Why does w3wp.exe modify php-cgi memory? 04/02 Update SLTechnology News&Howtos

Why does w3wp.exe modify php-cgi memory?

2025-04-02 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >

Shulou(Shulou.com)06/01 Report--

This article mainly introduces "why w3wp.exe modifies php-cgi memory". In daily operation, I believe many people have doubts about why w3wp.exe modifies php-cgi memory. Xiaobian consulted all kinds of materials and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the question of "why w3wp.exe modifies php-cgi memory". Next, please follow the editor to study!

"w3wp.exe modifies php-cgi 's memory" appears because D Shield is protected by D Shield when loading php's php-cgi.exe process in order to support multiple PHP versions on the same server.

This article operating environment: Windows7 system, PHP7.1 version, DELL G3 computer

How does w3wp.exe modify the memory of php-cgi?

Regarding the use of D Shield, the security dog prompts w3wp.exe to modify php-cgi.exe memory.

Regarding the use of D Shield, the server security dog prompts w3wp.exe to modify php-cgi.exe memory.

Recently, when I saw the new version of Safety Dog, there will be such a hint.

In order to reduce misunderstandings, let's talk about it!

In order to support multiple PHP versions on the same server, D Shield is protected by D Shield when loading the php-cgi.exe process of php.

You need to modify the memory when you start php-cgi.exe and have php-cgi.exe load the DLL of the D shield's protection module.

(at first, I want to set up startup through php.ini configuration, but there may be multiple PHP versions on some servers, so it is easy to omit

It is also possible for users to modify or add dynamically, and if they cannot get the status in time, it is easy to cause PHP not to be protected, so give up this scheme)

Post a part of the start php-cgi of D shield and open the delphi code of D shield protection.

(to prevent hackers from knowing too many details and ignoring some details):

/ / # # / / HOOK executes functions here to filter processing / / # # function My_CreateProcessInternalW (dw1_: Pointer LpApplicationName: LPCWSTR;lpCommandLine: LPWSTR; lpProcessAttributes, lpThreadAttributes: PSecurityAttributes; bInheritHandles: BOOL; dwCreationFlags: dword;lpEnvironment: Pointer; lpCurrentDirectory: LPCWSTR;const lpStartupInfo: TStartupInfoW;var lpProcessInformation: TProcessInformation; Dw2: Pointer): BOOL; stdcall;varre_add: HMODULE;is_64_pe: boolean;Err_index: integer;ImageBaseAddress, AddressOfEntryPoint_: PVOID64;P_NT_HEAD_32: PImageNtHeaders32; / / NT head P _ NT_HEAD_64: PImageNtHeaders64; / / NT head NtHead_: TImageNtHeaders64; / / NT head dwSize: SIZE_T D_Safe_X32_load_manage_A: WideString;str: string;lpEnvironment_str: AnsiString;inf_: PWeb_Http_Context;Re_Fun_Add: HMODULE;App_, com_, com_exe_path, dir_: string;re_app_, re_cs_: string;App_len, Com_len: dword;comlin_inf_: TFilePath_pak;App_inf_: TFilePath_pak;Ex_Style_: dword;state_: integer;Nt_Head_add_: PVOID64 / / simplified process creation function function CreateProcessInternalW_do (): BOOL;beginResult: = CreateProcessInternalW_ (dw1_, lpApplicationName, lpCommandLine,lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags,lpEnvironment, lpCurrentDirectory, lpStartupInfo,lpProcessInformation, Dw2); end;// executes php-cgi.exe and loads the protective function RUN_PHP_FCGI of D shield (): boolean;varerr_: integer;Function Kill_pro (pid_: dword): boolean;beginResult: = false / / the D shield protection module of the 32-bit pool cannot protect the 64-bit PHP. Please change the pool to 64-bit or use the 32-bit PHP version of dumbmsg _ (c_no_Support_64_php, NIIF_ERROR_); / / end the process TerminateProcess (OpenProcess (PROCESS_TERMINATE, false, pid_), $FFFFFFFF); SetLastError (5); end;begin// create the php-cgi process Result: = CreateProcessInternalW_do () If Result thenbegin// reads the NT header information of the specified process ImageBaseAddress: = D_Get_Process_NtHeaders (lpProcessInformation.hProcess,NtHead_, is_64_pe, Nt_Head_add_); if ImageBaseAddress > 0 thenbegin// if it is a 64-bit process, if is_64_pe thenbeginP_NT_HEAD_64: = @ NtHead_;AddressOfEntryPoint_: = ImageBaseAddress + P_NT_HEAD_64.OptionalHeader.AddressOfEntryPoint / / if the current iis process is not 64-bit When the entry position of php-cgi is greater than 0x100000000, if (D_IS_Win64_Project () = false) and (AddressOfEntryPoint_ > = $100000000) thenbegincase WIN_Ver_ of_WIN_VER_2003, and _ WIN_VER_2008:begin// writes 64-bit load_manage.dllif Run_x64_LdrLoadDll (lpProcessInformation.hProcess,WIN_INF_.D_Safe_X64_load_manage) = false thenbegin// of D shield fails, end process Result: = Kill_pro (lpProcessInformation.hProcess) Exit;endelsebeginResult: = true;SetLastError (0); when exit;end;end;_WIN_VER_2012:begin// does not support protection, end process Result: = Kill_pro (lpProcessInformation.hProcess); load_manage.dllif D_Write_DLL_To_Process (lpProcessInformation.hProcess,AddressOfEntryPoint_, WIN_INF_.D_Safe_X64_load_manage, true) thenbeginResult of exit;end;end;endelsebegin// written to D shield: = true;SetLastError (0); exit End the php-cgi process Result: = Kill_pro (lpProcessInformation.hProcess) when writing to endelsebegin// fails; P_NT_HEAD_32: = @ NtHead_;AddressOfEntryPoint_: = ImageBaseAddress + paired header programs for exit;end;end;endelsebegin// 32-bit programs 32. OptionalHeader.AddressOfEntryPointSize: = sizeof (TSet_Fun_ADD_Head_32) / / write load_manage.dllif D_Write_DLL_To_Process (lpProcessInformation.hProcess,AddressOfEntryPoint_, WIN_INF_.D_Safe_X32_load_manage, false) thenbeginResult: = true;SetLastError (0) to D shield; end php-cgi process Result: = Kill_pro (lpProcessInformation.hProcess) when exit;endelsebegin// write failure; end php-cgi process Result: = Kill_pro (lpProcessInformation.hProcess); exit;end;end;end;begin.... / / previous code Ignore / / # # / / if it is PHP-cgi.exe// # # if (.... / / ignore some code) and (Pos (CONST_PHP_CGI, App_) > 0) and ((Com_len-App_len) = 2) thenbegin// executes PHP-cgi.exe and adds the D shield protection module Result: = RUN_PHP_FCGI (); exit;end;... / / the following code, ignore

If you need to see the assembly code, you can run D Shield WEB protection and debug the w3wp.exe process with OllyICE.

And select and debug web_safe.dll, find the character php-cgi.exe, you can quickly locate the relevant code location

The following code is the x32\ web_safe.dll assembly code for the d_safe_2.1.4.4 version

D shield program without shell, easy to debug, welcome the supervision of technical friends. It has always been believed that third-party supervision is the best supervision.

If you disable D Shield from modifying memory when starting php-cgi.exe, it will end the php-cgi.exe or cannot be protected. Please do not disable it.

If the user feels that he needs a switch to protect or not protect PHP, please talk to D QQ:9269563, depending on the user's feedback.

Whether to add a switch to turn off PHP protection.

In order to achieve protection, D Shield needs a large number of HOOK-related API to achieve protection, most of which need to modify the memory of assembly code.

At this point, the study on "why w3wp.exe modifies php-cgi memory" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.