Fixed some bugs and improved some features

README.md

@@ -2,7 +2,7 @@
 
 # AMWSCAN - PHP Antimalware Scanner
 
-**Version:** 0.4.0.59 beta
+**Version:** 0.4.0.60 beta
 
 **Github:** https://github.com/marcocesarato/PHP-Antimalware-Scanner
 

src/Application.php

@@ -81,15 +81,15 @@ private function init() {
 		// Prepare whitelist
 		self::$WHITELIST = CSV::read(self::$PATH_WHITELIST);
 
-        Definitions::optimizeSig(Definitions::$SIGNATURES);
+		Definitions::optimizeSig(Definitions::$SIGNATURES);
 	}
 
 	/**
 	 * Run application
 	 */
 	public function run() {
 		try {
-			if (function_exists('gc_enable') && (function_exists('gc_enable') && !gc_enabled())) {
+			if(function_exists('gc_enable') && (function_exists('gc_enable') && !gc_enabled())) {
 				gc_enable();
 			}
 			// Print header
@@ -241,8 +241,8 @@ private function arguments() {
 		// Check if only signatures mode is enabled
 		if(isset(self::$ARGV['only-definitions'])) {
 			$_REQUEST['definitions'] = true;
-			$_REQUEST['exploits'] = false;
-			$_REQUEST['functions'] = false;
+			$_REQUEST['exploits']    = false;
+			$_REQUEST['functions']   = false;
 		} else {
 			$_REQUEST['definitions'] = false;
 		}
@@ -340,6 +340,11 @@ private function modes() {
 		if($_REQUEST['exploits']) {
 			self::$FUNCTIONS = array();
 		}
+
+		if($_REQUEST['definitions']) {
+			self::$EXPLOITS = array();
+			self::$FUNCTIONS = array();
+		}
 	}
 
 	/**
@@ -382,22 +387,22 @@ public function scanFile($info) {
 		$is_favicon    = self::isInfectedFavicon($info);
 		$pattern_found = array();
 
-        $mime_type = 'text/php';
-        if(function_exists('mime_content_type')){
-            $mime_type = mime_content_type($_FILE_PATH);
-        } elseif(function_exists('finfo_open')){
-            $finfo = finfo_open(FILEINFO_MIME);
-            $mime_type = finfo_file($finfo, $_FILE_PATH);
-            finfo_close($finfo);
-        }
+		$mime_type = 'text/php';
+		if(function_exists('mime_content_type')) {
+			$mime_type = mime_content_type($_FILE_PATH);
+		} elseif(function_exists('finfo_open')) {
+			$finfo     = finfo_open(FILEINFO_MIME);
+			$mime_type = finfo_file($finfo, $_FILE_PATH);
+			finfo_close($finfo);
+		}
 
-        if(preg_match("/^text/i", $mime_type)) {
+		if(preg_match("/^text/i", $mime_type)) {
 
-            $deobfuctator = new Deobfuscator();
+			$deobfuctator = new Deobfuscator();
 
 			$fc              = file_get_contents($_FILE_PATH);
 			$fc_clean        = php_strip_whitespace($_FILE_PATH);
-            $fc_deobfuscated = $deobfuctator->deobfuscate($fc);
+			$fc_deobfuscated = $deobfuctator->deobfuscate($fc);
 			$fc_filtered     = $this->filterCode($fc_deobfuscated);
 
 			// Scan exploits
@@ -433,7 +438,7 @@ public function scanFile($info) {
 				$match_description = null;
 				$func              = preg_quote(trim($_func), '/');
 				// Basic search
-				$regex_pattern        = "/(?:^|[\s\r\n]+|[^a-zA-Z0-9_>]+)(" . $func . "[\s\r\n]*\((?<=\().*?(?=\))\))/si";
+				$regex_pattern = "/(?:^|[\s\r\n]+|[^a-zA-Z0-9_>]+)(" . $func . "[\s\r\n]*\((?<=\().*?(?=\))\))/si";
 				if(@preg_match($regex_pattern, $fc_filtered, $match, PREG_OFFSET_CAPTURE) ||
 				   @preg_match($regex_pattern, $fc_clean, $match, PREG_OFFSET_CAPTURE)) {
 					$last_match        = explode($_func, $match[0][0]);
@@ -487,24 +492,24 @@ public function scanFile($info) {
 				unset($last_match, $match_description, $lineNumber, $regex_pattern, $regex_pattern_base64, $match);
 			}
 
-            foreach (Definitions::$SIGNATURES as $key => $pattern) {
-                $regex_pattern = '#' . $pattern . '#smiS';
-                if (preg_match($regex_pattern, $fc_filtered, $match, PREG_OFFSET_CAPTURE)) {
-                    $last_match        = $match[0][0];
-                    if(!empty($last_match) && @preg_match('/' . preg_quote( $match[0][0], '/') . '/', $fc, $match, PREG_OFFSET_CAPTURE)) {
-                        $lineNumber        = count(explode("\n", substr($fc, 0, $match[0][1])));
-                        $match_description = "Sign " . $key . " [line " . $lineNumber . "]\n => " . $last_match;
-                    }
-                    if(!empty($match_description)) {
-                        $pattern_found[$match_description] = array(
-                            "key"     => $key,
-                            "line"    => $lineNumber,
-                            "pattern" => $regex_pattern,
-                            "match"   => $last_match
-                        );
-                    }
-                }
-            }
+			foreach(Definitions::$SIGNATURES as $key => $pattern) {
+				$regex_pattern = '#' . $pattern . '#smiS';
+				if(preg_match($regex_pattern, $fc_filtered, $match, PREG_OFFSET_CAPTURE)) {
+					$last_match = $match[0][0];
+					if(!empty($last_match) && @preg_match('/' . preg_quote($match[0][0], '/') . '/', $fc, $match, PREG_OFFSET_CAPTURE)) {
+						$lineNumber        = count(explode("\n", substr($fc, 0, $match[0][1])));
+						$match_description = "Sign " . $key . " [line " . $lineNumber . "]\n => " . $last_match;
+					}
+					if(!empty($match_description)) {
+						$pattern_found[$match_description] = array(
+							"key"     => $key,
+							"line"    => $lineNumber,
+							"pattern" => $regex_pattern,
+							"match"   => $last_match
+						);
+					}
+				}
+			}
 
 			unset($fc_filtered, $fc_clean);
 		}
@@ -617,7 +622,7 @@ private function scan($iterator) {
 				$pattern_found = $this->scanFile($info);
 
 				// Check whitelist
-				$in_whitelist  = 0;
+				$in_whitelist = 0;
 				foreach(self::$WHITELIST as $item) {
 					foreach($pattern_found as $key => $pattern) {
 						$lineNumber        = $pattern["line"];
@@ -651,7 +656,7 @@ private function scan($iterator) {
 						$last_command = '0';
 						Console::displayBreak(2);
 						Console::writeBreak();
-						Console::writeLine("PROBABLE MALWARE FOUND!", 1,'red');
+						Console::writeLine("PROBABLE MALWARE FOUND!", 1, 'red');
 
 						while($_WHILE) {
 							$fc            = file_get_contents($_FILE_PATH);
@@ -735,7 +740,7 @@ private function scan($iterator) {
 								Console::displayBreak(2);
 								Console::code($fc);
 								Console::displayBreak(2);
-								Console::display(Console::title("", "="),'black', 'green');
+								Console::display(Console::title("", "="), 'black', 'green');
 								Console::displayBreak(2);
 								Console::displayLine("File sanitized, now you must verify if has been fixed correctly.", 2, "yellow");
 								$confirm2 = Console::read("Confirm and save [y|N]? ", "purple");
@@ -763,7 +768,7 @@ private function scan($iterator) {
 								Console::displayBreak(2);
 								Console::code($fc);
 								Console::displayBreak(2);
-								Console::display(Console::title("", "="),'black', 'green');
+								Console::display(Console::title("", "="), 'black', 'green');
 								Console::displayBreak(2);
 								Console::displayLine("File sanitized, now you must verify if has been fixed correctly.", 2, "yellow");
 								$confirm2 = Console::read("Confirm and save [y|N]? ", "purple");
@@ -939,14 +944,14 @@ static function update() {
 			$version = trim($match[1]);
 			if(version_compare(self::$VERSION, $version, '<')) {
 				Console::write('New version');
-				Console::write(' '.$version.' ');
+				Console::write(' ' . $version . ' ');
 				Console::writeLine('of the scanner available!', 2);
 				$confirm = Console::read('You sure you want update the scanner to the last version [y|N]? ', 'purple');
 				Console::writeBreak();
 				if(strtolower($confirm) == "y") {
 					file_put_contents(__FILE__, $new_version);
 					Console::write('Updated to last version');
-					Console::write(' ('.self::$VERSION.' => '.$version.') ');
+					Console::write(' (' . self::$VERSION . ' => ' . $version . ') ');
 					Console::writeLine('with SUCCESS!', 2);
 				} else {
 					Console::writeLine('Updated SKIPPED!', 2);

src/Console.php

@@ -75,7 +75,7 @@ public static function eol($n) {
 	public static function header() {
 		$version = Application::$VERSION;
 		self::displayBreak(2);
-		$header  = <<<EOD
+		$header = <<<EOD
  █████╗ ███╗   ███╗██╗    ██╗███████╗ ██████╗ █████╗ ███╗   ██╗
 ██╔══██╗████╗ ████║██║    ██║██╔════╝██╔════╝██╔══██╗████╗  ██║
 ███████║██╔████╔██║██║ █╗ ██║███████╗██║     ███████║██╔██╗ ██║
@@ -189,7 +189,7 @@ public static function progress($done, $total, $size = 30) {
 	 * Display title bar
 	 * @param $string
 	 */
-	public static function displayTitle($string, $foreground_color, $background_color){
+	public static function displayTitle($string, $foreground_color, $background_color) {
 		self::display(self::title(""), $foreground_color, $background_color);
 		self::displayBreak();
 		self::display(self::title(strtoupper($string)), $foreground_color, $background_color);
@@ -374,8 +374,8 @@ public static function log($string, $color = "") {
 			$string = trim($string, ".");
 			$string = str_replace(self::eol(1), " ", $string);
 			$string = preg_replace("/[\s]+/m", " ", $string);
-			$type = "INFO";
-			switch($color){
+			$type   = "INFO";
+			switch($color) {
 				case "green":
 					$type = "SUCCESS";
 					break;

src/Definitions.php

@@ -3309,7 +3309,7 @@ public static function optimizeSig(&$sigs) {
 		$txt = implode("\n", $sigs);
 
 		for($i = 24; $i >= 1; ($i > 4) ? $i -= 4 : -- $i) {
-			$txt = preg_replace_callback('#^((?>(?:\\\\.|\\[.+?\\]|[^(\n]|\((?:\\\\.|[^)(\n])++\))(?:[*?+]\+?|\{\d+(?:,\d*)?\}[+?]?|)){' . $i . ',})[^\n]*+(?:\\n\\1(?![{?*+]).+)+#im', 'optMergePrefixes', $txt);
+			$txt = preg_replace_callback('#^((?>(?:\\\\.|\\[.+?\\]|[^(\n]|\((?:\\\\.|[^)(\n])++\))(?:[*?+]\+?|\{\d+(?:,\d*)?\}[+?]?|)){' . $i . ',})[^\n]*+(?:\\n\\1(?![{?*+]).+)+#im', array(__CLASS__, 'optimizeMergePrefixes'), $txt);
 		}
 
 		$sigs = array_merge(explode("\n", $txt), $tmp);
@@ -3318,10 +3318,11 @@ public static function optimizeSig(&$sigs) {
 	}
 
 	/**
+	 * optimizeMergePrefixes
 	 * @param $m
 	 * @return string
 	 */
-	private static function optimizeMergePrefixes($m) {
+	public static function optimizeMergePrefixes($m) {
 		$limit = 8000;
 
 		$prefix     = $m[1];