First commit

extremecoders-re · Apr 30, 2020 · 13eebec · 13eebec
1 parent 46752ea
commit 13eebec
Show file tree

Hide file tree

Showing 3 changed files with 242 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -0,0 +1,133 @@
+# php-eval-hook
+
+A PHP extension for hooking `eval`. Useful for dumping eval-obfuscated code.
+
+## Compiling steps
+
+The extension has only been tested on PHP 7.2.24 available on Ubuntu 18.04 repos. Expected to work with PHP 7.x in general. May work with PHP 5.x but is untested.
+
+1. Install php and php-dev packages. Here we are using the packages available on the official Ubuntu 18.04 repos.
+
+    ```
+    $ sudo apt install php7.2 php7.2-dev
+    ```
+
+2. Clone the repository
+
+    ```
+    git https://github.com/extremecoders-re/php-eval-hook
+    ```
+
+3. Run `phpize`. This will generate the `Makefile` and other files needed for buidling the extension.
+
+    ```
+    $ cd php-eval-hook
+    $ phpize
+    ```
+
+4. Build the extension. `make install` copies the `.so` to the appropriate location.
+
+    ```
+    $ ./configure --enable-evalhook
+
+    $ make
+
+    $ make install
+    Installing shared extensions:     /usr/lib/php/20170718/
+    ```
+
+## Registering the extension with PHP
+
+1. Find the location  of *php.ini*.
+
+    ```
+    $ php -r 'phpinfo();' | grep php.ini
+    Configuration File (php.ini) Path => /etc/php/7.2/cli
+    Loaded Configuration File => /etc/php/7.2/cli/php.ini
+    ```
+
+2. Edit *php.ini* and add the line `extension=evalhook.so` at the end.
+    ```
+    $ echo "extension=evalhook.so" >> /etc/php/7.2/cli/php.ini
+    ```
+
+3. Ensure that the extension is properly loaded.
+    ```
+    $ php -r 'print_r(get_loaded_extensions());' | grep evalhook
+        [14] => evalhook
+    ```
+
+    ```
+    $ php -r 'phpinfo();' | grep eval
+    evalhook
+    eval() hooking => enabled
+    callback function => __eval
+    ```
+
+## Usage
+
+You must define a callback function named `__eval` in your PHP code. The extension will call this function whenever it encounters an `eval`. Inside your callback you can print the code to stdout or dump to a file or whatever you want.
+
+### Example
+
+**Original Code**
+```php
+<?php
+function test_obfuscated()
+{
+	echo("This is an obfuscated function\n");
+}
+
+test_obfuscated();
+?>
+```
+**obfuscated.php** [Generated from [Simple online PHP obfuscator](https://www.mobilefish.com/services/php_obfuscator/php_obfuscator.php)]
+```
+<?php
+eval(str_rot13(gzinflate(str_rot13(base64_decode('LUnHEqxVDvyaiWx7w9PEnvDeey4ba++hMV8/1bvLTkQSqgyVUXOxtdPz5xi/6f5Z9fZ0nqqNwP6zYVi2YX/KqXjK5//O36quwWnFbI6jsDfENXDEcqf+6qgkvpSe6W/+F2/WCTAwpAJY2asyRin6IjInIjN8yxKcRcg8+ooz2q07z0f5F+KqPi4Tp4qYbdKKWQg2mtIN5fVe1GIksHhs9442hlHZkKl/gdd4sqSr76LZfqIezT0pD4Kk0O8GAxZGdj4zJfqzFo7LCFpPE+qmGg1weGq9C/u2dxjhbTQJ27MEyMcjsiDiFl+SBSc1GqY9cwZIXd/fOcyH3HVLvQg0wab0aD0IV6aH1fCuRRMOpI3yR67lB22kR3YwnSL9VyAyH1M3FU8UHX1SSJ0jrk0knA1AvrwKbx5m0F1Slc734/MQmSSvaI74Ms1iBkbe28ZRSSUIi2q9VWOX7TCFOAQJH9JG7sPHL5Exr1h8AoVmLorKcq2hdqOWYjw9YmIBcp8nGkcOD0RRaemYNK1UGS2BNmhxjwSIjYq6zy74LF5LOoKk7z6UuXwhrDUdjIjhCIBj6wKiUfFauCN8cfV7paJDhE4uNWnAU9jAi56eZg9vbnp2pdGv8TAZibkk8tOChg8BQnibT9XTMF+Ji14oHKFSw4cC9KAByV38s709S15IfTTY7y/HfP1CrMql3OzQ6laMAeeDkaF8oJXzVDC2r+OxT+sscZLqAOZOMtZKOrMDeIA1GrmYXEeK2xw9rz2eD6lS4Z+tHumo+ohnNyIRSks4ezS5DSuxBPZHJijcrVp8VyMF5+QYA65+RZlgXC/MpCaxrpC09egnLU1ZPzvoI+b2nRrVAFhza2tKr5flLUnrJpVLxrwFdCbHCZCHl+FNmY/7WHnGQAYRqzOGWmEjDpJfiNLiQX6ZuO/fFYv1G5s7zmhDFEp+XRk83OSa20Xp7fHgcsuIxEr0Cr/nBifjtxVjVmWp7J7uz7fbBCtAbrHVxd/Y9KiJ6+v7+2vVvakJBLqwPFC7j8UaHAqiVo7g9epTjuIY+YjEe33mpu6q3o5WEoFe/ZhLjOPg81glFe/d034V8MR8J4IeiYxJacnfnrEomrU6JZnnIS3gRSwxLPLGaruclu4pE2nOC9Giva+gke20Gcj3CnWAUh60Fo9hl5zUmV+To1lNkXIlySsiqbBFum2kQByYbdgY+qkNMIyY5JYrf0ea5qYI0NVolSqyNn87zGoN0KQSfpTHhcsTLOyTMqr1BHMFmauv45lzkItrNsF+EmhFYW3IQau98k02sNJSui6qH+dxCBErcIfNd1V+C5VZdM8nXpM4Nz3Ks7LcYUbCFKkbycFKglJCC81V+x6WOvUZuzB5T0a4d4EqtEMTEx8sruaatdQ196pNUMyop5O/IXBcYcSKxV3tMNQnmvjdRb15czcwPc4s0GzRGt6z4t7UHRLZwVbvJ4dNG34aEmWkwTWrcHAxVdea5mvcjx+niB1zGlXE2VWgnxjWm+/QQ5sPcdg1jFDaJ3Wj5/IaBJVwB3Yg7wYl1sq0+THRVjt9q2JNb/FDgfxHUqRlAzQtKIujxS0jYjQEd904bodSTSWyxYMo3EAQ+Ze4Wwu2+5Mf9JUjlY8NxFE8aDhbEyRBmYGlsCjDKcsYQugDsCsZ1A9fmRXLDM4P2zHXwZFalMtKiF5gCozxW+AeOYHioLUpeCEQ1RJbpEZcFfkmysYXsoK+Pj/GV/Jyry0ulQGBHFOG80lAnwVDefMgyh0SeHBxgw42p71dBGOX8ffXxZzVYKdafLfKnkc6NNK1HMUq91mujX6Ml6sufPDXnwmfr8h6CjT18PXGXnGhfdv49knuEmPjN3JuXEedbUmNBs7XzzTy6+bbd4p5rAQ1IORCirZTTkZLC1DT5+FoAqGyKJv8J378EQMbMFG+FWzEag0F3DUw7N5q+8/0JZ1ZIn5tU5BhXCx1o29Xg4fP2GyDenLPQZvrvv5hTf/l7842N+I+xVOyU6a+jPvlf+gNC/e1mOHw74IzDRSGHV/AJ+LG8CArb9pzQW6a6r7PzzeVpzz7zE8WpdEMYeNxAU/ic4b0GX7cTaefJvr+ZNkNrehaP2c4N8BD4h+HqMrkbLAO7gxqUXW+W/xKit1asleqKmJ0z/VelCznA4OoLa714sheo5QyvurFRrFP0/uI9Zt4X7ewWPlxIRCfG02k0AwDWEgGG5YS22dgupM3nyT8hLgoefpW3TccASg5oQbQsq2qr/DpCE9N9t+fBxHr24qK+NWSqaFgjF/NWngIws2uVZYE0r2hU8tgUyi9+HJuOdPLKjI6eUo/MTcPZ8a3vrkGr5CFqRr1UZxVhj2d9mitp1c2zf4jKIkR6Pq/E2rLX6j997/A8+9/AA==')))));
+?>
+```
+
+**harness.php**
+```php
+<?php
+function __eval($code, $file) {
+  echo "eval() @ {$file}:\n{$code}\n\n";
+
+  // return FALSE if you want to prevent the eval()
+  // return false;
+
+  // return a string if you want to replace the eval-d code
+  // return 'echo 2;';
+
+  // return nothing to continue execution normally
+}
+
+include("obfuscated.php");
+?>
+```
+
+```
+$ php obfuscated.php
+This is an obfuscated function
+```
+
+```
+$ php harness.php | tail
+
+eval() @ /workspace/php7/obfuscated.php(2) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'
+d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : ev
+al()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code:
+function test_obfuscated()
+{
+        echo("This is an obfuscated function\n");
+}
+
+test_obfuscated();
+
+This is an obfuscated function
+```
+
+## Credits
+
+The extension is based on [php-eval](https://github.com/mfmans/php-eval).
diff --git a/config.m4 b/config.m4
@@ -0,0 +1,6 @@
+PHP_ARG_ENABLE(evalhook, whether to enable evalhook support,
+[ --enable-evalhook   Enable PHP eval hook support])
+if test "$PHP_EVALHOOK" = "yes"; then
+  AC_DEFINE(HAVE_EVALHOOK, 1, [Whether you have PHP EVALHOOK])
+  PHP_NEW_EXTENSION(evalhook, evalhook.c, $ext_shared)
+fi
diff --git a/evalhook.c b/evalhook.c
@@ -0,0 +1,103 @@
+/* $Id$ */
+
+#include "php.h"
+#include "ext/standard/info.h"
+
+
+#define EVAL_CALLBACK_FUNCTION  "__eval"
+
+
+static zend_op_array* (*old_compile_string)(zval *source_string, char *filename TSRMLS_DC);
+
+
+static zend_op_array* evalhook_compile_string(zval *source_string, char *filename TSRMLS_DC)
+{
+	zend_op_array *op_array = NULL;
+	int op_compiled = 0;
+
+	if(strstr(filename, "eval()'d code")) {
+		if(zend_hash_str_exists(CG(function_table), EVAL_CALLBACK_FUNCTION, strlen(EVAL_CALLBACK_FUNCTION) TSRMLS_CC)) {
+			zval function;
+			zval retval;
+			zval parameter[2];
+
+			parameter[0] = *source_string;
+
+			ZVAL_STRING(&function, EVAL_CALLBACK_FUNCTION);
+			ZVAL_STRING(&parameter[1], filename);
+
+			if(call_user_function(CG(function_table), NULL, &function, &retval, 2, parameter TSRMLS_CC) == SUCCESS) {
+				switch(Z_TYPE(retval)) {
+					case IS_STRING:
+						op_array = old_compile_string(&retval, filename TSRMLS_CC);
+					case IS_FALSE:
+						op_compiled = 1;
+						break;
+				}
+			}
+
+			zval_dtor(&function);
+			zval_dtor(&retval);
+			zval_dtor(&parameter[1]);
+		}
+	}
+
+	if(op_compiled) {
+		return op_array;
+	} else {
+		return old_compile_string(source_string, filename TSRMLS_CC);
+	}
+}
+
+
+PHP_MINIT_FUNCTION(evalhook)
+{
+	return SUCCESS;
+}
+
+PHP_MSHUTDOWN_FUNCTION(evalhook)
+{
+	return SUCCESS;
+}
+
+PHP_RINIT_FUNCTION(evalhook)
+{
+	old_compile_string = zend_compile_string;
+	zend_compile_string = evalhook_compile_string;
+	return SUCCESS;
+}
+
+PHP_RSHUTDOWN_FUNCTION(evalhook)
+{
+	zend_compile_string = old_compile_string;
+	return SUCCESS;
+}
+
+PHP_MINFO_FUNCTION(evalhook)
+{
+	php_info_print_table_start();
+	php_info_print_table_row(2, "eval() hooking", "enabled");
+	php_info_print_table_row(2, "callback function", EVAL_CALLBACK_FUNCTION);
+	php_info_print_table_end();
+}
+
+
+zend_function_entry evalhook_functions[] = {
+	ZEND_FE_END
+};
+
+zend_module_entry evalhook_module_entry = {
+	STANDARD_MODULE_HEADER,
+	"evalhook",
+	evalhook_functions,
+	PHP_MINIT(evalhook),
+	PHP_MSHUTDOWN(evalhook),
+	PHP_RINIT(evalhook),	
+	PHP_RSHUTDOWN(evalhook),
+	PHP_MINFO(evalhook),
+	"0.0.1-dev",
+	STANDARD_MODULE_PROPERTIES
+};
+
+ZEND_GET_MODULE(evalhook)
+