Linux kernel module: how to re-inject a packet the kernel considers NF_STOLEN?


Good evening. Posting to this site is new to me, but I have been a grateful reader who has learned a lot from this forum for quite some time now. This is the first time I have run into a problem that I can neither solve on my own nor with the help of the entries that already exist on Stackoverflow or any other resource the internet offers.

I hope you can help me once again (and that from now on I can help others too, as I feel I have grown to the point where I can be a contributing member).

Problem:

I am working on a kernel module. Its purpose is to steal incoming packets with a specific source IP from the kernel using the PRE_ROUTING netfilter hook. Only TCP packets are of interest to it.

Currently the hook re-injects the packets into the normal kernel packet processing path via dev_queue_xmit() and returns NF_STOLEN to the kernel for them. Packets from other source addresses are not re-injected but are ignored by returning NF_ACCEPT instead of NF_STOLEN.

The kernel module also stores the TCP seq number of every stolen packet, so it can determine whether an incoming packet from the IP in question is new or has already been modified and re-injected via dev_queue_xmit(), since those packets traverse the hook again.

What works:

> Module loads
> Hook is registered
> Hook is called for every packet
> Hook can determine whether the packet's SRC IP is the IP I am looking for
> Hook returns NF_ACCEPT for packets with other source addresses
> Packets with the source address are re-injected while NF_STOLEN is returned for them
> Re-transmitted packets traverse the hook again and are ignored

The issue

When I use a browser to access the IP after loading the module, my IP stack seems to crash. I cannot ping any address any more. The module logs that it encounters packets from the IP in question, that it re-queues them, and that it afterwards detects a known packet (so everything looks fine), but still: no proper connection to the site or to any other address.

This is the hook code:

/* Assumed declarations, not shown in the original post: DEBUG is reconstructed from the
   "[PACKET PROXY]" prefix in the log, and the initial table size is a guess. */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

#define DEBUG(msg) printk(KERN_INFO "[PACKET PROXY] " msg "\n")

static unsigned char suspicious_ip[4];                   /* source address to intercept, network byte order */
static unsigned int *already_known_packets;              /* seq numbers of packets already re-injected */
static unsigned int number_of_known_packets;
static unsigned int memory_allocated_for_known_packets = 500 * 4;
void imba_realloc(unsigned int extra_bytes);             /* grows the seq table; defined elsewhere in the module */

/* Legacy (pre-3.13) netfilter hook signature, as in the original post. */
static unsigned int hook(unsigned int hooknum, struct sk_buff *skb,
                         const struct net_device *in, const struct net_device *out,
                         int (*okfn)(struct sk_buff *))
{
    struct iphdr *iph;
    struct tcphdr *tcph;
    unsigned int i;

    if (!skb)
        return NF_ACCEPT;

    /* Only packets from the suspicious source address are handled; all others pass. */
    iph = (struct iphdr *)skb_network_header(skb);
    if (!iph || !(iph->saddr) || iph->saddr != *(unsigned int *)suspicious_ip)
        return NF_ACCEPT;

    /* A seq number seen before means this packet was already re-injected by us. */
    tcph = (struct tcphdr *)skb_transport_header(skb);
    for (i = 0; i < number_of_known_packets; i++) {
        if (tcph->seq == *(already_known_packets + i)) {
            DEBUG("Already known packet");
            return NF_ACCEPT;
        }
    }

    DEBUG("New packet");
    printk("seq: %u\n", tcph->seq);

    /* Remember the seq number, growing the table when it is full. */
    if ((number_of_known_packets + 1) * 4 >= memory_allocated_for_known_packets)
        imba_realloc(500 * 4);
    *(already_known_packets + number_of_known_packets++) = tcph->seq;

    DEBUG("Requeuing packet");
    // once the requeuing is working properly, I want to manipulate the payload as well
    printk("Result: %i\n", dev_queue_xmit(skb));
    return NF_STOLEN;
}

How the hook is registered:

static struct nf_hook_ops nfho;

int init_module(void)
{
    DEBUG("module loaded");
    already_known_packets = kmalloc(memory_allocated_for_known_packets, GFP_KERNEL);
    if (!already_known_packets)
        return -ENOMEM;
    DEBUG("initial memory allocated");

    nfho.hook = hook;
    nfho.hooknum = NF_INET_PRE_ROUTING;   /* first hook for incoming packets, before routing */
    nfho.pf = PF_INET;
    nfho.priority = 1;
    nf_register_hook(&nfho);              /* legacy registration API */
    DEBUG("hook registered");
    return 0;
}

System log:

Sep 21 13:11:43 linux kernel: [ 3298.937902] [PACKET PROXY] module loaded
Sep 21 13:11:43 linux kernel: [ 3298.937907] [PACKET PROXY] initial memory allocated
Sep 21 13:11:43 linux kernel: [ 3298.937931] [PACKET PROXY] hook registered
Sep 21 13:11:49 linux kernel: [ 3305.415404] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.415410] seq: 1538346824
Sep 21 13:11:49 linux kernel: [ 3305.415412] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.415430] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.415440] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.415441] seq: 618234741
Sep 21 13:11:49 linux kernel: [ 3305.415442] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.415447] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.421440] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.421452] seq: 2129598066
Sep 21 13:11:49 linux kernel: [ 3305.421458] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.421477] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.427449] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.427456] seq: 2327127721
Sep 21 13:11:49 linux kernel: [ 3305.427458] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.427466] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.427470] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.427471] seq: 1333567182
Sep 21 13:11:49 linux kernel: [ 3305.427473] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.427476] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.427494] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.427502] seq: 2650236943
Sep 21 13:11:49 linux kernel: [ 3305.427506] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.427514] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.427522] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.427533] seq: 444387468
Sep 21 13:11:49 linux kernel: [ 3305.427534] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.427539] Result: 0
Sep 21 13:11:49 linux kernel: [ 3305.427544] [PACKET PROXY] New packet
Sep 21 13:11:49 linux kernel: [ 3305.427545] seq: 1405773113
Sep 21 13:11:49 linux kernel: [ 3305.427547] [PACKET PROXY] Requeuing packet
Sep 21 13:11:49 linux kernel: [ 3305.427550] Result: 0
Sep 21 13:11:50 linux kernel: [ 3306.413448] [PACKET PROXY] Already known packet
Sep 21 13:11:50 linux kernel: [ 3306.413641] [PACKET PROXY] Already known packet
Sep 21 13:11:50 linux kernel: [ 3306.414153] [PACKET PROXY] Already known packet
Sep 21 13:11:50 linux kernel: [ 3306.414989] [PACKET PROXY] Already known packet
Sep 21 13:11:50 linux kernel: [ 3306.415102] [PACKET PROXY] Already known packet
Sep 21 13:11:50 linux kernel: [ 3306.417880] [PACKET PROXY] Already known packet
Sep 21 13:11:50 linux kernel: [ 3306.418065] [PACKET PROXY] Already known packet
Sep 21 13:11:50 linux kernel: [ 3306.418134] [PACKET PROXY] Already known packet
Sep 21 13:11:50 linux kernel: [ 3306.433788] [PACKET PROXY] New packet
Sep 21 13:11:50 linux kernel: [ 3306.433812] seq: 2146375282
Sep 21 13:11:50 linux kernel: [ 3306.433816] [PACKET PROXY] Requeuing packet
Sep 21 13:11:50 linux kernel: [ 3306.433850] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.441424] [PACKET PROXY] Already known packet
Sep 21 13:11:51 linux kernel: [ 3306.441587] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.441596] seq: 3958642290
Sep 21 13:11:51 linux kernel: [ 3306.441610] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.441634] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.441646] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.441648] seq: 1476007538
Sep 21 13:11:51 linux kernel: [ 3306.441652] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.441660] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.443131] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.443139] seq: 3288274546
Sep 21 13:11:51 linux kernel: [ 3306.443148] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.443194] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.443226] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.443231] seq: 788862834
Sep 21 13:11:51 linux kernel: [ 3306.443241] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.443258] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.443276] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.443278] seq: 2601129842
Sep 21 13:11:51 linux kernel: [ 3306.443281] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.443286] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.443294] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.443295] seq: 2131695474
Sep 21 13:11:51 linux kernel: [ 3306.443299] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.443305] Result: 0
Sep 21 13:11:51 linux kernel: [ 3306.443313] [PACKET PROXY] New packet
Sep 21 13:11:51 linux kernel: [ 3306.443314] seq: 3943962482
Sep 21 13:11:51 linux kernel: [ 3306.443317] [PACKET PROXY] Requeuing packet
Sep 21 13:11:51 linux kernel: [ 3306.443320] Result: 0
Sep 21 13:11:57 linux kernel: [ 3312.685399] [PACKET PROXY] New packet
Sep 21 13:11:57 linux kernel: [ 3312.685425] seq: 2667014159
Sep 21 13:11:57 linux kernel: [ 3312.685430] [PACKET PROXY] Requeuing packet
Sep 21 13:11:57 linux kernel: [ 3312.685463] Result: 0
Solution

I found an easier solution for what I was trying to achieve, one that does not require a custom kernel module.

Also, after some research: NF_STOLEN packets cannot simply be "re-injected".
However, to modify a packet you do not even need to return NF_STOLEN.

You can just change the payload, adjust the checksum and return NF_ACCEPT, since the kernel will re-use the sk_buff you accessed in the hook when it processes the packet further.
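The checksum adjustment the last paragraph relies on, shown in user-space C as an added example (this is not code from the original post): after bytes of the TCP payload are rewritten in place, the TCP checksum, which covers the IPv4 pseudo-header, the TCP header and the payload, is recomputed and written back, while the IP header checksum is untouched because it does not cover the payload. The packet bytes, `tcp_checksum`, `tcp_checksum_ok`, `patch_payload` and `build_sample` are all constructed for this example; inside a real hook the kernel's own checksum helpers and `skb->ip_summed` state would be used instead of this arithmetic.

```c
#include <stdint.h>
#include <string.h>
/* RFC 1071 one's-complement accumulation over big-endian 16-bit words. */
static uint32_t csum_add(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;   /* odd trailing byte is zero-padded */
    return sum;
}
/* TCP checksum of an IPv4 packet (pkt points at the IP header): pseudo-header
 * (src, dst, protocol 6, TCP length) + TCP header + payload, checksum field as zero. */
uint16_t tcp_checksum(const uint8_t *pkt, size_t len)
{
    size_t ihl = (pkt[0] & 0x0f) * 4, tcp_len = len - ihl;
    uint32_t sum = csum_add(pkt + 12, 8, 0) + 6 + (uint32_t)tcp_len;
    sum = csum_add(pkt + ihl, 16, sum);                 /* header up to the checksum field */
    sum = csum_add(pkt + ihl + 18, tcp_len - 18, sum);  /* everything after it */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);   /* fold carries */
    return (uint16_t)~sum;
}
/* True if the checksum stored in the TCP header matches the recomputed one. */
int tcp_checksum_ok(const uint8_t *pkt, size_t len)
{
    size_t ihl = (pkt[0] & 0x0f) * 4;
    return tcp_checksum(pkt, len) == (uint16_t)((pkt[ihl + 16] << 8) | pkt[ihl + 17]);
}
/* Overwrite n payload bytes at payload offset off and refresh the TCP checksum. The IP header
 * checksum does not cover the payload, so it stays valid. Returns 0, or -1 if off+n is out of range. */
int patch_payload(uint8_t *pkt, size_t len, size_t off, const uint8_t *data, size_t n)
{
    size_t ihl = (pkt[0] & 0x0f) * 4, start = ihl + (pkt[ihl + 12] >> 4) * 4;
    if (start > len || off + n > len - start) return -1;
    memcpy(pkt + start + off, data, n);
    uint16_t c = tcp_checksum(pkt, len);
    pkt[ihl + 16] = c >> 8; pkt[ihl + 17] = c & 0xff;
    return 0;
}
/* Constructed sample (IP header checksum field left zero, it is not exercised here):
 * 10.0.0.1:1234 -> 10.0.0.2:80, seq 1, PSH|ACK, payload "GET / HTTP/1.0\r\n". */
size_t build_sample(uint8_t *buf)
{
    static const uint8_t hdr[40] = {
        0x45, 0x00, 0x00, 0x38, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,
        0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0x20, 0x00, 0, 0, 0, 0 };
    memcpy(buf, hdr, 40);
    memcpy(buf + 40, "GET / HTTP/1.0\r\n", 16);
    uint16_t c = tcp_checksum(buf, 56);
    buf[36] = c >> 8; buf[37] = c & 0xff;
    return 56;
}
```

Editing a payload byte directly leaves the stored checksum stale and the segment fails verification; `patch_payload` performs the same write and the refresh together, which is the state a hook must leave the buffer in before returning NF_ACCEPT.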
