PHP-Parser与PHP代码混淆技术详解<\/h1>

一、PHP-Parser基础<\/h2>
PHP-Parser是由nikic用PHP编写的PHP5.2到PHP7.4解析器，主要用于简化静态代码分析和操作。<\/p>

1.1 创建解析器实例<\/h3>
use<\/span> PhpParser\ParserFactory<\/span>;
<\/span><\/span>$parser =<\/span> (new<\/span> ParserFactory<\/span>)-><\/span>create<\/span>(ParserFactory<\/span>::<\/span>PREFER_PHP7<\/span>);
<\/span><\/span><\/code><\/pre>ParserFactory支持的参数：<\/p>

PREFER_PHP7<\/code>：优先解析PHP7，失败则解析为PHP5<\/li>
PREFER_PHP5<\/code>：优先解析PHP5，失败则解析为PHP7<\/li>
ONLY_PHP7<\/code>：只解析PHP7<\/li>
ONLY_PHP5<\/code>：只解析PHP5<\/li>
<\/ul>
1.2 解析PHP脚本为AST<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>use<\/span> PhpParser\Error<\/span>;
<\/span><\/span>use<\/span> PhpParser\ParserFactory<\/span>;
<\/span><\/span>
<\/span><\/span>$code =<\/span> file_get_contents<\/span>(".\/test.php"<\/span>);
<\/span><\/span>$parser =<\/span> (new<\/span> ParserFactory<\/span>)-><\/span>create<\/span>(ParserFactory<\/span>::<\/span>PREFER_PHP7<\/span>);
<\/span><\/span>
<\/span><\/span>try<\/span> {
<\/span><\/span>    $ast =<\/span> $parser-><\/span>parse<\/span>($code);
<\/span><\/span>} catch<\/span> (Error<\/span> $error) {
<\/span><\/span>    echo<\/span> "Parse error: <\/span>{<\/span>$error-><\/span>getMessage<\/span>()}<\/span>\n<\/span>"<\/span>;
<\/span><\/span>}
<\/span><\/span>var_dump<\/span>($ast);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>1.3 节点类型<\/h3>
PHP-Parser节点分为三类：<\/p>

语句节点(Stmts)<\/strong>：不返回值且不能出现在表达式中，如类定义<\/li>
表达式节点(Expr)<\/strong>：返回值的语言构造，如变量($var<\/code>)和函数调用(func()<\/code>)<\/li>
标量节点(Scalars)<\/strong>：表示标量值，如字符串、数字等<\/li>
<\/ol>
1.4 节点遍历<\/h3>
使用NodeTraverser<\/code>遍历节点：<\/p>
use<\/span> PhpParser\NodeTraverser<\/span>;
<\/span><\/span>use<\/span> PhpParser\NodeVisitorAbstract<\/span>;
<\/span><\/span>use<\/span> PhpParser\Node<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> MyVisitor<\/span> extends<\/span> NodeVisitorAbstract<\/span> {
<\/span><\/span>    public<\/span> function<\/span> leaveNode<\/span>(Node<\/span> $node) {
<\/span><\/span>        if<\/span> ($node instanceof<\/span> Node\Scalar\String_<\/span>) {
<\/span><\/span>            echo<\/span> $node-><\/span>value<\/span>,"<\/span>\n<\/span>"<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$traverser =<\/span> new<\/span> NodeTraverser<\/span>;
<\/span><\/span>$traverser-><\/span>addVisitor<\/span>(new<\/span> MyVisitor<\/span>);
<\/span><\/span>$stmts =<\/span> $traverser-><\/span>traverse<\/span>($ast);
<\/span><\/span><\/code><\/pre>NodeVisitor接口的四个方法：<\/p>

beforeTraverse(array $nodes)<\/code>：遍历前调用<\/li>
enterNode(Node $node)<\/code>：进入节点时调用<\/li>
leaveNode(Node $node)<\/code>：离开节点时调用<\/li>
afterTraverse(array $nodes)<\/code>：遍历后调用<\/li>
<\/ol>
二、PHP代码混淆与反混淆<\/h2>
2.1 phpjiami混淆分析<\/h3>
2.1.1 常见反调试技巧<\/h4>

CLI环境检测：<\/li>
<\/ol>
php_sapi_name<\/span>()==<\/span>"cli"<\/span> ?<\/span> die<\/span>() :<\/span> ''<\/span>
<\/span><\/span><\/code><\/pre>
运行环境检测：<\/li>
<\/ol>
if<\/span> (!<\/span>isset<\/span>($_SERVER["HTTP_HOST"<\/span>]) &&<\/span> !<\/span>isset<\/span>($_SERVER["SERVER_ADDR"<\/span>]) &&<\/span> !<\/span>isset<\/span>($_SERVER["REMOTE_ADDR"<\/span>])) {
<\/span><\/span>    die<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
执行时间检测：<\/li>
<\/ol>
$v46 =<\/span> microtime<\/span>(true<\/span>) *<\/span> 1000<\/span>;
<\/span><\/span>eval<\/span>(""<\/span>);
<\/span><\/span>if<\/span> (microtime<\/span>(true<\/span>) *<\/span> 1000<\/span> -<\/span> $v46 ><\/span> 100<\/span>) {
<\/span><\/span>    die<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
文件完整性检查：<\/li>
<\/ol>
!<\/span>strpos<\/span>(func2<\/span>(substr<\/span>($v51, func2<\/span>("???"<\/span>), func2<\/span>("???"<\/span>))), md5<\/span>(substr<\/span>($<\/span>51<\/span>, func2<\/span>("??"<\/span>), func2<\/span>("???"<\/span>)))) ?<\/span> $<\/span>52<\/span>() :<\/span> $<\/span>53<\/span>;
<\/span><\/span><\/code><\/pre>2.1.2 解密流程<\/h4>

解密核心代码：<\/li>
<\/ol>
$v55 =<\/span> str_rot13<\/span>(@<\/span>gzuncompress<\/span>(func2<\/span>(substr<\/span>($v51,-<\/span>974<\/span>,$v55))));
<\/span><\/span><\/code><\/pre>
最终通过eval执行解密后的代码<\/li>
<\/ol>
2.2 enphp混淆分析<\/h3>
2.2.1 混淆特点<\/h4>

将字符串、函数等替换为$GLOBALS{乱码}[num]<\/code>形式<\/li>
使用全局数组存储原始字符串<\/li>
<\/ul>
2.2.2 反混淆方法<\/h4>

提取全局字符串数组：<\/li>
<\/ol>
$split=<\/span>$ast[2<\/span>]-><\/span>expr<\/span>-><\/span>expr<\/span>-><\/span>args<\/span>[0<\/span>]-><\/span>value<\/span>-><\/span>value<\/span>;
<\/span><\/span>$all=<\/span>$ast[2<\/span>]-><\/span>expr<\/span>-><\/span>expr<\/span>-><\/span>args<\/span>[1<\/span>]-><\/span>value<\/span>-><\/span>value<\/span>;
<\/span><\/span>$str_arr=<\/span>explode<\/span>($split,$all);
<\/span><\/span><\/code><\/pre>
替换节点类型：<\/li>
<\/ol>
if<\/span> ($node instanceof<\/span> PhpParser\Node\Expr\ArrayDimFetch<\/span>
<\/span><\/span>    &&<\/span> $node-><\/span>var<\/span> instanceof<\/span> PhpParser\Node\Expr\ArrayDimFetch<\/span>
<\/span><\/span>    &&<\/span> $node-><\/span>var<\/span>-><\/span>var<\/span> instanceof<\/span> PhpParser\Node\Expr\Variable<\/span>
<\/span><\/span>    &&<\/span> $node-><\/span>var<\/span>-><\/span>var<\/span>-><\/span>name<\/span>===<\/span>"GLOBALS"<\/span>
<\/span><\/span>    \/\/ ...其他条件
<\/span><\/span><\/span><\/span>){
<\/span><\/span>    return<\/span> new<\/span> PhpParser\Node\Scalar\String_<\/span>($this-><\/span>str_arr<\/span>[$node-><\/span>dim<\/span>-><\/span>value<\/span>]);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
处理函数调用：<\/li>
<\/ol>
if<\/span> (($node instanceof<\/span> Node\Expr\FuncCall<\/span>
<\/span><\/span>    ||<\/span> $node instanceof<\/span> Node\Expr\StaticCall<\/span>
<\/span><\/span>    ||<\/span> $node instanceof<\/span> Node\Expr\MethodCall<\/span>)
<\/span><\/span>    &&<\/span> $node-><\/span>name<\/span> instanceof<\/span> Node\Scalar\String_<\/span>) {
<\/span><\/span>    $node-><\/span>name<\/span> =<\/span> new<\/span> Node\Name<\/span>($node-><\/span>name<\/span>-><\/span>value<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
美化变量名：<\/li>
<\/ol>
function<\/span> BeautifyVariables<\/span>($code){
<\/span><\/span>    $v =<\/span> 0<\/span>;
<\/span><\/span>    $map =<\/span> [];
<\/span><\/span>    $tokens =<\/span> token_get_all<\/span>($code);
<\/span><\/span>    foreach<\/span> ($tokens as<\/span> $token) {
<\/span><\/span>        if<\/span> ($token[0<\/span>] ===<\/span> T_VARIABLE<\/span> &&<\/span> !<\/span>isset<\/span>($map[$token[1<\/span>]])) {
<\/span><\/span>            $code =<\/span> str_replace<\/span>($token[1<\/span>], '$v'<\/span> .<\/span> $v++<\/span>, $code);
<\/span><\/span>            $map[$token[1<\/span>]] =<\/span> $v;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $code;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>三、实用技巧<\/h2>

格式化混淆代码<\/strong>：<\/li>
<\/ol>
use<\/span> PhpParser\PrettyPrinter<\/span>;
<\/span><\/span>$prettyPrinter =<\/span> new<\/span> PrettyPrinter\Standard<\/span>;
<\/span><\/span>$prettyCode =<\/span> $prettyPrinter-><\/span>prettyPrintFile<\/span>($ast);
<\/span><\/span><\/code><\/pre>
节点查找<\/strong>：<\/li>
<\/ol>
use<\/span> PhpParser\NodeFinder<\/span>;
<\/span><\/span>$nodeFinder =<\/span> new<\/span> NodeFinder<\/span>;
<\/span><\/span>$Funcs =<\/span> $nodeFinder-><\/span>findInstanceOf<\/span>($ast, PhpParser\Node\Stmt\Function_<\/span>::<\/span>class<\/span>);
<\/span><\/span><\/code><\/pre>
调试节点结构<\/strong>：<\/li>
<\/ol>
$nodeDumper =<\/span> new<\/span> NodeDumper<\/span>;
<\/span><\/span>echo<\/span> $nodeDumper-><\/span>dump<\/span>($stmts), "<\/span>\n<\/span>"<\/span>;
<\/span><\/span>\/\/ 或使用命令行工具
<\/span><\/span><\/span>\/\/ vendor\/bin\/php-parse test.php
<\/span><\/span><\/span><\/code><\/pre>四、参考资源<\/h2>

PHP-Parser官方文档<\/a><\/li>
enphp项目<\/a><\/li>
PHP代码混淆与反混淆技术讨论<\/a><\/li>
<\/ol>
PHP-Parser与PHP代码混淆技术详解<\/h1>

一、PHP-Parser基础<\/h2> PHP-Parser是由nikic用PHP编写的PHP5.2到PHP7.4解析器，主要用于简化静态代码分析和操作。<\/p>

二、PHP代码混淆与反混淆<\/h2>

2.1 phpjiami混淆分析<\/h3>

2.2 enphp混淆分析<\/h3>

四、参考资源<\/h2> PHP-Parser官方文档<\/a><\/li> enphp项目<\/a><\/li> PHP代码混淆与反混淆技术讨论<\/a><\/li> <\/ol>

一、PHP-Parser基础<\/h2>
PHP-Parser是由nikic用PHP编写的PHP5.2到PHP7.4解析器，主要用于简化静态代码分析和操作。<\/p>

四、参考资源<\/h2>

PHP-Parser官方文档<\/a><\/li>
enphp项目<\/a><\/li>
PHP代码混淆与反混淆技术讨论<\/a><\/li> <\/ol>
