parent
8c0453306c
commit
fa7b4e1331
|
|
@ -71,24 +71,23 @@ zend_op_array *hook_compile_string(zend_string *source_string, const char *filen
|
|||
const char *src = ZSTR_VAL(source_string);
|
||||
size_t len = ZSTR_LEN(source_string);
|
||||
|
||||
// ✅ 判断是否是内存 eval 源码:没有文件名 或者 文件名是 "eval()'d code"
|
||||
if (!filename || strstr(filename, "eval()'d code")) {
|
||||
// 🔒 swoole_loader 的解密逻辑产生的源码
|
||||
// 只有 filename 是 NULL 或 eval 才是 swoole_loader 的内存解密
|
||||
if (!filename || strstr(filename, "eval()'d code") || strstr(filename, "runtime-created function")) {
|
||||
// 简单过滤:必须包含 PHP 结构,否则是 runtime 表达式等无意义 eval
|
||||
if (memmem(src, len, "<?php", 5) || memmem(src, len, "function", 8) || memmem(src, len, "class", 5)) {
|
||||
char filepath[512];
|
||||
time_t now = time(NULL);
|
||||
snprintf(filepath, sizeof(filepath), "/tmp/decrypted_%ld.php", now);
|
||||
|
||||
// 🔍 添加特征过滤:必须包含 "<?php" 或者 "function"/"class"
|
||||
if (memmem(src, len, "<?php", 5) || memmem(src, len, "function ", 9) || memmem(src, len, "class ", 6)) {
|
||||
// ✅ 命中加密解密的源码,写入临时文件
|
||||
char pathbuf[512];
|
||||
snprintf(pathbuf, sizeof(pathbuf), "/tmp/decrypted_%ld.php", (long)time(NULL));
|
||||
FILE *out = fopen(pathbuf, "w");
|
||||
if (out) {
|
||||
fwrite(src, 1, len, out);
|
||||
fclose(out);
|
||||
FILE *fp = fopen(filepath, "w");
|
||||
if (fp) {
|
||||
fwrite(src, 1, len, fp);
|
||||
fclose(fp);
|
||||
}
|
||||
|
||||
FILE *log = fopen("/tmp/dec_interceptor.log", "a");
|
||||
if (log) {
|
||||
fprintf(log, "[%ld] Decrypted eval code dumped to %s\n", (long)time(NULL), pathbuf);
|
||||
fprintf(log, "[%ld] dumped eval() code to %s (%zu bytes)\n", now, filepath, len);
|
||||
fclose(log);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
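Review bot: The dump path `/tmp/decrypted_%ld.php` is built from `time(NULL)` alone and opened with `fopen(..., "w")`, so two compiles in the same second overwrite each other's dump, a pre-planted symlink at that predictable name in world-writable `/tmp` is followed and its target truncated with the PHP process's privileges, and the file is created under the default umask, which may leave the decrypted source readable by other local users. The rendered page has lost its +/- markers, but both the `pathbuf`/`out` and the `filepath`/`fp` variants share this pattern. Creating the file atomically avoids all three, e.g. `char pathbuf[] = "/tmp/decrypted_XXXXXX.php";`, `int fd = mkstemps(pathbuf, 4);`, `FILE *out = fd >= 0 ? fdopen(fd, "w") : NULL;` (mkstemps is a glibc/BSD extension; mkstemp without the `.php` suffix is the POSIX form). The `fwrite` result is also unchecked, so a short write is still logged as a successful dump. `hook_compile_string` starts and ends outside this hunk.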