Open gnanet opened 5 years ago
@bediger4000 I don't have the required know-how to write the code for the above-mentioned "manual interventions", but it would be great to know if you think these would be useful.
Also, in that case I could try to learn the subject and try to write the code.
Hello, thank you! I have had a lot to do at work, so I haven't taken a detailed look at what you wrote. None of your ideas look impossible. I will incorporate what I can after my job requirements ease up.
Again, thank you for your ideas and effort, and my apologies for being unavailable.
You don't need any apologies, I totally understand your priorities. I have these kinds of restrictions on my time for open-source projects too. I am happy to see you think it's worth the code, so if I have any of them ready, I will make a PR referring to this issue; also, if I have already started and am deep into one of these, I'll get back to let you know.
Sample source code: https://malwaredecoder.com/result/0a2a7c5bb813d755f72823f2a5895ac8
This is the cleanup module of the ai-bolit scanner, and it is a great sample of obfuscation techniques.
Until the third run of deobfuscation, I was missing the point about using the magic constant __FILE__.
This specific script relies, in its obfuscation techniques, only on the basename `procu2.php`, but for the sake of completeness, the full path and filename of the file is
Regarding the usage of __FILE__, I noticed a good solution in the linked malwaredecoder source.
The first issue that reverse-php-malware and PHP-Parser could not solve on their own was a `goto` pair that jumps into the middle of the code, sets the function alias variables, then jumps back to the beginning. Without the variable-to-function replacements, a lot of things cannot be further deobfuscated.
The second issue that needed manual help was the usage of the XOR operator, sometimes combined with variable concatenation, and string-part deobfuscation like base64_decode to generate the function names:
`array_map("i1001" . '100100111100111', array(''));`
Or, one time for example, the multi-level obfuscation generated a list of function names that were called by array_walk in their order of appearance as an argument of a wrapper function, which processed a strongly obfuscated string recursively to replace a combination of base64_decode, compression, rot13, etc. calls.
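A constant folder for the patterns described in this thread (string XOR keyed on the basename taken from __FILE__, `.` concatenation, and base64/rot13/strrev/gzinflate wrappers around literals), written here as an added example; it is not code from reverse-php-malware or PHP-Parser, and the sample expressions and the `/var/www/html/procu2.php` path it assumes are constructed. Only pure decoder calls are folded, so unknown names simply raise instead of being executed.

```python
import base64, codecs, re, zlib

# Token classes: double-quoted literal, single-quoted literal, name, punctuation.
TOKEN = re.compile(r"""\s*(?:("(?:\\.|[^"\\])*")|('(?:\\.|[^'\\])*')|(\w+)|([().^,]))""")
ESC = {"n": "\n", "t": "\t", "\\": "\\", '"': '"', "$": "$"}

def unquote(tok):
    """Decode a PHP string literal into bytes (the escape subset seen in these scripts)."""
    body = tok[1:-1]
    if tok[0] == "'":
        return re.sub(r"\\([\\'])", r"\1", body).encode("latin-1")
    esc = lambda m: chr(int(m.group(1), 16)) if m.group(1) else ESC.get(m.group(2), "\\" + m.group(2))
    return re.sub(r"\\(?:x([0-9A-Fa-f]{1,2})|(.))", esc, body).encode("latin-1")  # \x takes 1-2 digits, as in PHP

def php_xor(a, b):
    """PHP '^' on two strings: byte-wise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))
FUNCS = {  # pure decoder calls that are safe to fold; anything else raises KeyError
    "base64_decode": base64.b64decode,
    "str_rot13": lambda s: codecs.encode(s.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda s: s[::-1],
    "basename": lambda s: s.rsplit(b"/", 1)[-1],
    "gzinflate": lambda s: zlib.decompress(s, -15),
}

def fold(expr, file_path=b"/var/www/html/procu2.php"):
    """Evaluate a constant-only PHP expression; __FILE__ resolves to file_path (assumed path)."""
    toks = [next(g for g in m.groups() if g is not None) for m in TOKEN.finditer(expr)]
    pos = [0]
    peek = lambda: toks[pos[0]] if pos[0] < len(toks) else None
    def take(): pos[0] += 1; return toks[pos[0] - 1]
    def primary():
        t = take()
        if t[0] in "\"'": return unquote(t)
        if t == "__FILE__": return file_path
        if t == "(": v = xor_expr(); take(); return v  # parenthesised sub-expression
        take()  # '(' opening a call to FUNCS[t]
        args = [] if peek() == ")" else [xor_expr()]
        while peek() == ",": take(); args.append(xor_expr())
        take()  # ')'
        return FUNCS[t](*args)
    def concat():  # '.' binds tighter than '^' in PHP
        v = primary()
        while peek() == ".": take(); v += primary()
        return v
    def xor_expr():
        v = concat()
        while peek() == "^": take(); v = php_xor(v, concat())
        return v
    return xor_expr()
```

Running `fold` over the constant-only call arguments before the AST pass turns the XOR/concat/decoder chains back into plain names, so a later rewrite can replace the dynamic calls with their real targets.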