PHP RASP 实现原理与开发指南<\/h1>

1. RASP 基础概念<\/h2>
RASP (Runtime Application self-protection) 是一种在运行时检测攻击并进行自我保护的技术。PHP RASP 的核心设计思路是：<\/p>
跟踪所有客户端可控的变量（HTTP 请求参数、Header 等）<\/li>
监控这些变量在程序中的流动和使用<\/li>
选取敏感函数（如 require<\/code>, mysqli->query<\/code> 等）添加安全检查代码<\/li>
当被跟踪的信息流入敏感函数时触发安全检查<\/li>
检查通过则执行原函数，不通过则阻断执行并返回 403<\/li>
<\/ul>
2. 技术实现方案<\/h2>
2.1 污点分析模式 (Taint)<\/h3>

跟踪参数传递过程，判断清除或保留标记<\/li>
适用于检测未知攻击模式<\/li>
主要检测：

命令执行<\/li>
XSS<\/li>
SQL 注入<\/li>
<\/ul>
<\/li>
<\/ul>
2.2 Payload 模式<\/h3>

重命名函数 + PHP WAF 实现<\/li>
特征捕获检测<\/li>
忽略参数传递过程，只分析最后作用于敏感函数的参数是否恶意<\/li>
适用于上线前 Fuzz 检测<\/li>
<\/ul>
3. PHP 核心机制<\/h2>
3.1 PHP 生命周期<\/h3>
PHP 程序执行的四个阶段：<\/p>

模块初始化 (MINIT) - PHP_MINIT_FUNCTION<\/code><\/li>
请求初始化 (RINIT) - PHP_RINIT_FUNCTION<\/code><\/li>
请求处理<\/li>
请求结束 (RSHUTDOWN) - PHP_RSHUTDOWN_FUNCTION<\/code><\/li>
模块结束 (MSHUTDOWN) - PHP_MSHUTDOWN_FUNCTION<\/code><\/li>
<\/ol>
3.2 PHP Opcode<\/h3>
PHP 代码执行流程：<\/p>
PHP 代码 → 词法\/语法分析 → 生成 AST → 转换为 Opcode → Zend 虚拟机执行
<\/code><\/pre>
Opcode 是 PHP 代码在 Zend 虚拟机中执行的指令形式。<\/p>
4. 函数实现机制<\/h2>
PHP 中函数的存储结构 (zend_function<\/code>)：<\/p>
union<\/span> _zend_function {
<\/span><\/span>    zend_uchar type;
<\/span><\/span>    struct<\/span> {
<\/span><\/span>        \/\/ 公共头部
<\/span><\/span><\/span><\/span>        zend_uchar type;
<\/span><\/span>        zend_uchar arg_flags[3<\/span>];
<\/span><\/span>        uint32_t<\/span> fn_flags;
<\/span><\/span>        zend_string *<\/span>function_name;
<\/span><\/span>        zend_class_entry *<\/span>scope;
<\/span><\/span>        union<\/span> _zend_function *<\/span>prototype;
<\/span><\/span>        uint32_t<\/span> num_args;
<\/span><\/span>        uint32_t<\/span> required_num_args;
<\/span><\/span>        zend_arg_info *<\/span>arg_info;
<\/span><\/span>    } common;
<\/span><\/span>    
<\/span><\/span>    zend_op_array op_array;     \/\/ 用户自定义函数
<\/span><\/span><\/span><\/span>    zend_internal_function internal_function; \/\/ 内部函数
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>5. 环境搭建<\/h2>
5.1 开发环境准备<\/h3>


下载 PHP 源码：<\/p>
wget https:\/\/github.com\/php\/php-src\/archive\/php-7.0.33.zip
<\/span><\/span><\/code><\/pre><\/li>

创建扩展骨架：<\/p>
.\/ext_skel --extname=<\/span>passer6y
<\/span><\/span><\/code><\/pre><\/li>

修改 config.m4<\/code> 文件，去掉相关行的 dnl<\/code> 注释<\/p>
<\/li>

声明和实现扩展函数：<\/p>
\/\/ php_passer6y.h
<\/span><\/span><\/span><\/span>PHP_FUNCTION(passer6y_helloworld);
<\/span><\/span>
<\/span><\/span>\/\/ passer6y.c
<\/span><\/span><\/span><\/span>PHP_FUNCTION(passer6y_helloworld) {
<\/span><\/span>    char<\/span> *<\/span>arg =<\/span> NULL;
<\/span><\/span>    int<\/span> arg_len, len;
<\/span><\/span>    char<\/span> *<\/span>strg;
<\/span><\/span>
<\/span><\/span>    if<\/span> (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s"<\/span>, &<\/span>arg, &<\/span>arg_len) ==<\/span> FAILURE) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    php_printf("my first ext,Hello World!<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    RETURN_TRUE;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

编译安装扩展：<\/p>
apt-get install php7.0-dev
<\/span><\/span>phpize
<\/span><\/span>.\/configure --with-php-config=<\/span>\/usr\/bin\/php-config7.0
<\/span><\/span>make &&<\/span> make install
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5.2 GDB 调试环境<\/h3>


编译带调试信息的 PHP：<\/p>
.\/configure --prefix=<\/span>\/opt\/php_debug\/ --enable-debug --enable-cli --without-pear --enable-embed --enable-inline-optimization --enable-shared --enable-opcache --enable-fpm --with-gettext --enable-mbstring --with-iconv=<\/span>\/usr\/local\/libiconv
<\/span><\/span>make &&<\/span> make install
<\/span><\/span><\/code><\/pre><\/li>

创建调试用 PHP：<\/p>
ln -s \/opt\/php_debug\/bin\/php \/usr\/bin\/php_debug
<\/span><\/span>ln -s \/opt\/php_debug\/bin\/phpize \/usr\/bin\/phpize_debug
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5.3 VLD 扩展安装<\/h3>
查看 PHP 代码的 Opcode：<\/p>
wget http:\/\/pecl.php.net\/get\/vld-0.14.0.tgz
<\/span><\/span>tar zxvf vld-0.14.0.tgz 
<\/span><\/span>cd vld-0.14.0\/
<\/span><\/span>.\/configure --with-php-config=<\/span>\/usr\/bin\/php-config7.0 --enable-vld
<\/span><\/span>make &&<\/span> make install
<\/span><\/span><\/code><\/pre>在 php.ini<\/code> 中添加：<\/p>
extension=vld.so
<\/code><\/pre>
使用 VLD：<\/p>
php -dvld.active=<\/span>1<\/span> -dvld.execute=<\/span>0<\/span> test.php
<\/span><\/span><\/code><\/pre>6. 函数 Hook 技术<\/h2>
6.1 重命名函数<\/h3>
在 MINIT 阶段重命名内部函数：<\/p>
static<\/span> zend_always_inline Bucket *<\/span>rename_hash_key<\/span>(HashTable *<\/span>ht, zend_string *<\/span>orig_name, zend_string *<\/span>new_name, int<\/span> type) {
<\/span><\/span>    \/\/ 检查新名称是否已存在
<\/span><\/span><\/span><\/span>    if<\/span> (zend_hash_exists(ht, new_name)) {
<\/span><\/span>        zend_error(E_ERROR, "function\/class '%s' already exists"<\/span>, ZSTR_VAL(new_name));
<\/span><\/span>        return<\/span> NULL;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 查找原函数
<\/span><\/span><\/span><\/span>    \/\/ ... 查找逻辑
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 重命名函数
<\/span><\/span><\/span><\/span>    zend_string_release(p-><\/span>key);
<\/span><\/span>    p-><\/span>key =<\/span> zend_string_init_interned(ZSTR_VAL(new_name), ZSTR_LEN(new_name), 1<\/span>);
<\/span><\/span>    p-><\/span>h =<\/span> h =<\/span> zend_string_hash_val(p-><\/span>key);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (type ==<\/span> XMARK_IS_FUNCTION) {
<\/span><\/span>        zend_string_release(p-><\/span>val.value.func-><\/span>common.function_name);
<\/span><\/span>        zend_string_addref(p-><\/span>key);
<\/span><\/span>        p-><\/span>val.value.func-><\/span>common.function_name =<\/span> p-><\/span>key;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    return<\/span> p;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6.2 Hook Opcode<\/h3>
对于语言特性（如 echo<\/code>, eval<\/code>）需要通过 Hook Opcode 实现：<\/p>
\/\/ passer6y.h
<\/span><\/span><\/span><\/span>int<\/span> fake_echo<\/span>(ZEND_OPCODE_HANDLER_ARGS);
<\/span><\/span>
<\/span><\/span>\/\/ passer6y.c
<\/span><\/span><\/span><\/span>int<\/span> fake_echo<\/span>(ZEND_OPCODE_HANDLER_ARGS) {
<\/span><\/span>    php_printf("hook success"<\/span>);
<\/span><\/span>    return<\/span> ZEND_USER_OPCODE_RETURN;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ MINIT 函数中注册
<\/span><\/span><\/span><\/span>zend_set_user_opcode_handler(ZEND_ECHO, fake_echo);
<\/span><\/span><\/code><\/pre>关键 Opcode 需要 Hook：<\/p>

INCLUDE_OR_EVAL<\/code> - 包含 eval<\/code>, include<\/code>, require<\/code> 等<\/li>
DO_ICALL<\/code> - 如 system<\/code> 等内部函数调用<\/li>
DO_FCALL<\/code> - 变量函数调用，如 $a="system"; $a("whoami");<\/code><\/li>
<\/ul>
7. 污点标记实现<\/h2>
7.1 标记函数实现<\/h3>
PHP_FUNCTION(xmark) {
<\/span><\/span>    zval *<\/span>z_str;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (!<\/span>XMARK_G(enable)) {
<\/span><\/span>        RETURN_FALSE;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    if<\/span> (zend_parse_parameters(ZEND_NUM_ARGS(), "z"<\/span>, &<\/span>z_str) ==<\/span> FAILURE) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    ZVAL_DEREF(z_str); \/\/ 解引用
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    if<\/span> (IS_STRING !=<\/span> Z_TYPE_P(z_str) ||<\/span> Z_STRLEN_P(z_str) ==<\/span> 0<\/span>) {
<\/span><\/span>        RETURN_FALSE;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    if<\/span> (xmark_zstr(z_str) ==<\/span> FAILURE) {
<\/span><\/span>        RETURN_FALSE;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    RETURN_TRUE;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>static<\/span> zend_always_inline int<\/span> xmark_zstr(zval *<\/span>z_str) {
<\/span><\/span>    if<\/span> (!<\/span>XCHECK_FLAG(Z_STR_P(z_str))) {
<\/span><\/span>        zend_string *<\/span>str =<\/span> zend_string_init(Z_STRVAL_P(z_str), Z_STRLEN_P(z_str), 0<\/span>);
<\/span><\/span>        ZSTR_LEN(str) =<\/span> Z_STRLEN_P(z_str);
<\/span><\/span>        zend_string_release(Z_STR_P(z_str));
<\/span><\/span>        XMARK_FLAG(str);
<\/span><\/span>        ZVAL_STR(z_str, str);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> SUCCESS;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>7.2 标记位定义<\/h3>
#if PHP_VERSION_ID < 70300
<\/span><\/span><\/span>#   define IS_XMARK_FLAG            (1<<6)
<\/span><\/span><\/span>#   define XMARK_FLAG(str)          (GC_FLAGS((str)) |= IS_XMARK_FLAG)
<\/span><\/span><\/span>#   define XCLEAR_FLAG(str)         (GC_FLAGS((str)) &= ~IS_XMARK_FLAG)
<\/span><\/span><\/span>#   define XCHECK_FLAG(str)         (GC_FLAGS((str)) & IS_XMARK_FLAG)
<\/span><\/span><\/span>#else
<\/span><\/span><\/span>#   define IS_XMARK_FLAG            (1<<5)
<\/span><\/span><\/span>#   define XMARK_FLAG(str)          GC_ADD_FLAGS(str, IS_XMARK_FLAG)
<\/span><\/span><\/span>#   define XCLEAR_FLAG(str)         GC_DEL_FLAGS(str, IS_XMARK_FLAG)
<\/span><\/span><\/span>#   define XCHECK_FLAG(str)         (GC_FLAGS((str)) & IS_XMARK_FLAG)
<\/span><\/span><\/span>#endif
<\/span><\/span><\/span><\/code><\/pre>8. 威胁判断流程<\/h2>


Source 点标记<\/strong> - 标记所有输入源：<\/p>
prvd_xmark<\/span>($_GET, true<\/span>);
<\/span><\/span>prvd_xmark<\/span>($_POST, true<\/span>);
<\/span><\/span>prvd_xmark<\/span>($_COOKIE, true<\/span>);
<\/span><\/span>prvd_xmark<\/span>($_FILES, true<\/span>);
<\/span><\/span>prvd_xmark<\/span>($_REQUEST, true<\/span>);
<\/span><\/span>
<\/span><\/span>foreach<\/span> ($_SERVER as<\/span> $key =><\/span> &<\/span>$value) {
<\/span><\/span>    if<\/span> (stripos<\/span>($key, 'HTTP_'<\/span>) ===<\/span> 0<\/span>) {
<\/span><\/span>        prvd_xmark<\/span>($value);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

Filter 点传递<\/strong> - 在数据处理过程中传递标记：<\/p>
function<\/span> base64_decode<\/span>($data, ...<\/span>$args) {
<\/span><\/span>    $result =<\/span> call_user_func<\/span>(PRVD_RENAME_PREFIX<\/span>.<\/span>"base64_decode"<\/span>, $data, ...<\/span>$args);
<\/span><\/span>    if<\/span> (PRVD_TAINT_ENABLE<\/span> &&<\/span> prvd_xcheck<\/span>($data)) {
<\/span><\/span>        prvd_xmark<\/span>($result);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $result;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

Sink 点检测<\/strong> - 在敏感函数处检测标记：<\/p>
static<\/span> int<\/span> php_do_fcall_handler<\/span>(zend_execute_data *<\/span>execute_data) {
<\/span><\/span>    \/\/ 获取函数名和参数
<\/span><\/span><\/span><\/span>    \/\/ 检查是否为危险函数
<\/span><\/span><\/span><\/span>    \/\/ 检查参数是否被标记
<\/span><\/span><\/span><\/span>    \/\/ 根据检查结果决定是否阻断执行
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
9. 实现示例<\/h2>
9.1 敏感函数 Hook 示例<\/h3>
static<\/span> int<\/span> php_do_fcall_handler<\/span>(zend_execute_data *<\/span>execute_data) {
<\/span><\/span>    const<\/span> zend_op *<\/span>opline =<\/span> execute_data-><\/span>opline;    
<\/span><\/span>    zend_execute_data *<\/span>call =<\/span> execute_data-><\/span>call;
<\/span><\/span>    zend_function *<\/span>fbc =<\/span> call-><\/span>func;
<\/span><\/span>
<\/span><\/span>    if<\/span> (fbc-><\/span>type ==<\/span> ZEND_INTERNAL_FUNCTION) {
<\/span><\/span>        int<\/span> arg_count =<\/span> ZEND_CALL_NUM_ARGS(call);   
<\/span><\/span>        if<\/span> (!<\/span>arg_count) {
<\/span><\/span>            return<\/span> ZEND_USER_OPCODE_DISPATCH;
<\/span><\/span>        }
<\/span><\/span>
<\/span><\/span>        if<\/span> (fbc-><\/span>common.scope ==<\/span> NULL) {
<\/span><\/span>            zend_string *<\/span>fname =<\/span> fbc-><\/span>common.function_name;
<\/span><\/span>            char<\/span> *<\/span>funcname =<\/span> ZSTR_VAL(fname);
<\/span><\/span>            int<\/span> len =<\/span> strlen(funcname);
<\/span><\/span>            if<\/span> (fname) {
<\/span><\/span>                if<\/span> (strncmp("passthru"<\/span>, funcname, len) ==<\/span> 0<\/span>
<\/span><\/span>                            ||<\/span> strncmp("system"<\/span>, funcname, len) ==<\/span> 0<\/span>
<\/span><\/span>                            ||<\/span> strncmp("exec"<\/span>, funcname, len) ==<\/span> 0<\/span>
<\/span><\/span>                            ||<\/span> strncmp("shell_exec"<\/span>, funcname, len) ==<\/span> 0<\/span>
<\/span><\/span>                            ||<\/span> strncmp("proc_open"<\/span>, funcname, len) ==<\/span> 0<\/span> ) {
<\/span><\/span>                            zend_error(E_WARNING, funcname);
<\/span><\/span>                    }
<\/span><\/span>            }   
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> ZEND_USER_OPCODE_DISPATCH;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>9.2 参数获取与警告<\/h3>
static<\/span> void<\/span> php_warning<\/span>(const<\/span> char<\/span> *<\/span>fname, const<\/span> char<\/span> *<\/span>arg, const<\/span> char<\/span> *<\/span>format, ...) {
<\/span><\/span>    char<\/span> *<\/span>buffer, *<\/span>msg;
<\/span><\/span>    va_list args;
<\/span><\/span>    
<\/span><\/span>    va_start(args, format);
<\/span><\/span>    vspprintf(&<\/span>buffer, 0<\/span>, format, args);
<\/span><\/span>    spprintf(&<\/span>msg, 0<\/span>, "%s(<\/span>\"<\/span>%s<\/span>\"<\/span>): %s"<\/span>, fname, arg, buffer);
<\/span><\/span>    efree(buffer);
<\/span><\/span>    zend_error(E_WARNING, msg);
<\/span><\/span>    efree(msg);
<\/span><\/span>    va_end(args);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>10. 总结<\/h2>
10.1 技术要点<\/h3>


两种检测模式：<\/p>

污点分析：跟踪数据流，适合检测未知攻击<\/li>
Payload 模式：特征检测，适合上线前 Fuzz<\/li>
<\/ul>
<\/li>

关键实现技术：<\/p>

函数重命名<\/li>
Opcode Hook<\/li>
污点标记传递<\/li>
<\/ul>
<\/li>

主要 Hook 点：<\/p>

INCLUDE_OR_EVAL<\/code><\/li>
DO_ICALL<\/code><\/li>
DO_FCALL<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
10.2 优缺点<\/h3>
污点分析优点<\/strong>：<\/p>

能检测未知攻击模式<\/li>
不依赖特定 payload<\/li>
覆盖全面<\/li>
<\/ul>
Payload 模式缺点<\/strong>：<\/p>

多入口文件时容易遗漏<\/li>
检测精度依赖 payload 质量<\/li>
需要维护特征库<\/li>
<\/ul>
11. 参考资源<\/h2>

替换PHP底层函数实现<\/a><\/li>
从PHP源码与扩展开发谈PHP任意代码执行与防御<\/a><\/li>
php7内核剖析<\/a><\/li>
xmark: A PHP7 extension that can hook most functions\/classes and parts of opcodes<\/a><\/li>
一类PHP RASP实现<\/a><\/li>
PHP 运行时漏洞检测<\/a><\/li>
毕业设计之php RASP<\/a><\/li>
taint: Taint is a PHP extension, used for detecting XSS codes<\/a><\/li>
<\/ol>