Rewrite shell script in Go #84
No idea about the CI, it might be a good idea to ask the github.com/hillu/go-yara folks about this.
This is the error, in case anyone wants to give a try at fixing the CI:
Woohoo!!! @jvoisin I finally managed to fix the CI and have the test suite pass! :D
README.md (outdated)
```
- Download php-malware-finder `git clone https://github.com/jvoisin/php-malware-finder.git`
- [Install YARA](https://yara.readthedocs.io/en/stable/gettingstarted.html).
```
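Review bot: the second bullet tells the reader to install YARA and links to the generic getting-started page, but a binary built on github.com/hillu/go-yara needs libyara on the system, not the yara command-line tool, and the build itself needs a Go toolchain that the README never mentions. Suggest rewording the bullet to "Install libyara (the library, usually a `libyara` or `yara-devel` package from your distribution)" and adding a bullet for installing Go before the build step.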
Maybe add a note about installing go as well?
There is no need to install yara, only libyara
Good catch, I'll add/fix that!
About libyara, YARA documentation doesn't provide any guidance about installing libyara alone that I could link to, but I can add a note for people installing it using their package manager.
I updated it, lmk what you think
```go
os.Exit(1)
} else {
if args.Verbose {
fmt.Printf("DEBUG: scan workers: %d\n", args.Workers)
```
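Review bot: the `} else {` after `os.Exit(1)` adds a nesting level for nothing, since `os.Exit` never returns; drop the `else` and put `if args.Verbose {` at the outer level so the rest of the function is one indentation shallower. Separately, `fmt.Printf` sends this debug line to stdout, where it is interleaved with the scan results; the `log` package writes to stderr with a timestamp by default, which keeps findings and diagnostics apart and is what the thread goes on to suggest.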
You might want to use go's logging module, instead of fmt.Printf
It could be a good idea, having the timestamps could allow the logs to be ingested in a SIEM or what not, but then we should probably change some of the output to be more useful as logs (for example the "you should look at these files" header should be turned into a prefix of each finding). Wdyt?
I gave it a try, here is what the output looks like:
```
2022/04/07 22:57:24 [DEBUG] rules directory: /home/mde/Code/php-malware-finder/php-malware-finder
2022/04/07 22:57:24 [DEBUG] excluded file extensions: bz2,yml,exe,rar,md,jpg,svg,zip,yaml,dll,jpeg,gif,xz,7z,tar,bundle,ico,min,txt,gz,map,less,png,coffee,rst,bmp,csv,css,tgz,json,so,bin,js
2022/04/07 22:57:24 [DEBUG] ruleset loaded: /home/mde/Code/php-malware-finder/php-malware-finder/php.yar
2022/04/07 22:57:24 [DEBUG] scan workers: 32
2022/04/07 22:57:24 [DEBUG] target: samples
2022/04/07 22:57:24 [DEBUG] delay between fs ops: 1ns
2022/04/07 22:57:24 [WARNING] match found: samples/artificial/dodgy.php (DodgyPhp)
2022/04/07 22:57:24 [WARNING] match found: samples/classic/ajaxshell.php (DodgyPhp)
2022/04/07 22:57:24 [WARNING] match found: samples/artificial/bypasses.php (ObfuscatedPhp)
[...]
2022/04/07 22:57:24 [WARNING] dangerous file found: samples/real/novahot.php
2022/04/07 22:57:24 [WARNING] dangerous file found: samples/artificial/obfuscated.php
2022/04/07 22:57:24 [WARNING] dangerous file found: samples/classic/simattacker.php
2022/04/07 22:57:24 [DEBUG] scanned 28 files in 145.848134ms
```
🎉
This PR is a rewrite in Go of the old and ugly shell script. It adds huge performance improvements, as well as a few enhancements like allowing common files to be excluded from the scan, or setting the max filesystem operations per second the application will perform.

It does not pass the CI tests as

```
go get "github.com/hillu/go-yara"
```

seems to fail to compile the module, probably due to the location YARA is installed in, but tests pass on my machine. I didn't look much into solving this issue; if you have any ideas feel free to tell me or to add commits to that PR. This somehow solves #65.
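The two features described above (extension exclusion and a cap on filesystem operations per second) and the one-line-per-finding logging discussed in the review thread, as an added example that is not code from this PR or from php-malware-finder. Every name in it (`ParseExcludedExts`, `Excluded`, `DelayForRate`, `Scan`, `SampleFiles`, `SampleMatcher`) is hypothetical, and `SampleMatcher` is a constructed stand-in for the go-yara rule evaluation, so the block runs without libyara; the rule names are only borrowed from the log output shown in the thread.

```go
package main

import (
	"log"
	"path/filepath"
	"strings"
	"sync"
	"time"
)

// ParseExcludedExts turns the comma-separated CLI value into a set of lowercase extensions.
func ParseExcludedExts(list string) map[string]bool {
	set := make(map[string]bool)
	for _, ext := range strings.Split(list, ",") {
		if ext = strings.ToLower(strings.TrimPrefix(strings.TrimSpace(ext), ".")); ext != "" {
			set[ext] = true
		}
	}
	return set
}

// Excluded reports whether a path is skipped because of its extension.
func Excluded(path string, excluded map[string]bool) bool {
	return excluded[strings.TrimPrefix(strings.ToLower(filepath.Ext(path)), ".")]
}

// DelayForRate converts "max filesystem operations per second" into the pause
// between two operations; zero or negative disables throttling.
func DelayForRate(opsPerSecond int) time.Duration {
	if opsPerSecond <= 0 {
		return 0
	}
	return time.Second / time.Duration(opsPerSecond)
}

// Scan feeds every non-excluded path to a worker pool, sleeping delay between
// submissions, and returns one "path (Rule)" string per match, the same text it
// logs. matchFn stands in for go-yara rule evaluation; logf is e.g. log.Printf.
func Scan(paths []string, excluded map[string]bool, workers int, delay time.Duration,
	matchFn func(path string) []string, logf func(format string, args ...interface{})) []string {
	if workers < 1 {
		workers = 1 // a pool of zero workers would block forever on the first job
	}
	jobs := make(chan string)
	var wg sync.WaitGroup
	var mu sync.Mutex
	var findings []string
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for p := range jobs {
				for _, rule := range matchFn(p) {
					line := p + " (" + rule + ")"
					logf("[WARNING] match found: %s", line) // self-contained, no header needed
					mu.Lock()
					findings = append(findings, line)
					mu.Unlock()
				}
			}
		}()
	}
	for _, p := range paths {
		if Excluded(p, excluded) {
			continue
		}
		jobs <- p
		time.Sleep(delay) // throttle how fast files are handed out for opening
	}
	close(jobs)
	wg.Wait()
	return findings
}

// SampleFiles is constructed in-memory input standing in for a samples/ tree.
var SampleFiles = map[string]string{
	"README.md":                    "# docs",
	"samples/artificial/dodgy.php": "<?php eval(base64_decode($x));",
	"samples/clean/index.php":      "<?php echo 'hello';",
}

// SampleMatcher is a constructed stand-in for libyara: substring checks named
// after rules seen in the PR's log output. The real rules live in php.yar.
func SampleMatcher(path string) []string {
	var rules []string
	if strings.Contains(SampleFiles[path], "eval(") {
		rules = append(rules, "DodgyPhp")
	}
	if strings.Contains(SampleFiles[path], "base64_decode(") {
		rules = append(rules, "ObfuscatedPhp")
	}
	return rules
}

func main() {
	paths := []string{"README.md", "samples/artificial/dodgy.php", "samples/clean/index.php"}
	findings := Scan(paths, ParseExcludedExts("png,md,jpg,js"), 4, DelayForRate(1000), SampleMatcher, log.Printf)
	log.Printf("[DEBUG] scanned %d path(s), %d match(es)", len(paths), len(findings))
}
```

Passing `log.Printf` as the logger gives the timestamped `2022/04/07 22:57:24 [WARNING] ...` shape from the thread on stderr, while the returned slice carries the same strings for a summary or a test; `README.md` is dropped by the extension filter before any worker sees it.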