parent
8c0453306c
commit
fa7b4e1331
|
|
@ -71,24 +71,23 @@ zend_op_array *hook_compile_string(zend_string *source_string, const char *filen
|
||||||
const char *src = ZSTR_VAL(source_string);
|
const char *src = ZSTR_VAL(source_string);
|
||||||
size_t len = ZSTR_LEN(source_string);
|
size_t len = ZSTR_LEN(source_string);
|
||||||
|
|
||||||
// ✅ 判断是否是内存 eval 源码:没有文件名 或者 文件名是 "eval()'d code"
|
// 只有 filename 是 NULL 或 eval 才是 swoole_loader 的内存解密
|
||||||
if (!filename || strstr(filename, "eval()'d code")) {
|
if (!filename || strstr(filename, "eval()'d code") || strstr(filename, "runtime-created function")) {
|
||||||
// 🔒 swoole_loader 的解密逻辑产生的源码
|
// 简单过滤:必须包含 PHP 结构,否则是 runtime 表达式等无意义 eval
|
||||||
|
if (memmem(src, len, "<?php", 5) || memmem(src, len, "function", 8) || memmem(src, len, "class", 5)) {
|
||||||
|
char filepath[512];
|
||||||
|
time_t now = time(NULL);
|
||||||
|
snprintf(filepath, sizeof(filepath), "/tmp/decrypted_%ld.php", now);
|
||||||
|
|
||||||
// 🔍 添加特征过滤:必须包含 "<?php" 或者 "function"/"class"
|
FILE *fp = fopen(filepath, "w");
|
||||||
if (memmem(src, len, "<?php", 5) || memmem(src, len, "function ", 9) || memmem(src, len, "class ", 6)) {
|
if (fp) {
|
||||||
// ✅ 命中加密解密的源码,写入临时文件
|
fwrite(src, 1, len, fp);
|
||||||
char pathbuf[512];
|
fclose(fp);
|
||||||
snprintf(pathbuf, sizeof(pathbuf), "/tmp/decrypted_%ld.php", (long)time(NULL));
|
|
||||||
FILE *out = fopen(pathbuf, "w");
|
|
||||||
if (out) {
|
|
||||||
fwrite(src, 1, len, out);
|
|
||||||
fclose(out);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
FILE *log = fopen("/tmp/dec_interceptor.log", "a");
|
FILE *log = fopen("/tmp/dec_interceptor.log", "a");
|
||||||
if (log) {
|
if (log) {
|
||||||
fprintf(log, "[%ld] Decrypted eval code dumped to %s\n", (long)time(NULL), pathbuf);
|
fprintf(log, "[%ld] dumped eval() code to %s (%zu bytes)\n", now, filepath, len);
|
||||||
fclose(log);
|
fclose(log);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
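Review bot: The dump path `/tmp/decrypted_<epoch>.php` is predictable and is opened with `fopen(filepath, "w")`, which follows symlinks and truncates. In a world-writable /tmp a pre-existing link can redirect the write to an unintended file, the dump is created with default umask permissions, and two calls in the same second silently overwrite each other. Create the file exclusively and owner-only instead, e.g. `int fd = open(filepath, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);` then `FILE *fp = fd >= 0 ? fdopen(fd, "w") : NULL;`, and add a per-process counter to the name or use `mkstemps()`. The new code also passes `now` (a `time_t`) to `%ld` in both the `snprintf` and the `fprintf` without the `(long)` cast the old lines had, and the log entry is still written when the open failed, so it can report a dump that was never created. The body of hook_compile_string starts and ends outside this hunk.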