos = array_search('*', $exprArr[2], true);
                $res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
                $expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('/', $exprArr[2], true)) {
                $pos = array_search('/', $exprArr[2], true);
                $res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('-', $exprArr[2], true)) {
                $pos = array_search('-', $exprArr[2], true);
                $res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('+', $exprArr[2], true)) {
                $pos = array_search('+', $exprArr[2], true);
                $res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } else {
                return $expr;
            }
        }

        return $expr;

As you can see, this is a recursive function that - for some reason - has an erroneous stop condition for the file you indicated and goes into very, very deep levels of recursion (in my case, about ~281000 - until the memory on the stack is exhausted).

I haven't had time to disarm this function and analyze the stop condition, but it seems that a simple and sufficient workaround is to add an additional guard in the form:

if($level>100000) return "";

This will interrupt further nesting if it goes too far :)

So, all the correct function code will therefore look as follows:

    private function calc($expr, $level = 0)
    {
		if($level>100000) return "";
		
        if (is_array($expr)) {
            $expr = $expr[0];
        }
        preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
        if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
            return $exprArr[1](explode(',', $exprArr[2]));
        }

        preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
        if (!empty($exprArr[1]) && !empty($exprArr[2])) {
            if (in_array('*', $exprArr[2], true)) {
                $pos = array_search('*', $exprArr[2], true);
                $res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
                $expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level+1);
            } elseif (in_array('/', $exprArr[2], true)) {
                $pos = array_search('/', $exprArr[2], true);
                $res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level+1);
            } elseif (in_array('-', $exprArr[2], true)) {
                $pos = array_search('-', $exprArr[2], true);
                $res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr,$level+1);
            } elseif (in_array('+', $exprArr[2], true)) {
                $pos = array_search('+', $exprArr[2], true);
                $res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr,$level+1);
            } else {
                return $expr;
            }
        }

        return $expr;
    }

This is completely sufficient (at least for my needs).

I sincerely greet you and warm hugs for the file that helped me to solve this problem,
~WB

[killmasta93]

@Borcejn thank you so much