Last Updated: August 14, 2006
Some sample modules for Linux 2.6.
hijacking - (C source) (Directory)
Kernel function hijacking example. This example replaces udp_queue_rcv_skb() (net/ipv4/udp.c) with a function that simply drops the packet, so every UDP datagram destined for a local socket is silently discarded. udp_queue_rcv_skb() is a static function and so is not exported to modules; the module therefore takes the address of the original function as a parameter (addr) when loaded. It can be looked up with "grep udp_queue_rcv_skb /proc/kallsyms" (on later kernels with kptr_restrict set, the addresses read as zero for unprivileged users, so do this as root).
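The lookup step above, as an added example that is not part of the original module: a small C program that parses /proc/kallsyms the way the module's addr parameter needs, matching the symbol name exactly (a plain grep also hits prefixed or compiler-renamed variants) and treating an all-zero address as "hidden". The embedded kallsyms lines are constructed sample data with made-up addresses, and the module file name hijacking.ko in the printed insmod line is an assumption.

```c
/* Added example (not the page's code): find the address the hijacking module's
 * "addr" parameter needs by parsing /proc/kallsyms, which has one symbol per
 * line: "<hex address> <type> <name> [module]". */
#include <stdio.h>
#include <string.h>

/* Parse one kallsyms line; returns 1 and fills *addr if the name matches exactly.
 * An exact match matters: grep would also hit __udp_queue_rcv_skb or a
 * compiler-renamed clone such as udp_queue_rcv_skb.isra.0. */
static int kallsyms_match_line(const char *line, const char *name,
                               unsigned long long *addr)
{
    unsigned long long a;
    char type, sym[256];
    if (sscanf(line, "%llx %c %255s", &a, &type, sym) != 3)
        return 0;
    if (strcmp(sym, name) != 0)
        return 0;
    *addr = a;
    return 1;
}

/* Search a kallsyms-format buffer (newline separated). Returns the address,
 * or 0 when the symbol is absent or its address is hidden (kptr_restrict). */
unsigned long long kallsyms_lookup_text(const char *text, const char *name)
{
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        unsigned long long addr;
        if (kallsyms_match_line(line, name, &addr))
            return addr;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Same lookup against the live /proc/kallsyms of the running kernel. */
unsigned long long kallsyms_lookup_live(const char *name)
{
    FILE *f = fopen("/proc/kallsyms", "r");
    if (!f)
        return 0;
    char line[512];
    unsigned long long addr = 0;
    while (fgets(line, sizeof line, f))
        if (kallsyms_match_line(line, name, &addr))
            break;
    fclose(f);
    return addr;
}

/* Constructed sample in /proc/kallsyms format; the addresses are made up. */
const char sample_kallsyms[] =
    "ffffffff81a3f000 t __udp_queue_rcv_skb\n"
    "ffffffff81a3f120 t udp_queue_rcv_skb\n"
    "ffffffff81a3f2e0 T udp_rcv\n";

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "udp_queue_rcv_skb";
    printf("sample: %s -> 0x%llx\n", name, kallsyms_lookup_text(sample_kallsyms, name));
    unsigned long long live = kallsyms_lookup_live(name);
    if (live == 0)
        printf("live: %s not found, or address hidden by kptr_restrict (retry as root)\n", name);
    else
        printf("live: insmod hijacking.ko addr=0x%llx\n", live);   /* module name assumed */
    return 0;
}
```

Run it as root on the target machine and pass the printed address to the module; a result of 0 means either the symbol does not exist in that kernel build (it may have been inlined or renamed) or the address is being hidden, and loading the module with addr=0 would patch the wrong place.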
packet_type - (C source) (Directory)
Add a packet_type handler and see whether it can prevent other packet_types from handling an skb. Specifically, the module registers its packet_type so that it is the first handler invoked by netif_receive_skb(). If the received packet meets certain conditions, it is dropped, i.e., the subsequent ptype_all and ptype_base handlers in netif_receive_skb() are prevented from processing it. Help taken from Phrack, Issue 55, Article 12.
netfilter - (C source) (Directory)
Simple netfilter hook, registered with nf_register_hook(). This is the supported way for a module to inspect or drop packets, as opposed to patching kernel functions as the hijacking example does.
Some user-level programs.
named-pipes - (C source) (Directory)
Creates a named pipe (/tmp/fifo_test). Anyone else can write to this file; the reader program prints out what it reads (e.g. 'cat > /tmp/fifo_test' can be used to write to the pipe). A FIFO can have multiple readers, but each write is delivered to exactly one of them: data consumed by one reader is never seen by the others. For example, run reader and also do a 'cat /tmp/fifo_test', then write to the pipe (echo "test" > /tmp/fifo_test), and only one of the two (reader or cat) gets the data. Because the FIFO has a fixed name in /tmp, any local user can feed the reader whatever they like, so the reader must not trust its input. See also mknod(1) and fifo(7).
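The multiple-reader behaviour described above, as an added example (not the page's reader program): the parent creates a FIFO, forks several readers that all block in read() on it, writes one short message, and counts how many readers report receiving data. The FIFO path, the message and the reader count are parameters chosen for the demonstration; the program relies on Linux allowing a FIFO to be opened O_RDWR, which keeps the readers' open() from blocking.

```c
/* Added example (not the page's code): N processes reading one FIFO; only one
 * of them receives a given write. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Returns how many of nreaders forked readers got data from a single write
 * of msg (shorter than PIPE_BUF) to the FIFO at path; -1 on setup failure. */
int fifo_competing_readers(const char *path, const char *msg, int nreaders)
{
    int ready[2], result[2];
    unlink(path);
    if (mkfifo(path, 0600) < 0 || pipe(ready) < 0 || pipe(result) < 0) {
        perror("setup");
        return -1;
    }
    /* Linux lets a FIFO be opened O_RDWR without blocking; while the parent
     * holds it, the readers' open(O_RDONLY) returns at once instead of waiting
     * for a writer. */
    int wfd = open(path, O_RDWR);
    if (wfd < 0) { perror("open"); return -1; }

    for (int i = 0; i < nreaders; i++) {
        pid_t pid = fork();
        if (pid < 0) { perror("fork"); return -1; }
        if (pid == 0) {
            close(ready[0]); close(result[0]); close(wfd);
            int fd = open(path, O_RDONLY);
            char tag = (char)('0' + i), buf[128];
            (void)write(ready[1], &tag, 1);             /* "reader i is about to read()" */
            ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf);
            if (n > 0)                                   /* only a reader that got data reports */
                (void)write(result[1], &tag, 1);
            _exit(0);
        }
    }
    close(ready[1]); close(result[1]);

    char tag;
    for (int i = 0; i < nreaders; i++)                  /* wait until every reader is in place */
        (void)read(ready[0], &tag, 1);
    (void)write(wfd, msg, strlen(msg));                  /* one atomic write, one recipient */
    close(wfd);                                          /* no writer left: the others see EOF */

    int got = 0;
    while (read(result[0], &tag, 1) == 1)
        got++;
    close(ready[0]); close(result[0]);
    while (wait(NULL) > 0)
        ;
    unlink(path);
    return got;
}

int main(void)
{
    int got = fifo_competing_readers("/tmp/fifo_test_example", "test\n", 3);
    printf("%d of 3 readers received the message\n", got);
    return got == 1 ? 0 : 1;
}
```

Whichever reader the kernel wakes first consumes the data; the rest read EOF once the writer closes. The count is 1 no matter how many readers you fork, which is the property the page observed with reader and cat.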
bit-scan - (C source) (Directory)
Bit-scanning and inline assembly. Uses the x86 BSF/BSR instructions (via GCC inline asm) to scan the bit representation of a number, i.e. to find its lowest and highest set bits.
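An added example (not the page's program) of wrapping BSF/BSR in GCC inline asm, including the case the instructions themselves do not handle: for a zero input they set ZF and leave the destination undefined, so the wrappers check for zero first. The non-x86 fallback via __builtin_ctz/__builtin_clz is an addition so the code builds elsewhere; the set-bit enumeration is one typical use of BSF.

```c
/* Added example (not the page's code): BSF/BSR via inline asm, with the
 * zero-input case handled explicitly. */
#include <stdio.h>
#include <stdint.h>

/* Index of the lowest set bit (BSF), or -1 for 0, whose result is undefined. */
int bit_scan_forward(uint32_t x)
{
    if (x == 0)
        return -1;
#if defined(__i386__) || defined(__x86_64__)
    uint32_t idx;
    __asm__ ("bsfl %1, %0" : "=r"(idx) : "rm"(x) : "cc");
    return (int)idx;
#else
    return __builtin_ctz(x);           /* fallback for non-x86 builds */
#endif
}

/* Index of the highest set bit (BSR), i.e. floor(log2(x)), or -1 for 0. */
int bit_scan_reverse(uint32_t x)
{
    if (x == 0)
        return -1;
#if defined(__i386__) || defined(__x86_64__)
    uint32_t idx;
    __asm__ ("bsrl %1, %0" : "=r"(idx) : "rm"(x) : "cc");
    return (int)idx;
#else
    return 31 - __builtin_clz(x);
#endif
}

/* Enumerate set bit positions, lowest first, by repeated BSF and clearing.
 * Returns the number of positions written (at most max). */
int set_bit_positions(uint32_t x, int *out, int max)
{
    int n = 0;
    while (x && n < max) {
        int i = bit_scan_forward(x);
        out[n++] = i;
        x &= ~(1u << i);
    }
    return n;
}

/* Population count built on the scan loop above. */
int popcount_by_scan(uint32_t x)
{
    int pos[32];
    return set_bit_positions(x, pos, 32);
}

int main(void)
{
    uint32_t v = 0x28;                  /* bits 3 and 5 */
    int pos[32], n = set_bit_positions(v, pos, 32);
    printf("0x%x: bsf=%d bsr=%d set bits:", v, bit_scan_forward(v), bit_scan_reverse(v));
    for (int i = 0; i < n; i++)
        printf(" %d", pos[i]);
    printf("\n0: bsf=%d bsr=%d\n", bit_scan_forward(0), bit_scan_reverse(0));
    return 0;
}
```

The "cc" clobber tells the compiler the flags are modified; leaving it out is a common mistake in hand-written asm wrappers that only shows up when the compiler reuses flags across the statement.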
cpu-time-counter - (Directory)
Uses the processor's time-stamp counter to estimate the clock speed of the processor (rdtsc, the read time-stamp counter instruction, available since the Pentium). Note that on processors with frequency scaling, or a TSC that ticks at a constant rate regardless of the core clock, the count no longer tracks the actual clock speed.
packet - (C source) (Directory)
Read raw packets directly from the NIC, using the PF_PACKET address family (this needs root, or CAP_NET_RAW). Note that tools like tcpdump use the pcap(3) library instead; see http://www.tcpdump.org/pcap.htm for a tutorial on that. The pcap library provides a higher-level abstraction and is more portable than the PF_PACKET interface. Of course, the Linux implementation of pcap uses the PF_PACKET interface underneath, as can be seen by running strace on tcpdump.
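An added example (not the page's program) of what a PF_PACKET reader has to do with the bytes it gets: the frames arrive with no validation, so every header offset is checked against the received length before it is read, padding on short frames is tolerated, and UDP ports are only taken from an unfragmented first fragment. The 60-byte sample frame is constructed inline (Ethernet, IPv4 10.0.0.1 to 10.0.0.2, UDP 53 to 54321, then zero padding); the capture loop at the end opens the raw socket itself and is Linux-only.

```c
/* Added example (not the page's code): bounds-checked parsing of a raw frame
 * as delivered by a PF_PACKET socket (Ethernet, IPv4, UDP ports). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

struct parsed_frame {
    uint16_t ethertype;
    uint8_t  ip_proto;
    char     src_ip[INET_ADDRSTRLEN], dst_ip[INET_ADDRSTRLEN];
    uint16_t src_port, dst_port;       /* filled only for unfragmented UDP */
};

/* Returns 0 for a well-formed IPv4 frame, 1 for a non-IPv4 frame (ethertype
 * set), -1 if the frame is shorter than its headers claim. Every offset is
 * checked against len before it is read: the bytes come straight off the wire. */
int parse_frame(const uint8_t *buf, size_t len, struct parsed_frame *out)
{
    struct parsed_frame pf;
    memset(&pf, 0, sizeof pf);
    if (len < 14) return -1;
    pf.ethertype = (uint16_t)(buf[12] << 8 | buf[13]);
    if (pf.ethertype != 0x0800) { if (out) *out = pf; return 1; }
    const uint8_t *ip = buf + 14;
    size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = (size_t)(ip[2] << 8 | ip[3]);
    /* total may be less than rem: short frames are padded to 60 bytes on the wire */
    if (ihl < 20 || ihl > rem || total < ihl || total > rem) return -1;
    pf.ip_proto = ip[9];
    struct in_addr a;
    memcpy(&a, ip + 12, 4); inet_ntop(AF_INET, &a, pf.src_ip, sizeof pf.src_ip);
    memcpy(&a, ip + 16, 4); inet_ntop(AF_INET, &a, pf.dst_ip, sizeof pf.dst_ip);
    int frag_offset = ((ip[6] & 0x1f) << 8) | ip[7];
    if (pf.ip_proto == 17 && frag_offset == 0) {   /* UDP header is only in the first fragment */
        if (total - ihl < 8) return -1;
        const uint8_t *udp = ip + ihl;
        pf.src_port = (uint16_t)(udp[0] << 8 | udp[1]);
        pf.dst_port = (uint16_t)(udp[2] << 8 | udp[3]);
    }
    if (out) *out = pf;
    return 0;
}

/* Scalar helpers: -1 on any parse failure, so callers never use stale fields. */
int frame_ip_proto(const uint8_t *buf, size_t len)
{
    struct parsed_frame pf;
    return parse_frame(buf, len, &pf) == 0 ? pf.ip_proto : -1;
}
int frame_udp_dst_port(const uint8_t *buf, size_t len)
{
    struct parsed_frame pf;
    if (parse_frame(buf, len, &pf) != 0 || pf.ip_proto != 17) return -1;
    return pf.dst_port;
}

/* Constructed 60-byte frame: Ethernet + IPv4 (10.0.0.1 -> 10.0.0.2) + UDP 53 -> 54321,
 * followed by 18 bytes of zero padding as for a minimum-size Ethernet frame. */
const uint8_t sample_frame[60] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x00,0x35, 0xd4,0x31, 0x00,0x08, 0x00,0x00     /* rest is zero padding */
};

#ifdef __linux__
#include <linux/if_ether.h>
/* Capture from a PF_PACKET socket (needs root / CAP_NET_RAW) and run the parser. */
int sniff(int max_frames)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(AF_PACKET)"); return -1; }
    uint8_t buf[65536];
    for (int i = 0; i < max_frames; i++) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        struct parsed_frame pf;
        int rc = parse_frame(buf, (size_t)n, &pf);
        if (rc == 0)
            printf("%s -> %s proto %u ports %u -> %u\n", pf.src_ip, pf.dst_ip,
                   pf.ip_proto, pf.src_port, pf.dst_port);
        else if (rc == 1)
            printf("non-IPv4 frame, ethertype 0x%04x\n", pf.ethertype);
        else
            printf("truncated or malformed frame (%zd bytes)\n", n);
    }
    close(fd);
    return 0;
}
#endif

int main(void)
{
    struct parsed_frame pf;
    if (parse_frame(sample_frame, sizeof sample_frame, &pf) == 0)
        printf("sample: %s -> %s UDP %u -> %u\n", pf.src_ip, pf.dst_ip, pf.src_port, pf.dst_port);
#ifdef __linux__
    return sniff(10);
#else
    return 0;
#endif
}
```

pcap does this framing and length bookkeeping for you; the point of the example is what you take on when you go to PF_PACKET directly.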
real-time-clock - (C source) (Perl source) (Directory)
Real-time clock. User program that uses Linux's rtc driver (and thus /dev/rtc). The C program is essentially the one in Documentation/rtc.txt in the Linux kernel sources; the Perl program is a port of the initial parts of it.
accept - (C source) (Directory)
Test to see, when a process opens a listening socket and then forks, which process receives the connection. The test suggests that only one of the processes returns from accept(), and a reading of the kernel code agrees: the kernel wakes only one process, so whichever is at the head of the wait queue gets the connection.
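The experiment described above, as an added example (not the page's program): the parent listens on an ephemeral loopback port, forks several children that all block in accept() on the same socket, makes one connection, and counts how many children returned from accept(). The child count and the loopback address are choices made for the demonstration.

```c
/* Added example (not the page's code): N children blocked in accept() on one
 * listening socket; one connect() wakes exactly one of them. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Returns how many of nchildren forked processes returned from accept()
 * after a single connect() to the shared listening socket; -1 on failure. */
int accept_after_fork(int nchildren)
{
    if (nchildren < 1 || nchildren > 64) return -1;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                                    /* kernel picks a free port */
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 8) < 0) {
        perror("listen"); return -1;
    }
    socklen_t slen = sizeof sa;
    getsockname(lfd, (struct sockaddr *)&sa, &slen);    /* learn the chosen port */

    int result[2];
    if (pipe(result) < 0) return -1;
    pid_t pids[64];
    for (int i = 0; i < nchildren; i++) {
        pids[i] = fork();
        if (pids[i] < 0) { perror("fork"); return -1; }
        if (pids[i] == 0) {
            close(result[0]);
            int c = accept(lfd, NULL, NULL);            /* every child blocks here */
            if (c >= 0) {
                char tag = (char)('0' + i);
                (void)write(result[1], &tag, 1);        /* report "child i got it" */
                close(c);
            }
            _exit(0);
        }
    }
    close(result[1]);
    usleep(100000);                                     /* let all children reach accept() */

    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&sa, sizeof sa) < 0) perror("connect");
    usleep(100000);                                     /* time for the woken child to report */
    if (cfd >= 0) close(cfd);

    /* Children still asleep in accept() hold the pipe open, so stop them first,
     * then drain the reports until EOF. */
    for (int i = 0; i < nchildren; i++) kill(pids[i], SIGKILL);
    for (int i = 0; i < nchildren; i++) waitpid(pids[i], NULL, 0);
    int got = 0;
    char tag;
    while (read(result[0], &tag, 1) == 1) got++;
    close(result[0]);
    close(lfd);
    return got;
}

int main(void)
{
    int got = accept_after_fork(4);
    printf("%d of 4 children returned from accept()\n", got);
    return got == 1 ? 0 : 1;
}
```

The result is one regardless of the number of children: even if more than one were woken, only one queued connection exists, and the rest go back to sleep inside accept(). The picture changes if the children wait in select() or poll() before calling accept(): those waits are not exclusive, so every child wakes and all but one then lose the race (blocking again, or getting EAGAIN on a non-blocking socket), the classic thundering herd.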
cpuuser - (C source) (Directory)
Simple program that tries to keep the CPU usage of the process at a specified, fixed amount. CPU usage is measured over a fixed, given time window, during which the process alternately executes a dummy loop and then sleeps. Uses the rdtsc (read time-stamp counter) instruction.