How to append data on a packet from kernel space?

2019-01-17 18:33发布

I am trying to append some data on a packet from kernel space. I have an echo client and server. I type in the command line like: ./client "message" and the server just echoes it back. The server was run with ./server .

Now, the client and server are on two different machines (may be VMs). I am writing a kernel module which runs on the client machine. Its work is to append "12345" after "message" while the packet goes out of the machine. I am presenting the code below.

/*
 * This is ibss_obsf_cat.c
 */

#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/udp.h>
#include <linux/ip.h>

#undef __KERNEL__
#include <linux/netfilter_ipv4.h>
#define __KERNEL__


/*
 * Function prototypes ...
 */

static unsigned int cat_obsf_begin (unsigned int hooknum,
                struct sk_buff *skb,
                const struct net_device *in,
                const struct net_device *out,
                int (*okfn)(struct sk_buff *));

static void hex_dump (char str[], int len)
{

}

/*
 * struct nf_hook_ops instance initialization
 */

static struct nf_hook_ops cat_obsf_ops __read_mostly = {
    .pf = NFPROTO_IPV4,
    .priority = 1,
    .hooknum = NF_IP_POST_ROUTING,
    .hook = cat_obsf_begin,
};

/*
 * Module init and exit functions. 
 * No need to worry about that.
 */

static int __init cat_obsf_init (void)
{
    printk(KERN_ALERT "cat_obsf module started...\n");
    return nf_register_hook(&cat_obsf_ops);
}

static void __exit cat_obsf_exit (void)
{
    nf_unregister_hook(&cat_obsf_ops);
    printk(KERN_ALERT "cat_obsf module stopped...\n");
}

/*
 * Modification of the code begins here. 
 * Here are all the functions and other things.
 */

static unsigned int cat_obsf_begin (unsigned int hooknum,
                struct sk_buff *skb,
                const struct net_device *in,
                const struct net_device *out,
                int (*okfn)(struct sk_buff *))
{ 
    struct iphdr *iph;
    struct udphdr *udph;
    unsigned char *data;
    unsigned char dt[] = "12345";
    unsigned char *tmp;
    unsigned char *ptr;

    int i, j, len;

    if (skb){
        iph = ip_hdr(skb);

        if (iph && iph->protocol && (iph->protocol == IPPROTO_UDP)){
            udph = (struct udphdr *) ((__u32 *)iph + iph->ihl);
            data = (char *)udph + 8;

            if(ntohs(udph->dest) == 6000){
                for (i=0; data[i]; i++);
                len = i;

                //printk(KERN_ALERT "\nData length without skb: %d", len);
                //printk(KERN_ALERT "Data is: %s", data);
                //printk(KERN_ALERT "dt size: %lu", sizeof(dt));
                //printk(KERN_ALERT "skb->len: %d", skb->len);
                tmp = kmalloc(200*sizeof(char), GFP_KERNEL);

                memcpy(tmp, data, len);
                ptr = tmp + len;
                memcpy(ptr, dt, sizeof(dt));

                printk(KERN_ALERT "tmp: %s", tmp);


                printk(KERN_ALERT "skb->tail: %d", skb->tail);
                //skb_put(skb, sizeof(dt));
                printk(KERN_ALERT "skb->end: %d", skb->end);
                printk(KERN_ALERT "skb->tail: %d", skb->tail);
                printk(KERN_ALERT "skb->tail(int): %d", (unsigned int)skb->tail);

                //memset(data, 0, len + sizeof(dt));

                //memcpy(data, tmp, len + sizeof(dt));

                //skb_add_data(skb, tmp, len+sizeof(dt));

                printk(KERN_ALERT "Now data is: %s", data);
                for(i=0; data[i]; i++);
                printk(KERN_ALERT "data length: %d", i);

                kfree(tmp);

            }       
        }   
    }
    return NF_ACCEPT;
}

/*
 * Nothing to be touched hereafter
 */

module_init(cat_obsf_init);
module_exit(cat_obsf_exit);

MODULE_AUTHOR("Rifat");
MODULE_DESCRIPTION("Module for packet mangling");
MODULE_LICENSE("GPL");

I want to get the "message" to be "message12345" while sending out of the client machine from kernel space. So that the server will get "message12345" and echo it back, and the client will the read just "message12345" But I am having trouble with skb_put() and skb_add_data() functions. I do not understand what error was made by me. If anyone can help me with the code, I will be highly grateful. Thanks in advance. I am also giving the Makefile for convenience. This is for the distribution kernel, not for a built kernel.

#If KERNELRELEASE is defined, we've been invoked from the
#kernel build system and use its language
ifneq ($(KERNELRELEASE),)
    obj-m := ibss_obsf_cat.o

#Otherwise we were called directly from the command
#line; invoke the kernel build system.
else

    KERNELDIR ?= /lib/modules/$(shell uname -r)/build
    PWD := $(shell pwd)

default:
    $(MAKE) -C $(KERNELDIR) M=$(PWD) modules

endif

Now I am quite convinced that skb->end - skb->tail is so small that I will have to create new packets in kernel space. I have used alloc_skb() skb_reserve() skb_header_pointer() and other useful skb functions for creating a new skb, but the thing I am running out of idea is that how to route the newly created packet in the packet flowing path. How to use
ip_route_me_harder() I looked in the xtables-addons package for suggestion, but the function they used is different from the one in linux kernel. Any suggestion is welcomed.

2条回答
该账号已被封号
2楼-- · 2019-01-17 19:15

I have solved the problem. It was trivial. And all I am going to do is to post my code for future references and discussion.

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter.h>
#include <linux/netdevice.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <linux/mm.h>
#include <linux/err.h>
#include <linux/crypto.h>
#include <linux/init.h>
#include <linux/crypto.h>
#include <linux/scatterlist.h>
#include <net/ip.h>
#include <net/udp.h>
#include <net/route.h>

#undef __KERNEL__
#include <linux/netfilter_ipv4.h>
#define __KERNEL__

#define IP_HDR_LEN 20
#define UDP_HDR_LEN 8
#define TOT_HDR_LEN 28

static unsigned int pkt_mangle_begin(unsigned int hooknum,
                        struct sk_buff *skb,
                        const struct net_device *in,
                        const struct net_device *out,
                        int (*okfn)(struct sk_buff *));

static struct nf_hook_ops pkt_mangle_ops __read_mostly = {
    .pf = NFPROTO_IPV4,
    .priority = 1,
    .hooknum = NF_IP_LOCAL_OUT,
    .hook = pkt_mangle_begin,
};

static int __init pkt_mangle_init(void)
{
    printk(KERN_ALERT "\npkt_mangle module started ...");
    return nf_register_hook(&pkt_mangle_ops);
}

static void __exit pkt_mangle_exit(void)
{
    nf_unregister_hook(&pkt_mangle_ops);
    printk(KERN_ALERT "pkt_mangle module stopped ...");
} 

static unsigned int pkt_mangle_begin (unsigned int hooknum,
                        struct sk_buff *skb,
                        const struct net_device *in,
                        const struct net_device *out,
                        int (*okfn)(struct sk_buff *))
{ 
    struct iphdr *iph;
    struct udphdr *udph;
    unsigned char *data;

    unsigned int data_len;
    unsigned char extra_data[] = "12345";
    unsigned char *temp;
    unsigned int extra_data_len;
    unsigned int tot_data_len;

    unsigned int i;

    __u16 dst_port, src_port;

    if (skb) {
        iph = (struct iphdr *) skb_header_pointer (skb, 0, 0, NULL);

        if (iph && iph->protocol &&(iph->protocol == IPPROTO_UDP)) {
            udph = (struct udphdr *) skb_header_pointer (skb, IP_HDR_LEN, 0, NULL);
            src_port = ntohs (udph->source);
            dst_port = ntohs (udph->dest);

            if (src_port == 6000) {
                printk(KERN_ALERT "UDP packet goes out");
                data = (unsigned char *) skb_header_pointer (skb, IP_HDR_LEN+UDP_HDR_LEN, 0, NULL);
                data_len = skb->len - TOT_HDR_LEN;

                    temp = kmalloc(512 * sizeof(char), GFP_ATOMIC);
                memcpy(temp, data, data_len);

                unsigned char *ptr = temp + data_len - 1;
                extra_data_len = sizeof(extra_data);
                memcpy(ptr, extra_data, extra_data_len);
                tot_data_len = data_len + extra_data_len - 1;

                skb_put(skb, extra_data_len - 1);

                memcpy(data, temp, tot_data_len);

                /* Manipulating necessary header fields */
                iph->tot_len = htons(tot_data_len + TOT_HDR_LEN);
                udph->len = htons(tot_data_len + UDP_HDR_LEN);

                /* Calculation of IP header checksum */
                iph->check = 0;
                ip_send_check (iph);

                /* Calculation of UDP checksum */
                udph->check = 0;
                int offset = skb_transport_offset(skb);
                int len = skb->len - offset;
                udph->check = ~csum_tcpudp_magic((iph->saddr), (iph->daddr), len, IPPROTO_UDP, 0);

                 }
        }
    }
    return NF_ACCEPT;
}


module_init(pkt_mangle_init);
module_exit(pkt_mangle_exit);

MODULE_AUTHOR("Rifat Rahman Ovi: <rifatrahmanovi@gmail.com>");
MODULE_DESCRIPTION("Outward Packet Mangling and Decryption in Kernel Space");
MODULE_LICENSE("GPL");

Here the thing is that, I forgot to update the length fields and forgot to update the checksum. Now, if I present the code correctly here, all should go well. There are some other helper functions which are not included here.

查看更多
混吃等死
3楼-- · 2019-01-17 19:20

About one year ago for kernel 2.6.26 I did it like this:

// Do we need extra space?
if(len - skb_tailroom(skb) > 0){

  // Expand skb tail until we have enough room for the extra data
  if (pskb_expand_head(skb, 0, extra_data_len - skb_tailroom(skb), GFP_ATOMIC)) {
    // allocation failed. Do whatever you need to do
  }

  // Allocation succeeded

  // Reserve space in skb and return the starting point
  your_favourite_structure* ptr = (your_favourite_structure*) 
                                  skb_push(skb, sizeof(*ptr)); 

  // Now either set each field of your structure or memcpy into it.
  // Remember you can use a char*

}

Don't forget:

  • Recalculate UDP checksum, because you changed data in the transported data.

  • Change the field tot_len(total length) in the ip header, because you added data to the packet.

  • Recalculate the IP header checksum, because you changed the tot_len field.

Extra note: This is just a simple thing. I see in your code you're allocating tmp as a 200 byte array and using that to store the data of your message. If you send a bigger packet you'll have a hard time debugging this as kernel crashes due to memory overflows are too painful.

查看更多
登录 后发表回答