I recently found the code below in one of my directories, in a file called doc.php. The file functions or links to a file manager. It's quite nicely done. Basi
The e pattern modifier means the replaced code should be executed as PHP code. The series of \x??'s at the beginning of the string are hex characters to hide the ASCII they correspond to; \x65\x76\x61\x6C is equivalent to just typing eval, but someone who sees eval in a script is going to realize immediately that something is up. The complete replacement string translates to:
eval(gzinflate(base64_decode("...")));
I left out the ... contents, but that's the complete code the malware author is executing. You can execute just the gzinflate(base64_decode("...")) part to see the code; it's over 1000 lines long and probably not worth posting here
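The unwrapping described in the answer above can also be done statically, without running any of the PHP. The following is an added example, not part of the original posts: a Python sketch that decodes the \x?? escapes and peels eval(gzinflate(base64_decode("..."))) layers. The sample input is constructed and harmless, and all function names are hypothetical.

```python
import base64
import re
import zlib

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)

def decode_hex_escapes(text):
    """Decode PHP-style hex escapes (backslash-x plus two hex digits)."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def php_gzinflate(data):
    """Equivalent of PHP gzinflate(): raw DEFLATE with no zlib or gzip header."""
    return zlib.decompress(data, -zlib.MAX_WBITS)

def unwrap(source, max_layers=20):
    """Peel wrapper layers by decoding only; nothing is ever executed.
    Returns (innermost_source, layers_removed)."""
    source = decode_hex_escapes(source)
    layers = 0
    while layers < max_layers:
        match = WRAPPER.search(source)
        if not match:
            break
        try:
            payload = base64.b64decode(match.group(1))
            inner = php_gzinflate(payload).decode("utf-8", errors="replace")
        except (ValueError, zlib.error):
            break  # looked like a wrapper but did not decode; stop here
        source = decode_hex_escapes(inner)  # keep only the decoded layer
        layers += 1
    return source, layers

def _wrap(php):
    """Build constructed test input the way the obfuscation layers it."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = comp.compress(php.encode()) + comp.flush()
    return 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw).decode()

# Constructed sample: harmless statement wrapped twice, outer "eval" hex-escaped.
SAMPLE = _wrap(_wrap('echo "harmless placeholder";')).replace("eval", r"\x65\x76\x61\x6C", 1)

if __name__ == "__main__":
    print(unwrap(SAMPLE))
```

Run it on a copy of the suspicious file's contents; the layer cap stops runaway input, and the decoded source is returned as text for review.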