问题
I am building NKE(Network Kernal Extension) for filtering and modifying the packets on the fly. myipfilter_output_redirect callback gives mbuf_t pointer and based on the researched knowledge it has every information related to the network call. I want to read the html from this mbuf_t and inject one css/html into it. how can I achieve it?
static errno_t myipfilter_output(void* cookie, mbuf_t* data, ipf_pktopts_t options) {
if (data)
log_ip_packet(data, kMyFiltDirOut);
return 0;
}
static errno_t myipfilter_input(void* cookie, mbuf_t* data, int offset, u_int8_t protocol) {
if (data)
log_ip_packet(data, kMyFiltDirIn);
return 0;
}
static void myipfilter_detach(void* cookie) {
/* cookie isn't dynamically allocated, no need to free in this case */
struct myfilter_stats* stats = (struct myfilter_stats*)cookie;
printf("UDP_IN %lu UDP OUT: %lu TCP_IN: %lu TCP_OUT: %lu ICMP_IN: %lu ICMP OUT: %lu OTHER_IN: %lu OTHER_OUT: %lu\n",
stats->udp_packets[kMyFiltDirIn],
stats->udp_packets[kMyFiltDirOut],
stats->tcp_packets[kMyFiltDirIn],
stats->tcp_packets[kMyFiltDirOut],
stats->icmp_packets[kMyFiltDirIn],
stats->icmp_packets[kMyFiltDirOut],
stats->other_packets[kMyFiltDirIn],
stats->other_packets[kMyFiltDirOut]);
g_filter_detached = TRUE;
}
static struct ipf_filter g_my_ip_filter = {
&g_filter_stats,
"com.xxx.NetworKext",
myipfilter_input,
myipfilter_output_redirect, // myipfilter_output,
myipfilter_detach
};
kern_return_t MyIPFilter_start () {
printf("MyIPFilter_start called");
int result;
result = ipf_addv4(&g_my_ip_filter, &g_filter_ref);
return result;
}
kern_return_t MyIPFilter_stop () {
printf("MyIPFilter_stop called");
ipf_remove(g_filter_ref);
return KERN_SUCCESS;
}
static errno_t myipfilter_output_redirect(void* cookie, mbuf_t* data, ipf_pktopts_t options)
{
// not printing all html and css tags
printf("myipfilter_output_redirect called");
unsigned char* dataString = NULL;
for (mbuf_t mb = *data; mb; mb = mbuf_next(mb))
{
dataString = mbuf_data(mb);
size_t len = mbuf_len(mb);
for (size_t i = 0; i < len; i++)
{
printf("%c", dataString[i]);
}
}
printf("dataString: %s", dataString);
}
I have made a sample repo if you can help here anything.
回答1:
you should choose socket filter and in order to retrieve HTML payload you should read mbuf_t using mbuf_t data. Below method prints every bytes from the starts so put it in your sf_data_in_func call back.
print_mbuf_data(*data);
This would work for you.
static void print_mbuf_data(mbuf_t mb){
// unsigned char *tmp_buffer = (unsigned char *) mbuf_datastart(mb);
unsigned char *tmp_buffer = (unsigned char *) mbuf_data(mb);
unsigned long line = 0, index = 0, character = 0, hex_length = 0x80; // hex_length has limit of 64 decimal
unsigned long length = mbuf_len(mb);
unsigned char hex_temp [0x80]; // buffer has limit of 64 decimal
for (index = 0; index < length; index += 0x80)
{
memset(hex_temp, 0, hex_length);
line = length - index > 0x80 ? 0x80 : length - index;
for (character = 0; character < line; character++)
{
snprintf(((char *) hex_temp + strlen((char *) hex_temp)),
hex_length - strlen((char *) hex_temp), "%c", tmp_buffer[index + character]);
}
printf("%s", hex_temp);
}
}
来源:https://stackoverflow.com/questions/52219440/monitoring-network-packets-using-network-kernal-extension