Principle Analysis of APM Software

Source: Internet
Author: User
Tags apm website performance


Directory

Principle Analysis of APM Software

0x00 Background

0x01 Installation Process

0x02 Startup Process

0x03 Trigger Process

0x04 Overall Process

0x05 Resources

Principle Analysis of APM Software

0x00 Background

This article takes an APM monitoring plug-in for PHP websites as its research object and sets out to determine:

1) which processes and files are modified during installation;

2) which processes are modified and which functions are called during plug-in startup;

3) how monitoring is triggered and how data is passed between processes while the program is running;

4) the hook points the monitoring plug-in uses for mysql and apache.

 

Related tools: IDA, gdb, strace, tcpdump, ps, lsof

Related Knowledge: PHP extension principle, basic PHP operation principle, socket inter-process communication

Environment: Kali Linux + apache2 + mysql + php5

Tips: APM stands for Application Performance Management & Monitoring. It is used to monitor and manage the effective operation of application software. It mainly refers to the monitoring and optimization of an enterprise's key business applications, improving the reliability and quality of enterprise applications, ensuring that users get good service, and reducing the total cost of IT ownership (TCO).

0x01 Installation Process

An APM product found through a Baidu search is used as the research object.

1. Use strace to track the installation process and analyze which files the installer modifies.

Run the ps command to find the PID of the installer, which is 7096.

Then run strace -p 7096 -o log.txt (-p specifies the process PID and -o specifies the file the output is saved to).

During installation, you must enter the license key and the php installation path.

 

2. strace Result Analysis

The installer modified php.ini.

It copies the .so file in the installation package to php's extension library path.

It copies the daemon file to the /usr/bin/ directory.

It writes the installation process to a log.

You can also analyze the installation process directly from that log file, but the result is similar to what strace shows.

The cli of php5 and the conf.d of apache2 are modified.
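To pull the same findings out of log.txt without reading it line by line, the following added example (not part of the original article or of the APM product) filters a strace log for successful calls that create or write files. The sample lines and every path in them are constructed for illustration.

```python
import re

Q = r'"((?:[^"\\]|\\.)*)"'            # one quoted strace string argument
PID = r'^(?:\d+\s+)?'                 # optional PID column (strace -f)
OPEN_RE = re.compile(PID + r'(open|openat|creat)\((.*)\)\s+=\s+(-?\d+)')
MOVE_RE = re.compile(PID + r'(?:rename|link|symlink)\(' + Q + ', ' + Q
                     + r'\)\s+=\s+(-?\d+)')
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND")

def modified_paths(strace_lines):
    """Paths the traced process created or opened for writing, first-seen order."""
    found = []
    for line in strace_lines:
        m = OPEN_RE.match(line)
        if m:
            call, args, ret = m.groups()
            path = re.search(Q, args)
            if path is None or int(ret) < 0:      # failed calls change nothing
                continue
            flags = args[path.end():]             # inspect the flags, not the path
            if call == "creat" or any(f in flags for f in WRITE_FLAGS):
                if path.group(1) not in found:
                    found.append(path.group(1))
            continue
        m = MOVE_RE.match(line)
        if m and int(m.group(3)) == 0 and m.group(2) not in found:
            found.append(m.group(2))              # destination of the move/link
    return found

# Constructed sample lines in strace -o format; not the real installer trace.
SAMPLE = [
    'open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3',
    'open("/etc/php5/apache2/php.ini", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4',
    'openat(AT_FDCWD, "/usr/lib/php5/ext/oneapm.so", O_WRONLY|O_CREAT, 0755) = 5',
    'rename("/tmp/oneapm-daemon.new", "/usr/bin/oneapm-daemon") = 0',
    'open("/var/log/missing/install.log", O_WRONLY|O_APPEND) = -1 ENOENT (No such file or directory)',
    'open("/etc/php5/apache2/php.ini", O_RDWR) = 4',
]

if __name__ == "__main__":
    for p in modified_paths(SAMPLE):
        print(p)
```

Read-only opens and failed calls are dropped, so what remains is the list of files to diff against a clean system.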

 

php.ini

 

3. Installation Process Analysis

Installer found

This process yields the extension oneapm.so and the daemon, both of which can be analyzed in IDA.

 

Tips: php Extension

If frequently used functions written in PHP are too slow, you can write them in C, compile them into a .so file, and make them callable by modifying the php.ini file. Calling C library functions this way can greatly improve function efficiency.

Reference: http://www.open-open.com/lib/view/open1392188698114.html

0x02 Startup Process

The oneapm.so file contains the get_module entry. This function obtains the PC value and adds a certain offset to reach the apm_module_entry_ptr module entry.

apm_module_entry_ptr holds a function table containing several functions.

Among them, the activate functions handle module activation: they run only when a request arrives and certain conditions are triggered. The other functions run during initialization when the program starts.

Tips: PHP Operating Principle

Start stage

The startup of PHP goes through two phases: module initialization and module activation.

MINIT, the module initialization phase, happens once Apache/Nginx has started and covers its whole lifecycle, or the whole execution of a command-line program. This phase is performed only once.

RINIT, module activation, happens in the request phase.

Reference: http://www.mamicode.com/info-detail-1028100.html

 

Because oneapm.so is referenced in php.ini, apache2 automatically calls several other functions at startup. These functions run during module initialization. ps and cat /proc/{PID}/maps show that apache has oneapm.so loaded.

 

zm_startup_apm

zm_startup_apm calls fork() and then starts the oneapm-daemon daemon process. Restart apache after the software is installed. The rest of the function is initialization.

 

 

zm_info_apm

zm_info_apm collects basic information.

 

Throughout the startup phase, apache2 loads oneapm.so, initializes the module, automatically calls the functions above, starts the daemon process oneapm-daemon, and collects some basic information.

0x03 Trigger Process

Capturing packets with tcpdump shows the server transmitting performance information to the website.

1. Monitor oneapm-daemon to find clues about the data exchange.

Use strace to monitor the oneapm-daemon process.

strace -ff -p 1278 -s 1024 -o oneapm (-ff follows child processes and threads and, used with -o, writes each one's results to a separate file; -s specifies the maximum length of strings printed; -p specifies the process PID)

oneapm-daemon starts four sub-threads, and strace generates four files: oneapm.1278, oneapm.1279, oneapm.1280, oneapm.1281.

oneapm.1280

Thread 1280 keeps fetching the time and sends data to the target website. The data sent matches the data captured by tcpdump.

 

oneapm.1279

Thread 1279 sets up a listener and uses the accept() function to wait for a connection, then reads data from the handle with the read() function. The handle is fd = 6.

We can see that oneapm-daemon sets up the listener in one thread and waits for incoming data to read, then uses another thread to send the data to the presentation website. A socket is used for communication between local processes.

 

2. Find the socket handle

Because the socket fd is short-lived, you cannot use lsof to view the handle directly. Attach gdb instead.

Break on the read call at the following point.

fd = 6, and the buffer holds the data we want. Use lsof to view the handle information.

It is connected to the file /tmp/.oneapm-daemon.domain.

 

3. Find the data sending Process

Because only apache2 loads the oneapm.so extension, trace apache2 first.

strace -ff -p 5046 -s 1024 -o apache

Find the following information in the result files:

apache2 connects to /tmp/.oneapm-daemon.domain through a socket and sends data to it. This is how data is passed between the apache2 process and oneapm-daemon.
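The pattern traced above (one daemon thread accepting on a Unix domain socket and reading, a second thread forwarding what was read, and the web-server side connecting and writing) is reproduced below as an added example; it is not the product's code. The socket name, the payloads and the in-memory list standing in for the remote site are all assumptions.

```python
import os, queue, socket, tempfile, threading

def listener(sock_path, outbox, ready, n_conns):
    """Daemon thread 1: accept local connections, read each one to EOF."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(5)
    ready.set()
    for _ in range(n_conns):
        conn, _addr = srv.accept()
        with conn:
            chunks = []
            while (data := conn.recv(4096)):
                chunks.append(data)
        outbox.put(b"".join(chunks))
    srv.close()
    outbox.put(None)                      # tell the sender thread to stop

def sender(outbox, uploaded):
    """Daemon thread 2: stands in for the upload to the remote site."""
    while (item := outbox.get()) is not None:
        uploaded.append(item)

def report(sock_path, payload):
    """Web-server side: connect to the daemon's socket and write one report."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        c.sendall(payload)

def demo(payloads):
    """Run both daemon threads, send the payloads, return what was 'uploaded'."""
    with tempfile.TemporaryDirectory() as d:      # mode 0700: private to this user
        path = os.path.join(d, "daemon.sock")     # hypothetical socket name
        outbox, uploaded, ready = queue.Queue(), [], threading.Event()
        threads = [
            threading.Thread(target=listener, args=(path, outbox, ready, len(payloads))),
            threading.Thread(target=sender, args=(outbox, uploaded)),
        ]
        for t in threads:
            t.start()
        ready.wait()                              # socket is bound and listening
        for p in payloads:
            report(path, p)
        for t in threads:
            t.join()
    return uploaded

if __name__ == "__main__":
    print(demo([b"cpu=12;mem=340", b"sql_ms=7"]))   # constructed payloads
```

Running strace -ff against this script produces the same split seen in the article: accept() and read() in one thread's file, the client's connect() and write in another.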

 

4. Data Transmission and collection process

Attach gdb to apache, enable child-process following, and set breakpoints on the activation functions of oneapm.so.

Breakpoint hit

The call order is zm_activate_apm, zm_deactivate_apm, zm_post_zend_deactivate_apm.

Print the call stack. These functions are called automatically by php once certain conditions are met.

 

Analyze the code of these functions

1) zm_activate_apm()

zm_activate_apm calls the very important function hook_start().

The hook_start() function is as follows:

This is the core hook entry point of the monitoring program. The hooks the APM program uses for website performance monitoring can be found here.

2) zm_deactivate_apm() does some deactivation work.

3) zm_post_zend_deactivate_apm()

send_connect_data()

talk_to_server()

do_write()

The call process is as follows:

zm_post_zend_deactivate_apm() -> send_connect_data() -> talk_to_server() -> do_connect(), do_write() -> send()

 

zm_post_zend_deactivate_apm() sends the data.

5. Code Flow

The figure shows the code flow of the monitoring stage.

0x04 Overall Process

1) The installer copies oneapm.so and oneapm-daemon to the corresponding directories, and then modifies the php configuration file to register the php extension.

2) During startup, Apache loads the extension oneapm.so, automatically executes some initialization functions, launches the daemon process oneapm-daemon, and collects some system information. The oneapm-daemon process creates a listener and waits for local socket connections.

3) Website requests and certain timing conditions trigger the activation function of oneapm.so inside apache, which starts hooking and collects current server performance information. The deactivation functions then run, connect to the oneapm-daemon listener through the local socket, and send the collected data to it. The oneapm-daemon process accepts the connection, reads the data, and uses another thread to send the data to the display website.

0x05 Resources

Hook information, which is located in the hook_start () function

Related ELF files

Related Article
