2gW94/GoodbyeDPI
1
0
Fork 0
mirror of https://github.com/ValdikSS/GoodbyeDPI.git synced 2025-12-17 12:54:36 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: 2gW94:0.1.5rc2
Branches Tags
2gW94:master 2gW94:more-fakes 2gW94:EgorWeders-patch-1 2gW94:quic_block 2gW94:test_windres 2gW94:openvpn 2gW94:windivert2 2gW94:masterv6 2gW94:ipv6 2gW94:windivert-test
2gW94:0.2.3rc3 2gW94:0.2.3rc2 2gW94:0.2.3rc1 2gW94:0.2.2 2gW94:0.2.1 2gW94:0.2.0 2gW94:0.1.8 2gW94:0.1.7 2gW94:0.1.6 2gW94:0.1.5 2gW94:0.1.5rc3 2gW94:0.1.5rc2 2gW94:0.1.5rc1 2gW94:0.1.4 2gW94:0.1.3 2gW94:0.1.2 2gW94:0.1.2rc3 2gW94:0.1.2rc2 2gW94:0.1.2rc1 2gW94:0.1.1 2gW94:0.1.0 2gW94:0.0.9 2gW94:0.0.8 2gW94:0.0.7 2gW94:0.0.6 2gW94:0.0.5 2gW94:0.0.4 2gW94:0.0.3 2gW94:0.0.2 2gW94:0.0.1
...
compare: 2gW94:0.1.8
Branches Tags
2gW94:master 2gW94:more-fakes 2gW94:EgorWeders-patch-1 2gW94:quic_block 2gW94:test_windres 2gW94:openvpn 2gW94:windivert2 2gW94:masterv6 2gW94:ipv6 2gW94:windivert-test
2gW94:0.2.3rc3 2gW94:0.2.3rc2 2gW94:0.2.3rc1 2gW94:0.2.2 2gW94:0.2.1 2gW94:0.2.0 2gW94:0.1.8 2gW94:0.1.7 2gW94:0.1.6 2gW94:0.1.5 2gW94:0.1.5rc3 2gW94:0.1.5rc2 2gW94:0.1.5rc1 2gW94:0.1.4 2gW94:0.1.3 2gW94:0.1.2 2gW94:0.1.2rc3 2gW94:0.1.2rc2 2gW94:0.1.2rc1 2gW94:0.1.1 2gW94:0.1.0 2gW94:0.0.9 2gW94:0.0.8 2gW94:0.0.7 2gW94:0.0.6 2gW94:0.0.5 2gW94:0.0.4 2gW94:0.0.3 2gW94:0.0.2 2gW94:0.0.1

48 Commits
0.1.5rc2 ... 0.1.8

Author SHA1 Message Date
ValdikSS
6eec99e874 GoodbyeDPI v0.1.8 2021-12-26 20:29:24 +03:00
ValdikSS
b799b33fed Update readme 2021-12-26 20:24:16 +03:00
ValdikSS
76c4658985 Update github issue templates 2021-12-26 20:10:18 +03:00
ValdikSS
d61a9f8022 Handle only (default_ttl - 30) range in Auto TTL 2021-12-26 19:05:03 +03:00
ValdikSS
fc15088c33 Fix spelling 2021-12-26 18:42:26 +03:00
ValdikSS
1ea70f9bc9 Do not print "Error receiving packet!" upon exiting 2021-12-26 18:39:44 +03:00
ValdikSS
ed42c5d627 Fix all the warnings and notes 2021-12-26 17:45:37 +03:00
ValdikSS
a79377f606 Github Actions: rebuild only on src directory changes 2021-12-26 15:12:13 +03:00
ValdikSS
db37b4f1f2 Add Github Actions build script 2021-12-26 15:03:35 +03:00
ValdikSS
9fcf097cb7 Use Auto TTL = 4 by default 
Previous value of 2 caused issues with the services connected via
very different uplink/downlink routing links.
 2021-12-25 20:43:56 +03:00
ValdikSS
e1e09f9103 Add safekeeping TTL value for Auto TTL 2021-12-25 13:56:57 +03:00
ValdikSS
a5c2f9fac9 Introduce -5 and -6 modes and make -5 default 
Modern modesets (more stable, more compatible, faster):
 -5          -f 2 -e 2 --auto-ttl --reverse-frag (this is the default now)
 -6          -f 2 -e 2 --wrong-seq --reverse-frag
 2021-12-25 13:56:57 +03:00
ValdikSS
11c322aaed Show fragmentation value issues only when Window Size is used 2021-12-25 13:07:39 +03:00
ValdikSS
88d4a60cdf Merge branch 'badseq_for_master' into master 2021-12-25 12:30:08 +03:00
ValdikSS
b45b463d51 Update readme 2021-12-25 12:24:25 +03:00
ValdikSS
80fcd9c5cf Replace required/optional brackets in the readme 2021-12-25 12:24:25 +03:00
ValdikSS
21ff80b43c Automatic TTL value picker for --set-ttl Fake Packet mode 
This is a per-connection (per-destination) automatic TTL adjusting feature.
Basically a --set-ttl mode where you don't need to set specific TTL value.

It works as follows:
 1. All incoming SYN/ACKs (the response to client's SYN) are intercepted
 2. TTL value is extracted from SYN/ACK
 3. New TTL is calculated with the simple formula:
    128 > extracted_ttl > 64: // Server is running Windows
      fakepacket_ttl = 128 - extracted_ttl - decrement
    64 > extracted_ttl > 34: // Server is running Linux/FreeBSD/other
      fakepacket_ttl = 64 - extracted_ttl - decrement
 4. Fake packet is sent

To comply with the multi-path multi-hop server connections
where 1 hop dispersion is not rare, decrement should be at least of
value "2", which is the default.

The patch does not process "too strange" TTL values (bigger than 128,
less than 34).
 2021-12-25 12:24:25 +03:00
ValdikSS
bbb6af89fe New Fake Packet circumvention method: wrong SEQ/ACK numbers 
This method sends Fake Packet with the TCP SEQ/ACK numbers "in the past":
-66000 is used for ACK (right out of the ACK permissive window in Linux stack),
-10000 is used for SEQ (without any reasoning).

This method is pretty effective in Russia.
It also could be handy in a networks which prohibit changing TTL values
(mobile networks with tethering block/premium feature).
 2021-12-25 11:55:26 +03:00
ValdikSS
b57a204d96 Apply each Fake Packet method to each packet separately 
Before: --set-ttl and --wrong-chksum generated single Fake Packet with both low TTL and incorrect checksum.
Now:    --set-ttl and --wrong-chksum generate two packets: one with low TTL, another with incorrect checksum.
 2021-12-25 10:49:26 +03:00
ValdikSS
3899a719c1 Update Makefile, make fortify work on modern mingw compilers 2021-12-25 10:24:43 +03:00
ValdikSS
b9682ac222 Print parsed hostnames in DEBUG mode 2021-12-25 10:24:43 +03:00
ValdikSS
35c6e401db Handle TLS SNI in blacklist option 
Now blacklist applies not only to HTTP websites, but also to HTTPS.

Fixes #213
 2021-12-25 10:23:43 +03:00
ValdikSS
cf7d1c69e0 Add TLS Server Name Indication (SNI) extractor 2021-12-25 10:09:37 +03:00
ValdikSS
5b79d8e8ba Update Makefile, make fortify work on modern mingw compilers 2021-12-25 01:50:34 +03:00
ValdikSS
787c4d25c3 Update readme 2021-12-24 22:28:59 +03:00
ValdikSS
7d50748e2e GoodbyeDPI version 0.1.7 2021-12-24 22:17:32 +03:00
ValdikSS
e28cb52645 Send native-fragged fragments in the reversed order 
Some websites (or more precisely, TLS terminators/balancers) can't
handle segmented TLS ClientHello packet properly, requiring the whole
ClientHello in a single segment, otherwise the connection gets dropped.

However they still operate with a proper TCP stack.
Cheat on them: send the latter segment first (with TCP SEQ "in the future"),
the former segment second (with "current" SEQ), allowing OS TCP
stack to combine it in a single TCP read().

This fixes long-standing number of TCP fragmentation issues:
Fixes #4, #158, #224, #59, #192 and many others.
 2021-12-24 22:07:07 +03:00
ValdikSS
e3638786da Add Native Fragmentation support (without window size) 
This patch adds `--native-frag` option for userspace TCP
segmentation (packet splitting), without shrinking
TCP Window Size in SYN/ACK.

Compared to Window Size shrinking, this method does not require
waiting for ACK, which saves two RTTs.

This is preferrable method of operation since it has no cons.
It's faster and easier to handle in the software.
 2021-12-24 21:36:43 +03:00
ValdikSS
ad60d30caa Fix fake packet handling without other modifying parameters 
Fixes #150
 2021-12-24 21:30:15 +03:00
ValdikSS
505b8bf516 Merge pull request #171 from msekmfb/master 
Add PowerTunnel for Android to similar projects
 2020-03-08 14:38:40 +03:00
msekmfb
0c04f201eb Add PowerTunnel for Android to similar projects 2020-03-08 11:11:35 +03:00
ValdikSS
19b777cdb2 Update README.md 
Add PowerTunnel (manual merge of #168)
 2020-02-09 22:24:43 +03:00
ValdikSS
b69ab64d5d Update README.md 2020-02-09 19:22:30 +03:00
ValdikSS
b5d75a6c8e Version v0.1.6 2019-10-31 22:36:29 +03:00
ValdikSS
f2de8fce8d Fake Request Mode 2019-10-31 22:36:12 +03:00
ValdikSS
2b3e4a4683 Merge pull request #135 from alisharifi76/master 
Add 'GreenTunnel' to 'Similar projects' section.
 2019-04-03 01:33:02 +03:00
alisharifi76
7e2f782376 Add 'GreenTunnel' to 'Similar projects' section. 2019-03-29 22:32:05 +04:30
ValdikSS
7a0b8f5229 Update issue templates 2019-02-18 01:33:03 +03:00
ValdikSS
f569c64aca Update issue templates 2019-02-18 01:25:06 +03:00
ValdikSS
5459181fca Merge pull request #121 from drogga/patch-1 
Update README.md
 2019-01-31 15:29:18 +03:00
drogga
23485b67b4 Update README.md 
add KB3033929 download link for Windows 7 x64
 2019-01-31 21:23:41 +09:00
KOLANICH
ff4c11a6eb Integers fixes (with small modifications), closes #84 
Signed-off-by: ValdikSS <iam@valdikss.org.ru>
 2019-01-03 19:31:32 +03:00
ValdikSS
1c7fe5f843 Use newlines for current options information 2019-01-03 16:10:26 +03:00
ValdikSS
46db057662 Add version number into greeting message 2019-01-03 16:10:26 +03:00
ValdikSS
b95c45ee62 Update README.md 2018-10-14 18:24:36 +03:00
ValdikSS
39507e66e0 Update README.md 2018-07-24 15:54:55 +03:00
ValdikSS
c4d0ba1297 Skip impostor and loopback packets. Fixes #53. 2018-07-24 15:49:50 +03:00
ValdikSS
d6c2b825aa Update README.md 2018-07-20 16:37:19 +03:00
18 changed files with 1152 additions and 211 deletions
Expand all files Collapse all files

47
.github/ISSUE_TEMPLATE/bug.yml vendored Normal file
View File

@@ -0,0 +1,47 @@
name: Bug Report / Сообщение об ошибке
description: File a bug report / Сообщить об ошибке в проекте
body:
- type: markdown
attributes:
value: |
Please pay some attention!
GoodbyeDPI does not guarantee to work on your ISP on 100% or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it.
Please report software bugs, such as: website incompatibility (if the website works without GoodbyeDPI but breaks with GoobyeDPI enabled), antivirus incompatibility, DNS redirection problems, incorrect packet handling, and other software issues.
Please make sure to check other opened and closed issues, it could be your question or issue has been already discussed.
Пожалуйста, прочтите!
GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу вообще. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
Сообщайте только об ошибках в программе, таких как: некорректная работа с веб-сайтами (когда веб-сайт работает без GoodbyeDPI, но ломается с GoodbyeDPI), несовместимость с антивирусами, проблемы с перенаправлением DNS, некорректная обработка пакетов, и другие проблемы.
Также посмотрите другие открытые и закрытые баги. Возможно, ваш вопрос или проблема уже обсуждались.
- type: input
id: os
attributes:
label: Operating system / операционная система
description: Enter your Windows version. For Windows 10 and 11 include build/update number.
placeholder: ex. Windows 10 20H2
validations:
required: true
- type: dropdown
id: is-svc
attributes:
label: Running as service / Запуск программы как сервис
description: Do you use GoodbyeDPI as a Windows Service?
options:
- I run it as a regular program / Запускаю программу обычным образом
- I installed it as a service / Установил как сервис Windows
validations:
required: true
- type: textarea
id: what-happened
attributes:
label: Describe the issue / Опишите проблему
description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается проблема
placeholder: Attach the screenshots for clarity / При необходимости приложите скриншоты
validations:
required: true
- type: textarea
id: additional-info
attributes:
label: Additional information / Дополнительная информация
description: If you have a hints on why this bug happens, you can express it here / Если у вас есть предположения об источнике бага, вы можете изложить их здесь

5
.github/ISSUE_TEMPLATE/config.yml vendored Normal file
View File

@@ -0,0 +1,5 @@
blank_issues_enabled: false
contact_links:
- name: Questions about the program / Вопросы по програме
url: https://ntc.party/c/community-software/goodbyedpi/8
about: Please ask and answer questions on forum / Пожалуйста, задавайте вопросы только на форуме

15
.github/ISSUE_TEMPLATE/feature.yml vendored Normal file
View File

@@ -0,0 +1,15 @@
name: Feature request / Предложить новую функциональность
description: Suggest an idea or function for this project / Предложить новую идею или функциональность в программе
body:
- type: markdown
attributes:
value: |
If you think of a great function or circumvention method which is missing from the program, go ahead and suggest it here.
Если вы придумали новую функцию или метод обхода, которого еще нет в программе, напишите о нем подробнее здесь.
- type: textarea
id: description
attributes:
label: Describe your feature / Опишите ваше предложение
validations:
required: true

75
.github/workflows/build.yml vendored Normal file
View File

@@ -0,0 +1,75 @@
name: Build GoodbyeDPI
on:
push:
paths:
- 'src/**'
env:
WINDIVERT_URL: https://www.reqrypt.org/download/WinDivert-1.4.3-A.zip
WINDIVERT_NAME: WinDivert-1.4.3-A.zip
WINDIVERT_SHA256: 4084bc3931f31546d375ed89e3f842776efa46f321ed0adcd32d3972a7d02566
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Declare short commit variable
id: vars
run: |
echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
- name: Install MinGW-w64
run: >
sudo DEBIAN_FRONTEND=noninteractive XZ_DEFAULTS="-T0" XZ_OPT="-T0" eatmydata
apt install -y --no-install-recommends gcc-mingw-w64
- name: Download WinDivert from cache
id: windivert-cache
uses: actions/cache@v2
with:
path: ${{ env. WINDIVERT_NAME }}
key: ${{ env. WINDIVERT_SHA256 }}
- name: Download WinDivert from the website
if: steps.windivert-cache.outputs.cache-hit != 'true'
run: >
wget ${{ env. WINDIVERT_URL }} &&
(echo ${{ env. WINDIVERT_SHA256 }} ${{ env. WINDIVERT_NAME }} | sha256sum -c)
- name: Unpack WinDivert
run: unzip ${{ env. WINDIVERT_NAME }}
- name: Compile x86_64
run: >
cd src && make clean &&
make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=../WinDivert-1.4.3-A/include WINDIVERTLIBS=../WinDivert-1.4.3-A/x86_64 -j4
- name: Prepare x86_64 directory
run: |
mkdir goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
cp src/goodbyedpi.exe WinDivert-1.4.3-A/x86_64/*.{dll,sys} goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
- name: Upload output file x86_64 (64 bit)
uses: actions/upload-artifact@v2
with:
name: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
path: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
- name: Compile i686
run: >
cd src && make clean &&
make CPREFIX=i686-w64-mingw32- WINDIVERTHEADERS=../WinDivert-1.4.3-A/include WINDIVERTLIBS=../WinDivert-1.4.3-A/x86 -j4
- name: Prepare x86 directory
run: |
mkdir goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
cp src/goodbyedpi.exe WinDivert-1.4.3-A/x86/*.{dll,sys} goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
- name: Upload output file x86
uses: actions/upload-artifact@v2
with:
name: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
path: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}

74
README.md
View File

@@ -17,36 +17,59 @@ Usage: goodbyedpi.exe [OPTION...]
-r replace Host with hoSt
-s remove space between host header and its value
-m mix Host header case (test.com -> tEsT.cOm)
-f [value] set HTTP fragmentation to value
-k [value] enable HTTP persistent (keep-alive) fragmentation and set it to value
-f <value> set HTTP fragmentation to value
-k <value> enable HTTP persistent (keep-alive) fragmentation and set it to value
-n do not wait for first segment ACK when -k is enabled
-e [value] set HTTPS fragmentation to value
-e <value> set HTTPS fragmentation to value
-a additional space between Method and Request-URI (enables -s, may break sites)
-w try to find and parse HTTP traffic on all processed ports (not only on port 80)
--port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w)
--ip-id [value] handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
--port <value> additional TCP port to perform fragmentation on (and HTTP tricks with -w)
--ip-id <value> handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
This option can be supplied multiple times.
--dns-addr [value] redirect UDP DNS requests to the supplied IP address (experimental)
--dns-port [value] redirect UDP DNS requests to the supplied port (53 by default)
--dnsv6-addr [value] redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)
--dnsv6-port [value] redirect UDPv6 DNS requests to the supplied port (53 by default)
--dns-addr <value> redirect UDP DNS requests to the supplied IP address (experimental)
--dns-port <value> redirect UDP DNS requests to the supplied port (53 by default)
--dnsv6-addr <value> redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)
--dnsv6-port <value> redirect UDPv6 DNS requests to the supplied port (53 by default)
--dns-verb print verbose DNS redirection messages
--blacklist [txtfile] perform HTTP tricks only to host names and subdomains from
supplied text file. This option can be supplied multiple times.
--blacklist <txtfile> perform circumvention tricks only to host names and subdomains from
supplied text file (HTTP Host/TLS SNI).
This option can be supplied multiple times.
--set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.
DANGEROUS! May break websites in unexpected ways. Use with care.
--auto-ttl [decttl] activate Fake Request Mode, automatically detect TTL and decrease
it from standard 64 or 128 by decttl (128/64 - TTL - 4 by default).
--wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.
May not work in a VM or with some routers, but is safer than set-ttl.
--wrong-seq activate Fake Request Mode and send it with TCP SEQ/ACK in the past.
--native-frag fragment (split) the packets by sending them in smaller packets, without
shrinking the Window Size. Works faster (does not slow down the connection)
and better.
--reverse-frag fragment (split) the packets just as --native-frag, but send them in the
reversed order. Works with the websites which could not handle segmented
HTTPS TLS ClientHello (because they receive the TCP flow "combined").
-1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode, default)
LEGACY modesets:
-1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode)
-2 -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)
-3 -p -r -s -e 40 (better speed for HTTP and HTTPS)
-4 -p -r -s (best speed)
Modern modesets (more stable, more compatible, faster):
-5 -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)
-6 -f 2 -e 2 --wrong-seq --reverse-frag
```
To check if your ISP's DPI could be circumvented, run `3_all_dnsredir_hardcore.cmd` first. This is the most hardcore mode which will show if this program is suitable for your ISP and DPI vendor at all. If you can open blocked websites with this mode, it means your ISP has DPI which can be circumvented. This is the slowest and prone to break websites mode, but suitable for most DPI.
To check if your ISP's DPI could be circumvented, first make sure that your provider does not poison DNS answers by enabling "Secure DNS (DNS over HTTPS)" option in your browser.
Try `goodbyedpi -1` to see if it works too.
* **Chrome**: Settings → [Privacy and security](chrome://settings/security) > Use secure DNS → With: NextDNS
* **Firefox**: [Settings](about:preferences) → Network Settings → Enable DNS over HTTPS → Use provider: NextDNS
Then try `goodbyedpi.exe -2`. It should be faster for HTTPS sites. Mode `-3` speed ups HTTP websites.
Then run the `goodbyedpi.exe` executable without any options. If it works — congratulations! You can use it as-is or configure further, for example by using `--blacklist` option if the list of blocked websites is known and available for your country.
Use `goodbyedpi.exe -4` if it works for your ISP's DPI. This is the fastest mode but not compatible with every DPI.
If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resover running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications.
Check the .cmd scripts and modify it according to your preference and network conditions.
# How does it work
@@ -56,7 +79,7 @@ Most Passive DPI send HTTP 302 Redirect if you try to access blocked website ove
### Active DPI
Active DPI is more tricky to fool. Currently the software uses 6 methods to circumvent Active DPI:
Active DPI is more tricky to fool. Currently the software uses 7 methods to circumvent Active DPI:
* TCP-level fragmentation for first data packet
* TCP-level fragmentation for persistent (keep-alive) HTTP sessions
@@ -64,6 +87,7 @@ Active DPI is more tricky to fool. Currently the software uses 6 methods to circ
* Removing space between header name and value in `Host` header
* Adding additional space between HTTP Method (GET, POST etc) and URI
* Mixing case of Host header value
* Sending fake HTTP/HTTPS packets with low Time-To-Live value, incorrect checksum or incorrect TCP Sequence/Acknowledgement numbers to fool DPI and prevent delivering them to the destination
These methods should not break any website as they're fully compatible with TCP and HTTP standards, yet it's sufficient to prevent DPI data classification and to circumvent censorship. Additional space may break some websites, although it's acceptable by HTTP/1.1 specification (see 19.3 Tolerant Applications).
@@ -83,12 +107,24 @@ And for x86_64:
# How to install as Windows Service
Use `service_install_russia_blacklist.cmd`, `service_install_russia_blacklist_dnsredir.cmd` and `service_remove.cmd` scripts.
Check examples in `service_install_russia_blacklist.cmd`, `service_install_russia_blacklist_dnsredir.cmd` and `service_remove.cmd` scripts.
Modify them according to your own needs.
# Known issues
* Horribly outdated Windows 7 installations are not able to load WinDivert driver due to missing support for SHA256 digital signatures. Install KB3033929 [x86](https://www.microsoft.com/en-us/download/details.aspx?id=46078)/[x64](https://www.microsoft.com/en-us/download/details.aspx?id=46148), or better, update the whole system using Windows Update.
* ~~Some SSL/TLS stacks unable to process fragmented ClientHello packets, and HTTPS websites won't open. Bug: [#4](https://github.com/ValdikSS/GoodbyeDPI/issues/4), [#64](https://github.com/ValdikSS/GoodbyeDPI/issues/64).~~ Fragmentation issues are fixed in v0.1.7.
* ~~ESET Antivirus is incompatible with WinDivert driver [#91](https://github.com/ValdikSS/GoodbyeDPI/issues/91). This is most probably antivirus bug, not WinDivert.~~
# Similar projects
[zapret](https://github.com/bol-van/zapret) by @bol-van (for Linux).
- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for Linux).
- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows).
- **[DPITunnel](https://github.com/zhenyolka/DPITunnel)** by @zhenyolka (for Android).
- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux).
- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android).
# Kudos

11
src/Makefile
View File

@@ -9,21 +9,22 @@ MINGWLIB = /usr/x86_64-w64-mingw32/lib/
TARGET = goodbyedpi.exe
# Linking SSP does not work for some reason, the executable doesn't start.
#LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32
LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32 -l:libssp.a
CC = $(CPREFIX)gcc
CCWINDRES = $(CPREFIX)windres
CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
-O2 -D_FORTIFY_SOURCE=2 \
-Wall -Wextra -Wpedantic -Wformat=2 -Wshadow -Wstrict-aliasing=1 -Werror=format-security \
-O2 -D_FORTIFY_SOURCE=2 -fstack-protector \
-Wall -Wextra -Wpedantic -Wformat=2 -Wno-format-nonliteral -Wshadow -Wstrict-aliasing=1 -Werror=format-security \
-Wfloat-equal -Wcast-align -Wsign-conversion \
#-fstack-protector-strong
LDFLAGS = -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
LDFLAGS = -fstack-protector -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
-Wl,--image-base,0x140000000 -Wl,--disable-auto-image-base
ifdef BIT64
LDFLAGS += -Wl,--high-entropy-va -Wl,--pic-executable,-e,mainCRTStartup
else
LDFLAGS += -Wl,--pic-executable,-e,_mainCRTStartup
CFLAGS += -m32
LDFLAGS += -Wl,--pic-executable,-e,_mainCRTStartup -m32
endif
.PHONY: default all clean

12
src/blackwhitelist.c
View File

@@ -35,14 +35,11 @@ static int add_hostname(const char *host) {
if (!host)
return FALSE;
int host_len = strlen(host);
blackwhitelist_record_t *tmp_record = malloc(sizeof(blackwhitelist_record_t));
char *host_c = malloc(host_len + 1);
char *host_c = NULL;
if (!check_get_hostname(host)) {
strncpy(host_c, host, host_len);
host_c[host_len] = '\0';
host_c = strdup(host);
tmp_record->host = host_c;
HASH_ADD_KEYPTR(hh, blackwhitelist, tmp_record->host,
strlen(tmp_record->host), tmp_record);
@@ -51,7 +48,8 @@ static int add_hostname(const char *host) {
}
debug("Not added host %s\n", host);
free(tmp_record);
free(host_c);
if (host_c)
free(host_c);
return FALSE;
}
@@ -84,7 +82,7 @@ int blackwhitelist_load_list(const char *filename) {
return TRUE;
}
int blackwhitelist_check_hostname(const char *host_addr, int host_len) {
int blackwhitelist_check_hostname(const char *host_addr, size_t host_len) {
char current_host[HOST_MAXLEN + 1];
char *tokenized_host = NULL;

2
src/blackwhitelist.h
View File

@@ -1,2 +1,2 @@
int blackwhitelist_load_list(const char *filename);
int blackwhitelist_check_hostname(const char *host_addr, int host_len);
int blackwhitelist_check_hostname(const char *host_addr, size_t host_len);

8
src/dnsredir.c
View File

@@ -44,7 +44,7 @@ static time_t last_cleanup = 0;
static udp_connrecord_t *conntrack = NULL;
void flush_dns_cache() {
BOOL WINAPI (*DnsFlushResolverCache)();
long long int WINAPI (*DnsFlushResolverCache)();
HMODULE dnsapi = LoadLibrary("dnsapi.dll");
if (dnsapi == NULL)
@@ -53,7 +53,7 @@ void flush_dns_cache() {
exit(EXIT_FAILURE);
}
DnsFlushResolverCache = (void*)GetProcAddress(dnsapi, "DnsFlushResolverCache");
DnsFlushResolverCache = GetProcAddress(dnsapi, "DnsFlushResolverCache");
if (DnsFlushResolverCache == NULL || !DnsFlushResolverCache())
printf("Can't flush DNS cache!");
FreeLibrary(dnsapi);
@@ -89,7 +89,7 @@ inline static void fill_data_from_key(uint8_t *is_ipv6, uint32_t srcip[4], uint1
}
inline static void construct_key(const uint32_t srcip[4], const uint16_t srcport,
char *key, int is_ipv6)
char *key, const uint8_t is_ipv6)
{
debug("Construct key enter\n");
if (key) {
@@ -135,7 +135,7 @@ static int check_get_udp_conntrack_key(const char *key, udp_connrecord_t **connr
static int add_udp_conntrack(const uint32_t srcip[4], const uint16_t srcport,
const uint32_t dstip[4], const uint16_t dstport,
const int is_ipv6
const uint8_t is_ipv6
)
{
if (!(srcip && srcport && dstip && dstport))

3
src/dnsredir.h
View File

@@ -1,3 +1,5 @@
#ifndef _DNSREDIR_H
#define _DNSREDIR_H
#include <stdint.h>
typedef struct conntrack_info {
@@ -34,3 +36,4 @@ int dns_handle_outgoing(const uint32_t srcip[4], const uint16_t srcport,
void flush_dns_cache();
int dns_is_dns_packet(const char *packet_data, const UINT packet_dataLen, const int outgoing);
#endif

195
src/fakepackets.c Normal file
View File

@@ -0,0 +1,195 @@
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <unistd.h>
#include <in6addr.h>
#include <ws2tcpip.h>
#include "windivert.h"
#include "goodbyedpi.h"
static const unsigned char fake_http_request[] = "GET / HTTP/1.1\r\nHost: www.w3.org\r\n"
"User-Agent: curl/7.65.3\r\nAccept: */*\r\n"
"Accept-Encoding: deflate, gzip, br\r\n\r\n";
static const unsigned char fake_https_request[] = {
0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xfc, 0x03, 0x03, 0x9a, 0x8f, 0xa7, 0x6a, 0x5d,
0x57, 0xf3, 0x62, 0x19, 0xbe, 0x46, 0x82, 0x45, 0xe2, 0x59, 0x5c, 0xb4, 0x48, 0x31, 0x12, 0x15,
0x14, 0x79, 0x2c, 0xaa, 0xcd, 0xea, 0xda, 0xf0, 0xe1, 0xfd, 0xbb, 0x20, 0xf4, 0x83, 0x2a, 0x94,
0xf1, 0x48, 0x3b, 0x9d, 0xb6, 0x74, 0xba, 0x3c, 0x81, 0x63, 0xbc, 0x18, 0xcc, 0x14, 0x45, 0x57,
0x6c, 0x80, 0xf9, 0x25, 0xcf, 0x9c, 0x86, 0x60, 0x50, 0x31, 0x2e, 0xe9, 0x00, 0x22, 0x13, 0x01,
0x13, 0x03, 0x13, 0x02, 0xc0, 0x2b, 0xc0, 0x2f, 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x2c, 0xc0, 0x30,
0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f, 0x00, 0x35,
0x01, 0x00, 0x01, 0x91, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x0d, 0x00, 0x00, 0x0a, 0x77, 0x77, 0x77,
0x2e, 0x77, 0x33, 0x2e, 0x6f, 0x72, 0x67, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00,
0x00, 0x0a, 0x00, 0x0e, 0x00, 0x0c, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01, 0x00,
0x01, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10, 0x00, 0x0e,
0x00, 0x0c, 0x02, 0x68, 0x32, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x00, 0x05,
0x00, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00, 0x6b, 0x00, 0x69, 0x00, 0x1d, 0x00,
0x20, 0xb0, 0xe4, 0xda, 0x34, 0xb4, 0x29, 0x8d, 0xd3, 0x5c, 0x70, 0xd3, 0xbe, 0xe8, 0xa7, 0x2a,
0x6b, 0xe4, 0x11, 0x19, 0x8b, 0x18, 0x9d, 0x83, 0x9a, 0x49, 0x7c, 0x83, 0x7f, 0xa9, 0x03, 0x8c,
0x3c, 0x00, 0x17, 0x00, 0x41, 0x04, 0x4c, 0x04, 0xa4, 0x71, 0x4c, 0x49, 0x75, 0x55, 0xd1, 0x18,
0x1e, 0x22, 0x62, 0x19, 0x53, 0x00, 0xde, 0x74, 0x2f, 0xb3, 0xde, 0x13, 0x54, 0xe6, 0x78, 0x07,
0x94, 0x55, 0x0e, 0xb2, 0x6c, 0xb0, 0x03, 0xee, 0x79, 0xa9, 0x96, 0x1e, 0x0e, 0x98, 0x17, 0x78,
0x24, 0x44, 0x0c, 0x88, 0x80, 0x06, 0x8b, 0xd4, 0x80, 0xbf, 0x67, 0x7c, 0x37, 0x6a, 0x5b, 0x46,
0x4c, 0xa7, 0x98, 0x6f, 0xb9, 0x22, 0x00, 0x2b, 0x00, 0x09, 0x08, 0x03, 0x04, 0x03, 0x03, 0x03,
0x02, 0x03, 0x01, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08,
0x04, 0x08, 0x05, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x03, 0x02, 0x01, 0x00,
0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1c, 0x00, 0x02, 0x40, 0x01, 0x00, 0x15, 0x00, 0x96, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00
};
static int send_fake_data(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BOOL is_https,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
) {
char packet_fake[MAX_PACKET_SIZE];
WINDIVERT_ADDRESS addr_new;
PVOID packet_data;
UINT packet_dataLen;
UINT packetLen_new;
PWINDIVERT_IPHDR ppIpHdr;
PWINDIVERT_IPV6HDR ppIpV6Hdr;
PWINDIVERT_TCPHDR ppTcpHdr;
unsigned const char *fake_request_data = is_https ? fake_https_request : fake_http_request;
UINT fake_request_size = is_https ? sizeof(fake_https_request) : sizeof(fake_http_request) - 1;
memcpy(&addr_new, addr, sizeof(WINDIVERT_ADDRESS));
memcpy(packet_fake, pkt, packetLen);
addr_new.PseudoTCPChecksum = 0;
addr_new.PseudoIPChecksum = 0;
if (!is_ipv6) {
// IPv4 TCP Data packet
if (!WinDivertHelperParsePacket(packet_fake, packetLen, &ppIpHdr,
NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen))
return 1;
}
else {
// IPv6 TCP Data packet
if (!WinDivertHelperParsePacket(packet_fake, packetLen, NULL,
&ppIpV6Hdr, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen))
return 1;
}
if (packetLen + fake_request_size + 1 > MAX_PACKET_SIZE)
return 2;
memcpy(packet_data, fake_request_data, fake_request_size);
packetLen_new = packetLen - packet_dataLen + fake_request_size;
if (!is_ipv6) {
ppIpHdr->Length = htons(
ntohs(ppIpHdr->Length) -
packet_dataLen + fake_request_size
);
if (set_ttl)
ppIpHdr->TTL = set_ttl;
}
else {
ppIpV6Hdr->Length = htons(
ntohs(ppIpV6Hdr->Length) -
packet_dataLen + fake_request_size
);
if (set_ttl)
ppIpV6Hdr->HopLimit = set_ttl;
}
if (set_seq) {
// This is the smallest ACK drift Linux can't handle already, since at least v2.6.18.
// https://github.com/torvalds/linux/blob/v2.6.18/net/netfilter/nf_conntrack_proto_tcp.c#L395
ppTcpHdr->AckNum = htonl(ntohl(ppTcpHdr->AckNum) - 66000);
// This is just random, no specifics about this value.
ppTcpHdr->SeqNum = htonl(ntohl(ppTcpHdr->SeqNum) - 10000);
}
// Recalculate the checksum
WinDivertHelperCalcChecksums(packet_fake, packetLen_new, &addr_new, (UINT64)NULL);
if (set_checksum) {
// ...and damage it
ppTcpHdr->Checksum = htons(ntohs(ppTcpHdr->Checksum) - 1);
}
//printf("Pseudo checksum: %d\n", addr_new.PseudoTCPChecksum);
WinDivertSend(
w_filter, packet_fake,
packetLen_new,
&addr_new, NULL
);
debug("Fake packet: OK");
return 0;
}
static int send_fake_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BOOL is_https,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
) {
if (set_ttl) {
send_fake_data(w_filter, addr, pkt, packetLen,
is_ipv6, is_https,
set_ttl, FALSE, FALSE);
}
if (set_checksum) {
send_fake_data(w_filter, addr, pkt, packetLen,
is_ipv6, is_https,
FALSE, set_checksum, FALSE);
}
if (set_seq) {
send_fake_data(w_filter, addr, pkt, packetLen,
is_ipv6, is_https,
FALSE, FALSE, set_seq);
}
return 0;
}
int send_fake_http_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
) {
return send_fake_request(w_filter, addr, pkt, packetLen,
is_ipv6, FALSE,
set_ttl, set_checksum, set_seq);
}
int send_fake_https_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
) {
return send_fake_request(w_filter, addr, pkt, packetLen,
is_ipv6, TRUE,
set_ttl, set_checksum, set_seq);
}

18
src/fakepackets.h Normal file
View File

@@ -0,0 +1,18 @@
int send_fake_http_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
);
int send_fake_https_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
);

623
src/goodbyedpi.c
View File

@@ -16,15 +16,18 @@
#include "utils/repl_str.h"
#include "service.h"
#include "dnsredir.h"
#include "ttltrack.h"
#include "blackwhitelist.h"
#include "fakepackets.h"
// My mingw installation does not load inet_pton definition for some reason
WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pAddr);
#define GOODBYEDPI_VERSION "v0.1.8"
#define die() do { sleep(20); exit(EXIT_FAILURE); } while (0)
#define MAX_FILTERS 4
#define MAX_PACKET_SIZE 9016
#define DIVERT_NO_LOCALNETSv4_DST "(" \
"(ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and " \
@@ -59,7 +62,7 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
/* #IPID# is a template to find&replace */
#define IPID_TEMPLATE "#IPID#"
#define FILTER_STRING_TEMPLATE \
"(tcp and " \
"(tcp and !impostor and !loopback and " \
"((inbound and (" \
"(" \
"(" \
@@ -75,17 +78,14 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
"(" DIVERT_NO_LOCALNETSv4_DST " or " DIVERT_NO_LOCALNETSv6_DST "))" \
"))"
#define FILTER_PASSIVE_STRING_TEMPLATE "inbound and ip and tcp and " \
"!impostor and !loopback and " \
"((ip.Id <= 0xF and ip.Id >= 0x0) " IPID_TEMPLATE ") and " \
"(tcp.SrcPort == 443 or tcp.SrcPort == 80) and tcp.Rst and " \
DIVERT_NO_LOCALNETSv4_SRC
#define SET_HTTP_FRAGMENT_SIZE_OPTION(fragment_size) do { \
if (!http_fragment_size) { \
if (fragment_size <= 0 || fragment_size > 65535) { \
puts("Fragment size should be in range [0 - 65535]\n"); \
exit(EXIT_FAILURE); \
} \
http_fragment_size = fragment_size; \
http_fragment_size = (unsigned int)fragment_size; \
} \
else if (http_fragment_size != (unsigned int)fragment_size) { \
printf( \
@@ -95,16 +95,33 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
} \
} while (0)
#define TCP_HANDLE_OUTGOING_ADJUST_TTL() do { \
if ((packet_v4 && tcp_handle_outgoing(&ppIpHdr->SrcAddr, &ppIpHdr->DstAddr, \
ppTcpHdr->SrcPort, ppTcpHdr->DstPort, \
&tcp_conn_info, 0)) \
|| \
(packet_v6 && tcp_handle_outgoing(ppIpV6Hdr->SrcAddr, ppIpV6Hdr->DstAddr, \
ppTcpHdr->SrcPort, ppTcpHdr->DstPort, \
&tcp_conn_info, 1))) \
{ \
ttl_of_fake_packet = tcp_get_auto_ttl(tcp_conn_info.ttl, do_auto_ttl); \
if (do_tcp_verb) { \
printf("Connection TTL = %d, Fake TTL = %d\n", tcp_conn_info.ttl, ttl_of_fake_packet); \
} \
} \
} while (0)
static int running_from_service = 0;
static int exiting = 0;
static HANDLE filters[MAX_FILTERS];
static int filter_num = 0;
static const char *http10_redirect_302 = "HTTP/1.0 302 ";
static const char *http11_redirect_302 = "HTTP/1.1 302 ";
static const char *http_host_find = "\r\nHost: ";
static const char *http_host_replace = "\r\nhoSt: ";
static const char *http_useragent_find = "\r\nUser-Agent: ";
static const char *location_http = "\r\nLocation: http://";
static const char *connection_close = "\r\nConnection: close";
static const char http10_redirect_302[] = "HTTP/1.0 302 ";
static const char http11_redirect_302[] = "HTTP/1.1 302 ";
static const char http_host_find[] = "\r\nHost: ";
static const char http_host_replace[] = "\r\nhoSt: ";
static const char http_useragent_find[] = "\r\nUser-Agent: ";
static const char location_http[] = "\r\nLocation: http://";
static const char connection_close[] = "\r\nConnection: close";
static const char *http_methods[] = {
"GET ",
"HEAD ",
@@ -124,6 +141,12 @@ static struct option long_options[] = {
{"dns-verb", no_argument, 0, 'v' },
{"blacklist", required_argument, 0, 'b' },
{"ip-id", required_argument, 0, 'i' },
{"set-ttl", required_argument, 0, '$' },
{"auto-ttl", optional_argument, 0, '+' },
{"wrong-chksum",no_argument, 0, '%' },
{"wrong-seq", no_argument, 0, ')' },
{"native-frag", no_argument, 0, '*' },
{"reverse-frag",no_argument, 0, '(' },
{0, 0, 0, 0 }
};
@@ -131,19 +154,21 @@ static char *filter_string = NULL;
static char *filter_passive_string = NULL;
static void add_filter_str(int proto, int port) {
const char *udp = " or (udp and (udp.SrcPort == %d or udp.DstPort == %d))";
const char *tcp = " or (tcp and (tcp.SrcPort == %d or tcp.DstPort == %d))";
const char *udp = " or (udp and !impostor and !loopback and " \
"(udp.SrcPort == %d or udp.DstPort == %d))";
const char *tcp = " or (tcp and !impostor and !loopback and " \
"(tcp.SrcPort == %d or tcp.DstPort == %d))";
char *current_filter = filter_string;
int new_filter_size = strlen(current_filter) +
size_t new_filter_size = strlen(current_filter) +
(proto == IPPROTO_UDP ? strlen(udp) : strlen(tcp)) + 16;
char *new_filter = malloc(new_filter_size);
strcpy(new_filter, current_filter);
if (proto == IPPROTO_UDP)
sprintf(&(new_filter[strlen(new_filter)]), udp, port, port);
sprintf(new_filter + strlen(new_filter), udp, port, port);
else
sprintf(&(new_filter[strlen(new_filter)]), tcp, port, port);
sprintf(new_filter + strlen(new_filter), tcp, port, port);
filter_string = new_filter;
free(current_filter);
@@ -177,10 +202,12 @@ static void finalize_filter_strings() {
filter_passive_string = newstr;
}
static char* dumb_memmem(const char* haystack, int hlen, const char* needle, int nlen) {
static char* dumb_memmem(const char* haystack, unsigned int hlen,
const char* needle, size_t nlen)
{
// naive implementation
if (nlen > hlen) return NULL;
int i;
size_t i;
for (i=0; i<hlen-nlen+1; i++) {
if (memcmp(haystack+i,needle,nlen)==0) {
return (char*)(haystack+i);
@@ -189,6 +216,33 @@ static char* dumb_memmem(const char* haystack, int hlen, const char* needle, int
return NULL;
}
unsigned short int atousi(const char *str, const char *msg) {
long unsigned int res = strtoul(str, NULL, 10u);
enum {
limitValue=0xFFFFu
};
if(res > limitValue) {
puts(msg);
exit(EXIT_FAILURE);
}
return (unsigned short int)res;
}
BYTE atoub(const char *str, const char *msg) {
long unsigned int res = strtoul(str, NULL, 10u);
enum {
limitValue=0xFFu
};
if(res > limitValue) {
puts(msg);
exit(EXIT_FAILURE);
}
return (BYTE)res;
}
static HANDLE init(char *filter, UINT64 flags) {
LPTSTR errormessage = NULL;
DWORD errorcode = 0;
@@ -230,43 +284,44 @@ void deinit_all() {
}
static void sigint_handler(int sig __attribute__((unused))) {
exiting = 1;
deinit_all();
exit(EXIT_SUCCESS);
}
static void mix_case(char *pktdata, int pktlen) {
int i;
static void mix_case(char *pktdata, unsigned int pktlen) {
unsigned int i;
if (pktlen <= 0) return;
for (i = 0; i < pktlen; i++) {
if (i % 2) {
pktdata[i] = toupper(pktdata[i]);
pktdata[i] = (char) toupper(pktdata[i]);
}
}
}
static int is_passivedpi_redirect(const char *pktdata, int pktlen) {
static int is_passivedpi_redirect(const char *pktdata, unsigned int pktlen) {
/* First check if this is HTTP 302 redirect */
if (memcmp(pktdata, http11_redirect_302, strlen(http11_redirect_302)) == 0 ||
memcmp(pktdata, http10_redirect_302, strlen(http10_redirect_302)) == 0)
if (memcmp(pktdata, http11_redirect_302, sizeof(http11_redirect_302)-1) == 0 ||
memcmp(pktdata, http10_redirect_302, sizeof(http10_redirect_302)-1) == 0)
{
/* Then check if this is a redirect to new http site with Connection: close */
if (dumb_memmem(pktdata, pktlen, location_http, strlen(location_http)) &&
dumb_memmem(pktdata, pktlen, connection_close, strlen(connection_close))) {
if (dumb_memmem(pktdata, pktlen, location_http, sizeof(location_http)-1) &&
dumb_memmem(pktdata, pktlen, connection_close, sizeof(connection_close)-1)) {
return TRUE;
}
}
return FALSE;
}
static int find_header_and_get_info(const char *pktdata, int pktlen,
static int find_header_and_get_info(const char *pktdata, unsigned int pktlen,
const char *hdrname,
char **hdrnameaddr,
char **hdrvalueaddr, int *hdrvaluelen) {
char **hdrvalueaddr, unsigned int *hdrvaluelen) {
char *data_addr_rn;
char *hdr_begin;
*hdrvaluelen = 0;
*hdrvaluelen = 0u;
*hdrnameaddr = NULL;
*hdrvalueaddr = NULL;
@@ -274,32 +329,78 @@ static int find_header_and_get_info(const char *pktdata, int pktlen,
hdr_begin = dumb_memmem(pktdata, pktlen,
hdrname, strlen(hdrname));
if (!hdr_begin) return FALSE;
if ((PVOID)pktdata > (PVOID)hdr_begin) return FALSE;
if (pktdata > hdr_begin) return FALSE;
/* Set header address */
*hdrnameaddr = hdr_begin;
*hdrvalueaddr = (PVOID)hdr_begin + strlen(hdrname);
*hdrvalueaddr = hdr_begin + strlen(hdrname);
/* Search for header end (\r\n) */
data_addr_rn = dumb_memmem(*hdrvalueaddr,
pktlen - ((PVOID)*hdrvalueaddr - (PVOID)pktdata),
pktlen - (*hdrvalueaddr - pktdata),
"\r\n", 2);
if (data_addr_rn) {
*hdrvaluelen = (PVOID)data_addr_rn - (PVOID)*hdrvalueaddr;
if (*hdrvaluelen > 0 && *hdrvaluelen <= 512)
*hdrvaluelen = data_addr_rn - *hdrvalueaddr;
if (*hdrvaluelen > 0u && *hdrvaluelen <= 512u)
return TRUE;
}
return FALSE;
}
static inline void change_window_size(const PWINDIVERT_TCPHDR ppTcpHdr, int size) {
if (size >= 1 && size <= 65535) {
ppTcpHdr->Window = htons(size);
/**
* Very crude Server Name Indication (TLS ClientHello hostname) extractor.
*/
static int extract_sni(const char *pktdata, unsigned int pktlen,
char **hostnameaddr, unsigned int *hostnamelen) {
uint32_t ptr = 0;
unsigned char *d = (unsigned char*)pktdata;
unsigned char *hnaddr = 0;
unsigned int hnlen = 0;
while (ptr + 8 < pktlen) {
/* Search for specific Extensions sequence */
if (d[ptr] == '\0' && d[ptr+1] == '\0' && d[ptr+2] == '\0' &&
d[ptr+4] == '\0' && d[ptr+6] == '\0' && d[ptr+7] == '\0' &&
/* Check Extension length, Server Name list length
* and Server Name length relations
*/
d[ptr+3] - d[ptr+5] == 2 && d[ptr+5] - d[ptr+8] == 3)
{
if (ptr + 8 + d[ptr+8] > pktlen) {
return FALSE;
}
hnaddr = &d[ptr+9];
hnlen = d[ptr+8];
/* Limit hostname size up to 254 bytes */
if (hnlen < 2 || hnlen > 254) {
return FALSE;
}
/* Validate that hostname has only ascii lowercase characters */
for (unsigned int i=0; i<hnlen; i++) {
if (!( (hnaddr[i] >= '1' && hnaddr[i] <= '9') ||
(hnaddr[i] >= 'a' && hnaddr[i] <= 'z') ||
hnaddr[i] == '.'))
{
return FALSE;
}
}
*hostnameaddr = (char*)hnaddr;
*hostnamelen = hnlen;
return TRUE;
}
ptr++;
}
return FALSE;
}
static inline void change_window_size(const PWINDIVERT_TCPHDR ppTcpHdr, unsigned int size) {
if (size >= 1 && size <= 0xFFFFu) {
ppTcpHdr->Window = htons((u_short)size);
}
}
/* HTTP method end without trailing space */
static PVOID find_http_method_end(const char *pkt, int http_frag, int *is_fragmented) {
static PVOID find_http_method_end(const char *pkt, unsigned int http_frag, int *is_fragmented) {
unsigned int i;
for (i = 0; i<(sizeof(http_methods) / sizeof(*http_methods)); i++) {
if (memcmp(pkt, http_methods[i], strlen(http_methods[i])) == 0) {
@@ -321,6 +422,72 @@ static PVOID find_http_method_end(const char *pkt, int http_frag, int *is_fragme
return NULL;
}
/** Fragment and send the packet.
*
* This function cuts off the end of the packet (step=0) or
* the beginning of the packet (step=1) with fragment_size bytes.
*/
static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
char *packet, UINT packetLen, PVOID packet_data,
UINT packet_dataLen, int packet_v4, int packet_v6,
PWINDIVERT_IPHDR ppIpHdr, PWINDIVERT_IPV6HDR ppIpV6Hdr,
PWINDIVERT_TCPHDR ppTcpHdr,
unsigned int fragment_size, int step) {
char packet_bak[MAX_PACKET_SIZE];
memcpy(&packet_bak, packet, packetLen);
UINT orig_packetLen = packetLen;
if (step == 0) {
if (packet_v4)
ppIpHdr->Length = htons(
ntohs(ppIpHdr->Length) -
packet_dataLen + fragment_size
);
else if (packet_v6)
ppIpV6Hdr->Length = htons(
ntohs(ppIpV6Hdr->Length) -
packet_dataLen + fragment_size
);
//printf("step0 (%d:%d), pp:%d, was:%d, now:%d\n",
// packet_v4, packet_v6, ntohs(ppIpHdr->Length),
// packetLen, packetLen - packet_dataLen + fragment_size);
packetLen = packetLen - packet_dataLen + fragment_size;
}
else if (step == 1) {
if (packet_v4)
ppIpHdr->Length = htons(
ntohs(ppIpHdr->Length) - fragment_size
);
else if (packet_v6)
ppIpV6Hdr->Length = htons(
ntohs(ppIpV6Hdr->Length) - fragment_size
);
//printf("step1 (%d:%d), pp:%d, was:%d, now:%d\n", packet_v4, packet_v6, ntohs(ppIpHdr->Length),
// packetLen, packetLen - fragment_size);
memmove(packet_data,
(char*)packet_data + fragment_size,
packet_dataLen - fragment_size);
packetLen -= fragment_size;
ppTcpHdr->SeqNum = htonl(ntohl(ppTcpHdr->SeqNum) + fragment_size);
}
addr.PseudoIPChecksum = 0;
addr.PseudoTCPChecksum = 0;
WinDivertHelperCalcChecksums(
packet, packetLen, &addr, 0
);
WinDivertSend(
w_filter, packet,
packetLen,
&addr, NULL
);
memcpy(packet, &packet_bak, orig_packetLen);
//printf("Sent native fragment of %d size (step%d)\n", packetLen, step);
}
int main(int argc, char *argv[]) {
static enum packet_type_e {
unknown,
@@ -341,6 +508,7 @@ int main(int argc, char *argv[]) {
PWINDIVERT_TCPHDR ppTcpHdr;
PWINDIVERT_UDPHDR ppUdpHdr;
conntrack_info_t dns_conn_info;
tcp_conntrack_info_t tcp_conn_info;
int do_passivedpi = 0, do_fragment_http = 0,
do_fragment_http_persistent = 0,
@@ -350,20 +518,27 @@ int main(int argc, char *argv[]) {
do_http_allports = 0,
do_host_mixedcase = 0,
do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
do_dns_verb = 0, do_blacklist = 0;
do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0,
do_fake_packet = 0,
do_auto_ttl = 0,
do_wrong_chksum = 0,
do_wrong_seq = 0,
do_native_frag = 0, do_reverse_frag = 0;
unsigned int http_fragment_size = 0;
unsigned int https_fragment_size = 0;
unsigned int current_fragment_size = 0;
BYTE ttl_of_fake_packet = 0;
uint32_t dnsv4_addr = 0;
struct in6_addr dnsv6_addr = {0};
struct in6_addr dns_temp_addr = {0};
uint16_t dnsv4_port = htons(53);
uint16_t dnsv6_port = htons(53);
char *host_addr, *useragent_addr, *method_addr;
int host_len, useragent_len;
unsigned int host_len, useragent_len;
int http_req_fragmented;
char *hdr_name_addr = NULL, *hdr_value_addr = NULL;
int hdr_value_len;
unsigned int hdr_value_len;
// Make sure to search DLLs only in safe path, not in current working dir.
SetDllDirectory("");
@@ -393,20 +568,22 @@ int main(int argc, char *argv[]) {
filter_passive_string = strdup(FILTER_PASSIVE_STRING_TEMPLATE);
printf(
"GoodbyeDPI: Passive DPI blocker and Active DPI circumvention utility\n"
"GoodbyeDPI " GOODBYEDPI_VERSION
": Passive DPI blocker and Active DPI circumvention utility\n"
"https://github.com/ValdikSS/GoodbyeDPI\n\n"
);
if (argc == 1) {
/* enable mode -1 by default */
/* enable mode -5 by default */
do_fragment_http = do_fragment_https = 1;
do_reverse_frag = do_native_frag = 1;
http_fragment_size = https_fragment_size = 2;
do_passivedpi = do_host = do_host_removespace \
= do_fragment_http = do_fragment_https \
= do_fragment_http_persistent \
= do_fragment_http_persistent_nowait = 1;
do_fragment_http_persistent = do_fragment_http_persistent_nowait = 1;
do_fake_packet = 1;
do_auto_ttl = 4;
}
while ((opt = getopt_long(argc, argv, "1234prsaf:e:mwk:n", long_options, NULL)) != -1) {
while ((opt = getopt_long(argc, argv, "123456prsaf:e:mwk:n", long_options, NULL)) != -1) {
switch (opt) {
case '1':
do_passivedpi = do_host = do_host_removespace \
@@ -419,16 +596,32 @@ int main(int argc, char *argv[]) {
= do_fragment_http = do_fragment_https \
= do_fragment_http_persistent \
= do_fragment_http_persistent_nowait = 1;
https_fragment_size = 40;
https_fragment_size = 40u;
break;
case '3':
do_passivedpi = do_host = do_host_removespace \
= do_fragment_https = 1;
https_fragment_size = 40;
https_fragment_size = 40u;
break;
case '4':
do_passivedpi = do_host = do_host_removespace = 1;
break;
case '5':
do_fragment_http = do_fragment_https = 1;
do_reverse_frag = do_native_frag = 1;
http_fragment_size = https_fragment_size = 2;
do_fragment_http_persistent = do_fragment_http_persistent_nowait = 1;
do_fake_packet = 1;
do_auto_ttl = 4;
break;
case '6':
do_fragment_http = do_fragment_https = 1;
do_reverse_frag = do_native_frag = 1;
http_fragment_size = https_fragment_size = 2;
do_fragment_http_persistent = do_fragment_http_persistent_nowait = 1;
do_fake_packet = 1;
do_wrong_seq = 1;
break;
case 'p':
do_passivedpi = 1;
break;
@@ -447,22 +640,21 @@ int main(int argc, char *argv[]) {
break;
case 'f':
do_fragment_http = 1;
SET_HTTP_FRAGMENT_SIZE_OPTION(atoi(optarg));
SET_HTTP_FRAGMENT_SIZE_OPTION(atousi(optarg, "Fragment size should be in range [0 - 0xFFFF]\n"));
break;
case 'k':
do_fragment_http_persistent = 1;
SET_HTTP_FRAGMENT_SIZE_OPTION(atoi(optarg));
do_native_frag = 1;
SET_HTTP_FRAGMENT_SIZE_OPTION(atousi(optarg, "Fragment size should be in range [0 - 0xFFFF]\n"));
break;
case 'n':
do_fragment_http_persistent = 1;
do_fragment_http_persistent_nowait = 1;
do_native_frag = 1;
break;
case 'e':
do_fragment_https = 1;
https_fragment_size = atoi(optarg);
if (https_fragment_size <= 0 || https_fragment_size > 65535) {
puts("Fragment size should be in range [0 - 65535]\n");
exit(EXIT_FAILURE);
}
https_fragment_size = atousi(optarg, "Fragment size should be in range [0 - 65535]\n");
break;
case 'w':
do_http_allports = 1;
@@ -480,11 +672,7 @@ int main(int argc, char *argv[]) {
break;
case 'i':
/* i is used as a temporary variable here */
i = atoi(optarg);
if (i < 0 || i > 65535) {
printf("IP ID parameter error!\n");
exit(EXIT_FAILURE);
}
i = atousi(optarg, "IP ID parameter error!\n");
add_ip_id_str(i);
i = 0;
break;
@@ -527,11 +715,7 @@ int main(int argc, char *argv[]) {
"--dns-port");
exit(EXIT_FAILURE);
}
dnsv4_port = atoi(optarg);
if (atoi(optarg) <= 0 || atoi(optarg) > 65535) {
puts("DNS port parameter error!");
exit(EXIT_FAILURE);
}
dnsv4_port = atousi(optarg, "DNS port parameter error!");
if (dnsv4_port != 53) {
add_filter_str(IPPROTO_UDP, dnsv4_port);
}
@@ -544,11 +728,7 @@ int main(int argc, char *argv[]) {
"--dnsv6-port");
exit(EXIT_FAILURE);
}
dnsv6_port = atoi(optarg);
if (atoi(optarg) <= 0 || atoi(optarg) > 65535) {
puts("DNS port parameter error!");
exit(EXIT_FAILURE);
}
dnsv6_port = atousi(optarg, "DNS port parameter error!");
if (dnsv6_port != 53) {
add_filter_str(IPPROTO_UDP, dnsv6_port);
}
@@ -556,6 +736,7 @@ int main(int argc, char *argv[]) {
break;
case 'v':
do_dns_verb = 1;
do_tcp_verb = 1;
break;
case 'b':
do_blacklist = 1;
@@ -564,6 +745,38 @@ int main(int argc, char *argv[]) {
exit(EXIT_FAILURE);
}
break;
case '$':
do_fake_packet = 1;
ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!");
break;
case '+':
do_fake_packet = 1;
do_auto_ttl = 4;
if (optarg) {
do_auto_ttl = atoub(optarg, "Set Auto TTL parameter error!");
} else if (argv[optind] && argv[optind][0] != '-') {
do_auto_ttl = atoub(argv[optind], "Set Auto TTL parameter error!");
}
break;
case '%':
do_fake_packet = 1;
do_wrong_chksum = 1;
break;
case ')':
do_fake_packet = 1;
do_wrong_seq = 1;
break;
case '*':
do_native_frag = 1;
do_fragment_http_persistent = 1;
do_fragment_http_persistent_nowait = 1;
break;
case '(':
do_reverse_frag = 1;
do_native_frag = 1;
do_fragment_http_persistent = 1;
do_fragment_http_persistent_nowait = 1;
break;
default:
puts("Usage: goodbyedpi.exe [OPTION...]\n"
" -p block passive DPI\n"
@@ -571,25 +784,46 @@ int main(int argc, char *argv[]) {
" -s remove space between host header and its value\n"
" -a additional space between Method and Request-URI (enables -s, may break sites)\n"
" -m mix Host header case (test.com -> tEsT.cOm)\n"
" -f [value] set HTTP fragmentation to value\n"
" -k [value] enable HTTP persistent (keep-alive) fragmentation and set it to value\n"
" -f <value> set HTTP fragmentation to value\n"
" -k <value> enable HTTP persistent (keep-alive) fragmentation and set it to value\n"
" -n do not wait for first segment ACK when -k is enabled\n"
" -e [value] set HTTPS fragmentation to value\n"
" -e <value> set HTTPS fragmentation to value\n"
" -w try to find and parse HTTP traffic on all processed ports (not only on port 80)\n"
" --port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n"
" --ip-id [value] handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).\n"
" --dns-addr [value] redirect UDPv4 DNS requests to the supplied IPv4 address (experimental)\n"
" --dns-port [value] redirect UDPv4 DNS requests to the supplied port (53 by default)\n"
" --dnsv6-addr [value] redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)\n"
" --dnsv6-port [value] redirect UDPv6 DNS requests to the supplied port (53 by default)\n"
" --port <value> additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n"
" --ip-id <value> handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).\n"
" --dns-addr <value> redirect UDPv4 DNS requests to the supplied IPv4 address (experimental)\n"
" --dns-port <value> redirect UDPv4 DNS requests to the supplied port (53 by default)\n"
" --dnsv6-addr <value> redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)\n"
" --dnsv6-port <value> redirect UDPv6 DNS requests to the supplied port (53 by default)\n"
" --dns-verb print verbose DNS redirection messages\n"
" --blacklist [txtfile] perform HTTP tricks only to host names and subdomains from\n"
" supplied text file. This option can be supplied multiple times.\n"
" --blacklist <txtfile> perform circumvention tricks only to host names and subdomains from\n"
" supplied text file (HTTP Host/TLS SNI).\n"
" This option can be supplied multiple times.\n"
" --set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.\n"
" DANGEROUS! May break websites in unexpected ways. Use with care.\n"
" --auto-ttl [decttl] activate Fake Request Mode, automatically detect TTL and decrease\n"
" it from standard 64 or 128 by decttl (128/64 - TTL - 4 by default).\n"
" --wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.\n"
" May not work in a VM or with some routers, but is safer than set-ttl.\n"
" Could be combined with --set-ttl\n"
" --wrong-seq activate Fake Request Mode and send it with TCP SEQ/ACK in the past.\n"
" --native-frag fragment (split) the packets by sending them in smaller packets, without\n"
" shrinking the Window Size. Works faster (does not slow down the connection)\n"
" and better.\n"
" --reverse-frag fragment (split) the packets just as --native-frag, but send them in the\n"
" reversed order. Works with the websites which could not handle segmented\n"
" HTTPS TLS ClientHello (because they receive the TCP flow \"combined\").\n"
"\n"
" -1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode, default)\n"
"\n"
"LEGACY modesets:\n"
" -1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode)\n"
" -2 -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)\n"
" -3 -p -r -s -e 40 (better speed for HTTP and HTTPS)\n"
" -4 -p -r -s (best speed)");
" -4 -p -r -s (best speed)"
"\n"
"Modern modesets (more stable, more compatible, faster):\n"
" -5 -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)\n"
" -6 -f 2 -e 2 --wrong-seq --reverse-frag\n");
exit(EXIT_FAILURE);
}
}
@@ -599,20 +833,25 @@ int main(int argc, char *argv[]) {
if (!https_fragment_size)
https_fragment_size = 2;
printf("Block passive: %d, Fragment HTTP: %d, Fragment persistent HTTP: %d, "
"Fragment HTTPS: %d, "
"hoSt: %d, Host no space: %d, Additional space: %d, Mix Host: %d, "
"HTTP AllPorts: %d, HTTP Persistent Nowait: %d, DNS redirect: %d, "
"DNSv6 redirect: %d\n",
printf("Block passive: %d\nFragment HTTP: %d\nFragment persistent HTTP: %d\n"
"Fragment HTTPS: %d\nNative fragmentation (splitting): %d\n"
"Fragments sending in reverse: %d\n"
"hoSt: %d\nHost no space: %d\nAdditional space: %d\n"
"Mix Host: %d\nHTTP AllPorts: %d\nHTTP Persistent Nowait: %d\n"
"DNS redirect: %d\nDNSv6 redirect: %d\n"
"Fake requests, TTL: %hu (auto: %hu)\nFake requests, wrong checksum: %d\n"
"Fake requests, wrong SEQ/ACK: %d\n",
do_passivedpi, (do_fragment_http ? http_fragment_size : 0),
(do_fragment_http_persistent ? http_fragment_size : 0),
(do_fragment_https ? https_fragment_size : 0),
do_native_frag, do_reverse_frag,
do_host, do_host_removespace, do_additional_space, do_host_mixedcase,
do_http_allports, do_fragment_http_persistent_nowait, do_dnsv4_redirect,
do_dnsv6_redirect
do_dnsv6_redirect, ttl_of_fake_packet, do_auto_ttl,
do_wrong_chksum, do_wrong_seq
);
if (do_fragment_http && http_fragment_size > 2) {
if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) {
printf("WARNING: HTTP fragmentation values > 2 are not fully compatible "
"with other options. Please use values <= 2 or disable HTTP fragmentation "
"completely.\n");
@@ -723,15 +962,54 @@ int main(int argc, char *argv[]) {
}
}
}
/* Handle OUTBOUND packet on port 443, search for something that resembles
* TLS handshake, send fake request.
*/
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
((do_fragment_https ? packet_dataLen == https_fragment_size : 0) ||
packet_dataLen > 16) &&
ppTcpHdr->DstPort != htons(80) &&
(do_fake_packet || do_native_frag)
)
{
if (packet_dataLen >=2 && memcmp(packet_data, "\x16\x03", 2) == 0) {
if (do_blacklist
? (extract_sni(packet_data, packet_dataLen,
&host_addr, &host_len) &&
blackwhitelist_check_hostname(host_addr, host_len))
: 1)
{
#ifdef DEBUG
unsigned char lsni[256] = {0};
extract_sni(packet_data, packet_dataLen,
&host_addr, &host_len);
memcpy(&lsni, host_addr, host_len);
printf("Blocked HTTPS website SNI: %s\n", lsni);
#endif
if (do_fake_packet) {
if (do_auto_ttl) {
TCP_HANDLE_OUTGOING_ADJUST_TTL();
}
send_fake_https_request(w_filter, &addr, packet, packetLen, packet_v6,
ttl_of_fake_packet, do_wrong_chksum, do_wrong_seq);
}
if (do_native_frag) {
// Signal for native fragmentation code handler
should_recalc_checksum = 1;
}
}
}
}
/* Handle OUTBOUND packet on port 80, search for Host header */
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
packet_dataLen > 16 &&
(do_http_allports ? 1 : (ppTcpHdr->DstPort == htons(80))) &&
find_http_method_end(packet_data,
(do_fragment_http ? http_fragment_size : 0),
(do_fragment_http ? http_fragment_size : 0u),
&http_req_fragmented) &&
(do_host || do_host_removespace ||
do_host_mixedcase || do_fragment_http_persistent))
do_host_mixedcase || do_fragment_http_persistent ||
do_fake_packet))
{
/* Find Host header */
@@ -742,68 +1020,23 @@ int main(int argc, char *argv[]) {
{
host_addr = hdr_value_addr;
host_len = hdr_value_len;
#ifdef DEBUG
unsigned char lhost[256] = {0};
memcpy(&lhost, host_addr, host_len);
printf("Blocked HTTP website Host: %s\n", lhost);
#endif
/*
* Handle new HTTP request in new
* connection (when Window Size modification disabled)
* or already established connection (keep-alive).
* We split HTTP request into two packets: one of http_fragment_size length
* and another of original_size - http_fragment_size length.
*
* The second packet of a splitted part is not really needed to be sent
* as Windows understand that is hasn't been sent by checking
* ack number of received packet and retransmitting missing part again,
* but it's better to send it anyway since it eliminates one RTT.
*/
if (do_fragment_http_persistent && !http_req_fragmented &&
(packet_dataLen > http_fragment_size))
{
if (packet_v4)
ppIpHdr->Length = htons(
ntohs(ppIpHdr->Length) -
packet_dataLen + http_fragment_size
);
else if (packet_v6)
ppIpV6Hdr->Length = htons(
ntohs(ppIpV6Hdr->Length) -
packet_dataLen + http_fragment_size
);
if (do_native_frag) {
// Signal for native fragmentation code handler
should_recalc_checksum = 1;
}
WinDivertHelperCalcChecksums(
packet, packetLen - packet_dataLen + http_fragment_size, &addr, 0
);
WinDivertSend(
w_filter, packet,
packetLen - packet_dataLen + http_fragment_size,
&addr, NULL
);
if (do_fragment_http_persistent_nowait) {
if (packet_v4)
ppIpHdr->Length = htons(
ntohs(ppIpHdr->Length) -
http_fragment_size + packet_dataLen - http_fragment_size
);
else if (packet_v6)
ppIpV6Hdr->Length = htons(
ntohs(ppIpV6Hdr->Length) -
http_fragment_size + packet_dataLen - http_fragment_size
);
memmove(packet_data,
packet_data + http_fragment_size,
packet_dataLen);
packet_dataLen -= http_fragment_size;
packetLen -= http_fragment_size;
hdr_value_addr -= http_fragment_size;
hdr_name_addr -= http_fragment_size;
host_addr = hdr_value_addr;
ppTcpHdr->SeqNum = htonl(ntohl(ppTcpHdr->SeqNum) + http_fragment_size);
should_recalc_checksum = 1;
}
else {
continue;
if (do_fake_packet) {
if (do_auto_ttl) {
TCP_HANDLE_OUTGOING_ADJUST_TTL();
}
send_fake_http_request(w_filter, &addr, packet, packetLen, packet_v6,
ttl_of_fake_packet, do_wrong_chksum, do_wrong_seq);
}
if (do_host_mixedcase) {
@@ -828,7 +1061,7 @@ int main(int argc, char *argv[]) {
if (method_addr) {
memmove(method_addr + 1, method_addr,
(PVOID)host_addr - (PVOID)method_addr - 1);
(size_t)(host_addr - method_addr - 1));
should_recalc_checksum = 1;
}
}
@@ -856,10 +1089,10 @@ int main(int argc, char *argv[]) {
* to the end of User-Agent
*/
memmove(host_addr - 1, host_addr,
(PVOID)useragent_addr + useragent_len - (PVOID)host_addr);
(size_t)(useragent_addr + useragent_len - host_addr));
host_addr -= 1;
/* Put space in the end of User-Agent header */
*(char*)((PVOID)useragent_addr + useragent_len - 1) = ' ';
*(char*)((uint8_t*)useragent_addr + useragent_len - 1) = ' ';
should_recalc_checksum = 1;
//printf("Replaced Host header!\n");
}
@@ -869,11 +1102,11 @@ int main(int argc, char *argv[]) {
/* Move one byte to the RIGHT from the end of User-Agent
* to the "Host:"
*/
memmove((PVOID)useragent_addr + useragent_len + 1,
(PVOID)useragent_addr + useragent_len,
(PVOID)host_addr - 1 - ((PVOID)useragent_addr + useragent_len));
memmove(useragent_addr + useragent_len + 1,
useragent_addr + useragent_len,
(size_t)(host_addr - 1 - (useragent_addr + useragent_len)));
/* Put space in the end of User-Agent header */
*(char*)((PVOID)useragent_addr + useragent_len) = ' ';
*(char*)((uint8_t*)useragent_addr + useragent_len) = ' ';
should_recalc_checksum = 1;
//printf("Replaced Host header!\n");
}
@@ -882,6 +1115,35 @@ int main(int argc, char *argv[]) {
} /* else if (do_host_removespace) */
} /* if (find_header_and_get_info http_host) */
} /* Handle OUTBOUND packet with data */
/*
* should_recalc_checksum mean we have detected a packet to handle and
* modified it in some way.
* Handle native fragmentation here, incl. sending the packet.
*/
if (should_reinject && should_recalc_checksum && do_native_frag)
{
current_fragment_size = 0;
if (do_fragment_http && ppTcpHdr->DstPort == htons(80)) {
current_fragment_size = http_fragment_size;
}
else if (do_fragment_https && ppTcpHdr->DstPort != htons(80)) {
current_fragment_size = https_fragment_size;
}
if (current_fragment_size) {
send_native_fragment(w_filter, addr, packet, packetLen, packet_data,
packet_dataLen,packet_v4, packet_v6,
ppIpHdr, ppIpV6Hdr, ppTcpHdr,
current_fragment_size, do_reverse_frag);
send_native_fragment(w_filter, addr, packet, packetLen, packet_data,
packet_dataLen,packet_v4, packet_v6,
ppIpHdr, ppIpV6Hdr, ppTcpHdr,
current_fragment_size, !do_reverse_frag);
continue;
}
}
} /* Handle TCP packet with data */
/* Else if we got TCP packet without data */
@@ -894,13 +1156,31 @@ int main(int argc, char *argv[]) {
* Window Size is changed even if do_fragment_http_persistent
* is enabled as there could be non-HTTP data on port 80
*/
if (do_fragment_http && ppTcpHdr->SrcPort == htons(80)) {
change_window_size(ppTcpHdr, http_fragment_size);
should_recalc_checksum = 1;
if (do_fake_packet && do_auto_ttl) {
if (!((packet_v4 && tcp_handle_incoming(&ppIpHdr->SrcAddr, &ppIpHdr->DstAddr,
ppTcpHdr->SrcPort, ppTcpHdr->DstPort,
0, ppIpHdr->TTL))
||
(packet_v6 && tcp_handle_incoming((uint32_t*)&ppIpV6Hdr->SrcAddr,
(uint32_t*)&ppIpV6Hdr->DstAddr,
ppTcpHdr->SrcPort, ppTcpHdr->DstPort,
1, ppIpV6Hdr->HopLimit))))
{
if (do_tcp_verb)
puts("[TCP WARN] Can't add TCP connection record.");
}
}
else if (do_fragment_https && ppTcpHdr->SrcPort != htons(80)) {
change_window_size(ppTcpHdr, https_fragment_size);
should_recalc_checksum = 1;
if (!do_native_frag) {
if (do_fragment_http && ppTcpHdr->SrcPort == htons(80)) {
change_window_size(ppTcpHdr, http_fragment_size);
should_recalc_checksum = 1;
}
else if (do_fragment_https && ppTcpHdr->SrcPort != htons(80)) {
change_window_size(ppTcpHdr, https_fragment_size);
should_recalc_checksum = 1;
}
}
}
}
@@ -975,14 +1255,15 @@ int main(int argc, char *argv[]) {
if (should_reinject) {
//printf("Re-injecting!\n");
if (should_recalc_checksum) {
WinDivertHelperCalcChecksums(packet, packetLen, &addr, NULL);
WinDivertHelperCalcChecksums(packet, packetLen, &addr, (UINT64)NULL);
}
WinDivertSend(w_filter, packet, packetLen, &addr, NULL);
}
}
else {
// error, ignore
printf("Error receiving packet!\n");
if (!exiting)
printf("Error receiving packet!\n");
break;
}
}

1
src/goodbyedpi.h
View File

@@ -1,4 +1,5 @@
#define HOST_MAXLEN 253
#define MAX_PACKET_SIZE 9016
#ifndef DEBUG
#define debug(...) do {} while (0)

4
src/service.c
View File

@@ -30,7 +30,7 @@ int service_register(int argc, char *argv[])
*/
if (!service_argc && !service_argv) {
service_argc = argc;
service_argv = malloc(sizeof(void*) * argc);
service_argv = malloc(sizeof(void*) * (size_t)argc);
for (i = 0; i < argc; i++) {
service_argv[i] = strdup(argv[i]);
}
@@ -71,7 +71,7 @@ void service_main(int argc __attribute__((unused)),
SetServiceStatus(hStatus, &ServiceStatus);
// Calling main with saved argc & argv
ServiceStatus.dwWin32ExitCode = main(service_argc, service_argv);
ServiceStatus.dwWin32ExitCode = (DWORD)main(service_argc, service_argv);
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus(hStatus, &ServiceStatus);
return;

241
src/ttltrack.c Normal file
View File

@@ -0,0 +1,241 @@
/**
* TCP (TTL) Connection Tracker for GoodbyeDPI
*
* Monitors SYN/ACK only, to extract the TTL value of the remote server.
*
*/
#include <windows.h>
#include <time.h>
#include <stdio.h>
#include "goodbyedpi.h"
#include "ttltrack.h"
#include "utils/uthash.h"
/* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + dstip[16] + srcport[2] + dstport[2]) */
#define TCP_CONNRECORD_KEY_LEN 37
#define TCP_CLEANUP_INTERVAL_SEC 30
/* HACK!
* uthash uses strlen() for HASH_FIND_STR.
* We have null bytes in our key, so we can't use strlen()
* And since it's always TCP_CONNRECORD_KEY_LEN bytes long,
* we don't need to use any string function to determine length.
*/
#undef uthash_strlen
#define uthash_strlen(s) TCP_CONNRECORD_KEY_LEN
typedef struct tcp_connrecord {
/* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + dstip[16] + srcport[2] + dstport[2]) */
char key[TCP_CONNRECORD_KEY_LEN];
time_t time; /* time when this record was added */
uint16_t ttl;
UT_hash_handle hh; /* makes this structure hashable */
} tcp_connrecord_t;
static time_t last_cleanup = 0;
static tcp_connrecord_t *conntrack = NULL;
inline static void fill_key_data(char *key, const uint8_t is_ipv6, const uint32_t srcip[4],
const uint32_t dstip[4], const uint16_t srcport, const uint16_t dstport)
{
unsigned int offset = 0;
if (is_ipv6) {
*(uint8_t*)(key) = '6';
offset += sizeof(uint8_t);
ipv6_copy_addr((uint32_t*)(key + offset), srcip);
offset += sizeof(uint32_t) * 4;
ipv6_copy_addr((uint32_t*)(key + offset), dstip);
offset += sizeof(uint32_t) * 4;
}
else {
*(uint8_t*)(key) = '4';
offset += sizeof(uint8_t);
ipv4_copy_addr((uint32_t*)(key + offset), srcip);
offset += sizeof(uint32_t) * 4;
ipv4_copy_addr((uint32_t*)(key + offset), dstip);
offset += sizeof(uint32_t) * 4;
}
*(uint16_t*)(key + offset) = srcport;
offset += sizeof(srcport);
*(uint16_t*)(key + offset) = dstport;
offset += sizeof(dstport);
}
inline static void fill_data_from_key(uint8_t *is_ipv6, uint32_t srcip[4], uint32_t dstip[4],
uint16_t *srcport, uint16_t *dstport, const char *key)
{
unsigned int offset = 0;
if (key[0] == '6') {
*is_ipv6 = 1;
offset += sizeof(uint8_t);
ipv6_copy_addr(srcip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
ipv6_copy_addr(dstip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
}
else {
*is_ipv6 = 0;
offset += sizeof(uint8_t);
ipv4_copy_addr(srcip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
ipv4_copy_addr(dstip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
}
*srcport = *(uint16_t*)(key + offset);
offset += sizeof(*srcport);
*dstport = *(uint16_t*)(key + offset);
offset += sizeof(*dstport);
}
inline static void construct_key(const uint32_t srcip[4], const uint32_t dstip[4],
const uint16_t srcport, const uint16_t dstport,
char *key, const uint8_t is_ipv6)
{
debug("Construct key enter\n");
if (key) {
debug("Constructing key\n");
fill_key_data(key, is_ipv6, srcip, dstip, srcport, dstport);
}
debug("Construct key end\n");
}
inline static void deconstruct_key(const char *key, const tcp_connrecord_t *connrecord,
tcp_conntrack_info_t *conn_info)
{
debug("Deconstruct key enter\n");
if (key && conn_info) {
debug("Deconstructing key\n");
fill_data_from_key(&conn_info->is_ipv6,
conn_info->srcip, conn_info->dstip,
&conn_info->srcport, &conn_info->dstport,
key);
conn_info->ttl = connrecord->ttl;
}
debug("Deconstruct key end\n");
}
static int check_get_tcp_conntrack_key(const char *key, tcp_connrecord_t **connrecord) {
tcp_connrecord_t *tmp_connrecord = NULL;
if (!conntrack) return FALSE;
HASH_FIND_STR(conntrack, key, tmp_connrecord);
if (tmp_connrecord) {
if (connrecord)
*connrecord = tmp_connrecord;
debug("check_get_tcp_conntrack_key found key\n");
return TRUE;
}
debug("check_get_tcp_conntrack_key key not found\n");
return FALSE;
}
static int add_tcp_conntrack(const uint32_t srcip[4], const uint32_t dstip[4],
const uint16_t srcport, const uint16_t dstport,
const uint8_t is_ipv6, const uint8_t ttl
)
{
if (!(srcip && srcport && dstip && dstport))
return FALSE;
tcp_connrecord_t *tmp_connrecord = malloc(sizeof(tcp_connrecord_t));
construct_key(srcip, dstip, srcport, dstport, tmp_connrecord->key, is_ipv6);
if (!check_get_tcp_conntrack_key(tmp_connrecord->key, NULL)) {
tmp_connrecord->time = time(NULL);
tmp_connrecord->ttl = ttl;
HASH_ADD_STR(conntrack, key, tmp_connrecord);
debug("Added TCP conntrack %u:%hu - %u:%hu\n", srcip[0], ntohs(srcport), dstip[0], ntohs(dstport));
return TRUE;
}
debug("Not added TCP conntrack %u:%hu - %u:%hu\n", srcip[0], ntohs(srcport), dstip[0], ntohs(dstport));
free(tmp_connrecord);
return FALSE;
}
static void tcp_cleanup() {
tcp_connrecord_t *tmp_connrecord, *tmp_connrecord2 = NULL;
if (last_cleanup == 0) {
last_cleanup = time(NULL);
return;
}
if (difftime(time(NULL), last_cleanup) >= TCP_CLEANUP_INTERVAL_SEC) {
last_cleanup = time(NULL);
HASH_ITER(hh, conntrack, tmp_connrecord, tmp_connrecord2) {
if (difftime(last_cleanup, tmp_connrecord->time) >= TCP_CLEANUP_INTERVAL_SEC) {
HASH_DEL(conntrack, tmp_connrecord);
free(tmp_connrecord);
}
}
}
}
int tcp_handle_incoming(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
uint8_t is_ipv6, uint8_t ttl)
{
tcp_cleanup();
debug("trying to add TCP srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
return add_tcp_conntrack(srcip, dstip, srcport, dstport, is_ipv6, ttl);
debug("____tcp_handle_incoming FALSE: srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
return FALSE;
}
int tcp_handle_outgoing(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
tcp_conntrack_info_t *conn_info,
uint8_t is_ipv6)
{
char key[TCP_CONNRECORD_KEY_LEN];
tcp_connrecord_t *tmp_connrecord = NULL;
if (!conn_info)
return FALSE;
tcp_cleanup();
construct_key(dstip, srcip, dstport, srcport, key, is_ipv6);
if (check_get_tcp_conntrack_key(key, &tmp_connrecord) && tmp_connrecord) {
/* Connection exists in conntrack, moving on */
deconstruct_key(key, tmp_connrecord, conn_info);
HASH_DEL(conntrack, tmp_connrecord);
free(tmp_connrecord);
debug("____tcp_handle_outgoing TRUE: srcport = %hu\n", ntohs(srcport));
return TRUE;
}
debug("____tcp_handle_outgoing FALSE: srcport = %hu\n", ntohs(srcport));
return FALSE;
}
int tcp_get_auto_ttl(const uint8_t ttl, const uint8_t decrease_for) {
uint8_t ttl_of_fake_packet = 0;
if (ttl > 98 && ttl < 128) {
/* Safekeeping */
if (128 - ttl > decrease_for + 1) {
ttl_of_fake_packet = 128 - ttl - decrease_for;
}
}
else if (ttl > 34 && ttl < 64) {
/* Safekeeping */
if (64 - ttl > decrease_for + 1) {
ttl_of_fake_packet = 64 - ttl - decrease_for;
}
}
else {
ttl_of_fake_packet = 0;
}
return ttl_of_fake_packet;
}

25
src/ttltrack.h Normal file
View File

@@ -0,0 +1,25 @@
#ifndef _TTLTRACK_H
#define _TTLTRACK_H
#include <stdint.h>
#include "dnsredir.h"
typedef struct tcp_conntrack_info {
uint8_t is_ipv6;
uint8_t ttl;
uint32_t srcip[4];
uint16_t srcport;
uint32_t dstip[4];
uint16_t dstport;
} tcp_conntrack_info_t;
int tcp_handle_incoming(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
uint8_t is_ipv6, uint8_t ttl);
int tcp_handle_outgoing(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
tcp_conntrack_info_t *conn_info,
uint8_t is_ipv6);
int tcp_get_auto_ttl(uint8_t ttl, uint8_t decrease_for);
#endif

4
src/utils/repl_str.c
View File

@@ -46,11 +46,11 @@ char *repl_str(const char *str, const char *from, const char *to) {
}
}
pos_cache[count-1] = pstr2 - str;
pos_cache[count-1] = (uintptr_t)(pstr2 - str);
pstr = pstr2 + fromlen;
}
orglen = pstr - str + strlen(pstr);
orglen = (size_t)(pstr - str) + strlen(pstr);
/* Allocate memory for the post-replacement string. */
if (count > 0) {