v3.1 - PHP-AV to v3.9. Add SHA1 detection, code samples.
-v3.1.
-PHP-AV App to v3.9. Defs to v4.7.
-Add support for SHA1 hash detection ($data3, $virus[4]).
-Add code detection for lots of malicious files. 
-Includes malicious code samples for Golang, Python, C++, node.js, Java, Javascript, PowerShell, Ruby, VBS & more.
-Fix obscenely large logfiles by removing filename logging during scanning.
-To continue logging filenames like before (and generate really large log files) set $CONFIG['debug'] = True;
-Fixed indented code blocks.
-Bump included WordPress version to v5.1.1 (latest).
zelon88 authored Mar 26, 2019
1 parent dd89ee5 commit 04ea940
Showing 3 changed files with 217 additions and 42 deletions.
93 changes: 56 additions & 37 deletions Applications/PHP-AV/PHP-AV-Lib.php
Expand Up @@ -45,49 +45,60 @@ function virus_check($file, $defs, $debug, $defData) {
$filecount++;
if ($file !== $InstLoc.'/Applications/PHP-AV/virus.def') {
if (file_exists($file)) {
$txt = 'Scanning file '.$file.' ... ';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
if ($debug) {
$txt = 'Scanning file '.$file.' ... ';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); }
$filesize = filesize($file);
$data1 = hash_file('md5', $file);
$data2 = hash_file('sha256', $file);
$data3 = hash_file('sha1', $file);
// / Scan files larger than the memory limit by breaking them into chunks.
if ($filesize >= $memoryLimit && file_exists($file)) {
$txt = 'Chunking file ... ';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
if ($debug) {
$txt = 'Chunking file ... ';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); }
$handle = @fopen($file, "r");
if ($handle) {
while (($buffer = fgets($handle, $chunkSize)) !== false) {
$data = $buffer;
if ($debug) {
$txt = 'Scanning chunk ... ';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); }
foreach ($defs as $virus) {
$virus = explode("\t", $virus[0]);
if (isset($virus[1]) && $virus[1] !== '' && $virus[1] !== ' ') {
if (strpos($data, $virus[1]) or strpos($file, $virus[1])) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', Data Match: '.$virus[1].')';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } } } }
if (!feof($handle)) {
$txt = 'ERROR!!! PHPAV160, Unable to open '.$file.' on '.$Time.'!';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>'; }
if ($handle) {
while (($buffer = fgets($handle, $chunkSize)) !== false) {
$data = $buffer;
if ($debug) {
$txt = 'Scanning chunk ... ';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); }
foreach ($defs as $virus) {
$virus = explode("\t", $virus[0]);
if (isset($virus[1]) && $virus[1] !== '' && $virus[1] !== ' ') {
if (strpos($data, $virus[1]) or strpos($file, $virus[1])) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', Data Match: '.$virus[1].')';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } } } }
if (!feof($handle)) {
$txt = 'ERROR!!! PHPAV160, Unable to open '.$file.' on '.$Time.'!';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>'; }
fclose($handle); }
if (isset($virus[2]) && $virus[2] !== '' && $virus[2] !== ' ') {
if (strpos($data1, $virus[2])) {
if (isset($virus[2]) && $virus[2] !== '' && $virus[2] !== ' ') {
if (strpos($data1, $virus[2])) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', MD5 Hash Match: '.$virus[2].')';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } }
if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') {
if (strpos($data2, $virus[3])) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', MD5 Hash Match: '.$virus[2].')';
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } }
if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') {
if (strpos($data2, $virus[3])) {
if (isset($virus[4]) && $virus[4] !== '' && $virus[4] !== ' ') {
if (strpos($data3, $virus[4])) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')';
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA1 Hash Match: '.$virus[4].')';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
Expand Down Expand Up @@ -116,14 +127,22 @@ function virus_check($file, $defs, $debug, $defData) {
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } }
if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') {
if (strpos($data2, $virus[3])) {
if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') {
if (strpos($data2, $virus[3])) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } } }
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } }
if (isset($virus[4]) && $virus[4] !== '' && $virus[4] !== ' ') {
if (strpos($data3, $virus[4])) {
// File matches virus defs.
$txt = 'Infected: '.$file.' ('.$virus[0].', SHA1 Hash Match: '.$virus[4].')';
$MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND);
$report .= '<p class="r">'.$txt.'</p>';
$infected++;
$clean = 0; } } }
if (($debug) && ($clean)) {
$report .= '<p class="g">Clean: '.$file.'</p>'; } } }
// / -----------------------------------------------------------------------------------
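Review bot: The new SHA1 branch `if (strpos($data3, $virus[4]))` (and the MD5/SHA256 branches beside it, in both hunks of this file) can never fire on an exact match: hash_file() returns the bare hex digest, so a definition hash equal to it sits at offset 0 and strpos returns 0, which the bare truth test reads as "no match". The same offset-0 problem hits `strpos($data, $virus[1])` whenever the pattern begins a chunk or the path. Compare digests with `if (hash_equals($data3, $virus[4])) {` (likewise `$data1`/`$virus[2]` and `$data2`/`$virus[3]`) and content with `strpos($data, $virus[1]) !== false`. Separately, `$txt` is concatenated into `$report` as HTML without escaping while this commit's new definitions contain literal markup such as `<title>AhMyth</title>`, so a hit would inject that markup into the report; pass `$file` and the definition fields through htmlspecialchars() before building the `<p class="r">` line. virus_check() starts and ends outside these hunks.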
7 changes: 3 additions & 4 deletions Applications/PHP-AV/PHP-AV.php
Expand Up @@ -3,7 +3,7 @@
/*//
HRCLOUD2-PLUGIN-START
App Name: PHP-AV
App Version: v3.8 (8-21-2018 00:00)
App Version: v3.9 (3-25-2019 00:00)
App License: GPLv3
App Author: FujitsuBoy (aka Keyboard Artist) & zelon88
App Description: A simple HRCloud2 App for scanning files for viruses.
Expand Down Expand Up @@ -48,18 +48,17 @@

// / -----------------------------------------------------------------------------------
// / The following code sets the variables for the session.
$versions = 'PHP-AV App v3.8 | Virus Definition v4.6, 8/1/2018';
$versions = 'PHP-AV App v3.9 | Virus Definition v4.7, 3/25/2019';
$memoryLimitPOST = str_replace(str_split('~#[](){};:$!#^&%@>*<"\''), '', $_POST['AVmemoryLimit']);
$chunkSizePOST = str_replace(str_split('~#[](){};:$!#^&%@>*<"\''), '', $_POST['AVchunkSize']);
$report = '';
$dircount = 0;
$filecount = 0;
$infected = 0;
$CONFIG = Array();
$CONFIG['debug'] = 0;
$abort = $CONFIG['debug'] = FALSE;
$CONFIG['scanpath'] = $_SERVER['DOCUMENT_ROOT'];
$CONFIG['extensions'] = Array();
$abort = FALSE;
$AVLogDir = $InstLoc.'/DATA/'.$UserID.'/.AppData/'.$Date;
$AVLogFile = $AVLogDir.'/PHPAV-'.$SesHash.'-'.$Date.'.txt';
$AVLogURL = str_replace(str_split('~#[](){};$!#^&%@>*<"\''), '', '/HRProprietary/HRCloud2/DATA/'.$UserID.'/.AppData/'.$Date.'/PHPAV-'.$SesHash.'-'.$Date.'.txt');
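Review bot: `$abort = $CONFIG['debug'] = FALSE;` ties two unrelated flags into one chained assignment, so a user who edits the debug flag as the commit message suggests can easily end up changing `$abort` as well. Keep them as separate statements, `$CONFIG['debug'] = FALSE;` followed by `$abort = FALSE;`, so the documented `$CONFIG['debug'] = True;` edit maps onto a single line. Switching the old `0` to a boolean is fine for the `if ($debug)` gates in PHP-AV-Lib.php, presumably via an assignment from `$CONFIG['debug']` that lives outside this hunk.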
159 changes: 158 additions & 1 deletion Applications/PHP-AV/virus.def
Expand Up @@ -714,6 +714,163 @@ Trojan Disttrak.31 vdsk911.sys
Trojan Disttrak.32 ntertmgr32.exe
Trojan Disttrak.33 ntertmgr64.exe
Trojan Disttrak.34 usbvideo324.pnf
Trojan Ruby.1 if first_line != virus_top b727b40999396587cf41dcb0e0a65ec0 131fa083cb8cd7ed02f48f4fba0f5190ea60d700031c00542c366097b4657463
Trojan Ruby.2 = '#0x3a'
Trojan Ruby.3 w.call(FUScaZXvqH,
Trojan Ruby.4 FzJnoy
Trojan Ruby.5 WMIC.exe shadowcopy delete
Trojan Ruby.6 vssadmin.exe delete shadows
Trojan Ruby.7 Bcdedit.exe /set {default} recoveryenabled no
Trojan Ruby.8 Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Trojan Ruby.9 cmd.exe /C wevtutil.exe cl
Trojan PowerShell.1 110.10.179.65:80 638b7b0536217c8923e856f4138d9caff7eb309d
Trojan PowerShell.2 download/microsoftp.jpg d30e8c7543adbc801d675068530b57d75cabb13f
Trojan PowerShell.3 <Command>mshta.exe</Command> 973b1ca8661be6651114edf29b10b31db4e218f7
Trojan PowerShell.4 syscheck.vbs 691686839681adb345728806889925dc4eddb74e
Trojan PowerShell.5 SndVolSSO.txt 3cf4b44c9470fb5bd0c16996c4b2a338502a7517
Trojan PowerShell.6 activator.ps1:log.txt
Trojan PowerShell.7 sunjavascheduler.txt
Trojan PowerShell.8 Const HIDDEN_WINDOW = 12
Trojan PowerShell.9 ("/OGaaaaa6ytd
Trojan PowerShell.10 kb-10233.exe
Trojan PowerShell.11 product_info.dll
Trojan PowerShell.12 208.67.222.222:53
Trojan PowerShell.13 teriava.com
Trojan PowerShell.14 $$cpte
Trojan PowerShell.15 $$ecpte
Trojan PowerShell.16 testObj.Remove 1
Trojan PowerShell.17 kerberos::tgt exit
Trojan PowerShell.18 logonpasswords exit
Trojan PowerShell.19 sekurlsa
Trojan PowerShell.20 lsadump::sam exit
Trojan PowerShell.21 kerberos:ptt
Trojan PowerShell.22 c:\programdata\log.dat
Trojan CPP.1 SetWindowsHookEx(WH_CBT, msgBoxHook, 0, GetCurrentThreadId());
Trojan CPP.2 enablePayloads
Trojan CPP.3 waveOutOpen(&hwo, WAVE_MAPPER, &fmt, NULL, NULL, CALLBACK_NULL);
Trojan CPP.4 BY THE MEMZ TROJAN.
Trojan CPP.5 KILLMSGS,
Trojan CPP.6 "KillMessages"
Trojan CPP.7 \nYour PC is
Trojan CPP.8 Sleep(payloads[p].startDelay);
Trojan CPP.9 HANDLE note = CreateFileA("\\note.txt", GENERIC_READ | GENERIC_WRITE,1
Trojan CPP.10 considered malware.\r\n\
Trojan CPP.11 CreateThread(NULL, NULL, &watchdogThread, NULL, NULL, NULL);
Trojan CPP.12 LRESULT CALLBACK watchdogWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);
Trojan CPP.13 DWORD WINAPI ripMessageThread(LPVOID parameter) {
Trojan CPP.14 void killWindows() { 5421781c2c05e64ef20be54e2ee32e37
Trojan CPP.15 void killWindowsInstant() { 5394b09cf2a0b3d1caaecc46c0e502e3
Trojan CPP.16 PUNICODE_STRING AccountName, 1a4d58e281103fea2a4ccbfab93f74d2
Trojan CPP.17 OutputDebugString(L"PasswordFilter"); 018433e8e815d9d2065e57b759202edc
Trojan CPP.18 FILE* pFile = fopen("c:\\windows\\temp\\logFile.txt", "a+"); facec411b6d6aa23ff80d1366633ea7a
Trojan Go.1 MAIL TO WHOEVER IS IMPORTANT
Trojan Go.2 All your servers will be DDoS
Trojan Go.3 We are Armada Collective.
Trojan Go.4 struct scanner.PHP{
Trojan Go.5 struct scanner.Service{
Trojan Go.6 iface scanner.Dialer{
Trojan Go.7 iface scanner.Scanner{
Trojan Go.8 iface scanner.PHPExecutor{
Trojan Go.9 struct scanner.ConnScanner {
Trojan Go.10 struct scanner.HTTP { 0bf24e0bc69f310c0119fc199c8938773cdede9d1ca6ba7ac7fea5c863e0f099
Trojan Go.11 struct scanner.HttpScanner{ 3fcd17aa60f1a70ba53fa89860da3371a1f8de862855b4d1e5d0eb8411e19adf
Trojan Go.12 struct scanner.Drupal{ 513224149cd6f619ddeec7e0c00f81b55210140707d78d0e8482b38b9297fc8f
Trojan Go.13 struct scanner.Wordpress { 941330c6be0af1eb94741804ffa3522a68265f9ff6c8fd6bcf1efb063cb61196
Trojan Go.14 int main_main() 992ed9c632eb43399a32e13b9f19b769c73d07002d16821dde07daa231109432
Trojan Go.15 tmweb.ru
Trojan Go.16 "Ethereum-WalletFailed to find Failed
Trojan Go.17 FindNextVolumeWFindVolume
Trojan Go.18 "monero-keystorems: gomaxprocs=multipart
Trojan Go.19 HyperCheats.rar
Trojan Go.20 HyperCheats.zip
Trojan Node.1 rawReq.write(JSON.stringify(body, null, 2))
Trojan Node.2 var reproduce = function(target) {
Trojan Node.3 var getEntryPoint = function(packageJSON) { 8b90859b19e3e3dea8d923996709210ed48ff3249563f56ff12eb1936ffcc295
Trojan Node.4 var getTargets = function(targets, dir) { afc100fb28f7bac05e41d9ae33f184502b8068642b7fd05970eb72bf1786892c
Trojan Python.1 injecteex64 5ffefc13a49c138ac1d454176d5a19fd
Trojan Python.2 injecteex86 b508908cc44a54a841ede7214d34aff3
Trojan Python.3 MinerBlocker e5ba5f821da68331b875671b4b946b56
Trojan Python.4 proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) 596dc36cd6eabd8861a6362b6b55011a
Trojan Python.5 SetValueEx(key ,'Adobe_ReaderX',0,REG_SZ,r"%TEMP%mw.exe") 645176c6d02bdb8a18d2a6a445dd1ac3
Trojan Python.6 bablo39.php
Trojan Python.7 188.225.18.203
Trojan Python.8 @.*@ -> inject js/i.js
Trojan Python.9 80 -> 24861
Trojan Python.10 443 -> 24136
Trojan Python.11 95.56.246.182
Trojan Python.12 194.105.148.87
Trojan Python.13 213.135.106.194
Trojan Python.14 aWJhbmswbmVja2xhY2UucnU
Trojan Python.15 b24saW51LmFsZWZiYW5rLnJ1
Trojan Python.16 aWJhbmsuc3Bpcm10YmFuay5ydQ
Trojan Python.17 dmJyci5ydQ
Trojan Python.18 ZGJvMS51cmFsZm
Trojan Python.19 b2ZjLnJ1
Trojan Python.20 cm9kbmF5YXN2eWF6LnJ1
Trojan Python.21 *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}
Trojan Python.22 l.IsValidCodePage(587903595)
Trojan Python.23 l.GetFileSize(4028719249,0)
Trojan Python.24 A.SwitchDesktop(2761630931)
Trojan Python.25 l.VerSetConditionMask(4023949374,975516802,3027135998,9930938)
Trojan Python.26 l.GetFileType(4282997275)
Trojan Python.27 C.glColor3ub(255, 255, 255)
Trojan Python.28 a = [[(- 1), (- 1)], [(- 1), 1], [1, 1], [1, (- 1)]]
Trojan Python.29 _fields_ = [('pt', c_ushort),
Trojan Python.30 A.RegisterHotKey(3322104681,3081727047,2221883463,745264245)
Trojan Python.31 _fields_ = [('Lt', c_ulong),
Trojan Python.32 drunkdared=spokenbier+meantreads
Trojan Python.33 R('Not an MZ image!')
Trojan Python.34 villainweapon('echorough='+solehers)
Trojan Python.35 R(("Failed to resolve the the '%s!%s' import" % (string_at(LO), string_at(mG))))
Trojan Python.36 pupilabhorred="r"
Trojan Python.37 villainweapon=exec
Trojan Python.37 dmJyci5ydQ==
Trojan Python.38 cnNoYi5ydQ==
Trojan Python.39 Y2hhc2UuY29t
Trojan Python.40 fellreels="r"
Trojan Python.41 aS12dGIuYnk=
Trojan Python.42 Z29zdXNsdWdpLnJ1
Trojan Python.43 aWIuc2xzcC5zaw==
Trojan Python.44 ZGVsdGEtb25saW5lLmt6
Trojan Python.45 dWJyci5ydQ==
Trojan Python.46 eWFyYmFuay5ydQ==
Trojan Python.47 c21wb25iYW5rLnJ1
Trojan Python.48 d3d3LnlhbmRleC5jb20=
Trojan Python.49 aWJhbmsyLnJ1
Trojan Python.50 YmFuay50YWF0dGEucnU=
Trojan Python.51 b25saW5lLmJtLnJ1
Trojan Python.52 YWxiYW5rLnJ1
Trojan Python.53 YnNiLmJ5
Trojan Python.54 aWJhbTI0LnJ1
Trojan Python.55 bW1iYW5rLnJ1
Trojan Python.56 YXZiYW5rLnJ1
Trojan Python.57 if (c.cd) eval(c01(c10(bd(c.cd))));
Trojan Python.58 googletagmanage.com
Trojan Python.59 h = JSON.parse(h);
Trojan Python.60 eval(c01(c10(bd(html.cd))));
Trojan Python.61 var exec = "di9+aC83PHA=";
Trojan Python.62 1e22b;CertFreeCertificateChain->51380;5
Trojan Python.63 1c8b6;WSAConnectByNameA->50c60;5
Trojan Python.64 value = text.value # Dump the content in value
Trojan Python.65 get_keystrokes(log_dir, log_name):
Trojan Python.66 keylogger.get_keystrokes(log_dir, log_name)
Trojan Python.67 elif i == 0x0d: # If <ENTER>, log the line typed then clear the line variable
Trojan VBS.1 SmallPlasticKeyboard7 = Round(447)
Trojan VBS.2 Avon82 = Round(608)
Trojan VBS.3 backingup43 = "Web"
Trojan VBS.4 copy23 = Round(MoneyMarketAccount37)
Trojan VBS.5 Function reboot5()
Trojan VBS.6 withdrawal60 = Round(412)
Trojan VBS.7 "_4@http:"
Trojan VBS.8 AwesomeSteelComputer16 = "nde.com.br"
Trojan VBS.9 Metal33 = "2@http:/"
Trojan VBS.10 reboot5 = withdrawal2 + ComputersGardenBooks30 + BooksGroceryBeauty50
Trojan VBS.11 compelling69 = "" + program71 + GroceryBeauty72
Trojan Java.1 <title>AhMyth</title>
Trojan Java.2 assertEquals("ahmyth.mine.king.ahmyth", appContext.getPackageName());
Trojan JS.1 victimsList.addVictim(
Trojan JS.2 victimsList.getVictim(index).socket;
Trojan JS.3 send("SocketIO:VictimDisconnected");
Crazy Toolbar IE Exploit crazy-toolbar.com
JS.Scob.Trojan 217.107.218.147
Liber Inc. Exploit advadmin.biz
Expand Down Expand Up @@ -2169,4 +2326,4 @@ Known Ransomware Host: RigEK.2 hdyejdn638ir8.com
Known Ransomware Host: RigEK.3 parking-services.us
Known Ransomware Host: RigEK.4 188.225.78.226
Known Ransomware Host: RigEK.5 188.225.35.5
Known Ransomware Host: RigEK.6 wdwefwefwwfewdefewfwefw.onion
Known Ransomware Host: RigEK.6 wdwefwefwwfewdefewfwefw.onion
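Review bot: `Trojan Python.37` is assigned twice in the new block (the `villainweapon=exec` line and the base64 line directly after it), so two different patterns will report under the same ID; renumber the second entry and shift the Python entries that follow. The `PowerShell.1` through `PowerShell.5` lines carry a 40-hex-character digest in the third column, which the scanner in PHP-AV-Lib.php reads as the MD5 column (`$virus[2]`) and compares against an MD5 digest; if the columns are positional, those SHA1 values need to sit in the fifth column with the MD5 and SHA256 columns left empty, or they will never match. Several new content patterns are very short or generic (`FzJnoy`, `80 -> 24861`, `sekurlsa`, and a well-known public DNS resolver address on PowerShell.12), and because the scanner also runs each pattern against the file path, expect false positives on ordinary configuration and security documentation; consider requiring a hash column for such weak strings or lengthening them.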

0 comments on commit 04ea940
