Calling functions without their names in PHP
Strings. Ah, juicy and precious strings! It is common for malware scanners and IDPS to look for suspicious strings in network traffic and files… but what if there are no strings to look for? (whaaa?)
Today I was wondering about a feature found in many interpreted languages: listing their internal functions in some sort of list/array. This way we can enumerate the [index] => function_name relationship, replace all function_names in the code with their index and voilà!
You might ask: “But you can just put those indexes on the rulesets.” I answer: “Yes, that’s true”. But different server/PHP configurations might generate different indexes. Besides, numbers are much more fun to obfuscate than strings.
PHP, because it’s widely used in the wild
I didn’t remember whether PHP had this or not, but I was pretty confident, given its nature. Turns out that get_defined_functions is there as expected. With the aid of call_user_func_array it enables calling functions without writing down their names in any encoded form (but it requires that you enumerate them beforehand).
The Code
This snippet has fewer than 10 lines (and it’s optimized for readability) and is our indirect caller function.
Then you can call your functions like this:
The output
Just for illustration:
We can even make it a little more compact
But Jan, there are still three other internal function names exposed in your code. (func_get_args, call_user_func_array and array_shift)
Heck, you’re right. Let’s make this better.
or even…
MOAR compact!
A simple silly backdoor
How could the numbers be obfuscated to bypass simple rules?
Well, with very simple math:
- XOR/AND/OR all entries: $index^$key, $index&$key, $index|$key
- SUM/SUB/DIV/MUL all entries: $index+$key,$index-$key, $index/$key, $index*$key
And so on.
So, what to do to prevent/catch those things?
Keep an eye out for get_defined_functions.
Cya!