A tool written in Python to help de-obfuscate $GLOBALS-type PHP malware.
Works on the following malware families: hexedglobals.3793 | Kidslug | php.obfuscated! | php.malware.GLOBALS.003 | php.malware.GLOBALS.004
How does it work
The first part of the script takes the hex alphabet and maps each character to the number (index) that references it in the obfuscated code. Thanks to @iamrasting for his help on this part. The remainder of the script deobfuscates the file you name and writes the result to output.txt.
- Find the hex alphabet within the code. It will look something like this
- Copy and paste the alphabet into Alphabet Soup at the top.
- Check that every hex escape is well formed: each should be two hex digits in the format \x01.
  Where an escape has only one digit, e.g. \xd, add a leading 0 (\x0d), otherwise the script will fail. Look out for \xd, \x9 and \xa in particular, which seem to be the ones that are not formed correctly.
TIP - if you want nicely formatted output, run the code through a PHP formatter before processing it.
- Enter the name of the webshell file in the `open()` call:

```python
with open('globals.php') as infile:
    for obs in infile:
        ...  # per-line processing continues in the script
```
- Run the script
- Open output.txt for your deobfuscated code.
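As an added example (not the project's own script), the following self-contained Python sketch shows the two stages described above: decoding the hex alphabet, including padding malformed one-digit escapes such as `\xd` to `\x0d`, and then replacing runs of `$GLOBALS['name'][N]` lookups with the string they spell. The sample PHP input, the table name `v`, and the exact `$GLOBALS['name'][N]` reference syntax are constructed assumptions; real samples may use other names or quoting.

```python
import re

# Constructed sample input (not taken from any real sample): one $GLOBALS-style
# "alphabet" assignment followed by concatenations of indexed references.
# The alphabet deliberately ends with the malformed escapes \xd \xa \x9.
SAMPLE = r"""<?php
$GLOBALS['v'] = "\x73\x74\x72\x5f\x72\x6f\x74\x31\x33\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\xd\xa\x9";
$f = $GLOBALS['v'][9].$GLOBALS['v'][10].$GLOBALS['v'][11].$GLOBALS['v'][12].$GLOBALS['v'][13].$GLOBALS['v'][14].$GLOBALS['v'][15].$GLOBALS['v'][16].$GLOBALS['v'][17].$GLOBALS['v'][18].$GLOBALS['v'][19].$GLOBALS['v'][16].$GLOBALS['v'][12];
$g = $GLOBALS['v'][0] . $GLOBALS['v'][1] . $GLOBALS['v'][2] . $GLOBALS['v'][3] . $GLOBALS['v'][4] . $GLOBALS['v'][5] . $GLOBALS['v'][6] . $GLOBALS['v'][7] . $GLOBALS['v'][8];
"""

# The alphabet definition: $GLOBALS['name'] = "\x..\x..";  (assumed shape)
ALPHABET_DEF_RE = re.compile(
    r"\$GLOBALS\[['\"](\w+)['\"]\]\s*=\s*\"((?:\\x[0-9a-fA-F]{1,2})+)\"\s*;")
# One indexed lookup, e.g. $GLOBALS['name'][12]  (assumed shape)
REF_RE = re.compile(r"\$GLOBALS\[['\"](\w+)['\"]\]\[(\d+)\]")
# A run of lookups joined with PHP's '.' operator
REF_RUN_RE = re.compile(
    r"\$GLOBALS\[['\"]\w+['\"]\]\[\d+\](?:\s*\.\s*\$GLOBALS\[['\"]\w+['\"]\]\[\d+\])*")


def normalize_hex_escapes(raw):
    """Pad one-digit escapes (\\xd -> \\x0d) so every escape is exactly two hex digits."""
    return re.sub(r"\\x([0-9a-fA-F])(?![0-9a-fA-F])", r"\\x0\1", raw)


def decode_alphabet(raw):
    """Turn the PHP \\xHH string into the character table it encodes.

    The index of each character in the returned string is the number used
    in $GLOBALS['name'][N] to reference it.
    """
    fixed = normalize_hex_escapes(raw)
    return "".join(chr(int(h, 16)) for h in re.findall(r"\\x([0-9a-fA-F]{2})", fixed))


def find_alphabets(src):
    """Map every $GLOBALS table name defined in src to its decoded alphabet."""
    return {name: decode_alphabet(raw) for name, raw in ALPHABET_DEF_RE.findall(src)}


def php_single_quoted(s):
    """Render s as a PHP single-quoted literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def deobfuscate(src):
    """Replace each run of concatenated alphabet lookups with the string it spells."""
    alphabets = find_alphabets(src)

    def resolve(match):
        chars = []
        for name, idx in REF_RE.findall(match.group(0)):
            table = alphabets.get(name)
            if table is None or int(idx) >= len(table):
                return match.group(0)  # unknown table or bad index: leave untouched
            chars.append(table[int(idx)])
        return php_single_quoted("".join(chars))

    return REF_RUN_RE.sub(resolve, src)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Running it prints the sample with `$f = 'base64_decode';` and `$g = 'str_rot13';` in place of the lookup chains; a lookup whose table is unknown or whose index is out of range is left exactly as found, so a partially recognised file still round-trips without silent corruption.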
I have experimental code that converts some further hex values to Python: https://repl.it/repls/UnlawfulGreatLinks. It is currently in development, but you can insert the file and the hex alphabet and it will print out the deobfuscated file.
- The formatting is not great yet, but this is a step closer to complete automation.