marcocesarato / PHP-Antimalware-Scanner

AMWScan (PHP Antimalware Scanner) is a free tool to scan php files and analyze your project to find any malicious code inside it.
https://marcocesarato.github.io/PHP-Antimalware-Scanner/
GNU General Public License v3.0
644 stars 108 forks source link

PHP scanner crashes #95

Closed killmasta93 closed 1 year ago

killmasta93 commented 1 year ago

Hi Currently trying to run it locally and on docker it starts scanning then crashes

esurov commented 1 year ago

@killmasta93 thank you for your report! could you please provide more details? does it crash due to the max memory limit?

killmasta93 commented 1 year ago

hi @esurov thanks for the reply, nope i just run it but after a while it crashes when you say memory limit do you mean of the VM?

esurov commented 1 year ago

Hi @killmasta93 Does it produce any output upon the crash? With the memory limit I mean the PHP setting in your php.ini. You might want to change it to something like this:

memory_limit = 2G
killmasta93 commented 1 year ago

HI @esurov Thank you for the reply im attaching picture, it starts running then after checksum it start image

i was checking logs didnt find anything with issue on memory limit as for the php.ini do you mean on the host or the docker container? Thank you

im attaching the logs that shows


2023-10-02 21:55:31] [INFO] Scan date: 2023-10-02 21:55:31
[2023-10-02 21:55:31] [INFO] Scanning /root/PHP-Antimalware-Scanner/dist
[2023-10-02 21:55:31] [INFO] Mapping and retrieving checksums, please wait
[2023-10-02 21:55:31] [INFO] Verifying files checksum
[2023-10-02 21:55:31] [INFO] Found 0 files to check
[2023-10-02 21:55:31] [INFO] Checking files
[2023-10-02 21:55:31] [SUCCESS] Scan finished!
[2023-10-02 21:55:31] [INFO] Files scanned: 0
[2023-10-02 21:55:31] [INFO] Files edited: 0
[2023-10-02 21:55:31] [INFO] Files quarantined: 0
[2023-10-02 21:55:31] [INFO] Files whitelisted: 0
[2023-10-02 21:55:31] [INFO] Files ignored: 0
[2023-10-02 21:55:31] [INFO] Malware detected: 0
[2023-10-02 21:55:31] [INFO] Malware removed: 0
[2023-10-02 21:55:55] [INFO] Scan date: 2023-10-02 21:55:55
[2023-10-02 21:55:55] [INFO] Scanning /scsi1/xxxxx
[2023-10-02 21:55:55] [INFO] Mapping and retrieving checksums, please wait
[2023-10-02 21:55:58] [SUCCESS] Found WordPress 6.2.2 (en_US) at "/scsi1/xxx"
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Akeeba Backup CORE for WordPress 7.8.0.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Pro 3.11.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Pro 3.7.7
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor 3.11.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin ElementsKit Lite 2.8.5
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Envato Elements 2.0.11
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Essential Addons for Elementor 5.6.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Essential Blocks 4.0.2
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Site Kit by Google 1.95.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Elementor Header & Footer Builder 1.6.13
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin MetForm 3.2.3
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Really Simple SSL 6.2.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Simple Chat Button 1.5.0
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Themesflat Addons For Elementor 1.9.6
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin WP Sticky Button - Click to Chat 1.4.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin Yoast SEO 20.2.1
[2023-10-02 21:55:58] [SUCCESS] Found WordPress Plugin WP Mail SMTP 3.7.0
[2023-10-02 21:55:58] [INFO] Retrieving checksums of Wordpress 6.2.2
[2023-10-02 21:55:59] [INFO] Verifying files checksum
[2023-10-02 21:56:11] [INFO] Found 1883 files to check
[2023-10-02 21:56:11] [INFO] Checking files
[2023-10-02 21:56:12] [DANGER] PROBABLE MALWARE FOUND!
[2023-10-02 21:56:12] [WARNING] Checksum: 7c30e6993591b043f8f685b35f699868
[2023-10-02 21:56:12] [WARNING] File path: /scsi1/xxxx/wp-content/plugins/elementor-pro/wp-cron.php
[2023-10-02 21:56:12] [DANGER] Evil code found: [!] Exploit (hex_char) [line 46] - Hex char is usually used for the obfuscation of malicious code => \x5f
[2023-10-02 21:56:25] [SUCCESS] File '/scsi1/lxxxxwp-content/plugins/elementor-pro/wp-cron.php' skipped!
[2023-10-02 21:56:25] [DANGER] PROBABLE MALWARE FOUND!
[2023-10-02 21:56:25] [WARNING] Checksum: e808c392175886a9b2ca099e11cdd3de
[2023-10-02 21:56:25] [WARNING] File path: /scsi1/lxxxxxxx/wp-content/plugins/elementor-pro/core/integrations/actions/email/email.php
[2023-10-02 21:56:25] [DANGER] Evil code found: [!] Exploit (double_var2) [line 95] - Double var technique is usually used for the obfuscation of malicious code => ${$field}
[2023-10-02 21:56:28] [SUCCESS] File '/scsi1/xxxxxxwp-content/plugins/elementor-pro/core/integrations/actions/email/email.php' skipped!
esurov commented 1 year ago

Hi @killmasta93 ! Thanks for providing these details. If you're running the scanner in docker then it could be that memory limit is hit on default PHP settings. Maybe it could be a good idea to make a PR to increase the memory limit.

Borcejn commented 1 year ago

Hi all,

I'm re-pasting my message here again. :) (from: https://github.com/marcocesarato/PHP-Antimalware-Scanner/issues/72)

The problem is in the file: vendor/marcocesarato/amwscan/src/Deobfuscator.php The following "calc" function is defined in mentioned file:

private function calc($expr)
    {
        if (is_array($expr)) {
            $expr = $expr[0];
        }
        preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
        if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
            return $exprArr[1](explode(',', $exprArr[2]));
        }

        preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
        if (!empty($exprArr[1]) && !empty($exprArr[2])) {
            if (in_array('*', $exprArr[2], true)) {
                $pos = array_search('*', $exprArr[2], true);
                $res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
                $expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('/', $exprArr[2], true)) {
                $pos = array_search('/', $exprArr[2], true);
                $res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('-', $exprArr[2], true)) {
                $pos = array_search('-', $exprArr[2], true);
                $res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } elseif (in_array('+', $exprArr[2], true)) {
                $pos = array_search('+', $exprArr[2], true);
                $res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr);
            } else {
                return $expr;
            }
        }

        return $expr;

As you can see, this is a recursive function that - for some reason - has an erroneous stop condition for the file you indicated and goes into very, very deep levels of recursion (in my case, about ~281000 - until the memory on the stack is exhausted).

I haven't had time to disarm this function and analyze the stop condition, but it seems that a simple and sufficient workaround is to add an additional guard in the form:

if($level>100000) return "";

This will interrupt further nesting if it goes too far :)

So, all the correct function code will therefore look as follows:

    private function calc($expr, $level = 0)
    {
        if($level>100000) return "";

        if (is_array($expr)) {
            $expr = $expr[0];
        }
        preg_match('~(min|max)?\(([^\)]+)\)~mi', $expr, $exprArr);
        if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
            return $exprArr[1](explode(',', $exprArr[2]));
        }

        preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
        if (!empty($exprArr[1]) && !empty($exprArr[2])) {
            if (in_array('*', $exprArr[2], true)) {
                $pos = array_search('*', $exprArr[2], true);
                $res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
                $expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level+1);
            } elseif (in_array('/', $exprArr[2], true)) {
                $pos = array_search('/', $exprArr[2], true);
                $res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr, $level+1);
            } elseif (in_array('-', $exprArr[2], true)) {
                $pos = array_search('-', $exprArr[2], true);
                $res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr,$level+1);
            } elseif (in_array('+', $exprArr[2], true)) {
                $pos = array_search('+', $exprArr[2], true);
                $res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
                $expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
                $expr = $this->calc($expr,$level+1);
            } else {
                return $expr;
            }
        }

        return $expr;
    }

This is completely sufficient (at least for my needs).

I sincerely greet you and warm hugs for the file that helped me to solve this problem, ~WB

killmasta93 commented 1 year ago

@Borcejn thank you so much