From a86c3ad85997f1455c6c37b4313940363d7c46b1 Mon Sep 17 00:00:00 2001
From: hailin
Date: Thu, 31 Jul 2025 15:57:37 +0800
Subject: [PATCH] .
---
 dec_interceptor/dec_interceptor.c | 61 ++++++++++++++++---------------
 1 file changed, 32 insertions(+), 29 deletions(-)
diff --git a/dec_interceptor/dec_interceptor.c b/dec_interceptor/dec_interceptor.c
index 49aa2068..dd5bc651 100644
--- a/dec_interceptor/dec_interceptor.c
+++ b/dec_interceptor/dec_interceptor.c
@@ -26,48 +26,51 @@ zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
 FILE *log = fopen("/tmp/dec_interceptor.log", "a");
 if (log) {
 fprintf(log, "[%ld] hook_compile_file called\n", (long)time(NULL));
- if (file_handle) {
- fprintf(log, " file_handle->filename = %s\n", file_handle->filename ? file_handle->filename : "(null)");
- fprintf(log, " file_handle->type = %d\n", file_handle->type);
+ if (file_handle && file_handle->filename) {
+ fprintf(log, "[%ld] file_handle->filename = %s\n", (long)time(NULL), file_handle->filename);
 }
 }
- // 拦截 install.php 或其他目标文件
+ // 判断是否是 install.php 或其他目标加密文件
 if (file_handle && file_handle->filename && strstr(file_handle->filename, "install.php")) {
 if (file_handle->type == ZEND_HANDLE_FP && file_handle->handle.fp) {
- // 正常文件指针
- fseek(file_handle->handle.fp, 0, SEEK_SET);
- char buffer[10241] = {0}; // 最多读取 10KB
- size_t read_len = fread(buffer, 1, 10240, file_handle->handle.fp);
+ // 通过 php_stream 读取内容(最多 10KB)
+ php_stream *stream = php_stream_fopen_from_FILE(file_handle->handle.fp, file_handle->filename, "rb");
+ if (stream) {
+ if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
+ char buffer[10241] = {0}; // 额外 1 字节存 null terminator
+ size_t len = php_stream_read(stream, buffer, 10240);
- if (log && read_len > 0) {
- fprintf(log, "[DECRYPTED_SOURCE install.php] (%zu bytes)\n%.*s\n", read_len, (int)read_len, buffer);
- }
-
- fseek(file_handle->handle.fp, 0, SEEK_SET); // 重置位置
- } else if (file_handle->type == ZEND_HANDLE_STREAM && file_handle->handle.stream.handle) {
- // stream 类型,如 swoole_loader 包裹的加密解密流
- php_stream *stream = (php_stream *) file_handle->handle.stream.handle;
-
- if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
- char *contents = NULL;
- size_t len = php_stream_copy_to_mem(stream, &contents, 10240, 0); // 最多10KB
- if (contents && len > 0 && log) {
- fprintf(log, "[DECRYPTED_STREAM_SOURCE install.php] (%zu bytes)\n%.*s\n", len, (int)len, contents);
+ if (len > 0 && log) {
+ fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
+ fprintf(log, "%.*s\n", (int)len, buffer);
+ }
+ php_stream_seek(stream, 0, SEEK_SET); // 恢复位置
 }
- if (contents) {
- efree(contents);
- }
- php_stream_seek(stream, 0, SEEK_SET); // 重置流位置
+ php_stream_close(stream); // 不会关闭 file_handle->handle.fp,只是释放包装层
 } else if (log) {
- fprintf(log, "[WARN] php_stream_seek failed\n");
+ fprintf(log, "[%ld] failed to wrap fp in php_stream\n", (long)time(NULL));
+ }
+ } else if (file_handle->type == ZEND_HANDLE_STREAM && file_handle->handle.stream.handle) {
+ php_stream *stream = (php_stream *)file_handle->handle.stream.handle;
+ if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
+ char buffer[10241] = {0};
+ size_t len = php_stream_read(stream, buffer, 10240);
+
+ if (len > 0 && log) {
+ fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
+ fprintf(log, "%.*s\n", (int)len, buffer);
+ }
+ php_stream_seek(stream, 0, SEEK_SET);
 }
 } else if (log) {
- fprintf(log, "[WARN] Unknown file_handle type or null stream/fp\n");
+ fprintf(log, "[%ld] unsupported file_handle->type: %d\n", (long)time(NULL), file_handle->type);
 }
 }
- if (log) fclose(log);
+ if (log) {
+ fclose(log);
+ }
 return prev_compile_file ? prev_compile_file(file_handle, type) : NULL;
 }
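Review bot: In the ZEND_HANDLE_FP branch, `php_stream_close(stream)` most likely closes `file_handle->handle.fp` as well, contrary to the inline comment, so the `prev_compile_file(file_handle, type)` call at the end would run on a closed FILE*. As far as I know a stdio-backed stream fcloses its FILE on close unless the handle is preserved, e.g. `php_stream_free(stream, PHP_STREAM_FREE_CLOSE | PHP_STREAM_FREE_PRESERVE_HANDLE);`. The same branch calls `php_stream_fopen_from_FILE` with three arguments, while the helper I know of is `php_stream_fopen_from_file(file, mode)`, so this should be checked against the PHP headers the extension is built with. Separately, the hook still appends script contents to the fixed path `/tmp/dec_interceptor.log` via `fopen(..., "a")`, which follows symlinks and uses default permissions in a world-writable directory; an `open()` with `O_NOFOLLOW` and mode `0600` in a private directory would limit who can read or redirect that output. The body of `hook_compile_file` starts above the hunk.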