<?php
/**
* @file qtrPatternsDb.php
* @brief This file contains the patterns database implementation
*
*
* @author Quttera (qtr),
[email protected]
*
* @internal
* Created 01/15/2016
* Compiler gcc/g++
* Company Quttera
* Copyright Copyright (c) 2016, Quttera
*
* This source code is released for free distribution under the terms of the
* GNU General Public License as published by the Free Software Foundation.
* =====================================================================================
*/
// Cleanup operation codes. The guard keys on the first constant only, so a file
// that already declared this group is not redefined when this one is included.
if (defined('CLEANUP_OPERATION_UNDEF') === false) {
    define('CLEANUP_OPERATION_UNDEF', 0);
    define('CLEANUP_OPERATION_CURE', 1);
    define('CLEANUP_OPERATION_QUARANTINE', 2);
}
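/**
 * One detection signature: a regular-expression body plus the metadata that is
 * reported when the expression matches.
 *
 * The pattern text is compiled verbatim by find_match(), so instances should
 * only be built from a signature source the operator trusts.
 */
class CQtrPattern
{
    /** @var mixed Severity value, stored and returned exactly as supplied. */
    protected $_severity;
    /** @var string Regular-expression body, without delimiters or modifiers. */
    protected $_pattern;
    /** @var mixed Descriptive text attached to the signature. */
    protected $_details;
    /** @var mixed Signature name. */
    protected $_name;
    /** @var mixed Values greater than zero mark the signature as curable. */
    protected $_curable;

    /**
     * @param mixed  $severity Severity value reported with a hit.
     * @param string $pattern  Regular-expression body (no delimiters).
     * @param mixed  $details  Descriptive text reported with a hit.
     * @param mixed  $name     Signature name.
     * @param mixed  $curable  Greater than zero when the signature is curable.
     */
    public function __construct($severity, $pattern, $details, $name, $curable = 0)
    {
        $this->_severity = $severity;
        $this->_pattern  = $pattern;
        $this->_details  = $details;
        $this->_name     = $name;
        $this->_curable  = $curable;
    }

    /** @return mixed Severity value given to the constructor. */
    public function severity()
    {
        return $this->_severity;
    }

    /** @return string Regular-expression body given to the constructor. */
    public function pattern()
    {
        return $this->_pattern;
    }

    /** @return mixed Descriptive text given to the constructor. */
    public function details()
    {
        return $this->_details;
    }

    /** @return mixed Signature name given to the constructor. */
    public function name()
    {
        return $this->_name;
    }

    /** @return bool TRUE when the curable value is greater than zero. */
    public function is_curable()
    {
        return $this->_curable > 0;
    }

    /**
     * Run this signature against a buffer.
     *
     * Only the first match is reported. A signature that cannot be evaluated
     * (compile error, PCRE backtrack or recursion limit) yields NULL exactly
     * like a buffer that does not match, so the failure is written to the PHP
     * error log; otherwise a broken or too expensive signature would silently
     * stop detecting anything.
     *
     * @param string $str Buffer to search.
     * @return array|null One-element list holding array($this, matched text),
     *                    or NULL when nothing matched or evaluation failed.
     */
    public function find_match($str)
    {
        $group = array();
        try {
            // "/" is the delimiter, so a literal "/" must already be escaped in
            // the stored pattern. The "m" modifier makes ^ and $ match at line
            // boundaries inside the buffer.
            $match = preg_match("/" . $this->_pattern . "/m", $str, $group);
        } catch (Exception $e) {
            // preg_match() itself reports problems as warnings; this branch is
            // only reached when the host installs an error handler that throws.
            $this->log_failure($e->getMessage());
            return NULL;
        }

        if ($match === false) {
            $this->log_failure('preg_last_error=' . preg_last_error());
            return NULL;
        }

        if ($match > 0) {
            return array(array($this, $group[0]));
        }
        return NULL;
    }

    /** Record a signature that could not be evaluated; never logs scanned content. */
    private function log_failure($reason)
    {
        $label = is_scalar($this->_name) ? (string) $this->_name : '(unnamed)';
        error_log('CQtrPattern: signature "' . $label . '" could not be evaluated: ' . $reason);
    }
}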
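/**
 * In-memory signature set: loaded from an encoded file, then matched against
 * the contents of files on disk.
 */
class CQtrPatternsDatabase
{
    /** @var CQtrPattern[] Loaded signatures, in load order. */
    protected $_database;

    public function __construct()
    {
        $this->_database = array();
    }

    /**
     * Load signatures from $path and append them to the database.
     *
     * On-disk format: base64( rot13( JSON ) ), where the JSON document is a
     * list of [severity, pattern, details, name, curable] entries. That
     * encoding only obscures the content; it carries no checksum or signature,
     * so anyone able to write the file controls what the scanner detects.
     * Keep the file writable by the administrator only.
     *
     * The load fails closed: when the file does not decode to a list, or any
     * entry is malformed, nothing is added and FALSE is returned. Reporting
     * success for a corrupt file would leave the scanner with no signatures,
     * and an entry without a pattern would compile to an empty expression
     * that matches every file.
     *
     * @param string $path Signature file.
     * @return bool TRUE when every entry was accepted, FALSE otherwise.
     */
    public function Load($path)
    {
        if (!is_file($path)) {
            return FALSE;
        }
        // One call instead of fopen/filesize/fread: no handle to leak and no
        // zero-length read on an empty file.
        $body = file_get_contents($path);
        if ($body === false) {
            return FALSE;
        }

        $patterns = json_decode(str_rot13((string) base64_decode($body)));
        if (!is_array($patterns)) {
            return FALSE;
        }

        $loaded = array();
        foreach ($patterns as $entry) {
            if (!is_array($entry) || count($entry) < 4
                || !is_string($entry[1]) || $entry[1] === '') {
                return FALSE;
            }
            $loaded[] = new CQtrPattern(
                $entry[0], /* severity */
                $entry[1], /* pattern */
                $entry[2], /* details */
                $entry[3], /* name */
                isset($entry[4]) ? $entry[4] : 0 /* curable; absent means not curable */
            );
        }

        // Commit only after the whole file validated, so a bad file cannot
        // leave a half-loaded set behind.
        foreach ($loaded as $pattern) {
            $this->_database[] = $pattern;
        }
        return TRUE;
    }

    /**
     * Match the loaded signatures against the contents of one file.
     *
     * Signatures that are not curable are treated as heuristic and are only
     * applied when $heuristic is true. The whole file is read into memory.
     *
     * NULL is returned both when the file cannot be read (missing, empty,
     * unreadable) and when no signature matched, so callers must not record
     * NULL as a "clean" verdict without checking readability themselves.
     *
     * @param string $file_path File to scan.
     * @param bool   $heuristic Also apply non-curable (heuristic) signatures.
     * @return array|null List of array(CQtrPattern, matched text) pairs, or NULL.
     */
    public function Scan($file_path, $heuristic = false)
    {
        if (!is_file($file_path)) {
            return NULL;
        }
        // Replaces fopen/filesize/fread, which returned on an empty file
        // without closing the handle it had just opened.
        $body = file_get_contents($file_path);
        if ($body === false || $body === '') {
            return NULL;
        }

        $matches = array();
        foreach ($this->_database as $pattern) {
            if ($heuristic == false and $pattern->is_curable() == false) {
                // Heuristic signature and heuristics were not requested.
                continue;
            }
            $match = $pattern->find_match($body);
            if ($match != NULL) {
                $matches = array_merge($matches, $match);
            }
        }

        if (count($matches) == 0) {
            return NULL;
        }
        return $matches;
    }
}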
?>