RASP implementation for PHP
2022-07-03 13:53:00 【yolo_ yyh】
1. What is RASP?
RASP stands for Runtime Application Self-Protection: a technique that is embedded in the application and inspects external requests and input in real time. A RASP for PHP is embedded in the PHP interpreter in the form of a PHP extension.
2. Introduction to PHP extensions
PHP works in different modes in different environments. Common ones are single-process mode and, under Apache, multi-process or multi-threaded mode. Whichever mode is used, the following steps are executed:
Figure 1: Extension execution flow in single-process mode
In single-process mode, the whole PHP life cycle is:
Figure 2: Single-process life cycle
The life cycle in multi-process mode:
Figure 3: Multi-process life cycle
In multi-process mode each process performs module initialization and module shutdown only once, and in between keeps repeating the cycle of request initialization, request handling and request shutdown. Multi-threaded mode is similar, except that threads handle the requests.
So we can install our hooks in the module initialization (MINIT) or request initialization (RINIT) stage. Our business-logic function then runs every time a request is processed; in it we can monitor the input or the request, and report the risk once an anomaly is detected.
3. Implementing hooks in PHP
To understand how hooking works, we first need to look at how PHP processes a script.
After lexical and syntax analysis of a script, PHP generates an OPArray, that is, an array of opcodes. Each opcode represents a different operation, with names like the following:
ZEND_ADD: performs the arithmetic addition of two operands;
ZEND_EXIT: exits PHP execution;
The Zend VM has a main dispatch loop (an infinite while(1) loop). The loop ends only when the handler of the executed opcode returns 1 (ZEND_VM_RETURN()), so the compiler appends a RETURN opcode to the end of every PHP script.
Take the ZEND_ADD opcode as an example. Its structure contains two operands (op1 and op2), a handler (a function pointer) and a result (the result of the operation). The Zend VM finds the corresponding handler according to the types of the two operands. In the source code, the handler for the ZEND_ADD opcode is defined as follows:
ZEND_VM_HANDLER(1, ZEND_ADD, CONST|TMP|VAR|CV, CONST|TMP|VAR|CV)
{
    USE_OPLINE
    zend_free_op free_op1, free_op2;

    SAVE_OPLINE();
    fast_add_function(&EX_T(opline->result.var).tmp_var,
        GET_OP1_ZVAL_PTR(BP_VAR_R),
        GET_OP2_ZVAL_PTR(BP_VAR_R) TSRMLS_CC);
    FREE_OP1();
    FREE_OP2();
    CHECK_EXCEPTION();
    ZEND_VM_NEXT_OPCODE();
}
The last two arguments of the definition give the operand types that op1 and op2 can accept.
The code generator takes this definition, combines the types of op1 and op2, and generates 16 handler functions, each handling one specific type combination. These handler functions are named as follows:
static int ZEND_FASTCALL ZEND_ADD_SPEC_CONST_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) { /* handler code */ }
static int ZEND_FASTCALL ZEND_ADD_SPEC_CONST_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) { /* handler code */ }
static int ZEND_FASTCALL ZEND_ADD_SPEC_CONST_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) { /* handler code */ }
static int ZEND_FASTCALL ZEND_ADD_SPEC_CONST_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) { /* handler code */ }
static int ZEND_FASTCALL ZEND_ADD_SPEC_TMP_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) { /* handler code */ }
static int ZEND_FASTCALL ZEND_ADD_SPEC_TMP_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) { /* handler code */ }
......
The naming pattern is: static int ZEND_FASTCALL OPCode_SPEC_{OP1-TYPE}_{OP2-TYPE}_HANDLER
So which handler is finally executed depends on the types of the two operands.
This means we can replace the handler of an opcode, and the source code happens to provide an interface for exactly that: zend_set_user_opcode_handler(zend_uchar opcode, user_opcode_handler_t handler).
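The dispatch loop and the user opcode handler described above, as an added example that is not from the original article and is not Zend source code. It is a self-contained C model: the opcode set, the RC_* return codes and every function name are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model, not Zend source: three opcodes, one handler per opcode. */
enum { OP_ADD, OP_INCLUDE, OP_RETURN, OP_COUNT };
enum { RC_CONTINUE = 0, RC_RETURN = 1, RC_DISPATCH = 2 };  /* model return codes */

typedef struct { int opcode; int op1, op2; } op_t;
typedef struct { const op_t *opline; int result; int audited; } exec_t;
typedef int (*op_handler_t)(exec_t *ex);

static int h_add(exec_t *ex)     { ex->result = ex->opline->op1 + ex->opline->op2; ex->opline++; return RC_CONTINUE; }
static int h_include(exec_t *ex) { ex->opline++; return RC_CONTINUE; }  /* stand-in: does nothing */
static int h_return(exec_t *ex)  { (void)ex; return RC_RETURN; }

static const op_handler_t builtin[OP_COUNT] = { h_add, h_include, h_return };
static op_handler_t user[OP_COUNT];   /* all NULL until a hook is installed */

/* Same shape as zend_set_user_opcode_handler(opcode, handler). */
int set_user_opcode_handler(int opcode, op_handler_t h) {
    if (opcode < 0 || opcode >= OP_COUNT) return -1;
    user[opcode] = h;
    return 0;
}

/* Hook: record the event, then let the built-in handler do the real work. */
static int audit_include(exec_t *ex) { ex->audited++; return RC_DISPATCH; }

/* Main loop: it ends only when a handler returns RC_RETURN (1). */
int execute(const op_t *ops, exec_t *ex) {
    ex->opline = ops;
    while (1) {
        int op = ex->opline->opcode;
        int rc = user[op] ? user[op](ex) : RC_DISPATCH;
        if (rc == RC_DISPATCH) rc = builtin[op](ex);
        if (rc == RC_RETURN) return ex->result;
    }
}

int main(void) {
    op_t prog[] = { {OP_ADD, 2, 3}, {OP_INCLUDE, 0, 0}, {OP_RETURN, 0, 0} };
    exec_t ex = {0};
    set_user_opcode_handler(OP_INCLUDE, audit_include);
    int r = execute(prog, &ex);
    printf("result=%d audited=%d\n", r, ex.audited);
    return 0;
}
```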
Besides opcodes, PHP also has many built-in functions, such as sprintf, system and usort. These functions are not opcodes; they are stored in the global function table, which can be obtained through CG(function_table). Each of these functions also has a corresponding handler function pointer, so we can back up the original handler and then replace it with function->internal_function.handler = new_handler.
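The back-up-and-replace pattern for a built-in function's handler, as an added example that is not from the original article and does not use the Zend API. It is a self-contained C model: the table layout, the function names and the metacharacter check used as the detection policy are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not the Zend API: a function table of name -> handler. */
typedef int (*handler_t)(const char *arg);
typedef struct { const char *name; handler_t handler; } func_t;

static int fn_system(const char *cmd)  { (void)cmd; return 0; }  /* stand-in: pretends the command ran */
static int fn_sprintf(const char *fmt) { return (int)strlen(fmt); }

static func_t function_table[] = { {"sprintf", fn_sprintf}, {"system", fn_system} };
static handler_t orig_system;   /* backup of the original handler */
static int reports;             /* number of risks reported so far */

static func_t *lookup(const char *name) {
    for (size_t i = 0; i < sizeof function_table / sizeof function_table[0]; i++)
        if (strcmp(function_table[i].name, name) == 0) return &function_table[i];
    return NULL;
}

/* Replacement handler: check the input, report, otherwise forward to the original. */
static int rasp_system(const char *cmd) {
    if (strpbrk(cmd, ";|&`$") != NULL) {   /* placeholder policy, an assumption */
        reports++;
        fprintf(stderr, "[rasp] blocked system(): %s\n", cmd);
        return -1;
    }
    return orig_system(cmd);
}

/* Back up, then replace. A second install is refused: the backup would then
   point at the wrapper itself and every call would recurse forever. */
int hook(const char *name, handler_t wrapper, handler_t *backup) {
    func_t *f = lookup(name);
    if (f == NULL || f->handler == wrapper) return -1;
    *backup = f->handler;
    f->handler = wrapper;
    return 0;
}

int call(const char *name, const char *arg) {
    func_t *f = lookup(name);
    return f ? f->handler(arg) : -2;
}

int main(void) {
    hook("system", rasp_system, &orig_system);
    printf("%d %d\n", call("system", "ls -l"), call("system", "ls; id"));
    return 0;
}
```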