From fa7b4e133133123cba4d9dae90b9bc926e9d0919 Mon Sep 17 00:00:00 2001
From: hailin <hailin@gdzx.xyz>
Date: Thu, 31 Jul 2025 22:49:00 +0800
Subject: [PATCH] .

---
 dec_interceptor/dec_interceptor.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/dec_interceptor/dec_interceptor.c b/dec_interceptor/dec_interceptor.c
index f585001a..c71cc282 100644
--- a/dec_interceptor/dec_interceptor.c
+++ b/dec_interceptor/dec_interceptor.c
@@ -71,24 +71,23 @@ zend_op_array *hook_compile_string(zend_string *source_string, const char *filen
     const char *src = ZSTR_VAL(source_string);
     size_t len = ZSTR_LEN(source_string);
 
-    // ✅ 判断是否是内存 eval 源码：没有文件名 或者 文件名是 "eval()'d code"
-    if (!filename || strstr(filename, "eval()'d code")) {
-        // 🔒 swoole_loader 的解密逻辑产生的源码
+    // 只有 filename 是 NULL 或 eval 才是 swoole_loader 的内存解密
+    if (!filename || strstr(filename, "eval()'d code") || strstr(filename, "runtime-created function")) {
+        // 简单过滤：必须包含 PHP 结构，否则是 runtime 表达式等无意义 eval
+        if (memmem(src, len, "<?php", 5) || memmem(src, len, "function", 8) || memmem(src, len, "class", 5)) {
+            char filepath[512];
+            time_t now = time(NULL);
+            snprintf(filepath, sizeof(filepath), "/tmp/decrypted_%ld.php", now);
 
-        // 🔍 添加特征过滤：必须包含 "<?php" 或者 "function"/"class"
-        if (memmem(src, len, "<?php", 5) || memmem(src, len, "function ", 9) || memmem(src, len, "class ", 6)) {
-            // ✅ 命中加密解密的源码，写入临时文件
-            char pathbuf[512];
-            snprintf(pathbuf, sizeof(pathbuf), "/tmp/decrypted_%ld.php", (long)time(NULL));
-            FILE *out = fopen(pathbuf, "w");
-            if (out) {
-                fwrite(src, 1, len, out);
-                fclose(out);
+            FILE *fp = fopen(filepath, "w");
+            if (fp) {
+                fwrite(src, 1, len, fp);
+                fclose(fp);
             }
 
             FILE *log = fopen("/tmp/dec_interceptor.log", "a");
             if (log) {
-                fprintf(log, "[%ld] Decrypted eval code dumped to %s\n", (long)time(NULL), pathbuf);
+                fprintf(log, "[%ld] dumped eval() code to %s (%zu bytes)\n", now, filepath, len);
                 fclose(log);
             }
         }