├── LICENSE
├── README.md
├── config.m4
├── evalhook.c
└── tests
    ├── detect-evasion.phpt
    ├── evalhook.phpt
    └── evalhook_test_functions.inc


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2020 extremecoders-re
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # php-eval-hook
  2 | 
  3 | A PHP extension for hooking `eval()`. Useful for dumping eval-obfuscated code. The extension is expected to work with PHP 7.x in general. May work with PHP 5.x but is untested.
  4 | 
  5 | ## Compiling steps
  6 | 
  7 | A precompiled extension can be downloaded from [releases](https://github.com/extremecoders-re/php-eval-hook/releases). It has been compiled against PHP 7.2.24 available on Ubuntu 18.04 repos. The precompiled extension is not guaranteed to work on your system. Hence it's always recommended to compile from source as shown below.
  8 | 
  9 | 1. Install php and php-dev packages. Here we are using the packages available on the official Ubuntu 18.04 repos.
 10 | 
 11 |     ```
 12 |     $ sudo apt install php7.2 php7.2-dev
 13 |     ```
 14 | 
 15 | 2. Clone the repository
 16 | 
 17 |     ```
 18 |     $ git clone https://github.com/extremecoders-re/php-eval-hook
 19 |     ```
 20 | 
 21 | 3. Run `phpize`. This will generate the `Makefile` and other files needed for buidling the extension.
 22 | 
 23 |     ```
 24 |     $ cd php-eval-hook
 25 |     $ phpize
 26 |     ```
 27 | 
 28 | 4. Build the extension. `make install` copies the `.so` to the appropriate location.
 29 | 
 30 |     ```
 31 |     $ ./configure --enable-evalhook
 32 | 
 33 |     $ make
 34 | 
 35 |     $ make install
 36 |     Installing shared extensions:     /usr/lib/php/20170718/
 37 |     ```
 38 | 
 39 | ## Registering the extension with PHP
 40 | 
 41 | 1. Find the location  of *php.ini*.
 42 | 
 43 |     ```
 44 |     $ php -r 'phpinfo();' | grep php.ini
 45 |     Configuration File (php.ini) Path => /etc/php/7.2/cli
 46 |     Loaded Configuration File => /etc/php/7.2/cli/php.ini
 47 |     ```
 48 | 
 49 | 2. Edit *php.ini* and add the line `extension=evalhook.so` at the end.
 50 |     ```
 51 |     $ echo "extension=evalhook.so" >> /etc/php/7.2/cli/php.ini
 52 |     ```
 53 | 
 54 | 3. Ensure that the extension is properly loaded.
 55 |     ```
 56 |     $ php -r 'print_r(get_loaded_extensions());' | grep evalhook
 57 |         [14] => evalhook
 58 |     ```
 59 | 
 60 |     ```
 61 |     $ php -r 'phpinfo();' | grep eval
 62 |     evalhook
 63 |     eval() hooking => enabled
 64 |     callback function => __eval
 65 |     ```
 66 | 
 67 | ## Usage
 68 | 
 69 | You must define a callback function named `__eval` in your PHP code. The extension will call this function whenever it encounters an `eval`. Inside your callback you can print the code to stdout or dump to a file or whatever you want.
 70 | 
 71 | ### Example
 72 | 
 73 | **Original Code**
 74 | ```php
 75 | <?php
 76 | function test_obfuscated()
 77 | {
 78 | 	echo("This is an obfuscated function\n");
 79 | }
 80 | 
 81 | test_obfuscated();
 82 | ?>
 83 | ```
 84 | **obfuscated.php** [Generated from [Simple online PHP obfuscator](https://www.mobilefish.com/services/php_obfuscator/php_obfuscator.php)]
 85 | ```
 86 | <?php
 87 | eval(str_rot13(gzinflate(str_rot13(base64_decode('LUnHEqxVDvyaiWx7w9PEnvDeey4ba++hMV8/1bvLTkQSqgyVUXOxtdPz5xi/6f5Z9fZ0nqqNwP6zYVi2YX/KqXjK5//O36quwWnFbI6jsDfENXDEcqf+6qgkvpSe6W/+F2/WCTAwpAJY2asyRin6IjInIjN8yxKcRcg8+ooz2q07z0f5F+KqPi4Tp4qYbdKKWQg2mtIN5fVe1GIksHhs9442hlHZkKl/gdd4sqSr76LZfqIezT0pD4Kk0O8GAxZGdj4zJfqzFo7LCFpPE+qmGg1weGq9C/u2dxjhbTQJ27MEyMcjsiDiFl+SBSc1GqY9cwZIXd/fOcyH3HVLvQg0wab0aD0IV6aH1fCuRRMOpI3yR67lB22kR3YwnSL9VyAyH1M3FU8UHX1SSJ0jrk0knA1AvrwKbx5m0F1Slc734/MQmSSvaI74Ms1iBkbe28ZRSSUIi2q9VWOX7TCFOAQJH9JG7sPHL5Exr1h8AoVmLorKcq2hdqOWYjw9YmIBcp8nGkcOD0RRaemYNK1UGS2BNmhxjwSIjYq6zy74LF5LOoKk7z6UuXwhrDUdjIjhCIBj6wKiUfFauCN8cfV7paJDhE4uNWnAU9jAi56eZg9vbnp2pdGv8TAZibkk8tOChg8BQnibT9XTMF+Ji14oHKFSw4cC9KAByV38s709S15IfTTY7y/HfP1CrMql3OzQ6laMAeeDkaF8oJXzVDC2r+OxT+sscZLqAOZOMtZKOrMDeIA1GrmYXEeK2xw9rz2eD6lS4Z+tHumo+ohnNyIRSks4ezS5DSuxBPZHJijcrVp8VyMF5+QYA65+RZlgXC/MpCaxrpC09egnLU1ZPzvoI+b2nRrVAFhza2tKr5flLUnrJpVLxrwFdCbHCZCHl+FNmY/7WHnGQAYRqzOGWmEjDpJfiNLiQX6ZuO/fFYv1G5s7zmhDFEp+XRk83OSa20Xp7fHgcsuIxEr0Cr/nBifjtxVjVmWp7J7uz7fbBCtAbrHVxd/Y9KiJ6+v7+2vVvakJBLqwPFC7j8UaHAqiVo7g9epTjuIY+YjEe33mpu6q3o5WEoFe/ZhLjOPg81glFe/d034V8MR8J4IeiYxJacnfnrEomrU6JZnnIS3gRSwxLPLGaruclu4pE2nOC9Giva+gke20Gcj3CnWAUh60Fo9hl5zUmV+To1lNkXIlySsiqbBFum2kQByYbdgY+qkNMIyY5JYrf0ea5qYI0NVolSqyNn87zGoN0KQSfpTHhcsTLOyTMqr1BHMFmauv45lzkItrNsF+EmhFYW3IQau98k02sNJSui6qH+dxCBErcIfNd1V+C5VZdM8nXpM4Nz3Ks7LcYUbCFKkbycFKglJCC81V+x6WOvUZuzB5T0a4d4EqtEMTEx8sruaatdQ196pNUMyop5O/IXBcYcSKxV3tMNQnmvjdRb15czcwPc4s0GzRGt6z4t7UHRLZwVbvJ4dNG34aEmWkwTWrcHAxVdea5mvcjx+niB1zGlXE2VWgnxjWm+/QQ5sPcdg1jFDaJ3Wj5/IaBJVwB3Yg7wYl1sq0+THRVjt9q2JNb/FDgfxHUqRlAzQtKIujxS0jYjQEd904bodSTSWyxYMo3EAQ+Ze4Wwu2+5Mf9JUjlY8NxFE8aDhbEyRBmYGlsCjDKcsYQugDsCsZ1A9fmRXLDM4P2zHXwZFalMtKiF5gCozxW+AeOYHioLUpeCEQ1RJbpEZcFfkmysYXsoK+Pj/GV/Jyry0ulQGBHFOG80lAnwVDefMgyh0SeHBxgw42p71dBGOX8ffXxZzVYKdafLfKnkc6NNK1HMUq91mujX6Ml6sufPDXnwmfr8h6CjT18PXGXnGhfdv49knuEmPjN3JuXEedbUmNBs7XzzTy6+bbd4p5rAQ1IORCirZTTkZLC1DT5+FoAqGyKJv8J378EQMbMFG+FWzEag0F3DUw7N5q+8/0JZ1ZIn5tU5BhXCx1o29Xg4fP2GyDenLPQZvrvv5hTf/l7842N+I+xVOyU6a+jPvlf+gNC/e1mOHw74IzDRSGHV/AJ+LG8CArb9pzQW6a6r7PzzeVpzz7zE8WpdEMYeNxAU/ic4b0GX7cTaefJvr+ZNkNrehaP2c4N8BD4h+HqMrkbLAO7gxqUXW+W/xKit1asleqKmJ0z/VelCznA4OoLa714sheo5QyvurFRrFP0/uI9Zt4X7ewWPlxIRCfG02k0AwDWEgGG5YS22dgupM3nyT8hLgoefpW3TccASg5oQbQsq2qr/DpCE9N9t+fBxHr24qK+NWSqaFgjF/NWngIws2uVZYE0r2hU8tgUyi9+HJuOdPLKjI6eUo/MTcPZ8a3vrkGr5CFqRr1UZxVhj2d9mitp1c2zf4jKIkR6Pq/E2rLX6j997/A8+9/AA==')))));
 88 | ?>
 89 | ```
 90 | 
 91 | **harness.php**
 92 | ```php
 93 | <?php
 94 | function __eval($code, $file) {
 95 |   echo "eval() @ {$file}:\n{$code}\n\n";
 96 | 
 97 |   // return FALSE if you want to prevent the eval()
 98 |   // return false;
 99 | 
100 |   // return a string if you want to replace the eval-d code
101 |   // return 'echo 2;';
102 | 
103 |   // return nothing to continue execution normally
104 | }
105 | 
106 | include("obfuscated.php");
107 | ?>
108 | ```
109 | 
110 | ```
111 | $ php obfuscated.php
112 | This is an obfuscated function
113 | ```
114 | 
115 | ```
116 | $ php harness.php | tail
117 | 
118 | eval() @ /workspace/php7/obfuscated.php(2) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'
119 | d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : ev
120 | al()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code:
121 | function test_obfuscated()
122 | {
123 |         echo("This is an obfuscated function\n");
124 | }
125 | 
126 | test_obfuscated();
127 | 
128 | This is an obfuscated function
129 | ```
130 | 
131 | ## Credits
132 | 
133 | The extension is based on [php-eval](https://github.com/mfmans/php-eval).
134 | 
135 | ## License
136 | 
137 | MIT
138 | 


--------------------------------------------------------------------------------
/config.m4:
--------------------------------------------------------------------------------
1 | PHP_ARG_ENABLE(evalhook, whether to enable evalhook support,
2 | [ --enable-evalhook   Enable PHP eval hook support])
3 | if test "$PHP_EVALHOOK" = "yes"; then
4 |   AC_DEFINE(HAVE_EVALHOOK, 1, [Whether you have PHP EVALHOOK])
5 |   PHP_NEW_EXTENSION(evalhook, evalhook.c, $ext_shared)
6 | fi


--------------------------------------------------------------------------------
/evalhook.c:
--------------------------------------------------------------------------------
  1 | /* $Id$ */
  2 | 
  3 | #include "php.h"
  4 | #include "ext/standard/info.h"
  5 | 
  6 | 
  7 | #define EVAL_CALLBACK_FUNCTION  "__eval"
  8 | 
  9 | static const char module_name[] = "evalhook";
 10 | 
 11 | static zend_op_array* (*old_compile_string)(zend_string *, const char *, zend_compile_position);
 12 | 
 13 | 
 14 | static zend_op_array* evalhook_compile_string(
 15 | 		zend_string *source_string,
 16 | 		const char *filename,
 17 | 		zend_compile_position pos)
 18 | {
 19 | 	zend_op_array *op_array = NULL;
 20 | 	int op_compiled = 0;
 21 | 
 22 | 	if(strstr(filename, "eval()'d code")) {
 23 | 		if(zend_hash_str_exists(CG(function_table), EVAL_CALLBACK_FUNCTION, strlen(EVAL_CALLBACK_FUNCTION))) {
 24 | 			zval function;
 25 | 			zval retval;
 26 | 			zval parameter[2];
 27 | 
 28 | 			ZVAL_STR(&parameter[0], source_string);
 29 | 			ZVAL_STRING(&function, EVAL_CALLBACK_FUNCTION);
 30 | 			ZVAL_STRING(&parameter[1], filename);
 31 | 
 32 | 			if(call_user_function(CG(function_table), NULL, &function, &retval, 2, parameter) == SUCCESS) {
 33 | 				switch(Z_TYPE(retval)) {
 34 | 					case IS_STRING:
 35 | 						op_array = old_compile_string(Z_STR(retval), filename, pos);
 36 | 					case IS_FALSE:
 37 | 						op_compiled = 1;
 38 | 						break;
 39 | 				}
 40 | 			}
 41 | 
 42 | 			zval_dtor(&function);
 43 | 			zval_dtor(&retval);
 44 | 			zval_dtor(&parameter[1]);
 45 | 		}
 46 | 	}
 47 | 
 48 | 	if(op_compiled) {
 49 | 		return op_array;
 50 | 	} else {
 51 | 		return old_compile_string(source_string, filename, pos);
 52 | 	}
 53 | }
 54 | 
 55 | /* Evasion protection
 56 |  * ==================
 57 |  *
 58 |  * Some code try to evade analysis by checking if the evalhook extension is
 59 |  * loaded before calling eval(). So we override the extension_loaded function
 60 |  * so it will return false if the module name is the same as our module name.
 61 |  */
 62 | zif_handler original_handler_extension_loaded;
 63 | 
 64 | ZEND_NAMED_FUNCTION(evalhook_extension_loaded)
 65 | {
 66 | 	zend_string * module;
 67 | 
 68 | 	ZEND_PARSE_PARAMETERS_START(1, 1)
 69 | 		Z_PARAM_STR(module)
 70 | 	ZEND_PARSE_PARAMETERS_END();
 71 | 
 72 | 	if (zend_string_equals_cstr(module, module_name, sizeof module_name) == 0) {
 73 | 		RETURN_FALSE;
 74 | 	}
 75 | 
 76 | 	// Pass control on to the original handler
 77 | 	original_handler_extension_loaded(INTERNAL_FUNCTION_PARAM_PASSTHRU);
 78 | }
 79 | 
 80 | PHP_MINIT_FUNCTION(evalhook)
 81 | {
 82 | 	// If the ZEND_TSRMLS_CACHE_UPDATE() is in RINIT, move it
 83 | 	// to MINIT to ensure access to the compiler globals
 84 | #if defined(COMPILE_DL_MY_EXTENSION) && defined(ZTS)
 85 | 	ZEND_TSRMLS_CACHE_UPDATE();
 86 | #endif
 87 | 
 88 | 	zend_function * original =
 89 | 		zend_hash_str_find_ptr(CG(function_table), "extension_loaded", sizeof "extension_loaded" - 1);
 90 | 
 91 | 	if (original) {
 92 | 		original_handler_extension_loaded = original->internal_function.handler;
 93 | 		original->internal_function.handler = evalhook_extension_loaded;
 94 | 	}
 95 | 
 96 | 	return SUCCESS;
 97 | }
 98 | 
 99 | PHP_MSHUTDOWN_FUNCTION(evalhook)
100 | {
101 | 	return SUCCESS;
102 | }
103 | 
104 | PHP_RINIT_FUNCTION(evalhook)
105 | {
106 | 	old_compile_string = zend_compile_string;
107 | 	zend_compile_string = evalhook_compile_string;
108 | 
109 | 	return SUCCESS;
110 | }
111 | 
112 | PHP_RSHUTDOWN_FUNCTION(evalhook)
113 | {
114 | 	zend_compile_string = old_compile_string;
115 | 	return SUCCESS;
116 | }
117 | 
118 | PHP_MINFO_FUNCTION(evalhook)
119 | {
120 | 	php_info_print_table_start();
121 | 	php_info_print_table_row(2, "eval() hooking", "enabled");
122 | 	php_info_print_table_row(2, "callback function", EVAL_CALLBACK_FUNCTION);
123 | 	php_info_print_table_end();
124 | }
125 | 
126 | 
127 | zend_function_entry evalhook_functions[] = {
128 | 	ZEND_FE_END
129 | };
130 | 
131 | zend_module_entry evalhook_module_entry = {
132 | 	STANDARD_MODULE_HEADER,
133 | 	module_name,
134 | 	evalhook_functions,
135 | 	PHP_MINIT(evalhook),
136 | 	PHP_MSHUTDOWN(evalhook),
137 | 	PHP_RINIT(evalhook),
138 | 	PHP_RSHUTDOWN(evalhook),
139 | 	PHP_MINFO(evalhook),
140 | 	"0.0.1-dev",
141 | 	STANDARD_MODULE_PROPERTIES
142 | };
143 | 
144 | ZEND_GET_MODULE(evalhook)
145 | 
146 | 


--------------------------------------------------------------------------------
/tests/detect-evasion.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | evalhook: detect evasion
 3 | --EXTENSIONS--
 4 | evalhook
 5 | --FILE--
 6 | <?php
 7 | require __DIR__ . '/evalhook_test_functions.inc';
 8 | 
 9 | if (extension_loaded('evalhook')
10 |   || extension_loaded('Evalhook')
11 |   || extension_loaded('EvalHook')
12 |   || extension_loaded('EVALHOOK')
13 |   || extension_loaded('eval_hook')
14 |   || extension_loaded('Eval_hook')
15 |   || extension_loaded('Eval_Hook')
16 |   || extension_loaded('EVAL_HOOK'))
17 | {
18 |   echo "evalhook extension detected! Exiting." . PHP_EOL;
19 |   exit;
20 | }
21 | 
22 | eval("echo 'Hello there!';");
23 | ?>
24 | --EXPECT--
25 | ===== Dump of eval'd code =====
26 | echo 'Hello there!';
27 | ===== End of dumped code =====
28 | Hello there!
29 | 


--------------------------------------------------------------------------------
/tests/evalhook.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | evalhook: simple eval
 3 | --EXTENSIONS--
 4 | evalhook
 5 | --FILE--
 6 | <?php
 7 | require __DIR__ . '/evalhook_test_functions.inc';
 8 | 
 9 | eval("echo 'Hello there!';");
10 | ?>
11 | --EXPECT--
12 | ===== Dump of eval'd code =====
13 | echo 'Hello there!';
14 | ===== End of dumped code =====
15 | Hello there!
16 | 


--------------------------------------------------------------------------------
/tests/evalhook_test_functions.inc:
--------------------------------------------------------------------------------
1 | <?php
2 | function __eval(string $code) {
3 | 	echo PHP_EOL . "===== Dump of eval'd code =====" . PHP_EOL;
4 | 	echo $code;
5 | 	echo PHP_EOL . "===== End of dumped code =====" . PHP_EOL;
6 | }
7 | 


--------------------------------------------------------------------------------