This commit is contained in:
parent
7f60b8d6c8
commit
c029693932
|
|
@ -9,6 +9,61 @@ zend_op_array *(*prev_compile_string)(zend_string *source_string, const char *fi
|
|||
void (*prev_execute_ex)(zend_execute_data *execute_data) = NULL;
|
||||
|
||||
|
||||
// zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
|
||||
// {
|
||||
// FILE *log = fopen("/tmp/dec_interceptor.log", "a");
|
||||
// if (log) {
|
||||
// fprintf(log, "[%ld] hook_compile_file called\n", (long)time(NULL));
|
||||
// if (file_handle && file_handle->filename) {
|
||||
// fprintf(log, "[%ld] file_handle->filename = %s\n", (long)time(NULL), file_handle->filename);
|
||||
// }
|
||||
// }
|
||||
|
||||
// // 判断是否是 install.php 或其他目标加密文件
|
||||
// if (file_handle && file_handle->filename && strstr(file_handle->filename, "install.php")) {
|
||||
// if (file_handle->type == ZEND_HANDLE_FP && file_handle->handle.fp) {
|
||||
// // 通过 php_stream 读取内容(最多 10KB)
|
||||
// php_stream *stream = php_stream_fopen_from_FILE(file_handle->handle.fp, file_handle->filename, "rb");
|
||||
// if (stream) {
|
||||
// if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
|
||||
// char buffer[10241] = {0}; // 额外 1 字节存 null terminator
|
||||
// size_t len = php_stream_read(stream, buffer, 10240);
|
||||
|
||||
// if (len > 0 && log) {
|
||||
// fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
|
||||
// fprintf(log, "%.*s\n", (int)len, buffer);
|
||||
// }
|
||||
// php_stream_seek(stream, 0, SEEK_SET); // 恢复位置
|
||||
// }
|
||||
// php_stream_close(stream); // 不会关闭 file_handle->handle.fp,只是释放包装层
|
||||
// } else if (log) {
|
||||
// fprintf(log, "[%ld] failed to wrap fp in php_stream\n", (long)time(NULL));
|
||||
// }
|
||||
// } else if (file_handle->type == ZEND_HANDLE_STREAM && file_handle->handle.stream.handle) {
|
||||
// php_stream *stream = (php_stream *)file_handle->handle.stream.handle;
|
||||
// if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
|
||||
// char buffer[10241] = {0};
|
||||
// size_t len = php_stream_read(stream, buffer, 10240);
|
||||
|
||||
// if (len > 0 && log) {
|
||||
// fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
|
||||
// fprintf(log, "%.*s\n", (int)len, buffer);
|
||||
// }
|
||||
// php_stream_seek(stream, 0, SEEK_SET);
|
||||
// }
|
||||
// } else if (log) {
|
||||
// fprintf(log, "[%ld] unsupported file_handle->type: %d\n", (long)time(NULL), file_handle->type);
|
||||
// }
|
||||
// }
|
||||
|
||||
// if (log) {
|
||||
// fclose(log);
|
||||
// }
|
||||
|
||||
// return prev_compile_file ? prev_compile_file(file_handle, type) : NULL;
|
||||
// }
|
||||
|
||||
|
||||
zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
|
||||
{
|
||||
FILE *log = fopen("/tmp/dec_interceptor.log", "a");
|
||||
|
|
@ -19,41 +74,51 @@ zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type)
|
|||
}
|
||||
}
|
||||
|
||||
// 判断是否是 install.php 或其他目标加密文件
|
||||
if (file_handle && file_handle->filename && strstr(file_handle->filename, "install.php")) {
|
||||
char buffer[10241] = {0}; // 最多 10KB + null terminator
|
||||
size_t len = 0;
|
||||
|
||||
if (file_handle->type == ZEND_HANDLE_FP && file_handle->handle.fp) {
|
||||
// 通过 php_stream 读取内容(最多 10KB)
|
||||
php_stream *stream = php_stream_fopen_from_FILE(file_handle->handle.fp, file_handle->filename, "rb");
|
||||
if (stream) {
|
||||
if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
|
||||
char buffer[10241] = {0}; // 额外 1 字节存 null terminator
|
||||
size_t len = php_stream_read(stream, buffer, 10240);
|
||||
|
||||
if (len > 0 && log) {
|
||||
fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
|
||||
fprintf(log, "%.*s\n", (int)len, buffer);
|
||||
}
|
||||
php_stream_seek(stream, 0, SEEK_SET); // 恢复位置
|
||||
len = php_stream_read(stream, buffer, 10240);
|
||||
php_stream_seek(stream, 0, SEEK_SET);
|
||||
}
|
||||
php_stream_close(stream); // 不会关闭 file_handle->handle.fp,只是释放包装层
|
||||
php_stream_close(stream);
|
||||
} else if (log) {
|
||||
fprintf(log, "[%ld] failed to wrap fp in php_stream\n", (long)time(NULL));
|
||||
}
|
||||
} else if (file_handle->type == ZEND_HANDLE_STREAM && file_handle->handle.stream.handle) {
|
||||
php_stream *stream = (php_stream *)file_handle->handle.stream.handle;
|
||||
if (php_stream_seek(stream, 0, SEEK_SET) == 0) {
|
||||
char buffer[10241] = {0};
|
||||
size_t len = php_stream_read(stream, buffer, 10240);
|
||||
|
||||
if (len > 0 && log) {
|
||||
fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
|
||||
fprintf(log, "%.*s\n", (int)len, buffer);
|
||||
}
|
||||
len = php_stream_read(stream, buffer, 10240);
|
||||
php_stream_seek(stream, 0, SEEK_SET);
|
||||
}
|
||||
} else if (log) {
|
||||
fprintf(log, "[%ld] unsupported file_handle->type: %d\n", (long)time(NULL), file_handle->type);
|
||||
}
|
||||
|
||||
if (len > 0) {
|
||||
if (log) {
|
||||
fprintf(log, "[%ld] [DECRYPTED_STREAM_SOURCE install.php] (%zu bytes):\n", (long)time(NULL), len);
|
||||
fprintf(log, "%.*s\n", (int)len, buffer);
|
||||
}
|
||||
|
||||
// ✅ 保存为独立文件
|
||||
char path[512];
|
||||
snprintf(path, sizeof(path), "/tmp/dec_interceptor_%ld_install.php", time(NULL));
|
||||
FILE *out = fopen(path, "w");
|
||||
if (out) {
|
||||
fwrite(buffer, 1, len, out);
|
||||
fclose(out);
|
||||
if (log) {
|
||||
fprintf(log, "[%ld] source dumped to file: %s\n", (long)time(NULL), path);
|
||||
}
|
||||
} else if (log) {
|
||||
fprintf(log, "[%ld] failed to write to %s\n", (long)time(NULL), path);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (log) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue