2gW94/GoodbyeDPI
1
0
Fork 0
mirror of https://github.com/ValdikSS/GoodbyeDPI.git synced 2025-12-17 21:04:36 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: 2gW94:0.0.2
Branches Tags
2gW94:master 2gW94:more-fakes 2gW94:EgorWeders-patch-1 2gW94:quic_block 2gW94:test_windres 2gW94:openvpn 2gW94:windivert2 2gW94:masterv6 2gW94:ipv6 2gW94:windivert-test
2gW94:0.2.3rc3 2gW94:0.2.3rc2 2gW94:0.2.3rc1 2gW94:0.2.2 2gW94:0.2.1 2gW94:0.2.0 2gW94:0.1.8 2gW94:0.1.7 2gW94:0.1.6 2gW94:0.1.5 2gW94:0.1.5rc3 2gW94:0.1.5rc2 2gW94:0.1.5rc1 2gW94:0.1.4 2gW94:0.1.3 2gW94:0.1.2 2gW94:0.1.2rc3 2gW94:0.1.2rc2 2gW94:0.1.2rc1 2gW94:0.1.1 2gW94:0.1.0 2gW94:0.0.9 2gW94:0.0.8 2gW94:0.0.7 2gW94:0.0.6 2gW94:0.0.5 2gW94:0.0.4 2gW94:0.0.3 2gW94:0.0.2 2gW94:0.0.1
...
compare: 2gW94:0.1.5
Branches Tags
2gW94:master 2gW94:more-fakes 2gW94:EgorWeders-patch-1 2gW94:quic_block 2gW94:test_windres 2gW94:openvpn 2gW94:windivert2 2gW94:masterv6 2gW94:ipv6 2gW94:windivert-test
2gW94:0.2.3rc3 2gW94:0.2.3rc2 2gW94:0.2.3rc1 2gW94:0.2.2 2gW94:0.2.1 2gW94:0.2.0 2gW94:0.1.8 2gW94:0.1.7 2gW94:0.1.6 2gW94:0.1.5 2gW94:0.1.5rc3 2gW94:0.1.5rc2 2gW94:0.1.5rc1 2gW94:0.1.4 2gW94:0.1.3 2gW94:0.1.2 2gW94:0.1.2rc3 2gW94:0.1.2rc2 2gW94:0.1.2rc1 2gW94:0.1.1 2gW94:0.1.0 2gW94:0.0.9 2gW94:0.0.8 2gW94:0.0.7 2gW94:0.0.6 2gW94:0.0.5 2gW94:0.0.4 2gW94:0.0.3 2gW94:0.0.2 2gW94:0.0.1

85 Commits
0.0.2 ... 0.1.5

Author SHA1 Message Date
ValdikSS
1c7fe5f843 Use newlines for current options information 2019-01-03 16:10:26 +03:00
ValdikSS
46db057662 Add version number into greeting message 2019-01-03 16:10:26 +03:00
ValdikSS
b95c45ee62 Update README.md 2018-10-14 18:24:36 +03:00
ValdikSS
39507e66e0 Update README.md 2018-07-24 15:54:55 +03:00
ValdikSS
c4d0ba1297 Skip impostor and loopback packets. Fixes #53. 2018-07-24 15:49:50 +03:00
ValdikSS
d6c2b825aa Update README.md 2018-07-20 16:37:19 +03:00
ValdikSS
aad03f2e4a Enable PIE, High Entropy ASLR and add more warnings to Makefile 2018-07-19 21:31:38 +03:00
ValdikSS
a028cb01f4 WinDivert 1.4 support 2018-07-19 21:31:38 +03:00
ValdikSS
38b1ff1a92 Fix -f and -e options 2018-07-19 21:31:37 +03:00
ValdikSS
3bd92d67ac Merge pull request #83 from KOLANICH/editorconfig 
Added .editorconfig
 2018-06-26 22:08:15 +03:00
KOLANICH
464bbcbb6b Added .editorconfig 2018-05-16 18:35:31 +03:00
ValdikSS
50e70ace76 Handle HTTP redirects within IPv6 Flow Label = 0x00 packets 2018-02-17 18:26:16 +03:00
ValdikSS
135c97ae69 Move program source code to src directory 2018-02-17 15:22:38 +03:00
ValdikSS
c377119136 Update README.md 2018-02-17 15:21:51 +03:00
ValdikSS
185a0e0211 Merge branch 'ipv6' into masterv6 2018-02-16 23:36:26 +03:00
ValdikSS
860f483ac3 IPv6 DNS redirection 2018-02-16 19:45:55 +03:00
ValdikSS
3d36127f5b Handle IPv6 packets and prepare for IPv6 DNS redirection 2018-02-16 17:35:24 +03:00
ValdikSS
aa28d3e12a Make sure to search DLLs only in safe path, not in current working dir 2018-02-15 15:41:28 +03:00
ValdikSS
dc4d0a36d9 Update README.md 2018-01-21 14:37:05 +03:00
ValdikSS
cc770d302c Add GoodbyeDPI Github link to the welcome message. 2018-01-21 14:36:41 +03:00
ValdikSS
2e23d93762 New option: --ip-id. Handles additional IP ID numbers of passive DPI. 2018-01-21 14:35:30 +03:00
ValdikSS
14ae107b53 Handle only IP IDs in [0x0; 0xF] (or→and) 2018-01-21 13:03:15 +03:00
ValdikSS
1bdfbb8c45 Move active filter template and passive filter to defines 2018-01-21 12:25:22 +03:00
ValdikSS
5eddb5f18a Fix crash on error (free→LocalFree) and print KB3033929 message 2018-01-21 01:28:17 +03:00
ValdikSS
f638e23ab6 Fix build with -DDEBUG 2018-01-21 01:27:55 +03:00
ValdikSS
8e7f4ff505 Properly exclude Teredo 2017-12-25 00:05:28 +03:00
ValdikSS
bb8fc64f18 Handle ip.id up to 0xF. 
Some DPI send several TCP RST or HTTP redirection packets with
increasing IP ID number. Handle them all.
 2017-12-24 20:37:49 +03:00
ValdikSS
490525387d Remove unused string 2017-12-24 20:28:25 +03:00
ValdikSS
5e9e1f0eb6 Preliminary IPv6 support. 
No IPv6 support in DNS redirection code. IPv6 DNS request packets
would be dropped.
 2017-12-24 20:21:32 +03:00
ValdikSS
3ffce30871 Minor modifications. 
* puts() instead of printf("%s")
* strdup() instead of malloc + strcpy
 2017-12-24 20:19:18 +03:00
ValdikSS
eaac2d1a80 Minor service fixes 2017-12-21 23:52:23 +03:00
ValdikSS
ccd21a4281 ntohs -> htons (they produce the same output, but still) 2017-12-21 23:50:07 +03:00
ValdikSS
23babdc8fa Windows Service support. 
Program can now be started as a Windows Service. No additional
arguments needed. Refer to `service_install` and `service_remove`
scripts in released zip file.
 2017-12-20 17:03:22 +03:00
ValdikSS
95765f3ed9 Store fragment_size_message as a pointer 2017-12-20 17:01:21 +03:00
ValdikSS
a5b185c2a9 Set proper options if started without arguments 2017-12-20 12:36:21 +03:00
ValdikSS
c9cd3ac8c7 Fix signed/unsigned integer comparison warning for HTTP fragmentation 2017-12-20 04:05:28 +03:00
ValdikSS
fab9662ac9 Use WinDivert TCP Header structure to change Window Size 2017-12-20 04:04:40 +03:00
ValdikSS
a88ab4337e Apply HTTP Persistent fragmentation only for sufficiently large packets 2017-12-20 03:33:30 +03:00
ValdikSS
582503452f Implement TCP fragmentation for HTTP Persistent (keep-alive) sessions. 
New option `-k` splits HTTP request into two segments, and either
send only the first one (Windows would retransmit the other one
based on ACK number in ACK reply) or both (with `-n` enabled).

This fixes behaviour on some DPI which trace persistent sessions
but do not reassemble packages.
 2017-12-20 02:10:59 +03:00
ValdikSS
03e36b968a Free allocated error message string 2017-12-20 01:48:38 +03:00
ValdikSS
312d2b1d55 Remove unused IPV4_TOTALLEN_OFFSET 2017-12-20 01:48:20 +03:00
ValdikSS
6827b6ad51 Do not add hostnames less than 4 characters long 2017-12-17 01:46:32 +03:00
ValdikSS
60e87f769a Minor modifications 2017-12-17 00:28:11 +03:00
ValdikSS
bfed8638e5 Implement blacklist. 
Only domains and subdomains from the blacklist file would be processed
with HTTP modifications. Does not affect HTTPS data.
 2017-12-17 00:26:11 +03:00
ValdikSS
72516c0b2b Add information about --dns-verb option 2017-12-16 20:24:40 +03:00
ValdikSS
f11ca2400c Fix memory leak in dnsredir 2017-12-16 17:53:06 +03:00
ValdikSS
dd4d6bc5c6 Do not print DNS warnings by default and drop duplicate requests. 
Windows is known to use all available interfaces for DNS requests,
which is handled as a duplicate (retransmission) in dns redirector.

It's safe to just drop these duplicates.
 2017-12-16 14:30:42 +03:00
R4SAS
30bb1a665a make it more usable with MSYS and linux MinGW both (#48) 
* make it more usable

* update README
 2017-12-13 18:13:54 +04:00
ValdikSS
5f231996d4 Fix incorrect host header memmove()s. Fixes #47 2017-12-13 01:42:29 +03:00
ValdikSS
81718f1a53 Small fix for dnsredir 2017-12-10 20:44:50 +03:00
ValdikSS
064cf575b6 Parse DNS packet only when DNS redirection is enabled 2017-12-09 02:36:45 +03:00
ValdikSS
a67f42eebc Use defined HOST_MAXLEN 2017-12-07 22:38:41 +03:00
ValdikSS
363b2dca37 Flush DNS cache if --dns-addr is used 2017-12-07 22:38:21 +03:00
ValdikSS
1e8835cfe5 Small fixes 2017-12-07 13:03:01 +03:00
ValdikSS
c6c071e35f Update README.md 2017-12-06 03:21:07 +03:00
ValdikSS
a182f52207 New experimental feature: UDP DNS redirection 2017-12-06 03:09:58 +03:00
ValdikSS
61e39bc095 New feature: additional processed TCP ports 2017-12-06 03:07:16 +03:00
ValdikSS
9b9be302cb New option "-w": try to find and parse HTTP traffic on all processed ports (not only on port 80) 2017-12-06 03:07:11 +03:00
ValdikSS
c7905f0b31 Mix HTTP Host header value 2017-12-04 22:06:46 +03:00
ValdikSS
da1e2e8aac Serious refactoring 2017-12-04 22:01:25 +03:00
ValdikSS
87c354addf Update Makefile 2017-09-07 17:35:57 +03:00
ValdikSS
9fa2956065 Calculate checksums even there's no packet modifications. 2017-09-07 17:35:25 +03:00
ValdikSS
2f0429027d Small refactoring 2017-09-04 22:14:17 +03:00
ValdikSS
feb03c74c8 Print message of HTTP fragmentation > 2 incompatibility. 
We can't reliably distinguish HTTP data from other data on port 80 when fragmentation is used.
HTTP method code has a special case which tries to find HTTP method when fragmentation = 1 or 2 is used,
but not for other values.
 2017-08-28 11:46:59 +03:00
ValdikSS
4c13435ee3 Handle Host header after User-Agent header in the HTTP packet. Fixes #29. 
Most browsers would put Host header as early as they could, but not Microsoft Edge.
 2017-08-28 11:45:05 +03:00
ValdikSS
ee665ee3bd Search for HTTP methods in fragmented packets with Window Size 1 or 2. Fixes #30. 2017-08-28 11:43:55 +03:00
ValdikSS
00e4964e73 Remove webdav HTTP methods. They are rarely used and less probably filtered. 2017-08-28 11:42:30 +03:00
ValdikSS
2fe377a23f Do not handle traffic from private IP ranges 2017-08-15 14:09:47 +03:00
ValdikSS
b74c974235 Print error message if filter initialization fails 2017-08-15 14:09:06 +03:00
ValdikSS
96fb5f9516 Block passive DPI packets only with "Connection: close". Fixes #17. 
Some servers set "don't fragment" flag and never increase TCP ID
field. If they send HTTP redirection to another website, it would
be blocked by the program.
This is a hack to block redirects only with "Connection: close"
header as presumably legal redirects are most likely would
use keep-alive.
 2017-08-15 08:28:25 +03:00
ValdikSS
c1ca4f9804 Merge pull request #10 from beatcracker/patch-1 
Fixed typos
 2017-07-10 20:01:56 +04:00
beatcracker
13261e1a92 Fixed typos 2017-07-10 18:44:56 +03:00
ValdikSS
4387e7c690 Merge pull request #7 from pash7ka/patch-2 
bugfix: wrong config file name
 2017-06-14 12:23:33 +04:00
Pavel Rubin
08902b9a57 bugfix: wrong config file name 2017-06-14 02:13:39 +03:00
ValdikSS
f5ac7c0d67 Change TCP Window Size based on SrcPort, not DstPort. 
When HTTPS fragment size was set, the program always used it for HTTP, even
if HTTP fragmentation was disabled. This is due to a bug which checked DstPort,
not SrcPort, and the packets passed DstPort != htons(80) HTTPS check.
 2017-06-11 21:50:22 +03:00
ValdikSS
2a5e4a071b Create README.md 2017-06-11 08:35:15 +03:00
Pavel Rubin
ae3abff0b2 Update README.md 
Guide to install as a windows service
 2017-06-04 19:22:33 +03:00
ValdikSS
d9e27f193c Reimplement -s option to fix unACKed data 
Old code used to reduce packet size by one byte to remove space in
HTTP Host header. This introduces one unACKed byte which OS later
tried to send to the host. This byte was \n (the last byte in original
packet) which broke POST requests.

New code in this commit moves "stolen" space in the end of User-Agent
header value and do not reduce packet size anymore.
User-Agent value is used because not all web servers are compatible
with additional space in the end of Host value.

Fix #3
 2017-05-25 00:25:21 +03:00
ValdikSS
c721ab0506 Always check for valid HTTP method before any modifications 2017-05-25 00:18:01 +03:00
ValdikSS
70765fa895 New option: additional space between Method and Request-URI (enables -s, may break sites) 2017-05-23 13:30:46 +03:00
ValdikSS
a2d5be1eed const char for window size function 2017-05-23 13:23:20 +03:00
ValdikSS
f08bbcc36e Update Readme 2017-05-20 12:27:43 +03:00
ValdikSS
30fd25bc24 Replace char* with const char* where appropriate 2017-05-20 12:25:20 +03:00
ValdikSS
9fea771d2c Less invasive Passive DPI block. Fix #2. 2017-05-20 12:24:29 +03:00
ValdikSS
bb05d357a7 Fix for getopt -4 2017-05-18 00:12:49 +03:00
21 changed files with 2996 additions and 346 deletions
Expand all files Collapse all files

8
.editorconfig Normal file
View File

@@ -0,0 +1,8 @@
root = true
[*]
charset = utf-8
indent_style = space
indent_size = 4
insert_final_newline = true
end_of_line = lf

33
Makefile
View File

@@ -1,33 +0,0 @@
CPREFIX = x86_64-w64-mingw32
WINDIVERTHEADERS = ../../include
WINDIVERTLIBS = ../binary
TARGET = goodbyedpi.exe
LIBS = -L $(WINDIVERTLIBS) -lWinDivert -lws2_32
CC = $(CPREFIX)-gcc
CCWINDRES = $(CPREFIX)-windres
CFLAGS = -Wall -I $(WINDIVERTHEADERS) -L $(WINDIVERTLIBS) \
-O2 -fPIE -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
.PHONY: default all clean
default: manifest $(TARGET)
all: default
OBJECTS = $(patsubst %.c, %.o, $(wildcard *.c)) goodbyedpi-rc.o
HEADERS = $(wildcard *.h)
%.o: %.c $(HEADERS)
$(CC) $(CFLAGS) -c $< -o $@
manifest:
$(CCWINDRES) goodbyedpi-rc.rc goodbyedpi-rc.o
.PRECIOUS: $(TARGET) $(OBJECTS)
$(TARGET): $(OBJECTS)
$(CC) $(OBJECTS) -Wall $(LIBS) -s -o $@
clean:
-rm -f *.o
-rm -f $(TARGET)

52
README.md
View File

@@ -16,16 +16,33 @@ Usage: goodbyedpi.exe [OPTION...]
-p block passive DPI -p block passive DPI
-r replace Host with hoSt -r replace Host with hoSt
-s remove space between host header and its value -s remove space between host header and its value
-m mix Host header case (test.com -> tEsT.cOm)
-f [value] set HTTP fragmentation to value -f [value] set HTTP fragmentation to value
-k [value] enable HTTP persistent (keep-alive) fragmentation and set it to value
-n do not wait for first segment ACK when -k is enabled
-e [value] set HTTPS fragmentation to value -e [value] set HTTPS fragmentation to value
-a additional space between Method and Request-URI (enables -s, may break sites)
-w try to find and parse HTTP traffic on all processed ports (not only on port 80)
--port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w)
--ip-id [value] handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
This option can be supplied multiple times.
--dns-addr [value] redirect UDP DNS requests to the supplied IP address (experimental)
--dns-port [value] redirect UDP DNS requests to the supplied port (53 by default)
--dnsv6-addr [value] redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)
--dnsv6-port [value] redirect UDPv6 DNS requests to the supplied port (53 by default)
--dns-verb print verbose DNS redirection messages
--blacklist [txtfile] perform HTTP tricks only to host names and subdomains from
supplied text file. This option can be supplied multiple times.
-1 enables all options, -f 2 -e 2 (most compatible mode, default) -1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode, default)
-2 enables all options, -f 2 -e 40 (better speed yet still compatible) -2 -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)
-3 all options except HTTP fragmentation, -e 40 (even better speed) -3 -p -r -s -e 40 (better speed for HTTP and HTTPS)
-4 all options except fragmentation (best speed) -4 -p -r -s (best speed)
``` ```
Try to run `goodbyedpi.exe` without any arguments first. If you can open blocked websites it means your ISP has DPI which can be circumvented. This is the slowest mode. To check if your ISP's DPI could be circumvented, run `3_all_dnsredir_hardcore.cmd` first. This is the most hardcore mode which will show if this program is suitable for your ISP and DPI vendor at all. If you can open blocked websites with this mode, it means your ISP has DPI which can be circumvented. This is the slowest and prone to break websites mode, but suitable for most DPI.
Try `goodbyedpi -1` to see if it works too.
Then try `goodbyedpi.exe -2`. It should be faster for HTTPS sites. Mode `-3` speed ups HTTP websites. Then try `goodbyedpi.exe -2`. It should be faster for HTTPS sites. Mode `-3` speed ups HTTP websites.
@@ -35,17 +52,20 @@ Use `goodbyedpi.exe -4` if it works for your ISP's DPI. This is the fastest mode
### Passive DPI ### Passive DPI
Most Passive DPI send HTTP 301 Redirect if you try to access blocked website over HTTP and TCP Reset in case of HTTPS, faster than destination website. Packets sent by DPI have always have IP Identification field equal to `0x0000` or `0x0001`, as seen with Russian providers. These packets are blocked by GoodbyeDPI. Most Passive DPI send HTTP 302 Redirect if you try to access blocked website over HTTP and TCP Reset in case of HTTPS, faster than destination website. Packets sent by DPI usually have IP Identification field equal to `0x0000` or `0x0001`, as seen with Russian providers. These packets, if they redirect you to another website (censorship page), are blocked by GoodbyeDPI.
### Active DPI ### Active DPI
Active DPI is more tricky to fool. Currently the software uses 3 methods to circumvent Active DPI: Active DPI is more tricky to fool. Currently the software uses 6 methods to circumvent Active DPI:
* TCP-level fragmentation for first data packet * TCP-level fragmentation for first data packet
* TCP-level fragmentation for persistent (keep-alive) HTTP sessions
* Replacing `Host` header with `hoSt` * Replacing `Host` header with `hoSt`
* Removing space between header name and value in `Host` header * Removing space between header name and value in `Host` header
* Adding additional space between HTTP Method (GET, POST etc) and URI
* Mixing case of Host header value
These methods do not break any website as are fully compatible with TCP and HTTP standards, yet it's sufficient to prevent DPI data classification and to circumvent censorship. These methods should not break any website as they're fully compatible with TCP and HTTP standards, yet it's sufficient to prevent DPI data classification and to circumvent censorship. Additional space may break some websites, although it's acceptable by HTTP/1.1 specification (see 19.3 Tolerant Applications).
The program loads WinDivert driver which uses Windows Filtering Platform to set filters and redirect packets to the userspace. It's running as long as console window is visible and terminates when you close the window. The program loads WinDivert driver which uses Windows Filtering Platform to set filters and redirect packets to the userspace. It's running as long as console window is visible and terminates when you close the window.
@@ -55,11 +75,23 @@ This project can be build using **GNU Make** and [**mingw**](https://mingw-w64.o
To build x86 exe run: To build x86 exe run:
`make CPREFIX=i686-w64-mingw32 WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/x86` `make CPREFIX=i686-w64-mingw32- WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/x86`
And for x86_64: And for x86_64:
`make CPREFIX=x86_64-w64-mingw32 WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/amd64` `make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/amd64`
# How to install as Windows Service
Use `service_install_russia_blacklist.cmd`, `service_install_russia_blacklist_dnsredir.cmd` and `service_remove.cmd` scripts.
Modify them according to your own needs.
# Known issues
* Horribly outdated Windows 7 installations are not able to load WinDivert driver due to missing support for SHA256 digital signatures. Install [KB3033929](https://www.microsoft.com/en-us/download/details.aspx?id=46078), or better, update the whole system using Windows Update.
* Some SSL/TLS stacks unable to process fragmented ClientHello packets, and HTTPS websites won't open. Bug: [#4](https://github.com/ValdikSS/GoodbyeDPI/issues/4), [#64](https://github.com/ValdikSS/GoodbyeDPI/issues/64).
* ESET Antivirus is incompatible with WinDivert driver [#91](https://github.com/ValdikSS/GoodbyeDPI/issues/91). This is most probably antivirus bug, not WinDivert.
# Similar projects # Similar projects

300
goodbyedpi.c
View File

@@ -1,300 +0,0 @@
/*
* GoodbyeDPI — Passive DPI blocker and Active DPI circumvention utility.
*/
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>
#include <winsock2.h>
#include "windivert.h"
#define die() do { printf("Something went wrong!\n" \
"Make sure you're running this program with administrator privileges\n"); \
sleep(10); exit(EXIT_FAILURE); } while (0)
#define MAX_FILTERS 4
#define MAX_PACKET_SIZE 1516
#define IPV4_HDR_LEN 20
#define TCP_HDR_LEN 20
#define IPV4_TOTALLEN_OFFSET 2
#define TCP_WINDOWSIZE_OFFSET 14
static HANDLE filters[MAX_FILTERS];
static int filter_num = 0;
static const char *http_redirect_10 = "HTTP/1.0 30";
static const char *http_redirect_11 = "HTTP/1.1 30";
static const char *http_host_find = "\r\nHost: ";
static const char *http_host_replace = "\r\nhoSt: ";
static char* dumb_memmem(char* haystack, int hlen, char* needle, int nlen) {
// naive implementation
if (nlen > hlen) return 0;
int i;
for (i=0; i<hlen-nlen+1; i++) {
if (memcmp(haystack+i,needle,nlen)==0) {
return haystack+i;
}
}
return NULL;
}
static HANDLE init(char *filter, UINT64 flags) {
filter = WinDivertOpen(filter, WINDIVERT_LAYER_NETWORK, 0, flags);
if (filter != INVALID_HANDLE_VALUE)
return filter;
return NULL;
}
static int deinit(HANDLE handle) {
if (handle) {
WinDivertClose(handle);
return 1;
}
return 0;
}
static void deinit_all() {
for (int i = 0; i < filter_num; i++) {
deinit(filters[i]);
}
}
static void sigint_handler(int sig) {
deinit_all();
exit(EXIT_SUCCESS);
}
static int find_passivedpi_redirect(char *pktdata) {
if (memcmp(pktdata, http_redirect_11, strlen(http_redirect_11)) == 0
|| memcmp(pktdata, http_redirect_10, strlen(http_redirect_10)) == 0) {
return 1;
}
return 0;
}
/* Finds Host header with \r\n before it */
static PVOID find_host_header(char *pktdata, int pktlen) {
return dumb_memmem(pktdata, pktlen,
(char*)http_host_find, strlen(http_host_find));
}
static void change_window_size(char *pkt, int size) {
*(uint16_t*)(pkt + IPV4_HDR_LEN + TCP_WINDOWSIZE_OFFSET) = htons(size);
}
int main(int argc, char *argv[]) {
static const char fragment_size_message[] =
"Fragment size should be in range [0 - 65535]\n";
int i, should_reinject = 0;
int opt;
HANDLE w_filter = NULL;
WINDIVERT_ADDRESS addr;
char packet[MAX_PACKET_SIZE];
PVOID packet_data;
UINT packetLen;
UINT packet_dataLen;
PWINDIVERT_IPHDR ppIpHdr;
PWINDIVERT_TCPHDR ppTcpHdr;
int do_passivedpi = 0, do_fragment_http = 0,
do_fragment_https = 0, do_host = 0,
do_host_removespace = 0;
int http_fragment_size = 2;
int https_fragment_size = 2;
char *data_addr, *data_addr_rn, *host_addr;
int host_len, fromhost_uptoend_len;
printf("GoodbyeDPI: Passive DPI blocker and Active DPI circumvention utility\n");
if (argc == 1) {
/* enable mode -1 by default */
do_passivedpi = do_host = do_host_removespace \
= do_fragment_http = do_fragment_https = 1;
}
while ((opt = getopt(argc, argv, "123prsf:e:")) != -1) {
switch (opt) {
case '1':
do_passivedpi = do_host = do_host_removespace \
= do_fragment_http = do_fragment_https = 1;
break;
case '2':
do_passivedpi = do_host = do_host_removespace \
= do_fragment_http = do_fragment_https = 1;
https_fragment_size = 40;
break;
case '3':
do_passivedpi = do_host = do_host_removespace \
= do_fragment_https = 1;
https_fragment_size = 40;
case '4':
do_passivedpi = do_host = do_host_removespace = 1;
break;
case 'p':
do_passivedpi = 1;
break;
case 'r':
do_host = 1;
break;
case 's':
do_host_removespace = 1;
break;
case 'f':
do_fragment_http = 1;
http_fragment_size = atoi(optarg);
if (http_fragment_size <= 0 || http_fragment_size > 65535) {
printf(fragment_size_message);
exit(EXIT_FAILURE);
}
break;
case 'e':
do_fragment_https = 1;
https_fragment_size = atoi(optarg);
if (https_fragment_size <= 0 || https_fragment_size > 65535) {
printf(fragment_size_message);
exit(EXIT_FAILURE);
}
break;
default:
printf("Usage: goodbyedpi.exe [OPTION...]\n"
" -p block passive DPI\n"
" -r replace Host with hoSt\n"
" -s remove space between host header and its value\n"
" -f [value] set HTTP fragmentation to value\n"
" -e [value] set HTTPS fragmentation to value\n"
"\n"
" -1 enables all options, -f 2 -e 2 (most compatible mode, default)\n"
" -2 enables all options, -f 2 -e 40 (better speed yet still compatible)\n"
" -3 all options except HTTP fragmentation, -e 40 (even better speed)\n"
" -4 all options except fragmentation (best speed)\n");
exit(EXIT_FAILURE);
}
}
printf("Block passive: %d, Fragment HTTP: %d, Fragment HTTPS: %d, "
"hoSt: %d, Host no space: %d\n",
do_passivedpi, (do_fragment_http ? http_fragment_size : 0),
(do_fragment_https ? https_fragment_size : 0),
do_host, do_host_removespace);
printf("\nOpening filter\n");
filter_num = 0;
if (do_passivedpi) {
/* Filter for inbound RST packets with ID = 0 or 1 */
filters[filter_num] = init("inbound and (ip.Id == 0x0001 or ip.Id == 0x0000) and "
"(tcp.SrcPort == 443 or tcp.SrcPort == 80) and tcp.Rst",
WINDIVERT_FLAG_DROP);
filter_num++;
}
/*
* Filter for inbound HTTP redirection packets and
* active DPI circumvention
*/
filters[filter_num] = init("(inbound and (ip.Id == 0x0001 or ip.Id == 0x0000) and tcp.SrcPort == 80 and tcp.Ack) "
"or (inbound and (tcp.SrcPort == 80 or tcp.SrcPort == 443) and tcp.Ack and tcp.Syn) "
"or (outbound and (tcp.DstPort == 80 or tcp.DstPort == 443) and tcp.Ack)",
0);
w_filter = filters[filter_num];
filter_num++;
for (i = 0; i < filter_num; i++) {
if (filters[i] == NULL)
die();
}
printf("Filter activated!\n");
signal(SIGINT, sigint_handler);
while (1) {
if (WinDivertRecv(w_filter, packet, sizeof(packet), &addr, &packetLen)) {
//printf("Got %s packet, len=%d!\n", addr.Direction ? "inbound" : "outbound",
// packetLen);
should_reinject = 1;
if (WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen)) {
//printf("Got parsed packet, len=%d!\n", packet_dataLen);
/* Got a packet WITH DATA */
/* Handle INBOUND packet with data and find HTTP REDIRECT in there */
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND && packet_dataLen > 16) {
/* If INBOUND packet with DATA (tcp.Ack) */
/* Drop packets from filter with HTTP 30x Redirect */
if (do_passivedpi && find_passivedpi_redirect(packet_data)) {
//printf("Dropping HTTP Redirect packet!\n");
should_reinject = 0;
}
}
/* Handle OUTBOUND packet, search for Host header */
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
packet_dataLen > 16 && ppTcpHdr->DstPort == htons(80) &&
(do_host || do_host_removespace)) {
data_addr = find_host_header(packet_data, packet_dataLen);
if (do_host && data_addr) {
/* Replace "Host: " with "hoSt: " */
memcpy(data_addr, http_host_replace, strlen(http_host_replace));
//printf("Replaced Host header!\n");
}
if (do_host_removespace && data_addr) {
host_addr = data_addr + strlen(http_host_find);
fromhost_uptoend_len = packet_dataLen - ((PVOID)host_addr - packet_data);
data_addr_rn = dumb_memmem(host_addr,
fromhost_uptoend_len,
"\r\n", 2);
if (data_addr_rn) {
host_len = data_addr_rn - host_addr;
if (host_len <= 64) {
/* Move memory left by 1 byte and reduce packet size for 1 byte */
memmove(host_addr - 1, host_addr, fromhost_uptoend_len);
/* Reduce "Total Length" in IP header by 1 byte */
*(uint16_t*)(packet + IPV4_TOTALLEN_OFFSET) = ntohs(
htons(*(uint16_t*)(packet + IPV4_TOTALLEN_OFFSET)) - 1);
/* Reduce packetLen by 1 byte */
packetLen--;
//printf("Replaced Host header!\n");
}
}
}
WinDivertHelperCalcChecksums(packet, packetLen, 0);
}
}
/* Else if we got TCP packet without data */
else if (WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
NULL, NULL, NULL, &ppTcpHdr, NULL, NULL, NULL)) {
/* If we got SYN+ACK packet */
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND &&
ppTcpHdr->Syn == 1) {
//printf("Changing Window Size!\n");
if (do_fragment_http && ppTcpHdr->DstPort == htons(80)) {
change_window_size(packet, http_fragment_size);
WinDivertHelperCalcChecksums(packet, packetLen, 0);
}
else if (do_fragment_https && ppTcpHdr->DstPort != htons(80)) {
change_window_size(packet, https_fragment_size);
WinDivertHelperCalcChecksums(packet, packetLen, 0);
}
}
}
if (should_reinject) {
//printf("Re-injecting!\n");
WinDivertSend(w_filter, packet, packetLen, &addr, NULL);
}
}
else {
// error, ignore
printf("Error receiving packet!\n");
break;
}
}
}

50
src/Makefile Normal file
View File

@@ -0,0 +1,50 @@
ifndef MSYSTEM
CPREFIX = x86_64-w64-mingw32-
endif
WINDIVERTHEADERS = ../../../include
WINDIVERTLIBS = ../../binary
MINGWLIB = /usr/x86_64-w64-mingw32/lib/
TARGET = goodbyedpi.exe
# Linking SSP does not work for some reason, the executable doesn't start.
#LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32
CC = $(CPREFIX)gcc
CCWINDRES = $(CPREFIX)windres
CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
-O2 -D_FORTIFY_SOURCE=2 \
-Wall -Wextra -Wpedantic -Wformat=2 -Wshadow -Wstrict-aliasing=1 -Werror=format-security \
-Wfloat-equal -Wcast-align -Wsign-conversion \
#-fstack-protector-strong
LDFLAGS = -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
-Wl,--image-base,0x140000000 -Wl,--disable-auto-image-base
ifdef BIT64
LDFLAGS += -Wl,--high-entropy-va -Wl,--pic-executable,-e,mainCRTStartup
else
LDFLAGS += -Wl,--pic-executable,-e,_mainCRTStartup
endif
.PHONY: default all clean
default: manifest $(TARGET)
all: default
OBJECTS = $(patsubst %.c, %.o, $(wildcard *.c utils/*.c)) goodbyedpi-rc.o
HEADERS = $(wildcard *.h utils/*.h)
%.o: %.c $(HEADERS)
$(CC) $(CFLAGS) -c $< -o $@
manifest:
$(CCWINDRES) goodbyedpi-rc.rc goodbyedpi-rc.o
.PRECIOUS: $(TARGET) $(OBJECTS)
$(TARGET): $(OBJECTS)
$(CC) $(OBJECTS) $(LDFLAGS) $(LIBS) -s -o $@
clean:
-rm -f *.o utils/*.o
-rm -f $(TARGET)

110
src/blackwhitelist.c Normal file
View File

@@ -0,0 +1,110 @@
/*
* Blacklist for GoodbyeDPI HTTP DPI circumvention tricks
*
* This is a simple domain hash table.
* Domain records are added from a text file, where every
* domain is separated with a new line.
*/
#include <windows.h>
#include <stdio.h>
#include "goodbyedpi.h"
#include "utils/uthash.h"
#include "utils/getline.h"
typedef struct blackwhitelist_record {
const char *host;
UT_hash_handle hh; /* makes this structure hashable */
} blackwhitelist_record_t;
static blackwhitelist_record_t *blackwhitelist = NULL;
static int check_get_hostname(const char *host) {
blackwhitelist_record_t *tmp_record = NULL;
if (!blackwhitelist) return FALSE;
HASH_FIND_STR(blackwhitelist, host, tmp_record);
if (tmp_record) {
debug("check_get_hostname found host\n");
return TRUE;
}
debug("check_get_hostname host not found\n");
return FALSE;
}
static int add_hostname(const char *host) {
if (!host)
return FALSE;
int host_len = strlen(host);
blackwhitelist_record_t *tmp_record = malloc(sizeof(blackwhitelist_record_t));
char *host_c = malloc(host_len + 1);
if (!check_get_hostname(host)) {
strncpy(host_c, host, host_len);
host_c[host_len] = '\0';
tmp_record->host = host_c;
HASH_ADD_KEYPTR(hh, blackwhitelist, tmp_record->host,
strlen(tmp_record->host), tmp_record);
debug("Added host %s\n", host_c);
return TRUE;
}
debug("Not added host %s\n", host);
free(tmp_record);
free(host_c);
return FALSE;
}
int blackwhitelist_load_list(const char *filename) {
char *line = malloc(HOST_MAXLEN + 1);
size_t linelen = HOST_MAXLEN + 1;
int cnt = 0;
ssize_t read;
FILE *fp = fopen(filename, "r");
if (!fp) return FALSE;
while ((read = getline(&line, &linelen, fp)) != -1) {
/* works with both \n and \r\n */
line[strcspn(line, "\r\n")] = '\0';
if (strlen(line) > HOST_MAXLEN) {
printf("WARNING: host %s exceeds maximum host length and has not been added\n",
line);
continue;
}
if (strlen(line) < 4)
continue;
if (add_hostname(line))
cnt++;
}
free(line);
if (!blackwhitelist) return FALSE;
printf("Loaded %d hosts from file %s\n", cnt, filename);
fclose(fp);
return TRUE;
}
int blackwhitelist_check_hostname(const char *host_addr, int host_len) {
char current_host[HOST_MAXLEN + 1];
char *tokenized_host = NULL;
if (host_len > HOST_MAXLEN) return FALSE;
if (host_addr && host_len) {
memcpy(current_host, host_addr, host_len);
current_host[host_len] = '\0';
}
if (check_get_hostname(current_host))
return TRUE;
tokenized_host = strchr(current_host, '.');
while (tokenized_host != NULL && tokenized_host < (current_host + HOST_MAXLEN)) {
/* Search hostname only if there is next token */
if (strchr(tokenized_host + 1, '.') && check_get_hostname(tokenized_host + 1))
return TRUE;
tokenized_host = strchr(tokenized_host + 1, '.');
}
debug("____blackwhitelist_check_hostname FALSE: host %s\n", current_host);
return FALSE;
}

2
src/blackwhitelist.h Normal file
View File

@@ -0,0 +1,2 @@
int blackwhitelist_load_list(const char *filename);
int blackwhitelist_check_hostname(const char *host_addr, int host_len);

244
src/dnsredir.c Normal file
View File

@@ -0,0 +1,244 @@
/*
* DNS UDP Connection Tracker for GoodbyeDPI
*
* This is a simple connection tracker for DNS UDP data.
* It's not a proper one. The caveats as follows:
* * Uses only source IP address and port as a hash key;
* * One-shot only. Removes conntrack record as soon as gets the reply;
* * Does not properly parse DNS request and response, only checks some bytes;
*
* But anyway, it works fine for DNS.
*/
#include <windows.h>
#include <time.h>
#include <stdio.h>
#include "goodbyedpi.h"
#include "dnsredir.h"
#include "utils/uthash.h"
/* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + srcport[2]) */
#define UDP_CONNRECORD_KEY_LEN 19
#define DNS_CLEANUP_INTERVAL_SEC 30
/* HACK!
* uthash uses strlen() for HASH_FIND_STR.
* We have null bytes in our key, so we can't use strlen()
* And since it's always UDP_CONNRECORD_KEY_LEN bytes long,
* we don't need to use any string function to determine length.
*/
#undef uthash_strlen
#define uthash_strlen(s) UDP_CONNRECORD_KEY_LEN
typedef struct udp_connrecord {
/* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + srcport[2]) */
char key[UDP_CONNRECORD_KEY_LEN];
time_t time; /* time when this record was added */
uint32_t dstip[4];
uint16_t dstport;
UT_hash_handle hh; /* makes this structure hashable */
} udp_connrecord_t;
static time_t last_cleanup = 0;
static udp_connrecord_t *conntrack = NULL;
void flush_dns_cache() {
BOOL WINAPI (*DnsFlushResolverCache)();
HMODULE dnsapi = LoadLibrary("dnsapi.dll");
if (dnsapi == NULL)
{
printf("Can't load dnsapi.dll to flush DNS cache!\n");
exit(EXIT_FAILURE);
}
DnsFlushResolverCache = (void*)GetProcAddress(dnsapi, "DnsFlushResolverCache");
if (DnsFlushResolverCache == NULL || !DnsFlushResolverCache())
printf("Can't flush DNS cache!");
FreeLibrary(dnsapi);
}
inline static void fill_key_data(char *key, const uint8_t is_ipv6, const uint32_t srcip[4],
const uint16_t srcport)
{
if (is_ipv6) {
*(uint8_t*)(key) = '6';
ipv6_copy_addr((uint32_t*)(key + sizeof(uint8_t)), srcip);
}
else {
*(uint8_t*)(key) = '4';
ipv4_copy_addr((uint32_t*)(key + sizeof(uint8_t)), srcip);
}
*(uint16_t*)(key + sizeof(uint8_t) + sizeof(uint32_t) * 4) = srcport;
}
inline static void fill_data_from_key(uint8_t *is_ipv6, uint32_t srcip[4], uint16_t *srcport,
const char *key)
{
if (key[0] == '6') {
*is_ipv6 = 1;
ipv6_copy_addr(srcip, (uint32_t*)(key + sizeof(uint8_t)));
}
else {
*is_ipv6 = 0;
ipv4_copy_addr(srcip, (uint32_t*)(key + sizeof(uint8_t)));
}
*srcport = *(uint16_t*)(key + sizeof(uint8_t) + sizeof(uint32_t) * 4);
}
inline static void construct_key(const uint32_t srcip[4], const uint16_t srcport,
char *key, int is_ipv6)
{
debug("Construct key enter\n");
if (key) {
debug("Constructing key\n");
fill_key_data(key, is_ipv6, srcip, srcport);
}
debug("Construct key end\n");
}
inline static void deconstruct_key(const char *key, const udp_connrecord_t *connrecord,
conntrack_info_t *conn_info)
{
debug("Deconstruct key enter\n");
if (key && conn_info) {
debug("Deconstructing key\n");
fill_data_from_key(&conn_info->is_ipv6, conn_info->srcip,
&conn_info->srcport, key);
if (conn_info->is_ipv6)
ipv6_copy_addr(conn_info->dstip, connrecord->dstip);
else
ipv4_copy_addr(conn_info->dstip, connrecord->dstip);
conn_info->dstport = connrecord->dstport;
}
debug("Deconstruct key end\n");
}
static int check_get_udp_conntrack_key(const char *key, udp_connrecord_t **connrecord) {
udp_connrecord_t *tmp_connrecord = NULL;
if (!conntrack) return FALSE;
HASH_FIND_STR(conntrack, key, tmp_connrecord);
if (tmp_connrecord) {
if (connrecord)
*connrecord = tmp_connrecord;
debug("check_get_udp_conntrack_key found key\n");
return TRUE;
}
debug("check_get_udp_conntrack_key key not found\n");
return FALSE;
}
static int add_udp_conntrack(const uint32_t srcip[4], const uint16_t srcport,
const uint32_t dstip[4], const uint16_t dstport,
const int is_ipv6
)
{
if (!(srcip && srcport && dstip && dstport))
return FALSE;
udp_connrecord_t *tmp_connrecord = malloc(sizeof(udp_connrecord_t));
construct_key(srcip, srcport, tmp_connrecord->key, is_ipv6);
if (!check_get_udp_conntrack_key(tmp_connrecord->key, NULL)) {
tmp_connrecord->time = time(NULL);
if (is_ipv6) {
ipv6_copy_addr(tmp_connrecord->dstip, dstip);
}
else {
ipv4_copy_addr(tmp_connrecord->dstip, dstip);
}
tmp_connrecord->dstport = dstport;
HASH_ADD_STR(conntrack, key, tmp_connrecord);
debug("Added UDP conntrack\n");
return TRUE;
}
debug("Not added UDP conntrack\n");
free(tmp_connrecord);
return FALSE;
}
static void dns_cleanup() {
udp_connrecord_t *tmp_connrecord, *tmp_connrecord2 = NULL;
if (last_cleanup == 0) {
last_cleanup = time(NULL);
return;
}
if (difftime(time(NULL), last_cleanup) >= DNS_CLEANUP_INTERVAL_SEC) {
last_cleanup = time(NULL);
HASH_ITER(hh, conntrack, tmp_connrecord, tmp_connrecord2) {
if (difftime(last_cleanup, tmp_connrecord->time) >= DNS_CLEANUP_INTERVAL_SEC) {
HASH_DEL(conntrack, tmp_connrecord);
free(tmp_connrecord);
}
}
}
}
int dns_is_dns_packet(const char *packet_data, const UINT packet_dataLen, const int outgoing) {
if (packet_dataLen < 16) return FALSE;
if (outgoing && (ntohs(*(const uint16_t*)(packet_data + 2)) & 0xFA00) == 0 &&
(ntohs(*(const uint32_t*)(packet_data + 6))) == 0) {
return TRUE;
}
else if (!outgoing &&
(ntohs(*(const uint16_t*)(packet_data + 2)) & 0xF800) == 0x8000) {
return TRUE;
}
return FALSE;
}
int dns_handle_outgoing(const uint32_t srcip[4], const uint16_t srcport,
const uint32_t dstip[4], const uint16_t dstport,
const char *packet_data, const UINT packet_dataLen,
const uint8_t is_ipv6)
{
if (packet_dataLen < 16)
return FALSE;
dns_cleanup();
if (dns_is_dns_packet(packet_data, packet_dataLen, 1)) {
/* Looks like DNS request */
debug("trying to add srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
return add_udp_conntrack(srcip, srcport, dstip, dstport, is_ipv6);
}
debug("____dns_handle_outgoing FALSE: srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
return FALSE;
}
int dns_handle_incoming(const uint32_t srcip[4], const uint16_t srcport,
const char *packet_data, const UINT packet_dataLen,
conntrack_info_t *conn_info, const uint8_t is_ipv6)
{
char key[UDP_CONNRECORD_KEY_LEN];
udp_connrecord_t *tmp_connrecord = NULL;
if (packet_dataLen < 16 || !conn_info)
return FALSE;
dns_cleanup();
if (dns_is_dns_packet(packet_data, packet_dataLen, 0)) {
/* Looks like DNS response */
construct_key(srcip, srcport, key, is_ipv6);
if (check_get_udp_conntrack_key(key, &tmp_connrecord) && tmp_connrecord) {
/* Connection exists in conntrack, moving on */
deconstruct_key(key, tmp_connrecord, conn_info);
HASH_DEL(conntrack, tmp_connrecord);
free(tmp_connrecord);
return TRUE;
}
}
debug("____dns_handle_incoming FALSE: srcport = %hu\n", ntohs(srcport));
return FALSE;
}

36
src/dnsredir.h Normal file
View File

@@ -0,0 +1,36 @@
#include <stdint.h>
typedef struct conntrack_info {
uint8_t is_ipv6;
uint32_t srcip[4];
uint16_t srcport;
uint32_t dstip[4];
uint16_t dstport;
} conntrack_info_t;
inline static void ipv4_copy_addr(uint32_t dst[4], const uint32_t src[4]) {
dst[0] = src[0];
dst[1] = 0;
dst[2] = 0;
dst[3] = 0;
}
inline static void ipv6_copy_addr(uint32_t dst[4], const uint32_t src[4]) {
dst[0] = src[0];
dst[1] = src[1];
dst[2] = src[2];
dst[3] = src[3];
}
int dns_handle_incoming(const uint32_t srcip[4], const uint16_t srcport,
const char *packet_data, const UINT packet_dataLen,
conntrack_info_t *conn_info, const uint8_t is_ipv6);
int dns_handle_outgoing(const uint32_t srcip[4], const uint16_t srcport,
const uint32_t dstip[4], const uint16_t dstport,
const char *packet_data, const UINT packet_dataLen,
const uint8_t is_ipv6
);
void flush_dns_cache();
int dns_is_dns_packet(const char *packet_data, const UINT packet_dataLen, const int outgoing);

0
goodbyedpi-rc.rc → src/goodbyedpi-rc.rc
View File

994
src/goodbyedpi.c Normal file
View File

@@ -0,0 +1,994 @@
/*
* GoodbyeDPI — Passive DPI blocker and Active DPI circumvention utility.
*/
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>
#include <getopt.h>
#include <in6addr.h>
#include <ws2tcpip.h>
#include "windivert.h"
#include "goodbyedpi.h"
#include "utils/repl_str.h"
#include "service.h"
#include "dnsredir.h"
#include "blackwhitelist.h"
// My mingw installation does not load inet_pton definition for some reason
WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pAddr);
#define GOODBYEDPI_VERSION "v0.1.5"
#define die() do { sleep(20); exit(EXIT_FAILURE); } while (0)
#define MAX_FILTERS 4
#define MAX_PACKET_SIZE 9016
#define DIVERT_NO_LOCALNETSv4_DST "(" \
"(ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and " \
"(ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and " \
"(ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and " \
"(ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and " \
"(ip.DstAddr < 169.254.0.0 or ip.DstAddr > 169.254.255.255)" \
")"
#define DIVERT_NO_LOCALNETSv4_SRC "(" \
"(ip.SrcAddr < 127.0.0.1 or ip.SrcAddr > 127.255.255.255) and " \
"(ip.SrcAddr < 10.0.0.0 or ip.SrcAddr > 10.255.255.255) and " \
"(ip.SrcAddr < 192.168.0.0 or ip.SrcAddr > 192.168.255.255) and " \
"(ip.SrcAddr < 172.16.0.0 or ip.SrcAddr > 172.31.255.255) and " \
"(ip.SrcAddr < 169.254.0.0 or ip.SrcAddr > 169.254.255.255)" \
")"
#define DIVERT_NO_LOCALNETSv6_DST "(" \
"(ipv6.DstAddr > ::1) and " \
"(ipv6.DstAddr < 2001::0 or ipv6.DstAddr > 2001:1::0) and " \
"(ipv6.DstAddr < fc00::0 or ipv6.DstAddr > fe00::0) and " \
"(ipv6.DstAddr < fe80::0 or ipv6.DstAddr > fec0::0) and " \
"(ipv6.DstAddr < ff00::0 or ipv6.DstAddr > ffff::0)" \
")"
#define DIVERT_NO_LOCALNETSv6_SRC "(" \
"(ipv6.SrcAddr > ::1) and " \
"(ipv6.SrcAddr < 2001::0 or ipv6.SrcAddr > 2001:1::0) and " \
"(ipv6.SrcAddr < fc00::0 or ipv6.SrcAddr > fe00::0) and " \
"(ipv6.SrcAddr < fe80::0 or ipv6.SrcAddr > fec0::0) and " \
"(ipv6.SrcAddr < ff00::0 or ipv6.SrcAddr > ffff::0)" \
")"
/* #IPID# is a template to find&replace */
#define IPID_TEMPLATE "#IPID#"
#define FILTER_STRING_TEMPLATE \
"(tcp and !impostor and !loopback and " \
"((inbound and (" \
"(" \
"(" \
"(ipv6 or (ip.Id >= 0x0 and ip.Id <= 0xF) " IPID_TEMPLATE \
") and " \
"tcp.SrcPort == 80 and tcp.Ack" \
") or " \
"((tcp.SrcPort == 80 or tcp.SrcPort == 443) and tcp.Ack and tcp.Syn)" \
")" \
" and (" DIVERT_NO_LOCALNETSv4_SRC " or " DIVERT_NO_LOCALNETSv6_SRC "))) or " \
"(outbound and " \
"(tcp.DstPort == 80 or tcp.DstPort == 443) and tcp.Ack and " \
"(" DIVERT_NO_LOCALNETSv4_DST " or " DIVERT_NO_LOCALNETSv6_DST "))" \
"))"
#define FILTER_PASSIVE_STRING_TEMPLATE "inbound and ip and tcp and " \
"!impostor and !loopback and " \
"((ip.Id <= 0xF and ip.Id >= 0x0) " IPID_TEMPLATE ") and " \
"(tcp.SrcPort == 443 or tcp.SrcPort == 80) and tcp.Rst and " \
DIVERT_NO_LOCALNETSv4_SRC
#define SET_HTTP_FRAGMENT_SIZE_OPTION(fragment_size) do { \
if (!http_fragment_size) { \
if (fragment_size <= 0 || fragment_size > 65535) { \
puts("Fragment size should be in range [0 - 65535]\n"); \
exit(EXIT_FAILURE); \
} \
http_fragment_size = fragment_size; \
} \
else if (http_fragment_size != (unsigned int)fragment_size) { \
printf( \
"WARNING: HTTP fragment size is already set to %d, not changing.\n", \
http_fragment_size \
); \
} \
} while (0)
static int running_from_service = 0;
static HANDLE filters[MAX_FILTERS];
static int filter_num = 0;
static const char *http10_redirect_302 = "HTTP/1.0 302 ";
static const char *http11_redirect_302 = "HTTP/1.1 302 ";
static const char *http_host_find = "\r\nHost: ";
static const char *http_host_replace = "\r\nhoSt: ";
static const char *http_useragent_find = "\r\nUser-Agent: ";
static const char *location_http = "\r\nLocation: http://";
static const char *connection_close = "\r\nConnection: close";
static const char *http_methods[] = {
"GET ",
"HEAD ",
"POST ",
"PUT ",
"DELETE ",
"CONNECT ",
"OPTIONS ",
};
static struct option long_options[] = {
{"port", required_argument, 0, 'z' },
{"dns-addr", required_argument, 0, 'd' },
{"dns-port", required_argument, 0, 'g' },
{"dnsv6-addr", required_argument, 0, '!' },
{"dnsv6-port", required_argument, 0, '@' },
{"dns-verb", no_argument, 0, 'v' },
{"blacklist", required_argument, 0, 'b' },
{"ip-id", required_argument, 0, 'i' },
{0, 0, 0, 0 }
};
static char *filter_string = NULL;
static char *filter_passive_string = NULL;
static void add_filter_str(int proto, int port) {
const char *udp = " or (udp and !impostor and !loopback and " \
"(udp.SrcPort == %d or udp.DstPort == %d))";
const char *tcp = " or (tcp and !impostor and !loopback and " \
"(tcp.SrcPort == %d or tcp.DstPort == %d))";
char *current_filter = filter_string;
int new_filter_size = strlen(current_filter) +
(proto == IPPROTO_UDP ? strlen(udp) : strlen(tcp)) + 16;
char *new_filter = malloc(new_filter_size);
strcpy(new_filter, current_filter);
if (proto == IPPROTO_UDP)
sprintf(&(new_filter[strlen(new_filter)]), udp, port, port);
else
sprintf(&(new_filter[strlen(new_filter)]), tcp, port, port);
filter_string = new_filter;
free(current_filter);
}
static void add_ip_id_str(int id) {
char *newstr;
const char *ipid = " or ip.Id == %d";
char *addfilter = malloc(strlen(ipid) + 16);
sprintf(addfilter, ipid, id);
newstr = repl_str(filter_string, IPID_TEMPLATE, addfilter);
free(filter_string);
filter_string = newstr;
newstr = repl_str(filter_passive_string, IPID_TEMPLATE, addfilter);
free(filter_passive_string);
filter_passive_string = newstr;
}
static void finalize_filter_strings() {
char *newstr;
newstr = repl_str(filter_string, IPID_TEMPLATE, "");
free(filter_string);
filter_string = newstr;
newstr = repl_str(filter_passive_string, IPID_TEMPLATE, "");
free(filter_passive_string);
filter_passive_string = newstr;
}
static char* dumb_memmem(const char* haystack, int hlen, const char* needle, int nlen) {
// naive implementation
if (nlen > hlen) return NULL;
int i;
for (i=0; i<hlen-nlen+1; i++) {
if (memcmp(haystack+i,needle,nlen)==0) {
return (char*)(haystack+i);
}
}
return NULL;
}
static HANDLE init(char *filter, UINT64 flags) {
LPTSTR errormessage = NULL;
DWORD errorcode = 0;
filter = WinDivertOpen(filter, WINDIVERT_LAYER_NETWORK, 0, flags);
if (filter != INVALID_HANDLE_VALUE)
return filter;
errorcode = GetLastError();
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL, errorcode, MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT),
(LPTSTR)&errormessage, 0, NULL);
printf("Error opening filter: %s", errormessage);
LocalFree(errormessage);
if (errorcode == 577)
printf("Windows Server 2016 systems must have secure boot disabled to be "
"able to load WinDivert driver.\n"
"Windows 7 systems must be up-to-date or at least have KB3033929 installed.\n"
"https://www.microsoft.com/en-us/download/details.aspx?id=46078\n\n"
"WARNING! If you see this error on Windows 7, it means your system is horribly "
"outdated and SHOULD NOT BE USED TO ACCESS THE INTERNET!\n"
"Most probably, you don't have security patches installed and anyone in you LAN or "
"public Wi-Fi network can get full access to your computer (MS17-010 and others).\n"
"You should install updates IMMEDIATELY.\n");
return NULL;
}
static int deinit(HANDLE handle) {
if (handle) {
WinDivertClose(handle);
return TRUE;
}
return FALSE;
}
void deinit_all() {
for (int i = 0; i < filter_num; i++) {
deinit(filters[i]);
}
}
static void sigint_handler(int sig __attribute__((unused))) {
deinit_all();
exit(EXIT_SUCCESS);
}
static void mix_case(char *pktdata, int pktlen) {
int i;
if (pktlen <= 0) return;
for (i = 0; i < pktlen; i++) {
if (i % 2) {
pktdata[i] = toupper(pktdata[i]);
}
}
}
static int is_passivedpi_redirect(const char *pktdata, int pktlen) {
/* First check if this is HTTP 302 redirect */
if (memcmp(pktdata, http11_redirect_302, strlen(http11_redirect_302)) == 0 ||
memcmp(pktdata, http10_redirect_302, strlen(http10_redirect_302)) == 0)
{
/* Then check if this is a redirect to new http site with Connection: close */
if (dumb_memmem(pktdata, pktlen, location_http, strlen(location_http)) &&
dumb_memmem(pktdata, pktlen, connection_close, strlen(connection_close))) {
return TRUE;
}
}
return FALSE;
}
static int find_header_and_get_info(const char *pktdata, int pktlen,
const char *hdrname,
char **hdrnameaddr,
char **hdrvalueaddr, int *hdrvaluelen) {
char *data_addr_rn;
char *hdr_begin;
*hdrvaluelen = 0;
*hdrnameaddr = NULL;
*hdrvalueaddr = NULL;
/* Search for the header */
hdr_begin = dumb_memmem(pktdata, pktlen,
hdrname, strlen(hdrname));
if (!hdr_begin) return FALSE;
if ((PVOID)pktdata > (PVOID)hdr_begin) return FALSE;
/* Set header address */
*hdrnameaddr = hdr_begin;
*hdrvalueaddr = (PVOID)hdr_begin + strlen(hdrname);
/* Search for header end (\r\n) */
data_addr_rn = dumb_memmem(*hdrvalueaddr,
pktlen - ((PVOID)*hdrvalueaddr - (PVOID)pktdata),
"\r\n", 2);
if (data_addr_rn) {
*hdrvaluelen = (PVOID)data_addr_rn - (PVOID)*hdrvalueaddr;
if (*hdrvaluelen > 0 && *hdrvaluelen <= 512)
return TRUE;
}
return FALSE;
}
static inline void change_window_size(const PWINDIVERT_TCPHDR ppTcpHdr, int size) {
if (size >= 1 && size <= 65535) {
ppTcpHdr->Window = htons(size);
}
}
/* HTTP method end without trailing space */
static PVOID find_http_method_end(const char *pkt, int http_frag, int *is_fragmented) {
unsigned int i;
for (i = 0; i<(sizeof(http_methods) / sizeof(*http_methods)); i++) {
if (memcmp(pkt, http_methods[i], strlen(http_methods[i])) == 0) {
if (is_fragmented)
*is_fragmented = 0;
return (char*)pkt + strlen(http_methods[i]) - 1;
}
/* Try to find HTTP method in a second part of fragmented packet */
if ((http_frag == 1 || http_frag == 2) &&
memcmp(pkt, http_methods[i] + http_frag,
strlen(http_methods[i]) - http_frag) == 0
)
{
if (is_fragmented)
*is_fragmented = 1;
return (char*)pkt + strlen(http_methods[i]) - http_frag - 1;
}
}
return NULL;
}
int main(int argc, char *argv[]) {
static enum packet_type_e {
unknown,
ipv4_tcp, ipv4_tcp_data, ipv4_udp_data,
ipv6_tcp, ipv6_tcp_data, ipv6_udp_data
} packet_type;
int i, should_reinject, should_recalc_checksum = 0;
int opt;
int packet_v4, packet_v6;
HANDLE w_filter = NULL;
WINDIVERT_ADDRESS addr;
char packet[MAX_PACKET_SIZE];
PVOID packet_data;
UINT packetLen;
UINT packet_dataLen;
PWINDIVERT_IPHDR ppIpHdr;
PWINDIVERT_IPV6HDR ppIpV6Hdr;
PWINDIVERT_TCPHDR ppTcpHdr;
PWINDIVERT_UDPHDR ppUdpHdr;
conntrack_info_t dns_conn_info;
int do_passivedpi = 0, do_fragment_http = 0,
do_fragment_http_persistent = 0,
do_fragment_http_persistent_nowait = 0,
do_fragment_https = 0, do_host = 0,
do_host_removespace = 0, do_additional_space = 0,
do_http_allports = 0,
do_host_mixedcase = 0,
do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
do_dns_verb = 0, do_blacklist = 0;
unsigned int http_fragment_size = 0;
unsigned int https_fragment_size = 0;
uint32_t dnsv4_addr = 0;
struct in6_addr dnsv6_addr = {0};
struct in6_addr dns_temp_addr = {0};
uint16_t dnsv4_port = htons(53);
uint16_t dnsv6_port = htons(53);
char *host_addr, *useragent_addr, *method_addr;
int host_len, useragent_len;
int http_req_fragmented;
char *hdr_name_addr = NULL, *hdr_value_addr = NULL;
int hdr_value_len;
// Make sure to search DLLs only in safe path, not in current working dir.
SetDllDirectory("");
SetSearchPathMode(BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE | BASE_SEARCH_PATH_PERMANENT);
if (!running_from_service) {
running_from_service = 1;
if (service_register(argc, argv)) {
/* We've been called as a service. Register service
* and exit this thread. main() would be called from
* service.c next time.
*
* Note that if service_register() succeedes it does
* not return until the service is stopped.
* That is why we should set running_from_service
* before calling service_register and unset it
* afterwards.
*/
return 0;
}
running_from_service = 0;
}
if (filter_string == NULL)
filter_string = strdup(FILTER_STRING_TEMPLATE);
if (filter_passive_string == NULL)
filter_passive_string = strdup(FILTER_PASSIVE_STRING_TEMPLATE);
printf(
"GoodbyeDPI " GOODBYEDPI_VERSION
": Passive DPI blocker and Active DPI circumvention utility\n"
"https://github.com/ValdikSS/GoodbyeDPI\n\n"
);
if (argc == 1) {
/* enable mode -1 by default */
http_fragment_size = https_fragment_size = 2;
do_passivedpi = do_host = do_host_removespace \
= do_fragment_http = do_fragment_https \
= do_fragment_http_persistent \
= do_fragment_http_persistent_nowait = 1;
}
while ((opt = getopt_long(argc, argv, "1234prsaf:e:mwk:n", long_options, NULL)) != -1) {
switch (opt) {
case '1':
do_passivedpi = do_host = do_host_removespace \
= do_fragment_http = do_fragment_https \
= do_fragment_http_persistent \
= do_fragment_http_persistent_nowait = 1;
break;
case '2':
do_passivedpi = do_host = do_host_removespace \
= do_fragment_http = do_fragment_https \
= do_fragment_http_persistent \
= do_fragment_http_persistent_nowait = 1;
https_fragment_size = 40;
break;
case '3':
do_passivedpi = do_host = do_host_removespace \
= do_fragment_https = 1;
https_fragment_size = 40;
break;
case '4':
do_passivedpi = do_host = do_host_removespace = 1;
break;
case 'p':
do_passivedpi = 1;
break;
case 'r':
do_host = 1;
break;
case 's':
do_host_removespace = 1;
break;
case 'a':
do_additional_space = 1;
do_host_removespace = 1;
break;
case 'm':
do_host_mixedcase = 1;
break;
case 'f':
do_fragment_http = 1;
SET_HTTP_FRAGMENT_SIZE_OPTION(atoi(optarg));
break;
case 'k':
do_fragment_http_persistent = 1;
SET_HTTP_FRAGMENT_SIZE_OPTION(atoi(optarg));
break;
case 'n':
do_fragment_http_persistent_nowait = 1;
break;
case 'e':
do_fragment_https = 1;
https_fragment_size = atoi(optarg);
if (https_fragment_size <= 0 || https_fragment_size > 65535) {
puts("Fragment size should be in range [0 - 65535]\n");
exit(EXIT_FAILURE);
}
break;
case 'w':
do_http_allports = 1;
break;
case 'z':
/* i is used as a temporary variable here */
i = atoi(optarg);
if (i <= 0 || i > 65535) {
printf("Port parameter error!\n");
exit(EXIT_FAILURE);
}
if (i != 80 && i != 443)
add_filter_str(IPPROTO_TCP, i);
i = 0;
break;
case 'i':
/* i is used as a temporary variable here */
i = atoi(optarg);
if (i < 0 || i > 65535) {
printf("IP ID parameter error!\n");
exit(EXIT_FAILURE);
}
add_ip_id_str(i);
i = 0;
break;
case 'd':
if ((inet_pton(AF_INET, optarg, dns_temp_addr.s6_addr) == 1) &&
!do_dnsv4_redirect)
{
do_dnsv4_redirect = 1;
if (inet_pton(AF_INET, optarg, &dnsv4_addr) != 1) {
puts("DNS address parameter error!");
exit(EXIT_FAILURE);
}
add_filter_str(IPPROTO_UDP, 53);
flush_dns_cache();
break;
}
puts("DNS address parameter error!");
exit(EXIT_FAILURE);
break;
case '!':
if ((inet_pton(AF_INET6, optarg, dns_temp_addr.s6_addr) == 1) &&
!do_dnsv6_redirect)
{
do_dnsv6_redirect = 1;
if (inet_pton(AF_INET6, optarg, dnsv6_addr.s6_addr) != 1) {
puts("DNS address parameter error!");
exit(EXIT_FAILURE);
}
add_filter_str(IPPROTO_UDP, 53);
flush_dns_cache();
break;
}
puts("DNS address parameter error!");
exit(EXIT_FAILURE);
break;
case 'g':
if (!do_dnsv4_redirect) {
puts("--dns-port should be used with --dns-addr!\n"
"Make sure you use --dns-addr and pass it before "
"--dns-port");
exit(EXIT_FAILURE);
}
dnsv4_port = atoi(optarg);
if (atoi(optarg) <= 0 || atoi(optarg) > 65535) {
puts("DNS port parameter error!");
exit(EXIT_FAILURE);
}
if (dnsv4_port != 53) {
add_filter_str(IPPROTO_UDP, dnsv4_port);
}
dnsv4_port = htons(dnsv4_port);
break;
case '@':
if (!do_dnsv6_redirect) {
puts("--dnsv6-port should be used with --dnsv6-addr!\n"
"Make sure you use --dnsv6-addr and pass it before "
"--dnsv6-port");
exit(EXIT_FAILURE);
}
dnsv6_port = atoi(optarg);
if (atoi(optarg) <= 0 || atoi(optarg) > 65535) {
puts("DNS port parameter error!");
exit(EXIT_FAILURE);
}
if (dnsv6_port != 53) {
add_filter_str(IPPROTO_UDP, dnsv6_port);
}
dnsv6_port = htons(dnsv6_port);
break;
case 'v':
do_dns_verb = 1;
break;
case 'b':
do_blacklist = 1;
if (!blackwhitelist_load_list(optarg)) {
printf("Can't load blacklist from file!\n");
exit(EXIT_FAILURE);
}
break;
default:
puts("Usage: goodbyedpi.exe [OPTION...]\n"
" -p block passive DPI\n"
" -r replace Host with hoSt\n"
" -s remove space between host header and its value\n"
" -a additional space between Method and Request-URI (enables -s, may break sites)\n"
" -m mix Host header case (test.com -> tEsT.cOm)\n"
" -f [value] set HTTP fragmentation to value\n"
" -k [value] enable HTTP persistent (keep-alive) fragmentation and set it to value\n"
" -n do not wait for first segment ACK when -k is enabled\n"
" -e [value] set HTTPS fragmentation to value\n"
" -w try to find and parse HTTP traffic on all processed ports (not only on port 80)\n"
" --port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n"
" --ip-id [value] handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).\n"
" --dns-addr [value] redirect UDPv4 DNS requests to the supplied IPv4 address (experimental)\n"
" --dns-port [value] redirect UDPv4 DNS requests to the supplied port (53 by default)\n"
" --dnsv6-addr [value] redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)\n"
" --dnsv6-port [value] redirect UDPv6 DNS requests to the supplied port (53 by default)\n"
" --dns-verb print verbose DNS redirection messages\n"
" --blacklist [txtfile] perform HTTP tricks only to host names and subdomains from\n"
" supplied text file. This option can be supplied multiple times.\n"
"\n"
" -1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode, default)\n"
" -2 -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)\n"
" -3 -p -r -s -e 40 (better speed for HTTP and HTTPS)\n"
" -4 -p -r -s (best speed)");
exit(EXIT_FAILURE);
}
}
if (!http_fragment_size)
http_fragment_size = 2;
if (!https_fragment_size)
https_fragment_size = 2;
printf("Block passive: %d\nFragment HTTP: %d\nFragment persistent HTTP: %d\n"
"Fragment HTTPS: %d\nhoSt: %d\nHost no space: %d\nAdditional space: %d\n"
"Mix Host: %d\nHTTP AllPorts: %d\nHTTP Persistent Nowait: %d\n"
"DNS redirect: %d\nDNSv6 redirect: %d\n",
do_passivedpi, (do_fragment_http ? http_fragment_size : 0),
(do_fragment_http_persistent ? http_fragment_size : 0),
(do_fragment_https ? https_fragment_size : 0),
do_host, do_host_removespace, do_additional_space, do_host_mixedcase,
do_http_allports, do_fragment_http_persistent_nowait, do_dnsv4_redirect,
do_dnsv6_redirect
);
if (do_fragment_http && http_fragment_size > 2) {
printf("WARNING: HTTP fragmentation values > 2 are not fully compatible "
"with other options. Please use values <= 2 or disable HTTP fragmentation "
"completely.\n");
}
printf("\nOpening filter\n");
finalize_filter_strings();
filter_num = 0;
if (do_passivedpi) {
/* IPv4 only filter for inbound RST packets with ID [0x0; 0xF] */
filters[filter_num] = init(
filter_passive_string,
WINDIVERT_FLAG_DROP);
if (filters[filter_num] == NULL)
die();
filter_num++;
}
/*
* IPv4 & IPv6 filter for inbound HTTP redirection packets and
* active DPI circumvention
*/
filters[filter_num] = init(filter_string, 0);
w_filter = filters[filter_num];
filter_num++;
for (i = 0; i < filter_num; i++) {
if (filters[i] == NULL)
die();
}
printf("Filter activated!\n");
signal(SIGINT, sigint_handler);
while (1) {
if (WinDivertRecv(w_filter, packet, sizeof(packet), &addr, &packetLen)) {
debug("Got %s packet, len=%d!\n", addr.Direction ? "inbound" : "outbound",
packetLen);
should_reinject = 1;
should_recalc_checksum = 0;
ppIpHdr = (PWINDIVERT_IPHDR)NULL;
ppIpV6Hdr = (PWINDIVERT_IPV6HDR)NULL;
ppTcpHdr = (PWINDIVERT_TCPHDR)NULL;
ppUdpHdr = (PWINDIVERT_UDPHDR)NULL;
packet_v4 = packet_v6 = 0;
packet_type = unknown;
// Parse network packet and set it's type
if ((packet_v4 = WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen)))
{
packet_type = ipv4_tcp_data;
}
else if ((packet_v6 = WinDivertHelperParsePacket(packet, packetLen, NULL,
&ppIpV6Hdr, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen)))
{
packet_type = ipv6_tcp_data;
}
else if ((packet_v4 = WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
NULL, NULL, NULL, &ppTcpHdr, NULL, NULL, NULL)))
{
packet_type = ipv4_tcp;
}
else if ((packet_v6 = WinDivertHelperParsePacket(packet, packetLen, NULL,
&ppIpV6Hdr, NULL, NULL, &ppTcpHdr, NULL, NULL, NULL)))
{
packet_type = ipv6_tcp;
}
else if ((packet_v4 = WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
NULL, NULL, NULL, NULL, &ppUdpHdr, &packet_data, &packet_dataLen)))
{
packet_type = ipv4_udp_data;
}
else if ((packet_v6 = WinDivertHelperParsePacket(packet, packetLen, NULL,
&ppIpV6Hdr, NULL, NULL, NULL, &ppUdpHdr, &packet_data, &packet_dataLen)))
{
packet_type = ipv6_udp_data;
}
debug("packet_type: %d, packet_v4: %d, packet_v6: %d\n", packet_type, packet_v4, packet_v6);
if (packet_type == ipv4_tcp_data || packet_type == ipv6_tcp_data) {
//printf("Got parsed packet, len=%d!\n", packet_dataLen);
/* Got a TCP packet WITH DATA */
/* Handle INBOUND packet with data and find HTTP REDIRECT in there */
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND && packet_dataLen > 16) {
/* If INBOUND packet with DATA (tcp.Ack) */
/* Drop packets from filter with HTTP 30x Redirect */
if (do_passivedpi && is_passivedpi_redirect(packet_data, packet_dataLen)) {
if (packet_v4) {
//printf("Dropping HTTP Redirect packet!\n");
should_reinject = 0;
}
else if (packet_v6 && WINDIVERT_IPV6HDR_GET_FLOWLABEL(ppIpV6Hdr) == 0x0) {
/* Contrary to IPv4 where we get only packets with IP ID 0x0-0xF,
* for IPv6 we got all the incoming data packets since we can't
* filter them in a driver.
*
* Handle only IPv6 Flow Label == 0x0 for now
*/
//printf("Dropping HTTP Redirect packet!\n");
should_reinject = 0;
}
}
}
/* Handle OUTBOUND packet on port 80, search for Host header */
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
packet_dataLen > 16 &&
(do_http_allports ? 1 : (ppTcpHdr->DstPort == htons(80))) &&
find_http_method_end(packet_data,
(do_fragment_http ? http_fragment_size : 0),
&http_req_fragmented) &&
(do_host || do_host_removespace ||
do_host_mixedcase || do_fragment_http_persistent))
{
/* Find Host header */
if (find_header_and_get_info(packet_data, packet_dataLen,
http_host_find, &hdr_name_addr, &hdr_value_addr, &hdr_value_len) &&
hdr_value_len > 0 && hdr_value_len <= HOST_MAXLEN &&
(do_blacklist ? blackwhitelist_check_hostname(hdr_value_addr, hdr_value_len) : 1))
{
host_addr = hdr_value_addr;
host_len = hdr_value_len;
/*
* Handle new HTTP request in new
* connection (when Window Size modification disabled)
* or already established connection (keep-alive).
* We split HTTP request into two packets: one of http_fragment_size length
* and another of original_size - http_fragment_size length.
*
* The second packet of a splitted part is not really needed to be sent
* as Windows understand that is hasn't been sent by checking
* ack number of received packet and retransmitting missing part again,
* but it's better to send it anyway since it eliminates one RTT.
*/
if (do_fragment_http_persistent && !http_req_fragmented &&
(packet_dataLen > http_fragment_size))
{
if (packet_v4)
ppIpHdr->Length = htons(
ntohs(ppIpHdr->Length) -
packet_dataLen + http_fragment_size
);
else if (packet_v6)
ppIpV6Hdr->Length = htons(
ntohs(ppIpV6Hdr->Length) -
packet_dataLen + http_fragment_size
);
WinDivertHelperCalcChecksums(
packet, packetLen - packet_dataLen + http_fragment_size, &addr, 0
);
WinDivertSend(
w_filter, packet,
packetLen - packet_dataLen + http_fragment_size,
&addr, NULL
);
if (do_fragment_http_persistent_nowait) {
if (packet_v4)
ppIpHdr->Length = htons(
ntohs(ppIpHdr->Length) -
http_fragment_size + packet_dataLen - http_fragment_size
);
else if (packet_v6)
ppIpV6Hdr->Length = htons(
ntohs(ppIpV6Hdr->Length) -
http_fragment_size + packet_dataLen - http_fragment_size
);
memmove(packet_data,
packet_data + http_fragment_size,
packet_dataLen);
packet_dataLen -= http_fragment_size;
packetLen -= http_fragment_size;
hdr_value_addr -= http_fragment_size;
hdr_name_addr -= http_fragment_size;
host_addr = hdr_value_addr;
ppTcpHdr->SeqNum = htonl(ntohl(ppTcpHdr->SeqNum) + http_fragment_size);
should_recalc_checksum = 1;
}
else {
continue;
}
}
if (do_host_mixedcase) {
mix_case(host_addr, host_len);
should_recalc_checksum = 1;
}
if (do_host) {
/* Replace "Host: " with "hoSt: " */
memcpy(hdr_name_addr, http_host_replace, strlen(http_host_replace));
should_recalc_checksum = 1;
//printf("Replaced Host header!\n");
}
/* If removing space between host header and its value
* and adding additional space between Method and Request-URI */
if (do_additional_space && do_host_removespace) {
/* End of "Host:" without trailing space */
method_addr = find_http_method_end(packet_data,
(do_fragment_http ? http_fragment_size : 0),
NULL);
if (method_addr) {
memmove(method_addr + 1, method_addr,
(PVOID)host_addr - (PVOID)method_addr - 1);
should_recalc_checksum = 1;
}
}
/* If just removing space between host header and its value */
else if (do_host_removespace) {
if (find_header_and_get_info(packet_data, packet_dataLen,
http_useragent_find, &hdr_name_addr,
&hdr_value_addr, &hdr_value_len))
{
useragent_addr = hdr_value_addr;
useragent_len = hdr_value_len;
/* We move Host header value by one byte to the left and then
* "insert" stolen space to the end of User-Agent value because
* some web servers are not tolerant to additional space in the
* end of Host header.
*
* Nothing is done if User-Agent header is missing.
*/
if (useragent_addr && useragent_len > 0) {
/* useragent_addr is in the beginning of User-Agent value */
if (useragent_addr > host_addr) {
/* Move one byte to the LEFT from "Host:"
* to the end of User-Agent
*/
memmove(host_addr - 1, host_addr,
(PVOID)useragent_addr + useragent_len - (PVOID)host_addr);
host_addr -= 1;
/* Put space in the end of User-Agent header */
*(char*)((PVOID)useragent_addr + useragent_len - 1) = ' ';
should_recalc_checksum = 1;
//printf("Replaced Host header!\n");
}
else {
/* User-Agent goes BEFORE Host header */
/* Move one byte to the RIGHT from the end of User-Agent
* to the "Host:"
*/
memmove((PVOID)useragent_addr + useragent_len + 1,
(PVOID)useragent_addr + useragent_len,
(PVOID)host_addr - 1 - ((PVOID)useragent_addr + useragent_len));
/* Put space in the end of User-Agent header */
*(char*)((PVOID)useragent_addr + useragent_len) = ' ';
should_recalc_checksum = 1;
//printf("Replaced Host header!\n");
}
} /* if (host_len <= HOST_MAXLEN && useragent_addr) */
} /* if (find_header_and_get_info http_useragent) */
} /* else if (do_host_removespace) */
} /* if (find_header_and_get_info http_host) */
} /* Handle OUTBOUND packet with data */
} /* Handle TCP packet with data */
/* Else if we got TCP packet without data */
else if (packet_type == ipv4_tcp || packet_type == ipv6_tcp) {
/* If we got INBOUND SYN+ACK packet */
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND &&
ppTcpHdr->Syn == 1 && ppTcpHdr->Ack == 1) {
//printf("Changing Window Size!\n");
/*
* Window Size is changed even if do_fragment_http_persistent
* is enabled as there could be non-HTTP data on port 80
*/
if (do_fragment_http && ppTcpHdr->SrcPort == htons(80)) {
change_window_size(ppTcpHdr, http_fragment_size);
should_recalc_checksum = 1;
}
else if (do_fragment_https && ppTcpHdr->SrcPort != htons(80)) {
change_window_size(ppTcpHdr, https_fragment_size);
should_recalc_checksum = 1;
}
}
}
/* Else if we got UDP packet with data */
else if ((do_dnsv4_redirect && (packet_type == ipv4_udp_data)) ||
(do_dnsv6_redirect && (packet_type == ipv6_udp_data)))
{
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND) {
if ((packet_v4 && dns_handle_incoming(&ppIpHdr->DstAddr, ppUdpHdr->DstPort,
packet_data, packet_dataLen,
&dns_conn_info, 0))
||
(packet_v6 && dns_handle_incoming(ppIpV6Hdr->DstAddr, ppUdpHdr->DstPort,
packet_data, packet_dataLen,
&dns_conn_info, 1)))
{
/* Changing source IP and port to the values
* from DNS conntrack */
if (packet_v4)
ppIpHdr->SrcAddr = dns_conn_info.dstip[0];
else if (packet_v6)
ipv6_copy_addr(ppIpV6Hdr->SrcAddr, dns_conn_info.dstip);
ppUdpHdr->DstPort = dns_conn_info.srcport;
ppUdpHdr->SrcPort = dns_conn_info.dstport;
should_recalc_checksum = 1;
}
else {
if (dns_is_dns_packet(packet_data, packet_dataLen, 0))
should_reinject = 0;
if (do_dns_verb && !should_reinject) {
printf("[DNS] Error handling incoming packet: srcport = %hu, dstport = %hu\n",
ntohs(ppUdpHdr->SrcPort), ntohs(ppUdpHdr->DstPort));
}
}
}
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND) {
if ((packet_v4 && dns_handle_outgoing(&ppIpHdr->SrcAddr, ppUdpHdr->SrcPort,
&ppIpHdr->DstAddr, ppUdpHdr->DstPort,
packet_data, packet_dataLen, 0))
||
(packet_v6 && dns_handle_outgoing(ppIpV6Hdr->SrcAddr, ppUdpHdr->SrcPort,
ppIpV6Hdr->DstAddr, ppUdpHdr->DstPort,
packet_data, packet_dataLen, 1)))
{
/* Changing destination IP and port to the values
* from configuration */
if (packet_v4) {
ppIpHdr->DstAddr = dnsv4_addr;
ppUdpHdr->DstPort = dnsv4_port;
}
else if (packet_v6) {
ipv6_copy_addr(ppIpV6Hdr->DstAddr, (uint32_t*)dnsv6_addr.s6_addr);
ppUdpHdr->DstPort = dnsv6_port;
}
should_recalc_checksum = 1;
}
else {
if (dns_is_dns_packet(packet_data, packet_dataLen, 1))
should_reinject = 0;
if (do_dns_verb && !should_reinject) {
printf("[DNS] Error handling outgoing packet: srcport = %hu, dstport = %hu\n",
ntohs(ppUdpHdr->SrcPort), ntohs(ppUdpHdr->DstPort));
}
}
}
}
if (should_reinject) {
//printf("Re-injecting!\n");
if (should_recalc_checksum) {
WinDivertHelperCalcChecksums(packet, packetLen, &addr, NULL);
}
WinDivertSend(w_filter, packet, packetLen, &addr, NULL);
}
}
else {
// error, ignore
printf("Error receiving packet!\n");
break;
}
}
}

2
goodbyedpi.exe.manifest → src/goodbyedpi.exe.manifest
View File

@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="GoodbyeDPI" type="win32"/> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="GoodbyeDPI" type="win32"/>
<description>Divert</description> <description>GoodbyeDPI</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security> <security>
<requestedPrivileges> <requestedPrivileges>

10
src/goodbyedpi.h Normal file
View File

@@ -0,0 +1,10 @@
#define HOST_MAXLEN 253
#ifndef DEBUG
#define debug(...) do {} while (0)
#else
#define debug(...) printf(__VA_ARGS__)
#endif
int main(int argc, char *argv[]);
void deinit_all();

0
icon.ico → src/icon.ico
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 12 KiB

After

Width:  |  Height:  |  Size: 12 KiB

96
src/service.c Normal file
View File

@@ -0,0 +1,96 @@
#include <windows.h>
#include <stdio.h>
#include "goodbyedpi.h"
#include "service.h"
#define SERVICE_NAME "GoodbyeDPI"
static SERVICE_STATUS ServiceStatus;
static SERVICE_STATUS_HANDLE hStatus;
static int service_argc = 0;
static char **service_argv = NULL;
int service_register(int argc, char *argv[])
{
int i, ret;
SERVICE_TABLE_ENTRY ServiceTable[] = {
{SERVICE_NAME, (LPSERVICE_MAIN_FUNCTION)service_main},
{NULL, NULL}
};
/*
* Save argc & argv as service_main is called with different
* arguments, which are passed from "start" command, not
* from the program command line.
* We don't need this behaviour.
*
* Note that if StartServiceCtrlDispatcher() succeedes
* it does not return until the service is stopped,
* so we should copy all arguments first and then
* handle the failure.
*/
if (!service_argc && !service_argv) {
service_argc = argc;
service_argv = malloc(sizeof(void*) * argc);
for (i = 0; i < argc; i++) {
service_argv[i] = strdup(argv[i]);
}
}
ret = StartServiceCtrlDispatcher(ServiceTable);
if (service_argc && service_argv) {
for (i = 0; i < service_argc; i++) {
free(service_argv[i]);
}
free(service_argv);
}
return ret;
}
void service_main(int argc __attribute__((unused)),
char *argv[] __attribute__((unused)))
{
ServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwServiceSpecificExitCode = 0;
ServiceStatus.dwCheckPoint = 1;
ServiceStatus.dwWaitHint = 0;
hStatus = RegisterServiceCtrlHandler(
SERVICE_NAME,
(LPHANDLER_FUNCTION)service_controlhandler);
if (hStatus == (SERVICE_STATUS_HANDLE)0)
{
// Registering Control Handler failed
return;
}
SetServiceStatus(hStatus, &ServiceStatus);
// Calling main with saved argc & argv
ServiceStatus.dwWin32ExitCode = main(service_argc, service_argv);
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus(hStatus, &ServiceStatus);
return;
}
// Control handler function
void service_controlhandler(DWORD request)
{
switch(request)
{
case SERVICE_CONTROL_STOP:
case SERVICE_CONTROL_SHUTDOWN:
deinit_all();
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
default:
break;
}
// Report current status
SetServiceStatus(hStatus, &ServiceStatus);
return;
}

3
src/service.h Normal file
View File

@@ -0,0 +1,3 @@
int service_register();
void service_main(int argc, char *argv[]);
void service_controlhandler(DWORD request);

92
src/utils/getline.c Normal file
View File

@@ -0,0 +1,92 @@
/* $NetBSD: getdelim.c,v 1.2 2015/12/25 20:12:46 joerg Exp $ */
/* NetBSD-src: getline.c,v 1.2 2014/09/16 17:23:50 christos Exp */
/*-
* Copyright (c) 2011 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Christos Zoulas.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <stdio.h>
#include <stdlib.h>
#include "getline.h"
#if !HAVE_GETDELIM
ssize_t
getdelim(char **buf, size_t *bufsiz, int delimiter, FILE *fp)
{
char *ptr, *eptr;
if (*buf == NULL || *bufsiz == 0) {
*bufsiz = BUFSIZ;
if ((*buf = malloc(*bufsiz)) == NULL)
return -1;
}
for (ptr = *buf, eptr = *buf + *bufsiz;;) {
int c = fgetc(fp);
if (c == -1) {
if (feof(fp)) {
ssize_t diff = (ssize_t)(ptr - *buf);
if (diff != 0) {
*ptr = '\0';
return diff;
}
}
return -1;
}
*ptr++ = c;
if (c == delimiter) {
*ptr = '\0';
return ptr - *buf;
}
if (ptr + 2 >= eptr) {
char *nbuf;
size_t nbufsiz = *bufsiz * 2;
ssize_t d = ptr - *buf;
if ((nbuf = realloc(*buf, nbufsiz)) == NULL)
return -1;
*buf = nbuf;
*bufsiz = nbufsiz;
eptr = nbuf + nbufsiz;
ptr = nbuf + d;
}
}
}
#endif
#if !HAVE_GETLINE
ssize_t
getline(char **buf, size_t *bufsiz, FILE *fp)
{
return getdelim(buf, bufsiz, '\n', fp);
}
#endif

7
src/utils/getline.h Normal file
View File

@@ -0,0 +1,7 @@
#if !HAVE_GETDELIM
ssize_t getdelim(char **, size_t *, int, FILE *);
#endif
#if !HAVE_GETLINE
ssize_t getline(char **, size_t *, FILE *);
#endif

90
src/utils/repl_str.c Normal file
View File

@@ -0,0 +1,90 @@
#include <string.h>
#include <stdlib.h>
#include <stddef.h>
#if (__STDC_VERSION__ >= 199901L)
#include <stdint.h>
#endif
char *repl_str(const char *str, const char *from, const char *to) {
/* Adjust each of the below values to suit your needs. */
/* Increment positions cache size initially by this number. */
size_t cache_sz_inc = 16;
/* Thereafter, each time capacity needs to be increased,
* multiply the increment by this factor. */
const size_t cache_sz_inc_factor = 3;
/* But never increment capacity by more than this number. */
const size_t cache_sz_inc_max = 1048576;
char *pret, *ret = NULL;
const char *pstr2, *pstr = str;
size_t i, count = 0;
#if (__STDC_VERSION__ >= 199901L)
uintptr_t *pos_cache_tmp, *pos_cache = NULL;
#else
ptrdiff_t *pos_cache_tmp, *pos_cache = NULL;
#endif
size_t cache_sz = 0;
size_t cpylen, orglen, retlen, tolen, fromlen = strlen(from);
/* Find all matches and cache their positions. */
while ((pstr2 = strstr(pstr, from)) != NULL) {
count++;
/* Increase the cache size when necessary. */
if (cache_sz < count) {
cache_sz += cache_sz_inc;
pos_cache_tmp = realloc(pos_cache, sizeof(*pos_cache) * cache_sz);
if (pos_cache_tmp == NULL) {
goto end_repl_str;
} else pos_cache = pos_cache_tmp;
cache_sz_inc *= cache_sz_inc_factor;
if (cache_sz_inc > cache_sz_inc_max) {
cache_sz_inc = cache_sz_inc_max;
}
}
pos_cache[count-1] = pstr2 - str;
pstr = pstr2 + fromlen;
}
orglen = pstr - str + strlen(pstr);
/* Allocate memory for the post-replacement string. */
if (count > 0) {
tolen = strlen(to);
retlen = orglen + (tolen - fromlen) * count;
} else retlen = orglen;
ret = malloc(retlen + 1);
if (ret == NULL) {
goto end_repl_str;
}
if (count == 0) {
/* If no matches, then just duplicate the string. */
strcpy(ret, str);
} else {
/* Otherwise, duplicate the string whilst performing
* the replacements using the position cache. */
pret = ret;
memcpy(pret, str, pos_cache[0]);
pret += pos_cache[0];
for (i = 0; i < count; i++) {
memcpy(pret, to, tolen);
pret += tolen;
pstr = str + pos_cache[i] + fromlen;
cpylen = (i == count-1 ? orglen : pos_cache[i+1]) - pos_cache[i] - fromlen;
memcpy(pret, pstr, cpylen);
pret += cpylen;
}
ret[retlen] = '\0';
}
end_repl_str:
/* Free the cache and return the post-replacement string,
* which will be NULL in the event of an error. */
free(pos_cache);
return ret;
}

1
src/utils/repl_str.h Normal file
View File

@@ -0,0 +1 @@
char *repl_str(const char *str, const char *from, const char *to);

1208
src/utils/uthash.h Normal file
View File

File diff suppressed because it is too large Load Diff