From 7f60b8d6c8a1c5c8efcc083273588d60939b18a3 Mon Sep 17 00:00:00 2001
From: hailin
Date: Thu, 31 Jul 2025 16:13:12 +0800
Subject: [PATCH] .
---
 dec_interceptor/dec_interceptor.c | 63 +++++++++++--------------------
 1 file changed, 23 insertions(+), 40 deletions(-)
diff --git a/dec_interceptor/dec_interceptor.c b/dec_interceptor/dec_interceptor.c
index 160e2880..79b4dfeb 100644
--- a/dec_interceptor/dec_interceptor.c
+++ b/dec_interceptor/dec_interceptor.c
@@ -3,25 +3,11 @@
 #include "ext/standard/info.h"
 #include "php_dec_interceptor.h"
 #include
-#include "main/php_streams.h"
-#include "ext/standard/php_smart_string.h"
 zend_op_array *(*prev_compile_file)(zend_file_handle *file_handle, int type) = NULL;
 zend_op_array *(*prev_compile_string)(zend_string *source_string, const char *filename) = NULL;
 void (*prev_execute_ex)(zend_execute_data *execute_data) = NULL;
-// zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
-// {
-// FILE *f = fopen("/tmp/dec_interceptor.log", "a");
-// if (f) {
-// fprintf(f, "[%ld] hook_compile_file called\n", (long)time(NULL));
-// if (file_handle && file_handle->filename) {
-// fprintf(f, "[%ld] file_handle->filename = %s\n", (long)time(NULL), file_handle->filename);
-// }
-// fclose(f);
-// }
-// return prev_compile_file ? prev_compile_file(file_handle, type) : NULL;
-// }
 zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
 {
@@ -33,44 +19,41 @@ zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
 }
 }
+ // 判断是否是 install.php 或其他目标加密文件
 if (file_handle && file_handle->filename && strstr(file_handle->filename, "install.php")) {
- char buffer[32769] = {0}; // 最多 32KB + null terminator
- size_t len = 0;
-
 if (file_handle->type == ZEND_HANDLE_FP && file_handle->handle.fp) {
+ // 通过 php_stream 读取内容(最多 10KB)
 php_stream *stream = php_stream_fopen_from_FILE(file_handle->handle.fp, file_handle->filename, "rb");
 if (stream) {
- php_stream_seek(stream, 0, SEEK_SET);
- len = php_stream_read(stream, buffer, 32768);
- php_stream_seek(stream, 0, SEEK_SET);
- php_stream_close(stream);
+ if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
+ char buffer[10241] = {0}; // 额外 1 字节存 null terminator
+ size_t len = php_stream_read(stream, buffer, 10240);
+
+ if (len > 0 && log) {
+ fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
+ fprintf(log, "%.*s\n", (int)len, buffer);
+ }
+ php_stream_seek(stream, 0, SEEK_SET); // 恢复位置
+ }
+ php_stream_close(stream); // 不会关闭 file_handle->handle.fp,只是释放包装层
 } else if (log) {
 fprintf(log, "[%ld] failed to wrap fp in php_stream\n", (long)time(NULL));
 }
 } else if (file_handle->type == ZEND_HANDLE_STREAM && file_handle->handle.stream.handle) {
 php_stream *stream = (php_stream *)file_handle->handle.stream.handle;
- php_stream_seek(stream, 0, SEEK_SET);
- len = php_stream_read(stream, buffer, 32768);
- php_stream_seek(stream, 0, SEEK_SET);
+ if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
+ char buffer[10241] = {0};
+ size_t len = php_stream_read(stream, buffer, 10240);
+
+ if (len > 0 && log) {
+ fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
+ fprintf(log, "%.*s\n", (int)len, buffer);
+ }
+ php_stream_seek(stream, 0, SEEK_SET);
+ }
 } else if (log) {
 fprintf(log, "[%ld] unsupported file_handle->type: %d\n", (long)time(NULL), file_handle->type);
 }
-
- if (len > 0) {
- // 写入独立文件
- char path[512];
- time_t now = time(NULL);
- snprintf(path, sizeof(path), "/tmp/dec_interceptor_%ld_install.php", now);
- FILE *out = fopen(path, "w");
- if (out) {
- fwrite(buffer, 1, len, out);
- fclose(out);
- }
-
- if (log) {
- fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] dumped to: %s (%zu bytes)\n", (long)time(NULL), path, len);
- }
- }
 }
 if (log) {
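Review bot: The `php_stream_close(stream);` re-added in the ZEND_HANDLE_FP branch contradicts its new comment: as far as I know, closing a stream created by `php_stream_fopen_from_FILE` also `fclose()`s the wrapped `FILE *`, so `file_handle->handle.fp` would be dangling by the time the handle is passed on to `prev_compile_file`. Releasing only the wrapper needs `php_stream_free(stream, PHP_STREAM_FREE_CLOSE | PHP_STREAM_FREE_PRESERVE_HANDLE);`. In both branches the second `php_stream_seek(stream, 0, SEEK_SET)` is unchecked, so a failed rewind would leave the compiler reading from the wrong offset; its result should be tested and logged. The log now receives up to 10 KB of the file's source, so the log file (opened outside this hunk) should be created with owner-only permissions. `hook_compile_file` begins and ends outside the hunk.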