
Tools Php malware finder: Detect potentially malicious PHP files


itsMe



PHP malware finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells.

The following list of encoders/obfuscators/webshells are also detected:

    Best PHP Obfuscator
    Carbylamine
    Cipher Design
    Cyklodev
    Joes Web Tools Obfuscator
    P.A.S
    PHP Jiami
    Php Obfuscator Encode
    SpinObf
    Weevely3
    atomiku
    cobra obfuscator
    phpencode
    tennc
    web-malware-collection
    webtoolsvn
    novahot

Of course, it’s trivial to bypass PMF, but its goal is to catch kiddies and idiots, not people with a working brain. If you report a stupid tailored bypass for PMF, you likely belong to one (or both) categories and should re-read the previous statement.

How does it work?

Detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it’s that simple!

Instead of using a hash-based approach, PMF tries as much as possible to use semantic patterns, to detect things like “a $_GET variable is decoded two times, unzipped, and then passed to some dangerous function like system”.

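As an added illustration of the semantic-pattern idea described in the post (this is not part of the original post and not PMF's own rules), the Python example below crawls a directory and flags PHP files in which request data passes through two or more decode/decompress calls into a dangerous function. Regular expressions stand in for YARA here; the function lists, names and sample files are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Assumed, illustrative lists; PMF's real YARA rules are far broader.
DECODERS = rb"(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|urldecode)"
SINKS = rb"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
SOURCE = rb"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# Sink call whose argument is request data wrapped in two or more decoder calls.
NESTED_DECODE_TO_SINK = re.compile(
    rb"\b" + SINKS + rb"\s*\(\s*(?:@?" + DECODERS + rb"\s*\(\s*){2,}" + SOURCE, re.I)

def scan_bytes(data):
    """Return the matched snippet as text, or None if the pattern is absent."""
    m = NESTED_DECODE_TO_SINK.search(data)
    return m.group(0).decode("latin-1") if m else None

def scan_tree(root, extensions=(".php", ".phtml")):
    """Crawl root and return sorted (relative_path, snippet) for flagged files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    snippet = scan_bytes(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the crawl
            if snippet:
                hits.append((os.path.relpath(path, root), snippet))
    return sorted(hits)

def demo():
    samples = {  # constructed sample files for the example, not real malware
        "index.php": b"<?php echo htmlspecialchars(base64_decode($_GET['msg']));",
        "cron.php": b"<?php system('/usr/bin/php /srv/app/cron.php');",
        "uploads/img.php": b"<?php @system( gzinflate(base64_decode($_GET['c'])) );",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Only the file under `uploads/` is flagged: a single decode with no sink, or a sink with a constant argument, does not match, which is the difference between a semantic pattern and a plain keyword or hash lookup.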