Julia Evans

Day 5: I wrote a kernel module!!!

I WROTE A KERNEL MODULE. It doesn’t do anything useful or anything, but still! This is a pretty quick post because there was an awesome talk today by Mel Chua and I need to sleep.

The source for the module is at https://gist.github.com/jvns/6878994

It intercepts any incoming packets and prints “Hello packet” to the kernel log for each one. It uses a the Netfilter framework, which I learned about from this document.

To install it, you can run:

$ make
$ insmod hello-packet.ko

and then

$ rmmod hello-packet.ko

to remove it.

http://kernelnewbies.org is a fantastic resource and I’ve been learning a lot from it.

Some more resources:

(I think I’m going to work on writing a rootkit tomorrow. eee.)

Some things I learned along the way:

  • You can’t use malloc inside the kernel (?!!?). This is because anything that’s used in the kernel needs to be defined in the kernel, and malloc is in glibc. This seems obvious in retrospect, but kind of blew my mind
  • Similarly, you can’t use anything from glibc in the kernel.
  • There are apparently things called kmalloc and vmalloc that you can use instead. I don’t know what these are yet.
  • It is really easy to write a firewall that doesn’t let any packets in or out – just replace NF_ACCEPT with NF_DROP in my kernel module.