Shulou(Shulou.com)05/31 Report--

This article is about how opcode is used in webshell testing. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

Traditional webshell static detection, by matching signature, eigenvalue, risk function to find WebShell, can only find the known WebShell, and the false alarm rate will be relatively high. However, PHP, a flexible language, can have many ways to bypass detection. After research and testing, opcode can be used as an auxiliary means of static analysis to quickly and accurately locate the calls of controllable functions and parameters in PHP scripts, so as to improve the accuracy of detection. Opcode can also be used to do feature engineering in artificial intelligence detection methods.

0x01, what is opcode?

When the PHP script is parsed by Zend Engine, Zend Engine will lexically and syntactically parse the script, and then compile it into opcode to execute, similar to the bytecode (byte codes) in JVM, except that opcode will not be stored on disk like class files, but will stay in memory until the end of the life cycle of PHP.

We can view the opcode,vld project address of the PHP script through the PHP extension vld: http://pecl.php.net/package/vld

0x02 reads opcode

Let's use vld to generate an opcode to see. The PHP script is as follows:

We use vld to generate opcode:

Php-dvld.active=1-dvld.execute=0 test.php

The information of the intermediate code generated for the PHP code output by VLD is described as follows:

Branch analysis from position is often used when analyzing arrays.

Whether Return found is returned or not, there are basically all of them.

The file name of the filename analysis

The name of the function name function. For each function VLD, a separate message is generated as above. The name of the current function is shown here.

Operands generated by number of ops

Variables during compiled vars compilation, which are added after PHP5, is a cache optimization. Such variables are marked with IS_CV in the PHP source code

This opcode means echo helloworld and then return 1.

Application of 0x03 opcode in webshell Detection

When php webshell is detected after obfuscation encryption, sensitive functions, such as eval, system, and so on, are eventually called. We can convert it to opcode and then check whether opcode has made a sensitive function call. For example:

The above php webshell is decoded to be a Trojan eval ($_ post [x]), which we convert to opcode:

We can see that when the Trojan file is finally converted to opcode, the eval statement "INCLUDE_OR_EVAL" is called, which is obviously a dangerous operation, probably a webshell.

Thank you for reading! This is the end of this article on "how to use opcode in webshell testing". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it out for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.