一、PHP扩展进行代码分析(动态分析)

基础环境 



    
	
	
  1. 
		apt-get install php5
	
    2. 

	
  2. 
		apt-get install php5-dev
	
    3. 

	
  3. 
		apt-get install apache
	
    4. 

	
  4. 
		apt-get install mysql
	
    5.

使用PHPTracert 



    
	
	
  1. 
		mkdir godhead
	
    2. 

	
  2. 
		wget https://github.com/Qihoo360/phptrace/archive/v0.3.0.zip
	
    3. 

	
  3. 
		unzip v0.3.0.zip
	
    4. 

	
  4. 
		cd ./phptrace-0.3.0/extension
	
    5. 

	
  5. 
		phpize5
	
    6. 

	
  6. 
		./configure --with-php-config=/usr/bin/php-config
	
    7. 

	
  7. 
		make & make install
	
    8. 

	
  8. 
		cd ../cmdtool
	
    9. 

	
  9. 
		make 
	
    10.

编辑php.ini,增加 



    
	
	
  1. 
		extension=trace.so
	
    2.

测试 



    
	
	
  1. 
		<?php 
	
    2. 

	
  2. 
		for($i=0;$i<100;$i++){
	
    3. 

	
  3. 
		 echo $I;
	
    4. 

	
  4. 
		 sleep(1);
	
    5. 

	
  5. 
		}
	
    6. 

	
  6. 
		?>
	
    7.

CLI 



    
	
	
  1. 
		php test.php &
	
    2. 

	
  2. 
		ps -axu|grep php
	
    3. 

	
  3. 
		./phptrace -p pid
	
    4.

apache 



    
	
	
  1. 
		curl 127.0.0.1/test.php
	
    2. 

	
  2. 
		ps -aux|grep apache
	
    3. 

	
  3. 
		./phptrace -p pid
	
    4.

phptrace分析

执行的代码如下 



    
	
	
  1. 
		<?php
	
    2. 

	
  2. 
		function c(){
	
    3. 

	
  3. 
		 echo 1;
	
    4. 

	
  4. 
		}
	
    5. 

	
  5. 
		function b(){
	
    6. 

	
  6. 
		 c();
	
    7. 

	
  7. 
		}
	
    8. 

	
  8. 
		function a(){
	
    9. 

	
  9. 
		 b();
	
    10. 

	
  10. 
		}
	
    11. 

	
  11. 
		a();
	
    12. 

	
  12. 
		?>
	
    13.

执行顺序是 



    
	
	
  1. 
		a>b>c>echo
	
    2.

参数含义 

Clipboard Image.png

日志输出 



    
	
	
  1. 
		{"seq":0, "type":1, "level":1, "func":"{main}", "st":1448387651119445, "params":"", "file":"/var/www/html/2.php", "lineno":11 }
	
    2. 

	
  2. 
		{"seq":1, "type":1, "level":2, "func":"a", "st":1448387651119451, "params":"", "file":"/var/www/html/2.php", "lineno":11 }
	
    3. 

	
  3. 
		{"seq":2, "type":1, "level":3, "func":"b", "st":1448387651119452, "params":"", "file":"/var/www/html/2.php", "lineno":9 }
	
    4. 

	
  4. 
		{"seq":3, "type":1, "level":4, "func":"c", "st":1448387651119453, "params":"", "file":"/var/www/html/2.php", "lineno":6 }
	
    5. 

	
  5. 
		{"seq":4, "type":2, "level":4, "func":"c, "st":1448387651119457, "return":"NULL", "wt":4, "ct":4, "mem":48, "pmem":144 }
	
    6. 

	
  6. 
		{"seq":5, "type":2, "level":3, "func":"b, "st":1448387651119459, "return":"NULL", "wt":7, "ct":6, "mem":48, "pmem":144 }
	
    7. 

	
  7. 
		{"seq":6, "type":2, "level":2, "func":"a, "st":1448387651119459, "return":"NULL", "wt":8, "ct":8, "mem":80, "pmem":176 }
	
    8. 

	
  8. 
		{"seq":7, "type":2, "level":1, "func":"{main}, "st":1448387651119460, "return":"1", "wt":15, "ct":14, "mem":112, "pmem":208 }
	
    9.

逻辑分析

1.解析监控进程

开一个后台进程一直刷新进程列表,如果出现没有tracer的进程就立即进行托管

2.json提取

通过对每一个文件的json进行提取,提取过程如下 
1.便利所有文件 
2.读读取文件 
3.提取json,按照seq排序 
4.提取type=2的与type=1的进行合并 
5.按照level梳理上下级关系存储同一个字典 
6.按照seq排序,取出头函数进行输出 
7.提取恶意函数往上提取level直到level=0 
函数对应如下 



    
	
	
  1. 
		list1={
	
    2. 

	
  2. 
		 level1:[seq,type,func,param,return]
	
    3. 

	
  3. 
		 level2:[seq,type,func,param,return]
	
    4. 

	
  4. 
		 level3:[seq,type,func,param,return] #eval 
	
    5. 

	
  5. 
		 level4:[seq,type,func,param,return]
	
    6. 

	
  6. 
		
	
    7. 

	
  7. 
		}
	
    8.

3.数据查看

通过追踪危险函数,然后将其函数执行之前的关系梳理出来进行输出,然后再进行人工审查。

放上demo 

Clipboard Image.png

使用XDEBUG

安装 



    
	
	
  1. 
		apt-get install php5-xdebug
	
    2.

修改php.ini 



    
	
	
  1. 
		[xdebug]
	
    2. 

	
  2. 
		zend_extension = "/usr/lib/php5/20131226/xdebug.so"
	
    3. 

	
  3. 
		xdebug.auto_trace = on
	
    4. 

	
  4. 
		xdebug.auto_profile = on
	
    5. 

	
  5. 
		xdebug.collect_params = on
	
    6. 

	
  6. 
		xdebug.collect_return = on
	
    7. 

	
  7. 
		xdebug.profiler_enable = on
	
    8. 

	
  8. 
		xdebug.trace_output_dir = "/tmp/ad/xdebug_log"
	
    9. 

	
  9. 
		xdebug.profiler_output_dir = "/tmp/ad/xdebug_log"
	
    10.

放上几个demo图片

Clipboard Image.png

优缺点

缺点

人为参与力度较大,无法进行脱离人工的操作进行独立执行。

优点

精准度高,对于面向对象和面向过程的代码都可以进行分析。

二、语法分析(静态分析)

案例: 
http://php-grinder.com/ 
http://rips-scanner.sourceforge.net/

使用php-parser

介绍: 



    
	
	
  1. 
		http://www.oschina.net/p/php-parser
	
    2. 

	
  2. 
		https://github.com/nikic/PHP-Parser/
	
    3.

安装 



    
	
	
  1. 
		git clone https://github.com/nikic/PHP-Parser.git & cd PHP-Parser
	
    2. 

	
  2. 
		curl -sS https://getcomposer.org/installer | php
	
    3.

PHP >= 5.3; for parsing PHP 5.2 to PHP 5.6 



    
	
	
  1. 
		php composer.phar require nikic/php-parser
	
    2.

PHP >= 5.4; for parsing PHP 5.2 to PHP 7.0 



    
	
	
  1. 
		php composer.phar require nikic/php-parser 2.0.x-dev
	
    2.

测试 



    
	
	
  1. 
		<?php
	
    2. 

	
  2. 
		include 'autoload.php';
	
    3. 

	
  3. 
		use PhpParser\Error;
	
    4. 

	
  4. 
		use PhpParser\ParserFactory;
	
    5. 

	
  5. 
		
	
    6. 

	
  6. 
		$code = '<?php  eval($_POST[c])?>';
	
    7. 

	
  7. 
		$parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);
	
    8. 

	
  8. 
		
	
    9. 

	
  9. 
		try {
	
    10. 

	
  10. 
		 $stmts = $parser->parse($code);
	
    11. 

	
  11. 
		 print_r($stmts);
	
    12. 

	
  12. 
		 // $stmts is an array of statement nodes
	
    13. 

	
  13. 
		} catch (Error $e) {
	
    14. 

	
  14. 
		 echo 'Parse Error: ', $e->getMessage();
	
    15. 

	
  15. 
		}
	
    16.

输出如下 



    
	
	
  1. 
		Array
	
    2. 

	
  2. 
		(
	
    3. 

	
  3. 
		 [0] => PhpParser\Node\Expr\Eval_ Object
	
    4. 

	
  4. 
		 (
	
    5. 

	
  5. 
		 [expr] => PhpParser\Node\Expr\ArrayDimFetch Object
	
    6. 

	
  6. 
		 (
	
    7. 

	
  7. 
		 [var] => PhpParser\Node\Expr\Variable Object
	
    8. 

	
  8. 
		 (
	
    9. 

	
  9. 
		 [name] => _POST
	
    10. 

	
  10. 
		 [attributes:protected] => Array
	
    11. 

	
  11. 
		 (
	
    12. 

	
  12. 
		 [startLine] => 1
	
    13. 

	
  13. 
		 [endLine] => 1
	
    14. 

	
  14. 
		 )
	
    15. 

	
  15. 
		
	
    16. 

	
  16. 
		 )
	
    17. 

	
  17. 
		
	
    18. 

	
  18. 
		 [dim] => PhpParser\Node\Expr\ConstFetch Object
	
    19. 

	
  19. 
		 (
	
    20. 

	
  20. 
		 [name] => PhpParser\Node\Name Object
	
    21. 

	
  21. 
		 (
	
    22. 

	
  22. 
		 [parts] => Array
	
    23. 

	
  23. 
		 (
	
    24. 

	
  24. 
		 [0] => c
	
    25. 

	
  25. 
		 )
	
    26. 

	
  26. 
		
	
    27. 

	
  27. 
		 [attributes:protected] => Array
	
    28. 

	
  28. 
		 (
	
    29. 

	
  29. 
		 [startLine] => 1
	
    30. 

	
  30. 
		 [endLine] => 1
	
    31. 

	
  31. 
		 )
	
    32. 

	
  32. 
		
	
    33. 

	
  33. 
		 )
	
    34. 

	
  34. 
		
	
    35. 

	
  35. 
		 [attributes:protected] => Array
	
    36. 

	
  36. 
		 (
	
    37. 

	
  37. 
		 [startLine] => 1
	
    38. 

	
  38. 
		 [endLine] => 1
	
    39. 

	
  39. 
		 )
	
    40. 

	
  40. 
		
	
    41. 

	
  41. 
		 )
	
    42. 

	
  42. 
		
	
    43. 

	
  43. 
		 [attributes:protected] => Array
	
    44. 

	
  44. 
		 (
	
    45. 

	
  45. 
		 [startLine] => 1
	
    46. 

	
  46. 
		 [endLine] => 1
	
    47. 

	
  47. 
		 )
	
    48. 

	
  48. 
		
	
    49. 

	
  49. 
		 )
	
    50. 

	
  50. 
		
	
    51. 

	
  51. 
		 [attributes:protected] => Array
	
    52. 

	
  52. 
		 (
	
    53. 

	
  53. 
		 [startLine] => 1
	
    54. 

	
  54. 
		 [endLine] => 1
	
    55. 

	
  55. 
		 )
	
    56. 

	
  56. 
		
	
    57. 

	
  57. 
		 )
	
    58. 

	
  58. 
		
	
    59. 

	
  59. 
		)
	
    60.

由此可见,我们需要提取出 



    
	
	
  1. 
		[0] => PhpParser\Node\Expr\Eval_ Object
	
    2. 

	
  2. 
		[name] => _POST
	
    3. 

	
  3. 
		[parts] => Array
	
    4. 

	
  4. 
		 (
	
    5. 

	
  5. 
		 [0] => c
	
    6. 

	
  6. 
		 )
	
    7.

然后进行拼接之后即可发现原始语句是: 



    
	
	
  1. 
		eval($_POST[c])
	
    2.

逻辑分析

代码解析

1.通过该库进行语法分析 
2.提取结果 
3.提取危险函数 
4.提取危险函数中存在的变量 
5.从上文中提取此变量的赋值方式 
6.分析出可控结果 
7.输出结果

优缺点

缺点

对于面向对象的程序进行分析比较弱。

优点

适合大批量的自动化分析,可以脱离人工操作进行独立执行


作者: ConD0r