diff --git a/src/macaron/resources/pypi_malware_rules/obfuscation.yaml b/src/macaron/resources/pypi_malware_rules/obfuscation.yaml
index 6d6ea066b..6071d2157 100644
--- a/src/macaron/resources/pypi_malware_rules/obfuscation.yaml
+++ b/src/macaron/resources/pypi_malware_rules/obfuscation.yaml
@@ -311,3 +311,13 @@ rules:
 - pattern: os.writev(...)
 - pattern: os.pwrite(...)
 - pattern: os.pwritev(...)
+
+- id: obfuscation_excessive-spacing
+ metadata:
+ description: Detects the use of excessive spacing in code, which may indicate obfuscation or hidden code.
+ message: Hidden code after excessive spacing
+ languages:
+ - python
+ severity: WARNING
+ pattern-either:
+ - pattern-regex: '[ \t\n\r\f\v]{50,}[^ \t\n\r\f\v]+' # The 50 here is the threshold for excessive spacing , more than that is considered obfuscation
diff --git a/tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/excessive_spacing.py b/tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/excessive_spacing.py
new file mode 100644
index 000000000..22ea38a6f
--- /dev/null
+++ b/tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/excessive_spacing.py
@@ -0,0 +1,25 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""
+Running this code will not produce any malicious behavior, but code isolation measures are
+in place for safety.
+"""
+
+import sys
+
+# ensure no symbols are exported so this code cannot accidentally be used
+__all__ = []
+sys.exit()
+
+def test_function():
+ """
+ All code to be tested will be defined inside this function, so it is all local to it. This is
+ to isolate the code to be tested, as it exists to replicate the patterns present in malware
+ samples.
+ """
+ sys.exit()
+
+ # excessive spacing obfuscation
+ def excessive_spacing_flow():
+ print("Hello world!")
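Review bot: The character class in the new `pattern-regex` includes `\n` and `\r`, so the 50-character run can be satisfied vertically: roughly fifty consecutive blank lines, or fewer blank lines plus the indentation of the following statement, in otherwise ordinary code will raise this WARNING with no horizontal padding present. The expected detection for `excessive_spacing.py` spans lines 24–25, which suggests that crossing a line break is intended, but the trailing comment does not say so, and `{50,}` also matches exactly 50 characters, so "more than that" in the comment is off by one. I would reword the comment to `# 50 or more whitespace characters (spaces, tabs and line breaks combined) before code are treated as obfuscation; long runs of blank lines match too` and, if vertical runs are not meant to count, drop `\n\r` from the first class. A benign sample containing a long run of blank lines would pin down whichever boundary is chosen.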
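Review bot: The whitespace run that `excessive_spacing_flow` exists to trigger is not visible in the hunk as rendered, and nothing in the file states it, so a trailing-whitespace hook or a formatter pass over the samples directory could strip it and silently invalidate the lines 24–25 detection recorded in `expected_results.json`; the padded line 27 of `inline_imports.py` in this commit has the same exposure. A comment above the inner function would make the invariant reviewable, e.g. `# the run of 50+ whitespace characters between the def line and print() is the pattern under test; do not reformat`. Whether the samples directory is already excluded from formatters cannot be seen from this diff.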
diff --git a/tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/expected_results.json b/tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/expected_results.json
index aabf72e18..78b1467a2 100644
--- a/tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/expected_results.json
+++ b/tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/expected_results.json
@@ -229,6 +229,21 @@
 "end": 68
 }
 ]
+ },
+ "src.macaron.resources.pypi_malware_rules.obfuscation_excessive-spacing": {
+ "message": "Hidden code after excessive spacing",
+ "detections": [
+ {
+ "file": "obfuscation/excessive_spacing.py",
+ "start": 24,
+ "end": 25
+ },
+ {
+ "file": "obfuscation/inline_imports.py",
+ "start": 27,
+ "end": 27
+ }
+ ]
 }
 },
 "disabled_sourcecode_rule_findings": {}
diff --git a/tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/inline_imports.py b/tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/inline_imports.py
index 80e006781..4e37c7c02 100644
--- a/tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/inline_imports.py
+++ b/tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/inline_imports.py
@@ -24,7 +24,7 @@ def test_function():
 __import__('builtins')
 __import__('subprocess')
 __import__('sys')
- __import__('os')
+ print("Hello world!") ;__import__('os')
 __import__('zlib')
 __import__('marshal')
 # these both just import builtins