
I tried to write a PHP module which is used to detect a Zend internal function which is called in a PHP CGI file. Like the code shown below, I want to get its name -- 'printf' in my code.

<?php printf("Hello SO!");?>

Now I hooked this function with a function named 'zend_set_user_opcode_handler'. However, I am not able to get the function name which was hooked (it is 'printf' in this example). So, what should I do if I want to get that 'printf' in function hook_handler()?

The code is here:

int hook_handler(ZEND_OPCODE_HANDLER_ARGS)
{
    /* What should I do to catch the function name here? */
    return ZEND_USER_OPCODE_DISPATCH;
}

PHP_MINIT_FUNCTION(shellhook)
{
    REGISTER_INI_ENTRIES();
    /* the handler registered here must be the function defined above */
    zend_set_user_opcode_handler(ZEND_DO_FCALL, hook_handler);
    return SUCCESS;
}
Naktibalda
Solomon

1 Answer


Hey guys, I have got the answer. There are two different methods to get the hooked function's name.

First, if PHP 5 is used, defining a macro is necessary, because the method depends on the PHP minor version (less than 4 or not).

#if (PHP_MAJOR_VERSION == 5) && (PHP_MINOR_VERSION < 4)
    /* PHP 5.0 to 5.3: op1 embeds the constant zval directly */
    #define OP1_CONSTANT_PTR(n) (&(n)->op1.u.constant)
#else
    /* PHP 5.4 and later: op1.zv points to the literal */
    #define OP1_CONSTANT_PTR(n) ((n)->op1.zv)
#endif

/* ZEND_DO_FCALL stores the called function's name as a constant in op1 */
zend_op *opline = execute_data->opline;
zval *fname = OP1_CONSTANT_PTR(opline);
php_printf("FunctionName:%s\n", Z_STRVAL_P(fname));

Second, if PHP 7 is used, the parameters of shellhook() are not ZEND_OPCODE_HANDLER_ARGS any more. They are replaced by zend_execute_data *execute_data.

    /* the frame of the call that is about to be executed */
    zend_execute_data *call = execute_data->call;
    zend_function *fbc = call->func;
    /* function_name is NULL for some internal frames (e.g. zend_pass_function) */
    zend_string *fname = fbc->common.function_name;
    if (fname) {
        php_printf("FunctionName:%s\n", ZSTR_VAL(fname));
    }
Solomon
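Putting the question's handler and the answer's two version-specific lookups together, here is a complete handler that compiles against PHP 5.x and PHP 7+. It is an added example, not the asker's or answerer's code; the names format_callee_name, callee_name_equals, shellhook_handler and SHELLHOOK_HAVE_PHP are its own, and the Zend-dependent part assumes an extension build (phpize) where php.h is on the include path. Two points the page's snippets do not show: PHP 7 compiles a statically resolved call such as printf("...") to ZEND_DO_ICALL rather than ZEND_DO_FCALL, so the extra registrations in MINIT are needed for the hook to fire on it at all, and PHP 5 stores the lowercased name in the opline while PHP 7 keeps the declared spelling, so any name matching has to be case-insensitive.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The Zend-dependent part is compiled only when php.h is reachable (an
 * extension build); the pure helpers below build and run without PHP. */
#if defined(__has_include)
#  if __has_include("php.h")
#    include "php.h"
#    define SHELLHOOK_HAVE_PHP 1
#  endif
#endif

/* Builds "Scope::name" for a method or "name" for a function into buf.
 * A NULL name (zend_pass_function has one) becomes "{unknown}" instead of
 * being dereferenced. Returns the number of characters stored, excluding
 * the terminator, so a truncated result is visible to the caller. */
static size_t format_callee_name(const char *scope, const char *name,
                                 char *buf, size_t bufsz)
{
    int n;
    if (bufsz == 0) return 0;
    if (!name) name = "{unknown}";
    n = scope ? snprintf(buf, bufsz, "%s::%s", scope, name)
              : snprintf(buf, bufsz, "%s", name);
    if (n < 0) { buf[0] = '\0'; return 0; }
    return (size_t)n < bufsz ? (size_t)n : bufsz - 1;
}

/* PHP function names are case-insensitive: PHP 5 hands us the lowercased
 * name, PHP 7 the declared spelling, so comparisons must ignore ASCII case. */
static int callee_name_equals(const char *a, const char *b)
{
    if (!a || !b) return 0;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

#ifdef SHELLHOOK_HAVE_PHP
#if PHP_MAJOR_VERSION == 5
#  if PHP_MINOR_VERSION < 4
#    define OP1_CONSTANT_PTR(n) (&(n)->op1.u.constant)
#    define OP1_IS_CONST(n)     ((n)->op1.op_type == IS_CONST)
#  else
#    define OP1_CONSTANT_PTR(n) ((n)->op1.zv)
#    define OP1_IS_CONST(n)     ((n)->op1_type == IS_CONST)
#  endif
/* PHP 5: ZEND_DO_FCALL carries the callee name as a constant in op1.
 * Dynamic calls such as $f() use ZEND_DO_FCALL_BY_NAME and are not seen here. */
static int shellhook_handler(ZEND_OPCODE_HANDLER_ARGS)
{
    zend_op *opline = execute_data->opline;
    char buf[256];
    if (OP1_IS_CONST(opline) && Z_TYPE_P(OP1_CONSTANT_PTR(opline)) == IS_STRING) {
        format_callee_name(NULL, Z_STRVAL_P(OP1_CONSTANT_PTR(opline)), buf, sizeof buf);
        php_printf("FunctionName:%s\n", buf);
    }
    return ZEND_USER_OPCODE_DISPATCH;
}
#else
/* PHP 7+: the callee is the frame being prepared in execute_data->call. */
static int ZEND_FASTCALL shellhook_handler(zend_execute_data *execute_data)
{
    zend_execute_data *call = execute_data->call;
    char buf[256];
    if (call && call->func) {
        zend_function *fbc = call->func;
        format_callee_name(fbc->common.scope ? ZSTR_VAL(fbc->common.scope->name) : NULL,
                           fbc->common.function_name ? ZSTR_VAL(fbc->common.function_name) : NULL,
                           buf, sizeof buf);
        php_printf("FunctionName:%s\n", buf);
    }
    return ZEND_USER_OPCODE_DISPATCH;
}
#endif

PHP_MINIT_FUNCTION(shellhook)
{
    zend_set_user_opcode_handler(ZEND_DO_FCALL, shellhook_handler);
#if PHP_MAJOR_VERSION >= 7
    /* PHP 7 compiles statically resolved calls to specialised opcodes:
     * printf("...") becomes ZEND_DO_ICALL, so hooking ZEND_DO_FCALL alone
     * never fires for it. */
    zend_set_user_opcode_handler(ZEND_DO_ICALL, shellhook_handler);
    zend_set_user_opcode_handler(ZEND_DO_UCALL, shellhook_handler);
    zend_set_user_opcode_handler(ZEND_DO_FCALL_BY_NAME, shellhook_handler);
#endif
    return SUCCESS;
}
#endif /* SHELLHOOK_HAVE_PHP */
```

The helpers are kept free of Zend types on purpose: the name formatting and the case-insensitive match are where a detection module makes its decisions, and separating them from the opline/frame plumbing lets them be unit-tested outside a PHP build while the handler bodies stay a few lines each.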