.

2025-07-31 22:43:02 +08:00 · 2025-07-31 22:43:02 +08:00 · 8c0453306c
parent 5ee10d32d9
commit 8c0453306c
1 changed files with 39 additions and 5 deletions
--- a/dec_interceptor/dec_interceptor.c
+++ b/dec_interceptor/dec_interceptor.c
@ -65,18 +65,52 @@ zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)



+
 zend_op_array *hook_compile_string(zend_string *source_string, const char *filename)
 {
-    FILE *f = fopen("/tmp/dec_interceptor.log", "a");
-    if (f) {
-        fprintf(f, "[%ld] hook_compile_string: filename = %s\n", (long)time(NULL), filename ? filename : "(null)");
-        fprintf(f, "[DECRYPTED] %.*s\n", (int)(ZSTR_LEN(source_string) > 200 ? 200 : ZSTR_LEN(source_string)), ZSTR_VAL(source_string));
-        fclose(f);
+    const char *src = ZSTR_VAL(source_string);
+    size_t len = ZSTR_LEN(source_string);
+
+    // ✅ 判断是否是内存 eval 源码：没有文件名 或者 文件名是 "eval()'d code"
+    if (!filename || strstr(filename, "eval()'d code")) {
+        // 🔒 swoole_loader 的解密逻辑产生的源码
+
+        // 🔍 添加特征过滤：必须包含 "<?php" 或者 "function"/"class"
+        if (memmem(src, len, "<?php", 5) || memmem(src, len, "function ", 9) || memmem(src, len, "class ", 6)) {
+            // ✅ 命中加密解密的源码，写入临时文件
+            char pathbuf[512];
+            snprintf(pathbuf, sizeof(pathbuf), "/tmp/decrypted_%ld.php", (long)time(NULL));
+            FILE *out = fopen(pathbuf, "w");
+            if (out) {
+                fwrite(src, 1, len, out);
+                fclose(out);
+            }
+
+            FILE *log = fopen("/tmp/dec_interceptor.log", "a");
+            if (log) {
+                fprintf(log, "[%ld] Decrypted eval code dumped to %s\n", (long)time(NULL), pathbuf);
+                fclose(log);
+            }
+        }
    }

    return prev_compile_string ? prev_compile_string(source_string, filename) : NULL;
 }

+
+
+// zend_op_array *hook_compile_string(zend_string *source_string, const char *filename)
+// {
+//     FILE *f = fopen("/tmp/dec_interceptor.log", "a");
+//     if (f) {
+//         fprintf(f, "[%ld] hook_compile_string: filename = %s\n", (long)time(NULL), filename ? filename : "(null)");
+//         fprintf(f, "[DECRYPTED] %.*s\n", (int)(ZSTR_LEN(source_string) > 200 ? 200 : ZSTR_LEN(source_string)), ZSTR_VAL(source_string));
+//         fclose(f);
+//     }
+
+//     return prev_compile_string ? prev_compile_string(source_string, filename) : NULL;
+// }
+
 void hook_execute_ex(zend_execute_data *execute_data)
 {
    const zend_function *func = execute_data->func;