#!/usr/bin/python
# -*- coding: utf-8 -*-


import os
import sys
import re

# ```ops
# title:基于python的简单的webshell脚本检测脚本
# descr:
# ```
rulelist = [
    '(\$_(GET|POST|REQUEST)\[.{0,15}\]\(\$_(GET|POST|REQUEST)\[.{0,15}\]\))',
    '(base64_decode\([\'"][\w\+/=]{200,}[\'"]\))',
    'eval\(base64_decode\(',
    '(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    '(assert\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    '(\$[\w_]{0,15}\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    '(wscript\.shell)',
    '(gethostbyname\()',
    '(cmd\.exe)',
    '(shell\.application)',
    '(documents\s+and\s+settings)',
    '(system32)',
    '(serv-u)',
    '(提权)',
    '(phpspy)',
    '(后门)',
    '(webshell)',
    '(Program\s+Files)'
]


def Scan(path):
    for root, dirs, files in os.walk(path):
        for filespath in files:
            isover = False
            if '.' in filespath:
                ext = filespath[(filespath.rindex('.')+1):]
                if ext == 'php':
                    file = open(os.path.join(root, filespath))
                    filestr = file.read()
                    file.close()
                    for rule in rulelist:
                        result = re.compile(rule).findall(filestr)
                        if result:
                            print('文件：'+os.path.join(root, filespath))
                            print('恶意代码：'+str(result[0]))
                            print('\n\n')
                            break


if os.path.lexists(sys.argv[1]):
    print('\n\n开始扫描：'+sys.argv[1])
    print('               可疑文件                 ')
    print('########################################')
    Scan(sys.argv[1])
    print('提示：扫描完成-- O(∩_∩)O哈哈~')
else:
    print('提示：指定的扫描目录不存在---  我靠( \'o′)！！凸')