File tree Expand file tree Collapse file tree 3 files changed +54
-21
lines changed
src/macaron/resources/pypi_malware_rules
tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation Expand file tree Collapse file tree 3 files changed +54
-21
lines changed Original file line number Diff line number Diff line change @@ -319,6 +319,8 @@ rules:
319319 languages :
320320 - python
321321 severity : ERROR
322- patterns :
323- - pattern-regex : ' [\s]{50,}(\S)+' # The 50 here is the threshold for excessive spacing , more than that is considered obfuscation
324- - pattern-not-regex : ' """[\s\S]*"""'
322+ pattern-either : # The 50 here is the threshold for excessive spacing , more than that is considered obfuscation
323+ # there is excessive spacing after a ";", marking the end of a statement, then additional code.
324+ - pattern-regex : ;[\s]{50,}(\S)+
325+ # there is excessive spacing before a ";", and any amount of whitespace before additional code.
326+ - pattern-regex : ' [\s]{50,};[\s]*(\S)+'
Original file line number Diff line number Diff line change @@ -20,6 +20,7 @@ def test_function():
2020 """
2121 sys .exit ()
2222
23- # excessive spacing obfuscation
24- def excessive_spacing_flow ():
25- print ("Hello world!" )
23+ # excessive spacing obfuscation. The second line here will trigger two detections, which is expected since it matches both patterns.
24+ print ("hello" ); __import__ ('os' )
25+ print ("hi" ) ; __import__ ('base64' )
26+ print ("things" ) ;__import__ ('zlib' )
Original file line number Diff line number Diff line change 5353 "start" : 44 ,
5454 "end" : 44
5555 },
56+ {
57+ "file" : " obfuscation/excessive_spacing.py"
58+ "start" : 24 ,
59+ "end" : 24
60+ },
61+ {
62+ "file" : " obfuscation/excessive_spacing.py"
63+ "start" : 25 ,
64+ "end" : 25
65+ },
66+ {
67+ "file" : " obfuscation/excessive_spacing.py"
68+ "start" : 26 ,
69+ "end" : 26
70+ },
5671 {
5772 "file" : " obfuscation/inline_imports.py"
5873 "start" : 23 ,
105120 }
106121 ]
107122 },
123+ "src.macaron.resources.pypi_malware_rules.obfuscation_excessive-spacing" : {
124+ "message" : " Hidden code after excessive spacing"
125+ "detections" : [
126+ {
127+ "file" : " obfuscation/excessive_spacing.py"
128+ "start" : 24 ,
129+ "end" : 24
130+ },
131+ {
132+ "file" : " obfuscation/excessive_spacing.py"
133+ "start" : 25 ,
134+ "end" : 25
135+ },
136+ {
137+ "file" : " obfuscation/excessive_spacing.py"
138+ "start" : 25 ,
139+ "end" : 25
140+ },
141+ {
142+ "file" : " obfuscation/excessive_spacing.py"
143+ "start" : 26 ,
144+ "end" : 26
145+ },
146+ {
147+ "file" : " obfuscation/inline_imports.py"
148+ "start" : 27 ,
149+ "end" : 27
150+ }
151+ ]
152+ },
108153 "src.macaron.resources.pypi_malware_rules.obfuscation_obfuscation-tools" : {
109154 "message" : " Found an indicator of the use of a python code obfuscation tool"
110155 "detections" : [
229274 "end" : 68
230275 }
231276 ]
232- },
233- "src.macaron.resources.pypi_malware_rules.obfuscation_excessive-spacing" : {
234- "message" : " Hidden code after excessive spacing"
235- "detections" : [
236- {
237- "file" : " obfuscation/excessive_spacing.py"
238- "start" : 24 ,
239- "end" : 25
240- },
241- {
242- "file" : " obfuscation/inline_imports.py"
243- "start" : 27 ,
244- "end" : 27
245- }
246- ]
247277 }
248278 },
249279 "disabled_sourcecode_rule_findings" : {}
You can’t perform that action at this time.
0 commit comments