From 08bd7513bca563b11166e39b4198a25598237adc Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+2d4d@users.noreply.github.com>
Date: Thu, 11 Mar 2021 08:22:32 +0100
Subject: [PATCH] Update gen_webshells.yar

find more php obfuscation
---
 yara/gen_webshells.yar | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/yara/gen_webshells.yar b/yara/gen_webshells.yar
index 43e1bc2..46a597a 100644
--- a/yara/gen_webshells.yar
+++ b/yara/gen_webshells.yar
@@ -1157,7 +1157,11 @@ rule webshell_php_by_string_obfuscation
 $opbs29 = "\"ht\".\"tp\".\"s:" wide ascii
 $opbs31 = "'ev'.'al'" nocase wide ascii
 $opbs32 = "eval/*" nocase wide ascii
- $opbs34 = "assert/*" nocase wide ascii
+ $opbs33 = "eval(/*" nocase wide ascii
+ $opbs34 = "eval(\"/*" nocase wide ascii
+ $opbs36 = "assert/*" nocase wide ascii
+ $opbs37 = "assert(/*" nocase wide ascii
+ $opbs38 = "assert(\"/*" nocase wide ascii
 $opbs40 = "'ass'.'ert'" nocase wide ascii
 $opbs41 = "${'_'.$_}['_'](${'_'.$_}['__'])" wide ascii
 $opbs44 = "'s'.'s'.'e'.'r'.'t'" nocase wide ascii
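Review bot: The identifier `$opbs34` silently changes meaning in this hunk, from `"assert/*"` to `"eval(\"/*"`, while the old assert string moves to `$opbs36`; the rule's `condition` section lies outside the hunk, so if it names `$opbs34` individually rather than using a wildcard like `any of ($opbs*)`, matching behaviour changes without any visible diff there. Keeping `$opbs34 = "assert/*"` and giving the new patterns fresh numbers (e.g. `$opbs33`, `$opbs35`, `$opbs37`, `$opbs38`) would avoid the ambiguity, or confirm the condition only ever refers to the `$opbs*` group. The new literals cover `eval(/*` and `eval("/*` but not whitespace-separated forms such as `eval (/*` or `eval( /*`; whether that gap matters is a detection-breadth choice worth a short comment next to the strings. Note that `assert(/* ... */ ...)` also appears in ordinary PHP test code, so the new assert variants may be a false-positive source if the rule's condition does not require additional indicators.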