| author | 2017-10-01 21:18:00 +0200 | |
|---|---|---|
| committer | 2017-11-17 00:44:51 +0100 | |
| commit | 227060e1c4f40881494c18ae48675f03b92d6354 (patch) | |
| tree | 9f02f88d725946e243edc2a50ab7281ea94f0cd2 | |
| download | blind-operator-mode-227060e1c4f40881494c18ae48675f03b92d6354.tar.xz blind-operator-mode-227060e1c4f40881494c18ae48675f03b92d6354.zip | |
Add hide-allowed-ips
This hides allowed IPs from userspace by nopping out the tree traversal
function.
Requested-by: William Öling <william@azirevpn.com>
| -rw-r--r-- | Makefile | 32 | ||||
| -rw-r--r-- | README | 18 | ||||
| -rw-r--r-- | dkms.conf | 7 | ||||
| -rw-r--r-- | hide-allowed-ips.c | 88 | ||||
| -rwxr-xr-x | modprobe.sh | 4 |
5 files changed, 149 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..d466cb5
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,32 @@
+ifneq ($(KERNELRELEASE),)
+obj-m := hide-allowed-ips.o
+else
+KERNELDIR ?= /lib/modules/$(shell uname -r)/build
+PWD := $(shell pwd)
+
+default: build
+
+install: maybe-clean hide-allowed-ips.c Makefile dkms.conf
+ echo hide-allowed-ips > /etc/modules-load.d/hide-allowed-ips.conf
+ echo softdep wireguard pre: hide-allowed-ips > /etc/modprobe.d/hide-allowed-ips.conf
+ -dkms remove hide-allowed-ips/0.0.1 --all
+ dkms add .
+ dkms autoinstall
+uninstall:
+ rm -f /etc/modules-load.d/hide-allowed-ips.conf
+ rm -f /etc/modprobe.d/hide-allowed-ips.conf
+ dkms remove hide-allowed-ips/0.0.1 --all
+ -rmmod hide-allowed-ips
+build:
+ $(MAKE) -C $(KERNELDIR) M=$(PWD)
+clean:
+ $(MAKE) -C $(KERNELDIR) M=$(PWD) clean
+ifneq ($(wildcard *.o *.ko .tmp* .*.cmd hide-allowed-ips.*),hide-allowed-ips.c)
+maybe-clean: clean
+else
+maybe-clean:
+endif
+
+.PHONY: maybe-clean clean build install uninstall
+endif
+
@@ -0,0 +1,18 @@
+AllowedIPs Hider
+================
+
+Some people are delusional and think that by hiding things from userspace,
+they can actually hide things. This here is a rootkit-style monkey-patcher
+that nops out a random function in the WireGuard module. Subsequent calls
+to wg(8) will not reveal the AllowedIPs. But of course there are still ways
+of recovering it.
+
+This whole thing is incredibly stupid, but it is nonetheless an interesting
+exercise. If you have any sense at all, you won't go near this code and
+will discard this idea entirely.
+
+Installation
+------------
+
+On a DKMS-enabled machine, simply run `make install`. Things should magically
+work from then on.
diff --git a/dkms.conf b/dkms.conf
new file mode 100644
index 0000000..ac929ab
--- /dev/null
+++ b/dkms.conf
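Review bot: The `install` target writes the boot-time autoload entry and the `softdep wireguard pre:` line into `/etc/modules-load.d` and `/etc/modprobe.d` before `dkms add`/`dkms autoinstall` have produced a module, so a failed DKMS build (missing kernel headers, or a host the module cannot compile on) aborts `make` but leaves every boot and every `modprobe wireguard` trying to load a module that does not exist. Moving the two `echo` lines to after `dkms autoinstall` ties the configuration to a module that was actually installed; `uninstall` already removes the files before `dkms remove`, so no change is needed there. The README hunk sharing this line is documentation only.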
@@ -0,0 +1,7 @@
+PACKAGE_NAME="hide-allowed-ips"
+PACKAGE_VERSION="0.0.1"
+AUTOINSTALL=yes
+POST_INSTALL="modprobe.sh"
+BUILT_MODULE_NAME="hide-allowed-ips"
+DEST_MODULE_LOCATION="/kernel/net"
+BUILD_DEPENDS="wireguard"
diff --git a/hide-allowed-ips.c b/hide-allowed-ips.c
new file mode 100644
index 0000000..427890b
--- /dev/null
+++ b/hide-allowed-ips.c
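Review bot: `dkms.conf` places no restriction on the target architecture, yet the module it builds uses `read_cr0()`, `write_cr0()` and `X86_CR0_WP` (visible in the hide-allowed-ips.c hunk), which exist only on x86, so on any other architecture `dkms autoinstall` fails at compile time rather than being skipped. Adding `BUILD_EXCLUSIVE_ARCH="x86_64"` (DKMS also has `BUILD_EXCLUSIVE_KERNEL` for a kernel-version pattern, which would matter here since the module depends on `kallsyms_lookup_name` being exported) lets DKMS decline the build cleanly. Check the directive names against the dkms(8) page of the version being targeted; I am going from memory of the format.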
@@ -0,0 +1,88 @@
+/* Copyright (C) 2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ *
+ * This module is complete bullshit. There is no good reason to use it,
+ * unless you are also complete bullshit.
+ *
+ * It simply monkey-patches a random function in the wireguard module
+ * so that some random piece of data doesn't get put in a netlink
+ * message. It doesn't actually give you any real security or help
+ * with any real attack model.
+ *
+ * Only use if you're peddling snake oil.
+ */
+
+#define pr_fmt(fmt) "wireguard: " fmt
+
+#include <linux/module.h>
+#include <linux/kallsyms.h>
+
+static void patch_allowed_ips(bool warn_on_failure)
+{
+ unsigned long addr, cr0;
+
+ preempt_disable();
+ addr = kallsyms_lookup_name("routing_table_walk_by_peer");
+ if (!addr) {
+ if (warn_on_failure)
+ pr_err("unable to find function for hiding allowed IPs\n");
+ goto out;
+ }
+
+ pr_info("live-patching function 0x%pK to hide allowed IPs\n", (void *)addr);
+
+ barrier();
+ cr0 = read_cr0();
+ write_cr0(cr0 & ~X86_CR0_WP);
+ barrier();
+
+ /* xor eax,eax; ret; */
+ memcpy((void *)addr, "\x31\xc0\xc3", 3);
+
+ barrier();
+ write_cr0(cr0);
+ barrier();
+out:
+ preempt_enable();
+}
+
+static int module_load_notify(struct notifier_block *self, unsigned long state, void *data)
+{
+ struct module *mod = data;
+
+ mutex_lock(&module_mutex);
+ if (state == MODULE_STATE_COMING && !strcmp(mod->name, "wireguard"))
+ patch_allowed_ips(true);
+ mutex_unlock(&module_mutex);
+
+ return 0;
+}
+
+static struct notifier_block module_load_nb = {
+ .notifier_call = module_load_notify
+};
+
+static int __init mod_init(void)
+{
+ int ret;
+
+ ret = register_module_notifier(&module_load_nb);
+ if (ret)
+ return ret;
+
+ mutex_lock(&module_mutex);
+ patch_allowed_ips(!!find_module("wireguard"));
+ mutex_unlock(&module_mutex);
+
+ return 0;
+}
+
+static void __exit mod_exit(void)
+{
+ unregister_module_notifier(&module_load_nb);
+}
+
+module_init(mod_init);
+module_exit(mod_exit);
+MODULE_LICENSE("GPL v2");
+MODULE_AUTHOR("Jason A. Donenfeld");
+MODULE_DESCRIPTION("Rancid monkey-patcher");
diff --git a/modprobe.sh b/modprobe.sh
new file mode 100755
index 0000000..bc958bf
--- /dev/null
+++ b/modprobe.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+rmmod hide-allowed-ips
+depmod -a
+exec modprobe hide-allowed-ips
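Review bot: `patch_allowed_ips()` overwrites live kernel text with a plain `memcpy()` under `preempt_disable()`, which only pins the current CPU: any other CPU can be executing, or about to fetch, `routing_table_walk_by_peer` while the three bytes are half-written, and x86 gives no guarantee for cross-modifying code done outside the kernel's own `text_poke_bp()` path or a `stop_machine()` callback (the latter is, as far as I recall, exported to GPL modules and would make the write appear atomic to all CPUs). The patch is also permanent: `mod_exit()` only unregisters the notifier, so after `rmmod hide-allowed-ips` the wireguard module stays modified with nothing in the system recording that, until wireguard itself is reloaded. Saving the original bytes on the first patch, forgetting them when wireguard goes away (`MODULE_STATE_GOING`), and restoring them in `mod_exit()` makes the module removable; a sketch follows, with the single text-write helper being the natural place to add `stop_machine()`. The `xor eax,eax; ret` stub assumes the target returns an int-sized value in `eax`; its prototype lives in the wireguard tree, not here, so that should be checked against the wireguard version being built against. `read_cr0()`/`write_cr0()`/`X86_CR0_WP` also make this x86-only, and later kernels pin CR0.WP and no longer export `kallsyms_lookup_name`, so this approach has a short shelf life.
```c
/* Original bytes of routing_table_walk_by_peer, saved by the first patch so
 * mod_exit() can put them back; patched_addr == 0 means nothing to restore. */
static u8 saved_bytes[3];
static unsigned long patched_addr;

/* Single place that writes kernel text; wrap in stop_machine() if the
 * cross-CPU race is to be closed. Caller holds module_mutex. */
static void write_text(unsigned long addr, const void *src, size_t len)
{
	unsigned long cr0;

	preempt_disable();
	barrier();
	cr0 = read_cr0();
	write_cr0(cr0 & ~X86_CR0_WP);
	barrier();
	memcpy((void *)addr, src, len);
	barrier();
	write_cr0(cr0);
	barrier();
	preempt_enable();
}

static void patch_allowed_ips(bool warn_on_failure)
{
	/* … unchanged: kallsyms lookup, failure path, pr_info … */
	if (patched_addr != addr) {
		memcpy(saved_bytes, (void *)addr, sizeof(saved_bytes));
		patched_addr = addr;
	}
	/* xor eax,eax; ret; */
	write_text(addr, "\x31\xc0\xc3", 3);
}

static int module_load_notify(struct notifier_block *self, unsigned long state, void *data)
{
	/* … unchanged: COMING case … */
	else if (state == MODULE_STATE_GOING && !strcmp(mod->name, "wireguard"))
		patched_addr = 0;	/* text is about to be freed; nothing to restore */
	/* … unchanged … */
}

static void __exit mod_exit(void)
{
	unregister_module_notifier(&module_load_nb);
	mutex_lock(&module_mutex);
	if (patched_addr)
		write_text(patched_addr, saved_bytes, sizeof(saved_bytes));
	mutex_unlock(&module_mutex);
}
```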
