#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>
#include <zend_API.h>
/*
adam@asx1c3:~/tmp$ gcc -Wall -g $(php-config --includes) phpfunc.c -o phpfunc
adam@asx1c3:~/tmp$ php -r 'sleep(9999);' &
[1] 23436
adam@asx1c3:~/tmp$ sudo ./phpfunc $(pgrep php)
sleep
*** stack smashing detected ***: <unknown> terminated
Aborted
*/
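/*
 * copy_struct(ppid, pptr, psize, paddr): read psize bytes at address paddr
 * in process ppid into the caller's `buf` and point pptr at that copy.
 *
 * Relies on `buf`, `local` and `remote` being in scope at the expansion
 * site.  The read is bounded by sizeof(buf): a struct larger than the
 * buffer is rejected with a message instead of overrunning the stack
 * (copying a whole zend_executor_globals into a 1 KiB buffer is what
 * produced the "stack smashing detected" abort in the transcript above).
 * A short read is also an error, since a partially filled struct would
 * be silently misread.  Every expansion reuses buf, so a pointer obtained
 * from an earlier expansion is stale after the next one; paddr is
 * evaluated before the read, which is why passing eg->current_execute_data
 * from the previous copy is fine.  The original expanded `pid` instead of
 * the ppid argument; the argument is now honoured.
 */
#define copy_struct(ppid, pptr, psize, paddr) do { \
    if ((psize) > sizeof(buf)) { \
        fprintf(stderr, "%s: %zu bytes do not fit in buf (%zu bytes)\n", \
                #pptr, (size_t)(psize), sizeof(buf)); \
        exit(1); \
    } \
    local[0].iov_base = buf; \
    local[0].iov_len = (psize); \
    remote[0].iov_base = (void *)(uintptr_t)(paddr); \
    remote[0].iov_len = (psize); \
    ssize_t copied_ = process_vm_readv((ppid), local, 1, remote, 1, 0); \
    if (copied_ != (ssize_t)(psize)) { \
        fprintf(stderr, "failed %s: %s\n", #pptr, \
                copied_ == -1 ? strerror(errno) : "short read"); \
        exit(1); \
    } \
    /* __typeof__ works in both gnu and strict -std modes */ \
    (pptr) = (__typeof__(pptr))(local[0].iov_base); \
} while (0)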
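/* Sanity cap on a string length read out of another process's memory. */
enum { MAX_FUNC_NAME_LEN = 64 * 1024 };

/*
 * Read `size` bytes at address `addr` in process `pid` into `dst`.
 * Returns 0 on success and -1 after printing a message on stderr.
 * A short read counts as failure: a partially filled struct would be
 * silently misread by the caller.
 */
static int read_remote(pid_t pid, void *dst, size_t size, unsigned long long addr) {
    struct iovec local = { .iov_base = dst, .iov_len = size };
    struct iovec remote = { .iov_base = (void *)(uintptr_t)addr, .iov_len = size };
    ssize_t n = process_vm_readv(pid, &local, 1, &remote, 1, 0);
    if (n == -1) {
        /* EPERM here usually means the caller is not allowed to ptrace the
         * target (the transcript runs the tool under sudo for that reason). */
        fprintf(stderr, "process_vm_readv(%#llx, %zu bytes): %s\n",
                addr, size, strerror(errno));
        return -1;
    }
    if ((size_t)n != size) {
        fprintf(stderr, "process_vm_readv(%#llx): short read, %zd of %zu bytes\n",
                addr, n, size);
        return -1;
    }
    return 0;
}

/* Read the pointer-sized field at `addr` in `pid` into *out; 0 on success, -1 on failure. */
static int read_remote_ptr(pid_t pid, unsigned long long addr, unsigned long long *out) {
    uintptr_t p = 0;
    if (read_remote(pid, &p, sizeof p, addr) < 0) {
        return -1;
    }
    *out = p;
    return 0;
}

/*
 * Start address of the first mapping in /proc/<pid>/maps, or 0 on failure.
 * Reads and parses the file directly instead of spawning a shell pipeline.
 * Adding the executor_globals symbol offset to this address assumes the
 * php binary is the first mapping, as the original pipeline did.
 */
static unsigned long long first_map_base(pid_t pid) {
    char path[64];
    char line[256];
    snprintf(path, sizeof path, "/proc/%d/maps", (int)pid);
    FILE *fp = fopen(path, "r");
    if (!fp) {
        perror(path);
        return 0;
    }
    unsigned long long base = 0;
    if (fgets(line, sizeof line, fp)) {
        char *end = NULL;
        base = strtoull(line, &end, 16);
        if (end == line || *end != '-') {
            base = 0; /* line did not look like "start-end ..." */
        }
    }
    if (base == 0) {
        fprintf(stderr, "%s: could not parse first mapping\n", path);
    }
    fclose(fp);
    return base;
}

/*
 * Print the name of the PHP function currently executing in the process
 * given by argv[1], by following
 *   executor_globals.current_execute_data->func->common.function_name
 * in the target's memory.  argv[2] optionally overrides the offset of
 * executor_globals within the php binary.  Exit status is 0 on success,
 * 1 on bad arguments or any failed read.
 */
int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <php-pid> [executor_globals-offset]\n", argv[0]);
        return 1;
    }
    char *end = NULL;
    errno = 0;
    long pid_arg = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE || pid_arg <= 0) {
        fprintf(stderr, "bad pid: %s\n", argv[1]);
        return 1;
    }
    pid_t pid = (pid_t)pid_arg;

    /* Offset of executor_globals inside the php binary.  The default was
     * taken with: readelf -s $(which php) | grep executor_globals.  It is
     * specific to one build, so argv[2] (decimal or 0x-prefixed) overrides it. */
    unsigned long long eg_off = 0x00000000013c62a0ull;
    if (argc > 2) {
        errno = 0;
        eg_off = strtoull(argv[2], &end, 0);
        if (end == argv[2] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "bad offset: %s\n", argv[2]);
            return 1;
        }
    }

    unsigned long long base = first_map_base(pid);
    if (base == 0) {
        return 1;
    }
    unsigned long long eg_addr = base + eg_off;

    /* Read only the pointer-sized field needed at each hop.  Copying the whole
     * zend_executor_globals into a 1 KiB stack buffer is what produced the
     * stack-smashing abort shown in the transcript above. */
    unsigned long long ed_addr = 0, zf_addr = 0, zs_addr = 0;
    if (read_remote_ptr(pid, eg_addr + offsetof(zend_executor_globals, current_execute_data),
                        &ed_addr) < 0) {
        return 1;
    }
    if (ed_addr == 0) {
        fprintf(stderr, "current_execute_data is NULL (nothing executing?)\n");
        return 1;
    }
    if (read_remote_ptr(pid, ed_addr + offsetof(zend_execute_data, func), &zf_addr) < 0) {
        return 1;
    }
    if (zf_addr == 0) {
        fprintf(stderr, "current_execute_data->func is NULL\n");
        return 1;
    }
    if (read_remote_ptr(pid, zf_addr + offsetof(zend_function, common.function_name),
                        &zs_addr) < 0) {
        return 1;
    }
    if (zs_addr == 0) {
        fprintf(stderr, "function_name is NULL (top-level code?)\n");
        return 1;
    }

    /* zend_string is a header followed by `len` bytes of val; sizeof(*zs)
     * only covers the header, so read len first and then exactly that many
     * bytes, capping len because it comes from a foreign process. */
    size_t len = 0;
    if (read_remote(pid, &len, sizeof len, zs_addr + offsetof(zend_string, len)) < 0) {
        return 1;
    }
    if (len > MAX_FUNC_NAME_LEN) {
        fprintf(stderr, "implausible function_name length %zu\n", len);
        return 1;
    }
    char *name = malloc(len + 1);
    if (!name) {
        perror("malloc");
        return 1;
    }
    int rc = 1;
    if (read_remote(pid, name, len, zs_addr + offsetof(zend_string, val)) == 0) {
        name[len] = '\0';
        printf("%.*s\n", (int)len, name);
        rc = 0;
    }
    free(name);
    return rc;
}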