欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  后端开发

PHP扩展编写、PHP扩展调试、VLD源码分析

程序员文章站 2022-04-03 19:13:47
...

catalogue

1. 编译PHP源码2. 扩展结构、优缺点3. 使用PHP原生扩展框架wizard ext_skel编写扩展4. 编译安装VLD5. Debug调试VLD6. VLD源码分析

1. 编译PHP源码

wget http://cn2.php.net/distributions/php-5.5.31.tar.gztar -zvzf php-5.5.31.tar.gz//为了尽快得到可以测试的环境,我们仅编译一个最精简的PHP。通过执行 ./configure –disable-all来进行配置。 以后如果需要其他功能可以重新编译。如果configure命令出现错误,可能是缺少PHP所依赖的库,各个系统的环境可能不一样。 出现错误可根据出错信息上网搜索。 直到完成configure。configure完成后我们就可以开始编译./configure --enable-debug --enable-tokenizer  /*apt-get install -y libxml2*/make//运行编译后PHP./sapi/cli/php -v//install NetBeanshttp://download.netbeans.org/netbeans/8.1/final/bundles/netbeans-8.1-linux.shchmod 777 ./*./netbeans-8.1-linux.sh./configure CC=${IDE_CC} CXX=${IDE_CXX} CFLAGS="-g3 -gdwarf-2" CXXFLAGS="-g3 -gdwarf-2" --disable-all --enable-debug --enable-tokenizer

Relevant Link:

http://www.cnblogs.com/LittleHann/p/3562259.html

2. 扩展结构、优缺点

0x1: C/C++扩展PHP的优点

1. 效率 减少PHP脚本的复杂度,极端情况下,你只需要在PHP脚本中,简单的调用一个扩展实现的函数,然后所有的功能都就被扩展实现 2. 与外部的库做交互比如你有一个C/C++的库, 不妨假设,这个库呢就是实现了一个字符串加密和解密,而你并没有这个库的源码,也就是说,你无法把这个库在PHP中实现,那么你只有编写一个PHP扩展,来做为一个桥梁,连接起你的PHP和这个库3. 复用Zend的词法/语法处理逻辑在特殊领域的应用,例如WEBSHELL检测中,通过扩展Hook机制实现Token AST树的获取,然后在此基础上进行语法还原、和语法层面模拟执行

0x2: 缺点

1. 开发复杂2. 可维护性降低开发周期变长, 最简单的一个例子,当你用PHP脚本的时候, 如果你发现某个判断条件出错,你只要修改了这一行,保存,那么就立刻能见效。而如果是在C/C++编写的PHP扩展中, 那你可需要,修改源码,重新编译,然后重新load进PHP,然后重启Apache,才能见效 

0x3: 扩展框架的基础结构

root@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31/ext# cd helloworld/root@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31/ext/helloworld# lltotal 44drwxr-xr-x  3 root       root       4096 Jan 27 16:10 ./drwxr-xr-x 80 ubuntu1204 ubuntu1204 4096 Jan 27 16:10 ../-rw-r--r--  1 root       root       2178 Jan 27 16:10 config.m4-rw-r--r--  1 root       root        324 Jan 27 16:10 config.w32-rw-r--r--  1 root       root         10 Jan 27 16:10 CREDITS-rw-r--r--  1 root       root          0 Jan 27 16:10 EXPERIMENTAL-rw-r--r--  1 root       root       5296 Jan 27 16:10 helloworld.c-rw-r--r--  1 root       root        514 Jan 27 16:10 helloworld.php-rw-r--r--  1 root       root       2962 Jan 27 16:10 php_helloworld.h-rw-r--r--  1 root       root         16 Jan 27 16:10 .svnignoredrwxr-xr-x  2 root       root       4096 Jan 27 16:10 tests/

1. helloworld.c

这个文件是我们扩展的主要文件,扩展的主体逻辑都在里面实现

/*  +----------------------------------------------------------------------+  | PHP Version 5                                                        |  +----------------------------------------------------------------------+  | Copyright (c) 1997-2015 The PHP Group                                |  +----------------------------------------------------------------------+  | This source file is subject to version 3.01 of the PHP license,      |  | that is bundled with this package in the file LICENSE, and is        |  | available through the world-wide-web at the following url:           |  | http://www.php.net/license/3_01.txt                                  |  | If you did not receive a copy of the PHP license and are unable to   |  | obtain it through the world-wide-web, please send a note to          |  | license@php.net so we can mail you a copy immediately.               |  +----------------------------------------------------------------------+  | Author:                                                              |  +----------------------------------------------------------------------+*//* $Id$ */#ifdef HAVE_CONFIG_H#include "config.h"#endif#include "php.h"#include "php_ini.h"#include "ext/standard/info.h"#include "php_helloworld.h"/* If you declare any globals in php_helloworld.h uncomment this:ZEND_DECLARE_MODULE_GLOBALS(helloworld)*//* True global resources - no need for thread safety here */static int le_helloworld;/* {{{ helloworld_functions[] * * Every user visible function must have an entry in helloworld_functions[]. */const zend_function_entry helloworld_functions[] = {    PHP_FE(confirm_helloworld_compiled,    NULL)        /* For testing, remove later. */    PHP_FE_END    /* Must be the last line in helloworld_functions[] */};/* }}} *//* {{{ helloworld_module_entry */zend_module_entry helloworld_module_entry = {#if ZEND_MODULE_API_NO >= 20010901    STANDARD_MODULE_HEADER,#endif    "helloworld",    helloworld_functions,    PHP_MINIT(helloworld),    PHP_MSHUTDOWN(helloworld),    PHP_RINIT(helloworld),        /* Replace with NULL if there's nothing to do at request start */    PHP_RSHUTDOWN(helloworld),    /* Replace with NULL if there's nothing to do at request end */    PHP_MINFO(helloworld),#if ZEND_MODULE_API_NO >= 20010901    PHP_HELLOWORLD_VERSION,#endif    STANDARD_MODULE_PROPERTIES};/* }}} */#ifdef COMPILE_DL_HELLOWORLDZEND_GET_MODULE(helloworld)#endif/* {{{ PHP_INI *//* Remove comments and fill if you need to have entries in php.iniPHP_INI_BEGIN()    STD_PHP_INI_ENTRY("helloworld.global_value",      "42", PHP_INI_ALL, OnUpdateLong, global_value, zend_helloworld_globals, helloworld_globals)    STD_PHP_INI_ENTRY("helloworld.global_string", "foobar", PHP_INI_ALL, OnUpdateString, global_string, zend_helloworld_globals, helloworld_globals)PHP_INI_END()*//* }}} *//* {{{ php_helloworld_init_globals *//* Uncomment this function if you have INI entriesstatic void php_helloworld_init_globals(zend_helloworld_globals *helloworld_globals){    helloworld_globals->global_value = 0;    helloworld_globals->global_string = NULL;}*//* }}} *//* {{{ PHP_MINIT_FUNCTION */PHP_MINIT_FUNCTION(helloworld){    /* If you have INI entries, uncomment these lines     REGISTER_INI_ENTRIES();    */    return SUCCESS;}/* }}} *//* {{{ PHP_MSHUTDOWN_FUNCTION */PHP_MSHUTDOWN_FUNCTION(helloworld){    /* uncomment this line if you have INI entries    UNREGISTER_INI_ENTRIES();    */    return SUCCESS;}/* }}} *//* Remove if there's nothing to do at request start *//* {{{ PHP_RINIT_FUNCTION */PHP_RINIT_FUNCTION(helloworld){    return SUCCESS;}/* }}} *//* Remove if there's nothing to do at request end *//* {{{ PHP_RSHUTDOWN_FUNCTION */PHP_RSHUTDOWN_FUNCTION(helloworld){    return SUCCESS;}/* }}} *//* {{{ PHP_MINFO_FUNCTION */PHP_MINFO_FUNCTION(helloworld){    php_info_print_table_start();    php_info_print_table_header(2, "helloworld support", "enabled");    php_info_print_table_end();    /* Remove comments if you have entries in php.ini    DISPLAY_INI_ENTRIES();    */}/* }}} *//* Remove the following function when you have successfully modified config.m4   so that your module can be compiled into PHP, it exists only for testing   purposes. *//* Every user-visible function in PHP should document itself in the source *//* {{{ proto string confirm_helloworld_compiled(string arg)   Return a string to confirm that the module is compiled in */PHP_FUNCTION(confirm_helloworld_compiled){    char *arg = NULL;    int arg_len, len;    char *strg;    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &arg, &arg_len) == FAILURE) {        return;    }    len = spprintf(&strg, 0, "Congratulations! You have successfully modified ext/%.78s/config.m4. Module %.78s is now compiled into PHP.", "helloworld", arg);    RETURN_STRINGL(strg, len, 0);}/* }}} *//* The previous line is meant for vim and emacs, so it can correctly fold and    unfold functions in source code. See the corresponding marks just before    function definition, where the functions purpose is also documented. Please    follow this convention for the convenience of others editing your code.*//* * Local variables: * tab-width: 4 * c-basic-offset: 4 * End: * vim600: noet sw=4 ts=4 fdm=marker * vim    

函数自身的定义使用了宏PHP_FUNCTION(),该宏可以生成一个适合于Zend引擎的函数原型为了获得函数传递的参数,可以使用zend_parse_parameters()API函数

zend_parse_parameters(int num_args TSRMLS_DC, char *type_spec, ...);1. num_args: 传递给函数的参数个数。通常的做法是传给它ZEND_NUM_ARGS(),这是一个表示传递给函数参数总个数的宏。2. TSRMLS_DC: 为了线程安全,总是传递TSRMLS_CC宏3. *type_spec: 是一个字符串,指定了函数期望的参数类型4. ...: 需要随参数值更新的变量列表,是一个变长数量参数传递

2. config.m4

m4是一个宏解释工具,它会把输入文件中的宏展开到输出文件。所以这个config.m4是PHP扩展框架所必须的,也是关键的一个文件,用来生成我们扩展的makefile

dnl $Id$dnl config.m4 for extension helloworld//在m4中,dnl表示注释,如果需要启用对应配置项,则删除行首的dnl即可dnl Comments in this file start with the string 'dnl'.dnl Remove where necessary. This file will not workdnl without editing.dnl If your extension references something external, use with:/*with说明了,要启用这个模块,必须要的先决条件,也就是说这个模块依赖于某些其他模块*/dnl PHP_ARG_WITH(helloworld, for helloworld support,dnl Make sure that the comment is aligned:dnl [  --with-helloworld             Include helloworld support])dnl Otherwise use enable:/*这段指令创建了一个configure时的参数“enable-example”, 第二个参数会显示在当configure处理到这个模块的configure文件的时候。第三个参数,会在用户输入./configurehelp的时候,作为一个可选的选项被显示即相当于:  ./configure --enable-helloworld */dnl PHP_ARG_ENABLE(helloworld, whether to enable helloworld support,dnl Make sure that the comment is aligned:dnl [  --enable-helloworld           Enable helloworld support])if test "$PHP_HELLOWORLD" != "no"; then  dnl Write more examples of tests here...  dnl # --with-helloworld -> check with-path  dnl SEARCH_PATH="/usr/local /usr"     # you might want to change this  dnl SEARCH_FOR="/include/helloworld.h"  # you most likely want to change this  dnl if test -r $PHP_HELLOWORLD/$SEARCH_FOR; then # path given as parameter  dnl   HELLOWORLD_DIR=$PHP_HELLOWORLD  dnl else # search default path list  dnl   AC_MSG_CHECKING([for helloworld files in default path])  dnl   for i in $SEARCH_PATH ; do  dnl     if test -r $i/$SEARCH_FOR; then  dnl       HELLOWORLD_DIR=$i  dnl       AC_MSG_RESULT(found in $i)  dnl     fi  dnl   done  dnl fi  dnl  dnl if test -z "$HELLOWORLD_DIR"; then  dnl   AC_MSG_RESULT([not found])  dnl   AC_MSG_ERROR([Please reinstall the helloworld distribution])  dnl fi  dnl # --with-helloworld -> add include path  dnl PHP_ADD_INCLUDE($HELLOWORLD_DIR/include)  dnl # --with-helloworld -> check for lib and symbol presence  dnl LIBNAME=helloworld # you may want to change this  dnl LIBSYMBOL=helloworld # you most likely want to change this /*在库library中查找第二个参数是否存在(这里是AC_DEFINE(HAVE_HELLOWORLDLIB,1,[ ])),如果存在则这个宏会被展开成found,否则not-found;*/  dnl PHP_CHECK_LIBRARY($LIBNAME,$LIBSYMBOL,  dnl [  dnl   PHP_ADD_LIBRARY_WITH_PATH($LIBNAME, $HELLOWORLD_DIR/$PHP_LIBDIR, HELLOWORLD_SHARED_LIBADD)  dnl   AC_DEFINE(HAVE_HELLOWORLDLIB,1,[ ])  dnl ],[  dnl   AC_MSG_ERROR([wrong helloworld lib version or lib not found])  dnl ],[  dnl   -L$HELLOWORLD_DIR/$PHP_LIBDIR -lm  dnl ])  dnl  dnl PHP_SUBST(HELLOWORLD_SHARED_LIBADD)/*这个就是对AC_DEFUN简单包装,最终会被展开成: #define what value*/  dnl PHP_DEFINE(what, [value]) /*如果你的扩展是使用C++编写,那么你就必须使用这个宏,来告诉编译器使用C++编译器。这个宏会被展开成AC_PROG_CXXAC_PROG_CXXCPP*/  dnl PHP_REQURE_CXX   PHP_NEW_EXTENSION(helloworld, helloworld.c, $ext_shared)fi

3. CREDITES

用来在发布你的扩展的时候附加一些其他信息 ,比如等等

4. helloworld.php

用来简单测试你的扩展的

";if(!extension_loaded('helloworld')) {    dl('helloworld.' . PHP_SHLIB_SUFFIX);}$module = 'helloworld';$functions = get_extension_funcs($module);echo "Functions available in the test extension:$br\n";foreach($functions as $func) {    echo $func."$br\n";}echo "$br\n";$function = 'confirm_' . $module . '_compiled';if (extension_loaded($module)) {    $str = $function($module);} else {    $str = "Module $module is not compiled into PHP";}echo "$str\n";?>

5. php_helloworld.h

/*  +----------------------------------------------------------------------+  | PHP Version 5                                                        |  +----------------------------------------------------------------------+  | Copyright (c) 1997-2015 The PHP Group                                |  +----------------------------------------------------------------------+  | This source file is subject to version 3.01 of the PHP license,      |  | that is bundled with this package in the file LICENSE, and is        |  | available through the world-wide-web at the following url:           |  | http://www.php.net/license/3_01.txt                                  |  | If you did not receive a copy of the PHP license and are unable to   |  | obtain it through the world-wide-web, please send a note to          |  | license@php.net so we can mail you a copy immediately.               |  +----------------------------------------------------------------------+  | Author:                                                              |  +----------------------------------------------------------------------+*//* $Id$ */#ifndef PHP_HELLOWORLD_H#define PHP_HELLOWORLD_Hextern zend_module_entry helloworld_module_entry;#define phpext_helloworld_ptr &helloworld_module_entry#define PHP_HELLOWORLD_VERSION "0.1.0" /* Replace with version number for your extension */#ifdef PHP_WIN32#    define PHP_HELLOWORLD_API __declspec(dllexport)#elif defined(__GNUC__) && __GNUC__ >= 4#    define PHP_HELLOWORLD_API __attribute__ ((visibility("default")))#else#    define PHP_HELLOWORLD_API#endif#ifdef ZTS#include "TSRM.h"#endifPHP_MINIT_FUNCTION(helloworld);PHP_MSHUTDOWN_FUNCTION(helloworld);PHP_RINIT_FUNCTION(helloworld);PHP_RSHUTDOWN_FUNCTION(helloworld);PHP_MINFO_FUNCTION(helloworld);PHP_FUNCTION(confirm_helloworld_compiled);    /* For testing, remove later. *//*       Declare any global variables you may need between the BEGIN    and END macros here:     ZEND_BEGIN_MODULE_GLOBALS(helloworld)    long  global_value;    char *global_string;ZEND_END_MODULE_GLOBALS(helloworld)*//* In every utility function you add that needs to use variables    in php_helloworld_globals, call TSRMLS_FETCH(); after declaring other    variables used by that function, or better yet, pass in TSRMLS_CC   after the last function argument and declare your utility function   with TSRMLS_DC after the last declared argument.  Always refer to   the globals in your function as HELLOWORLD_G(variable).  You are    encouraged to rename these macros something shorter, see   examples in any other php module directory.*/#ifdef ZTS#define HELLOWORLD_G(v) TSRMG(helloworld_globals_id, zend_helloworld_globals *, v)#else#define HELLOWORLD_G(v) (helloworld_globals.v)#endif#endif    /* PHP_HELLOWORLD_H *//* * Local variables: * tab-width: 4 * c-basic-offset: 4 * End: * vim600: noet sw=4 ts=4 fdm=marker * vim    

Relevant Link:

http://www.laruence.com/2008/08/16/301.html

3. 使用PHP原生扩展框架wizard ext_skel编写扩展

0x1: Hello world扩展框架代码生成

root@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31# cd ext/root@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31/ext# pwd/home/ubuntu1204/phpsourcecode/php-5.5.31/ext root@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31/ext# ./ext_skel --extname=helloworldCreating directory helloworldCreating basic files: config.m4 config.w32 .svnignore helloworld.c php_helloworld.h CREDITS EXPERIMENTAL tests/001.phpt helloworld.php [done].To use your new extension, you will have to execute the following steps:1.  $ cd ..2.  $ vi ext/helloworld/config.m43.  $ ./buildconf4.  $ ./configure --[with|enable]-helloworld5.  $ make6.  $ ./sapi/cli/php -f ext/helloworld/helloworld.php7.  $ vi ext/helloworld/helloworld.c8.  $ makeRepeat steps 3-6 until you are satisfied with ext/helloworld/config.m4 andstep 6 confirms that your module is compiled into PHP. Then, start writingcode and repeat the last two steps as often as necessary.

在ext目录下生成了一个名为example的目录,并在这个目录下生成了所有的要完成一个PHP扩展所必须的文件和代码

0x2: 修改config.m4

去除注释

PHP_ARG_WITH(helloworld, for helloworld support,dnl Make sure that the comment is aligned:[  --with-helloworld             Include helloworld support])

0x3: 编译

编译扩展有两种方法

1. 可装载模块或者DSO(动态共享对象)2. 静态编译到PHP

1. 可装载模块或者DSO(动态共享对象)

./buildconf --forceroot@ubuntu1204-virtual-machine:/home/ubuntu1204/phpsourcecode/php-5.5.31# ./configure --help | grep helloworld  --with-helloworld             Include helloworld supportmake/*安装PHPInstalling shared extensions:     /usr/local/lib/php/extensions/debug-non-zts-20121212/Installing PHP CLI binary:        /usr/local/bin/Installing PHP CLI man page:      /usr/local/php/man/man1/Installing PHP CGI binary:        /usr/local/bin/Installing PHP CGI man page:      /usr/local/php/man/man1/Installing build environment:     /usr/local/lib/php/build/Installing header files:          /usr/local/include/php/Installing helper programs:       /usr/local/bin/  program: phpize  program: php-configInstalling man pages:             /usr/local/php/man/man1/  page: phpize.1  page: php-config.1Installing PEAR environment:      /usr/local/lib/php/[PEAR] Archive_Tar    - installed: 1.4.0[PEAR] Console_Getopt - installed: 1.4.1[PEAR] Structures_Graph- installed: 1.1.1[PEAR] XML_Util       - installed: 1.3.0[PEAR] PEAR           - installed: 1.10.1Wrote PEAR system config file at: /usr/local/etc/pear.confYou may want to add: /usr/local/lib/php to your php.ini include_path/home/ubuntu1204/phpsourcecode/php-5.5.31/build/shtool install -c ext/phar/phar.phar /usr/local/binln -s -f phar.phar /usr/local/bin/pharInstalling PDO headers:          /usr/local/include/php/ext/pdo/*/make install//编译扩展cd ./ext/hellowordphpize./configure --with-helloworldmake//复制扩展so库到PHP目录make install

2. 静态编译到PHP

将静态库编译进PHP,和普通的静态库编译链接是一个道理,我们使用C/C++编写逻辑代码,并编译成静态.a库,然后重新编译PHP主程序源代码,并在编译参数中显式说明需要链接对应静态库

1. 用C/C++写PHP扩展2. 编译静态库.a库3. 把静态库加入PHP: 假设静态库的文件名叫libnpc.a,放在/home目录下。在PHP的安装目录下输入如下命令: export LDFLAGS="–L/home –lnpc",这个环境变量的作用就是让PHP在编译时知道要把这个库也一起编译进去4. 编译PHP

Relevant Link:

http://www.laruence.com/2011/09/13/2139.htmlhttps://segmentfault.com/a/1190000003952548http://hzcsky.blog.51cto.com/1560073/820232http://www.laruence.com/2009/04/28/719.htmlhttp://www.thinksaas.cn/manual/php/features.commandline.htmlhttp://weizhifeng.net/write-php-extension-part1.html

4. 编译安装VLD

VLD(Vulcan Logic Dumper)是一个在Zend引擎中,以挂钩的方式实现的用于输出PHP脚本生成的中间代码(执行单元)的扩展

0x1: 编译安装

cd /home/ubuntu1204/phpsourcecode/php-5.5.31/ext/vld解压VLD(Vulcan Logic Dumper)phpize./configure --enable-vld  makemake install//需要注意的,在PHP CLI模式下,php.ini的配置会被覆盖,我们可以自己显式配置php.ini指令./sapi/cli/php -d extension=vld.so -dvld.active=1 /home/ubuntu1204/phpsourcecode/sample/shell.php

0x2: VLD扩展的参数列表

//./sapi/cli/php -d extension=vld.so -dvld.active=1 -dvld.verbosity=3 /home/ubuntu1204/phpsourcecode/sample/shell.php//./sapi/cli/php -d extension=vld.so -dvld.active=1 -dvld.execute=0 /home/ubuntu1204/phpsourcecode/sample/shell.php1. -dvld.active: 是否在执行PHP时激活VLD挂钩    1) 默认为0: 表示禁用    2) 使用-dvld.active=1启用2. -dvld.skip_prepend: 是否跳过php.ini配置文件中auto_prepend_file指定的文件    1) 默认为0,即不跳过包含的文件,显示这些包含的文件中的代码所生成的中间代码。此参数生效有一个前提条件:-dvld.execute=03. -dvld.execute: 是否执行这段PHP脚本    1) 默认值为1,表示执行    2) 使用-dvld.execute=0,表示只显示中间代码,不执行生成的中间代码 4. -dvld.format: 是否以自定义的格式显示    1) 默认为0,表示否    2) 使用-dvld.format=1,表示以自己定义的格式显示。这里自定义的格式输出是以-dvld.col_sep指定的参数间隔5. -dvld.col_sep: 在-dvld.format参数启用时此函数才会有效,默认为 "t"6. -dvld.verbosity: 是否显示更详细的信息    1) 默认为1    2) 其值可以为0,1,2,3 其实比0小的也可以,只是效果和0一样,比如0.1之类,但是负数除外,负数和效果和3的效果一样 比3大的值也是可以的,只是效果和3一样,3代表最详细7. -dvld.save_dir: 指定文件输出的路径,默认路径为/tmp 8. -dvld.save_paths: 控制是否输出文件,默认为0,表示不输出文件9. -dvld.dump_paths: 控制输出的内容,现在只有0和1两种情况,默认为1,输出内容

Relevant Link:

http://techlog.cn/article/list/10182879http://pecl.php.net/package/vldhttp://www.lampweb.org/seo/8/20.htmlhttp://hilojack.com/p/php-vld/

5. Debug调试VLD

cd /home/ubuntu1204/phpsourcecode/php-5.5.31/ext/vldvim config.m4/*在最后一行添加if test -z "$PHP_DEBUG"; then        AC_ARG_ENABLE(debug,                [--enable-debg  compile with debugging system],                [PHP_DEBUG=$enableval], [PHP_DEBUG=no]        )fi这样就表示该扩展能够进行调试了,然后编译该扩展*/  phpize./configure --enable-vld  makemake install//编辑netbeans Debug参数"${OUTPUT_PATH}" -d extension=vld.so -dvld.active=3 /home/ubuntu1204/phpsourcecode/sample/shell.php

Relevant Link:

https://segmentfault.com/a/1190000002703073http://www.codefrom.com/paper/%E4%BD%BF%E7%94%A8gdb%E8%B0%83%E8%AF%95php%E6%89%A9%E5%B1%95

6. VLD源码分析

0x1: vld_compile_file

vld.c

/* {{{ zend_op_array vld_compile_file (file_handle, type) *    This function provides a hook for compilation */static zend_op_array *vld_compile_file(zend_file_handle *file_handle, int type TSRMLS_DC){    zend_op_array *op_array;    if (!VLD_G(execute) &&        ((VLD_G(skip_prepend) && PG(auto_prepend_file) && PG(auto_prepend_file)[0] && PG(auto_prepend_file) == file_handle->filename) ||         (VLD_G(skip_append)  && PG(auto_append_file)  && PG(auto_append_file)[0]  && PG(auto_append_file)  == file_handle->filename)))    {        zval nop;#if PHP_VERSION_ID >= 70000        zend_op_array *ret;        ZVAL_STRINGL(&nop, "RETURN ;", 8);        ret = compile_string(&nop, "NOP" TSRMLS_CC);        zval_dtor(&nop);        return ret;#else        ZVAL_STRINGL(&nop, "RETURN ;", 8, 0);        return compile_string(&nop, "NOP" TSRMLS_CC);#endif    }    //调用Zend的编译Lex函数,获取待检测样本Opcode array    op_array = old_compile_file (file_handle, type TSRMLS_CC);    if (VLD_G(path_dump_file)) {        fprintf(VLD_G(path_dump_file), "subgraph cluster_file_%08x { label=\"file %s\";\n", op_array, op_array->filename ? ZSTRING_VALUE(op_array->filename) : "__main");    }    if (op_array) {        //打印opcod数组        vld_dump_oparray (op_array TSRMLS_CC);    }    zend_hash_apply_with_arguments (CG(function_table) APPLY_TSRMLS_CC, (apply_func_args_t) vld_dump_fe, 0);    zend_hash_apply (CG(class_table), (apply_func_t) vld_dump_cle TSRMLS_CC);    if (VLD_G(path_dump_file)) {        fprintf(VLD_G(path_dump_file), "}\n");    }    return op_array;}/* }}} */

0x2: vld_dump_oparray

srm_oparray.c

void vld_dump_oparray(zend_op_array *opa TSRMLS_DC){    unsigned int i;    vld_set *set;    vld_branch_info *branch_info;    //获取oparray中保存opcode数组的基地址    unsigned int base_address = (unsigned int)(zend_intptr_t)&(opa->opcodes[0]);    //为分析结果集申请空间,初始化    set = vld_set_create(opa->last);    //为分支逻辑块申请空间,初始化    branch_info = vld_branch_info_create(opa->last);    if (VLD_G(dump_paths)) {        vld_analyse_oparray(opa, set, branch_info TSRMLS_CC);    }    if (VLD_G(format)) {        vld_printf (stderr, "filename:%s%s\n", VLD_G(col_sep), ZSTRING_VALUE(opa->filename));        vld_printf (stderr, "function name:%s%s\n", VLD_G(col_sep), ZSTRING_VALUE(opa->function_name));        vld_printf (stderr, "number of ops:%s%d\n", VLD_G(col_sep), opa->last);    } else {        vld_printf (stderr, "filename:       %s\n", ZSTRING_VALUE(opa->filename));        vld_printf (stderr, "function name:  %s\n", ZSTRING_VALUE(opa->function_name));        vld_printf (stderr, "number of ops:  %d\n", opa->last);    }#ifdef IS_CV /* PHP >= 5.1 */    vld_printf (stderr, "compiled vars:  ");    for (i = 0; i last_var; i++) {        vld_printf (stderr, "!%d = $%s%s", i, OPARRAY_VAR_NAME(opa->vars[i]), ((i + 1) == opa->last_var) ? "\n" : ", ");    }    if (!opa->last_var) {        vld_printf(stderr, "none\n");    }#endif    if (VLD_G(format)) {        vld_printf(stderr, "line%s# *%s%s%sop%sfetch%sext%sreturn%soperands\n",VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep),VLD_G(col_sep));    } else {        vld_printf(stderr, "line     #* E I O op                           fetch          ext  return  operands\n");        vld_printf(stderr, "-------------------------------------------------------------------------------------\n");    }    for (i = 0; i last; i++) {        vld_dump_op(i, opa->opcodes, base_address, vld_set_in(set, i), vld_set_in(branch_info->entry_points, i), vld_set_in(branch_info->starts, i), vld_set_in(branch_info->ends, i), opa TSRMLS_CC);    }    vld_printf(stderr, "\n");    if (VLD_G(dump_paths)) {        vld_branch_post_process(opa, branch_info);        vld_branch_find_paths(branch_info);        vld_branch_info_dump(opa, branch_info TSRMLS_CC);    }    vld_set_free(set);    vld_branch_info_free(branch_info);}

0x3: vld_analyse_oparray

void vld_analyse_oparray(zend_op_array *opa, vld_set *set, vld_branch_info *branch_info TSRMLS_DC){    unsigned int position = 0;    VLD_PRINT(1, "Finding entry points\n");    while (position last) {        if (position == 0) {            vld_analyse_branch(opa, position, set, branch_info TSRMLS_CC);            vld_set_add(branch_info->entry_points, position);#if PHP_MAJOR_VERSION >= 5        } else if (opa->opcodes[position].opcode == ZEND_CATCH) {            if (VLD_G(format)) {                VLD_PRINT2(1, "Found catch point at position:%s%d\n", VLD_G(col_sep),position);            } else {                VLD_PRINT1(1, "Found catch point at position: %d\n", position);            }            vld_analyse_branch(opa, position, set, branch_info TSRMLS_CC);            vld_set_add(branch_info->entry_points, position);#endif        }        position++;    }    vld_set_add(branch_info->ends, opa->last-1);    branch_info->branches[opa->last-1].start_lineno = opa->opcodes[opa->last-1].lineno;}

0x4: vld_analyse_branch

可以看到,VLD是根据Branch进行"逐块"翻译的,从PHP Zend的角度来看,构成"分支结构语法"的用户态代码结构有

1. if2. for3. foreach4. goto5. exit..

void vld_analyse_branch(zend_op_array *opa, unsigned int position, vld_set *set, vld_branch_info *branch_info TSRMLS_DC)

void vld_analyse_branch(zend_op_array *opa, unsigned int position, vld_set *set, vld_branch_info *branch_info TSRMLS_DC){    long jump_pos1 = VLD_JMP_NOT_SET;    long jump_pos2 = VLD_JMP_NOT_SET;    if (VLD_G(format)) {        VLD_PRINT2(1, "Branch analysis from position:%s%d\n", VLD_G(col_sep),position);    } else {        VLD_PRINT1(1, "Branch analysis from position: %d\n", position);    }    vld_set_add(branch_info->starts, position);    branch_info->branches[position].start_lineno = opa->opcodes[position].lineno;    /* First we see if the branch has been visited, if so we bail out. */    if (vld_set_in(set, position)) {        return;    }    /* Loop over the opcodes until the end of the array, or until a jump point has been found */    VLD_PRINT1(2, "Add %d\n", position);    vld_set_add(set, position);    while (position last) {        jump_pos1 = VLD_JMP_NOT_SET;        jump_pos2 = VLD_JMP_NOT_SET;        /* See if we have a jump instruction */        //定位条件逻辑块的起始、结束位置        if (vld_find_jump(opa, position, &jump_pos1, &jump_pos2)) {            VLD_PRINT1(1, "Jump found. Position 1 = %d", jump_pos1);            if (jump_pos2 != VLD_JMP_NOT_SET) {                VLD_PRINT1(1, ", Position 2 = %d\n", jump_pos2);            } else {                VLD_PRINT(1, "\n");            }            //从当前条件分支(Branch)开始,递归处理子语句块            if (jump_pos1 == VLD_JMP_EXIT || jump_pos1 >= 0) {                vld_branch_info_update(branch_info, position, opa->opcodes[position].lineno, 0, jump_pos1);                if (jump_pos1 != VLD_JMP_EXIT) {                    vld_analyse_branch(opa, jump_pos1, set, branch_info TSRMLS_CC);                }            }            if (jump_pos2 == VLD_JMP_EXIT || jump_pos2 >= 0) {                vld_branch_info_update(branch_info, position, opa->opcodes[position].lineno, 1, jump_pos2);                if (jump_pos2 != VLD_JMP_EXIT) {                    vld_analyse_branch(opa, jump_pos2, set, branch_info TSRMLS_CC);                }            }            break;        }#ifdef ZEND_ENGINE_2        /* See if we have a throw instruction */        if (opa->opcodes[position].opcode == ZEND_THROW) {            VLD_PRINT1(1, "Throw found at %d\n", position);            vld_set_add(branch_info->ends, position);            branch_info->branches[position].start_lineno = opa->opcodes[position].lineno;            break;        }#endif        /* See if we have an exit instruction */        if (opa->opcodes[position].opcode == ZEND_EXIT) {            VLD_PRINT(1, "Exit found\n");            vld_set_add(branch_info->ends, position);            branch_info->branches[position].start_lineno = opa->opcodes[position].lineno;            break;        }        /* See if we have a return instruction */        if (            opa->opcodes[position].opcode == ZEND_RETURN#if PHP_VERSION_ID >= 50400            || opa->opcodes[position].opcode == ZEND_RETURN_BY_REF#endif        ) {            VLD_PRINT(1, "Return found\n");            vld_set_add(branch_info->ends, position);            branch_info->branches[position].start_lineno = opa->opcodes[position].lineno;            break;        }        position++;        VLD_PRINT1(2, "Add %d\n", position);        vld_set_add(set, position);    }}

0x5: vld_dump_op

void vld_dump_op(int nr, zend_op * op_ptr, unsigned int base_address, int notdead, int entry, int start, int end, zend_op_array *opa TSRMLS_DC){    static uint last_lineno = (uint) -1;    int print_sep = 0, len;    char *fetch_type = "";    unsigned int flags, op1_type, op2_type, res_type;    const zend_op op = op_ptr[nr];        if (op.lineno == 0) {        return;    }    if (op.opcode >= NUM_KNOWN_OPCODES) {        flags = ALL_USED;    } else {        flags = opcodes[op.opcode].flags;    }    op1_type = op.VLD_TYPE(op1);    op2_type = op.VLD_TYPE(op2);    res_type = op.VLD_TYPE(result);    if (flags == SPECIAL) {        flags = vld_get_special_flags(&op, base_address);    }     if (flags & OP1_OPLINE) {        op1_type = VLD_IS_OPLINE;    }    if (flags & OP2_OPLINE) {        op2_type = VLD_IS_OPLINE;    }    if (flags & OP1_OPNUM) {        op1_type = VLD_IS_OPNUM;    }    if (flags & OP2_OPNUM) {        op2_type = VLD_IS_OPNUM;    }    if (flags & OP1_CLASS) {        op1_type = VLD_IS_CLASS;    }    if (flags & RES_CLASS) {        res_type = VLD_IS_CLASS;    }    if (flags & OP_FETCH) {#ifdef ZEND_ENGINE_2        switch (op.VLD_EXTENDED_VALUE(op2)) {            case ZEND_FETCH_GLOBAL:                fetch_type = "global";                break;            case ZEND_FETCH_LOCAL:                fetch_type = "local";                break;            case ZEND_FETCH_STATIC:                fetch_type = "static";                break;            case ZEND_FETCH_STATIC_MEMBER:                fetch_type = "static member";                break;#ifdef ZEND_FETCH_GLOBAL_LOCK            case ZEND_FETCH_GLOBAL_LOCK:                fetch_type = "global lock";                break;#endif#ifdef ZEND_FETCH_AUTO_GLOBAL            case ZEND_FETCH_AUTO_GLOBAL:                fetch_type = "auto global";                break;#endif            default:                fetch_type = "unknown";                break;        }#else         if (op.op2.u.fetch_type == ZEND_FETCH_GLOBAL) {            fetch_type = "global";        } else if (op.op2.u.fetch_type == ZEND_FETCH_STATIC) {            fetch_type = "static";        }#endif    }    if (op.lineno == last_lineno) {        vld_printf(stderr, "     ");    } else {        vld_printf(stderr, "%4d ", op.lineno);        last_lineno = op.lineno;    }    if (op.opcode >= NUM_KNOWN_OPCODES) {        if (VLD_G(format)) {            vld_printf(stderr, "%5d %s %c %c %c %c %s %-23s %s %-14s ", nr, VLD_G(col_sep), notdead ? ' ' : '*', entry ? 'E' : ' ', start ? '>' : ' ', end ? '>' : ' ', VLD_G(col_sep), op.opcode, VLD_G(col_sep), fetch_type);        } else {            vld_printf(stderr, "%5d%c %c %c %c %-23s %-14s ", nr, notdead ? ' ' : '*', entry ? 'E' : ' ', start ? '>' : ' ', end ? '>' : ' ', op.opcode, "", fetch_type);        }    } else {        if (VLD_G(format)) {            vld_printf(stderr, "%5d %s %c %c %c %c %s %-28s %s %-14s ", nr, VLD_G(col_sep), notdead ? ' ' : '*', entry ? 'E' : ' ', start ? '>' : ' ', end ? '>' : ' ', VLD_G(col_sep), opcodes[op.opcode].name, VLD_G(col_sep), fetch_type);        } else {            vld_printf(stderr, "%5d%c %c %c %c %-28s %-14s ", nr, notdead ? ' ' : '*', entry ? 'E' : ' ', start ? '>' : ' ', end ? '>' : ' ', opcodes[op.opcode].name, fetch_type);        }    }    if (flags & EXT_VAL) {        vld_printf(stderr, "%3d  ", op.extended_value);    } else {        vld_printf(stderr, "     ");    }    if ((flags & RES_USED) && !(op.VLD_EXTENDED_VALUE(result) & EXT_TYPE_UNUSED)) {        VLD_PRINT(3, " RES[ ");        len = vld_dump_znode (NULL, res_type, op.result, base_address TSRMLS_CC);        VLD_PRINT(3, " ]");        if (VLD_G(format)) {            if (len==0) {                vld_printf(stderr, " ");            }        } else {            vld_printf(stderr, "%*s", 8-len, " ");        }    } else {        vld_printf(stderr, "        ");    }    if (flags & OP1_USED) {        VLD_PRINT(3, " OP1[ ");        vld_dump_znode (&print_sep, op1_type, op.op1, base_address TSRMLS_CC);        VLD_PRINT(3, " ]");    }            if (flags & OP2_USED) {        VLD_PRINT(3, " OP2[ ");        if (flags & OP2_INCLUDE) {            if (VLD_G(verbosity) = 50399            switch (op.extended_value) {#else            switch (Z_LVAL(op.op2.u.constant)) {#endif                case ZEND_INCLUDE_ONCE:                    vld_printf(stderr, "INCLUDE_ONCE");                    break;                case ZEND_REQUIRE_ONCE:                    vld_printf(stderr, "REQUIRE_ONCE");                    break;                case ZEND_INCLUDE:                    vld_printf(stderr, "INCLUDE");                    break;                case ZEND_REQUIRE:                    vld_printf(stderr, "REQUIRE");                    break;                case ZEND_EVAL:                    vld_printf(stderr, "EVAL");                    break;                default:                    vld_printf(stderr, "!!ERROR!!");                    break;            }        } else {            vld_dump_znode (&print_sep, op2_type, op.op2, base_address TSRMLS_CC);        }        VLD_PRINT(3, " ]");    }    if (flags & OP2_BRK_CONT) {        long jmp;        zend_brk_cont_element *el;        VLD_PRINT(3, " BRK_CONT[ ");#if PHP_VERSION_ID >= 50399        el = vld_find_brk_cont(Z_LVAL_P(op.op2.zv), VLD_ZNODE_ELEM(op.op1, opline_num), opa);#else        el = vld_find_brk_cont(op.op2.u.constant.value.lval, VLD_ZNODE_ELEM(op.op1, opline_num), opa);#endif        jmp = op.opcode == ZEND_BRK ? el->brk : el->cont;        vld_printf (stderr, ", ->%d", jmp);        VLD_PRINT(3, " ]");    }    if (flags & NOP2_OPNUM) {        zend_op next_op = op_ptr[nr+1];        vld_dump_znode (&print_sep, VLD_IS_OPNUM, next_op.op2, base_address TSRMLS_CC);    }    vld_printf (stderr, "\n");}

Relevant Link:

http://bug1874.com/archives/125http://blog.csdn.net/phpkernel/article/details/5718519

Copyright (c) 2015 LittleHann All rights reserved