.

2025-07-31 15:57:37 +08:00 · 2025-07-31 15:57:37 +08:00 · a86c3ad859
parent bf6e0f8a70
commit a86c3ad859
1 changed files with 32 additions and 29 deletions
--- a/dec_interceptor/dec_interceptor.c
+++ b/dec_interceptor/dec_interceptor.c
@ -26,48 +26,51 @@ zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
    FILE *log = fopen("/tmp/dec_interceptor.log", "a");
    if (log) {
        fprintf(log, "[%ld] hook_compile_file called\n", (long)time(NULL));
-        if (file_handle) {
+        if (file_handle && file_handle->filename) {
-            fprintf(log, "  file_handle->filename = %s\n", file_handle->filename ? file_handle->filename : "(null)");
+            fprintf(log, "[%ld] file_handle->filename = %s\n", (long)time(NULL), file_handle->filename);
            fprintf(log, "  file_handle->type = %d\n", file_handle->type);
        }
    }
-    // 拦截 install.php 或其他目标文件
+    // 判断是否是 install.php 或其他目标加密文件
    if (file_handle && file_handle->filename && strstr(file_handle->filename, "install.php")) {
        if (file_handle->type == ZEND_HANDLE_FP && file_handle->handle.fp) {
-            // 正常文件指针
+            // 通过 php_stream 读取内容（最多 10KB）
-            fseek(file_handle->handle.fp, 0, SEEK_SET);
+            php_stream *stream = php_stream_fopen_from_FILE(file_handle->handle.fp, file_handle->filename, "rb");
-            char buffer[10241] = {0};  // 最多读取 10KB
+            if (stream) {
-            size_t read_len = fread(buffer, 1, 10240, file_handle->handle.fp);
+                if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
                    char buffer[10241] = {0};  // 额外 1 字节存 null terminator
                    size_t len = php_stream_read(stream, buffer, 10240);
-            if (log && read_len > 0) {
+                    if (len > 0 && log) {
-                fprintf(log, "[DECRYPTED_SOURCE install.php] (%zu bytes)\n%.*s\n", read_len, (int)read_len, buffer);
+                        fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
-            }
+                        fprintf(log, "%.*s\n", (int)len, buffer);
-
+                    }
-            fseek(file_handle->handle.fp, 0, SEEK_SET);  // 重置位置
+                    php_stream_seek(stream, 0, SEEK_SET);  // 恢复位置
        } else if (file_handle->type == ZEND_HANDLE_STREAM && file_handle->handle.stream.handle) {
            // stream 类型，如 swoole_loader 包裹的加密解密流
            php_stream *stream = (php_stream *) file_handle->handle.stream.handle;
            if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
                char *contents = NULL;
                size_t len = php_stream_copy_to_mem(stream, &contents, 10240, 0); // 最多10KB
                if (contents && len > 0 && log) {
                    fprintf(log, "[DECRYPTED_STREAM_SOURCE install.php] (%zu bytes)\n%.*s\n", len, (int)len, contents);
                }
-                if (contents) {
+                php_stream_close(stream);  // 不会关闭 file_handle->handle.fp，只是释放包装层
                    efree(contents);
                }
                php_stream_seek(stream, 0, SEEK_SET);  // 重置流位置
            } else if (log) {
-                fprintf(log, "[WARN] php_stream_seek failed\n");
+                fprintf(log, "[%ld] failed to wrap fp in php_stream\n", (long)time(NULL));
            }
        } else if (file_handle->type == ZEND_HANDLE_STREAM && file_handle->handle.stream.handle) {
            php_stream *stream = (php_stream *)file_handle->handle.stream.handle;
            if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
                char buffer[10241] = {0};
                size_t len = php_stream_read(stream, buffer, 10240);
                if (len > 0 && log) {
                    fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
                    fprintf(log, "%.*s\n", (int)len, buffer);
                }
                php_stream_seek(stream, 0, SEEK_SET);
            }
        } else if (log) {
-            fprintf(log, "[WARN] Unknown file_handle type or null stream/fp\n");
+            fprintf(log, "[%ld] unsupported file_handle->type: %d\n", (long)time(NULL), file_handle->type);
        }
    }
-    if (log) fclose(log);
+    if (log) {
        fclose(log);
    }
    return prev_compile_file ? prev_compile_file(file_handle, type) : NULL;
 }