Starts working on cache file comparison

Ian Bouchard · Ian Bouchard · commit 189313a3835a · 2016-05-11T20:23:24.000Z
diff --git a/analysis_tools/compile.php b/analysis_tools/compile.php
@@ -3,6 +3,7 @@
 
   if ($handle) {
     while (($line = fgets($handle)) !== false) {
+      $line = trim($line);
       opcache_compile_file($line);
     }
     fclose($handle);
diff --git a/analysis_tools/opcache_malware_hunt.py b/analysis_tools/opcache_malware_hunt.py
@@ -3,13 +3,14 @@
 # Copyright (c) 2016 GoSecure Inc.
 
 from opcache_disassembler import OPcacheDisassembler
+from opcache_parser import OPcacheParser
 import sys
 import os
 import subprocess
 import shutil
 
 hunt_source_files = "hunt_source_files.tmp"
-hunt_ini          = "hunt.ini.tmp"
+hunt_ini          = "hunt.ini"
 hunt_opcache      = "hunt_opcache"
 
 def list_opcache_files(path):
@@ -61,6 +62,9 @@ def setup_env(phpini_path):
                 if "opcache.enable=" in line:
                     line = "opcache.enable=1"
 
+                if "opcache.file_cache_only=" in line:
+                    line = "opcache.file_cache_only=0"
+
                 h.write(line)
 
     # cache folder location
@@ -91,6 +95,15 @@ def compile_source_files():
     command = "php -c {0} compile.php {1}".format(hunt_ini, hunt_source_files)
     subprocess.call(command.split(), shell=False)
 
+def parse_file(file):
+    return OPcacheParser(file)
+
+def compare_parsed_files(file1, file2):
+
+    # Compare opcodes
+    print [f.opcode for f in file1['script']['main_op_array']['opcodes']]
+    print [f.opcode for f in file2['script']['main_op_array']['opcodes']]
+
 def show_help():
     """ Show the help menu"""
 
@@ -121,13 +134,33 @@ def show_help():
     source_folder = prefix.split(system_id, 1)[1]
 
     # Source files list
-    source_files = [source_folder + file.split(source_folder, 1)[1][:-4] for file in opcache_files ]
+    if len(opcache_files) > 1:
+        source_files = [source_folder + file.split(source_folder, 1)[1][:-4] for file in opcache_files ]
+    else:
+        source_files = [source_folder[:-4]]
 
     # Dump source files
     dump_source_file_list(source_files)
 
     # Compile source files
     compile_source_files()
 
+    # Compare original cache files with new ones
+    for idx, file in enumerate(opcache_files):
+        new_cache_file = os.path.join(hunt_opcache, system_id)
+        new_cache_file += os.path.join(new_cache_file, source_files[idx])
+        new_cache_file += ".bin"
+
+        print "Checking " + file
+        print "Checking " + new_cache_file
+
+        # Parse files
+        original_file = parse_file(file)
+        new_parsed = parse_file(new_cache_file)
+
+        # Compare files
+        compare_parsed_files(original_file, new_parsed)
+        break
+
     # Remove temporary files and folders
     cleanup()

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`
`4`	`4`	`if ($handle) {`
`5`	`5`	`while (($line = fgets($handle)) !== false) {`
	`6`	`+ $line = trim($line);`
`6`	`7`	`opcache_compile_file($line);`
`7`	`8`	`}`
`8`	`9`	`fclose($handle);`