Commit 63ccd17

author
Ian Bouchard
committed
Updates readme
1 parent 019e1fc commit 63ccd17

File tree

1 file changed

+25
-8
lines changed

README.md

+25-8
@@ -41,14 +41,31 @@ Simply pass a display option and an OPcache file.
4141

4242

4343
## OPcache Malware Hunter
44-
This tool helps detect malware hidden in OPcache files by searching specific keywords in the file's opcodes.
45-
46-
Pass an OPcache file or directory and the hunter will recursively go through all the `.php.bin` files.
47-
48-
$ ./opcache_malware_hunt.py malware.php.bin
49-
Checking malware.php.bin
50-
Found potentially dangerous keyword 'preg_replace'.
51-
Found potentially dangerous keyword 'str_rot13'.
44+
This tool helps detect malware hidden in OPcache files by looking for manipulated OPcache files. It compiles its own version of the source code, compares the compiled file
45+
with the current cache file and checks for differences. **You must run this tool on the same system as the one where the cache files
46+
have been compiled originally.**
47+
48+
OPcache malware hunter requires three parameters :
49+
- The location of the cache folder
50+
- The system_id
51+
- The php.ini file used
52+
53+
$ ./opcache_malware_hunt.py /tmp/cache 2d3b19863f4c71f9a3adda4c957752e2 /etc/php/7.0/cli/php.ini
54+
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/payload.php.bin
55+
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/payload.php.bin
56+
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-config.php.bin
57+
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-config.php.bin
58+
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-load.php.bin
59+
...
60+
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin
61+
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin
62+
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-includes/pomo/translations.php.bin
63+
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-includes/pomo/translations.php.bin
64+
Potentially infected files :
65+
- /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin
66+
67+
In the situation where a potentially infected cache file is found, OPcache Malware Hunter will generate an HTML report
68+
in the filesystem showing the differences between the source code and the infected cache file.
5269

5370
## Demo
5471
To setup the demo, run the following two commands :
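Review bot: The new usage section (lines 48+ to 51+) leaves the two non-obvious parameters undocumented: `- The system_id` does not say where the value comes from (in the example, `2d3b19863f4c71f9a3adda4c957752e2` is also the name of the subdirectory under `/tmp/cache`, which is worth stating), and `- The php.ini file used` does not say which php.ini counts as "used"; the example passes `/etc/php/7.0/cli/php.ini` for a cache produced by a web application under `/home/vagrant/wordpress`, so spell out that it must be the ini of the PHP SAPI that populated the cache, since a different OPcache configuration would show up as differences. The sample output also writes to a `hunt_opcache/...` tree and line 67+ says the HTML report is generated "in the filesystem"; document where the recompiled files and the report are written. The removed lines 44- to 51- described the keyword-based search (`preg_replace`, `str_rot13`) and nothing in the new text says whether that mode still exists; keep its documentation if it does, or mention the removal if it does not. Minor: drop the space before the colon in "requires three parameters :" and "Potentially infected files :".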
