Hi, I'm reversing a shared library which is a PHP Zend extension.
My first goal was to determine which function of this module will be called by a standard PHP handler, and its input.
The problem is that Apache is preforked, so I can't determine which child will handle the request; as a result I can't just attach with gdb and add an rwatch to a prospective (after static analysis) function.
What I've done already, in short: I've written a kernel module which marks the memory region where the module is mapped as non-executable and hooks page-fault handling,
parsing the exception frame to determine the address of the code that called, looking up its stack, and so on.
So after that it seems like I've achieved my goal, and now I can emulate this input with my own software and debug it as normal, or, for example, put it into the radare VM.
But I was wondering if there is a better way to do it.
What, for example, if I didn't have the XD bit, or was running an i386 distro without PAE?
Thanks in advance!
PS: I was thinking about reloc redirection, but load addresses are randomized.
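
The trap described in the post, reduced to one userland process as an added example (not the poster's kernel module): a page is mapped without execute permission, and the fault handler reads the entry address and the caller's return address from the saved frame before lifting the trap. It assumes Linux on x86-64 with glibc; `region`, `on_fault` and `trace_first_entry` are hypothetical names, and the six-byte function is a constructed stand-in for the extension.

```c
#define _GNU_SOURCE   /* glibc: expose REG_RSP */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>
#ifndef REG_RSP
#define REG_RSP 15    /* glibc x86-64 gregs[] index of RSP */
#endif

static uint8_t *region;                 /* stands in for the mapped extension */
static volatile uintptr_t fault_pc, caller_ret;

/* Userland counterpart of the hooked page-fault handler. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    (void)sig;
    if (si->si_addr != (void *)region) _exit(1);   /* unrelated crash */
    fault_pc = (uintptr_t)si->si_addr;  /* entry point whose fetch faulted */
    /* Fault is on the callee's first instruction: saved RSP -> return address. */
    caller_ret = *(uintptr_t *)(uintptr_t)uc->uc_mcontext.gregs[REG_RSP];
    /* Lift the trap; returning from the handler retries the fetch. */
    if (mprotect(region, 4096, PROT_READ | PROT_EXEC) != 0) _exit(1);
}

/* Returns what the trapped function returned; fills fault_pc and caller_ret. */
int trace_first_entry(void) {
    /* Constructed sample "extension function": mov eax, 42 ; ret */
    static const uint8_t code[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};
    struct sigaction sa, old;
    region = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    memcpy(region, code, sizeof code);
    if (mprotect(region, 4096, PROT_READ) != 0) return -1;  /* no execute */
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, &old);
    int rv = ((int (*)(void))(uintptr_t)region)();  /* first fetch faults */
    sigaction(SIGSEGV, &old, NULL);
    return rv;
}
int main(void) {
    int rv = trace_first_entry();
    printf("entry=%#lx ret=%#lx rv=%d\n", (unsigned long)fault_pc, (unsigned long)caller_ret, rv);
    return 0;
}
```

The return address is only at the top of the stack because the fault lands on the callee's first instruction; a fault taken deeper inside the region needs a real unwind.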






