# webshellKiller **Repository Path**: hbh112233abc/webshellKiller ## Basic Information - **Project Name**: webshellKiller - **Description**: webshell killer by golang - **Primary Language**: Go - **License**: Apache-2.0 - **Default Branch**: main - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2026-04-27 - **Last Updated**: 2026-05-04 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README # WebShellKiller A Go-based PHP WebShell detection and monitoring tool with CLI scanning and real-time daemon monitoring modes. ## Features - **Multi-engine Detection**: Signature matching, static analysis, entropy analysis - **Two Modes**: CLI directory scanning and real-time daemon monitoring - **Confidence Scoring**: Formula-based aggregation (`1 - Π(1 - weight_i)`) - **Incremental Scanning**: File cache with mtime+size comparison - **Whitelist Support**: Exact path and glob pattern matching - **Multiple Output Formats**: Terminal (colored) and JSON reports - **Single Binary**: No external dependencies at runtime ## Quick Start ### Build ```bash go build -o webshellKiller ./cmd/cli/ ``` ### Scan Mode ```bash # Scan a directory ./webshellKiller scan /path/to/php/project # Output as JSON ./webshellKiller scan /path/to/php/project -f json # Save report to file ./webshellKiller scan /path/to/php/project -f json -o report.json ``` ### Daemon Mode ```bash # Monitor a directory in real-time ./webshellKiller daemon /var/www/html ``` ## Configuration Create a `config.yaml` file: ```yaml scanner: concurrency: 4 max_file_size: 10485760 extensions: - ".php" - ".inc" exclude_dirs: - "vendor" - ".git" whitelist: file: "whitelist.json" rules: signatures: - "rules/signatures.yaml" static: - "rules/static.yaml" entropy: - "rules/entropy.yaml" ``` Use with: `./webshellKiller scan -c config.yaml /target` ## Detection Engines | Engine | Method | Description | |--------|--------|-------------| | Signature | Regex | Pattern matching against known WebShell signatures | | Static Analysis | Regex | Structural code analysis (variable variables, obfuscation) | | Entropy | Shannon | High entropy string detection (encoded/encrypted payloads) | ## Project Structure ``` ├── cmd/cli/ # CLI entry point (cobra) ├── internal/ │ ├── config/ # Configuration management │ ├── engine/ # Detection engines │ │ ├── types.go # Core types and interfaces │ │ ├── signature.go │ │ ├── static.go │ │ ├── entropy.go │ │ └── aggregator.go │ ├── rules/ # Rule file loader │ ├── scanner/ # File walker and scanner │ ├── report/ # Output formatters │ ├── whitelist/ # Whitelist manager │ └── watcher/ # File system watcher (daemon mode) ├── rules/ # Built-in detection rules (YAML) ├── testdata/ # Test samples └── deploy/ # Deployment files (systemd) ``` ## License MIT