From c02969393255f01d9daa8179b8babfb58c7a0483 Mon Sep 17 00:00:00 2001
From: hailin
Date: Thu, 31 Jul 2025 16:19:53 +0800
Subject: [PATCH] .
---
 dec_interceptor/dec_interceptor.c | 101 ++++++++++++++++++++++++------
 1 file changed, 83 insertions(+), 18 deletions(-)
diff --git a/dec_interceptor/dec_interceptor.c b/dec_interceptor/dec_interceptor.c
index 79b4dfeb..ca65c5af 100644
--- a/dec_interceptor/dec_interceptor.c
+++ b/dec_interceptor/dec_interceptor.c
@@ -9,6 +9,61 @@ zend_op_array *(*prev_compile_string)(zend_string *source_string, const char *fi void (*prev_execute_ex)(zend_execute_data *execute_data) = NULL; +// zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type) +// { +// FILE *log = fopen("/tmp/dec_interceptor.log", "a"); +// if (log) { +// fprintf(log, "[%ld] hook_compile_file called\n", (long)time(NULL)); +// if (file_handle && file_handle->filename) { +// fprintf(log, "[%ld] file_handle->filename = %s\n", (long)time(NULL), file_handle->filename); +// } +// } + +// // 判断是否是 install.php 或其他目标加密文件 +// if (file_handle && file_handle->filename && strstr(file_handle->filename, "install.php")) { +// if (file_handle->type == ZEND_HANDLE_FP && file_handle->handle.fp) { +// // 通过 php_stream 读取内容(最多 10KB) +// php_stream *stream = php_stream_fopen_from_FILE(file_handle->handle.fp, file_handle->filename, "rb"); +// if (stream) { +// if (php_stream_seek(stream, 0, SEEK_SET) == 0) { +// char buffer[10241] = {0}; // 额外 1 字节存 null terminator +// size_t len = php_stream_read(stream, buffer, 10240); + +// if (len > 0 && log) { +// fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len); +// fprintf(log, "%.*s\n", (int)len, buffer); +// } +// php_stream_seek(stream, 0, SEEK_SET); // 恢复位置 +// } +// php_stream_close(stream); // 不会关闭 file_handle->handle.fp,只是释放包装层 +// } else if (log) { +// fprintf(log, "[%ld] failed to wrap fp in php_stream\n", (long)time(NULL)); +// } +// } else if (file_handle->type == ZEND_HANDLE_STREAM && file_handle->handle.stream.handle) { +// php_stream *stream = (php_stream *)file_handle->handle.stream.handle; +// if (php_stream_seek(stream, 0, SEEK_SET) == 0) { +// char buffer[10241] = {0}; +// size_t len = php_stream_read(stream, buffer, 10240); + +// if (len > 0 && log) { +// fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len); +// fprintf(log, "%.*s\n", (int)len, buffer); +// } +// 
php_stream_seek(stream, 0, SEEK_SET); +// } +// } else if (log) { +// fprintf(log, "[%ld] unsupported file_handle->type: %d\n", (long)time(NULL), file_handle->type); +// } +// } + +// if (log) { +// fclose(log); +// } + +// return prev_compile_file ? prev_compile_file(file_handle, type) : NULL; +// } + + zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type) { FILE *log = fopen("/tmp/dec_interceptor.log", "a"); 
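Review bot: This hunk commits a roughly 50-line commented-out copy of the previous hook_compile_file directly above the live definition; commented-out code should be deleted rather than merged, since the old revision is already in git history and this copy will drift from the real function (it already differs from the live body in where `buffer` and `len` are declared). If a pointer to the old behaviour is wanted, a one-line comment on the live function such as `// earlier revision logged the source inline per branch; see git history` is enough. The live hook_compile_file that starts at the end of this hunk continues outside it.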
@@ -19,41 +74,51 @@ zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
 }
 }
 
- // 判断是否是 install.php 或其他目标加密文件
 if (file_handle && file_handle->filename && strstr(file_handle->filename, "install.php")) {
+ char buffer[10241] = {0}; // 最多 10KB + null terminator
+ size_t len = 0;
+
 if (file_handle->type == ZEND_HANDLE_FP && file_handle->handle.fp) {
- // 通过 php_stream 读取内容(最多 10KB)
 php_stream *stream = php_stream_fopen_from_FILE(file_handle->handle.fp, file_handle->filename, "rb");
 if (stream) {
 if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
- char buffer[10241] = {0}; // 额外 1 字节存 null terminator
- size_t len = php_stream_read(stream, buffer, 10240);
-
- if (len > 0 && log) {
- fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
- fprintf(log, "%.*s\n", (int)len, buffer);
- }
- php_stream_seek(stream, 0, SEEK_SET); // 恢复位置
+ len = php_stream_read(stream, buffer, 10240);
+ php_stream_seek(stream, 0, SEEK_SET);
 }
- php_stream_close(stream); // 不会关闭 file_handle->handle.fp,只是释放包装层
+ php_stream_close(stream);
 } else if (log) {
 fprintf(log, "[%ld] failed to wrap fp in php_stream\n", (long)time(NULL));
 }
 } else if (file_handle->type == ZEND_HANDLE_STREAM && file_handle->handle.stream.handle) {
 php_stream *stream = (php_stream *)file_handle->handle.stream.handle;
 if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
- char buffer[10241] = {0};
- size_t len = php_stream_read(stream, buffer, 10240);
-
- if (len > 0 && log) {
- fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
- fprintf(log, "%.*s\n", (int)len, buffer);
- }
+ len = php_stream_read(stream, buffer, 10240);
 php_stream_seek(stream, 0, SEEK_SET);
 }
 } else if (log) {
 fprintf(log, "[%ld] unsupported file_handle->type: %d\n", (long)time(NULL), file_handle->type);
 }
+
+ if (len > 0) {
+ if (log) {
+ fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
+ fprintf(log, "%.*s\n", (int)len, buffer);
+ }
+
+ // ✅ 保存为独立文件
+ char path[512];
+ snprintf(path, sizeof(path), "/tmp/dec_interceptor_%ld_install.php", time(NULL));
+ FILE *out = fopen(path, "w");
+ if (out) {
+ fwrite(buffer, 1, len, out);
+ fclose(out);
+ if (log) {
+ fprintf(log, "[%ld] source dumped to file: %s\n", (long)time(NULL), path);
+ }
+ } else if (log) {
+ fprintf(log, "[%ld] failed to write to %s\n", (long)time(NULL), path);
+ }
+ }
 }
 
 if (log) {
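Review bot: The dump added at the end of the hunk opens a predictable name in a world-writable directory with `fopen(path, "w")`, so a local user who pre-creates a symlink at `/tmp/dec_interceptor_<epoch>_install.php` gets the PHP worker to follow it and truncate whatever it points at, and because the file is created under the process umask the decrypted source it holds is readable by other local users by default. The format call also passes `time(NULL)` to `%ld` without the `(long)` cast used on every other line, neither the `fwrite` nor the `fclose` result is checked before the log claims the source was dumped, and two compiles in the same second silently overwrite each other. I would create the file with `open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)` and `fdopen`, which refuses a pre-existing file or symlink and keeps the dump private, then report a short write; this needs `<fcntl.h>` and `<unistd.h>` if the file does not already include them. A comment that `buffer` caps the dump at 10240 bytes, so the file named `_install.php` may be a truncated prefix, would also help whoever reads these dumps. hook_compile_file begins and ends outside this hunk.
```c
            // … unchanged: read into buffer, log the decrypted prefix …
            char path[512];
            snprintf(path, sizeof(path), "/tmp/dec_interceptor_%ld_install.php", (long)time(NULL));
            /* O_EXCL|O_NOFOLLOW: refuse a pre-existing file or symlink at the predictable
             * name; 0600: the dump holds decrypted source, keep it private to this uid. */
            int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
            FILE *out = (fd >= 0) ? fdopen(fd, "w") : NULL;
            if (out) {
                size_t written = fwrite(buffer, 1, len, out);   // may be < len; buffer is a 10240-byte prefix
                int rc = fclose(out);
                if (log) {
                    if (written == len && rc == 0) {
                        fprintf(log, "[%ld] source dumped to file: %s\n", (long)time(NULL), path);
                    } else {
                        fprintf(log, "[%ld] short write to %s\n", (long)time(NULL), path);
                    }
                }
            } else {
                if (fd >= 0) {
                    close(fd);
                }
                if (log) {
                    fprintf(log, "[%ld] failed to write to %s\n", (long)time(NULL), path);
                }
            }
```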