
Commit b2575c2

author
Corb3nik
committed
Adds first version of OPcache disassembler, parser and malware detector
1 parent a90132e commit b2575c2

5 files changed

+921
-0
lines changed

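--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+*.pyc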

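--- a/definitions.py
+++ b/definitions.py
@@ -0,0 +1,210 @@
+#!/usr/bin/env python
+
+OPCODES = {
+0 : "NOP",
+1 : "ADD",
+2 : "SUB",
+3 : "MUL",
+4 : "DIV",
+5 : "MOD",
+6 : "SL",
+7 : "SR",
+8 : "CONCAT",
+9 : "BW_OR",
+10 : "BW_AND",
+11 : "BW_XOR",
+12 : "BW_NOT",
+13 : "BOOL_NOT",
+14 : "BOOL_XOR",
+15 : "IS_IDENTICAL",
+16 : "IS_NOT_IDENTICAL",
+17 : "IS_EQUAL",
+18 : "IS_NOT_EQUAL",
+19 : "IS_SMALLER",
+20 : "IS_SMALLER_OR_EQUAL",
+21 : "CAST",
+22 : "QM_ASSIGN",
+23 : "ASSIGN_ADD",
+24 : "ASSIGN_SUB",
+25 : "ASSIGN_MUL",
+26 : "ASSIGN_DIV",
+27 : "ASSIGN_MOD",
+28 : "ASSIGN_SL",
+29 : "ASSIGN_SR",
+30 : "ASSIGN_CONCAT",
+31 : "ASSIGN_BW_OR",
+32 : "ASSIGN_BW_AND",
+33 : "ASSIGN_BW_XOR",
+34 : "PRE_INC",
+35 : "PRE_DEC",
+36 : "POST_INC",
+37 : "POST_DEC",
+38 : "ASSIGN",
+39 : "ASSIGN_REF",
+40 : "ECHO",
+41 : "PRINT",
+42 : "JMP",
+43 : "JMPZ",
+44 : "JMPNZ",
+45 : "JMPZNZ",
+46 : "JMPZ_EX",
+47 : "JMPNZ_EX",
+48 : "CASE",
+49 : "SWITCH_FREE",
+50 : "BRK",
+51 : "CONT",
+52 : "BOOL",
+53 : "INIT_STRING",
+54 : "ADD_CHAR",
+55 : "ADD_STRING",
+56 : "ADD_VAR",
+57 : "BEGIN_SILENCE",
+58 : "END_SILENCE",
+59 : "INIT_FCALL_BY_NAME",
+60 : "DO_FCALL",
+61 : "DO_FCALL_BY_NAME",
+62 : "RETURN",
+63 : "RECV",
+64 : "RECV_INIT",
+65 : "SEND_VAL",
+66 : "SEND_VAR",
+67 : "SEND_REF",
+68 : "NEW",
+69 : "INIT_NS_FCALL_BY_NAME",
+70 : "FREE",
+71 : "INIT_ARRAY",
+72 : "ADD_ARRAY_ELEMENT",
+73 : "INCLUDE_OR_EVAL",
+74 : "UNSET_VAR",
+75 : "UNSET_DIM",
+76 : "UNSET_OBJ",
+77 : "FE_RESET",
+78 : "FE_FETCH",
+79 : "EXIT",
+80 : "FETCH_R",
+81 : "FETCH_DIM_R",
+82 : "FETCH_OBJ_R",
+83 : "FETCH_W",
+84 : "FETCH_DIM_W",
+85 : "FETCH_OBJ_W",
+86 : "FETCH_RW",
+87 : "FETCH_DIM_RW",
+88 : "FETCH_OBJ_RW",
+89 : "FETCH_IS",
+90 : "FETCH_DIM_IS",
+91 : "FETCH_OBJ_IS",
+92 : "FETCH_FUNC_ARG",
+93 : "FETCH_DIM_FUNC_ARG",
+94 : "FETCH_OBJ_FUNC_ARG",
+95 : "FETCH_UNSET",
+96 : "FETCH_DIM_UNSET",
+97 : "FETCH_OBJ_UNSET",
+98 : "FETCH_DIM_TMP_VAR",
+99 : "FETCH_CONSTANT",
+100 : "GOTO",
+101 : "EXT_STMT",
+102 : "EXT_FCALL_BEGIN",
+103 : "EXT_FCALL_END",
+104 : "EXT_NOP",
+105 : "TICKS",
+106 : "SEND_VAR_NO_REF",
+107 : "CATCH",
+108 : "THROW",
+109 : "FETCH_CLASS",
+110 : "CLONE",
+111 : "RETURN_BY_REF",
+112 : "INIT_METHOD_CALL",
+113 : "INIT_STATIC_METHOD_CALL",
+114 : "ISSET_ISEMPTY_VAR",
+115 : "ISSET_ISEMPTY_DIM_OBJ",
+116 : "(116)?",
+117 : "(117)?",
+118 : "(118)?",
+119 : "(119)?",
+120 : "(120)?",
+121 : "(121)?",
+122 : "(122)?",
+123 : "(123)?",
+124 : "(124)?",
+125 : "(125)?",
+126 : "(126)?",
+127 : "(127)?",
+128 : "(128)?",
+129 : "(129)?",
+130 : "(130)?",
+131 : "(131)?",
+132 : "PRE_INC_OBJ",
+133 : "PRE_DEC_OBJ",
+134 : "POST_INC_OBJ",
+135 : "POST_DEC_OBJ",
+136 : "ASSIGN_OBJ",
+137 : "(137)?",
+138 : "INSTANCEOF",
+139 : "DECLARE_CLASS",
+140 : "DECLARE_INHERITED_CLASS",
+141 : "DECLARE_FUNCTION",
+142 : "RAISE_ABSTRACT_ERROR",
+143 : "DECLARE_CONST",
+144 : "ADD_INTERFACE",
+145 : "DECLARE_INHERITED_CLASS_DELAYED",
+146 : "VERIFY_ABSTRACT_CLASS",
+147 : "ASSIGN_DIM",
+148 : "ISSET_ISEMPTY_PROP_OBJ",
+149 : "HANDLE_EXCEPTION",
+150 : "USER_OPCODE",
+152 : "ZEND_JMP_SET",
+153 : "ZEND_DECLARE_LAMBDA_FUNCTION",
+154 : "ZEND_ADD_TRAIT",
+155 : "ZEND_BIND_TRAITS",
+156 : "ZEND_SEPARATE",
+157 : "ZEND_FETCH_CLASS_NAME",
+158 : "ZEND_CALL_TRAMPOLINE",
+159 : "ZEND_DISCARD_EXCEPTION",
+160 : "ZEND_YIELD",
+161 : "ZEND_GENERATOR_RETURN",
+162 : "ZEND_FAST_CALL",
+163 : "ZEND_FAST_RET",
+164 : "ZEND_RECV_VARIADIC",
+165 : "ZEND_SEND_UNPACK",
+166 : "ZEND_POW",
+167 : "ZEND_ASSIGN_POW",
+168 : "ZEND_BIND_GLOBAL",
+169 : "ZEND_COALESCE",
+170 : "ZEND_SPACESHIP",
+171 : "ZEND_DECLARE_ANON_CLASS",
+172 : "ZEND_DECLARE_ANON_INHERITED_CLASS",
+}
+
+# regular data types
+IS_UNDEF = 0
+IS_NULL = 1
+IS_FALSE = 2
+IS_TRUE = 3
+IS_LONG = 4
+IS_DOUBLE = 5
+IS_STRING = 6
+IS_ARRAY = 7
+IS_OBJECT = 8
+IS_RESOURCE = 9
+IS_REFERENCE = 10
+
+# constant expressions
+IS_CONSTANT = 11
+IS_CONSTANT_AST = 12
+
+# fake types
+_IS_BOOL = 13
+IS_CALLABLE = 14
+IS_VOID = 18
+
+# internal types
+IS_INDIRECT = 15
+IS_PTR = 17
+_IS_ERROR = 19
+
+# Op Types
+IS_CONST = 1 << 0
+IS_TMP_VAR = 1 << 1
+IS_VAR = 1 << 2
+IS_UNUSED = 1 << 3
+IS_CV = 1 << 4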
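Review bot: OPCODES has a hole at key 151 (line 154 maps 150 and line 155 jumps straight to 152), so any consumer that indexes `OPCODES[opcode]` on an opcode field read from an untrusted OPcache file will raise KeyError on 151 and on every value above 172, while 116–131 and 137 are handled as placeholder strings instead; unknown opcodes should be treated uniformly at the lookup site, e.g. `OPCODES.get(opcode, "(%d)?" % opcode)`, or the table should carry a comment saying why 151 is deliberately absent. The mnemonics also change convention at 152 (`ZEND_JMP_SET` and onward carry a `ZEND_` prefix that 0–150 do not), which any detector rule that matches on names such as `INCLUDE_OR_EVAL` will have to special-case; apply one convention throughout. There is no module-level comment stating which engine release this numbering follows — opcode numbers and zval type tags differ between PHP versions, and the tag list here looks like PHP 7's but that is inferred — so a header such as `# Opcode numbers and zval type tags for the targeted PHP engine version; regenerate when the engine changes` would make the table's scope explicit. The grouping of `IS_VOID = 18` under "fake types" between the internal-type values 15 and 17 is presumably copied from the engine header; if so, a note saying the numbers are engine-defined rather than ordered would stop readers from "fixing" them.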
