Calling functions without their names in PHP

Strings. Ah juicy and precious strings! It is common for malware scanners and IDPS to look for suspicious strings in network traffic and files… but what if there are no strings to look for? (whaaa?)

Today I was wondering about some features found in many interpreted languages of listing its internal functions in some sort of list/array. This way we can enumerate the [index] => function_name relationship, replace all function_names on the code to their index and voilá!

You might ask: “But you can just put those indexes on the rulesets.” I answer: “Yes, that’s true”. But different server/PHP configurations might generate the different indexes. Besides, numbers are much more fun to obfuscate than strings.

PHP, because it’s widely used on the wild

I wasn’t remembering if PHP had this or not but I was pretty confident due to its nature. Turns out that get_defined_functions is there as expected. With the aid of call_user_func_array it enabled the calling of functions without writing down their names in any encoded form (but it is required that you enumerate them beforehand).

The Code

This snippet has fewer than 10 lines (and it’s optimized for readability) and is our indirect caller function.

Then you can call your functions like this:

The output

Just for illustration:

We can even make it a little more compact

But Jan, there are still tree other internal function names exposed in your code. (func_get_args, call_user_func_array and array_shift)

Heck, you’re right. Let’s make this better.

or even…

MOAR compact!

A simple silly backdoor

How the numbers could be obfuscated to bypass simple rules?

Well, with the very simple math stuff:

  • XOR/AND/OR all entries: $index^$key, $index&$key, $index|$key
  • SUM/SUB/DIV/MUL all entries: $index+$key,$index-$key, $index/$key, $index*$key

And so on.

So, what to do to prevent/catch those things?

Keep an eye for get_defined_functions.

Cya!

Leave a Reply

Your email address will not be published. Required fields are marked *