Fix undetected malwares in scanner#140
Merged
Merged
Conversation
Closed
Agent-Logs-Url: https://github.com/marcocesarato/PHP-Antimalware-Scanner/sessions/1a932226-2fdc-471c-97ce-7638ab75df07 Co-authored-by: marcocesarato <36447518+marcocesarato@users.noreply.github.com>
Copilot stopped work on behalf of
marcocesarato due to an error
May 5, 2026 21:35
Owner
|
@copilot continue |
Contributor
Author
All tasks are now complete. Here's a summary of what was done: 4 new exploit patterns added to
2 new malware fixture files added:
All three original malware samples from the issue are now detected, and no false positives were introduced on the clean fixtures. |
Copilot
AI
changed the title
[WIP] Fix undetected malwares in scanner
Fix undetected malwares in scanner
May 6, 2026
There was a problem hiding this comment.
Pull request overview
This PR extends the scanner’s exploit detection definitions by adding new regex-based patterns to catch additional backdoor/obfuscation techniques, and adds new malware fixture files intended to serve as regression samples for those detections.
Changes:
- Added four new exploit patterns in
src/Exploits.phptargeting cookie-based backdoors, XOR+str_repeatdecoding,str_replace-then-evalexecution, and obfuscatedurldecodenaming. - Added two new malware fixture files under
tests/Fixtures/malware/to exercise the new detections.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/Fixtures/malware/globals_include_backdoor.php | Adds a malware fixture demonstrating obfuscated urldecode naming and global-state include behavior. |
| tests/Fixtures/malware/cookie_backdoor.php | Adds a malware fixture demonstrating cookie-driven payload assembly, XOR decoding, and str_replace + eval execution. |
| src/Exploits.php | Adds four new exploit regex patterns intended to detect previously undetected malware families/techniques. |
| 'cookie_backdoor' => [ | ||
| 'description' => 'Cookie-based backdoor that reads HTTP cookie data using a substring of an obfuscated key to retrieve and execute malicious payloads', | ||
| 'level' => CodeMatch::DANGEROUS, | ||
| 'pattern' => '/\$_COOKIE[\s]*;.*?@?\$\w+[\s]*\[[\s]*substr[\s]*\(/si', |
Comment on lines
+452
to
+454
| // urldecode/rawurldecode function name built via string concatenation to evade detection | ||
| 'urldecode_obfuscation' => [ | ||
| 'description' => 'Obfuscated urldecode or rawurldecode function call built via string concatenation, typically used to hide XOR-based payload decoding in backdoors', |
Comment on lines
+435
to
+438
| 'cookie_backdoor' => [ | ||
| 'description' => 'Cookie-based backdoor that reads HTTP cookie data using a substring of an obfuscated key to retrieve and execute malicious payloads', | ||
| 'level' => CodeMatch::DANGEROUS, | ||
| 'pattern' => '/\$_COOKIE[\s]*;.*?@?\$\w+[\s]*\[[\s]*substr[\s]*\(/si', |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds four new exploit detection patterns to
src/Exploits.phpto catch three previously undetected malware families, along with malware fixture files for regression testing.New Exploit Patterns
cookie_backdoor: Detects$_COOKIEassigned to a local variable and then accessed via asubstr()-based key — characteristic of cookie-based PHP backdoors (malwares 1 & 3)xor_str_repeat: Detects$arr[0] ^ str_repeat($key, ...)XOR decryption used to decode cookie-supplied payloads (malwares 1 & 3)str_replace_eval: Detectsstr_replace(..., '', ...)immediately followed byeval(), used to strip<?phpfrom a stored payload before executing it (malwares 1 & 3)urldecode_obfuscation: Detects"url" . "decode"string-concatenation obfuscation of theurldecodefunction name (malware 2)New Malware Fixtures
tests/Fixtures/malware/cookie_backdoor.php— exercisescookie_backdoor,xor_str_repeat, andstr_replace_evalpatternstests/Fixtures/malware/globals_include_backdoor.php— exercisesurldecode_obfuscationpatternTesting