Merge pull request #316 from DataDog/fix-false-negative-exec-base64
Identify when code is decrypted and executed on the fly
christophetd authored Apr 3, 2024
2 parents fb663d1 + abfab37 commit ba5e53f
Showing 2 changed files with 5 additions and 1 deletion.
1 change: 1 addition & 0 deletions guarddog/analyzer/sourcecode/exec-base64.yml
Expand Up @@ -55,4 +55,5 @@ rules:
- pattern: decode("...")
- pattern: __import__("base64").b64decode(...)
- pattern: marshal.loads(zlib.decompress(...))
- pattern: $FUNC("...").decrypt(...)
severity: WARNING
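Review bot: The new `$FUNC("...").decrypt(...)` pattern only fires when the decryptor's constructor takes exactly one string literal, so the very false negative this commit targets comes straight back as soon as the key lives in a variable (`Fernet(key).decrypt(...)`), is derived at runtime (`Fernet(base64.b64decode(...)).decrypt(...)`), or the constructor takes several arguments as block-cipher APIs usually do. Loosening the receiver to `$FUNC(...).decrypt(...)` or simply `$OBJ.decrypt(...)` would cover those cases with no real loss of precision, since a `.decrypt(...)` result feeding the surrounding pattern is the signal, not the literal key. Please also confirm that the `"..."` literal in this pattern matches the `b'...'` bytes literal used by the accompanying test, and, since this pattern has nothing to do with base64, update the rule's description/message so the name `exec-base64` does not mislead anyone reading a finding that was triggered by Fernet.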
5 changes: 4 additions & 1 deletion tests/analyzer/sourcecode/exec-base64.py
Expand Up @@ -111,4 +111,7 @@
"<string>",
"exec",
)
)
)

# ruleid: exec-base64
exec(Fernet(b'E15Vxxx=').decrypt(b'gAAAxxx='))
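Review bot: Only the positive case is exercised here; add an `# ok: exec-base64` counterpart so the test also pins down what the pattern must not match, for example a `Fernet(b'E15Vxxx=').decrypt(b'gAAAxxx=')` whose result is assigned to a variable rather than passed to `exec`, and a second positive case with the key in a variable (`exec(Fernet(key).decrypt(token))`) so the expected coverage of the new pattern is documented by the test rather than left to the reader of the YAML. Since `Fernet` is never imported in this file, a one-line comment noting that the fixture is matched syntactically by Semgrep and is not meant to run would help the next person who wonders why the file would raise `NameError`.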
