2025-04-02 Update. From: SLTechnology News&Howtos (shulou), Development section.
Shulou(Shulou.com)06/01 Report--
This article explains why w3wp.exe modifies the memory of php-cgi.exe. Many administrators who run D Shield see this warning and wonder about it, so the editor has collected the available material and the explanation given by D Shield's author into a short, easy-to-follow note. Read on if you have the same question.
The warning "w3wp.exe modifies php-cgi's memory" appears because D Shield hooks the moment IIS loads PHP's php-cgi.exe process and injects its protection module into it; this is how D Shield supports several PHP versions installed on the same server.
Operating environment for this article: Windows 7, PHP 7.1, Dell G3 computer.
How does w3wp.exe modify the memory of php-cgi?
When D Shield is in use, Server Security Dog reports that w3wp.exe modifies the memory of php-cgi.exe.
The new version of Security Dog has recently started showing this prompt.
To avoid misunderstandings, here is an explanation.
To support multiple PHP versions on the same server, D Shield applies its protection at the moment PHP's php-cgi.exe process is loaded:
when php-cgi.exe is started, its memory must be modified so that php-cgi.exe loads the DLL of D Shield's protection module.
(The first idea was to set up the loading through the php.ini configuration, but some servers run several PHP versions, so one is easily missed;
users may also change or add PHP versions dynamically, and if D Shield cannot pick up that change in time the PHP process runs unprotected. That approach was therefore abandoned.)
Below is part of D Shield's Delphi code that starts php-cgi.exe and enables D Shield protection
(some details are omitted so that attackers do not learn too much about the internals):
//##
// the HOOK lands here; the process-creation call is filtered in this function
//##
function My_CreateProcessInternalW(dw1_: Pointer; lpApplicationName: LPCWSTR;
  lpCommandLine: LPWSTR; lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
  bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
  lpCurrentDirectory: LPCWSTR; const lpStartupInfo: TStartupInfoW;
  var lpProcessInformation: TProcessInformation; Dw2: Pointer): BOOL; stdcall;
var
  re_add: HMODULE;
  is_64_pe: boolean;
  Err_index: integer;
  ImageBaseAddress, AddressOfEntryPoint_: PVOID64;
  P_NT_HEAD_32: PImageNtHeaders32;  // NT header (32-bit)
  P_NT_HEAD_64: PImageNtHeaders64;  // NT header (64-bit)
  NtHead_: TImageNtHeaders64;       // NT header copy read from the child
  dwSize: SIZE_T;
  D_Safe_X32_load_manage_A: WideString;
  str: string;
  lpEnvironment_str: AnsiString;
  inf_: PWeb_Http_Context;
  Re_Fun_Add: HMODULE;
  App_, com_, com_exe_path, dir_: string;
  re_app_, re_cs_: string;
  App_len, Com_len: DWORD;
  comlin_inf_: TFilePath_pak;
  App_inf_: TFilePath_pak;
  Ex_Style_: DWORD;
  state_: integer;
  Nt_Head_add_: PVOID64;

  // simplified process creation: forward to the original CreateProcessInternalW
  function CreateProcessInternalW_do(): BOOL;
  begin
    Result := CreateProcessInternalW_(dw1_, lpApplicationName, lpCommandLine,
      lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags,
      lpEnvironment, lpCurrentDirectory, lpStartupInfo,
      lpProcessInformation, Dw2);
  end;

  // executes php-cgi.exe and loads D Shield's protection module into it
  function RUN_PHP_FCGI(): boolean;
  var
    err_: integer;

    // note: the excerpt as posted passes lpProcessInformation.hProcess (a handle) here
    function Kill_pro(pid_: DWORD): boolean;
    begin
      Result := false;
      // the 32-bit pool's D Shield protection module cannot protect 64-bit PHP;
      // please change the pool to 64-bit or use the 32-bit PHP version
      dumbmsg_(c_no_Support_64_php, NIIF_ERROR_);
      // end the process
      TerminateProcess(OpenProcess(PROCESS_TERMINATE, false, pid_), $FFFFFFFF);
      SetLastError(5);
    end;

  begin
    // create the php-cgi process
    Result := CreateProcessInternalW_do();
    if Result then
    begin
      // read the NT header information of the new process
      ImageBaseAddress := D_Get_Process_NtHeaders(lpProcessInformation.hProcess,
        NtHead_, is_64_pe, Nt_Head_add_);
      if ImageBaseAddress > 0 then
      begin
        // 64-bit process
        if is_64_pe then
        begin
          P_NT_HEAD_64 := @NtHead_;
          AddressOfEntryPoint_ := ImageBaseAddress + P_NT_HEAD_64.OptionalHeader.AddressOfEntryPoint;
          // if the current IIS process is not 64-bit and the php-cgi entry point lies above 0x100000000
          if (D_IS_Win64_Project() = false) and (AddressOfEntryPoint_ >= $100000000) then
          begin
            case WIN_Ver_ of
              _WIN_VER_2003, _WIN_VER_2008:
              begin
                // write D Shield's 64-bit load_manage.dll
                if Run_x64_LdrLoadDll(lpProcessInformation.hProcess,
                  WIN_INF_.D_Safe_X64_load_manage) = false then
                begin
                  // write failed: end the process
                  Result := Kill_pro(lpProcessInformation.hProcess);
                  Exit;
                end
                else
                begin
                  Result := true;
                  SetLastError(0);
                  Exit;
                end;
              end;
              _WIN_VER_2012:
              begin
                // protection not supported in this configuration: end the process
                Result := Kill_pro(lpProcessInformation.hProcess);
                Exit;
              end;
            end;
          end
          else
          begin
            // write D Shield's load_manage.dll
            if D_Write_DLL_To_Process(lpProcessInformation.hProcess,
              AddressOfEntryPoint_, WIN_INF_.D_Safe_X64_load_manage, true) then
            begin
              Result := true;
              SetLastError(0);
              Exit;
            end
            else
            begin
              // write failed: end the php-cgi process
              Result := Kill_pro(lpProcessInformation.hProcess);
              Exit;
            end;
          end;
        end
        else
        begin
          // 32-bit program
          P_NT_HEAD_32 := @NtHead_;
          AddressOfEntryPoint_ := ImageBaseAddress + P_NT_HEAD_32.OptionalHeader.AddressOfEntryPoint;
          dwSize := sizeof(TSet_Fun_ADD_Head_32);
          // write D Shield's load_manage.dll
          if D_Write_DLL_To_Process(lpProcessInformation.hProcess,
            AddressOfEntryPoint_, WIN_INF_.D_Safe_X32_load_manage, false) then
          begin
            Result := true;
            SetLastError(0);
            Exit;
          end
          else
          begin
            // write failed: end the php-cgi process
            Result := Kill_pro(lpProcessInformation.hProcess);
            Exit;
          end;
        end;
      end;
    end;
  end;

begin
  .... // preceding code omitted
  //##
  // is it php-cgi.exe?
  //##
  if (.... // some checks omitted) and (Pos(CONST_PHP_CGI, App_) > 0) and ((Com_len - App_len) = 2) then
  begin
    // execute php-cgi.exe and add the D Shield protection module
    Result := RUN_PHP_FCGI();
    Exit;
  end;
  ... // following code omitted
end;
If you want to see the assembly code, run D Shield WEB protection and attach OllyICE to the w3wp.exe process.
Select and debug web_safe.dll, then search for the string php-cgi.exe to quickly locate the relevant code.
The following is the x32\web_safe.dll assembly code from d_safe version 2.1.4.4:
05ED9B20  /E9 73010000       jmp web_safe.05ED9C98
05ED9B25  |8B45 28           mov eax, dword ptr [ebp+28]
05ED9B28  |50                push eax
05ED9B29  |8B85 B0FEFFFF     mov eax, dword ptr [ebp-150]
05ED9B2F  |E8 5C0BDEFF       call web_safe.05CBA690
05ED9B34  |8D95 5EFCFFFF     lea edx, dword ptr [ebp-3A2]
05ED9B3A  |33C9              xor ecx, ecx
05ED9B3C  |E8 BF82FAFF       call web_safe.05E81E00
05ED9B41  |8D85 B8FEFFFF     lea eax, dword ptr [ebp-148]
05ED9B47  |8B95 5EFCFFFF     mov edx, dword ptr [ebp-3A2]
05ED9B4D  |E8 A60BDEFF       call web_safe.05CBA6F8
05ED9B52  |8D85 5EFCFFFF     lea eax, dword ptr [ebp-3A2]
05ED9B58  |E8 1F67FAFF       call web_safe.05E8027C
05ED9B5D  |837D 20 00        cmp dword ptr [ebp+20], 0
05ED9B61  |74 3B             je short web_safe.05ED9B9E
05ED9B63  |0FB785 62FCFFFF   movzx eax, word ptr [ebp-39E]
05ED9B6A  |3BF0              cmp esi, eax
05ED9B6C  |75 30             jnz short web_safe.05ED9B9E
05ED9B6E  |B9 01000000       mov ecx, 1
05ED9B73  |8B95 C0FEFFFF     mov edx, dword ptr [ebp-140]
05ED9B79  |B8 E49CED05       mov eax, web_safe.05ED9CE4        ; "php-cgi.exe"
05ED9B7E  |E8 F910DEFF       call web_safe.05CBAC7C
05ED9B83  |85C0              test eax, eax
05ED9B85  |7E 17             jle short web_safe.05ED9B9E
05ED9B87  |2BFE              sub edi, esi
05ED9B89  |83FF 02           cmp edi, 2
05ED9B8C  |75 10             jnz short web_safe.05ED9B9E
05ED9B8E  |55                push ebp
05ED9B8F  |E8 A8FBFFFF       call web_safe.05ED973C            ; enter RUN_PHP_FCGI
05ED9B94  |59                pop ecx
05ED9B95  |F6D8              neg al
05ED9B97  |1BDB              sbb ebx, ebx
05ED9B99  |E9 FA000000       jmp web_safe.05ED9C98
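An administrator who sees the "w3wp.exe modifies php-cgi.exe memory" alert usually wants a quicker check than attaching a debugger: confirm that each php-cgi.exe was started by w3wp.exe and that the module loaded into it is really D Shield's protection DLL. The PowerShell script below is an added example written for this article; it is not D Shield's or Shulou's code. The module names load_manage.dll and web_safe.dll come from the text above; the D Shield installation directory is not stated on the page, so $DShieldDir is a placeholder you must set, and the signer subject is reported rather than compared against any expected value.

```powershell
# Added triage example (not D Shield's own code). Run from an elevated PowerShell
# whose bitness matches the php-cgi.exe processes, otherwise module enumeration fails.
$DShieldDir = 'C:\PLACEHOLDER\D_Safe'          # assumption: set to your D Shield install directory
$ExpectedModules = @('load_manage.dll', 'web_safe.dll')   # names taken from the article

function Get-PhpCgiProtectionReport {
    $procs = @(Get-CimInstance Win32_Process -Filter "Name = 'php-cgi.exe'")
    foreach ($p in $procs) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $mods = @()
        try {
            $mods = (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules
        } catch {
            Write-Warning "Cannot enumerate modules of PID $($p.ProcessId): $_"
        }
        # D Shield modules actually loaded into this php-cgi.exe
        $found = @($mods | Where-Object { $ExpectedModules -contains $_.ModuleName.ToLower() })
        # a protection DLL loaded from outside the install directory deserves a closer look
        $outside = @($found | Where-Object { $_.FileName -notlike "$DShieldDir\*" })
        $signers = foreach ($m in $found) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            "$($m.ModuleName)=$($sig.Status)/$($sig.SignerCertificate.Subject)"
        }
        [pscustomobject]@{
            Pid             = $p.ProcessId
            Parent          = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'unknown' }
            ParentIsW3wp    = [bool]($parent -and $parent.Name -ieq 'w3wp.exe')
            Protected       = ($found.Count -gt 0)
            ModulePaths     = ($found | ForEach-Object { $_.FileName }) -join '; '
            OutsideInstall  = ($outside.Count -gt 0)
            Signatures      = ($signers -join '; ')
        }
    }
}

Get-PhpCgiProtectionReport | Format-Table -AutoSize
```

Interpreting the output: a row with ParentIsW3wp true and Protected true is the behaviour the article describes. Protected false while D Shield is enabled is worth investigating, since the text says D Shield terminates a php-cgi.exe it cannot inject into; OutsideInstall true or an unsigned protection module means the DLL in the process is not the one you expect and should be compared against the D Shield installation.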
The D Shield program is not packed and is easy to debug; technically minded users are welcome to inspect it. We have always believed that third-party scrutiny is the best supervision.
If you block D Shield from modifying memory when php-cgi.exe starts, php-cgi.exe will either be terminated or run unprotected. Please do not block it.
If users feel they need a switch to turn PHP protection on or off, please contact D Shield via QQ: 9269563; whether such a switch is added will depend on user feedback.
To provide protection, D Shield has to hook a large number of related APIs, and most of those hooks require modifying the memory that holds the hooked code.
This concludes the explanation of why w3wp.exe modifies php-cgi memory. Combining theory with practice is the best way to understand it, so try it for yourself; for more related content, keep following this site.