Update gen_webshells.yar

find more php obfuscation
2024-11-06 18:15:20 +00:00 · 2021-03-11 08:22:32 +01:00 · 2021-03-11 08:22:32 +01:00 · 08bd7513bc
commit 08bd7513bc
parent 418e188a77
1 changed files with 5 additions and 1 deletions
--- a/yara/gen_webshells.yar
+++ b/yara/gen_webshells.yar
@ -1157,7 +1157,11 @@ rule webshell_php_by_string_obfuscation
 		$opbs29 = "\"ht\".\"tp\".\"s:" wide ascii
 		$opbs31 = "'ev'.'al'" nocase wide ascii
 		$opbs32 = "eval/*" nocase wide ascii
-		$opbs34 = "assert/*" nocase wide ascii
+		$opbs33 = "eval(/*" nocase wide ascii
+		$opbs34 = "eval(\"/*" nocase wide ascii
+		$opbs36 = "assert/*" nocase wide ascii
+		$opbs37 = "assert(/*" nocase wide ascii
+		$opbs38 = "assert(\"/*" nocase wide ascii
 		$opbs40 = "'ass'.'ert'" nocase wide ascii
 		$opbs41 = "${'_'.$_}['_'](${'_'.$_}['__'])" wide ascii
 		$opbs44 = "'s'.'s'.'e'.'r'.'t'" nocase wide ascii