From 8c0453306c4d9175c4e84663afabb4564d71b58e Mon Sep 17 00:00:00 2001
From: hailin <hailin@gdzx.xyz>
Date: Thu, 31 Jul 2025 22:43:02 +0800
Subject: [PATCH] .

---
 dec_interceptor/dec_interceptor.c | 44 +++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 5 deletions(-)

diff --git a/dec_interceptor/dec_interceptor.c b/dec_interceptor/dec_interceptor.c
index 79b4dfeb..f585001a 100644
--- a/dec_interceptor/dec_interceptor.c
+++ b/dec_interceptor/dec_interceptor.c
@@ -65,18 +65,52 @@ zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
 
 
 
+
 zend_op_array *hook_compile_string(zend_string *source_string, const char *filename)
 {
-    FILE *f = fopen("/tmp/dec_interceptor.log", "a");
-    if (f) {
-        fprintf(f, "[%ld] hook_compile_string: filename = %s\n", (long)time(NULL), filename ? filename : "(null)");
-        fprintf(f, "[DECRYPTED] %.*s\n", (int)(ZSTR_LEN(source_string) > 200 ? 200 : ZSTR_LEN(source_string)), ZSTR_VAL(source_string));
-        fclose(f);
+    const char *src = ZSTR_VAL(source_string);
+    size_t len = ZSTR_LEN(source_string);
+
+    // ✅ 判断是否是内存 eval 源码：没有文件名 或者 文件名是 "eval()'d code"
+    if (!filename || strstr(filename, "eval()'d code")) {
+        // 🔒 swoole_loader 的解密逻辑产生的源码
+
+        // 🔍 添加特征过滤：必须包含 "<?php" 或者 "function"/"class"
+        if (memmem(src, len, "<?php", 5) || memmem(src, len, "function ", 9) || memmem(src, len, "class ", 6)) {
+            // ✅ 命中加密解密的源码，写入临时文件
+            char pathbuf[512];
+            snprintf(pathbuf, sizeof(pathbuf), "/tmp/decrypted_%ld.php", (long)time(NULL));
+            FILE *out = fopen(pathbuf, "w");
+            if (out) {
+                fwrite(src, 1, len, out);
+                fclose(out);
+            }
+
+            FILE *log = fopen("/tmp/dec_interceptor.log", "a");
+            if (log) {
+                fprintf(log, "[%ld] Decrypted eval code dumped to %s\n", (long)time(NULL), pathbuf);
+                fclose(log);
+            }
+        }
     }
 
     return prev_compile_string ? prev_compile_string(source_string, filename) : NULL;
 }
 
+
+
+// zend_op_array *hook_compile_string(zend_string *source_string, const char *filename)
+// {
+//     FILE *f = fopen("/tmp/dec_interceptor.log", "a");
+//     if (f) {
+//         fprintf(f, "[%ld] hook_compile_string: filename = %s\n", (long)time(NULL), filename ? filename : "(null)");
+//         fprintf(f, "[DECRYPTED] %.*s\n", (int)(ZSTR_LEN(source_string) > 200 ? 200 : ZSTR_LEN(source_string)), ZSTR_VAL(source_string));
+//         fclose(f);
+//     }
+
+//     return prev_compile_string ? prev_compile_string(source_string, filename) : NULL;
+// }
+
 void hook_execute_ex(zend_execute_data *execute_data)
 {
     const zend_function *func = execute_data->func;