Security-related PHP7 OPcache abuse tools and demo
Python PHP
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
analysis_tools open binary file with rb rather than b Mar 29, 2018
demo More changes to setup script Apr 26, 2016
static Adds images for readme. May 13, 2016
LICENSE Specified license: MIT Apr 27, 2016 Fixes duplicate declaration of variable in zend_arg_info May 4, 2016 First attempt at x86_64 support with the disassembler and 010editor t… Jan 4, 2017 linked to HackFest's video and slides Feb 10, 2017 Specified license: MIT Apr 27, 2016

PHP OPcache Override

This project contains the demo website and the tools presented in the following blog posts :

010 Editor Template

These templates parse OPcache files generated by a 32 and 64 bit platform.

  • Download 010 editor
  • Templates -> Open Template... Select or
  • Open your OPcache file
  • Press F5

Python System ID Scraper

This tool lets you extract the system_id of a phpinfo() page. Simply pass a filename or a URL.

$ ./ info.html
PHP version : 7.0.4-7ubuntu2
Zend Extension ID : API320151012,NTS
Zend Bin ID : BIN_SIZEOF_CHAR48888
Assuming x86_64 architecture
System ID : 81d80d78c6ef96b89afaadc7ffc5d7ea

OPcache Disassembler

This tool lets you disassemble an OPcache file.

You can display it as a syntax tree (-t) or pseudocode (-c) on both 32 and 64 bit platforms. Simply pass a display option, the architecture to use and an OPcache file.

$ ./ -c -a64 malware.php.bin

#0 $280 = FETCH_IS('_GET', None);
#1 ~0 = ISSET_ISEMPTY_DIM_OBJ($280, 'test');
#2 JMPZ(~408, ->5);
#3 ECHO('success', None);

OPcache Malware Hunter

This tool helps detect malware hidden in OPcache files by looking for manipulated OPcache files. It compiles its own version of the source code, compares the compiled file with the current cache file and checks for differences. You must run this tool on the same system as the one where the cache files have been compiled originally.

OPcache malware hunter requires four parameters :

  • The location of the cache folder
  • The architecture of the system (32 or 64 bit)
  • The system_id
  • The php.ini file used

In the situation where a potentially infected cache file is found, OPcache Malware Hunter will generate an HTML report in the filesystem showing the differences between the source code and the infected cache file.

$ ./ /tmp/cache -a64 2d3b19863f4c71f9a3adda4c957752e2 /etc/php/7.0/cli/php.ini
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/payload.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/payload.php.bin
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-config.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-config.php.bin
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-load.php.bin
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-includes/pomo/translations.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-includes/pomo/translations.php.bin
Potentially infected files :
 - /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin

Main page of generated report :

A typical report page :



To setup the demo, run the following two commands :

sudo ./
php -S -c php.ini

Note that on some Linux based systems, the opcache subsystem is compiled out of the PHP core and must be dynamically loaded. This can be performed by adding the following statement under the [PHP] directive: