Comments (11)
@58legend oh no, you cannot edit .phar directly. It's like trying to edit a zip/tar archive in notepad :) Instead you need to download all files of this project and then edit the mentioned script. After the fix, run awmscan/src/index.php (you can set "scanner" as an alias for this location in your environment).
from php-antimalware-scanner.
I understand what you mean. Downloaded and edited Dist, after this build new phar file.
It works!!! @Borcejn Thank you)
Now I have fixed scanner here:
wget https://raw.githubusercontent.com/58legend/scanner/main/scanner --no-check-certificate
and here my favorite command to scan:
php scanner ./ -r --path-report ./virusscan_$(date +%d-%b-%y).htm
from php-antimalware-scanner.
Same here on another WordPress website:
File responsible for the crash is here:
I move it to the quarantine, and now the scan is OK.
Again, triggering the scan on the quarantine does not crash the scanner ...
from php-antimalware-scanner.
Hi kdescoubes,
The problem is in the file: vendor/marcocesarato/amwscan/src/Deobfuscator.php
The following "calc" function is defined in the mentioned file (the closing brace of the method was lost when pasting; it is restored here):

    private function calc($expr)
    {
        if (is_array($expr)) {
            $expr = $expr[0];
        }
        preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
        if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
            return $exprArr[1](explode(',', $exprArr[2]));
        }
        preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
        if (!empty($exprArr[1]) && !empty($exprArr[2])) {
            if (in_array('*', $exprArr[2], true)) {
                $pos = array_search('*', $exprArr[2], true);
                $res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
                $expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('/', $exprArr[2], true)) {
                $pos = array_search('/', $exprArr[2], true);
                $res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('-', $exprArr[2], true)) {
                $pos = array_search('-', $exprArr[2], true);
                $res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('+', $exprArr[2], true)) {
                $pos = array_search('+', $exprArr[2], true);
                $res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } else {
                return $expr;
            }
        }
        return $expr;
    }
As you can see, this is a recursive function that - for some reason - has an erroneous stop condition for the file you indicated and goes into very, very deep levels of recursion (in my case, about ~281000 - until the memory on the stack is exhausted).
I haven't had time to disarm this function and analyze the stop condition, but it seems that a simple and sufficient workaround is to add an additional guard in the form:
if($level>100000) return "";
This will interrupt further nesting if it goes too far :)
So the whole corrected function will therefore look as follows:

    private function calc($expr, $level = 0)
    {
        if($level>100000) return "";
        if (is_array($expr)) {
            $expr = $expr[0];
        }
        preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
        if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
            return $exprArr[1](explode(',', $exprArr[2]));
        }
        preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
        if (!empty($exprArr[1]) && !empty($exprArr[2])) {
            if (in_array('*', $exprArr[2], true)) {
                $pos = array_search('*', $exprArr[2], true);
                $res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
                $expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level + 1);
            } elseif (in_array('/', $exprArr[2], true)) {
                $pos = array_search('/', $exprArr[2], true);
                $res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level + 1);
            } elseif (in_array('-', $exprArr[2], true)) {
                $pos = array_search('-', $exprArr[2], true);
                $res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level + 1);
            } elseif (in_array('+', $exprArr[2], true)) {
                $pos = array_search('+', $exprArr[2], true);
                $res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level + 1);
            } else {
                return $expr;
            }
        }
        return $expr;
    }
This is completely sufficient (at least for my needs).
I sincerely greet you and warm hugs for the file that helped me to solve this problem,
~WB
from php-antimalware-scanner.
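The depth guard above stops the stack from blowing up, but it does not say why calc() fails to terminate. One case that can be reproduced from the quoted code alone: the token regex collects the numbers 5 and 3 from "5*x+3" with a "*" after the 5, str_replace() then looks for the literal "5*3", which never occurs in the string, so the expression comes back unchanged and calc() calls itself with the same input forever. The following is an added example written for this thread, not code from the php-antimalware-scanner project, showing a variant of the same reducer that iterates instead of recursing, keeps a step cap like the one proposed above, and additionally stops as soon as a step makes no progress. The function name safeCalc and the sample inputs are constructed for the example.

```php
<?php
// Added example (not the project's code): a termination-safe rewrite of the
// calc() reducer quoted in this thread. Three changes against the original:
//  (a) a loop instead of recursion, so a very long expression cannot exhaust the stack;
//  (b) a step cap, playing the same role as the $level guard proposed above;
//  (c) a "no progress" check: when str_replace() changes nothing (the operands found
//      by the regex are not adjacent in the string), we return instead of looping.

function safeCalc(string $expr, int $maxSteps = 100000): string
{
    for ($step = 0; $step < $maxSteps; $step++) {
        // min(...)/max(...) handling, kept equivalent to the original
        preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $m);
        if (!empty($m[1]) && in_array(strtolower($m[1]), ['min', 'max'], true)) {
            $fn = strtolower($m[1]);
            return (string) $fn(array_map('floatval', explode(',', $m[2])));
        }

        // tokens: numbers in $t[1]; the operator following each number in $t[2] ('' if none)
        preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $t);
        if (empty($t[1])) {
            return $expr;
        }

        $next = $expr;
        foreach (['*', '/', '-', '+'] as $op) {       // same operator order as the original
            $pos = array_search($op, $t[2], true);
            if ($pos === false || !isset($t[1][$pos + 1])) {
                continue;                             // operator without a right-hand operand
            }
            $a = (float) $t[1][$pos];
            $b = (float) $t[1][$pos + 1];
            if ($op === '/' && $b == 0.0) {
                return $expr;                         // leave division by zero unevaluated
            }
            switch ($op) {
                case '*': $res = $a * $b; break;
                case '/': $res = $a / $b; break;
                case '-': $res = $a - $b; break;
                default:  $res = $a + $b; break;
            }
            $next = str_replace($t[1][$pos] . $op . $t[1][$pos + 1], (string) $res, $expr);
            break;
        }

        if ($next === $expr) {
            return $expr;   // no progress possible: stop instead of recursing on the same input
        }
        $expr = $next;
    }
    return $expr;           // step cap reached: give up rather than hang the scan
}

// Constructed sample inputs: a normal expression, a long chain of additions,
// and the non-adjacent-operand case that never terminates in the original.
$samples = [
    '2*3+4',
    implode('+', array_fill(0, 1000, '1')),
    '5*x+3',
];
foreach ($samples as $s) {
    $label = strlen($s) > 40 ? substr($s, 0, 40) . '...' : $s;
    echo $label, ' => ', safeCalc($s), PHP_EOL;
}
```

Run it with `php safecalc.php` (any file name). The third sample is the interesting one for this issue: the original calc() would recurse on it without bound, while this version returns the input untouched after a single step, which is the same result the original would produce for any expression it cannot reduce.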
Hi, @Borcejn
What should I do after changing this piece of code to execute the scanner?
from php-antimalware-scanner.
@AldoTapiaInnova Just run index.php from src
from php-antimalware-scanner.
I too have the same experience. Malware is present, yet the scanner fails. I had to use strace -e trace=file to discover the offending php scan file.
It would be great if the scanner failed with a report, and maybe the file it was last scanning.
Thank you.
from php-antimalware-scanner.
I have the same problem. The scanner "takes off" when it encounters a file.
Change in code "if($level>100000) return "";" did not help
After that, the scanner stopped starting at all.
I changed the file name from PHP to TXT
from php-antimalware-scanner.
@58legend my fix definitely helps (I checked it just now). If the scanner crashed, you did something wrong.
Note you need to replace the entire piece of code, not just add one line...
from php-antimalware-scanner.
@Borcejn Thank you for your reply. This is very important to me. I appreciate your help.
What I do and what my actions are:
- I download the scanner:
wget https://raw.githubusercontent.com/marcocesarato/PHP-Antimalware-Scanner/master/dist/scanner --no-check-certificate
(if I scan, the scanner "freezes" on the virus file) - I change lines 7110-7149 to the code of your function private function calc
- After that I started scan and I get an error:
    root@ip-172-31-37-200:/home/ubuntu# php7.4 scanner ./virus -r --path-report ./virusscan_$(date +%d-%b-%y).html
    PHP Fatal error:  Uncaught PharException: phar "/home/ubuntu/scanner" has a broken signature in /home/ubuntu/scanner:8
    Stack trace:
    #0 /home/ubuntu/scanner(8): Phar::webPhar()
    #1 {main}
      thrown in /home/ubuntu/scanner on line 8

What am I doing wrong?
from php-antimalware-scanner.