feat: add new funtions encoded and add new decoders for functions

marcocesarato · marcocesarato · commit e08a2ac66480 · 2020-12-31T16:39:40.000+01:00
diff --git a/src/Definitions.php b/src/Definitions.php
@@ -483,6 +483,59 @@ class Definitions
         "escapeshellcmd",*/
     ];
 
+    /**
+     * Default encoded functions definitions.
+     *
+     * @var array
+     */
+    public static $FUNCTIONS_ENCODED = [
+        'il_exec',
+        'shell_exec',
+        'eval',
+        'system',
+        'create_function',
+        'exec',
+        'assert',
+        'syslog',
+        'passthru',
+        'define_syslog_variables',
+        'debugger_off',
+        'debugger_on',
+        'parse_ini_file',
+        'show_source',
+        'symlink',
+        'popen',
+        'posix_kill',
+        'posix_getpwuid',
+        'posix_mkfifo',
+        'posix_setpgid',
+        'posix_setsid',
+        'posix_setuid',
+        'posix_uname',
+        'proc_close',
+        'proc_get_status',
+        'proc_nice',
+        'proc_open',
+        'proc_terminate',
+        'ini_alter',
+        'ini_get_all',
+        'ini_restore',
+        'parse_ini_file',
+        'inject_code',
+        'apache_child_terminate',
+        'apache_setenv',
+        'apache_note',
+        'define_syslog_variables',
+        'escapeshellarg',
+        'escapeshellcmd',
+        'base64_decode',
+        'urldecode',
+        'rawurldecode',
+        'str_rot13',
+        'preg_replace',
+        'create_function',
+    ];
+
     /**
      * Signatures.
      *
diff --git a/src/Scanner.php b/src/Scanner.php
@@ -927,12 +927,19 @@ public function scanFile($info)
                  * Encoded functions.
                  */
                 if (in_array($funcRaw, self::$functionsEncoded)) {
-                    // Check base64 functions
-                    $regexPatternBase64 = '/' . base64_encode($funcRaw) . '/s';
-                    foreach ($contents as $content) {
-                        if (@preg_match_all($regexPatternBase64, $content, $matches, PREG_OFFSET_CAPTURE)) {
-                            foreach ($matches[0] as $match) {
-                                $checkFunction($match, $regexPatternBase64, Definitions::LVL_DANGEROUS, 'base64');
+                    $decoders = [
+                        'str_rot13',
+                        'base64_decode',
+                        'strrev',
+                    ];
+                    foreach ($decoders as $decoder) {
+                        // Check encoded functions
+                        $regexPatternEncoded = '/' . @$decoder($funcRaw) . '/s';
+                        foreach ($contents as $content) {
+                            if (@preg_match_all($regexPatternEncoded, $content, $matches, PREG_OFFSET_CAPTURE)) {
+                                foreach ($matches[0] as $match) {
+                                    $checkFunction($match, $regexPatternEncoded, Definitions::LVL_DANGEROUS, $decoder);
+                                }
                             }
                         }
                     }
@@ -2020,7 +2027,8 @@ public static function setFunctions($functions)
      */
     public static function setFunctionsEncoded($functions)
     {
-        self::$functionsEncoded = $functions;
+        $encodedFunc = array_unique(array_merge($functions, Definitions::$FUNCTIONS_ENCODED));
+        self::$functionsEncoded = $encodedFunc;
 
         return new static();
     }
