Date: Mon, 13 Jan 2003 18:42:56 -0800
From: Terry Lambert
To: Radoslav Vasilev
Cc: freebsd-net@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: kld && inetsw.pr_protocol overriding + old reuse

Radoslav Vasilev wrote:
> I'm interested in whether the following could be accomplished:
> there's a KLD module, installing some new syscalls in the kernel, as well as
> installing new ``struct ipprotosw'' for some protocol or another (let's
> assume IPPROTO_UDP).
> Could we just add some code in the beginning of the new protocol handler
> (counting, statistics, etc...) and call the old one after doing that. If
> possible, what should be the preparation for that last call?
> Any help appreciated!

This can't really be done, without actually hacking over top of the
location that contained the code associated with the previous symbol.

The reason for this is that the input path sometimes ends up making
direct calls, assuming that the protocol stack is stacked the way it's
expected to be stacked (e.g. direct calls to routines that are in
struct ipprotosw).

If you need to hack over the function, you need a lot more knowledge
of assembly language; it is occasionally useful for profiling an
existing system.

The usual reason for wanting to do this is to make TCP/IP connections
that are invisible to the OS, in order to attempt to turn FreeBSD boxes
into DDOS robots, without the knowledge of their owners. 8-|.

If you have a specific reason for this, you can replace the entry points
with explicit entry points for your own routines, that call the real
(renamed) routines, indirectly, and then replace the pointers. This will
work fine on systems which legitimately belong to you, and for which you
are willing to recompile the kernel, in order to make your modules work.

-- Terry
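
The point about direct calls, as an added user-space model that is not part of the original message and is not FreeBSD kernel code: a counting wrapper swapped into a protocol table only sees packets dispatched through the table, and a baseline comparison shows which slot was changed. The names mock_protosw, mock_inetsw and every function below are constructed for this illustration.

```c
/* User-space model only: mock_protosw and mock_inetsw are constructed
 * stand-ins for illustration, not the kernel's structures. */
#include <stdio.h>
#include <stddef.h>

typedef void (*input_fn)(const char *pkt);
struct mock_protosw { int pr_protocol; input_fn pr_input; };

static unsigned long delivered, counted;
static void real_udp_input(const char *pkt) { (void)pkt; delivered++; }

static struct mock_protosw mock_inetsw[] = { { 17, real_udp_input } };
static input_fn saved_input;   /* original handler, kept by the wrapper */

/* Wrapper from the question: count first, then call the old handler. */
static void counting_input(const char *pkt) { counted++; saved_input(pkt); }

static void install_wrapper(void) {
    saved_input = mock_inetsw[0].pr_input;
    mock_inetsw[0].pr_input = counting_input;
}

/* Path 1: dispatch through the table, which sees the replaced pointer. */
static void dispatch_via_table(const char *pkt) { mock_inetsw[0].pr_input(pkt); }
/* Path 2: a caller that assumes the stacking and calls the routine by name. */
static void dispatch_direct(const char *pkt) { real_udp_input(pkt); }

/* Integrity check: how many slots differ from a known-good baseline. */
static size_t changed_slots(const input_fn *baseline, size_t n) {
    size_t i, changed = 0;
    for (i = 0; i < n; i++)
        if (mock_inetsw[i].pr_input != baseline[i]) changed++;
    return changed;
}

/* Runs the scenario and returns the packets the wrapper never saw. */
static unsigned long run_demo(void) {
    delivered = counted = 0;
    mock_inetsw[0].pr_input = real_udp_input;   /* start from a clean table */
    install_wrapper();
    dispatch_via_table("a");
    dispatch_via_table("b");
    dispatch_direct("c");                       /* bypasses the table */
    return delivered - counted;
}

int main(void) {
    input_fn baseline[] = { real_udp_input };
    unsigned long missed = run_demo();
    printf("delivered=%lu counted=%lu missed=%lu changed=%zu\n",
           delivered, counted, missed, changed_slots(baseline, 1));
    return 0;
}
```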