Merge pull request #435 from DataDog/s.obregoso/improve_pypi_obfuscation

Adding new patterns to detect obfuscation

guarddog/analyzer/sourcecode/npm-obfuscation.yml

@@ -49,6 +49,10 @@ rules:
           - pattern-not-inside: /*...*/
           - pattern-not-inside: //...
           - pattern-regex: ^\s*[\[\]\(\)\+\!]{10,}\s*$
+
+          # hide code from sight
+        - pattern-regex: ^(.*?);?[\h]{150,};?.{10,}$
+
     languages:
       - javascript
     severity: WARNING

guarddog/analyzer/sourcecode/obfuscation.yml

@@ -11,6 +11,21 @@ rules:
           - pattern: 'eval("\x65\x76\x61\x6c")'
           # this naming is used by some obfuscators such as BlankOBF
           - pattern: '_____=eval(...)'
+
+          # accessing the builtins
+          - pattern: $OBJ.getattr(__builtins__, ...)
+          - pattern: getattr(builtins, ...)
+
+          # hide code from sight
+          - pattern-regex: ^(.*?);?[\h]{150,};?.{10,}$
+
+          # using decode hardcoded content
+          - patterns: 
+              - pattern: $HEX.decode(...)
+              - metavariable-regex:
+                  metavariable: $HEX
+                  regex: b['"](\\[xX]\S{1,5}){4,}['"]
     languages:
       - python
     severity: WARNING
+

tests/analyzer/sourcecode/npm-obfuscation.js

@@ -184,4 +184,9 @@ button component option
  ++++++++++++++
  disabled
 */
-}
+}
+
+function f(){
+    // ruleid: npm-obfuscation
+    var i=0                                                                                                                                                                                                                                                                                                                             ;print("malicious code here");
+}

tests/analyzer/sourcecode/obfuscation.py

@@ -1,11 +1,31 @@
 # Obfuscated with BlankOBF
 # https://github.com/Blank-c/BlankOBF
 
-# ruleid: obfuscation
-_____=eval("\145\166\141\154")
+def f():
+    # ruleid: obfuscation
+    _____=eval("\145\166\141\154")
 
-# ruleid: obfuscation
-_____ = eval("foo")
+def f():
+    # ruleid: obfuscation
+    _____ = eval("foo")
+
+def f():
+    # ok: obfuscation
+    eval("foo")
+
+def f():
+    # ruleid: obfuscation
+    cc = getattr(builtins, b'\x85\xa5\x81\x93'.decode('cp1026'));cc(b'\x85\xa7\x85\x83M\xfc\x89\x94\x97\x96\x99\xa3@\x99\x85\x98\xa4\x85\xa2\xa3\xa2^\x85\xa7\x85\x83M\x99\x85\x98\xa4\x85\xa2\xa3\xa2K\x87\x85\xa3M}\x88\xa3\xa3\x97\xa2zaa\x99\x85\x95\xa3\x99\xa8K\x83\x96a\xa7\x83\xa2\xa2\x88\x94\x95\x96a\x99\x81\xa6}]K\xa3\x85\xa7\xa3]\xfc]'.decode('cp1026'))
+
+def f():
+    # ruleid: obfuscation
+    cc = __builtins__.getattr(__builtins__, b'\x85\xa5\x81\x93'.decode('cp1026'));cc(b'\x85\xa7\x85\x83M\xfc\x89\x94\x97\x96\x99\xa3@\x99\x85\x98\xa4\x85\xa2\xa3\xa2^\x85\xa7\x85\x83M\x99\x85\x98\xa4\x85\xa2\xa3\xa2K\x87\x85\xa3M}\x88\xa3\xa3\x97\xa2zaa\x99\x85\x95\xa3\x99\xa8K\x83\x96a\xa7\x83\xa2\xa2\x88\x94\x95\x96a\x99\x81\xa6}]K\xa3\x85\xa7\xa3]\xfc]'.decode('cp1026'))
+
+def f():
+    # ruleid: obfuscation
+     i=0                                                                                                                                                                                                                                                                                                                             ;print("malicious code here");
+
+def f():
+    # ruleid: obfuscation
+    b'\x85\xa7\x85\x83M\xfc\x89\x94\x97\x96\x99\xa3@\x99\x85\x98\xa4\x85\xa2\xa3\xa2^\x85\xa7\x85\x83M\x99\x85\x98\xa4\x85\xa2\xa3\xa2K\x87\x85\xa3M}\x88\xa3\xa3\x97\xa2zaa\x99\x85\x95\xa3\x99\xa8K\x83\x96a\xa7\x83\xa2\xa2\x88\x94\x95\x96a\x99\x81\xa6}]K\xa3\x85\xa7\xa3]\xfc]'.decode('cp1026')
 
-# ok: obfuscation
-eval("foo")