Do not add hostnames less than 4 characters long

Only domains and subdomains from the blacklist file would be processed
with HTTP modifications. Does not affect HTTPS data.

Makefile

@@ -1,14 +1,17 @@
-CPREFIX = x86_64-w64-mingw32
+ifndef MSYSTEM
+	CPREFIX = x86_64-w64-mingw32-
+endif
+
 WINDIVERTHEADERS = ../../include
 WINDIVERTLIBS = ../binary
 
 TARGET = goodbyedpi.exe
 LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32
-CC = $(CPREFIX)-gcc
+CC = $(CPREFIX)gcc
-CCWINDRES = $(CPREFIX)-windres
+CCWINDRES = $(CPREFIX)windres
-CFLAGS = -Wall -I $(WINDIVERTHEADERS) -L $(WINDIVERTLIBS) \
+CFLAGS = -Wall -Wextra -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
          -O2 -pie -fPIE -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
-LDFLAGS = -pie
+LDFLAGS = -Wl,-O1,--sort-common,--as-needed
 
 .PHONY: default all clean
 
@@ -27,7 +30,7 @@ manifest:
 .PRECIOUS: $(TARGET) $(OBJECTS)
 
 $(TARGET): $(OBJECTS)
-	$(CC) $(OBJECTS) -Wall $(LIBS) -s -o $@
+	$(CC) $(OBJECTS) -Wall $(LDFLAGS) $(LIBS) -s -o $@
 
 clean:
 	-rm -f *.o

README.md

@@ -21,9 +21,12 @@ Usage: goodbyedpi.exe [OPTION...]
  -e [value]  set HTTPS fragmentation to value
  -a          additional space between Method and Request-URI (enables -s, may break sites)
  -w          try to find and parse HTTP traffic on all processed ports (not only on port 80)
- --port      additional TCP port to perform fragmentation on (and HTTP tricks with -w)
+ --port      [value]    additional TCP port to perform fragmentation on (and HTTP tricks with -w)
- --dns-addr  redirect UDP DNS requests to the supplied IP address (experimental)
+ --dns-addr  [value]    redirect UDP DNS requests to the supplied IP address (experimental)
- --dns-port  redirect UDP DNS requests to the supplied port (53 by default)
+ --dns-port  [value]    redirect UDP DNS requests to the supplied port (53 by default)
+ --dns-verb             print verbose DNS redirection messages
+ --blacklist [txtfile]  perform HTTP tricks only to host names and subdomains from
+                        supplied text file. This option can be supplied multiple times.
 
  -1          -p -r -s -f 2 -e 2 (most compatible mode, default)
  -2          -p -r -s -f 2 -e 40 (better speed yet still compatible)
@@ -65,11 +68,11 @@ This project can be build using **GNU Make** and [**mingw**](https://mingw-w64.o
 
 To build x86 exe run:
 
-`make CPREFIX=i686-w64-mingw32 WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/x86`
+`make CPREFIX=i686-w64-mingw32- WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/x86`
 
 And for x86_64:
 
-`make CPREFIX=x86_64-w64-mingw32 WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/amd64`
+`make CPREFIX=x86_64-w64-mingw32- WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/amd64`
 
 # How to install as Windows Service
 

blackwhitelist.c

@@ -0,0 +1,110 @@
+/*
+ * Blacklist for GoodbyeDPI HTTP DPI circumvention tricks
+ *
+ * This is a simple domain hash table.
+ * Domain records are added from a text file, where every
+ * domain is separated with a new line.
+ */
+#include <windows.h>
+#include <stdio.h>
+#include "goodbyedpi.h"
+#include "uthash.h"
+#include "getline.h"
+
+typedef struct blackwhitelist_record {
+    const char *host;
+    UT_hash_handle hh;   /* makes this structure hashable */
+} blackwhitelist_record_t;
+
+static blackwhitelist_record_t *blackwhitelist = NULL;
+
+static int check_get_hostname(const char *host) {
+    blackwhitelist_record_t *tmp_record = NULL;
+    if (!blackwhitelist) return FALSE;
+
+    HASH_FIND_STR(blackwhitelist, host, tmp_record);
+    if (tmp_record) {
+        debug("check_get_hostname found host\n");
+        return TRUE;
+    }
+    debug("check_get_hostname host not found\n");
+    return FALSE;
+}
+
+static int add_hostname(const char *host) {
+    if (!host)
+        return FALSE;
+
+    int host_len = strlen(host);
+
+    blackwhitelist_record_t *tmp_record = malloc(sizeof(blackwhitelist_record_t));
+    char *host_c = malloc(host_len + 1);
+
+    if (!check_get_hostname(host)) {
+        strncpy(host_c, host, host_len);
+        host_c[host_len] = '\0';
+        tmp_record->host = host_c;
+        HASH_ADD_KEYPTR(hh, blackwhitelist, tmp_record->host,
+                        strlen(tmp_record->host), tmp_record);
+        debug("Added host %s\n", host_c);
+        return TRUE;
+    }
+    debug("Not added host %s\n", host);
+    free(tmp_record);
+    free(host_c);
+    return FALSE;
+}
+
+int blackwhitelist_load_list(const char *filename) {
+    char *line = malloc(HOST_MAXLEN + 1);
+    size_t linelen = HOST_MAXLEN + 1;
+    int cnt = 0;
+    ssize_t read;
+
+    FILE *fp = fopen(filename, "r");
+    if (!fp) return FALSE;
+
+    while ((read = getline(&line, &linelen, fp)) != -1) {
+        /* works with both \n and \r\n */
+        line[strcspn(line, "\r\n")] = '\0';
+        if (strlen(line) > HOST_MAXLEN) {
+            printf("WARNING: host %s exceeds maximum host length and has not been added\n",
+                line);
+            continue;
+        }
+        if (strlen(line) < 4)
+            continue;
+        if (add_hostname(line))
+            cnt++;
+    }
+    free(line);
+    if (!blackwhitelist) return FALSE;
+    printf("Loaded %d hosts from file %s\n", cnt, filename);
+    fclose(fp);
+    return TRUE;
+}
+
+int blackwhitelist_check_hostname(const char *host_addr, int host_len) {
+    char current_host[HOST_MAXLEN + 1];
+    char *tokenized_host = NULL;
+
+    if (host_len > HOST_MAXLEN) return FALSE;
+    if (host_addr && host_len) {
+        memcpy(current_host, host_addr, host_len);
+        current_host[host_len] = '\0';
+    }
+
+    if (check_get_hostname(current_host))
+            return TRUE;
+
+    tokenized_host = strchr(current_host, '.');
+    while (tokenized_host != NULL && tokenized_host < (current_host + HOST_MAXLEN)) {
+        /* Search hostname only if there is next token */
+        if (strchr(tokenized_host + 1, '.') && check_get_hostname(tokenized_host + 1))
+            return TRUE;
+        tokenized_host = strchr(tokenized_host + 1, '.');
+    }
+
+    debug("____blackwhitelist_check_hostname FALSE: host %s\n", current_host);
+    return FALSE;
+}

blackwhitelist.h

@@ -0,0 +1,2 @@
+int blackwhitelist_load_list(const char *filename);
+int blackwhitelist_check_hostname(const char *host_addr, int host_len);

dnsredir.c

@@ -13,6 +13,7 @@
 #include <windows.h>
 #include <time.h>
 #include <stdio.h>
+#include "goodbyedpi.h"
 #include "dnsredir.h"
 #include "uthash.h"
 
@@ -21,14 +22,6 @@
 
 #define DNS_CLEANUP_INTERVAL_SEC 30
 
-#ifndef debug
-#define debug(...) do {} while (0)
-#endif
-
-#ifndef debug
-#define debug(...) printf(...)
-#endif
-
 /* HACK!
  * uthash uses strlen() for HASH_FIND_STR.
  * We have null bytes in our key, so we can't use strlen()
@@ -108,10 +101,10 @@ static int check_get_udp_conntrack_key(const char *key, udp_connrecord_t **connr
 
 static int add_udp_conntrack(const uint32_t srcip, const uint16_t srcport,
                              const uint32_t dstip, const uint16_t dstport) {
-    udp_connrecord_t *tmp_connrecord = malloc(sizeof(udp_connrecord_t));
     if (!(srcip && srcport && dstip && dstport))
         return FALSE;
 
+    udp_connrecord_t *tmp_connrecord = malloc(sizeof(udp_connrecord_t));
     construct_key(srcip, srcport, tmp_connrecord->key);
 
     if (!check_get_udp_conntrack_key(tmp_connrecord->key, NULL)) {
@@ -123,6 +116,7 @@ static int add_udp_conntrack(const uint32_t srcip, const uint16_t srcport,
         return TRUE;
     }
     debug("Not added UDP conntrack\n");
+    free(tmp_connrecord);
     return FALSE;
 }
 
@@ -146,6 +140,20 @@ void dns_cleanup() {
     }
 }
 
+int dns_is_dns_packet(const char *packet_data, const UINT packet_dataLen, const int outgoing) {
+    if (packet_dataLen < 16) return FALSE;
+
+    if (outgoing && (ntohs(*(const uint16_t*)(packet_data + 2)) & 0xFA00) == 0 &&
+        (ntohs(*(const uint32_t*)(packet_data + 6))) == 0) {
+        return TRUE;
+    }
+    else if (!outgoing &&
+        (ntohs(*(const uint16_t*)(packet_data + 2)) & 0xF800) == 0x8000) {
+        return TRUE;
+    }
+    return FALSE;
+}
+
 int dns_handle_outgoing(const uint32_t srcip, const uint16_t srcport,
                         const uint32_t dstip, const uint16_t dstport,
                         const char *packet_data, const UINT packet_dataLen) {
@@ -155,8 +163,7 @@ int dns_handle_outgoing(const uint32_t srcip, const uint16_t srcport,
 
     dns_cleanup();
 
-    if ((ntohs(*(const uint16_t*)(packet_data + 2)) & 0xFA00) == 0 &&
+    if (dns_is_dns_packet(packet_data, packet_dataLen, 1)) {
-        (ntohs(*(const uint32_t*)(packet_data + 6))) == 0) {
         /* Looks like DNS request */
         debug("trying to add srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
         return add_udp_conntrack(srcip, srcport, dstip, dstport);
@@ -166,7 +173,6 @@ int dns_handle_outgoing(const uint32_t srcip, const uint16_t srcport,
 }
 
 int dns_handle_incoming(const uint32_t srcip, const uint16_t srcport,
-                        const uint32_t dstip, const uint16_t dstport,
                         const char *packet_data, const UINT packet_dataLen,
                         conntrack_info_t *conn_info) {
 
@@ -178,7 +184,7 @@ int dns_handle_incoming(const uint32_t srcip, const uint16_t srcport,
 
     dns_cleanup();
 
-    if ((ntohs(*(const uint16_t*)(packet_data + 2)) & 0xF800) == 0x8000) {
+    if (dns_is_dns_packet(packet_data, packet_dataLen, 0)) {
         /* Looks like DNS response */
         construct_key(srcip, srcport, key);
         if (check_get_udp_conntrack_key(key, &tmp_connrecord) && tmp_connrecord) {

dnsredir.h

@@ -8,7 +8,6 @@ typedef struct conntrack_info {
 } conntrack_info_t;
 
 int dns_handle_incoming(const uint32_t srcip, const uint16_t srcport,
-                        const uint32_t dstip, const uint16_t dstport,
                         const char *packet_data, const UINT packet_dataLen,
                         conntrack_info_t *conn_info);
 
@@ -17,3 +16,4 @@ int dns_handle_outgoing(const uint32_t srcip, const uint16_t srcport,
                         const char *packet_data, const UINT packet_dataLen);
 
 void flush_dns_cache();
+int dns_is_dns_packet(const char *packet_data, const UINT packet_dataLen, const int outgoing);

getline.c

@@ -0,0 +1,92 @@
+/*	$NetBSD: getdelim.c,v 1.2 2015/12/25 20:12:46 joerg Exp $	*/
+/*	NetBSD-src: getline.c,v 1.2 2014/09/16 17:23:50 christos Exp 	*/
+
+/*-
+ * Copyright (c) 2011 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "getline.h"
+
+#if !HAVE_GETDELIM
+
+ssize_t
+getdelim(char **buf, size_t *bufsiz, int delimiter, FILE *fp)
+{
+	char *ptr, *eptr;
+
+
+	if (*buf == NULL || *bufsiz == 0) {
+		*bufsiz = BUFSIZ;
+		if ((*buf = malloc(*bufsiz)) == NULL)
+			return -1;
+	}
+
+	for (ptr = *buf, eptr = *buf + *bufsiz;;) {
+		int c = fgetc(fp);
+		if (c == -1) {
+			if (feof(fp)) {
+				ssize_t diff = (ssize_t)(ptr - *buf);
+				if (diff != 0) {
+					*ptr = '\0';
+					return diff;
+				}
+			}
+			return -1;
+		}
+		*ptr++ = c;
+		if (c == delimiter) {
+			*ptr = '\0';
+			return ptr - *buf;
+		}
+		if (ptr + 2 >= eptr) {
+			char *nbuf;
+			size_t nbufsiz = *bufsiz * 2;
+			ssize_t d = ptr - *buf;
+			if ((nbuf = realloc(*buf, nbufsiz)) == NULL)
+				return -1;
+			*buf = nbuf;
+			*bufsiz = nbufsiz;
+			eptr = nbuf + nbufsiz;
+			ptr = nbuf + d;
+		}
+	}
+}
+
+#endif
+
+#if !HAVE_GETLINE
+
+ssize_t
+getline(char **buf, size_t *bufsiz, FILE *fp)
+{
+	return getdelim(buf, bufsiz, '\n', fp);
+}
+
+#endif

getline.h

@@ -0,0 +1,7 @@
+#if !HAVE_GETDELIM
+ssize_t	getdelim(char **, size_t *, int, FILE *);
+#endif
+
+#if !HAVE_GETLINE
+ssize_t	getline(char **, size_t *, FILE *);
+#endif

goodbyedpi.c

@@ -10,7 +10,9 @@
 #include <string.h>
 #include <getopt.h>
 #include "windivert.h"
+#include "goodbyedpi.h"
 #include "dnsredir.h"
+#include "blackwhitelist.h"
 
 #define die() do { printf("Something went wrong!\n" \
     "Make sure you're running this program with administrator privileges\n"); \
@@ -22,7 +24,6 @@
 #define TCP_HDR_LEN 20
 #define IPV4_TOTALLEN_OFFSET 2
 #define TCP_WINDOWSIZE_OFFSET 14
-#define HOST_MAXLEN 253
 
 #define DIVERT_NO_LOCALNETS_DST "(" \
                    "(ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and " \
@@ -62,6 +63,8 @@ static struct option long_options[] = {
     {"port",      required_argument, 0,  'z' },
     {"dns-addr",  required_argument, 0,  'd' },
     {"dns-port",  required_argument, 0,  'g' },
+    {"dns-verb",  no_argument,       0,  'v' },
+    {"blacklist", required_argument, 0,  'b' },
     {0,           0,                 0,   0  }
 };
 
@@ -134,7 +137,7 @@ static void deinit_all() {
     }
 }
 
-static void sigint_handler(int sig) {
+static void sigint_handler(int sig __attribute__((unused))) {
     deinit_all();
     exit(EXIT_SUCCESS);
 }
@@ -205,7 +208,7 @@ static void change_window_size(const char *pkt, int size) {
 
 /* HTTP method end without trailing space */
 static PVOID find_http_method_end(const char *pkt, int offset) {
-    int i;
+    unsigned int i;
     for (i = 0; i<(sizeof(http_methods) / sizeof(*http_methods)); i++) {
         if (memcmp(pkt, http_methods[i], strlen(http_methods[i])) == 0) {
             return (char*)pkt + strlen(http_methods[i]) - 1;
@@ -242,7 +245,8 @@ int main(int argc, char *argv[]) {
         do_fragment_https = 0, do_host = 0,
         do_host_removespace = 0, do_additional_space = 0,
         do_http_allports = 0,
-        do_host_mixedcase = 0, do_dns_redirect = 0;
+        do_host_mixedcase = 0, do_dns_redirect = 0,
+        do_dns_verb = 0, do_blacklist = 0;
     int http_fragment_size = 2;
     int https_fragment_size = 2;
     uint32_t dns_addr = 0;
@@ -281,6 +285,7 @@ int main(int argc, char *argv[]) {
                 do_passivedpi = do_host = do_host_removespace \
                 = do_fragment_https = 1;
                 https_fragment_size = 40;
+                break;
             case '4':
                 do_passivedpi = do_host = do_host_removespace = 1;
                 break;
@@ -350,7 +355,7 @@ int main(int argc, char *argv[]) {
                     exit(EXIT_FAILURE);
                 }
                 dns_port = atoi(optarg);
-                if (dns_port <= 0 || dns_port > 65535) {
+                if (atoi(optarg) <= 0 || atoi(optarg) > 65535) {
                     printf("DNS port parameter error!\n");
                     exit(EXIT_FAILURE);
                 }
@@ -359,6 +364,16 @@ int main(int argc, char *argv[]) {
                 }
                 dns_port = ntohs(dns_port);
                 break;
+            case 'v':
+                do_dns_verb = 1;
+                break;
+            case 'b':
+                do_blacklist = 1;
+                if (!blackwhitelist_load_list(optarg)) {
+                    printf("Can't load blacklist from file!\n");
+                    exit(EXIT_FAILURE);
+                }
+                break;
             default:
                 printf("Usage: goodbyedpi.exe [OPTION...]\n"
                 " -p          block passive DPI\n"
@@ -369,9 +384,12 @@ int main(int argc, char *argv[]) {
                 " -f [value]  set HTTP fragmentation to value\n"
                 " -e [value]  set HTTPS fragmentation to value\n"
                 " -w          try to find and parse HTTP traffic on all processed ports (not only on port 80)\n"
-                " --port      additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n"
+                " --port      [value]    additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n"
-                " --dns-addr  redirect UDP DNS requests to the supplied IP address (experimental)\n"
+                " --dns-addr  [value]    redirect UDP DNS requests to the supplied IP address (experimental)\n"
-                " --dns-port  redirect UDP DNS requests to the supplied port (53 by default)\n"
+                " --dns-port  [value]    redirect UDP DNS requests to the supplied port (53 by default)\n"
+                " --dns-verb             print verbose DNS redirection messages\n"
+                " --blacklist [txtfile]  perform HTTP tricks only to host names and subdomains from\n"
+                "                        supplied text file. This option can be supplied multiple times.\n"
                 "\n"
                 " -1          -p -r -s -f 2 -e 2 (most compatible mode, default)\n"
                 " -2          -p -r -s -f 2 -e 40 (better speed yet still compatible)\n"
@@ -460,11 +478,13 @@ int main(int argc, char *argv[]) {
 
                     /* Find Host header */
                     if (find_header_and_get_info(packet_data, packet_dataLen,
-                        http_host_find, &hdr_name_addr, &hdr_value_addr, &hdr_value_len)) {
+                        http_host_find, &hdr_name_addr, &hdr_value_addr, &hdr_value_len) &&
+                        hdr_value_len > 0 && hdr_value_len <= HOST_MAXLEN &&
+                        (do_blacklist ? blackwhitelist_check_hostname(hdr_value_addr, hdr_value_len) : 1)) {
                         host_addr = hdr_value_addr;
                         host_len = hdr_value_len;
 
-                        if (do_host_mixedcase && host_len > 0 && host_len <= HOST_MAXLEN) {
+                        if (do_host_mixedcase) {
                             mix_case(host_addr, host_len);
                             should_recalc_checksum = 1;
                         }
@@ -505,8 +525,7 @@ int main(int argc, char *argv[]) {
                                  *
                                  * Nothing is done if User-Agent header is missing.
                                  */
-                                if (host_len > 0 && host_len <= HOST_MAXLEN &&
+                                if (useragent_addr && useragent_len > 0) {
-                                    useragent_addr && useragent_len > 0) {
                                     /* useragent_addr is in the beginning of User-Agent value */
 
                                     if (useragent_addr > host_addr) {
@@ -566,7 +585,6 @@ int main(int argc, char *argv[]) {
 
                 if (addr.Direction == WINDIVERT_DIRECTION_INBOUND) {
                     if (dns_handle_incoming(ppIpHdr->DstAddr, ppUdpHdr->DstPort,
-                                        ppIpHdr->SrcAddr, ppUdpHdr->SrcPort,
                                         packet_data, packet_dataLen,
                                         &dns_conn_info))
                     {
@@ -578,7 +596,13 @@ int main(int argc, char *argv[]) {
                         should_recalc_checksum = 1;
                     }
                     else {
-                        printf("[DNS] Error handling incoming packet!\n");
+                        if (dns_is_dns_packet(packet_data, packet_dataLen, 0))
+                            should_reinject = 0;
+
+                        if (do_dns_verb && !should_reinject) {
+                            printf("[DNS] Error handling incoming packet: srcport = %hu, dstport = %hu\n",
+                               ntohs(ppUdpHdr->SrcPort), ntohs(ppUdpHdr->DstPort));
+                        }
                     }
                 }
 
@@ -594,7 +618,13 @@ int main(int argc, char *argv[]) {
                         should_recalc_checksum = 1;
                     }
                     else {
-                        printf("[DNS] Error handling outgoing packet!\n");
+                        if (dns_is_dns_packet(packet_data, packet_dataLen, 1))
+                            should_reinject = 0;
+
+                        if (do_dns_verb && !should_reinject) {
+                            printf("[DNS] Error handling outgoing packet: srcport = %hu, dstport = %hu\n",
+                               ntohs(ppUdpHdr->SrcPort), ntohs(ppUdpHdr->DstPort));
+                        }
                     }
                 }
             }

goodbyedpi.h

@@ -0,0 +1,7 @@
+#define HOST_MAXLEN 253
+
+#ifndef DEBUG
+#define debug(...) do {} while (0)
+#else
+#define debug(...) printf(__VA_ARGS__)
+#endif