Giter VIP home page Giter VIP logo

Comments (11)

Borcejn avatar Borcejn commented on August 14, 2024 1

@58legend oh no, you cannot edit .phar directly. It's like trying to edit a zip/tar archive in notepad :) Instead you need to download all files of this project and then edit mentioned script. After fix run awmscan/src/index.php (you can set "scanner" as an alias for this localization in your environment).

from php-antimalware-scanner.

58legend avatar 58legend commented on August 14, 2024 1

I understand what you mean. Downloaded and edited Dist, after this build new phar file.
It works!!! @Borcejn Thank you)
Now I have fixed scanner here:
wget https://raw.githubusercontent.com/58legend/scanner/main/scanner --no-check-certificate
and here my favorite command to scan:
php scanner ./ -r --path-report ./virusscan_$(date +%d-%b-%y).htm

from php-antimalware-scanner.

kdescoubes avatar kdescoubes commented on August 14, 2024

Same here on another wordpress website :

image

File responsible for the crash is here :

themes.php.txt

I move it to the quarantine, and now the scan is OK.

Again, triggering the scan on the quarantine does not crash the scanner ...

from php-antimalware-scanner.

Borcejn avatar Borcejn commented on August 14, 2024

Hi kdescoubes,

The problem is in the file: vendor/marcocesarato/amwscan/src/Deobfuscator.php
The following "calc" function is defined in mentioned file:

private function calc($expr)
    {
        if (is_array($expr)) {
            $expr = $expr[0];
        }
        preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
        if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
            return $exprArr[1](explode(',', $exprArr[2]));
        }

        preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
        if (!empty($exprArr[1]) && !empty($exprArr[2])) {
            if (in_array('*', $exprArr[2], true)) {
                $pos = array_search('*', $exprArr[2], true);
                $res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
                $expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('/', $exprArr[2], true)) {
                $pos = array_search('/', $exprArr[2], true);
                $res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('-', $exprArr[2], true)) {
                $pos = array_search('-', $exprArr[2], true);
                $res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('+', $exprArr[2], true)) {
                $pos = array_search('+', $exprArr[2], true);
                $res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } else {
                return $expr;
            }
        }

        return $expr;

As you can see, this is a recursive function that - for some reason - has an erroneous stop condition for the file you indicated and goes into very, very deep levels of recursion (in my case, about ~281000 - until the memory on the stack is exhausted).

I haven't had time to disarm this function and analyze the stop condition, but it seems that a simple and sufficient workaround is to add an additional guard in the form:

if($level>100000) return "";

This will interrupt further nesting if it goes too far :)

So, all the correct function code will therefore look as follows:

    private function calc($expr, $level = 0)
    {
		if($level>100000) return "";
		
        if (is_array($expr)) {
            $expr = $expr[0];
        }
        preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
        if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
            return $exprArr[1](explode(',', $exprArr[2]));
        }

        preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
        if (!empty($exprArr[1]) && !empty($exprArr[2])) {
            if (in_array('*', $exprArr[2], true)) {
                $pos = array_search('*', $exprArr[2], true);
                $res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
                $expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level+1);
            } elseif (in_array('/', $exprArr[2], true)) {
                $pos = array_search('/', $exprArr[2], true);
                $res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level+1);
            } elseif (in_array('-', $exprArr[2], true)) {
                $pos = array_search('-', $exprArr[2], true);
                $res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr,$level+1);
            } elseif (in_array('+', $exprArr[2], true)) {
                $pos = array_search('+', $exprArr[2], true);
                $res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr,$level+1);
            } else {
                return $expr;
            }
        }

        return $expr;
    }

This is completely sufficient (at least for my needs).

I sincerely greet you and warm hugs for the file that helped me to solve this problem,
~WB

from php-antimalware-scanner.

AldoTapiaInnova avatar AldoTapiaInnova commented on August 14, 2024

Hi, @Borcejn
What should I do after changing this piece of code to execute the scanner?

from php-antimalware-scanner.

Borcejn avatar Borcejn commented on August 14, 2024

@AldoTapiaInnova Just run index.php from src

from php-antimalware-scanner.

stovesy avatar stovesy commented on August 14, 2024

I too have the same experience. Malware is present, yet the scanner fails. I had to use strace -e trace=file to discover the offending php scan file.
It would be great if the scanner failed with a report, and maybe the file it was last scanning.
Thank you.

from php-antimalware-scanner.

58legend avatar 58legend commented on August 14, 2024

I have the same problem. The scanner "takes off" when it encounters a file.
Change in code "if($level>100000) return "";" did not help
After that, the scanner stopped starting at all.
I changed the file name from PHP to TXT

osjtcnhr.txt

from php-antimalware-scanner.

Borcejn avatar Borcejn commented on August 14, 2024

@58legend my fix definitely helps (I checked it just now). If the scanner crashed, you did something wrong.
Note you need to replace the entire piece of code, not just add one line...

from php-antimalware-scanner.

58legend avatar 58legend commented on August 14, 2024

@Borcejn Thank you for your reply. This is very important to me. I appreciate your help.
What I do and what my actions are:

  1. I download the scanner:
    wget https://raw.githubusercontent.com/marcocesarato/PHP-Antimalware-Scanner/master/dist/scanner --no-check-certificate
    (if I scan, the scanner "freezes" on the virus file)
  2. I change lines number 7110-7149 to the code of your function private function calc
  3. After that I started scan and I get an error:
root@ip-172-31-37-200:/home/ubuntu# php7.4 scanner ./virus -r --path-report ./virusscan_$(date +%d-%b-%y).html
PHP Fatal error:  Uncaught PharException: phar "/home/ubuntu/scanner" has a broken signature in /home/ubuntu/scanner:8
Stack trace:
#0 /home/ubuntu/scanner(8): Phar::webPhar()
#1 {main}
  thrown in /home/ubuntu/scanner on line 8

What am i doing wrong?

from php-antimalware-scanner.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.