
Releases: rushter/hexora

v0.2.2

27 Dec 09:46


  • Added SuspiciousWrite rule
  • Added OSFingerprint rule
  • Improved exfiltration detection of sensitive data (os.environ)
  • Added benchmark command
  • Added dump-package command
  • Improved tracking of data flow through lists, functions, dicts and so on. This enhances obfuscation detection.
  • Decode base64 strings
  • Significantly improved exec/eval detection

Some examples of the kinds of code that can now be deobfuscated and detected:

```python
import os


# Indirect import plus attribute lookup with a name assembled from parts.
def doit(m, f1, f2):
    import importlib

    module = importlib.import_module(m)
    function_name = f1 + f2
    function = getattr(module, function_name)
    return function


username = doit("os", "getl", "ogin")()

# Different ways of reaching os.system without writing a direct call.
[os.system][0]("ls")
dispatch = {"run": os.system}
dispatch["run"]("ls")

os.__getattribute__("system")("ls")

list(map(os.system, ["ls"]))

# Fragment from inside a setup.py install command's run(): a reversed,
# base64-encoded, zlib-compressed payload is decoded and passed to exec.
_ = lambda __: __import__("zlib").decompress(
    __import__("base64").b64decode(__[::-1])
)
exec((_)(b"payload"))
install.run(self)
```

v0.2.1

14 Dec 11:27


  • Add new rule: HX8020 SuspiciousComment
  • Add handling for byte arrays (bytes.fromhex("41 42 43"), bytes([98, 97, 115, 104]).decode())
  • Improve handling of f-strings
  • Improve detection of obfuscated exec/eval (zlib/codecs/marshal/pickle)
  • Add new signatures for literals (docker secrets, k8s secrets, /dev/tcp)
  • Tune confidence levels to be less noisy
  • Add basic handling of binascii.unhexlify and bytes.fromhex
  • Improve handling of os.path operations such as os.path.join and os.path.expanduser
  • Handle generator expressions, e.g. "".join(chr(x) for x in (65, 66))
  • Various codebase improvements
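The decoding tricks listed in this release and in v0.2.2 above (bytes.fromhex, bytes([...]).decode(), base64, "".join(chr(x) for x in ...), string concatenation feeding exec/eval) can all be resolved statically. Below is an added example written for this page, not hexora's own code: a minimal constant folder over Python's ast module that evaluates such expressions and reports exec/eval calls with the recovered argument. It assumes straight-line top-level code and uses a constructed sample.

```python
import ast, base64

def fold(n, env):
    """Constant value of node n under env, or None when it cannot be resolved."""
    if isinstance(n, ast.Constant): return n.value
    if isinstance(n, ast.Name): return env.get(n.id)
    if isinstance(n, (ast.Tuple, ast.List)):
        vals = [fold(e, env) for e in n.elts]
        return None if None in vals else tuple(vals)
    if isinstance(n, ast.BinOp) and isinstance(n.op, ast.Add):
        l, r = fold(n.left, env), fold(n.right, env)
        return l + r if l is not None and type(l) is type(r) else None
    if isinstance(n, ast.GeneratorExp) and isinstance(seq := fold(n.generators[0].iter, env), tuple):
        var = ast.unparse(n.generators[0].target)  # e.g. "x" in `chr(x) for x in (...)`
        out = [fold(n.elt, {**env, var: item}) for item in seq]  # bind x per item
        return None if None in out else tuple(out)
    if isinstance(n, ast.Call):  # emulate the few builtins obfuscators lean on
        f, args = ast.unparse(n.func), [fold(a, env) for a in n.args]
        a = args[0] if args else None
        recv = fold(n.func.value, env) if isinstance(n.func, ast.Attribute) else None
        try:  # an unresolved (None) or ill-typed operand simply yields None
            if f == "chr": return chr(a)
            if f == "bytes" and isinstance(a, tuple): return bytes(a)
            if f == "bytes.fromhex": return bytes.fromhex(a)
            if f.endswith("b64decode"): return base64.b64decode(a)
            if f.endswith(".decode") and isinstance(recv, bytes): return recv.decode()
            if f.endswith(".join") and recv == "": return "".join(a)
        except (TypeError, ValueError):  # binascii.Error is a ValueError
            pass
    return None

def scan(source):
    """Return (findings, env); a finding is (line, 'exec'|'eval', resolved argument)."""
    env, findings = {}, []
    for stmt in ast.parse(source).body:  # straight-line top-level code only
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            env[stmt.targets[0].id] = fold(stmt.value, env)  # None marks unresolved
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            f = ast.unparse(stmt.value.func)
            if f in ("exec", "eval") and stmt.value.args:
                findings.append((stmt.lineno, f, fold(stmt.value.args[0], env)))
    return findings, env

# Constructed sample in the style of the release notes' examples (not real malware).
SAMPLE = '''import base64
a = bytes.fromhex("6f 73").decode()
b = "".join(chr(x) for x in (46, 115, 121, 115, 116, 101, 109))
exec(a + b + "('ls')")
eval(base64.b64decode("cHJpbnQoMSk="))
'''
```

Running scan(SAMPLE) yields the exec call on line 4 with its argument resolved to os.system('ls') and the eval on line 5 with the decoded b'print(1)'; an argument the folder cannot resolve is still reported, with None in place of the value.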

v0.2.0

10 Sep 18:24


New version

v0.1.2

23 Aug 14:06


Bump version

v.0.1.1 pypi

19 Aug 22:40


Bump version