Involution124/PHWhat

PHWhat?

PHWhat is a PHP security project that renders all PHP arbitrary code execution unexploitable. The concept is simple: it iterates through the entire PHP source hierarchy and renames every function and method to a different, arbitrarily generated name. This has no effect on PHP's performance. It simply eliminates the leverage of all PHP source code execution, and will be taken many steps further in the near future.

Implementation

  1. Compile and run the PHWhat program to completely obscure PHP's functions and methods, then build PHP.
  2. Use the PHWhat translator to translate your regular PHP to the arbitrarily generated function calls. It's analogous to compiling a C program: before it is run through the translator, nearly all of it will be complete nonsense to your interpreter.
  3. Now whenever an attacker finds a vulnerability that allows PHP code execution, it will be rendered useless, as your obscured PHP build doesn't have the ability to interpret the attacker's PHP function calls, or anything of the sort.

Usage

Unfortunately, the project is not entirely finished. PHP must be compiled with --without-pear and --disable-phar, as PHAR has a few very complicated files. I've added a semi-temporary fix to it which has been commented out, but even that is not fully functional, so if you'd like to give it a shot you'd be more than obliged.

  1. Compile the program with g++ -o PHWhat *.cpp -std=c++11
  2. Run ./configure on your PHP source so PHWhat can use some generated files
  3. e.g. ./configure --without-pear --disable-phar --with-apxs2=/usr/bin/apxs2 --enable-calendar ...
  4. Run the program: ./PHWhat /(directorytophpsource)/php true/false. The second argument controls whether to enable the backtick operator or not.
  5. Build your PHP source (sudo make; sudo make install)
  6. Your PHP build is now fully obscured; the only thing left to do is correlate your files

Compile the PHWhat translator and run it with ./PHWhatTranslator /pathtophpfile /pathtoRandomname.txt (Randomname.txt is generated by PHWhat).

  • Your PHP source should now be fully cooperative with your obscured PHP build, and your code is ready to execute.
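
An added illustration of the translation step (not PHWhat's own code): a minimal C++ rewriter that replaces mapped function names at call sites and copies string literals through unchanged. The "original generated" line format of the name map and the sample names are assumptions, since the layout of Randomname.txt is not shown here; comments and string interpolation are not handled.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Name map in an ASSUMED format: one "original generated" pair per line.
using Map = std::map<std::string, std::string>;
Map load_map(const std::string& text) {
    Map m;
    std::istringstream in(text);
    std::string from, to;
    while (in >> from >> to) m[from] = to;
    return m;
}

static bool ident(char c) { return std::isalnum((unsigned char)c) || c == '_'; }

// Rewrite mapped names only at call sites (identifier followed by '(').
// String literals are copied verbatim; $name( variable calls are left alone.
std::string translate(const std::string& src, const Map& names) {
    std::string out; size_t i = 0;
    while (i < src.size()) {
        char c = src[i];
        if (c == '\'' || c == '"') {
            size_t j = i + 1;
            while (j < src.size() && src[j] != c) j += (src[j] == '\\') ? 2 : 1;
            out.append(src, i, j + 1 - i);   // append clamps at end of input
            i = j + 1;
        } else if (ident(c) && !std::isdigit((unsigned char)c)) {
            size_t j = i, k;
            while (j < src.size() && ident(src[j])) ++j;
            for (k = j; k < src.size() && src[k] == ' '; ++k) {}
            bool call = k < src.size() && src[k] == '(';
            bool var = i > 0 && src[i - 1] == '$';
            std::string id = src.substr(i, j - i);
            auto it = names.find(id);
            out += (call && !var && it != names.end()) ? it->second : id;
            i = j;
        } else {
            out += src[i++];
        }
    }
    return out;
}

int main() {  // constructed sample map and source
    auto m = load_map("strlen a9f3kq\nsystem zz81hd\n");
    std::cout << translate("<?php echo strlen($s); echo 'system(x)';", m) << "\n";
}
```

Code that reaches the interpreter without passing through the translator keeps the original names, which is the property step 3 of the Implementation list relies on.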
