pKaji: The PHP Analyzer

pKaji is a free service provided by MyCERT that allows one to analyze PHP code. It facilitates detection of network activity and other potentially malicious activity within the code by using the "hooking" technique. It uses the APD (Advanced PHP Debugger) extension to hook the original PHP built-in functions, so that each call and its arguments can be recorded.

Using pKaji

To use pKaji, a user uploads a valid PHP file smaller than 1 Mb at https://blog.honeynet.org.my/pKaji/. The pKaji front-end forwards the request to the pKaji-core engine. The process will probably take a few minutes, depending on the server workload.

The result of the analysis is shown in XML format, listing each function called together with the parameters passed to it.

Output Example

PHP code: set_time_limit(0);
XML output:
<function_call>
<name>set_time_limit</name>
<parameter>seconds=0</parameter>
</function_call>

PHP code: fsockopen("irc.neoshell.org","6667", &$err_num, &$err_msg, 30);
XML output:
<function_call>
<name>fsockopen</name>
<parameter>host=irc.neoshell.org, port=6667, , , 30</parameter>
</function_call>

PHP code: echo "ID: ShiroHige<br>";
XML output:
<function_call>
<name>echo</name>
<parameter>$str="ID: ShiroHige<br>"</parameter>
</function_call>

PHP code: @getenv("SERVER_ADDR");
XML output:
<function_call>
<name>getenv</name>
<parameter>$varname=SERVER_ADDR</parameter>
</function_call>
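For triage, a report in the format shown above can be reduced to the calls that matter. The following Python sketch is an added example, not part of pKaji: the category lists, function names and the sample report (with a placeholder host) are assumptions constructed for illustration.

```python
import re

# Constructed sample in the format shown above (not real pKaji output).
SAMPLE_REPORT = """
<function_call>
<name>set_time_limit</name>
<parameter>seconds=0</parameter>
</function_call>
<function_call>
<name>fsockopen</name>
<parameter>host=irc.example.net, port=6667, , , 30</parameter>
</function_call>
<function_call>
<name>echo</name>
<parameter>$str="ID: test<br>"</parameter>
</function_call>
<function_call>
<name>getenv</name>
<parameter>$varname=SERVER_ADDR</parameter>
</function_call>
"""

# Assumed triage categories (PHP built-ins); adjust to local policy.
CATEGORIES = {
    "network": {"fsockopen", "pfsockopen", "socket_connect", "curl_exec", "mail"},
    "execution": {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"},
    "runtime_env": {"getenv", "php_uname", "set_time_limit", "ini_set"},
}
# Parameters can hold raw markup such as <br>, which a strict XML parser
# rejects, so records are matched with a tolerant regex instead.
CALL_RE = re.compile(r"<function_call>\s*<name>(.*?)</name>\s*"
                     r"<parameter>(.*?)</parameter>\s*</function_call>", re.S)

def parse_report(text):
    """Return (function name, raw parameter string) for every recorded call."""
    return [(n.strip(), p.strip()) for n, p in CALL_RE.findall(text)]

def endpoint(param):
    """Extract (host, port) from a 'host=..., port=...' parameter string."""
    m = re.search(r"host=([^,\s]+),\s*port=(\d+)", param)
    return (m.group(1), int(m.group(2))) if m else None

def triage(text):
    """Keep only calls in a watched category, with any endpoint found."""
    findings = []
    for name, param in parse_report(text):
        cat = next((c for c, names in CATEGORIES.items() if name in names), None)
        if cat:
            findings.append({"function": name, "category": cat,
                             "parameter": param, "endpoint": endpoint(param)})
    return findings
```

Calling `triage(SAMPLE_REPORT)` drops the `echo` record and returns the three watched calls, with the `fsockopen` entry carrying the extracted host and port.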

To upload a file, you need to have an account. You can request login credentials by email at honeynet [at] cybersecurity.my. Just tell us a bit about yourself and be patient 🙂 We definitely look forward to working with security teams and researchers in the future.
