I WROTE A KERNEL MODULE. It doesn’t do anything useful or anything, but still! This is a pretty quick post because there was an awesome talk today by Mel Chua and I need to sleep.
The source for the module is at https://gist.github.com/jvns/6878994
It intercepts every incoming packet and prints “Hello packet” to the kernel log for each one. It uses the Netfilter framework, which I learned about from this document.
To install it, you can run:

```
$ make
$ insmod hello-packet.ko
```

and

```
$ rmmod hello-packet.ko
```

to remove it.
http://kernelnewbies.org is a fantastic resource and I’ve been learning a lot from it.
Some more resources:
- Instructions for writing a “hello world” kernel module
- Some examples if you’re interested in learning about rootkits: 1, 2, 3, 4 (pdf)
(I think I’m going to work on writing a rootkit tomorrow. eee.)
Some things I learned along the way:
- You can’t use `malloc` inside the kernel (?!!?). This is because anything that’s used in the kernel needs to be defined in the kernel, and `malloc` is in glibc. This seems obvious in retrospect, but kind of blew my mind.
- Similarly, you can’t use anything from glibc in the kernel.
- There are apparently things called `vmalloc` that you can use instead. I don’t know what these are yet.
- It is really easy to write a firewall that doesn’t let any packets in or out – just return `NF_DROP` instead in my kernel module.
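For reference, here is what a module along these lines looks like. This is an added example written for this post, not the code in the gist: a Netfilter hook registered at `NF_INET_PRE_ROUTING` that logs each incoming IPv4 packet and returns `NF_ACCEPT`. It uses the `nf_register_net_hook` API (kernel 4.13 and later) and assumes a Kbuild Makefile containing `obj-m += hello-packet.o`; it is kernel-space code built with `make` against the running kernel’s headers, not a standalone program.

```c
/* hello-packet.c: log every incoming IPv4 packet from a Netfilter hook.
 * Kernel module (example, not the gist's code). Build with Kbuild:
 *   Makefile: obj-m += hello-packet.o
 * then `insmod hello-packet.ko`, watch dmesg, `rmmod hello-packet`. */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
#include <net/net_namespace.h>

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Say hello to every incoming packet (example)");

/* Hook callback, run for every packet that reaches PRE_ROUTING.
 * The return value is the verdict: NF_ACCEPT lets the packet continue
 * through the stack, NF_DROP silently discards it. Returning NF_DROP
 * here is exactly the "drop everything" firewall mentioned above. */
static unsigned int hello_packet_hook(void *priv, struct sk_buff *skb,
                                      const struct nf_hook_state *state)
{
    struct iphdr *iph;

    if (!skb)
        return NF_ACCEPT;

    iph = ip_hdr(skb);
    /* Rate-limited: an unthrottled printk per packet lets any remote
     * sender flood the kernel log simply by sending traffic. */
    printk_ratelimited(KERN_INFO "Hello packet: %pI4 -> %pI4 proto %u\n",
                       &iph->saddr, &iph->daddr, iph->protocol);

    return NF_ACCEPT;
}

static struct nf_hook_ops hello_ops = {
    .hook     = hello_packet_hook,
    .pf       = NFPROTO_IPV4,
    .hooknum  = NF_INET_PRE_ROUTING, /* first hook an incoming packet hits */
    .priority = NF_IP_PRI_FIRST,
};

static int __init hello_packet_init(void)
{
    /* Hooks are registered per network namespace; init_net is the default. */
    return nf_register_net_hook(&init_net, &hello_ops);
}

static void __exit hello_packet_exit(void)
{
    nf_unregister_net_hook(&init_net, &hello_ops);
}

module_init(hello_packet_init);
module_exit(hello_packet_exit);
```

The `%pI4` printk format prints an IPv4 address from a pointer to its network-order `__be32`, so the log line shows source and destination for each packet rather than just a greeting.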