Merge pull request #1 from c1982/develop

feat: mvp

Author: c1982

.gitignore

@@ -1,15 +1,13 @@
-# Binaries for programs and plugins
 *.exe
 *.exe~
 *.dll
 *.so
-*.dylib
-
-# Test binary, built with `go test -c`
 *.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
 *.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
+vendor/
+go.sum
+scripts/collection-*
+scripts/fuzzy.db
+scripts/fuzzy.db-e
+pkg/fuzzyhash/db
+cmd/shellboy/shellboy

README.md

@@ -1,2 +1,15 @@
 # shellboy
 Web Shell Scanner www.shellboy.net
+
+# Yara Files Sources
+* https://raw.githubusercontent.com/Neo23x0/signature-base/50f14d7d1def5ee1032158af658a5c0b82fe50c9/yara/thor-webshells.yar
+* https://github.com/DarkenCode/yara-rules/blob/master/malware/Webshell-shell.yar
+
+# Data Sources
+* https://github.com/tennc/webshell.git
+* https://github.com/ysrc/webshell-sample.git
+* https://github.com/xl7dev/WebShell.git
+* https://github.com/JohnTroony/php-webshells/tree/master/Collection
+* https://github.com/tanjiti/webshellSample.git
+* https://github.com/BlackArch/webshells
+* https://github.com/tutorial0/WebShell

cmd/shellboy/README.md

@@ -0,0 +1,3 @@
+# shellboy
+
+w00t!

cmd/shellboy/main.go

@@ -0,0 +1,65 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"shellboy/pkg/fuzzyhash"
+	"shellboy/pkg/walk"
+	"strings"
+)
+
+var (
+	Version   = "0.0.0"
+	BuildDate = ""
+)
+
+func main() {
+	currentPath, _ := os.Getwd()
+	rootPath := flag.String("directory", currentPath, "Root directory for scan.")
+	minScore := flag.Int("score", 98, "Minimum similarity score.")
+	minBytes := flag.Int("minbytes", 4000, "Minimum file size (byte). Default 4kb")
+	maxBytes := flag.Int("maxbytes", 1000000, "Maximum file size (byte). Default 1Mb")
+	excludes := flag.String("excludes", "zip,exe,md,rar,gz", "Excluded file extensions. Empty is disabled")
+	includes := flag.String("includes", "", "Included file extensions. Default empty")
+	help := flag.Bool("h", false, "Display this help message")
+	verbose := flag.Bool("v", false, "Verbose mode")
+	flag.Parse()
+
+	if *help {
+		flag.PrintDefaults()
+		return
+	}
+
+	excludeExtensions := strings.Split(*excludes, ",")
+	includeExtensions := strings.Split(*includes, ",")
+	fhash := fuzzyhash.NewFuzzyHash(*minScore)
+	walker := walk.NewWalker(*rootPath, *minBytes, *maxBytes, excludeExtensions, includeExtensions)
+
+	fmt.Printf("scanning...")
+	err := walker.Scan(checkFileHash(fhash, *verbose))
+	if err != nil {
+		fmt.Printf("error: %v\r\n", err)
+	}
+
+	fmt.Printf("done!\r\n")
+}
+
+func checkFileHash(f *fuzzyhash.FuzzyHash, verbose bool) walk.ScanFunc {
+	return func(path string, fileInfo os.FileInfo) error {
+		score, name, err := f.FindHash(path)
+		if err != nil {
+			if verbose {
+				fmt.Printf("error: %s, %s\r\n", err, path)
+			}
+			return nil
+		}
+
+		if score >= f.GetMinScore() {
+			fmt.Printf("score: %d, name: %s, file: %s\r\n", score, name, path)
+			return nil
+		}
+
+		return nil
+	}
+}

go.mod

@@ -0,0 +1,8 @@
+module shellboy
+
+go 1.16
+
+require (
+	github.com/VirusTotal/gyp v0.5.4
+	github.com/glaslos/ssdeep v0.3.1
+)

pkg/fuzzyhash/hash.go

@@ -0,0 +1,98 @@
+package fuzzyhash
+
+import (
+	_ "embed"
+	"sort"
+	"strings"
+
+	"github.com/glaslos/ssdeep"
+)
+
+const (
+	DefaultScore = -1
+	DefaultName  = "unknown"
+)
+
+//go:embed db/fuzzy.db
+var webShellStore string
+
+//FuzzyHash main struct for fuzzyhash package
+type FuzzyHash struct {
+	minscore       int
+	webshellHashes []string
+	webshellCount  int
+}
+
+//NewFuzzyHash create fuzzy hash object for ssdeep hash check
+func NewFuzzyHash(minscore int) *FuzzyHash {
+	f := &FuzzyHash{minscore: minscore}
+	_ = f.LoadHashes(webShellStore)
+	return f
+}
+
+//SetMinScore set minimum webshell score
+func (f *FuzzyHash) SetMinScore(score int) {
+	if score > 100 {
+		score = 100
+	}
+	f.minscore = score
+}
+
+//GetMinScore return the minimum score
+func (f *FuzzyHash) GetMinScore() int {
+	return f.minscore
+}
+
+func (f *FuzzyHash) LoadHashes(store string) int {
+	f.webshellHashes = strings.Split(store, "\n")
+	sort.Strings(f.webshellHashes)
+	return len(f.webshellHashes)
+}
+
+func (f *FuzzyHash) fileHash(file string) (hash string, err error) {
+	h1, err := ssdeep.FuzzyFilename(file)
+	if err != nil {
+		return "", err
+	}
+
+	return h1, err
+}
+
+//FindHash search hash from webshell store
+func (f *FuzzyHash) FindHash(file string) (score int, name string, err error) {
+	var (
+		lo       int
+		hi       int
+		mid      int
+		midValue string
+	)
+
+	filehash, err := f.fileHash(file)
+	if err != nil {
+		return DefaultScore, DefaultName, err
+	}
+
+	hi = len(f.webshellHashes) - 1
+	for lo <= hi {
+		mid = lo + (hi-lo)/2
+		midValue = f.webshellHashes[mid]
+		if s, _ := ssdeep.Distance(filehash, midValue); s >= f.minscore {
+			name = f.getNameFromHash(midValue)
+			return s, name, nil
+		} else if midValue > filehash {
+			hi = mid - 1
+		} else {
+			lo = mid + 1
+		}
+	}
+
+	return score, DefaultName, err
+}
+
+func (f *FuzzyHash) getNameFromHash(hash string) string {
+	blocks := strings.Split(hash, ",")
+	if len(blocks) == 2 {
+		return strings.Trim(blocks[1], `"`)
+	}
+	return DefaultName
+}

pkg/fuzzyhash/hash_test.go

@@ -0,0 +1,46 @@
+package fuzzyhash_test
+
+import (
+	"shellboy/pkg/fuzzyhash"
+	"testing"
+)
+
+var testHashes = `48:Lgyb7ZNBBPggOZNTnhSnPvs+rDsJZ4N1are4mH27BQ:UyzBRluMhnWZ2xs7K,"UpServlet.java"
+1536:TqNXIlidRzaWRNe2dzaWRNedp3n9cumC6bkWsEkpcCj:TsIJlMkWsjj,"jspspy有屏幕.txt"
+3072:l7VXb7dijqGv1r8/7QyrgudxUtbEcM/WTMt4K5ole73WGv:PXtevkxj4K5qbGv,"AspxSpy2014Final.aspx"`
+
+func TestLoadFromStore(t *testing.T) {
+	mockObj := fuzzyhash.FuzzyHash{}
+	count := mockObj.LoadHashes(testHashes)
+	if count != 3 {
+		t.Errorf("invalid hash count. expect: 3, got: %d", count)
+	}
+}
+
+func TestFindHash(t *testing.T) {
+	mockObj := fuzzyhash.FuzzyHash{}
+	mockObj.LoadHashes(testHashes)
+	mockObj.SetMinScore(98)
+
+	score, name, err := mockObj.FindHash("./testdata/AspxSpy2014Final.aspx")
+	if err != nil {
+		t.Errorf("cannot find hash: %v", err)
+	}
+
+	if score != 100 {
+		t.Errorf("invalid hash score. expect: 100, got: %d", score)
+	}
+
+	if name != "AspxSpy2014Final.aspx" {
+		t.Errorf("invalid file name: expect: AspxSpy2014Final.aspx, got: %s", name)
+	}
+}
+
+func BenchmarkFindHash(b *testing.B) {
+	mockObj := fuzzyhash.FuzzyHash{}
+	mockObj.LoadHashes(testHashes)
+	mockObj.SetMinScore(100)
+	for n := 0; n < b.N; n++ {
+		_, _, _ = mockObj.FindHash("./testdata/AspxSpy2014Final.aspx")
+	}
+}