#include "php.h" #include "php_ini.h" #include "ext/standard/info.h" #include "php_dec_interceptor.h" #include zend_op_array *(*prev_compile_file)(zend_file_handle *file_handle, int type) = NULL; zend_op_array *(*prev_compile_string)(zval *source_string, const char *filename) = NULL; void (*prev_execute_ex)(zend_execute_data *execute_data) = NULL; zend_op_array *(*prev_eval_stringl)(zend_string *code, const char *filename, int handle) = NULL; zend_op_array *hook_compile_file(zend_file_handle *file_handle, int type) { FILE *f = fopen("/tmp/dec_interceptor.log", "a"); if (f) { fprintf(f, "[%ld] hook_compile_file called\n", (long)time(NULL)); if (file_handle) { if (file_handle->filename) { fprintf(f, "[%ld] file_handle->filename = %s\n", (long)time(NULL), file_handle->filename); } else { fprintf(f, "[%ld] file_handle->filename = (null)\n", (long)time(NULL)); } } fclose(f); } return prev_compile_file ? prev_compile_file(file_handle, type) : NULL; } zend_op_array *hook_compile_string(zval *source_string, const char *filename) { FILE *f = fopen("/tmp/dec_interceptor.log", "a"); if (f) { fprintf(f, "[%ld] hook_compile_string: filename = %s\n", (long)time(NULL), filename ? filename : "(null)"); if (Z_TYPE_P(source_string) == IS_STRING) { zend_string *s = Z_STR_P(source_string); fprintf(f, "[DECRYPTED] %.*s\n", (int)(s->len > 200 ? 200 : s->len), s->val); } fclose(f); } return prev_compile_string ? prev_compile_string(source_string, filename) : NULL; } void hook_execute_ex(zend_execute_data *execute_data) { const zend_function *func = execute_data->func; if (func && ZEND_USER_CODE(func->type)) { const zend_op_array *opa = &func->op_array; FILE *f = fopen("/tmp/dec_interceptor.log", "a"); if (f) { const char *fname = func->common.function_name ? ZSTR_VAL(func->common.function_name) : "(no name)"; const char *file = opa->filename ? ZSTR_VAL(opa->filename) : "(no file)"; fprintf(f, "[%ld] hook_execute_ex: %s (from %s)\n", (long)time(NULL), fname, file); fprintf(f, " op_array dump: %d opcodes\n", opa->last); for (int i = 0; i < opa->last; ++i) { const zend_op *op = &opa->opcodes[i]; fprintf(f, " [%03d] opcode=%d op1_type=%d op2_type=%d result_type=%d\n", i, op->opcode, op->op1_type, op->op2_type, op->result_type); } fclose(f); } } else { FILE *f = fopen("/tmp/dec_interceptor.log", "a"); if (f) { fprintf(f, "[%ld] hook_execute_ex: (internal or unknown function)\n", (long)time(NULL)); fclose(f); } } if (prev_execute_ex) { prev_execute_ex(execute_data); } } zend_op_array *hook_eval_stringl(zend_string *code, const char *filename, int handle) { FILE *f = fopen("/tmp/dec_interceptor.log", "a"); if (f) { fprintf(f, "[%ld] hook_eval_stringl: filename = %s\n", (long)time(NULL), filename ? filename : "(null)"); fprintf(f, "[DECRYPTED-EVAL] %.*s\n", (int)(ZSTR_LEN(code) > 200 ? 200 : ZSTR_LEN(code)), ZSTR_VAL(code)); fclose(f); } return prev_eval_stringl ? prev_eval_stringl(code, filename, handle) : NULL; } PHP_RINIT_FUNCTION(dec_interceptor) { FILE *f = fopen("/tmp/dec_interceptor.log", "a"); if (f) { fprintf(f, "[%ld] RINIT: zend_compile_file = %p\n", (long)time(NULL), zend_compile_file); fclose(f); } return SUCCESS; } PHP_MINIT_FUNCTION(dec_interceptor) { prev_compile_file = zend_compile_file; zend_compile_file = hook_compile_file; prev_compile_string = zend_compile_string; zend_compile_string = hook_compile_string; prev_execute_ex = zend_execute_ex; zend_execute_ex = hook_execute_ex; prev_eval_stringl = zend_eval_stringl; zend_eval_stringl = hook_eval_stringl; FILE *f = fopen("/tmp/dec_interceptor.log", "a"); if (f) { fprintf(f, "[%ld] MINIT done\n", (long)time(NULL)); fclose(f); } return SUCCESS; } PHP_MSHUTDOWN_FUNCTION(dec_interceptor) { zend_compile_file = prev_compile_file; zend_compile_string = prev_compile_string; zend_execute_ex = prev_execute_ex; zend_eval_stringl = prev_eval_stringl; FILE *f = fopen("/tmp/dec_interceptor.log", "a"); if (f) { fprintf(f, "[%ld] MSHUTDOWN done\n", (long)time(NULL)); fclose(f); } return SUCCESS; } PHP_MINFO_FUNCTION(dec_interceptor) { php_info_print_table_start(); php_info_print_table_row(2, "dec_interceptor support", "enabled"); php_info_print_table_end(); } zend_module_entry dec_interceptor_module_entry = { STANDARD_MODULE_HEADER, "dec_interceptor", NULL, PHP_MINIT(dec_interceptor), PHP_MSHUTDOWN(dec_interceptor), PHP_RINIT(dec_interceptor), NULL, PHP_MINFO(dec_interceptor), PHP_DEC_INTERCEPTOR_VERSION, STANDARD_MODULE_PROPERTIES }; ZEND_GET_MODULE(dec_interceptor)