
Comments (7)

Borcejn commented on September 17, 2024

Hi all,

I'm re-pasting my message here again. :)
(from: #72)

The problem is in the file: vendor/marcocesarato/amwscan/src/Deobfuscator.php
The following "calc" function is defined in the mentioned file:

    private function calc($expr)
    {
        if (is_array($expr)) {
            $expr = $expr[0];
        }
        // min(...) / max(...) expressions are evaluated directly
        preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
        if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
            return $exprArr[1](explode(',', $exprArr[2]));
        }

        // tokenise into numbers ($exprArr[1]) and the operator following each one ($exprArr[2])
        preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
        if (!empty($exprArr[1]) && !empty($exprArr[2])) {
            // evaluate one operation, substitute the result into the text and recurse;
            // nothing checks whether the substitution actually changed $expr
            if (in_array('*', $exprArr[2], true)) {
                $pos = array_search('*', $exprArr[2], true);
                $res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
                $expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('/', $exprArr[2], true)) {
                $pos = array_search('/', $exprArr[2], true);
                $res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('-', $exprArr[2], true)) {
                $pos = array_search('-', $exprArr[2], true);
                $res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('+', $exprArr[2], true)) {
                $pos = array_search('+', $exprArr[2], true);
                $res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } else {
                return $expr;
            }
        }

        return $expr;
    }

As you can see, this is a recursive function that - for some reason - has an erroneous stop condition for the file you indicated and goes into very, very deep levels of recursion (in my case, about ~281000 - until the memory on the stack is exhausted).

I haven't had time to disarm this function and analyze the stop condition, but it seems that a simple and sufficient workaround is to add an additional guard in the form:

if($level>100000) return "";

This will interrupt further nesting if it goes too far :)

So, all the correct function code will therefore look as follows:

    private function calc($expr, $level = 0)
    {
        // guard: give up once the recursion depth gets out of hand
        if ($level > 100000) {
            return "";
        }

        if (is_array($expr)) {
            $expr = $expr[0];
        }
        // min(...) / max(...) expressions are evaluated directly
        preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
        if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
            return $exprArr[1](explode(',', $exprArr[2]));
        }

        // tokenise into numbers ($exprArr[1]) and the operator following each one ($exprArr[2])
        preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
        if (!empty($exprArr[1]) && !empty($exprArr[2])) {
            // evaluate one operation, substitute the result and recurse one level deeper
            if (in_array('*', $exprArr[2], true)) {
                $pos = array_search('*', $exprArr[2], true);
                $res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
                $expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level + 1);
            } elseif (in_array('/', $exprArr[2], true)) {
                $pos = array_search('/', $exprArr[2], true);
                $res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level + 1);
            } elseif (in_array('-', $exprArr[2], true)) {
                $pos = array_search('-', $exprArr[2], true);
                $res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level + 1);
            } elseif (in_array('+', $exprArr[2], true)) {
                $pos = array_search('+', $exprArr[2], true);
                $res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level + 1);
            } else {
                return $expr;
            }
        }

        return $expr;
    }

This is completely sufficient (at least for my needs).

I sincerely greet you and warm hugs for the file that helped me to solve this problem,
~WB

from php-antimalware-scanner.
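As an added example (not the project's code, and not the reporter's), here is a stand-alone PHP port of the same rewrite loop that, besides a depth cap, returns as soon as str_replace() reports zero replacements; the function name calcSafe and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not from php-antimalware-scanner): a stand-alone port of the calc()
// rewrite loop that also stops when a rewrite makes no progress. The original only
// recursed on the result of str_replace(); when the operands are not adjacent in the
// text (e.g. "3*-4" or "3* 4"), the replacement finds nothing, the string never
// shrinks, and the recursion only ends when the stack or memory is exhausted.
function calcSafe(string $expr, int $level = 0, int $maxLevel = 1000): string
{
    if ($level > $maxLevel) {
        return '';                         // hard stop, as in the reported workaround
    }
    if (preg_match('~(min|max)\(([^\)]+)\)~i', $expr, $m)) {
        $args = array_map('floatval', explode(',', $m[2]));
        return (string) (strtolower($m[1]) === 'min' ? min($args) : max($args));
    }
    preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $t);
    // Same operator priority as the original: first '*', then '/', '-', '+'.
    foreach (['*', '/', '-', '+'] as $op) {
        $pos = array_search($op, $t[2], true);
        if ($pos === false || !isset($t[1][$pos + 1])) {
            continue;                      // no such operator, or no right operand
        }
        $a = (float) $t[1][$pos];
        $b = (float) $t[1][$pos + 1];
        if ($op === '/' && $b == 0.0) {
            return '';                     // the original throws DivisionByZeroError on PHP 8
        }
        switch ($op) {
            case '*': $res = $a * $b; break;
            case '/': $res = $a / $b; break;
            case '-': $res = $a - $b; break;
            default:  $res = $a + $b; break;
        }
        $next = str_replace($t[1][$pos] . $op . $t[1][$pos + 1], (string) $res, $expr, $count);
        if ($count === 0) {
            return $expr;                  // no textual progress: stop instead of looping
        }
        return calcSafe($next, $level + 1, $maxLevel);
    }
    return $expr;                          // nothing left to evaluate
}

// Constructed inputs; the first two are the shapes the original never rewrites.
foreach (['3*-4', '3* 4', '2*3+4', 'max(2,9)', '4/0'] as $in) {
    printf("%-9s => %s\n", $in, var_export(calcSafe($in), true));
}
```

The zero-replacement check is what actually removes the unbounded recursion; the depth cap remains as a second line of defence against any other non-shrinking rewrite.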

esurov commented on September 17, 2024

@killmasta93 thank you for your report! Could you please provide more details? Does it crash due to the max memory limit?


killmasta93 commented on September 17, 2024

Hi @esurov, thanks for the reply. Nope, I just run it, but after a while it crashes. When you say memory limit, do you mean of the VM?


esurov commented on September 17, 2024

Hi @killmasta93 Does it produce any output upon the crash? With the memory limit I mean the PHP setting in your php.ini. You might want to change it to something like this:

memory_limit = 2G


killmasta93 commented on September 17, 2024

Hi @esurov, thank you for the reply. I'm attaching a picture: it starts running, then after the checksum it starts

I was checking the logs and didn't find anything about an issue with the memory limit. As for the php.ini, do you mean on the host or the docker container?
Thank you

I'm attaching the logs, which show:

[2023-10-02 21:55:31] [INFO] Scan date: 2023-10-02 21:55:31
[2023-10-02 21:55:31] [INFO] Scanning /root/PHP-Antimalware-Scanner/dist
[2023-10-02 21:55:31] [INFO] Mapping and retrieving checksums, please wait
[2023-10-02 21:55:31] [INFO] Verifying files checksum
[2023-10-02 21:55:31] [INFO] Found 0 files to check
[2023-10-02 21:55:31] [INFO] Checking files
[2023-10-02 21:55:31] [SUCCESS] Scan finished!
[2023-10-02 21:55:31] [INFO] Files scanned: 0
[2023-10-02 21:55:31] [INFO] Files edited: 0
[2023-10-02 21:55:31] [INFO] Files quarantined: 0
[2023-10-02 21:55:31] [INFO] Files whitelisted: 0
[2023-10-02 21:55:31] [INFO] Files ignored: 0
[2023-10-02 21:55:31] [INFO] Malware detected: 0
[2023-10-02 21:55:31] [INFO] Malware removed: 0
[2023-10-02 21:55:55] [INFO] Scan date: 2023-10-02 21:55:55
[2023-10-02 21:55:55] [INFO] Scanning /scsi1/xxxxx
[2023-10-02 21:55:55] [INFO] Mapping and retrieving checksums, please wait
[2023-10-02 21:55:58] [SUCCESS] Found WordPress 6.2.2 (en_US) at "/scsi1/xxx"
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Akeeba Backup CORE for WordPress 7.8.0.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Pro 3.11.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Pro 3.7.7
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor 3.11.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin ElementsKit Lite 2.8.5
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Envato Elements 2.0.11
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Essential Addons for Elementor 5.6.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Essential Blocks 4.0.2
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Site Kit by Google 1.95.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Header & Footer Builder 1.6.13
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin MetForm 3.2.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Really Simple SSL 6.2.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Simple Chat Button 1.5.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Themesflat Addons For Elementor 1.9.6
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin WP Sticky Button - Click to Chat 1.4.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Yoast SEO 20.2.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin WP Mail SMTP 3.7.0
[2023-10-02 21:55:58] [INFO] Retrieving checksums of Wordpress 6.2.2
[2023-10-02 21:55:59] [INFO] Verifying files checksum
[2023-10-02 21:56:11] [INFO] Found 1883 files to check
[2023-10-02 21:56:11] [INFO] Checking files
[2023-10-02 21:56:12] [DANGER] PROBABLE MALWARE FOUND!
[2023-10-02 21:56:12] [WARNING] Checksum: 7c30e6993591b043f8f685b35f699868
[2023-10-02 21:56:12] [WARNING] File path: /scsi1/xxxx/wp-content/plugins/elementor-pro/wp-cron.php
[2023-10-02 21:56:12] [DANGER] Evil code found: [!] Exploit (hex_char) [line 46] - Hex char is usually used for the obfuscation of malicious code => \x5f
[2023-10-02 21:56:25] [SUCCESS] File '/scsi1/lxxxxwp-content/plugins/elementor-pro/wp-cron.php' skipped!
[2023-10-02 21:56:25] [DANGER] PROBABLE MALWARE FOUND!
[2023-10-02 21:56:25] [WARNING] Checksum: e808c392175886a9b2ca099e11cdd3de
[2023-10-02 21:56:25] [WARNING] File path: /scsi1/lxxxxxxx/wp-content/plugins/elementor-pro/core/integrations/actions/email/email.php
[2023-10-02 21:56:25] [DANGER] Evil code found: [!] Exploit (double_var2) [line 95] - Double var technique is usually used for the obfuscation of malicious code => ${$field}
[2023-10-02 21:56:28] [SUCCESS] File '/scsi1/xxxxxxwp-content/plugins/elementor-pro/core/integrations/actions/email/email.php' skipped!


esurov commented on September 17, 2024

Hi @killmasta93 !
Thanks for providing these details. If you're running the scanner in docker, then it could be that the memory limit is hit with the default PHP settings. Maybe it could be a good idea to make a PR to increase the memory limit.


killmasta93 commented on September 17, 2024

@Borcejn thank you so much
