Tuesday, September 11, 2012

Bypass PHP ShellDetector: Poorman Style

One thing I hate the most is people finding our backdoor. From xanda's blog I found out there is a project called PHP Shell Detector (phpshelldetect) that detects malicious PHP code.

Xanda also wrote a good tutorial on how to bypass it, on xanda's site.

Since it is signature based, as long as we can craft a variant that evades the signature (and there are 101 ways to do that), the detector will be bypassed.

Signature-based detection is crude and inefficient, but it is fast enough to weed out 99% of the netizen population.

So how hard is it to bypass the detector? Not that hard at all, and no obfuscation is required.

And it works like a charm...

Lalala

3 comments:

Kuehtiow said...

An even simpler example... that passes the regex at https://github.com/emposha/PHP-Shell-Detector/commit/04e16b8541395e0d3e92fd99dee25b5d86e044f7

xanda said...

PHP 5 allows a function to be assigned to a variable. "Obfuscation" can be used during the assignment phase and you are good to go with the new variable. A tokenizer is a good option to be used in a PHP detection tool, and a good tokenizer can be seen in the RIPS project http://sourceforge.net/projects/rips-scanner/

Kuehtiow said...

Haha.. the code above got filtered. Here's the code:

<?php
// Build the function name at runtime so no literal "system(" appears in the source
$abc = 'sys'.'tem';
echo $abc('dir');    // variable function call: equivalent to system('dir')
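The post's point (a signature regex is defeated by building the function name at runtime) and xanda's suggestion above (use a tokenizer instead) can be seen side by side in the following example. It is an added example, not code from the original post, from the commenters, or from PHP-Shell-Detector: the signature regex and the list of dangerous function names are assumptions in the spirit of a regex-based detector, not the project's actual patterns, and the sample snippets are constructed. It goes slightly beyond the concatenation trick by also including a name built with strrev(), which the token-based check still catches because it looks at the call site rather than at how the name was assembled.

```php
<?php
// Added example, not code from the original post or from PHP-Shell-Detector.
// Runs two detection strategies over constructed PHP snippets:
//   1. a signature regex in the spirit of a regex-based detector (assumed
//      pattern; the project's real pattern list is not reproduced here), and
//   2. a token-based check built on PHP's own tokenizer, token_get_all().

// Constructed samples: a plain backdoor, two "poorman" variants that build
// the function name at runtime, and a benign file.
$samples = [
    'plain'  => '<?php system($_GET["c"]);',
    'concat' => '<?php $abc = "sys" . "tem"; echo $abc($_GET["c"]);',
    'strrev' => '<?php $f = strrev("metsys"); $f($_GET["c"]);',
    'benign' => '<?php $greeting = "hello"; echo $greeting;',
];

// Assumed list; a real detector keeps a much longer one.
const DANGEROUS = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open'];

// 1. Signature check: a literal dangerous name directly followed by "(".
function signature_hit(string $src): bool
{
    $pattern = '/\b(' . implode('|', DANGEROUS) . ')\s*\(/i';
    return preg_match($pattern, $src) === 1;
}

// Index of the next token after $i that is not whitespace, or null at end.
function next_sig(array $tokens, int $i): ?int
{
    for ($j = $i + 1; $j < count($tokens); $j++) {
        if (!(is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE)) {
            return $j;
        }
    }
    return null;
}

// 2. Tokenizer check. Flags: a direct call to a dangerous name; any variable
// function call "$x(" regardless of how $x was built; and adjacent string
// literals joined by "." that fold to a dangerous name ('sys'.'tem').
function token_hits(string $src): array
{
    $hits = [];
    $tokens = token_get_all($src);
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) {
            continue;                       // single-character tokens: "(", ";", "."
        }
        [$id, $text, $line] = $t;
        $next = next_sig($tokens, $i);
        $callFollows = $next !== null && $tokens[$next] === '(';

        if ($id === T_STRING && $callFollows && in_array(strtolower($text), DANGEROUS, true)) {
            $hits[] = "direct call to $text on line $line";
        }
        if ($id === T_VARIABLE && $callFollows) {
            $hits[] = "variable function call $text() on line $line";
        }
        if ($id === T_CONSTANT_ENCAPSED_STRING) {
            // Constant-fold a chain of literal . literal . literal
            $folded = trim($text, '\'"');
            $j = $next;
            while ($j !== null && $tokens[$j] === '.') {
                $k = next_sig($tokens, $j);
                if ($k === null || !is_array($tokens[$k]) || $tokens[$k][0] !== T_CONSTANT_ENCAPSED_STRING) {
                    break;
                }
                $folded .= trim($tokens[$k][1], '\'"');
                $j = next_sig($tokens, $k);
            }
            if (in_array(strtolower($folded), DANGEROUS, true)) {
                $hits[] = "string literals fold to '$folded' on line $line";
            }
        }
    }
    return $hits;
}

foreach ($samples as $name => $src) {
    $hits = token_hits($src);
    printf("%-7s signature=%-4s tokenizer=%s\n", $name,
        signature_hit($src) ? 'HIT' : 'miss',
        $hits ? implode('; ', $hits) : 'miss');
}
```

Running it shows the asymmetry the post is about: only the plain sample trips the signature regex, while the tokenizer flags all three malicious samples and leaves the benign one alone. The literal-folding branch only covers literal-to-literal concatenation; it is the "$x(" heuristic that catches a name built with strrev(), base64_decode() or anything else, and that heuristic is exactly where a token-based tool pays in false positives on legitimate callback code.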