From 7d1823d15143bbf81d69f99030e2954c138688b3 Mon Sep 17 00:00:00 2001
From: hailin
Date: Thu, 31 Jul 2025 16:39:54 +0800
Subject: [PATCH] .
---
 dec_interceptor/dec_interceptor.c | 53 ++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)
diff --git a/dec_interceptor/dec_interceptor.c b/dec_interceptor/dec_interceptor.c
index 758367df..dcd84d39 100644
--- a/dec_interceptor/dec_interceptor.c
+++ b/dec_interceptor/dec_interceptor.c
@@ -14,8 +14,59 @@ zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
 FILE *log = fopen("/tmp/dec_interceptor.log", "a");
 if (log && file_handle && file_handle->filename) {
 fprintf(log, "[%ld] hook_compile_file called: %s\n", (long)time(NULL), file_handle->filename);
- fclose(log);
 }
+
+ // 只针对 install.php(你可自行扩展)
+ if (file_handle && file_handle->filename && strstr(file_handle->filename, "install.php")) {
+ char buffer[32769] = {0}; // 32KB 缓冲
+ size_t len = 0;
+
+ php_stream *stream = NULL;
+ int is_wrapped = 0;
+
+ if (file_handle->type == ZEND_HANDLE_FP && file_handle->handle.fp) {
+ stream = php_stream_fopen_from_FILE(file_handle->handle.fp, file_handle->filename, "rb");
+ is_wrapped = 1;
+ } else if (file_handle->type == ZEND_HANDLE_STREAM && file_handle->handle.stream.handle) {
+ stream = (php_stream *)file_handle->handle.stream.handle;
+ }
+
+ if (stream) {
+ if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
+ len = php_stream_read(stream, buffer, sizeof(buffer) - 1);
+ php_stream_seek(stream, 0, SEEK_SET);
+
+ // 写日志
+ if (log && len > 0) {
+ fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
+ fprintf(log, "%.*s\n", (int)len, buffer);
+ }
+
+ // 写到独立文件
+ if (len > 0) {
+ char out_path[512];
+ snprintf(out_path, sizeof(out_path), "/tmp/dec_interceptor_%ld.php", time(NULL));
+ FILE *out = fopen(out_path, "w");
+ if (out) {
+ fwrite(buffer, 1, len, out);
+ fclose(out);
+ if (log) fprintf(log, "[%ld] dumped to: %s\n", (long)time(NULL), out_path);
+ } else if (log) {
+ fprintf(log, "[%ld] failed to write to output file\n", (long)time(NULL));
+ }
+ }
+ } else if (log) {
+ fprintf(log, "[%ld] failed to seek stream\n", (long)time(NULL));
+ }
+
+ if (is_wrapped) php_stream_close(stream); // 只关闭包装的,不破坏原始 fp
+ } else if (log) {
+ fprintf(log, "[%ld] unsupported file_handle type=%d or failed to wrap stream\n", (long)time(NULL), file_handle->type);
+ }
+ }
+
+ if (log) fclose(log);
+
+ return
prev_compile_file ? prev_compile_file(file_handle, type) : NULL;
 }
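Review bot: The dump file is created with `fopen(out_path, "w")` on a predictable name in a world-writable directory (`/tmp/dec_interceptor_%ld.php`, built from `time(NULL)`), so a local user can pre-create that path as a symlink and have the PHP process truncate and overwrite whatever it points to, and the decrypted source is written with whatever permissions the umask allows. Create the file exclusively and privately instead, using `open()` with `O_CREAT | O_EXCL | O_NOFOLLOW` and mode 0600 followed by `fdopen()`, ideally in a directory only the service account can write; the shared `/tmp/dec_interceptor.log` needs the same care because this change now writes the full source into it. Separately, `php_stream_close(stream)` on the stream made by `php_stream_fopen_from_FILE` appears to `fclose` the underlying `file_handle->handle.fp` as well, contrary to the comment beside it, which would leave `prev_compile_file` reading a closed `FILE *`; `php_stream_free(stream, PHP_STREAM_FREE_CLOSE | PHP_STREAM_FREE_PRESERVE_HANDLE)` is worth checking against the PHP version in use. The body of hook_compile_file begins above this hunk, so how `file_handle` is used earlier is not visible here.

```c
// … unchanged: stream lookup, read, rewind and log write …
if (len > 0) {
    char out_path[512];
    snprintf(out_path, sizeof(out_path), "/tmp/dec_interceptor_%ld.php", (long)time(NULL));
    // O_EXCL refuses a pre-existing file or symlink; 0600 keeps the dump private
    int fd = open(out_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    FILE *out = fd >= 0 ? fdopen(fd, "w") : NULL;
    if (out) {
        // … unchanged: fwrite, fclose, "dumped to" log line …
    } else {
        if (fd >= 0) close(fd);
        if (log) fprintf(log, "[%ld] failed to write to output file\n", (long)time(NULL));
    }
}
```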