2gW94/GoodbyeDPI
1
0
Fork 0
mirror of https://github.com/ValdikSS/GoodbyeDPI.git synced 2025-12-17 21:04:36 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: 2gW94:0.1.2rc2
Branches Tags
2gW94:master 2gW94:more-fakes 2gW94:EgorWeders-patch-1 2gW94:quic_block 2gW94:test_windres 2gW94:openvpn 2gW94:windivert2 2gW94:masterv6 2gW94:ipv6 2gW94:windivert-test
2gW94:0.2.3rc3 2gW94:0.2.3rc2 2gW94:0.2.3rc1 2gW94:0.2.2 2gW94:0.2.1 2gW94:0.2.0 2gW94:0.1.8 2gW94:0.1.7 2gW94:0.1.6 2gW94:0.1.5 2gW94:0.1.5rc3 2gW94:0.1.5rc2 2gW94:0.1.5rc1 2gW94:0.1.4 2gW94:0.1.3 2gW94:0.1.2 2gW94:0.1.2rc3 2gW94:0.1.2rc2 2gW94:0.1.2rc1 2gW94:0.1.1 2gW94:0.1.0 2gW94:0.0.9 2gW94:0.0.8 2gW94:0.0.7 2gW94:0.0.6 2gW94:0.0.5 2gW94:0.0.4 2gW94:0.0.3 2gW94:0.0.2 2gW94:0.0.1
...
compare: 2gW94:0.2.1
Branches Tags
2gW94:master 2gW94:more-fakes 2gW94:EgorWeders-patch-1 2gW94:quic_block 2gW94:test_windres 2gW94:openvpn 2gW94:windivert2 2gW94:masterv6 2gW94:ipv6 2gW94:windivert-test
2gW94:0.2.3rc3 2gW94:0.2.3rc2 2gW94:0.2.3rc1 2gW94:0.2.2 2gW94:0.2.1 2gW94:0.2.0 2gW94:0.1.8 2gW94:0.1.7 2gW94:0.1.6 2gW94:0.1.5 2gW94:0.1.5rc3 2gW94:0.1.5rc2 2gW94:0.1.5rc1 2gW94:0.1.4 2gW94:0.1.3 2gW94:0.1.2 2gW94:0.1.2rc3 2gW94:0.1.2rc2 2gW94:0.1.2rc1 2gW94:0.1.1 2gW94:0.1.0 2gW94:0.0.9 2gW94:0.0.8 2gW94:0.0.7 2gW94:0.0.6 2gW94:0.0.5 2gW94:0.0.4 2gW94:0.0.3 2gW94:0.0.2 2gW94:0.0.1

112 Commits
0.1.2rc2 ... 0.2.1

Author SHA1 Message Date
ValdikSS
406cf2ca68 GoodbyeDPI v0.2.1 2021-12-30 21:14:23 +03:00
ValdikSS
277b1fb4ef SNI extraction bugfix: add forgotten hyphen as an allowed domain character 
This fixes --allow-no-sni option for domains with hyphen.
 2021-12-30 19:16:43 +03:00
ValdikSS
5494be72ba GoodbyeDPI v0.2.0 2021-12-30 03:46:51 +03:00
ValdikSS
09089e0364 Update readme 2021-12-30 03:45:50 +03:00
ValdikSS
c92cd77c51 Ensure the resource file to be compiled before linking 2021-12-30 03:45:20 +03:00
ValdikSS
f97a2d04f0 Use --max-payload-size=1200 for -5 and -6 modes. 2021-12-30 03:44:37 +03:00
ValdikSS
d7c681d1a2 Add Max Payload Size limit option (--max-payload-size) 
This option excludes TCP packets with the data payload larger than
defined value from being copied by WinDivert driver to GoodbyeDPI.

As most of HTTP and TLS ClientHello packets are repatively small,
and file transfers are usually big and are sent/received using
the whole available MTU/MSS, we can just exclude them from
being processed by our userspace program to reduce unnecessary
CPU load.
 2021-12-30 03:41:12 +03:00
ValdikSS
ab74ddc425 Update readme 2021-12-29 16:22:43 +03:00
ValdikSS
cc1676ad92 --allow-no-sni option. Useful with --blacklist and undetectable SNI. 
This option is added specially for protonmail.com, as it sends
low Window Size in SYN-ACK for requests from Russia, to force
the client to fragment the packet. GoodbyeDPI doesn't do reassembling
and can't extract SNI in this case, thus won't circumvent the
censorship if --blacklist option is used.
 2021-12-29 16:18:56 +03:00
ValdikSS
7f59593a28 Check TLS Handshake ClientHello byte if packet length is enough 2021-12-29 16:14:12 +03:00
ValdikSS
372cc6a45d Properly handle Native Fragmentation packet of bigger or equal size than the fragment size 2021-12-29 16:10:18 +03:00
ValdikSS
46c4f36de8 Add Fake Packet maximum TTL limit to Auto TTL mode 
This patchset adds maximum TTL size of the fake packet to be sent,
to further  improve compatibility with asymmertic routing and
non-standard TTL value set on servers.
 2021-12-29 02:05:39 +03:00
ValdikSS
8911e459d8 Exit when native fragmentation is enabled but http/https values are not set 2021-12-28 23:48:57 +03:00
ValdikSS
f4edcf7b4f Small text output enhancements 2021-12-28 23:48:57 +03:00
ValdikSS
bb8bafb663 Add Auto TTL range adjustment, introduce min-ttl and use it for --set-ttl as well. 2021-12-28 23:48:57 +03:00
ValdikSS
e25d7432de Better Auto TTL adjusting algorithm which honors short distance 
Say you set --auto-ttl to 4.
If the TTL distance to the destination host is too short, say 6, auto-ttl
would decrease it by 4 and send a fake packet with TTL 2, which is too low
for the packet to travel via DPI system.
But if you set --auto-ttl to a lower value such as 2, that may introduce
issues over long lines where outgoing-path TTL and incoming-path TTL may have
difference more than 2 hops due to higher chance of assymetric routing along
the path.

To solve this issue, this commit introduce auto-ttl range of two values.
If the incoming TTL distance is more than autottl2, it is subtracted by
autottl2 value.
If the distance is less than autottl2, the distance value is used as a
normalized weigth of [autottl1; autottl2] scale.

The simplified formula is as follows:

    128 > extracted_ttl > 98: // Server is running Windows
      nhops = 128 - extracted_ttl
    64 > extracted_ttl > 34: // Server is running Linux/FreeBSD/other
      nhops = 64 - extracted_ttl

    if (nhops - autottl2 < autottl2)
        ttl_of_fake_packet = nhops - autottl1 - trunc((autottl2 - autottl1) * ((float)nhops/10));
    else
        ttl_of_fake_packet = nhops - autottl2
 2021-12-28 22:28:55 +03:00
ValdikSS
c60dbf7ca7 Remove man-db auto-update for slightly faster installation 2021-12-28 00:31:54 +03:00
ValdikSS
b1273c8e10 Update Makefile, add more warning options 2021-12-28 00:31:54 +03:00
ValdikSS
9e98b478df Update readme 2021-12-28 00:31:54 +03:00
ValdikSS
67c226dc7c Fix all types and warnings 2021-12-28 00:31:47 +03:00
ValdikSS
46219e95e7 Update uthash to 2.3.0 2021-12-27 06:58:20 +03:00
ValdikSS
6eec99e874 GoodbyeDPI v0.1.8 2021-12-26 20:29:24 +03:00
ValdikSS
b799b33fed Update readme 2021-12-26 20:24:16 +03:00
ValdikSS
76c4658985 Update github issue templates 2021-12-26 20:10:18 +03:00
ValdikSS
d61a9f8022 Handle only (default_ttl - 30) range in Auto TTL 2021-12-26 19:05:03 +03:00
ValdikSS
fc15088c33 Fix spelling 2021-12-26 18:42:26 +03:00
ValdikSS
1ea70f9bc9 Do not print "Error receiving packet!" upon exiting 2021-12-26 18:39:44 +03:00
ValdikSS
ed42c5d627 Fix all the warnings and notes 2021-12-26 17:45:37 +03:00
ValdikSS
a79377f606 Github Actions: rebuild only on src directory changes 2021-12-26 15:12:13 +03:00
ValdikSS
db37b4f1f2 Add Github Actions build script 2021-12-26 15:03:35 +03:00
ValdikSS
9fcf097cb7 Use Auto TTL = 4 by default 
Previous value of 2 caused issues with the services connected via
very different uplink/downlink routing links.
 2021-12-25 20:43:56 +03:00
ValdikSS
e1e09f9103 Add safekeeping TTL value for Auto TTL 2021-12-25 13:56:57 +03:00
ValdikSS
a5c2f9fac9 Introduce -5 and -6 modes and make -5 default 
Modern modesets (more stable, more compatible, faster):
 -5          -f 2 -e 2 --auto-ttl --reverse-frag (this is the default now)
 -6          -f 2 -e 2 --wrong-seq --reverse-frag
 2021-12-25 13:56:57 +03:00
ValdikSS
11c322aaed Show fragmentation value issues only when Window Size is used 2021-12-25 13:07:39 +03:00
ValdikSS
88d4a60cdf Merge branch 'badseq_for_master' into master 2021-12-25 12:30:08 +03:00
ValdikSS
b45b463d51 Update readme 2021-12-25 12:24:25 +03:00
ValdikSS
80fcd9c5cf Replace required/optional brackets in the readme 2021-12-25 12:24:25 +03:00
ValdikSS
21ff80b43c Automatic TTL value picker for --set-ttl Fake Packet mode 
This is a per-connection (per-destination) automatic TTL adjusting feature.
Basically a --set-ttl mode where you don't need to set specific TTL value.

It works as follows:
 1. All incoming SYN/ACKs (the response to client's SYN) are intercepted
 2. TTL value is extracted from SYN/ACK
 3. New TTL is calculated with the simple formula:
    128 > extracted_ttl > 64: // Server is running Windows
      fakepacket_ttl = 128 - extracted_ttl - decrement
    64 > extracted_ttl > 34: // Server is running Linux/FreeBSD/other
      fakepacket_ttl = 64 - extracted_ttl - decrement
 4. Fake packet is sent

To comply with the multi-path multi-hop server connections
where 1 hop dispersion is not rare, decrement should be at least of
value "2", which is the default.

The patch does not process "too strange" TTL values (bigger than 128,
less than 34).
 2021-12-25 12:24:25 +03:00
ValdikSS
bbb6af89fe New Fake Packet circumvention method: wrong SEQ/ACK numbers 
This method sends Fake Packet with the TCP SEQ/ACK numbers "in the past":
-66000 is used for ACK (right out of the ACK permissive window in Linux stack),
-10000 is used for SEQ (without any reasoning).

This method is pretty effective in Russia.
It also could be handy in a networks which prohibit changing TTL values
(mobile networks with tethering block/premium feature).
 2021-12-25 11:55:26 +03:00
ValdikSS
b57a204d96 Apply each Fake Packet method to each packet separately 
Before: --set-ttl and --wrong-chksum generated single Fake Packet with both low TTL and incorrect checksum.
Now:    --set-ttl and --wrong-chksum generate two packets: one with low TTL, another with incorrect checksum.
 2021-12-25 10:49:26 +03:00
ValdikSS
3899a719c1 Update Makefile, make fortify work on modern mingw compilers 2021-12-25 10:24:43 +03:00
ValdikSS
b9682ac222 Print parsed hostnames in DEBUG mode 2021-12-25 10:24:43 +03:00
ValdikSS
35c6e401db Handle TLS SNI in blacklist option 
Now blacklist applies not only to HTTP websites, but also to HTTPS.

Fixes #213
 2021-12-25 10:23:43 +03:00
ValdikSS
cf7d1c69e0 Add TLS Server Name Indication (SNI) extractor 2021-12-25 10:09:37 +03:00
ValdikSS
5b79d8e8ba Update Makefile, make fortify work on modern mingw compilers 2021-12-25 01:50:34 +03:00
ValdikSS
787c4d25c3 Update readme 2021-12-24 22:28:59 +03:00
ValdikSS
7d50748e2e GoodbyeDPI version 0.1.7 2021-12-24 22:17:32 +03:00
ValdikSS
e28cb52645 Send native-fragged fragments in the reversed order 
Some websites (or more precisely, TLS terminators/balancers) can't
handle segmented TLS ClientHello packet properly, requiring the whole
ClientHello in a single segment, otherwise the connection gets dropped.

However they still operate with a proper TCP stack.
Cheat on them: send the latter segment first (with TCP SEQ "in the future"),
the former segment second (with "current" SEQ), allowing OS TCP
stack to combine it in a single TCP read().

This fixes long-standing number of TCP fragmentation issues:
Fixes #4, #158, #224, #59, #192 and many others.
 2021-12-24 22:07:07 +03:00
ValdikSS
e3638786da Add Native Fragmentation support (without window size) 
This patch adds `--native-frag` option for userspace TCP
segmentation (packet splitting), without shrinking
TCP Window Size in SYN/ACK.

Compared to Window Size shrinking, this method does not require
waiting for ACK, which saves two RTTs.

This is preferrable method of operation since it has no cons.
It's faster and easier to handle in the software.
 2021-12-24 21:36:43 +03:00
ValdikSS
ad60d30caa Fix fake packet handling without other modifying parameters 
Fixes #150
 2021-12-24 21:30:15 +03:00
ValdikSS
505b8bf516 Merge pull request #171 from msekmfb/master 
Add PowerTunnel for Android to similar projects
 2020-03-08 14:38:40 +03:00
msekmfb
0c04f201eb Add PowerTunnel for Android to similar projects 2020-03-08 11:11:35 +03:00
ValdikSS
19b777cdb2 Update README.md 
Add PowerTunnel (manual merge of #168)
 2020-02-09 22:24:43 +03:00
ValdikSS
b69ab64d5d Update README.md 2020-02-09 19:22:30 +03:00
ValdikSS
b5d75a6c8e Version v0.1.6 2019-10-31 22:36:29 +03:00
ValdikSS
f2de8fce8d Fake Request Mode 2019-10-31 22:36:12 +03:00
ValdikSS
2b3e4a4683 Merge pull request #135 from alisharifi76/master 
Add 'GreenTunnel' to 'Similar projects' section.
 2019-04-03 01:33:02 +03:00
alisharifi76
7e2f782376 Add 'GreenTunnel' to 'Similar projects' section. 2019-03-29 22:32:05 +04:30
ValdikSS
7a0b8f5229 Update issue templates 2019-02-18 01:33:03 +03:00
ValdikSS
f569c64aca Update issue templates 2019-02-18 01:25:06 +03:00
ValdikSS
5459181fca Merge pull request #121 from drogga/patch-1 
Update README.md
 2019-01-31 15:29:18 +03:00
drogga
23485b67b4 Update README.md 
add KB3033929 download link for Windows 7 x64
 2019-01-31 21:23:41 +09:00
KOLANICH
ff4c11a6eb Integers fixes (with small modifications), closes #84 
Signed-off-by: ValdikSS <iam@valdikss.org.ru>
 2019-01-03 19:31:32 +03:00
ValdikSS
1c7fe5f843 Use newlines for current options information 2019-01-03 16:10:26 +03:00
ValdikSS
46db057662 Add version number into greeting message 2019-01-03 16:10:26 +03:00
ValdikSS
b95c45ee62 Update README.md 2018-10-14 18:24:36 +03:00
ValdikSS
39507e66e0 Update README.md 2018-07-24 15:54:55 +03:00
ValdikSS
c4d0ba1297 Skip impostor and loopback packets. Fixes #53. 2018-07-24 15:49:50 +03:00
ValdikSS
d6c2b825aa Update README.md 2018-07-20 16:37:19 +03:00
ValdikSS
aad03f2e4a Enable PIE, High Entropy ASLR and add more warnings to Makefile 2018-07-19 21:31:38 +03:00
ValdikSS
a028cb01f4 WinDivert 1.4 support 2018-07-19 21:31:38 +03:00
ValdikSS
38b1ff1a92 Fix -f and -e options 2018-07-19 21:31:37 +03:00
ValdikSS
3bd92d67ac Merge pull request #83 from KOLANICH/editorconfig 
Added .editorconfig
 2018-06-26 22:08:15 +03:00
KOLANICH
464bbcbb6b Added .editorconfig 2018-05-16 18:35:31 +03:00
ValdikSS
50e70ace76 Handle HTTP redirects within IPv6 Flow Label = 0x00 packets 2018-02-17 18:26:16 +03:00
ValdikSS
135c97ae69 Move program source code to src directory 2018-02-17 15:22:38 +03:00
ValdikSS
c377119136 Update README.md 2018-02-17 15:21:51 +03:00
ValdikSS
185a0e0211 Merge branch 'ipv6' into masterv6 2018-02-16 23:36:26 +03:00
ValdikSS
860f483ac3 IPv6 DNS redirection 2018-02-16 19:45:55 +03:00
ValdikSS
3d36127f5b Handle IPv6 packets and prepare for IPv6 DNS redirection 2018-02-16 17:35:24 +03:00
ValdikSS
aa28d3e12a Make sure to search DLLs only in safe path, not in current working dir 2018-02-15 15:41:28 +03:00
ValdikSS
dc4d0a36d9 Update README.md 2018-01-21 14:37:05 +03:00
ValdikSS
cc770d302c Add GoodbyeDPI Github link to the welcome message. 2018-01-21 14:36:41 +03:00
ValdikSS
2e23d93762 New option: --ip-id. Handles additional IP ID numbers of passive DPI. 2018-01-21 14:35:30 +03:00
ValdikSS
14ae107b53 Handle only IP IDs in [0x0; 0xF] (or→and) 2018-01-21 13:03:15 +03:00
ValdikSS
1bdfbb8c45 Move active filter template and passive filter to defines 2018-01-21 12:25:22 +03:00
ValdikSS
5eddb5f18a Fix crash on error (free→LocalFree) and print KB3033929 message 2018-01-21 01:28:17 +03:00
ValdikSS
f638e23ab6 Fix build with -DDEBUG 2018-01-21 01:27:55 +03:00
ValdikSS
8e7f4ff505 Properly exclude Teredo 2017-12-25 00:05:28 +03:00
ValdikSS
bb8fc64f18 Handle ip.id up to 0xF. 
Some DPI send several TCP RST or HTTP redirection packets with
increasing IP ID number. Handle them all.
 2017-12-24 20:37:49 +03:00
ValdikSS
490525387d Remove unused string 2017-12-24 20:28:25 +03:00
ValdikSS
5e9e1f0eb6 Preliminary IPv6 support. 
No IPv6 support in DNS redirection code. IPv6 DNS request packets
would be dropped.
 2017-12-24 20:21:32 +03:00
ValdikSS
3ffce30871 Minor modifications. 
* puts() instead of printf("%s")
* strdup() instead of malloc + strcpy
 2017-12-24 20:19:18 +03:00
ValdikSS
eaac2d1a80 Minor service fixes 2017-12-21 23:52:23 +03:00
ValdikSS
ccd21a4281 ntohs -> htons (they produce the same output, but still) 2017-12-21 23:50:07 +03:00
ValdikSS
23babdc8fa Windows Service support. 
Program can now be started as a Windows Service. No additional
arguments needed. Refer to `service_install` and `service_remove`
scripts in released zip file.
 2017-12-20 17:03:22 +03:00
ValdikSS
95765f3ed9 Store fragment_size_message as a pointer 2017-12-20 17:01:21 +03:00
ValdikSS
a5b185c2a9 Set proper options if started without arguments 2017-12-20 12:36:21 +03:00
ValdikSS
c9cd3ac8c7 Fix signed/unsigned integer comparison warning for HTTP fragmentation 2017-12-20 04:05:28 +03:00
ValdikSS
fab9662ac9 Use WinDivert TCP Header structure to change Window Size 2017-12-20 04:04:40 +03:00
ValdikSS
a88ab4337e Apply HTTP Persistent fragmentation only for sufficiently large packets 2017-12-20 03:33:30 +03:00
ValdikSS
582503452f Implement TCP fragmentation for HTTP Persistent (keep-alive) sessions. 
New option `-k` splits HTTP request into two segments, and either
send only the first one (Windows would retransmit the other one
based on ACK number in ACK reply) or both (with `-n` enabled).

This fixes behaviour on some DPI which trace persistent sessions
but do not reassemble packages.
 2017-12-20 02:10:59 +03:00
ValdikSS
03e36b968a Free allocated error message string 2017-12-20 01:48:38 +03:00
ValdikSS
312d2b1d55 Remove unused IPV4_TOTALLEN_OFFSET 2017-12-20 01:48:20 +03:00
ValdikSS
6827b6ad51 Do not add hostnames less than 4 characters long 2017-12-17 01:46:32 +03:00
ValdikSS
60e87f769a Minor modifications 2017-12-17 00:28:11 +03:00
ValdikSS
bfed8638e5 Implement blacklist. 
Only domains and subdomains from the blacklist file would be processed
with HTTP modifications. Does not affect HTTPS data.
 2017-12-17 00:26:11 +03:00
ValdikSS
72516c0b2b Add information about --dns-verb option 2017-12-16 20:24:40 +03:00
ValdikSS
f11ca2400c Fix memory leak in dnsredir 2017-12-16 17:53:06 +03:00
ValdikSS
dd4d6bc5c6 Do not print DNS warnings by default and drop duplicate requests. 
Windows is known to use all available interfaces for DNS requests,
which is handled as a duplicate (retransmission) in dns redirector.

It's safe to just drop these duplicates.
 2017-12-16 14:30:42 +03:00
R4SAS
30bb1a665a make it more usable with MSYS and linux MinGW both (#48) 
* make it more usable

* update README
 2017-12-13 18:13:54 +04:00
ValdikSS
5f231996d4 Fix incorrect host header memmove()s. Fixes #47 2017-12-13 01:42:29 +03:00
30 changed files with 2807 additions and 883 deletions
Expand all files Collapse all files

8
.editorconfig Normal file
View File

@@ -0,0 +1,8 @@
root = true
[*]
charset = utf-8
indent_style = space
indent_size = 4
insert_final_newline = true
end_of_line = lf

47
.github/ISSUE_TEMPLATE/bug.yml vendored Normal file
View File

@@ -0,0 +1,47 @@
name: Bug Report / Сообщение об ошибке
description: File a bug report / Сообщить об ошибке в проекте
body:
- type: markdown
attributes:
value: |
Please pay some attention!
GoodbyeDPI does not guarantee to work on your ISP on 100% or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it.
Please report software bugs, such as: website incompatibility (if the website works without GoodbyeDPI but breaks with GoobyeDPI enabled), antivirus incompatibility, DNS redirection problems, incorrect packet handling, and other software issues.
Please make sure to check other opened and closed issues, it could be your question or issue has been already discussed.
Пожалуйста, прочтите!
GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу вообще. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
Сообщайте только об ошибках в программе, таких как: некорректная работа с веб-сайтами (когда веб-сайт работает без GoodbyeDPI, но ломается с GoodbyeDPI), несовместимость с антивирусами, проблемы с перенаправлением DNS, некорректная обработка пакетов, и другие проблемы.
Также посмотрите другие открытые и закрытые баги. Возможно, ваш вопрос или проблема уже обсуждались.
- type: input
id: os
attributes:
label: Operating system / операционная система
description: Enter your Windows version. For Windows 10 and 11 include build/update number.
placeholder: ex. Windows 10 20H2
validations:
required: true
- type: dropdown
id: is-svc
attributes:
label: Running as service / Запуск программы как сервис
description: Do you use GoodbyeDPI as a Windows Service?
options:
- I run it as a regular program / Запускаю программу обычным образом
- I installed it as a service / Установил как сервис Windows
validations:
required: true
- type: textarea
id: what-happened
attributes:
label: Describe the issue / Опишите проблему
description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается проблема
placeholder: Attach the screenshots for clarity / При необходимости приложите скриншоты
validations:
required: true
- type: textarea
id: additional-info
attributes:
label: Additional information / Дополнительная информация
description: If you have a hints on why this bug happens, you can express it here / Если у вас есть предположения об источнике бага, вы можете изложить их здесь

5
.github/ISSUE_TEMPLATE/config.yml vendored Normal file
View File

@@ -0,0 +1,5 @@
blank_issues_enabled: false
contact_links:
- name: Questions about the program / Вопросы по програме
url: https://ntc.party/c/community-software/goodbyedpi/8
about: Please ask and answer questions on forum / Пожалуйста, задавайте вопросы только на форуме

15
.github/ISSUE_TEMPLATE/feature.yml vendored Normal file
View File

@@ -0,0 +1,15 @@
name: Feature request / Предложить новую функциональность
description: Suggest an idea or function for this project / Предложить новую идею или функциональность в программе
body:
- type: markdown
attributes:
value: |
If you think of a great function or circumvention method which is missing from the program, go ahead and suggest it here.
Если вы придумали новую функцию или метод обхода, которого еще нет в программе, напишите о нем подробнее здесь.
- type: textarea
id: description
attributes:
label: Describe your feature / Опишите ваше предложение
validations:
required: true

76
.github/workflows/build.yml vendored Normal file
View File

@@ -0,0 +1,76 @@
name: Build GoodbyeDPI
on:
push:
paths:
- 'src/**'
env:
WINDIVERT_URL: https://www.reqrypt.org/download/WinDivert-1.4.3-A.zip
WINDIVERT_NAME: WinDivert-1.4.3-A.zip
WINDIVERT_SHA256: 4084bc3931f31546d375ed89e3f842776efa46f321ed0adcd32d3972a7d02566
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Declare short commit variable
id: vars
run: |
echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
- name: Install MinGW-w64
run: >
sudo rm /var/lib/man-db/auto-update &&
sudo DEBIAN_FRONTEND=noninteractive XZ_DEFAULTS="-T0" XZ_OPT="-T0" eatmydata
apt install -y --no-install-recommends gcc-mingw-w64
- name: Download WinDivert from cache
id: windivert-cache
uses: actions/cache@v2
with:
path: ${{ env. WINDIVERT_NAME }}
key: ${{ env. WINDIVERT_SHA256 }}
- name: Download WinDivert from the website
if: steps.windivert-cache.outputs.cache-hit != 'true'
run: >
wget ${{ env. WINDIVERT_URL }} &&
(echo ${{ env. WINDIVERT_SHA256 }} ${{ env. WINDIVERT_NAME }} | sha256sum -c)
- name: Unpack WinDivert
run: unzip ${{ env. WINDIVERT_NAME }}
- name: Compile x86_64
run: >
cd src && make clean &&
make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=../WinDivert-1.4.3-A/include WINDIVERTLIBS=../WinDivert-1.4.3-A/x86_64 -j4
- name: Prepare x86_64 directory
run: |
mkdir goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
cp src/goodbyedpi.exe WinDivert-1.4.3-A/x86_64/*.{dll,sys} goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
- name: Upload output file x86_64 (64 bit)
uses: actions/upload-artifact@v2
with:
name: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
path: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
- name: Compile i686
run: >
cd src && make clean &&
make CPREFIX=i686-w64-mingw32- WINDIVERTHEADERS=../WinDivert-1.4.3-A/include WINDIVERTLIBS=../WinDivert-1.4.3-A/x86 -j4
- name: Prepare x86 directory
run: |
mkdir goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
cp src/goodbyedpi.exe WinDivert-1.4.3-A/x86/*.{dll,sys} goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
- name: Upload output file x86
uses: actions/upload-artifact@v2
with:
name: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
path: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}

34
Makefile
View File

@@ -1,34 +0,0 @@
CPREFIX = x86_64-w64-mingw32
WINDIVERTHEADERS = ../../include
WINDIVERTLIBS = ../binary
TARGET = goodbyedpi.exe
LIBS = -L $(WINDIVERTLIBS) -lWinDivert -lws2_32
CC = $(CPREFIX)-gcc
CCWINDRES = $(CPREFIX)-windres
CFLAGS = -Wall -I $(WINDIVERTHEADERS) -L $(WINDIVERTLIBS) \
-O2 -pie -fPIE -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
LDFLAGS = -pie
.PHONY: default all clean
default: manifest $(TARGET)
all: default
OBJECTS = $(patsubst %.c, %.o, $(wildcard *.c)) goodbyedpi-rc.o
HEADERS = $(wildcard *.h)
%.o: %.c $(HEADERS)
$(CC) $(CFLAGS) -c $< -o $@
manifest:
$(CCWINDRES) goodbyedpi-rc.rc goodbyedpi-rc.o
.PRECIOUS: $(TARGET) $(OBJECTS)
$(TARGET): $(OBJECTS)
$(CC) $(OBJECTS) -Wall $(LIBS) -s -o $@
clean:
-rm -f *.o
-rm -f $(TARGET)

122
README.md
View File

@@ -1,11 +1,19 @@
GoodbyeDPI — Passive Deep Packet Inspection blocker and Active DPI circumvention utility GoodbyeDPI — Deep Packet Inspection circumvention utility
========================= =========================
This software designed to bypass Deep Packet Inspection systems found in many Internet Service Providers which block access to certain websites. This software designed to bypass Deep Packet Inspection systems found in many Internet Service Providers which block access to certain websites.
It handles DPI connected using optical splitter or port mirroring (**Passive DPI**) which do not block any data but just replying faster than requested destination, and **Active DPI** connected in sequence. It handles DPI connected using optical splitter or port mirroring (**Passive DPI**) which do not block any data but just replying faster than requested destination, and **Active DPI** connected in sequence.
**Windows 7, 8, 8.1 and 10** with administrator privileges required. **Windows 7, 8, 8.1, 10 or 11** with administrator privileges required.
# Quick start
* **For Russia**: Download [latest version from Releases page](https://github.com/ValdikSS/GoodbyeDPI/releases), unpack the file and run **1_russia_blacklist_dnsredir.cmd** script.
* For other countries: Download [latest version from Releases page](https://github.com/ValdikSS/GoodbyeDPI/releases), unpack the file and run **2_any_country_dnsredir.cmd**.
These scripts launch GoodbyeDPI in recommended mode with DNS resolver redirection to Yandex DNS on non-standard port (to prevent DNS poisoning).
If it works — congratulations! You can use it as-is or configure further.
# How to use # How to use
@@ -17,43 +25,87 @@ Usage: goodbyedpi.exe [OPTION...]
-r replace Host with hoSt -r replace Host with hoSt
-s remove space between host header and its value -s remove space between host header and its value
-m mix Host header case (test.com -> tEsT.cOm) -m mix Host header case (test.com -> tEsT.cOm)
-f [value] set HTTP fragmentation to value -f <value> set HTTP fragmentation to value
-e [value] set HTTPS fragmentation to value -k <value> enable HTTP persistent (keep-alive) fragmentation and set it to value
-n do not wait for first segment ACK when -k is enabled
-e <value> set HTTPS fragmentation to value
-a additional space between Method and Request-URI (enables -s, may break sites) -a additional space between Method and Request-URI (enables -s, may break sites)
-w try to find and parse HTTP traffic on all processed ports (not only on port 80) -w try to find and parse HTTP traffic on all processed ports (not only on port 80)
--port additional TCP port to perform fragmentation on (and HTTP tricks with -w) --port <value> additional TCP port to perform fragmentation on (and HTTP tricks with -w)
--dns-addr redirect UDP DNS requests to the supplied IP address (experimental) --ip-id <value> handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
--dns-port redirect UDP DNS requests to the supplied port (53 by default) This option can be supplied multiple times.
--dns-addr <value> redirect UDP DNS requests to the supplied IP address (experimental)
--dns-port <value> redirect UDP DNS requests to the supplied port (53 by default)
--dnsv6-addr <value> redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)
--dnsv6-port <value> redirect UDPv6 DNS requests to the supplied port (53 by default)
--dns-verb print verbose DNS redirection messages
--blacklist <txtfile> perform circumvention tricks only to host names and subdomains from
supplied text file (HTTP Host/TLS SNI).
This option can be supplied multiple times.
--allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.
--set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.
DANGEROUS! May break websites in unexpected ways. Use with care.
--auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease
it based on a distance. If the distance is shorter than a2, TTL is decreased
by a2. If it's longer, (a1; a2) scale is used with the distance as a weight.
If the resulting TTL is more than m(ax), set it to m.
Default (if set): --auto-ttl 1-4-10. Also sets --min-ttl 3.
--min-ttl <value> minimum TTL distance (128/64 - TTL) for which to send Fake Request
in --set-ttl and --auto-ttl modes.
--wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.
May not work in a VM or with some routers, but is safer than set-ttl.
--wrong-seq activate Fake Request Mode and send it with TCP SEQ/ACK in the past.
--native-frag fragment (split) the packets by sending them in smaller packets, without
shrinking the Window Size. Works faster (does not slow down the connection)
and better.
--reverse-frag fragment (split) the packets just as --native-frag, but send them in the
reversed order. Works with the websites which could not handle segmented
HTTPS TLS ClientHello (because they receive the TCP flow "combined").
--max-payload [value] packets with TCP payload data more than [value] won't be processed.
Use this option to reduce CPU usage by skipping huge amount of data
(like file transfers) in already established sessions.
May skip some huge HTTP requests from being processed.
-1 -p -r -s -f 2 -e 2 (most compatible mode, default)
-2 -p -r -s -f 2 -e 40 (better speed yet still compatible) LEGACY modesets:
-3 -p -r -s -e 40 (even better speed) -1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode)
-2 -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)
-3 -p -r -s -e 40 (better speed for HTTP and HTTPS)
-4 -p -r -s (best speed) -4 -p -r -s (best speed)
Modern modesets (more stable, more compatible, faster):
-5 -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)
-6 -f 2 -e 2 --wrong-seq --reverse-frag
``` ```
Try to run `goodbyedpi.exe -1 -a -m --dns-addr 77.88.8.8 --dns-port 1253` first. This is the most hardcore mode which will show if this program is suitable for your ISP and DPI vendor. If you can open blocked websites with these options, it means your ISP has DPI which can be circumvented. This is the slowest and prone to break websites mode, but suitable for most DPI. To check if your ISP's DPI could be circumvented, first make sure that your provider does not poison DNS answers by enabling "Secure DNS (DNS over HTTPS)" option in your browser.
Try `-1` to see if it works too. * **Chrome**: Settings → [Privacy and security](chrome://settings/security) → Use secure DNS → With: NextDNS
* **Firefox**: [Settings](about:preferences) → Network Settings → Enable DNS over HTTPS → Use provider: NextDNS
Then try `goodbyedpi.exe -2`. It should be faster for HTTPS sites. Mode `-3` speed ups HTTP websites. Then run the `goodbyedpi.exe` executable without any options. If it works — congratulations! You can use it as-is or configure further, for example by using `--blacklist` option if the list of blocked websites is known and available for your country.
Use `goodbyedpi.exe -4` if it works for your ISP's DPI. This is the fastest mode but not compatible with every DPI. If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resover running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications.
Check the .cmd scripts and modify it according to your preference and network conditions.
# How does it work # How does it work
### Passive DPI ### Passive DPI
Most Passive DPI send HTTP 302 Redirect if you try to access blocked website over HTTP and TCP Reset in case of HTTPS, faster than destination website. Packets sent by DPI always have IP Identification field equal to `0x0000` or `0x0001`, as seen with Russian providers. These packets, if they redirect you to another website (censorship page), are blocked by GoodbyeDPI. Most Passive DPI send HTTP 302 Redirect if you try to access blocked website over HTTP and TCP Reset in case of HTTPS, faster than destination website. Packets sent by DPI usually have IP Identification field equal to `0x0000` or `0x0001`, as seen with Russian providers. These packets, if they redirect you to another website (censorship page), are blocked by GoodbyeDPI.
### Active DPI ### Active DPI
Active DPI is more tricky to fool. Currently the software uses 4 methods to circumvent Active DPI: Active DPI is more tricky to fool. Currently the software uses 7 methods to circumvent Active DPI:
* TCP-level fragmentation for first data packet * TCP-level fragmentation for first data packet
* TCP-level fragmentation for persistent (keep-alive) HTTP sessions
* Replacing `Host` header with `hoSt` * Replacing `Host` header with `hoSt`
* Removing space between header name and value in `Host` header * Removing space between header name and value in `Host` header
* Adding additional space between HTTP Method (GET, POST etc) and URI * Adding additional space between HTTP Method (GET, POST etc) and URI
* Mixing case of Host header value * Mixing case of Host header value
* Sending fake HTTP/HTTPS packets with low Time-To-Live value, incorrect checksum or incorrect TCP Sequence/Acknowledgement numbers to fool DPI and prevent delivering them to the destination
These methods should not break any website as they're fully compatible with TCP and HTTP standards, yet it's sufficient to prevent DPI data classification and to circumvent censorship. Additional space may break some websites, although it's acceptable by HTTP/1.1 specification (see 19.3 Tolerant Applications). These methods should not break any website as they're fully compatible with TCP and HTTP standards, yet it's sufficient to prevent DPI data classification and to circumvent censorship. Additional space may break some websites, although it's acceptable by HTTP/1.1 specification (see 19.3 Tolerant Applications).
@@ -65,38 +117,32 @@ This project can be build using **GNU Make** and [**mingw**](https://mingw-w64.o
To build x86 exe run: To build x86 exe run:
`make CPREFIX=i686-w64-mingw32 WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/x86` `make CPREFIX=i686-w64-mingw32- WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/x86`
And for x86_64: And for x86_64:
`make CPREFIX=x86_64-w64-mingw32 WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/amd64` `make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/amd64`
# How to install as Windows Service # How to install as Windows Service
One way is using an [srvstart](http://www.rozanski.org.uk/software) program. Check examples in `service_install_russia_blacklist.cmd`, `service_install_russia_blacklist_dnsredir.cmd` and `service_remove.cmd` scripts.
Unpack it to `goodbyedpi` directory and create 3 files:
Modify them according to your own needs.
# Known issues
* Horribly outdated Windows 7 installations are not able to load WinDivert driver due to missing support for SHA256 digital signatures. Install KB3033929 [x86](https://www.microsoft.com/en-us/download/details.aspx?id=46078)/[x64](https://www.microsoft.com/en-us/download/details.aspx?id=46148), or better, update the whole system using Windows Update.
* ~~Some SSL/TLS stacks unable to process fragmented ClientHello packets, and HTTPS websites won't open. Bug: [#4](https://github.com/ValdikSS/GoodbyeDPI/issues/4), [#64](https://github.com/ValdikSS/GoodbyeDPI/issues/64).~~ Fragmentation issues are fixed in v0.1.7.
* ~~ESET Antivirus is incompatible with WinDivert driver [#91](https://github.com/ValdikSS/GoodbyeDPI/issues/91). This is most probably antivirus bug, not WinDivert.~~
*goodbyedpi.ini*
```INI
[GoodByeDPI]
startup=goodbyedpi.exe
shutdown_method=winmessage
auto_restart=n
```
*srvinstall.bat*
```Batchfile
srvstart install GoodByeDPI -c %CD%\goodbyedpi.ini
```
*srvremove.bat*
```Batchfile
srvstart remove GoodByeDPI
```
Run these batch files as Administrator to install/remove service.
Open Windows Services panel to run service or make it start automaticaly.
# Similar projects # Similar projects
[zapret](https://github.com/bol-van/zapret) by @bol-van (for Linux). - **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for Linux).
- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows).
- **[DPITunnel](https://github.com/zhenyolka/DPITunnel)** by @zhenyolka (for Android).
- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux).
- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android).
# Kudos # Kudos

19
dnsredir.h
View File

@@ -1,19 +0,0 @@
#include <stdint.h>
typedef struct conntrack_info {
uint32_t srcip;
uint16_t srcport;
uint32_t dstip;
uint16_t dstport;
} conntrack_info_t;
int dns_handle_incoming(const uint32_t srcip, const uint16_t srcport,
const uint32_t dstip, const uint16_t dstport,
const char *packet_data, const UINT packet_dataLen,
conntrack_info_t *conn_info);
int dns_handle_outgoing(const uint32_t srcip, const uint16_t srcport,
const uint32_t dstip, const uint16_t dstport,
const char *packet_data, const UINT packet_dataLen);
void flush_dns_cache();

619
goodbyedpi.c
View File

@@ -1,619 +0,0 @@
/*
* GoodbyeDPI — Passive DPI blocker and Active DPI circumvention utility.
*/
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>
#include <getopt.h>
#include "windivert.h"
#include "dnsredir.h"
#define die() do { printf("Something went wrong!\n" \
"Make sure you're running this program with administrator privileges\n"); \
sleep(10); exit(EXIT_FAILURE); } while (0)
#define MAX_FILTERS 4
#define MAX_PACKET_SIZE 9016
#define IPV4_HDR_LEN 20
#define TCP_HDR_LEN 20
#define IPV4_TOTALLEN_OFFSET 2
#define TCP_WINDOWSIZE_OFFSET 14
#define HOST_MAXLEN 253
#define DIVERT_NO_LOCALNETS_DST "(" \
"(ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and " \
"(ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and " \
"(ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and " \
"(ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and " \
"(ip.DstAddr < 169.254.0.0 or ip.DstAddr > 169.254.255.255)" \
")"
#define DIVERT_NO_LOCALNETS_SRC "(" \
"(ip.SrcAddr < 127.0.0.1 or ip.SrcAddr > 127.255.255.255) and " \
"(ip.SrcAddr < 10.0.0.0 or ip.SrcAddr > 10.255.255.255) and " \
"(ip.SrcAddr < 192.168.0.0 or ip.SrcAddr > 192.168.255.255) and " \
"(ip.SrcAddr < 172.16.0.0 or ip.SrcAddr > 172.31.255.255) and " \
"(ip.SrcAddr < 169.254.0.0 or ip.SrcAddr > 169.254.255.255)" \
")"
static HANDLE filters[MAX_FILTERS];
static int filter_num = 0;
static const char *http10_redirect_302 = "HTTP/1.0 302 ";
static const char *http11_redirect_302 = "HTTP/1.1 302 ";
static const char *http_host_find = "\r\nHost: ";
static const char *http_host_replace = "\r\nhoSt: ";
static const char *http_useragent_find = "\r\nUser-Agent: ";
static const char *location_http = "\r\nLocation: http://";
static const char *connection_close = "\r\nConnection: close";
static const char *http_methods[] = {
"GET ",
"HEAD ",
"POST ",
"PUT ",
"DELETE ",
"CONNECT ",
"OPTIONS ",
};
static struct option long_options[] = {
{"port", required_argument, 0, 'z' },
{"dns-addr", required_argument, 0, 'd' },
{"dns-port", required_argument, 0, 'g' },
{0, 0, 0, 0 }
};
static char *filter_string = NULL;
static char *filter_string_template = "(ip and tcp and "
"(inbound and (("
"((ip.Id == 0x0001 or ip.Id == 0x0000) and tcp.SrcPort == 80 and tcp.Ack) or "
"((tcp.SrcPort == 80 or tcp.SrcPort == 443) and tcp.Ack and tcp.Syn)"
") and " DIVERT_NO_LOCALNETS_SRC ") or "
"(outbound and "
"(tcp.DstPort == 80 or tcp.DstPort == 443) and tcp.Ack and "
DIVERT_NO_LOCALNETS_DST ")"
"))";
static void add_filter_str(int proto, int port) {
const char *udp = " or (ip and udp and (udp.SrcPort == %d or udp.DstPort == %d))";
const char *tcp = " or (ip and tcp and (tcp.SrcPort == %d or tcp.DstPort == %d))";
char *current_filter = filter_string;
int new_filter_size = strlen(current_filter) +
(proto == IPPROTO_UDP ? strlen(udp) : strlen(tcp)) + 16;
char *new_filter = malloc(new_filter_size);
strcpy(new_filter, current_filter);
if (proto == IPPROTO_UDP)
sprintf(&(new_filter[strlen(new_filter)]), udp, port, port);
else
sprintf(&(new_filter[strlen(new_filter)]), tcp, port, port);
filter_string = new_filter;
free(current_filter);
}
static char* dumb_memmem(const char* haystack, int hlen, const char* needle, int nlen) {
// naive implementation
if (nlen > hlen) return NULL;
int i;
for (i=0; i<hlen-nlen+1; i++) {
if (memcmp(haystack+i,needle,nlen)==0) {
return (char*)(haystack+i);
}
}
return NULL;
}
static HANDLE init(char *filter, UINT64 flags) {
LPTSTR errormessage = NULL;
filter = WinDivertOpen(filter, WINDIVERT_LAYER_NETWORK, 0, flags);
if (filter != INVALID_HANDLE_VALUE)
return filter;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL, GetLastError(), MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT),
(LPTSTR)&errormessage, 0, NULL);
printf("%s", errormessage);
return NULL;
}
static int deinit(HANDLE handle) {
if (handle) {
WinDivertClose(handle);
return TRUE;
}
return FALSE;
}
static void deinit_all() {
for (int i = 0; i < filter_num; i++) {
deinit(filters[i]);
}
}
static void sigint_handler(int sig) {
deinit_all();
exit(EXIT_SUCCESS);
}
static void mix_case(char *pktdata, int pktlen) {
int i;
if (pktlen <= 0) return;
for (i = 0; i < pktlen; i++) {
if (i % 2) {
pktdata[i] = toupper(pktdata[i]);
}
}
}
static int is_passivedpi_redirect(const char *pktdata, int pktlen) {
/* First check if this is HTTP 302 redirect */
if (memcmp(pktdata, http11_redirect_302, strlen(http11_redirect_302)) == 0 ||
memcmp(pktdata, http10_redirect_302, strlen(http10_redirect_302)) == 0)
{
/* Then check if this is a redirect to new http site with Connection: close */
if (dumb_memmem(pktdata, pktlen, location_http, strlen(location_http)) &&
dumb_memmem(pktdata, pktlen, connection_close, strlen(connection_close))) {
return TRUE;
}
}
return FALSE;
}
static int find_header_and_get_info(const char *pktdata, int pktlen,
const char *hdrname,
char **hdrnameaddr,
char **hdrvalueaddr, int *hdrvaluelen) {
char *data_addr_rn;
char *hdr_begin;
*hdrvaluelen = 0;
*hdrnameaddr = NULL;
*hdrvalueaddr = NULL;
/* Search for the header */
hdr_begin = dumb_memmem(pktdata, pktlen,
hdrname, strlen(hdrname));
if (!hdr_begin) return FALSE;
if ((PVOID)pktdata > (PVOID)hdr_begin) return FALSE;
/* Set header address */
*hdrnameaddr = hdr_begin;
*hdrvalueaddr = (PVOID)hdr_begin + strlen(hdrname);
/* Search for header end (\r\n) */
data_addr_rn = dumb_memmem(*hdrvalueaddr,
pktlen - ((PVOID)*hdrvalueaddr - (PVOID)pktdata),
"\r\n", 2);
if (data_addr_rn) {
*hdrvaluelen = (PVOID)data_addr_rn - (PVOID)*hdrvalueaddr;
if (*hdrvaluelen > 0 && *hdrvaluelen <= 512)
return TRUE;
}
return FALSE;
}
static void change_window_size(const char *pkt, int size) {
if (size >= 1 && size <= 65535) {
*(uint16_t*)(pkt + IPV4_HDR_LEN + TCP_WINDOWSIZE_OFFSET) = htons(size);
}
}
/* HTTP method end without trailing space */
static PVOID find_http_method_end(const char *pkt, int offset) {
int i;
for (i = 0; i<(sizeof(http_methods) / sizeof(*http_methods)); i++) {
if (memcmp(pkt, http_methods[i], strlen(http_methods[i])) == 0) {
return (char*)pkt + strlen(http_methods[i]) - 1;
}
/* Try to find HTTP method in a second part of fragmented packet */
if ((offset == 1 || offset == 2) &&
memcmp(pkt, http_methods[i] + offset,
strlen(http_methods[i]) - offset) == 0
)
{
return (char*)pkt + strlen(http_methods[i]) - offset - 1;
}
}
return NULL;
}
int main(int argc, char *argv[]) {
static const char fragment_size_message[] =
"Fragment size should be in range [0 - 65535]\n";
int i, should_reinject, should_recalc_checksum = 0;
int opt;
HANDLE w_filter = NULL;
WINDIVERT_ADDRESS addr;
char packet[MAX_PACKET_SIZE];
PVOID packet_data;
UINT packetLen;
UINT packet_dataLen;
PWINDIVERT_IPHDR ppIpHdr;
PWINDIVERT_TCPHDR ppTcpHdr;
PWINDIVERT_UDPHDR ppUdpHdr;
conntrack_info_t dns_conn_info;
int do_passivedpi = 0, do_fragment_http = 0,
do_fragment_https = 0, do_host = 0,
do_host_removespace = 0, do_additional_space = 0,
do_http_allports = 0,
do_host_mixedcase = 0, do_dns_redirect = 0;
int http_fragment_size = 2;
int https_fragment_size = 2;
uint32_t dns_addr = 0;
uint16_t dns_port = htons(53);
char *host_addr, *useragent_addr, *method_addr;
int host_len, useragent_len;
char *hdr_name_addr = NULL, *hdr_value_addr = NULL;
int hdr_value_len;
if (filter_string == NULL) {
filter_string = malloc(strlen(filter_string_template) + 1);
strcpy(filter_string, filter_string_template);
}
printf("GoodbyeDPI: Passive DPI blocker and Active DPI circumvention utility\n");
if (argc == 1) {
/* enable mode -1 by default */
do_passivedpi = do_host = do_host_removespace \
= do_fragment_http = do_fragment_https = 1;
}
while ((opt = getopt_long(argc, argv, "1234prsaf:e:mw", long_options, NULL)) != -1) {
switch (opt) {
case '1':
do_passivedpi = do_host = do_host_removespace \
= do_fragment_http = do_fragment_https = 1;
break;
case '2':
do_passivedpi = do_host = do_host_removespace \
= do_fragment_http = do_fragment_https = 1;
https_fragment_size = 40;
break;
case '3':
do_passivedpi = do_host = do_host_removespace \
= do_fragment_https = 1;
https_fragment_size = 40;
case '4':
do_passivedpi = do_host = do_host_removespace = 1;
break;
case 'p':
do_passivedpi = 1;
break;
case 'r':
do_host = 1;
break;
case 's':
do_host_removespace = 1;
break;
case 'a':
do_additional_space = 1;
do_host_removespace = 1;
break;
case 'm':
do_host_mixedcase = 1;
break;
case 'f':
do_fragment_http = 1;
http_fragment_size = atoi(optarg);
if (http_fragment_size <= 0 || http_fragment_size > 65535) {
printf(fragment_size_message);
exit(EXIT_FAILURE);
}
break;
case 'e':
do_fragment_https = 1;
https_fragment_size = atoi(optarg);
if (https_fragment_size <= 0 || https_fragment_size > 65535) {
printf(fragment_size_message);
exit(EXIT_FAILURE);
}
break;
case 'w':
do_http_allports = 1;
break;
case 'z':
/* i is used as a temporary variable here */
i = atoi(optarg);
if (i <= 0 || i > 65535) {
printf("Port parameter error!\n");
exit(EXIT_FAILURE);
}
if (i != 80 && i != 443)
add_filter_str(IPPROTO_TCP, i);
i = 0;
break;
case 'd':
if (!do_dns_redirect) {
do_dns_redirect = 1;
dns_addr = inet_addr(optarg);
if (!dns_addr) {
printf("DNS address parameter error!\n");
exit(EXIT_FAILURE);
}
add_filter_str(IPPROTO_UDP, 53);
flush_dns_cache();
}
break;
case 'g':
if (!do_dns_redirect) {
printf("--dns-port should be used with --dns-addr!\n"
"Make sure you use --dns-addr and pass it before "
"--dns-port\n");
exit(EXIT_FAILURE);
}
dns_port = atoi(optarg);
if (dns_port <= 0 || dns_port > 65535) {
printf("DNS port parameter error!\n");
exit(EXIT_FAILURE);
}
if (dns_port != 53) {
add_filter_str(IPPROTO_UDP, dns_port);
}
dns_port = ntohs(dns_port);
break;
default:
printf("Usage: goodbyedpi.exe [OPTION...]\n"
" -p block passive DPI\n"
" -r replace Host with hoSt\n"
" -s remove space between host header and its value\n"
" -a additional space between Method and Request-URI (enables -s, may break sites)\n"
" -m mix Host header case (test.com -> tEsT.cOm)\n"
" -f [value] set HTTP fragmentation to value\n"
" -e [value] set HTTPS fragmentation to value\n"
" -w try to find and parse HTTP traffic on all processed ports (not only on port 80)\n"
" --port additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n"
" --dns-addr redirect UDP DNS requests to the supplied IP address (experimental)\n"
" --dns-port redirect UDP DNS requests to the supplied port (53 by default)\n"
"\n"
" -1 -p -r -s -f 2 -e 2 (most compatible mode, default)\n"
" -2 -p -r -s -f 2 -e 40 (better speed yet still compatible)\n"
" -3 -p -r -s -e 40 (even better speed)\n"
" -4 -p -r -s (best speed)\n");
exit(EXIT_FAILURE);
}
}
printf("Block passive: %d, Fragment HTTP: %d, Fragment HTTPS: %d, "
"hoSt: %d, Host no space: %d, Additional space: %d, Mix Host: %d, "
"HTTP AllPorts: %d, DNS redirect: %d\n",
do_passivedpi, (do_fragment_http ? http_fragment_size : 0),
(do_fragment_https ? https_fragment_size : 0),
do_host, do_host_removespace, do_additional_space, do_host_mixedcase,
do_http_allports, do_dns_redirect
);
if (do_fragment_http && http_fragment_size > 2) {
printf("WARNING: HTTP fragmentation values > 2 are not fully compatible "
"with other options. Please use values <= 2 or disable HTTP fragmentation "
"completely.\n");
}
printf("\nOpening filter\n");
filter_num = 0;
if (do_passivedpi) {
/* IPv4 filter for inbound RST packets with ID = 0 or 1 */
filters[filter_num] = init(
"inbound and ip and tcp and "
"(ip.Id == 0x0001 or ip.Id == 0x0000) and "
"(tcp.SrcPort == 443 or tcp.SrcPort == 80) and tcp.Rst and "
DIVERT_NO_LOCALNETS_SRC,
WINDIVERT_FLAG_DROP);
filter_num++;
}
/*
* IPv4 filter for inbound HTTP redirection packets and
* active DPI circumvention
*/
filters[filter_num] = init(filter_string, 0);
w_filter = filters[filter_num];
filter_num++;
for (i = 0; i < filter_num; i++) {
if (filters[i] == NULL)
die();
}
printf("Filter activated!\n");
signal(SIGINT, sigint_handler);
while (1) {
if (WinDivertRecv(w_filter, packet, sizeof(packet), &addr, &packetLen)) {
//printf("Got %s packet, len=%d!\n", addr.Direction ? "inbound" : "outbound",
// packetLen);
should_reinject = 1;
should_recalc_checksum = 0;
if (WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen)) {
//printf("Got parsed packet, len=%d!\n", packet_dataLen);
/* Got a TCP packet WITH DATA */
/* Handle INBOUND packet with data and find HTTP REDIRECT in there */
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND && packet_dataLen > 16) {
/* If INBOUND packet with DATA (tcp.Ack) */
/* Drop packets from filter with HTTP 30x Redirect */
if (do_passivedpi && is_passivedpi_redirect(packet_data, packet_dataLen)) {
//printf("Dropping HTTP Redirect packet!\n");
should_reinject = 0;
}
}
/* Handle OUTBOUND packet on port 80, search for Host header */
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
packet_dataLen > 16 &&
(do_http_allports ? 1 : (ppTcpHdr->DstPort == htons(80))) &&
find_http_method_end(packet_data,
(do_fragment_http ? http_fragment_size : 0)) &&
(do_host || do_host_removespace || do_host_mixedcase))
{
/* Find Host header */
if (find_header_and_get_info(packet_data, packet_dataLen,
http_host_find, &hdr_name_addr, &hdr_value_addr, &hdr_value_len)) {
host_addr = hdr_value_addr;
host_len = hdr_value_len;
if (do_host_mixedcase && host_len > 0 && host_len <= HOST_MAXLEN) {
mix_case(host_addr, host_len);
should_recalc_checksum = 1;
}
if (do_host) {
/* Replace "Host: " with "hoSt: " */
memcpy(hdr_name_addr, http_host_replace, strlen(http_host_replace));
should_recalc_checksum = 1;
//printf("Replaced Host header!\n");
}
/* If removing space between host header and its value
* and adding additional space between Method and Request-URI */
if (do_additional_space && do_host_removespace) {
/* End of "Host:" without trailing space */
method_addr = find_http_method_end(packet_data,
(do_fragment_http ? http_fragment_size : 0));
if (method_addr) {
memmove(method_addr + 1, method_addr,
(PVOID)host_addr - (PVOID)method_addr - 1);
should_recalc_checksum = 1;
}
}
/* If just removing space between host header and its value */
else if (do_host_removespace) {
if (find_header_and_get_info(packet_data, packet_dataLen,
http_useragent_find, &hdr_name_addr,
&hdr_value_addr, &hdr_value_len))
{
useragent_addr = hdr_value_addr;
useragent_len = hdr_value_len;
/* We move Host header value by one byte to the left and then
* "insert" stolen space to the end of User-Agent value because
* some web servers are not tolerant to additional space in the
* end of Host header.
*
* Nothing is done if User-Agent header is missing.
*/
if (host_len > 0 && host_len <= HOST_MAXLEN &&
useragent_addr && useragent_len > 0) {
/* useragent_addr is in the beginning of User-Agent value */
if (useragent_addr > host_addr) {
/* Move one byte to the LEFT from "Host:"
* to the end of User-Agent
*/
memmove(host_addr - 1, host_addr, useragent_len);
host_addr -= 1;
/* Put space in the end of User-Agent header */
*(char*)((PVOID)useragent_addr + useragent_len - 1) = ' ';
should_recalc_checksum = 1;
//printf("Replaced Host header!\n");
}
else {
/* User-Agent goes BEFORE Host header */
/* Move one byte to the RIGHT from the end of User-Agent
* to the "Host:"
*/
memmove((PVOID)useragent_addr + useragent_len + 1,
(PVOID)useragent_addr + useragent_len,
useragent_len - 1);
/* Put space in the end of User-Agent header */
*(char*)((PVOID)useragent_addr + useragent_len) = ' ';
should_recalc_checksum = 1;
//printf("Replaced Host header!\n");
}
} /* if (host_len <= HOST_MAXLEN && useragent_addr) */
} /* if (find_header_and_get_info http_useragent) */
} /* else if (do_host_removespace) */
} /* if (find_header_and_get_info http_host) */
} /* Handle OUTBOUND packet with data */
} /* Handle TCP packet with data */
/* Else if we got TCP packet without data */
else if (WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
NULL, NULL, NULL, &ppTcpHdr, NULL, NULL, NULL)) {
/* If we got INBOUND SYN+ACK packet */
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND &&
ppTcpHdr->Syn == 1 && ppTcpHdr->Ack == 1) {
//printf("Changing Window Size!\n");
if (do_fragment_http && ppTcpHdr->SrcPort == htons(80)) {
change_window_size(packet, http_fragment_size);
should_recalc_checksum = 1;
}
else if (do_fragment_https && ppTcpHdr->SrcPort != htons(80)) {
change_window_size(packet, https_fragment_size);
should_recalc_checksum = 1;
}
}
}
/* Else if we got UDP packet with data */
else if (do_dns_redirect && WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
NULL, NULL, NULL, NULL, &ppUdpHdr, &packet_data, &packet_dataLen)) {
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND) {
if (dns_handle_incoming(ppIpHdr->DstAddr, ppUdpHdr->DstPort,
ppIpHdr->SrcAddr, ppUdpHdr->SrcPort,
packet_data, packet_dataLen,
&dns_conn_info))
{
/* Changing source IP and port to the values
* from DNS conntrack */
ppIpHdr->SrcAddr = dns_conn_info.dstip;
ppUdpHdr->DstPort = dns_conn_info.srcport;
ppUdpHdr->SrcPort = dns_conn_info.dstport;
should_recalc_checksum = 1;
}
else {
printf("[DNS] Error handling incoming packet!\n");
}
}
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND) {
if (dns_handle_outgoing(ppIpHdr->SrcAddr, ppUdpHdr->SrcPort,
ppIpHdr->DstAddr, ppUdpHdr->DstPort,
packet_data, packet_dataLen))
{
/* Changing destination IP and port to the values
* from configuration */
ppIpHdr->DstAddr = dns_addr;
ppUdpHdr->DstPort = dns_port;
should_recalc_checksum = 1;
}
else {
printf("[DNS] Error handling outgoing packet!\n");
}
}
}
if (should_reinject) {
//printf("Re-injecting!\n");
if (should_recalc_checksum) {
WinDivertHelperCalcChecksums(packet, packetLen, 0);
}
else {
WinDivertHelperCalcChecksums(packet, packetLen,
WINDIVERT_HELPER_NO_REPLACE);
}
WinDivertSend(w_filter, packet, packetLen, &addr, NULL);
}
}
else {
// error, ignore
printf("Error receiving packet!\n");
break;
}
}
}

55
src/Makefile Normal file
View File

@@ -0,0 +1,55 @@
ifndef MSYSTEM
CPREFIX = x86_64-w64-mingw32-
endif
WINDIVERTHEADERS = ../../../include
WINDIVERTLIBS = ../../binary
MINGWLIB = /usr/x86_64-w64-mingw32/lib/
TARGET = goodbyedpi.exe
# Linking SSP does not work for some reason, the executable doesn't start.
#LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32 -l:libssp.a
CC = $(CPREFIX)gcc
CCWINDRES = $(CPREFIX)windres
CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
-O2 -D_FORTIFY_SOURCE=2 -fstack-protector \
-Wall -Wextra -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 \
-Wformat-security -Wno-format-nonliteral -Wshadow -Wstrict-aliasing=1 \
-Wnull-dereference -Warray-bounds=2 -Wimplicit-fallthrough=3 \
-Wstringop-overflow=4 \
-Wformat-signedness -Wstrict-overflow=2 -Wcast-align=strict \
-Wfloat-equal -Wcast-align -Wsign-conversion \
#-fstack-protector-strong
LDFLAGS = -fstack-protector -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
-Wl,--image-base,0x140000000 -Wl,--disable-auto-image-base
ifdef BIT64
LDFLAGS += -Wl,--high-entropy-va -Wl,--pic-executable,-e,mainCRTStartup
else
CFLAGS += -m32
LDFLAGS += -Wl,--pic-executable,-e,_mainCRTStartup -m32
endif
.PHONY: default all clean
default: $(TARGET)
all: default
OBJECTS = $(patsubst %.c, %.o, $(wildcard *.c utils/*.c)) goodbyedpi-rc.o
HEADERS = $(wildcard *.h utils/*.h)
%.o: %.c $(HEADERS)
$(CC) $(CFLAGS) -c $< -o $@
goodbyedpi-rc.o:
$(CCWINDRES) goodbyedpi-rc.rc goodbyedpi-rc.o
.PRECIOUS: $(TARGET) $(OBJECTS)
$(TARGET): $(OBJECTS)
$(CC) $(OBJECTS) $(LDFLAGS) $(LIBS) -s -o $@
clean:
-rm -f *.o utils/*.o
-rm -f $(TARGET)

110
src/blackwhitelist.c Normal file
View File

@@ -0,0 +1,110 @@
/*
* Blacklist for GoodbyeDPI HTTP DPI circumvention tricks
*
* This is a simple domain hash table.
* Domain records are added from a text file, where every
* domain is separated with a new line.
*/
#include <windows.h>
#include <stdio.h>
#include "goodbyedpi.h"
#include "utils/uthash.h"
#include "utils/getline.h"
typedef struct blackwhitelist_record {
const char *host;
UT_hash_handle hh; /* makes this structure hashable */
} blackwhitelist_record_t;
static blackwhitelist_record_t *blackwhitelist = NULL;
static int check_get_hostname(const char *host) {
blackwhitelist_record_t *tmp_record = NULL;
if (!blackwhitelist) return FALSE;
HASH_FIND_STR(blackwhitelist, host, tmp_record);
if (tmp_record) {
debug("check_get_hostname found host\n");
return TRUE;
}
debug("check_get_hostname host not found\n");
return FALSE;
}
static int add_hostname(const char *host) {
if (!host)
return FALSE;
blackwhitelist_record_t *tmp_record = malloc(sizeof(blackwhitelist_record_t));
char *host_c = NULL;
if (!check_get_hostname(host)) {
host_c = strdup(host);
tmp_record->host = host_c;
HASH_ADD_KEYPTR(hh, blackwhitelist, tmp_record->host,
strlen(tmp_record->host), tmp_record);
debug("Added host %s\n", host_c);
return TRUE;
}
debug("Not added host %s\n", host);
free(tmp_record);
if (host_c)
free(host_c);
return FALSE;
}
int blackwhitelist_load_list(const char *filename) {
char *line = malloc(HOST_MAXLEN + 1);
size_t linelen = HOST_MAXLEN + 1;
int cnt = 0;
ssize_t read;
FILE *fp = fopen(filename, "r");
if (!fp) return FALSE;
while ((read = getline(&line, &linelen, fp)) != -1) {
/* works with both \n and \r\n */
line[strcspn(line, "\r\n")] = '\0';
if (strlen(line) > HOST_MAXLEN) {
printf("WARNING: host %s exceeds maximum host length and has not been added\n",
line);
continue;
}
if (strlen(line) < 3) {
printf("WARNING: host %s is less than 3 bytes, skipping\n", line);
continue;
}
if (add_hostname(line))
cnt++;
}
free(line);
if (!blackwhitelist) return FALSE;
printf("Loaded %d hosts from file %s\n", cnt, filename);
fclose(fp);
return TRUE;
}
int blackwhitelist_check_hostname(const char *host_addr, size_t host_len) {
char current_host[HOST_MAXLEN + 1];
char *tokenized_host = NULL;
if (host_len > HOST_MAXLEN) return FALSE;
if (host_addr && host_len) {
memcpy(current_host, host_addr, host_len);
current_host[host_len] = '\0';
}
if (check_get_hostname(current_host))
return TRUE;
tokenized_host = strchr(current_host, '.');
while (tokenized_host != NULL && tokenized_host < (current_host + HOST_MAXLEN)) {
/* Search hostname only if there is next token */
if (strchr(tokenized_host + 1, '.') && check_get_hostname(tokenized_host + 1))
return TRUE;
tokenized_host = strchr(tokenized_host + 1, '.');
}
debug("____blackwhitelist_check_hostname FALSE: host %s\n", current_host);
return FALSE;
}

2
src/blackwhitelist.h Normal file
View File

@@ -0,0 +1,2 @@
int blackwhitelist_load_list(const char *filename);
int blackwhitelist_check_hostname(const char *host_addr, size_t host_len);

136
dnsredir.c → src/dnsredir.c
View File

@@ -13,22 +13,15 @@
#include <windows.h> #include <windows.h>
#include <time.h> #include <time.h>
#include <stdio.h> #include <stdio.h>
#include "goodbyedpi.h"
#include "dnsredir.h" #include "dnsredir.h"
#include "uthash.h" #include "utils/uthash.h"
// IPv6 incompatible! /* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + srcport[2]) */
#define UDP_CONNRECORD_KEY_LEN 6 #define UDP_CONNRECORD_KEY_LEN 19
#define DNS_CLEANUP_INTERVAL_SEC 30 #define DNS_CLEANUP_INTERVAL_SEC 30
#ifndef debug
#define debug(...) do {} while (0)
#endif
#ifndef debug
#define debug(...) printf(...)
#endif
/* HACK! /* HACK!
* uthash uses strlen() for HASH_FIND_STR. * uthash uses strlen() for HASH_FIND_STR.
* We have null bytes in our key, so we can't use strlen() * We have null bytes in our key, so we can't use strlen()
@@ -39,10 +32,10 @@
#define uthash_strlen(s) UDP_CONNRECORD_KEY_LEN #define uthash_strlen(s) UDP_CONNRECORD_KEY_LEN
typedef struct udp_connrecord { typedef struct udp_connrecord {
/* key (srcip[4] + srcport[2]) */ /* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + srcport[2]) */
char key[UDP_CONNRECORD_KEY_LEN]; char key[UDP_CONNRECORD_KEY_LEN];
time_t time; /* time when this record was added */ time_t time; /* time when this record was added */
uint32_t dstip; uint32_t dstip[4];
uint16_t dstport; uint16_t dstport;
UT_hash_handle hh; /* makes this structure hashable */ UT_hash_handle hh; /* makes this structure hashable */
} udp_connrecord_t; } udp_connrecord_t;
@@ -51,7 +44,7 @@ static time_t last_cleanup = 0;
static udp_connrecord_t *conntrack = NULL; static udp_connrecord_t *conntrack = NULL;
void flush_dns_cache() { void flush_dns_cache() {
BOOL WINAPI (*DnsFlushResolverCache)(); INT_PTR WINAPI (*DnsFlushResolverCache)();
HMODULE dnsapi = LoadLibrary("dnsapi.dll"); HMODULE dnsapi = LoadLibrary("dnsapi.dll");
if (dnsapi == NULL) if (dnsapi == NULL)
@@ -60,32 +53,66 @@ void flush_dns_cache() {
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
DnsFlushResolverCache = (void*)GetProcAddress(dnsapi, "DnsFlushResolverCache"); DnsFlushResolverCache = GetProcAddress(dnsapi, "DnsFlushResolverCache");
if (DnsFlushResolverCache == NULL || !DnsFlushResolverCache()) if (DnsFlushResolverCache == NULL || !DnsFlushResolverCache())
printf("Can't flush DNS cache!"); printf("Can't flush DNS cache!");
FreeLibrary(dnsapi); FreeLibrary(dnsapi);
} }
inline static void construct_key(const uint32_t srcip, const uint16_t srcport, char *key) { inline static void fill_key_data(char *key, const uint8_t is_ipv6, const uint32_t srcip[4],
const uint16_t srcport)
{
if (is_ipv6) {
*(uint8_t*)(key) = '6';
ipv6_copy_addr((uint32_t*)(key + sizeof(uint8_t)), srcip);
}
else {
*(uint8_t*)(key) = '4';
ipv4_copy_addr((uint32_t*)(key + sizeof(uint8_t)), srcip);
}
*(uint16_t*)(key + sizeof(uint8_t) + sizeof(uint32_t) * 4) = srcport;
}
inline static void fill_data_from_key(uint8_t *is_ipv6, uint32_t srcip[4], uint16_t *srcport,
const char *key)
{
if (key[0] == '6') {
*is_ipv6 = 1;
ipv6_copy_addr(srcip, (uint32_t*)(key + sizeof(uint8_t)));
}
else {
*is_ipv6 = 0;
ipv4_copy_addr(srcip, (uint32_t*)(key + sizeof(uint8_t)));
}
*srcport = *(uint16_t*)(key + sizeof(uint8_t) + sizeof(uint32_t) * 4);
}
inline static void construct_key(const uint32_t srcip[4], const uint16_t srcport,
char *key, const uint8_t is_ipv6)
{
debug("Construct key enter\n"); debug("Construct key enter\n");
if (key) { if (key) {
debug("Constructing key\n"); debug("Constructing key\n");
fill_key_data(key, is_ipv6, srcip, srcport);
*(uint32_t*)(key) = srcip;
*(uint16_t*)(key + sizeof(srcip)) = srcport;
} }
debug("Construct key end\n"); debug("Construct key end\n");
} }
inline static void deconstruct_key(const char *key, udp_connrecord_t *connrecord, inline static void deconstruct_key(const char *key, const udp_connrecord_t *connrecord,
conntrack_info_t *conn_info) { conntrack_info_t *conn_info)
{
debug("Deconstruct key enter\n"); debug("Deconstruct key enter\n");
if (key && conn_info) { if (key && conn_info) {
debug("Deconstructing key\n"); debug("Deconstructing key\n");
fill_data_from_key(&conn_info->is_ipv6, conn_info->srcip,
&conn_info->srcport, key);
if (conn_info->is_ipv6)
ipv6_copy_addr(conn_info->dstip, connrecord->dstip);
else
ipv4_copy_addr(conn_info->dstip, connrecord->dstip);
conn_info->srcip = *(uint32_t*)(key);
conn_info->srcport = *(uint16_t*)(key + sizeof(conn_info->srcip));
conn_info->dstip = connrecord->dstip;
conn_info->dstport = connrecord->dstport; conn_info->dstport = connrecord->dstport;
} }
debug("Deconstruct key end\n"); debug("Deconstruct key end\n");
@@ -106,27 +133,37 @@ static int check_get_udp_conntrack_key(const char *key, udp_connrecord_t **connr
return FALSE; return FALSE;
} }
static int add_udp_conntrack(const uint32_t srcip, const uint16_t srcport, static int add_udp_conntrack(const uint32_t srcip[4], const uint16_t srcport,
const uint32_t dstip, const uint16_t dstport) { const uint32_t dstip[4], const uint16_t dstport,
udp_connrecord_t *tmp_connrecord = malloc(sizeof(udp_connrecord_t)); const uint8_t is_ipv6
)
{
if (!(srcip && srcport && dstip && dstport)) if (!(srcip && srcport && dstip && dstport))
return FALSE; return FALSE;
construct_key(srcip, srcport, tmp_connrecord->key); udp_connrecord_t *tmp_connrecord = malloc(sizeof(udp_connrecord_t));
construct_key(srcip, srcport, tmp_connrecord->key, is_ipv6);
if (!check_get_udp_conntrack_key(tmp_connrecord->key, NULL)) { if (!check_get_udp_conntrack_key(tmp_connrecord->key, NULL)) {
tmp_connrecord->time = time(NULL); tmp_connrecord->time = time(NULL);
tmp_connrecord->dstip = dstip;
if (is_ipv6) {
ipv6_copy_addr(tmp_connrecord->dstip, dstip);
}
else {
ipv4_copy_addr(tmp_connrecord->dstip, dstip);
}
tmp_connrecord->dstport = dstport; tmp_connrecord->dstport = dstport;
HASH_ADD_STR(conntrack, key, tmp_connrecord); HASH_ADD_STR(conntrack, key, tmp_connrecord);
debug("Added UDP conntrack\n"); debug("Added UDP conntrack\n");
return TRUE; return TRUE;
} }
debug("Not added UDP conntrack\n"); debug("Not added UDP conntrack\n");
free(tmp_connrecord);
return FALSE; return FALSE;
} }
void dns_cleanup() { static void dns_cleanup() {
udp_connrecord_t *tmp_connrecord, *tmp_connrecord2 = NULL; udp_connrecord_t *tmp_connrecord, *tmp_connrecord2 = NULL;
if (last_cleanup == 0) { if (last_cleanup == 0) {
@@ -146,30 +183,43 @@ void dns_cleanup() {
} }
} }
int dns_handle_outgoing(const uint32_t srcip, const uint16_t srcport, int dns_is_dns_packet(const char *packet_data, const UINT packet_dataLen, const int outgoing) {
const uint32_t dstip, const uint16_t dstport, if (packet_dataLen < 16) return FALSE;
const char *packet_data, const UINT packet_dataLen) {
if (outgoing && (ntohs(*(const uint16_t*)(packet_data + 2)) & 0xFA00) == 0 &&
(ntohs(*(const uint32_t*)(packet_data + 6))) == 0) {
return TRUE;
}
else if (!outgoing &&
(ntohs(*(const uint16_t*)(packet_data + 2)) & 0xF800) == 0x8000) {
return TRUE;
}
return FALSE;
}
int dns_handle_outgoing(const uint32_t srcip[4], const uint16_t srcport,
const uint32_t dstip[4], const uint16_t dstport,
const char *packet_data, const UINT packet_dataLen,
const uint8_t is_ipv6)
{
if (packet_dataLen < 16) if (packet_dataLen < 16)
return FALSE; return FALSE;
dns_cleanup(); dns_cleanup();
if ((ntohs(*(const uint16_t*)(packet_data + 2)) & 0xFA00) == 0 && if (dns_is_dns_packet(packet_data, packet_dataLen, 1)) {
(ntohs(*(const uint32_t*)(packet_data + 6))) == 0) {
/* Looks like DNS request */ /* Looks like DNS request */
debug("trying to add srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport)); debug("trying to add srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
return add_udp_conntrack(srcip, srcport, dstip, dstport); return add_udp_conntrack(srcip, srcport, dstip, dstport, is_ipv6);
} }
debug("____dns_handle_outgoing FALSE: srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport)); debug("____dns_handle_outgoing FALSE: srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
return FALSE; return FALSE;
} }
int dns_handle_incoming(const uint32_t srcip, const uint16_t srcport, int dns_handle_incoming(const uint32_t srcip[4], const uint16_t srcport,
const uint32_t dstip, const uint16_t dstport,
const char *packet_data, const UINT packet_dataLen, const char *packet_data, const UINT packet_dataLen,
conntrack_info_t *conn_info) { conntrack_info_t *conn_info, const uint8_t is_ipv6)
{
char key[UDP_CONNRECORD_KEY_LEN]; char key[UDP_CONNRECORD_KEY_LEN];
udp_connrecord_t *tmp_connrecord = NULL; udp_connrecord_t *tmp_connrecord = NULL;
@@ -178,9 +228,9 @@ int dns_handle_incoming(const uint32_t srcip, const uint16_t srcport,
dns_cleanup(); dns_cleanup();
if ((ntohs(*(const uint16_t*)(packet_data + 2)) & 0xF800) == 0x8000) { if (dns_is_dns_packet(packet_data, packet_dataLen, 0)) {
/* Looks like DNS response */ /* Looks like DNS response */
construct_key(srcip, srcport, key); construct_key(srcip, srcport, key, is_ipv6);
if (check_get_udp_conntrack_key(key, &tmp_connrecord) && tmp_connrecord) { if (check_get_udp_conntrack_key(key, &tmp_connrecord) && tmp_connrecord) {
/* Connection exists in conntrack, moving on */ /* Connection exists in conntrack, moving on */
deconstruct_key(key, tmp_connrecord, conn_info); deconstruct_key(key, tmp_connrecord, conn_info);
@@ -189,6 +239,6 @@ int dns_handle_incoming(const uint32_t srcip, const uint16_t srcport,
return TRUE; return TRUE;
} }
} }
debug("____dns_handle_incoming FALSE: srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport)); debug("____dns_handle_incoming FALSE: srcport = %hu\n", ntohs(srcport));
return FALSE; return FALSE;
} }

39
src/dnsredir.h Normal file
View File

@@ -0,0 +1,39 @@
#ifndef _DNSREDIR_H
#define _DNSREDIR_H
#include <stdint.h>
typedef struct conntrack_info {
uint8_t is_ipv6;
uint32_t srcip[4];
uint16_t srcport;
uint32_t dstip[4];
uint16_t dstport;
} conntrack_info_t;
inline static void ipv4_copy_addr(uint32_t dst[4], const uint32_t src[4]) {
dst[0] = src[0];
dst[1] = 0;
dst[2] = 0;
dst[3] = 0;
}
inline static void ipv6_copy_addr(uint32_t dst[4], const uint32_t src[4]) {
dst[0] = src[0];
dst[1] = src[1];
dst[2] = src[2];
dst[3] = src[3];
}
int dns_handle_incoming(const uint32_t srcip[4], const uint16_t srcport,
const char *packet_data, const UINT packet_dataLen,
conntrack_info_t *conn_info, const uint8_t is_ipv6);
int dns_handle_outgoing(const uint32_t srcip[4], const uint16_t srcport,
const uint32_t dstip[4], const uint16_t dstport,
const char *packet_data, const UINT packet_dataLen,
const uint8_t is_ipv6
);
void flush_dns_cache();
int dns_is_dns_packet(const char *packet_data, const UINT packet_dataLen, const int outgoing);
#endif

195
src/fakepackets.c Normal file
View File

@@ -0,0 +1,195 @@
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <unistd.h>
#include <in6addr.h>
#include <ws2tcpip.h>
#include "windivert.h"
#include "goodbyedpi.h"
static const unsigned char fake_http_request[] = "GET / HTTP/1.1\r\nHost: www.w3.org\r\n"
"User-Agent: curl/7.65.3\r\nAccept: */*\r\n"
"Accept-Encoding: deflate, gzip, br\r\n\r\n";
static const unsigned char fake_https_request[] = {
0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xfc, 0x03, 0x03, 0x9a, 0x8f, 0xa7, 0x6a, 0x5d,
0x57, 0xf3, 0x62, 0x19, 0xbe, 0x46, 0x82, 0x45, 0xe2, 0x59, 0x5c, 0xb4, 0x48, 0x31, 0x12, 0x15,
0x14, 0x79, 0x2c, 0xaa, 0xcd, 0xea, 0xda, 0xf0, 0xe1, 0xfd, 0xbb, 0x20, 0xf4, 0x83, 0x2a, 0x94,
0xf1, 0x48, 0x3b, 0x9d, 0xb6, 0x74, 0xba, 0x3c, 0x81, 0x63, 0xbc, 0x18, 0xcc, 0x14, 0x45, 0x57,
0x6c, 0x80, 0xf9, 0x25, 0xcf, 0x9c, 0x86, 0x60, 0x50, 0x31, 0x2e, 0xe9, 0x00, 0x22, 0x13, 0x01,
0x13, 0x03, 0x13, 0x02, 0xc0, 0x2b, 0xc0, 0x2f, 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x2c, 0xc0, 0x30,
0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f, 0x00, 0x35,
0x01, 0x00, 0x01, 0x91, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x0d, 0x00, 0x00, 0x0a, 0x77, 0x77, 0x77,
0x2e, 0x77, 0x33, 0x2e, 0x6f, 0x72, 0x67, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00,
0x00, 0x0a, 0x00, 0x0e, 0x00, 0x0c, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01, 0x00,
0x01, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10, 0x00, 0x0e,
0x00, 0x0c, 0x02, 0x68, 0x32, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x00, 0x05,
0x00, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00, 0x6b, 0x00, 0x69, 0x00, 0x1d, 0x00,
0x20, 0xb0, 0xe4, 0xda, 0x34, 0xb4, 0x29, 0x8d, 0xd3, 0x5c, 0x70, 0xd3, 0xbe, 0xe8, 0xa7, 0x2a,
0x6b, 0xe4, 0x11, 0x19, 0x8b, 0x18, 0x9d, 0x83, 0x9a, 0x49, 0x7c, 0x83, 0x7f, 0xa9, 0x03, 0x8c,
0x3c, 0x00, 0x17, 0x00, 0x41, 0x04, 0x4c, 0x04, 0xa4, 0x71, 0x4c, 0x49, 0x75, 0x55, 0xd1, 0x18,
0x1e, 0x22, 0x62, 0x19, 0x53, 0x00, 0xde, 0x74, 0x2f, 0xb3, 0xde, 0x13, 0x54, 0xe6, 0x78, 0x07,
0x94, 0x55, 0x0e, 0xb2, 0x6c, 0xb0, 0x03, 0xee, 0x79, 0xa9, 0x96, 0x1e, 0x0e, 0x98, 0x17, 0x78,
0x24, 0x44, 0x0c, 0x88, 0x80, 0x06, 0x8b, 0xd4, 0x80, 0xbf, 0x67, 0x7c, 0x37, 0x6a, 0x5b, 0x46,
0x4c, 0xa7, 0x98, 0x6f, 0xb9, 0x22, 0x00, 0x2b, 0x00, 0x09, 0x08, 0x03, 0x04, 0x03, 0x03, 0x03,
0x02, 0x03, 0x01, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08,
0x04, 0x08, 0x05, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x03, 0x02, 0x01, 0x00,
0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1c, 0x00, 0x02, 0x40, 0x01, 0x00, 0x15, 0x00, 0x96, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00
};
static int send_fake_data(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BOOL is_https,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
) {
char packet_fake[MAX_PACKET_SIZE];
WINDIVERT_ADDRESS addr_new;
PVOID packet_data;
UINT packet_dataLen;
UINT packetLen_new;
PWINDIVERT_IPHDR ppIpHdr;
PWINDIVERT_IPV6HDR ppIpV6Hdr;
PWINDIVERT_TCPHDR ppTcpHdr;
unsigned const char *fake_request_data = is_https ? fake_https_request : fake_http_request;
UINT fake_request_size = is_https ? sizeof(fake_https_request) : sizeof(fake_http_request) - 1;
memcpy(&addr_new, addr, sizeof(WINDIVERT_ADDRESS));
memcpy(packet_fake, pkt, packetLen);
addr_new.PseudoTCPChecksum = 0;
addr_new.PseudoIPChecksum = 0;
if (!is_ipv6) {
// IPv4 TCP Data packet
if (!WinDivertHelperParsePacket(packet_fake, packetLen, &ppIpHdr,
NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen))
return 1;
}
else {
// IPv6 TCP Data packet
if (!WinDivertHelperParsePacket(packet_fake, packetLen, NULL,
&ppIpV6Hdr, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen))
return 1;
}
if (packetLen + fake_request_size + 1 > MAX_PACKET_SIZE)
return 2;
memcpy(packet_data, fake_request_data, fake_request_size);
packetLen_new = packetLen - packet_dataLen + fake_request_size;
if (!is_ipv6) {
ppIpHdr->Length = htons(
ntohs(ppIpHdr->Length) -
packet_dataLen + fake_request_size
);
if (set_ttl)
ppIpHdr->TTL = set_ttl;
}
else {
ppIpV6Hdr->Length = htons(
ntohs(ppIpV6Hdr->Length) -
packet_dataLen + fake_request_size
);
if (set_ttl)
ppIpV6Hdr->HopLimit = set_ttl;
}
if (set_seq) {
// This is the smallest ACK drift Linux can't handle already, since at least v2.6.18.
// https://github.com/torvalds/linux/blob/v2.6.18/net/netfilter/nf_conntrack_proto_tcp.c#L395
ppTcpHdr->AckNum = htonl(ntohl(ppTcpHdr->AckNum) - 66000);
// This is just random, no specifics about this value.
ppTcpHdr->SeqNum = htonl(ntohl(ppTcpHdr->SeqNum) - 10000);
}
// Recalculate the checksum
WinDivertHelperCalcChecksums(packet_fake, packetLen_new, &addr_new, 0ULL);
if (set_checksum) {
// ...and damage it
ppTcpHdr->Checksum = htons(ntohs(ppTcpHdr->Checksum) - 1);
}
//printf("Pseudo checksum: %d\n", addr_new.PseudoTCPChecksum);
WinDivertSend(
w_filter, packet_fake,
packetLen_new,
&addr_new, NULL
);
debug("Fake packet: OK");
return 0;
}
static int send_fake_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BOOL is_https,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
) {
if (set_ttl) {
send_fake_data(w_filter, addr, pkt, packetLen,
is_ipv6, is_https,
set_ttl, FALSE, FALSE);
}
if (set_checksum) {
send_fake_data(w_filter, addr, pkt, packetLen,
is_ipv6, is_https,
FALSE, set_checksum, FALSE);
}
if (set_seq) {
send_fake_data(w_filter, addr, pkt, packetLen,
is_ipv6, is_https,
FALSE, FALSE, set_seq);
}
return 0;
}
int send_fake_http_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
) {
return send_fake_request(w_filter, addr, pkt, packetLen,
is_ipv6, FALSE,
set_ttl, set_checksum, set_seq);
}
int send_fake_https_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
) {
return send_fake_request(w_filter, addr, pkt, packetLen,
is_ipv6, TRUE,
set_ttl, set_checksum, set_seq);
}

18
src/fakepackets.h Normal file
View File

@@ -0,0 +1,18 @@
int send_fake_http_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
);
int send_fake_https_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
);

0
goodbyedpi-rc.rc → src/goodbyedpi-rc.rc
View File

1423
src/goodbyedpi.c Normal file
View File

File diff suppressed because it is too large Load Diff

2
goodbyedpi.exe.manifest → src/goodbyedpi.exe.manifest
View File

@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="GoodbyeDPI" type="win32"/> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="GoodbyeDPI" type="win32"/>
<description>Divert</description> <description>GoodbyeDPI</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security> <security>
<requestedPrivileges> <requestedPrivileges>

11
src/goodbyedpi.h Normal file
View File

@@ -0,0 +1,11 @@
#define HOST_MAXLEN 253
#define MAX_PACKET_SIZE 9016
#ifndef DEBUG
#define debug(...) do {} while (0)
#else
#define debug(...) printf(__VA_ARGS__)
#endif
int main(int argc, char *argv[]);
void deinit_all();

0
icon.ico → src/icon.ico
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 12 KiB

After

Width:  |  Height:  |  Size: 12 KiB

96
src/service.c Normal file
View File

@@ -0,0 +1,96 @@
#include <windows.h>
#include <stdio.h>
#include "goodbyedpi.h"
#include "service.h"
#define SERVICE_NAME "GoodbyeDPI"
static SERVICE_STATUS ServiceStatus;
static SERVICE_STATUS_HANDLE hStatus;
static int service_argc = 0;
static char **service_argv = NULL;
int service_register(int argc, char *argv[])
{
int i, ret;
SERVICE_TABLE_ENTRY ServiceTable[] = {
{SERVICE_NAME, (LPSERVICE_MAIN_FUNCTION)service_main},
{NULL, NULL}
};
/*
* Save argc & argv as service_main is called with different
* arguments, which are passed from "start" command, not
* from the program command line.
* We don't need this behaviour.
*
* Note that if StartServiceCtrlDispatcher() succeedes
* it does not return until the service is stopped,
* so we should copy all arguments first and then
* handle the failure.
*/
if (!service_argc && !service_argv) {
service_argc = argc;
service_argv = malloc(sizeof(void*) * (size_t)argc);
for (i = 0; i < argc; i++) {
service_argv[i] = strdup(argv[i]);
}
}
ret = StartServiceCtrlDispatcher(ServiceTable);
if (service_argc && service_argv) {
for (i = 0; i < service_argc; i++) {
free(service_argv[i]);
}
free(service_argv);
}
return ret;
}
void service_main(int argc __attribute__((unused)),
char *argv[] __attribute__((unused)))
{
ServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwServiceSpecificExitCode = 0;
ServiceStatus.dwCheckPoint = 1;
ServiceStatus.dwWaitHint = 0;
hStatus = RegisterServiceCtrlHandler(
SERVICE_NAME,
(LPHANDLER_FUNCTION)service_controlhandler);
if (hStatus == (SERVICE_STATUS_HANDLE)0)
{
// Registering Control Handler failed
return;
}
SetServiceStatus(hStatus, &ServiceStatus);
// Calling main with saved argc & argv
ServiceStatus.dwWin32ExitCode = (DWORD)main(service_argc, service_argv);
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus(hStatus, &ServiceStatus);
return;
}
// Control handler function
void service_controlhandler(DWORD request)
{
switch(request)
{
case SERVICE_CONTROL_STOP:
case SERVICE_CONTROL_SHUTDOWN:
deinit_all();
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
default:
break;
}
// Report current status
SetServiceStatus(hStatus, &ServiceStatus);
return;
}

3
src/service.h Normal file
View File

@@ -0,0 +1,3 @@
int service_register();
void service_main(int argc, char *argv[]);
void service_controlhandler(DWORD request);

252
src/ttltrack.c Normal file
View File

@@ -0,0 +1,252 @@
/**
* TCP (TTL) Connection Tracker for GoodbyeDPI
*
* Monitors SYN/ACK only, to extract the TTL value of the remote server.
*
*/
#include <windows.h>
#include <time.h>
#include <stdio.h>
#include <math.h>
#include "goodbyedpi.h"
#include "ttltrack.h"
#include "utils/uthash.h"
/* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + dstip[16] + srcport[2] + dstport[2]) */
#define TCP_CONNRECORD_KEY_LEN 37
#define TCP_CLEANUP_INTERVAL_SEC 30
/* HACK!
* uthash uses strlen() for HASH_FIND_STR.
* We have null bytes in our key, so we can't use strlen()
* And since it's always TCP_CONNRECORD_KEY_LEN bytes long,
* we don't need to use any string function to determine length.
*/
#undef uthash_strlen
#define uthash_strlen(s) TCP_CONNRECORD_KEY_LEN
typedef struct tcp_connrecord {
/* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + dstip[16] + srcport[2] + dstport[2]) */
char key[TCP_CONNRECORD_KEY_LEN];
time_t time; /* time when this record was added */
uint16_t ttl;
UT_hash_handle hh; /* makes this structure hashable */
} tcp_connrecord_t;
static time_t last_cleanup = 0;
static tcp_connrecord_t *conntrack = NULL;
inline static void fill_key_data(char *key, const uint8_t is_ipv6, const uint32_t srcip[4],
const uint32_t dstip[4], const uint16_t srcport, const uint16_t dstport)
{
unsigned int offset = 0;
if (is_ipv6) {
*(uint8_t*)(key) = '6';
offset += sizeof(uint8_t);
ipv6_copy_addr((uint32_t*)(key + offset), srcip);
offset += sizeof(uint32_t) * 4;
ipv6_copy_addr((uint32_t*)(key + offset), dstip);
offset += sizeof(uint32_t) * 4;
}
else {
*(uint8_t*)(key) = '4';
offset += sizeof(uint8_t);
ipv4_copy_addr((uint32_t*)(key + offset), srcip);
offset += sizeof(uint32_t) * 4;
ipv4_copy_addr((uint32_t*)(key + offset), dstip);
offset += sizeof(uint32_t) * 4;
}
*(uint16_t*)(key + offset) = srcport;
offset += sizeof(srcport);
*(uint16_t*)(key + offset) = dstport;
offset += sizeof(dstport);
}
inline static void fill_data_from_key(uint8_t *is_ipv6, uint32_t srcip[4], uint32_t dstip[4],
uint16_t *srcport, uint16_t *dstport, const char *key)
{
unsigned int offset = 0;
if (key[0] == '6') {
*is_ipv6 = 1;
offset += sizeof(uint8_t);
ipv6_copy_addr(srcip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
ipv6_copy_addr(dstip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
}
else {
*is_ipv6 = 0;
offset += sizeof(uint8_t);
ipv4_copy_addr(srcip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
ipv4_copy_addr(dstip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
}
*srcport = *(uint16_t*)(key + offset);
offset += sizeof(*srcport);
*dstport = *(uint16_t*)(key + offset);
offset += sizeof(*dstport);
}
inline static void construct_key(const uint32_t srcip[4], const uint32_t dstip[4],
const uint16_t srcport, const uint16_t dstport,
char *key, const uint8_t is_ipv6)
{
debug("Construct key enter\n");
if (key) {
debug("Constructing key\n");
fill_key_data(key, is_ipv6, srcip, dstip, srcport, dstport);
}
debug("Construct key end\n");
}
inline static void deconstruct_key(const char *key, const tcp_connrecord_t *connrecord,
tcp_conntrack_info_t *conn_info)
{
debug("Deconstruct key enter\n");
if (key && conn_info) {
debug("Deconstructing key\n");
fill_data_from_key(&conn_info->is_ipv6,
conn_info->srcip, conn_info->dstip,
&conn_info->srcport, &conn_info->dstport,
key);
conn_info->ttl = connrecord->ttl;
}
debug("Deconstruct key end\n");
}
static int check_get_tcp_conntrack_key(const char *key, tcp_connrecord_t **connrecord) {
tcp_connrecord_t *tmp_connrecord = NULL;
if (!conntrack) return FALSE;
HASH_FIND_STR(conntrack, key, tmp_connrecord);
if (tmp_connrecord) {
if (connrecord)
*connrecord = tmp_connrecord;
debug("check_get_tcp_conntrack_key found key\n");
return TRUE;
}
debug("check_get_tcp_conntrack_key key not found\n");
return FALSE;
}
static int add_tcp_conntrack(const uint32_t srcip[4], const uint32_t dstip[4],
const uint16_t srcport, const uint16_t dstport,
const uint8_t is_ipv6, const uint8_t ttl
)
{
if (!(srcip && srcport && dstip && dstport))
return FALSE;
tcp_connrecord_t *tmp_connrecord = malloc(sizeof(tcp_connrecord_t));
construct_key(srcip, dstip, srcport, dstport, tmp_connrecord->key, is_ipv6);
if (!check_get_tcp_conntrack_key(tmp_connrecord->key, NULL)) {
tmp_connrecord->time = time(NULL);
tmp_connrecord->ttl = ttl;
HASH_ADD_STR(conntrack, key, tmp_connrecord);
debug("Added TCP conntrack %u:%hu - %u:%hu\n", srcip[0], ntohs(srcport), dstip[0], ntohs(dstport));
return TRUE;
}
debug("Not added TCP conntrack %u:%hu - %u:%hu\n", srcip[0], ntohs(srcport), dstip[0], ntohs(dstport));
free(tmp_connrecord);
return FALSE;
}
static void tcp_cleanup() {
tcp_connrecord_t *tmp_connrecord, *tmp_connrecord2 = NULL;
if (last_cleanup == 0) {
last_cleanup = time(NULL);
return;
}
if (difftime(time(NULL), last_cleanup) >= TCP_CLEANUP_INTERVAL_SEC) {
last_cleanup = time(NULL);
HASH_ITER(hh, conntrack, tmp_connrecord, tmp_connrecord2) {
if (difftime(last_cleanup, tmp_connrecord->time) >= TCP_CLEANUP_INTERVAL_SEC) {
HASH_DEL(conntrack, tmp_connrecord);
free(tmp_connrecord);
}
}
}
}
int tcp_handle_incoming(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
uint8_t is_ipv6, uint8_t ttl)
{
tcp_cleanup();
debug("trying to add TCP srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
return add_tcp_conntrack(srcip, dstip, srcport, dstport, is_ipv6, ttl);
debug("____tcp_handle_incoming FALSE: srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
return FALSE;
}
int tcp_handle_outgoing(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
tcp_conntrack_info_t *conn_info,
uint8_t is_ipv6)
{
char key[TCP_CONNRECORD_KEY_LEN];
tcp_connrecord_t *tmp_connrecord = NULL;
if (!conn_info)
return FALSE;
tcp_cleanup();
construct_key(dstip, srcip, dstport, srcport, key, is_ipv6);
if (check_get_tcp_conntrack_key(key, &tmp_connrecord) && tmp_connrecord) {
/* Connection exists in conntrack, moving on */
deconstruct_key(key, tmp_connrecord, conn_info);
HASH_DEL(conntrack, tmp_connrecord);
free(tmp_connrecord);
debug("____tcp_handle_outgoing TRUE: srcport = %hu\n", ntohs(srcport));
return TRUE;
}
debug("____tcp_handle_outgoing FALSE: srcport = %hu\n", ntohs(srcport));
return FALSE;
}
int tcp_get_auto_ttl(const uint8_t ttl, const uint8_t autottl1,
const uint8_t autottl2, const uint8_t minhops,
const uint8_t maxttl) {
uint8_t nhops = 0;
uint8_t ttl_of_fake_packet = 0;
if (ttl > 98 && ttl < 128) {
nhops = 128 - ttl;
}
else if (ttl > 34 && ttl < 64) {
nhops = 64 - ttl;
}
else {
return 0;
}
if (nhops <= autottl1 || nhops < minhops) {
return 0;
}
ttl_of_fake_packet = nhops - autottl2;
if (ttl_of_fake_packet < autottl2 && nhops <= 9) {
ttl_of_fake_packet = nhops - autottl1 - trunc((autottl2 - autottl1) * ((float)nhops/10));
}
if (maxttl && ttl_of_fake_packet > maxttl) {
ttl_of_fake_packet = maxttl;
}
return ttl_of_fake_packet;
}

27
src/ttltrack.h Normal file
View File

@@ -0,0 +1,27 @@
#ifndef _TTLTRACK_H
#define _TTLTRACK_H
#include <stdint.h>
#include "dnsredir.h"
typedef struct tcp_conntrack_info {
uint8_t is_ipv6;
uint8_t ttl;
uint32_t srcip[4];
uint16_t srcport;
uint32_t dstip[4];
uint16_t dstport;
} tcp_conntrack_info_t;
int tcp_handle_incoming(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
uint8_t is_ipv6, uint8_t ttl);
int tcp_handle_outgoing(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
tcp_conntrack_info_t *conn_info,
uint8_t is_ipv6);
int tcp_get_auto_ttl(const uint8_t ttl, const uint8_t autottl1,
const uint8_t autottl2, const uint8_t minhops,
const uint8_t maxttl);
#endif

92
src/utils/getline.c Normal file
View File

@@ -0,0 +1,92 @@
/* $NetBSD: getdelim.c,v 1.2 2015/12/25 20:12:46 joerg Exp $ */
/* NetBSD-src: getline.c,v 1.2 2014/09/16 17:23:50 christos Exp */
/*-
* Copyright (c) 2011 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Christos Zoulas.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <stdio.h>
#include <stdlib.h>
#include "getline.h"
#if !HAVE_GETDELIM
ssize_t
getdelim(char **buf, size_t *bufsiz, int delimiter, FILE *fp)
{
char *ptr, *eptr;
if (*buf == NULL || *bufsiz == 0) {
*bufsiz = BUFSIZ;
if ((*buf = malloc(*bufsiz)) == NULL)
return -1;
}
for (ptr = *buf, eptr = *buf + *bufsiz;;) {
int c = fgetc(fp);
if (c == -1) {
if (feof(fp)) {
ssize_t diff = (ssize_t)(ptr - *buf);
if (diff != 0) {
*ptr = '\0';
return diff;
}
}
return -1;
}
*ptr++ = c;
if (c == delimiter) {
*ptr = '\0';
return ptr - *buf;
}
if (ptr + 2 >= eptr) {
char *nbuf;
size_t nbufsiz = *bufsiz * 2;
ssize_t d = ptr - *buf;
if ((nbuf = realloc(*buf, nbufsiz)) == NULL)
return -1;
*buf = nbuf;
*bufsiz = nbufsiz;
eptr = nbuf + nbufsiz;
ptr = nbuf + d;
}
}
}
#endif
#if !HAVE_GETLINE
ssize_t
getline(char **buf, size_t *bufsiz, FILE *fp)
{
return getdelim(buf, bufsiz, '\n', fp);
}
#endif

7
src/utils/getline.h Normal file
View File

@@ -0,0 +1,7 @@
#if !HAVE_GETDELIM
ssize_t getdelim(char **, size_t *, int, FILE *);
#endif
#if !HAVE_GETLINE
ssize_t getline(char **, size_t *, FILE *);
#endif

90
src/utils/repl_str.c Normal file
View File

@@ -0,0 +1,90 @@
#include <string.h>
#include <stdlib.h>
#include <stddef.h>
#if (__STDC_VERSION__ >= 199901L)
#include <stdint.h>
#endif
char *repl_str(const char *str, const char *from, const char *to) {
/* Adjust each of the below values to suit your needs. */
/* Increment positions cache size initially by this number. */
size_t cache_sz_inc = 16;
/* Thereafter, each time capacity needs to be increased,
* multiply the increment by this factor. */
const size_t cache_sz_inc_factor = 3;
/* But never increment capacity by more than this number. */
const size_t cache_sz_inc_max = 1048576;
char *pret, *ret = NULL;
const char *pstr2, *pstr = str;
size_t i, count = 0;
#if (__STDC_VERSION__ >= 199901L)
uintptr_t *pos_cache_tmp, *pos_cache = NULL;
#else
ptrdiff_t *pos_cache_tmp, *pos_cache = NULL;
#endif
size_t cache_sz = 0;
size_t cpylen, orglen, retlen, tolen, fromlen = strlen(from);
/* Find all matches and cache their positions. */
while ((pstr2 = strstr(pstr, from)) != NULL) {
count++;
/* Increase the cache size when necessary. */
if (cache_sz < count) {
cache_sz += cache_sz_inc;
pos_cache_tmp = realloc(pos_cache, sizeof(*pos_cache) * cache_sz);
if (pos_cache_tmp == NULL) {
goto end_repl_str;
} else pos_cache = pos_cache_tmp;
cache_sz_inc *= cache_sz_inc_factor;
if (cache_sz_inc > cache_sz_inc_max) {
cache_sz_inc = cache_sz_inc_max;
}
}
pos_cache[count-1] = (uintptr_t)(pstr2 - str);
pstr = pstr2 + fromlen;
}
orglen = (size_t)(pstr - str) + strlen(pstr);
/* Allocate memory for the post-replacement string. */
if (count > 0) {
tolen = strlen(to);
retlen = orglen + (tolen - fromlen) * count;
} else retlen = orglen;
ret = malloc(retlen + 1);
if (ret == NULL) {
goto end_repl_str;
}
if (count == 0) {
/* If no matches, then just duplicate the string. */
strcpy(ret, str);
} else {
/* Otherwise, duplicate the string whilst performing
* the replacements using the position cache. */
pret = ret;
memcpy(pret, str, pos_cache[0]);
pret += pos_cache[0];
for (i = 0; i < count; i++) {
memcpy(pret, to, tolen);
pret += tolen;
pstr = str + pos_cache[i] + fromlen;
cpylen = (i == count-1 ? orglen : pos_cache[i+1]) - pos_cache[i] - fromlen;
memcpy(pret, pstr, cpylen);
pret += cpylen;
}
ret[retlen] = '\0';
}
end_repl_str:
/* Free the cache and return the post-replacement string,
* which will be NULL in the event of an error. */
free(pos_cache);
return ret;
}

1
src/utils/repl_str.h Normal file
View File

@@ -0,0 +1 @@
char *repl_str(const char *str, const char *from, const char *to);

182
uthash.h → src/utils/uthash.h
View File

@@ -1,5 +1,5 @@
/* /*
Copyright (c) 2003-2017, Troy D. Hanson http://troydhanson.github.com/uthash/ Copyright (c) 2003-2021, Troy D. Hanson http://troydhanson.github.io/uthash/
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without
@@ -24,12 +24,22 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#ifndef UTHASH_H #ifndef UTHASH_H
#define UTHASH_H #define UTHASH_H
#define UTHASH_VERSION 2.0.2 #define UTHASH_VERSION 2.3.0
#include <string.h> /* memcmp, memset, strlen */ #include <string.h> /* memcmp, memset, strlen */
#include <stddef.h> /* ptrdiff_t */ #include <stddef.h> /* ptrdiff_t */
#include <stdlib.h> /* exit */ #include <stdlib.h> /* exit */
#if defined(HASH_DEFINE_OWN_STDINT) && HASH_DEFINE_OWN_STDINT
/* This codepath is provided for backward compatibility, but I plan to remove it. */
#warning "HASH_DEFINE_OWN_STDINT is deprecated; please use HASH_NO_STDINT instead"
typedef unsigned int uint32_t;
typedef unsigned char uint8_t;
#elif defined(HASH_NO_STDINT) && HASH_NO_STDINT
#else
#include <stdint.h> /* uint8_t, uint32_t */
#endif
/* These macros use decltype or the earlier __typeof GNU extension. /* These macros use decltype or the earlier __typeof GNU extension.
As decltype is only available in newer compilers (VS2010 or gcc 4.3+ As decltype is only available in newer compilers (VS2010 or gcc 4.3+
when compiling c++ source) this code uses whatever method is needed when compiling c++ source) this code uses whatever method is needed
@@ -62,23 +72,6 @@ do {
} while (0) } while (0)
#endif #endif
/* a number of the hash function use uint32_t which isn't defined on Pre VS2010 */
#if defined(_WIN32)
#if defined(_MSC_VER) && _MSC_VER >= 1600
#include <stdint.h>
#elif defined(__WATCOMC__) || defined(__MINGW32__) || defined(__CYGWIN__)
#include <stdint.h>
#else
typedef unsigned int uint32_t;
typedef unsigned char uint8_t;
#endif
#elif defined(__GNUC__) && !defined(__VXWORKS__)
#include <stdint.h>
#else
typedef unsigned int uint32_t;
typedef unsigned char uint8_t;
#endif
#ifndef uthash_malloc #ifndef uthash_malloc
#define uthash_malloc(sz) malloc(sz) /* malloc fcn */ #define uthash_malloc(sz) malloc(sz) /* malloc fcn */
#endif #endif
@@ -88,13 +81,18 @@ typedef unsigned char uint8_t;
#ifndef uthash_bzero #ifndef uthash_bzero
#define uthash_bzero(a,n) memset(a,'\0',n) #define uthash_bzero(a,n) memset(a,'\0',n)
#endif #endif
#ifndef uthash_memcmp
#define uthash_memcmp(a,b,n) memcmp(a,b,n)
#endif
#ifndef uthash_strlen #ifndef uthash_strlen
#define uthash_strlen(s) strlen(s) #define uthash_strlen(s) strlen(s)
#endif #endif
#ifndef HASH_FUNCTION
#define HASH_FUNCTION(keyptr,keylen,hashv) HASH_JEN(keyptr, keylen, hashv)
#endif
#ifndef HASH_KEYCMP
#define HASH_KEYCMP(a,b,n) memcmp(a,b,n)
#endif
#ifndef uthash_noexpand_fyi #ifndef uthash_noexpand_fyi
#define uthash_noexpand_fyi(tbl) /* can be defined to log noexpand */ #define uthash_noexpand_fyi(tbl) /* can be defined to log noexpand */
#endif #endif
@@ -136,7 +134,7 @@ typedef unsigned char uint8_t;
/* calculate the element whose hash handle address is hhp */ /* calculate the element whose hash handle address is hhp */
#define ELMT_FROM_HH(tbl,hhp) ((void*)(((char*)(hhp)) - ((tbl)->hho))) #define ELMT_FROM_HH(tbl,hhp) ((void*)(((char*)(hhp)) - ((tbl)->hho)))
/* calculate the hash handle from element address elp */ /* calculate the hash handle from element address elp */
#define HH_FROM_ELMT(tbl,elp) ((UT_hash_handle *)(((char*)(elp)) + ((tbl)->hho))) #define HH_FROM_ELMT(tbl,elp) ((UT_hash_handle*)(void*)(((char*)(elp)) + ((tbl)->hho)))
#define HASH_ROLLBACK_BKT(hh, head, itemptrhh) \ #define HASH_ROLLBACK_BKT(hh, head, itemptrhh) \
do { \ do { \
@@ -150,7 +148,7 @@ do {
#define HASH_VALUE(keyptr,keylen,hashv) \ #define HASH_VALUE(keyptr,keylen,hashv) \
do { \ do { \
HASH_FCN(keyptr, keylen, hashv); \ HASH_FUNCTION(keyptr, keylen, hashv); \
} while (0) } while (0)
#define HASH_FIND_BYHASHVALUE(hh,head,keyptr,keylen,hashval,out) \ #define HASH_FIND_BYHASHVALUE(hh,head,keyptr,keylen,hashval,out) \
@@ -167,9 +165,12 @@ do {
#define HASH_FIND(hh,head,keyptr,keylen,out) \ #define HASH_FIND(hh,head,keyptr,keylen,out) \
do { \ do { \
unsigned _hf_hashv; \ (out) = NULL; \
HASH_VALUE(keyptr, keylen, _hf_hashv); \ if (head) { \
HASH_FIND_BYHASHVALUE(hh, head, keyptr, keylen, _hf_hashv, out); \ unsigned _hf_hashv; \
HASH_VALUE(keyptr, keylen, _hf_hashv); \
HASH_FIND_BYHASHVALUE(hh, head, keyptr, keylen, _hf_hashv, out); \
} \
} while (0) } while (0)
#ifdef HASH_BLOOM #ifdef HASH_BLOOM
@@ -397,7 +398,7 @@ do {
do { \ do { \
IF_HASH_NONFATAL_OOM( int _ha_oomed = 0; ) \ IF_HASH_NONFATAL_OOM( int _ha_oomed = 0; ) \
(add)->hh.hashv = (hashval); \ (add)->hh.hashv = (hashval); \
(add)->hh.key = (char*) (keyptr); \ (add)->hh.key = (const void*) (keyptr); \
(add)->hh.keylen = (unsigned) (keylen_in); \ (add)->hh.keylen = (unsigned) (keylen_in); \
if (!(head)) { \ if (!(head)) { \
(add)->hh.next = NULL; \ (add)->hh.next = NULL; \
@@ -478,11 +479,20 @@ do {
/* convenience forms of HASH_FIND/HASH_ADD/HASH_DEL */ /* convenience forms of HASH_FIND/HASH_ADD/HASH_DEL */
#define HASH_FIND_STR(head,findstr,out) \ #define HASH_FIND_STR(head,findstr,out) \
HASH_FIND(hh,head,findstr,(unsigned)uthash_strlen(findstr),out) do { \
unsigned _uthash_hfstr_keylen = (unsigned)uthash_strlen(findstr); \
HASH_FIND(hh, head, findstr, _uthash_hfstr_keylen, out); \
} while (0)
#define HASH_ADD_STR(head,strfield,add) \ #define HASH_ADD_STR(head,strfield,add) \
HASH_ADD(hh,head,strfield[0],(unsigned)uthash_strlen(add->strfield),add) do { \
unsigned _uthash_hastr_keylen = (unsigned)uthash_strlen((add)->strfield); \
HASH_ADD(hh, head, strfield[0], _uthash_hastr_keylen, add); \
} while (0)
#define HASH_REPLACE_STR(head,strfield,add,replaced) \ #define HASH_REPLACE_STR(head,strfield,add,replaced) \
HASH_REPLACE(hh,head,strfield[0],(unsigned)uthash_strlen(add->strfield),add,replaced) do { \
unsigned _uthash_hrstr_keylen = (unsigned)uthash_strlen((add)->strfield); \
HASH_REPLACE(hh, head, strfield[0], _uthash_hrstr_keylen, add, replaced); \
} while (0)
#define HASH_FIND_INT(head,findint,out) \ #define HASH_FIND_INT(head,findint,out) \
HASH_FIND(hh,head,findint,sizeof(int),out) HASH_FIND(hh,head,findint,sizeof(int),out)
#define HASH_ADD_INT(head,intfield,add) \ #define HASH_ADD_INT(head,intfield,add) \
@@ -502,7 +512,8 @@ do {
* This is for uthash developer only; it compiles away if HASH_DEBUG isn't defined. * This is for uthash developer only; it compiles away if HASH_DEBUG isn't defined.
*/ */
#ifdef HASH_DEBUG #ifdef HASH_DEBUG
#define HASH_OOPS(...) do { fprintf(stderr,__VA_ARGS__); exit(-1); } while (0) #include <stdio.h> /* fprintf, stderr */
#define HASH_OOPS(...) do { fprintf(stderr, __VA_ARGS__); exit(-1); } while (0)
#define HASH_FSCK(hh,head,where) \ #define HASH_FSCK(hh,head,where) \
do { \ do { \
struct UT_hash_handle *_thh; \ struct UT_hash_handle *_thh; \
@@ -569,13 +580,6 @@ do {
#define HASH_EMIT_KEY(hh,head,keyptr,fieldlen) #define HASH_EMIT_KEY(hh,head,keyptr,fieldlen)
#endif #endif
/* default to Jenkin's hash unless overridden e.g. DHASH_FUNCTION=HASH_SAX */
#ifdef HASH_FUNCTION
#define HASH_FCN HASH_FUNCTION
#else
#define HASH_FCN HASH_JEN
#endif
/* The Bernstein hash function, used in Perl prior to v5.6. Note (x<<5+x)=x*33. */ /* The Bernstein hash function, used in Perl prior to v5.6. Note (x<<5+x)=x*33. */
#define HASH_BER(key,keylen,hashv) \ #define HASH_BER(key,keylen,hashv) \
do { \ do { \
@@ -674,7 +678,8 @@ do {
case 4: _hj_i += ( (unsigned)_hj_key[3] << 24 ); /* FALLTHROUGH */ \ case 4: _hj_i += ( (unsigned)_hj_key[3] << 24 ); /* FALLTHROUGH */ \
case 3: _hj_i += ( (unsigned)_hj_key[2] << 16 ); /* FALLTHROUGH */ \ case 3: _hj_i += ( (unsigned)_hj_key[2] << 16 ); /* FALLTHROUGH */ \
case 2: _hj_i += ( (unsigned)_hj_key[1] << 8 ); /* FALLTHROUGH */ \ case 2: _hj_i += ( (unsigned)_hj_key[1] << 8 ); /* FALLTHROUGH */ \
case 1: _hj_i += _hj_key[0]; \ case 1: _hj_i += _hj_key[0]; /* FALLTHROUGH */ \
default: ; \
} \ } \
HASH_JEN_MIX(_hj_i, _hj_j, hashv); \ HASH_JEN_MIX(_hj_i, _hj_j, hashv); \
} while (0) } while (0)
@@ -722,6 +727,8 @@ do {
case 1: hashv += *_sfh_key; \ case 1: hashv += *_sfh_key; \
hashv ^= hashv << 10; \ hashv ^= hashv << 10; \
hashv += hashv >> 1; \ hashv += hashv >> 1; \
break; \
default: ; \
} \ } \
\ \
/* Force "avalanching" of final 127 bits */ \ /* Force "avalanching" of final 127 bits */ \
@@ -733,87 +740,6 @@ do {
hashv += hashv >> 6; \ hashv += hashv >> 6; \
} while (0) } while (0)
#ifdef HASH_USING_NO_STRICT_ALIASING
/* The MurmurHash exploits some CPU's (x86,x86_64) tolerance for unaligned reads.
* For other types of CPU's (e.g. Sparc) an unaligned read causes a bus error.
* MurmurHash uses the faster approach only on CPU's where we know it's safe.
*
* Note the preprocessor built-in defines can be emitted using:
*
* gcc -m64 -dM -E - < /dev/null (on gcc)
* cc -## a.c (where a.c is a simple test file) (Sun Studio)
*/
#if (defined(__i386__) || defined(__x86_64__) || defined(_M_IX86))
#define MUR_GETBLOCK(p,i) p[i]
#else /* non intel */
#define MUR_PLUS0_ALIGNED(p) (((unsigned long)p & 3UL) == 0UL)
#define MUR_PLUS1_ALIGNED(p) (((unsigned long)p & 3UL) == 1UL)
#define MUR_PLUS2_ALIGNED(p) (((unsigned long)p & 3UL) == 2UL)
#define MUR_PLUS3_ALIGNED(p) (((unsigned long)p & 3UL) == 3UL)
#define WP(p) ((uint32_t*)((unsigned long)(p) & ~3UL))
#if (defined(__BIG_ENDIAN__) || defined(SPARC) || defined(__ppc__) || defined(__ppc64__))
#define MUR_THREE_ONE(p) ((((*WP(p))&0x00ffffff) << 8) | (((*(WP(p)+1))&0xff000000) >> 24))
#define MUR_TWO_TWO(p) ((((*WP(p))&0x0000ffff) <<16) | (((*(WP(p)+1))&0xffff0000) >> 16))
#define MUR_ONE_THREE(p) ((((*WP(p))&0x000000ff) <<24) | (((*(WP(p)+1))&0xffffff00) >> 8))
#else /* assume little endian non-intel */
#define MUR_THREE_ONE(p) ((((*WP(p))&0xffffff00) >> 8) | (((*(WP(p)+1))&0x000000ff) << 24))
#define MUR_TWO_TWO(p) ((((*WP(p))&0xffff0000) >>16) | (((*(WP(p)+1))&0x0000ffff) << 16))
#define MUR_ONE_THREE(p) ((((*WP(p))&0xff000000) >>24) | (((*(WP(p)+1))&0x00ffffff) << 8))
#endif
#define MUR_GETBLOCK(p,i) (MUR_PLUS0_ALIGNED(p) ? ((p)[i]) : \
(MUR_PLUS1_ALIGNED(p) ? MUR_THREE_ONE(p) : \
(MUR_PLUS2_ALIGNED(p) ? MUR_TWO_TWO(p) : \
MUR_ONE_THREE(p))))
#endif
#define MUR_ROTL32(x,r) (((x) << (r)) | ((x) >> (32 - (r))))
#define MUR_FMIX(_h) \
do { \
_h ^= _h >> 16; \
_h *= 0x85ebca6bu; \
_h ^= _h >> 13; \
_h *= 0xc2b2ae35u; \
_h ^= _h >> 16; \
} while (0)
#define HASH_MUR(key,keylen,hashv) \
do { \
const uint8_t *_mur_data = (const uint8_t*)(key); \
const int _mur_nblocks = (int)(keylen) / 4; \
uint32_t _mur_h1 = 0xf88D5353u; \
uint32_t _mur_c1 = 0xcc9e2d51u; \
uint32_t _mur_c2 = 0x1b873593u; \
uint32_t _mur_k1 = 0; \
const uint8_t *_mur_tail; \
const uint32_t *_mur_blocks = (const uint32_t*)(_mur_data+(_mur_nblocks*4)); \
int _mur_i; \
for (_mur_i = -_mur_nblocks; _mur_i != 0; _mur_i++) { \
_mur_k1 = MUR_GETBLOCK(_mur_blocks,_mur_i); \
_mur_k1 *= _mur_c1; \
_mur_k1 = MUR_ROTL32(_mur_k1,15); \
_mur_k1 *= _mur_c2; \
\
_mur_h1 ^= _mur_k1; \
_mur_h1 = MUR_ROTL32(_mur_h1,13); \
_mur_h1 = (_mur_h1*5U) + 0xe6546b64u; \
} \
_mur_tail = (const uint8_t*)(_mur_data + (_mur_nblocks*4)); \
_mur_k1=0; \
switch ((keylen) & 3U) { \
case 0: break; \
case 3: _mur_k1 ^= (uint32_t)_mur_tail[2] << 16; /* FALLTHROUGH */ \
case 2: _mur_k1 ^= (uint32_t)_mur_tail[1] << 8; /* FALLTHROUGH */ \
case 1: _mur_k1 ^= (uint32_t)_mur_tail[0]; \
_mur_k1 *= _mur_c1; \
_mur_k1 = MUR_ROTL32(_mur_k1,15); \
_mur_k1 *= _mur_c2; \
_mur_h1 ^= _mur_k1; \
} \
_mur_h1 ^= (uint32_t)(keylen); \
MUR_FMIX(_mur_h1); \
hashv = _mur_h1; \
} while (0)
#endif /* HASH_USING_NO_STRICT_ALIASING */
/* iterate over items in a known bucket to find desired item */ /* iterate over items in a known bucket to find desired item */
#define HASH_FIND_IN_BKT(tbl,hh,head,keyptr,keylen_in,hashval,out) \ #define HASH_FIND_IN_BKT(tbl,hh,head,keyptr,keylen_in,hashval,out) \
do { \ do { \
@@ -824,7 +750,7 @@ do {
} \ } \
while ((out) != NULL) { \ while ((out) != NULL) { \
if ((out)->hh.hashv == (hashval) && (out)->hh.keylen == (keylen_in)) { \ if ((out)->hh.hashv == (hashval) && (out)->hh.keylen == (keylen_in)) { \
if (uthash_memcmp((out)->hh.key, keyptr, keylen_in) == 0) { \ if (HASH_KEYCMP((out)->hh.key, keyptr, keylen_in) == 0) { \
break; \ break; \
} \ } \
} \ } \
@@ -910,12 +836,12 @@ do {
struct UT_hash_handle *_he_thh, *_he_hh_nxt; \ struct UT_hash_handle *_he_thh, *_he_hh_nxt; \
UT_hash_bucket *_he_new_buckets, *_he_newbkt; \ UT_hash_bucket *_he_new_buckets, *_he_newbkt; \
_he_new_buckets = (UT_hash_bucket*)uthash_malloc( \ _he_new_buckets = (UT_hash_bucket*)uthash_malloc( \
2UL * (tbl)->num_buckets * sizeof(struct UT_hash_bucket)); \ sizeof(struct UT_hash_bucket) * (tbl)->num_buckets * 2U); \
if (!_he_new_buckets) { \ if (!_he_new_buckets) { \
HASH_RECORD_OOM(oomed); \ HASH_RECORD_OOM(oomed); \
} else { \ } else { \
uthash_bzero(_he_new_buckets, \ uthash_bzero(_he_new_buckets, \
2UL * (tbl)->num_buckets * sizeof(struct UT_hash_bucket)); \ sizeof(struct UT_hash_bucket) * (tbl)->num_buckets * 2U); \
(tbl)->ideal_chain_maxlen = \ (tbl)->ideal_chain_maxlen = \
((tbl)->num_items >> ((tbl)->log2_num_buckets+1U)) + \ ((tbl)->num_items >> ((tbl)->log2_num_buckets+1U)) + \
((((tbl)->num_items & (((tbl)->num_buckets*2U)-1U)) != 0U) ? 1U : 0U); \ ((((tbl)->num_items & (((tbl)->num_buckets*2U)-1U)) != 0U) ? 1U : 0U); \
@@ -928,7 +854,9 @@ do {
_he_newbkt = &(_he_new_buckets[_he_bkt]); \ _he_newbkt = &(_he_new_buckets[_he_bkt]); \
if (++(_he_newbkt->count) > (tbl)->ideal_chain_maxlen) { \ if (++(_he_newbkt->count) > (tbl)->ideal_chain_maxlen) { \
(tbl)->nonideal_items++; \ (tbl)->nonideal_items++; \
_he_newbkt->expand_mult = _he_newbkt->count / (tbl)->ideal_chain_maxlen; \ if (_he_newbkt->count > _he_newbkt->expand_mult * (tbl)->ideal_chain_maxlen) { \
_he_newbkt->expand_mult++; \
} \
} \ } \
_he_thh->hh_prev = NULL; \ _he_thh->hh_prev = NULL; \
_he_thh->hh_next = _he_newbkt->hh_head; \ _he_thh->hh_next = _he_newbkt->hh_head; \
@@ -1061,7 +989,7 @@ do {
_elt = ELMT_FROM_HH((src)->hh_src.tbl, _src_hh); \ _elt = ELMT_FROM_HH((src)->hh_src.tbl, _src_hh); \
if (cond(_elt)) { \ if (cond(_elt)) { \
IF_HASH_NONFATAL_OOM( int _hs_oomed = 0; ) \ IF_HASH_NONFATAL_OOM( int _hs_oomed = 0; ) \
_dst_hh = (UT_hash_handle*)(((char*)_elt) + _dst_hho); \ _dst_hh = (UT_hash_handle*)(void*)(((char*)_elt) + _dst_hho); \
_dst_hh->key = _src_hh->key; \ _dst_hh->key = _src_hh->key; \
_dst_hh->keylen = _src_hh->keylen; \ _dst_hh->keylen = _src_hh->keylen; \
_dst_hh->hashv = _src_hh->hashv; \ _dst_hh->hashv = _src_hh->hashv; \
@@ -1200,7 +1128,7 @@ typedef struct UT_hash_handle {
void *next; /* next element in app order */ void *next; /* next element in app order */
struct UT_hash_handle *hh_prev; /* previous hh in bucket order */ struct UT_hash_handle *hh_prev; /* previous hh in bucket order */
struct UT_hash_handle *hh_next; /* next hh in bucket order */ struct UT_hash_handle *hh_next; /* next hh in bucket order */
void *key; /* ptr to enclosing struct's key */ const void *key; /* ptr to enclosing struct's key */
unsigned keylen; /* enclosing struct's key len */ unsigned keylen; /* enclosing struct's key len */
unsigned hashv; /* result of hash-fcn(key) */ unsigned hashv; /* result of hash-fcn(key) */
} UT_hash_handle; } UT_hash_handle;