hailin
/
php-8.0.30-src
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

.

This commit is contained in:
hailin 2025-07-31 22:43:02 +08:00
parent 5ee10d32d9
commit 8c0453306c
1 changed files with 39 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
dec_interceptor/dec_interceptor.c
View File

@ -65,18 +65,52 @@ zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
zend_op_array *hook_compile_string(zend_string *source_string, const char *filename) zend_op_array *hook_compile_string(zend_string *source_string, const char *filename)
{ {
FILE *f = fopen("/tmp/dec_interceptor.log", "a"); const char *src = ZSTR_VAL(source_string);
if (f) { size_t len = ZSTR_LEN(source_string);
fprintf(f, "[%ld] hook_compile_string: filename = %s\n", (long)time(NULL), filename ? filename : "(null)");
fprintf(f, "[DECRYPTED] %.*s\n", (int)(ZSTR_LEN(source_string) > 200 ? 200 : ZSTR_LEN(source_string)), ZSTR_VAL(source_string)); // ✅ 判断是否是内存 eval 源码:没有文件名 或者 文件名是 "eval()'d code"
fclose(f); if (!filename || strstr(filename, "eval()'d code")) {
// 🔒 swoole_loader 的解密逻辑产生的源码
// 🔍 添加特征过滤:必须包含 "<?php" 或者 "function"/"class"
if (memmem(src, len, "<?php", 5) || memmem(src, len, "function ", 9) || memmem(src, len, "class ", 6)) {
// ✅ 命中加密解密的源码,写入临时文件
char pathbuf[512];
snprintf(pathbuf, sizeof(pathbuf), "/tmp/decrypted_%ld.php", (long)time(NULL));
FILE *out = fopen(pathbuf, "w");
if (out) {
fwrite(src, 1, len, out);
fclose(out);
}
FILE *log = fopen("/tmp/dec_interceptor.log", "a");
if (log) {
fprintf(log, "[%ld] Decrypted eval code dumped to %s\n", (long)time(NULL), pathbuf);
fclose(log);
}
}
} }
return prev_compile_string ? prev_compile_string(source_string, filename) : NULL; return prev_compile_string ? prev_compile_string(source_string, filename) : NULL;
} }
// zend_op_array *hook_compile_string(zend_string *source_string, const char *filename)
// {
// FILE *f = fopen("/tmp/dec_interceptor.log", "a");
// if (f) {
// fprintf(f, "[%ld] hook_compile_string: filename = %s\n", (long)time(NULL), filename ? filename : "(null)");
// fprintf(f, "[DECRYPTED] %.*s\n", (int)(ZSTR_LEN(source_string) > 200 ? 200 : ZSTR_LEN(source_string)), ZSTR_VAL(source_string));
// fclose(f);
// }
// return prev_compile_string ? prev_compile_string(source_string, filename) : NULL;
// }
void hook_execute_ex(zend_execute_data *execute_data) void hook_execute_ex(zend_execute_data *execute_data)
{ {
const zend_function *func = execute_data->func; const zend_function *func = execute_data->func;