feat: add deobfuscate commands and functionality and fix backup path

marcocesarato · marcocesarato · commit 9238b6e71a94 · 2021-01-10T14:11:02.000+01:00
diff --git a/src/Actions.php b/src/Actions.php
@@ -123,9 +123,14 @@ public static function moveToQuarantine($file)
      */
     public static function makeBackup($file)
     {
-        $backup = Scanner::getPathBackups() . DIRECTORY_SEPARATOR . str_replace(realpath(Scanner::getPathScan()), '', realpath($file));
-        $backup = str_replace(['/', '\\'], DIRECTORY_SEPARATOR, $backup);
-        if (!is_dir(dirname($backup)) && (!mkdir($concurrentDirectory = dirname($backup), 0755, true) && !is_dir($concurrentDirectory))) {
+        $scanPath = realpath(Scanner::getPathScan());
+        if (is_file($scanPath)) {
+            $scanPath = dirname($scanPath);
+        }
+        $backup = Scanner::getPathBackups() . DIRECTORY_SEPARATOR . str_replace($scanPath, '', realpath($file));
+        $backup = Scanner::replaceSlash($backup);
+        if (!is_dir(dirname($backup)) &&
+            (!mkdir($concurrentDirectory = dirname($backup), 0755, true) && !is_dir($concurrentDirectory))) {
             throw new RuntimeException(sprintf('Directory "%s" was not created', $concurrentDirectory));
         }
         copy($file, $backup);
diff --git a/src/Scanner.php b/src/Scanner.php
@@ -22,6 +22,7 @@
 use Phar;
 use RecursiveDirectoryIterator;
 use RecursiveIteratorIterator;
+use RuntimeException;
 use SplFileInfo;
 
 /**
@@ -71,6 +72,13 @@ class Scanner
      */
     public static $pathBackups = '/scanner-backups/';
 
+    /**
+     * Deobfuscate path.
+     *
+     * @var string
+     */
+    public static $pathDeobfuscate = '/deobfuscated/';
+
     /**
      * Logs Path.
      *
@@ -254,14 +262,12 @@ public function __construct()
                 self::$pathScan = self::currentDirectory();
             }
 
-            $replaceSlash = function ($str) {
-                return str_replace(['/', '\\'], DIRECTORY_SEPARATOR, $str);
-            };
-
-            self::$pathQuarantine = $replaceSlash(self::$root . self::$pathQuarantine);
-            self::$pathLogs = $replaceSlash(self::$root . self::$pathLogs);
-            self::$pathWhitelist = $replaceSlash(self::$root . self::$pathWhitelist);
-            self::$pathReport = $replaceSlash(self::$root . self::$pathReport);
+            self::$pathQuarantine = self::replaceSlash(self::$root . self::$pathQuarantine);
+            self::$pathLogs = self::replaceSlash(self::$root . self::$pathLogs);
+            self::$pathWhitelist = self::replaceSlash(self::$root . self::$pathWhitelist);
+            self::$pathReport = self::replaceSlash(self::$root . self::$pathReport);
+            self::$pathBackups = self::replaceSlash(self::$root . self::$pathBackups);
+            self::$pathDeobfuscate = self::replaceSlash(self::$root . self::$pathDeobfuscate);
 
             if (!self::isCli()) {
                 self::setSilentMode(true);
@@ -388,13 +394,15 @@ private function arguments($args = null)
         self::$argv->addFlag('auto-whitelist', ['default' => false, 'help' => 'Auto whitelist (if you sure that source isn\'t compromised)']);
         self::$argv->addFlag('auto-prompt', ['default' => null, 'has_value' => true, 'value_name' => 'prompt', 'help' => "Set auto prompt command .\nex. --auto-prompt=\"delete\" or --auto-prompt=\"1\" (alias of auto-delete)"]);
         self::$argv->addFlag('path-whitelist', ['default' => self::$pathWhitelist, 'has_value' => true, 'value_name' => 'path', 'help' => 'Set whitelist file']);
+        self::$argv->addFlag('path-deobfuscate', ['default' => self::$pathDeobfuscate, 'has_value' => true, 'value_name' => 'path', 'help' => "Set debofuscated files path directory.\nIs recommended put files outside the public document path"]);
         self::$argv->addFlag('path-backups', ['default' => self::$pathBackups, 'has_value' => true, 'value_name' => 'path', 'help' => "Set backups path directory.\nIs recommended put files outside the public document path"]);
         self::$argv->addFlag('path-quarantine', ['default' => self::$pathQuarantine, 'has_value' => true, 'value_name' => 'path', 'help' => "Set quarantine path directory.\nIs recommended put files outside the public document path"]);
         self::$argv->addFlag('path-logs', ['default' => self::$pathLogs, 'has_value' => true, 'value_name' => 'path', 'help' => 'Set quarantine log file']);
         self::$argv->addFlag('path-report', ['default' => self::$pathReport, 'has_value' => true, 'value_name' => 'path', 'help' => 'Set report log file']);
         self::$argv->addFlag('disable-colors', ['alias' => ['--no-colors', '--no-color'], 'default' => false, 'help' => 'Disable CLI colors']);
         self::$argv->addFlag('disable-cache', ['alias' => '--no-cache', 'default' => false, 'help' => 'Disable Cache']);
         self::$argv->addFlag('disable-report', ['alias' => '--no-report', 'default' => false, 'help' => 'Disable Report']);
+        //self::$argv->addFlag('deobfuscate', ['default' => false, 'help' => 'Deobfuscate directory']);
         self::$argv->addArgument('path', ['var_args' => true, 'default' => self::currentDirectory(), 'help' => 'Define the path of the file or directory to scan']);
         self::$argv->parse($args);
 
@@ -445,14 +453,14 @@ private function arguments($args = null)
         }
 
         // Colors
-        if (isset(self::$argv['disable-colors']) && self::$argv['disable-colors']) {
+        if (!self::$argv['disable-colors']) {
             self::setColors(false);
         } elseif (function_exists('ncurses_has_colors')) {
             self::setColors(ncurses_has_colors());
         }
 
         // Cache
-        self::setCache(!(isset(self::$argv['disable-cache']) && self::$argv['disable-cache']));
+        self::setCache(!self::$argv['disable-cache']);
 
         // Max filesize
         if (isset(self::$argv['max-filesize']) && is_numeric(self::$argv['max-filesize'])) {
@@ -485,7 +493,12 @@ private function arguments($args = null)
 
         // Path backups
         if (isset(self::$argv['path-backups']) && !empty(self::$argv['path-backups'])) {
-            self::setPathQuarantine(self::$argv['path-backups']);
+            self::setPathBackups(self::$argv['path-backups']);
+        }
+
+        // Path deobfuscate
+        if (isset(self::$argv['path-deobfuscate']) && !empty(self::$argv['path-deobfuscate'])) {
+            self::setPathDeobfuscate(self::$argv['path-deobfuscate']);
         }
 
         // Path Whitelist
@@ -494,11 +507,17 @@ private function arguments($args = null)
         }
 
         // Report
-        self::setReport(!(isset(self::$argv['disable-report']) && self::$argv['disable-report']));
+        self::setReport(!self::$argv['disable-report']);
 
         // Report mode
         self::setReportMode((isset(self::$argv['report']) && self::$argv['report']) || !self::isCli());
 
+        // Deobfuscate mode
+        if (isset(self::$argv['deobfuscate']) && self::$argv['deobfuscate']) {
+            self::enableDeobfuscateMode();
+            self::disableReport();
+        }
+
         // Path report
         if (isset(self::$argv['path-report']) && !empty(self::$argv['path-report'])) {
             self::setPathReport(self::$argv['path-report']);
@@ -1063,6 +1082,47 @@ public function scanFile($info)
         return $result;
     }
 
+    /**
+     * Deobfuscate file.
+     *
+     * @param $info
+     */
+    public function deobfuscateFile($info)
+    {
+        $filePath = $info->getPathname();
+
+        $mimeType = 'text/php';
+        if (function_exists('mime_content_type')) {
+            $mimeType = mime_content_type($filePath);
+        } elseif (function_exists('finfo_open')) {
+            $finfo = finfo_open(FILEINFO_MIME);
+            $mimeType = finfo_file($finfo, $filePath);
+            finfo_close($finfo);
+        }
+
+        if (0 === stripos($mimeType, 'text')) {
+            $deobfuscator = new Deobfuscator();
+            $content = php_strip_whitespace($filePath);
+            $content = $deobfuscator->deobfuscate($content);
+            $content = $deobfuscator->decode($content);
+
+            // TODO: format code
+
+            $scanPath = realpath(self::getPathScan());
+            if (is_file($scanPath)) {
+                $scanPath = dirname($scanPath);
+            }
+            $filePath = self::getPathDeobfuscate() . DIRECTORY_SEPARATOR . str_replace($scanPath, '', realpath($filePath));
+            $filePath = self::replaceSlash($filePath);
+            if (!is_dir(dirname($filePath)) &&
+                (!mkdir($concurrentDirectory = dirname($filePath), 0755, true) && !is_dir($concurrentDirectory))) {
+                throw new RuntimeException(sprintf('Directory "%s" was not created', $concurrentDirectory));
+            }
+
+            Actions::putContents($filePath, $content);
+        }
+    }
+
     /**
      * Run index.php.
      *
@@ -1087,6 +1147,13 @@ private function scan($iterator)
             $fileExtension = $info->getExtension();
             $fileSize = filesize($filePath);
 
+            if (self::isDeobfuscateMode()) {
+                self::$report['scanned']++;
+                usleep(10);
+                $this->deobfuscateFile($info);
+                continue;
+            }
+
             $isFavicon = self::isInfectedFavicon($info);
 
             if ((
@@ -1651,6 +1718,45 @@ public static function isCacheEnabled()
         return isset(self::$settings['cache']) ? self::$settings['cache'] : true;
     }
 
+    /**
+     * @return self
+     */
+    public static function setDeobfuscateMode($mode = true)
+    {
+        self::$settings['deobfuscate-mode'] = $mode;
+        self::enableReport();
+
+        return new static();
+    }
+
+    /**
+     * @return bool
+     */
+    public static function isDeobfuscateMode()
+    {
+        return isset(self::$settings['deobfuscate-mode']) ? self::$settings['deobfuscate-mode'] : false;
+    }
+
+    /**
+     * @return self
+     */
+    public static function enableDeobfuscateMode()
+    {
+        self::setDeobfuscateMode(true);
+
+        return new static();
+    }
+
+    /**
+     * @return self
+     */
+    public static function disableDeobfuscateMode()
+    {
+        self::setDeobfuscateMode(false);
+
+        return new static();
+    }
+
     /**
      * @return self
      */
@@ -2019,6 +2125,24 @@ public static function setPathBackups($pathBackups)
         return new static();
     }
 
+    /**
+     * @return string
+     */
+    public static function getPathDeobfuscate()
+    {
+        return self::$pathDeobfuscate;
+    }
+
+    /**
+     * @param string $pathDeobfuscate
+     */
+    public static function setPathDeobfuscate($pathDeobfuscate)
+    {
+        self::$pathDeobfuscate = $pathDeobfuscate;
+
+        return new static();
+    }
+
     /**
      * @return string
      */
@@ -2381,4 +2505,19 @@ protected function setLastError($lastError)
 
         return $this;
     }
+
+    /**
+     * Replace slash.
+     *
+     * @param $path
+     *
+     * @return string
+     */
+    public static function replaceSlash($path)
+    {
+        $path = str_replace(['/', '\\'], DIRECTORY_SEPARATOR, $path);
+        $path = preg_replace('/' . preg_quote(DIRECTORY_SEPARATOR, '/') . '+/', DIRECTORY_SEPARATOR, $path);
+
+        return $path;
+    }
 }
