Plattform-specific, but also theoretical exec vectors:
- dotnet_load()
- new COM("WScript.Shell")
- new Java("java.lang.Runtime")
- event_new() - very eventually
And there are many more disguising methods:
- proc_open is an alias for popen
- call_user_func_array("exE".chr(99), array("/usr/bin/damage", "--all"));
- file_put_contents("/cgi-bin/nextinvocation.cgi") && chmod(...)
- PharData::setDefaultStub - some more work to examine code in .phar files
- runkit_function_rename("exec", "innocent_name") or APD rename_function
