{"id":20761706,"url":"https://github.com/s0rg/phpunisher","last_synced_at":"2025-04-30T06:25:39.602Z","repository":{"id":46220046,"uuid":"198482605","full_name":"s0rg/phpunisher","owner":"s0rg","description":"Finds smelly php code pieces","archived":false,"fork":false,"pushed_at":"2024-04-29T08:07:59.000Z","size":94,"stargazers_count":6,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-30T13:34:04.165Z","etag":null,"topics":["golang-application","malware","php","php-analyzer","php-antimalware","scanner","security","static-analysis"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/s0rg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-23T17:57:36.000Z","updated_at":"2023-09-17T12:18:30.000Z","dependencies_parsed_at":"2023-12-28T04:25:33.042Z","dependency_job_id":"738b7a85-fad0-4c30-bc4e-4dc8cf008706","html_url":"https://github.com/s0rg/phpunisher","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0rg%2Fphpunisher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0rg%2Fphpunisher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0rg%2Fphpunisher/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0rg%2Fphpunisher/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/s0rg","download_url":"https://codeload.github.com/s0rg/phpunisher/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251652930,"owners_count":21622040,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang-application","malware","php","php-analyzer","php-antimalware","scanner","security","static-analysis"],"created_at":"2024-11-17T10:25:23.445Z","updated_at":"2025-04-30T06:25:39.575Z","avatar_url":"https://github.com/s0rg.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build](https://github.com/s0rg/phpunisher/workflows/ci/badge.svg)](https://github.com/s0rg/phpunisher/actions?query=workflow%3Aci)\n[![Go Report Card](https://goreportcard.com/badge/github.com/s0rg/phpunisher)](https://goreportcard.com/report/github.com/s0rg/phpunisher)\n[![Maintainability](https://api.codeclimate.com/v1/badges/a495e449a4b9190b6571/maintainability)](https://codeclimate.com/github/s0rg/phpunisher/maintainability)\n[![Test Coverage](https://api.codeclimate.com/v1/badges/a495e449a4b9190b6571/test_coverage)](https://codeclimate.com/github/s0rg/phpunisher/test_coverage)\n\n[![License](https://img.shields.io/badge/license-MIT%20License-blue.svg)](https://github.com/s0rg/phpunisher/blob/main/LICENSE)\n[![Go Version](https://img.shields.io/github/go-mod/go-version/s0rg/phpunisher)](go.mod)\n[![Release](https://img.shields.io/github/v/release/s0rg/phpunisher)](https://github.com/s0rg/phpunisher/releases/latest)\n![Downloads](https://img.shields.io/github/downloads/s0rg/phpunisher/total.svg)\n\n# phpunisher\n\nFinds code pieces, that looks like viruses/trojans inside php source code.\n\nTested on following public malware collections:\n\n- [https://github.com/nikicat/web-malware-collection](https://github.com/nikicat/web-malware-collection)\n- [https://github.com/nbs-system/php-malware-finder](https://github.com/nbs-system/php-malware-finder)\n- [https://github.com/mnutsch/Computer-Security---Malware](https://github.com/mnutsch/Computer-Security---Malware)\n- [https://github.com/sarn1/example-malware-vulnerabilities](https://github.com/sarn1/example-malware-vulnerabilities)\n- [https://github.com/AUCyberClub/php-malwares](https://github.com/AUCyberClub/php-malwares)\n- [https://github.com/nexylan/PHPAV](https://github.com/nexylan/PHPAV)\n- [https://github.com/marcocesarato/PHP-Malware-Collection](https://github.com/marcocesarato/PHP-Malware-Collection)\n- [https://github.com/ollyxar/php-malware-detector](https://github.com/ollyxar/php-malware-detector)\n- [https://github.com/planet-work/php-malware-scanner](https://github.com/planet-work/php-malware-scanner)\n- [https://github.com/bediger4000/php-malware-analysis](https://github.com/bediger4000/php-malware-analysis)\n- [https://github.com/Am0rphous/Malware](https://github.com/Am0rphous/Malware)\n- [https://github.com/harsxv/malware-bucket](https://github.com/harsxv/malware-bucket)\n\n\n# features\n\n- powered by great [php-parser](https://github.com/z7zmey/php-parser) library\n- selected scanners run in parrallel\n- no signatures\n- fully customized detection rules\n\n\n# installation\n\n- [binaries](https://github.com/s0rg/phpunisher/releases) for Linux, macOS and Windows\n\n\n# usage\n\n```\n~# cd /to/your/php/code\n~# phpunisher -report                  # to see report\n~# phpunisher | xargs -d \"\\n\" -n 1 rm  # to remove suspicios\n```\n\nor\n\n```\n~# phpunisher -dump-conf \u003e my_rules.yaml\n~# $EDITOR my_rules.yaml # edit to suit your needs\n~# cd /to/your/php/code\n~# phpunisher -conf /path/to/my_rules.yaml -report\n```\n\n\n# flags\n\n```\n-conf string\n    load scanners config from file\n-dump-conf\n    dump default scanners config to stdout\n-mask string\n    scan masks, use ';' as separator (default \"*.php*\")\n-report\n    show report for found suspects\n-score float\n    minimal score to threat file as suspect\n-version\n    show version\n-workers int\n    workers count (scan parallelism) (default 2)\n```\n\n\n# scanners\n\n- **array-call** finds function calls from array elements\n- **array-ops** notifies if array operations amount is over 20% of all operations\n- **escapes** notifies if string literal has more than two escaped symbols\n- **evals** scans for eval expression\n- **funcs** scans againts 'bad function' list (based on [this article](https://habr.com/en/company/modesco/blog/472092))\n- **include** notifies if whole file is single include instruction\n- **long-str** notifies if string literal rather long (\u003e64 chars) and does not contains any spaces (encoded blobs)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs0rg%2Fphpunisher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fs0rg%2Fphpunisher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs0rg%2Fphpunisher/lists"}