LARA

Runtime Instrumentation

In some cases, static analysis is not enough, especially for configuration or runtime specific variables, such as $_GET or $_SERVER. Thankfully, phantm provides features to instrument your runtime environment so that it can re-use it as part of the analysis. This is done in two ways.

Includes

It is not always possible to infer the exact files getting included when the path is dynamic. phantm provides a function that you can wrap around your include expressions. For instance, the following code

include $this_complex."expression".foo().".php;

can be instrumentalized using:

include phantm_incl($this_complex."expression".foo().".php);

This will not affect your application, as phantm_incl will simply return its argument, but it will also keep a trace of it in a “.incl” file. You can tell phantm to use this file, so that whenever it encounters this expression, it will simply look in the file to resolve the inclusion.

For example, you could use --importincludes last.incl

Environment

You can also use another function, to dump all the information that would be relevant for phantm. For instance:

$a = $_SESSION['test'];
$a = $a . "foo";

will output a notice since phantm knows nothing about what a session holds. If you feel that the first part of the code is valid, and would like to analyze the second part using phantm, you can import the runtime environment directly into phantm:

$a = $_SESSION['test'];
phantm_collect_state(get_defined_vars());
$a = $a . "foo";

When running the following code like usual, it will die at the point of the call, and create “.dump” files. Those files can be imported back into phantm.

For example, you could use --importState last.dump.