Beginning of new implementation for the opcache_malware_hunt tool

Author: Ian Bouchard

.gitignore

@@ -1 +1,3 @@
 *.pyc
+*.tmp
+hunt_opcache

analysis_tools/compile.php

@@ -0,0 +1,10 @@
+<?php
+  $handle = fopen($argv[1], "r");
+
+  if ($handle) {
+    while (($line = fgets($handle)) !== false) {
+      opcache_compile_file($line);
+    }
+    fclose($handle);
+  }
+?>

analysis_tools/opcache_malware_hunt.py

@@ -5,53 +5,17 @@
 from opcache_disassembler import OPcacheDisassembler
 import sys
 import os
-import re
-from termcolor import colored
-
-dangerous_keywords = [
-    "(eval)",
-    "(exec)",
-    "(preg_replace).*(?=SEND_VAL\(.*/e.*\);)",
-    "(system)",
-    "(assert)",
-    "(str_rot13)",
-    "(base64_encode)"
-]
+import subprocess
+import shutil
 
-def show_help():
-    """ Show the help menu"""
-
-    print "Usage : {0} [file|directory]".format(sys.argv[0])
-
-def check_dangerous_keywords(ast, disassembler):
-    """ Check for dangerous keywords
-
-        Arguments :
-            ast : The AST to check against
-            disassembler : The disassembler to use
-    """
-
-    main_op_array = disassembler.convert_branch_to_pseudo_code(ast, "main_op_array")
-    function_table = disassembler.convert_branch_to_pseudo_code(ast, "function_table")
-    class_table = disassembler.convert_branch_to_pseudo_code(ast, "class_table")
-
-    code = main_op_array + function_table + class_table
-
-    for keyword in dangerous_keywords:
-        result = re.search(keyword, code, re.DOTALL)
-        if result:
-            print colored("\tFound potentially dangerous keyword '{0}'.".format(result.group(1)), 'yellow')
-
-if __name__ == "__main__":
-
-    if len(sys.argv) < 2:
-        show_help()
-        exit(0)
+hunt_source_files = "hunt_source_files.tmp"
+hunt_ini          = "hunt.ini.tmp"
+hunt_opcache      = "hunt_opcache"
 
-    path = sys.argv[1]
+def list_opcache_files(path):
+    """ List every opcache (.php.bin) file found in a given path """
 
-    # Create a disassembler
-    disassembler = OPcacheDisassembler()
+    opcache_files = []
 
     # Check if arg[1] is a folder or a file
     if os.path.isdir(path):
@@ -63,38 +27,107 @@ def check_dangerous_keywords(ast, disassembler):
                 # Only check .php.bin files
                 if file.endswith(".php.bin"):
                     file = os.path.join(subdir, file)
+                    opcache_files += [file]
 
-                    print "Checking " + file
+    else:
+        # Only check .php.bin files
+        if path.endswith(".php.bin"):
+          opcache_files += [path]
 
-                    try:
-                        # Create an AST from the compiled file
-                        ast = disassembler.create_ast(file)
-                    except KeyboardInterrupt:
-                        exit(0)
+    return opcache_files
 
-                    except:
-                        print "Unable to parse file " + file
-                        continue
+def dump_source_file_list(list):
 
-                    # Check the ast for dangerous keywords
-                    check_dangerous_keywords(ast, disassembler)
+    with open(hunt_source_files, 'w') as f:
+        for file in list:
+            f.write(file + "\n")
 
-    else:
-        # Only check .php.bin files
-        if path.endswith(".php.bin"):
+def setup_env(phpini_path):
+
+    # hunt.ini
+    with open(phpini_path, "r") as f:
+        with open(hunt_ini, "w") as h:
+            for line in f.readlines():
+
+                # opcache.file_cache
+                if "opcache.file_cache=" in line:
+                    line = "opcache.file_cache=" + os.path.join(os.getcwd(), hunt_opcache)
+
+                # opcache.enable_cli
+                if "opcache.enable_cli=" in line:
+                    line = "opcache.enable_cli=1"
+
+                # opcache.enable_cli
+                if "opcache.enable=" in line:
+                    line = "opcache.enable=1"
+
+                h.write(line)
+
+    # cache folder location
+    os.mkdir(hunt_opcache)
+    os.chmod(hunt_opcache, 0o777)
+
+def cleanup():
+
+    # Remove cache folder
+    try:
+        shutil.rmtree(hunt_opcache)
+    except:
+        pass
+
+    # Remove hunt.ini
+    try:
+        os.remove(hunt_ini)
+    except:
+        pass
+
+    # Remove source files list
+    try:
+        os.remove(hunt_source_files)
+    except:
+        pass
+
+def compile_source_files():
+    command = "php -c {0} compile.php {1}".format(hunt_ini, hunt_source_files)
+    subprocess.call(command.split(), shell=False)
+
+def show_help():
+    """ Show the help menu"""
+
+    print "Usage : {0} [opcache_folder] [system_id] [php.ini] ".format(sys.argv[0])
+
+if __name__ == "__main__":
+
+    if len(sys.argv) < 3:
+        show_help()
+        exit(0)
+
+    # Remove temporary files and folders
+    cleanup()
+
+    # Paths to analyse
+    opcache_folder = sys.argv[1]
+    system_id = sys.argv[2]
+    phpini_path = sys.argv[3]
+
+    # Setup a new phpini for compilation
+    setup_env(phpini_path)
+
+    # OPcache file list
+    opcache_files = list_opcache_files(opcache_folder)
 
-            print "Checking " + path
-            try:
-                # Create an AST from the compiled file
-                ast = disassembler.create_ast(path)
-            except:
-                print "Unable to parse file " + path
-                exit(0)
+    # Get location of source folder
+    prefix = os.path.commonprefix(opcache_files)
+    source_folder = prefix.split(system_id, 1)[1]
 
-            # Check AST for dangerous files
-            check_dangerous_keywords(ast, disassembler)
-        else:
-            print "File is not a .php.bin file"
+    # Source files list
+    source_files = [source_folder + file.split(source_folder, 1)[1][:-4] for file in opcache_files ]
 
+    # Dump source files
+    dump_source_file_list(source_files)
 
+    # Compile source files
+    compile_source_files()
 
+    # Remove temporary files and folders
+    cleanup()