Commit fcdfb39

Author: Ian Bouchard (committed)
Adds descriptions for the new tools
1 parent 4b815a7 commit fcdfb39

1 file changed

+24
-0
lines changed

README.md

Lines changed: 24 additions & 0 deletions
@@ -25,6 +25,30 @@ Simply pass a filename or a URL.
2525
------------
2626
System ID : 81d80d78c6ef96b89afaadc7ffc5d7ea
2727

28+
## OPcache Disassembler
29+
This tool lets you disassemble an OPcache file.
30+
31+
You can display it as a syntax tree (-t) or pseudocode (-c).
32+
Simply pass a display option and an OPcache file.
33+
34+
$ ./opcache_disassembler.py -c malware.php.bin
35+
36+
#0 $280 = FETCH_IS('_GET', None);
37+
#1 ~0 = ISSET_ISEMPTY_DIM_OBJ($280, 'test');
38+
#2 JMPZ(~408, ->5);
39+
#3 ECHO('success', None);
40+
...
41+
42+
43+
## OPcache Malware Detect
44+
This tool helps detect malware hidden in OPcache files by searching specific keywords in the file's opcodes.
45+
46+
Pass an OPcache file or directory and the detector will recursively go through all the `.php.bin` files.
47+
48+
$ ./opcache_malware_detect.py malware.php.bin
49+
Checking malware.php.bin
50+
Found potentially dangerous keyword 'preg_replace'.
51+
Found potentially dangerous keyword 'str_rot13'.
2852

2953
## Demo
3054
To setup the demo, run the following two commands :
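Review bot: The sample disassembler output in the "OPcache Disassembler" section is internally inconsistent: line #1 assigns the ISSET result to `~0`, but line #2 reads `JMPZ(~408, ->5)`, testing a temporary that never appears in the listing. Since readers will use this snippet to learn the pseudocode format, either paste a real run so the temporaries line up (`#2 JMPZ(~0, ->5);`) or note that it is abridged. In the "OPcache Malware Detect" section, the text says the detector searches "specific keywords in the file's opcodes", yet the two hits shown (`preg_replace`, `str_rot13`) are PHP function names, not opcodes; say what is actually matched (function names and string operands in the opcode stream), where the keyword list lives and how to extend it, and that a hit is a heuristic signal to be reviewed rather than a verdict, since both functions also occur in benign code. Style nit: the consecutive blank lines at 30/31, 33/34, 35/36, 41-43 and 45-47 can be collapsed to one.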
