Updates malware hunter with 32/64 bit options

Corb3nik · Corb3nik · commit 89f6cac6057d · 2017-01-03T22:45:08.000-05:00
diff --git a/analysis_tools/opcache_malware_hunt.py b/analysis_tools/opcache_malware_hunt.py
@@ -232,7 +232,7 @@ def compare_parsed_files(file1, file2):
 
     return True
 
-def create_diff_report(file1, file2, report_name, from_desc, to_desc):
+def create_diff_report(file1, file2, report_name, from_desc, to_desc, is_64_bit):
 
     """ Create a report showing the differences between two files
 
@@ -245,8 +245,8 @@ def create_diff_report(file1, file2, report_name, from_desc, to_desc):
     """
 
     # Disassemble each file and split into lines
-    disassembled_1 = OPcacheDisassembler().disassemble(file1).split("\n")
-    disassembled_2 = OPcacheDisassembler().disassemble(file2).split("\n")
+    disassembled_1 = OPcacheDisassembler(is_64_bit).disassemble(file1).split("\n")
+    disassembled_2 = OPcacheDisassembler(is_64_bit).disassemble(file2).split("\n")
 
     # Differ
     html_differ = difflib.HtmlDiff()
@@ -296,7 +296,7 @@ def create_index(report_names):
 def show_help():
     """ Show the help menu"""
 
-    print "Usage : {0} [opcache_folder] [system_id] [php.ini] ".format(sys.argv[0])
+    print "Usage : {0} [opcache_folder] [-a(86|64)] [system_id] [php.ini] ".format(sys.argv[0])
 
 if __name__ == "__main__":
 
@@ -309,8 +309,17 @@ def show_help():
 
     # Paths to analyse
     opcache_folder = sys.argv[1]
-    system_id = sys.argv[2]
-    phpini_path = sys.argv[3]
+    architecture = sys.argv[2]
+    system_id = sys.argv[3]
+    phpini_path = sys.argv[4]
+
+    # Is 64 bit
+    is_64_bit = False
+    if architecture == "-a64":
+        is_64_bit = True
+    elif architecture == "-a32":
+        is_64_bit = False
+
 
     # Setup a new phpini for compilation
     setup_env(phpini_path)
@@ -359,7 +368,7 @@ def show_help():
         for idx, file, new_cache_file in flagged_files:
             print " - " + file
 
-            report = create_diff_report(new_cache_file, file, opcache_files[idx], "Source Code", "Cache")
+            report = create_diff_report(new_cache_file, file, opcache_files[idx], "Source Code", "Cache", is_64_bit)
             reports += [report]
 
         create_index(reports)
