PHP extension调用so库 | Appl3s的博客

0x00 extension是啥

extension是用c开发的扩展，引入来提高网站运行效率，也可以作为底层驱动上层接口来使用，因为我的创新项目要用到底层函数的调用，所以记录一下其中的坑

0x01 环境准备

系统在ubuntu14.04下，php5环境。因为要用到phpize命令，但是直接apt-get install安装的php没有，所以我们还需要装一个

1	sudo apt-get install php5-dev

0x02 so的编写

参考网上的教程，我写了一个函数，很简单

1
2
3

mkdir code
cd code
vi hello.c

文件内容

1
2
3

int hello(int a,int b){
    return a+b; 
}

编写测试文件

vi test.c

内容

#include <stdio.h>
void hello(int,int);
int main()
{
        int a = 3, b = 4;
        printf("%d + %d = %d\n", a, b, hello(a,b));
        return 0;
}

执行命令

gcc hello.c -shared -o libhello.so #生成so
cp libhello.so /usr/local/lib/libhello.so #拷贝到系统公共库
ldconfig #载入库
gcc -o test test.c -lhello #编译test
./test #执行test，如果结果3+4=7则说明so调用成功

0x03 编写PHP extension

1
2
3

mkdir /usr/share/php5/ext_mine
cd /usr/share/php5/ext_mine
vi fun.def

文件内容

1	int hello(int a,int b)

注意没有分号

1	../ext_skel --extname=hello --proto=fun.def --skel=/usr/share/php5/skeleton

你会发现目录下有hello文件夹，里面生成了hello.c等等一系列文件
进入目录我们来继续配置

1 2	cd hello vi config.m4

去掉第16和18行的dnl

1
2
3

16:  PHP_ARG_ENABLE(hello, whether to enable hello support,
17:  dnl Make sure that the comment is aligned:
18:  [  --enable-hello           Enable hello support])

接下来修改hello.c
改写PHP_FUNCTION(hello)函数,增加返回值

//hello.c
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include "php.h"
#include "php_ini.h"
#include "ext/standard/info.h"
#include "php_hello.h"

/* If you declare any globals in php_hello.h uncomment this:
ZEND_DECLARE_MODULE_GLOBALS(hello)
*/

/* True global resources - no need for thread safety here */
static int le_hello;

/* {{{ hello_functions[]
 *
 * Every user visible function must have an entry in hello_functions[].
 */
const zend_function_entry hello_functions[] = {
	PHP_FE(confirm_hello_compiled,	NULL)		/* For testing, remove later. */
	PHP_FE(hello,	NULL)
	PHP_FE_END	/* Must be the last line in hello_functions[] */
};
/* }}} */

/* {{{ hello_module_entry
 */
zend_module_entry hello_module_entry = {
#if ZEND_MODULE_API_NO >= 20010901
	STANDARD_MODULE_HEADER,
#endif
	"hello",
	hello_functions,
	PHP_MINIT(hello),
	PHP_MSHUTDOWN(hello),
	PHP_RINIT(hello),		/* Replace with NULL if there's nothing to do at request start */
	PHP_RSHUTDOWN(hello),	/* Replace with NULL if there's nothing to do at request end */
	PHP_MINFO(hello),
#if ZEND_MODULE_API_NO >= 20010901
	PHP_HELLO_VERSION,
#endif
	STANDARD_MODULE_PROPERTIES
};
/* }}} */

#ifdef COMPILE_DL_HELLO
ZEND_GET_MODULE(hello)
#endif

/* {{{ PHP_INI
 */
/* Remove comments and fill if you need to have entries in php.ini
PHP_INI_BEGIN()
    STD_PHP_INI_ENTRY("hello.global_value",      "42", PHP_INI_ALL, OnUpdateLong, global_value, zend_hello_globals, hello_globals)
    STD_PHP_INI_ENTRY("hello.global_string", "foobar", PHP_INI_ALL, OnUpdateString, global_string, zend_hello_globals, hello_globals)
PHP_INI_END()
*/
/* }}} */

/* {{{ php_hello_init_globals
 */
/* Uncomment this function if you have INI entries
static void php_hello_init_globals(zend_hello_globals *hello_globals)
{
	hello_globals->global_value = 0;
	hello_globals->global_string = NULL;
}
*/
/* }}} */

/* {{{ PHP_MINIT_FUNCTION
 */
PHP_MINIT_FUNCTION(hello)
{
	/* If you have INI entries, uncomment these lines 
	REGISTER_INI_ENTRIES();
	*/
	return SUCCESS;
}
/* }}} */

/* {{{ PHP_MSHUTDOWN_FUNCTION
 */
PHP_MSHUTDOWN_FUNCTION(hello)
{
	/* uncomment this line if you have INI entries
	UNREGISTER_INI_ENTRIES();
	*/
	return SUCCESS;
}
/* }}} */

/* Remove if there's nothing to do at request start */
/* {{{ PHP_RINIT_FUNCTION
 */
PHP_RINIT_FUNCTION(hello)
{
	return SUCCESS;
}
/* }}} */

/* Remove if there's nothing to do at request end */
/* {{{ PHP_RSHUTDOWN_FUNCTION
 */
PHP_RSHUTDOWN_FUNCTION(hello)
{
	return SUCCESS;
}
/* }}} */

/* {{{ PHP_MINFO_FUNCTION
 */
PHP_MINFO_FUNCTION(hello)
{
	php_info_print_table_start();
	php_info_print_table_header(2, "hello support", "enabled");
	php_info_print_table_end();

	/* Remove comments if you have entries in php.ini
	DISPLAY_INI_ENTRIES();
	*/
}
/* }}} */


/* Remove the following function when you have successfully modified config.m4
   so that your module can be compiled into PHP, it exists only for testing
   purposes. */

/* Every user-visible function in PHP should document itself in the source */
/* {{{ proto string confirm_hello_compiled(string arg)
   Return a string to confirm that the module is compiled in */
PHP_FUNCTION(confirm_hello_compiled)
{
	char *arg = NULL;
	int arg_len, len;
	char *strg;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &arg, &arg_len) == FAILURE) {
		return;
	}

	len = spprintf(&strg, 0, "Congratulations! You have successfully modified ext/%.78s/config.m4. Module %.78s is now compiled into PHP.", "hello", arg);
	RETURN_STRINGL(strg, len, 0);
}
/* }}} */
/* The previous line is meant for vim and emacs, so it can correctly fold and 
   unfold functions in source code. See the corresponding marks just before 
   function definition, where the functions purpose is also documented. Please 
   follow this convention for the convenience of others editing your code.
*/

/* {{{ proto int hello(int a, int b)
    */
PHP_FUNCTION(hello)
{
	int argc = ZEND_NUM_ARGS();
	long a;
	long b;
	long result;
	if (zend_parse_parameters(argc TSRMLS_CC, "ll", &a, &b) == FAILURE) 
		return;
	result=hello(a,b);//调用so库函数
	RETURN_LONG(result);
	php_error(E_WARNING, "hello: not yet implemented");
}
/* }}} */


/*
 * Local variables:
 * tab-width: 4
 * c-basic-offset: 4
 * End:
 * vim600: noet sw=4 ts=4 fdm=marker
 * vim<600: noet sw=4 ts=4
 */

接下来用phpize命令生成configure文件

phpize
./configure -with-php-config=/usr/bin/php-config #生成makefile
make LDFLAGS=-lhello #载入libhello.so并make
make test

如果test的结果是


=====================================================================
PHP         : /usr/bin/php
PHP_SAPI    : cli
PHP_VERSION : 5.5.9-1ubuntu4.20
ZEND_VERSION: 2.5.0
PHP_OS      : Linux - Linux vultr.guest 3.13.0-95-generic #142-Ubuntu SMP Fri Aug 12 17:00:09 UTC 2016 x86_64
INI actual  : /usr/share/php5/ext_minister/hello/tmp-php.ini
More .INIs  :
CWD         : /usr/share/php5/ext_minister/hello
Extra dirs  :
VALGRIND    : Not used
=====================================================================
TIME START 2016-12-19 16:18:31
=====================================================================
PASS Check for hello presence [tests/001.phpt]
=====================================================================
TIME END 2016-12-19 16:18:31

=====================================================================
TEST RESULT SUMMARY
---------------------------------------------------------------------
Exts skipped    :    0
Exts tested     :   43
---------------------------------------------------------------------

Number of tests :    1                 1
Tests skipped   :    0 (  0.0%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    0 (  0.0%) (  0.0%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    :    1 (100.0%) (100.0%) #注意这里
---------------------------------------------------------------------
Time taken      :    0 seconds
=====================================================================

This report can be automatically sent to the PHP QA team at
http://qa.php.net/reports and http://news.php.net/php.qa.reports
This gives us a better understanding of PHP's behavior.
If you don't want to send the report immediately you can choose
option "s" to save it.  You can then email it to qa-reports@lists.php.net later.
Do you want to send this report now? [Yns]:

就表明测试通过了

1	make install #将库安装到php的扩展文件夹里面

接下来我们编辑php.ini载入这个库

vi /etc/php5/apache2/php.ini
#在文件末尾添加
extension=hello.so
#重启apache
/etc/init.d/apache2 restart

然后我们编写测试php文件

1
2
3

<?php
	echo hello(3, 4);
	phpinfo();

执行结果如下
可以看出，我们成功的引入了hello模块并且执行了so中的函数

0x04 小结

这个php扩展也有可能成为持久化后门，这个我们下次再分享啦~