mirror of
https://github.com/ValdikSS/GoodbyeDPI.git
synced 2025-12-17 12:54:36 +03:00
Compare commits
24 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
6eec99e874 | ||
|
|
b799b33fed | ||
|
|
76c4658985 | ||
|
|
d61a9f8022 | ||
|
|
fc15088c33 | ||
|
|
1ea70f9bc9 | ||
|
|
ed42c5d627 | ||
|
|
a79377f606 | ||
|
|
db37b4f1f2 | ||
|
|
9fcf097cb7 | ||
|
|
e1e09f9103 | ||
|
|
a5c2f9fac9 | ||
|
|
11c322aaed | ||
|
|
88d4a60cdf | ||
|
|
b45b463d51 | ||
|
|
80fcd9c5cf | ||
|
|
21ff80b43c | ||
|
|
bbb6af89fe | ||
|
|
b57a204d96 | ||
|
|
3899a719c1 | ||
|
|
b9682ac222 | ||
|
|
35c6e401db | ||
|
|
cf7d1c69e0 | ||
|
|
5b79d8e8ba |
@@ -1,45 +0,0 @@
|
|||||||
---
|
|
||||||
name: Bug report / сообщение об ошибке
|
|
||||||
about: Report software issue / сообщить об ошибке в программе
|
|
||||||
title: ''
|
|
||||||
labels: ''
|
|
||||||
assignees: ''
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
<!--
|
|
||||||
WARNING! Please pay some attention!
|
|
||||||
GoodbyeDPI does not guarantee to work on your ISP on 100% or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it.
|
|
||||||
Please report software bugs, such as: website incompatibility (if the website works without GoodbyeDPI but breaks with GoobyeDPI enabled), antivirus incompatibility, DNS redirection problems, incorrect packet handling, and other software issues.
|
|
||||||
Please make sure to check other opened and closed issues, it could be your question or issue has been already discussed.
|
|
||||||
|
|
||||||
ВНИМАНИЕ! Пожалуйста, прочтите!
|
|
||||||
GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу вообще. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
|
|
||||||
Сообщайте только об ошибках в программе, таких как: некорректная работа с веб-сайтами (когда веб-сайт работает без GoodbyeDPI, но ломается с GoodbyeDPI), несовместимость с антивирусами, проблемы с перенаправлением DNS, некорректная обработка пакетов, и другие проблемы.
|
|
||||||
Также посмотрите другие открытые и закрытые баги. Возможно, ваш вопрос или проблема уже обсуждались.
|
|
||||||
-->
|
|
||||||
|
|
||||||
**Describe the bug / Опишите проблему**
|
|
||||||
A clear and concise description of what the bug is. If the issue about software incompatibility, include your operating system version and software name/version.
|
|
||||||
Подробно опишите, в чём заключается проблема. Если проблема касается совместимости с другими программами, укажите версию вашей операционной системы, имя и версию программы.
|
|
||||||
|
|
||||||
**To Reproduce / Шаги воспроизведения проблемы**
|
|
||||||
Steps to reproduce the behavior:
|
|
||||||
1. Go to '...'
|
|
||||||
2. Click on '....'
|
|
||||||
3. Scroll down to '....'
|
|
||||||
4. See error
|
|
||||||
|
|
||||||
**Expected behavior / ожидаемое поведение программы**
|
|
||||||
A clear and concise description of what you expected to happen.
|
|
||||||
Подробно опишите, как вы ожидаете, чтобы программа работала.
|
|
||||||
|
|
||||||
**Actual behavior / текущее поведение программы**
|
|
||||||
A clear and concise description of what you expected to happen.
|
|
||||||
Подробно опишите, что происходит с программой на текущий момент.
|
|
||||||
|
|
||||||
**Screenshots / Скриншоты**
|
|
||||||
If applicable, add screenshots to help explain your problem.
|
|
||||||
Если необходимо, добавьте скриншоты, объясняющие проблему.
|
|
||||||
|
|
||||||
**Additional context / дополнительная информация**
|
|
||||||
47
.github/ISSUE_TEMPLATE/bug.yml
vendored
Normal file
47
.github/ISSUE_TEMPLATE/bug.yml
vendored
Normal file
@@ -0,0 +1,47 @@
|
|||||||
|
name: Bug Report / Сообщение об ошибке
|
||||||
|
description: File a bug report / Сообщить об ошибке в проекте
|
||||||
|
|
||||||
|
body:
|
||||||
|
- type: markdown
|
||||||
|
attributes:
|
||||||
|
value: |
|
||||||
|
Please pay some attention!
|
||||||
|
GoodbyeDPI does not guarantee to work on your ISP on 100% or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it.
|
||||||
|
Please report software bugs, such as: website incompatibility (if the website works without GoodbyeDPI but breaks with GoobyeDPI enabled), antivirus incompatibility, DNS redirection problems, incorrect packet handling, and other software issues.
|
||||||
|
Please make sure to check other opened and closed issues, it could be your question or issue has been already discussed.
|
||||||
|
|
||||||
|
Пожалуйста, прочтите!
|
||||||
|
GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу вообще. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
|
||||||
|
Сообщайте только об ошибках в программе, таких как: некорректная работа с веб-сайтами (когда веб-сайт работает без GoodbyeDPI, но ломается с GoodbyeDPI), несовместимость с антивирусами, проблемы с перенаправлением DNS, некорректная обработка пакетов, и другие проблемы.
|
||||||
|
Также посмотрите другие открытые и закрытые баги. Возможно, ваш вопрос или проблема уже обсуждались.
|
||||||
|
- type: input
|
||||||
|
id: os
|
||||||
|
attributes:
|
||||||
|
label: Operating system / операционная система
|
||||||
|
description: Enter your Windows version. For Windows 10 and 11 include build/update number.
|
||||||
|
placeholder: ex. Windows 10 20H2
|
||||||
|
validations:
|
||||||
|
required: true
|
||||||
|
- type: dropdown
|
||||||
|
id: is-svc
|
||||||
|
attributes:
|
||||||
|
label: Running as service / Запуск программы как сервис
|
||||||
|
description: Do you use GoodbyeDPI as a Windows Service?
|
||||||
|
options:
|
||||||
|
- I run it as a regular program / Запускаю программу обычным образом
|
||||||
|
- I installed it as a service / Установил как сервис Windows
|
||||||
|
validations:
|
||||||
|
required: true
|
||||||
|
- type: textarea
|
||||||
|
id: what-happened
|
||||||
|
attributes:
|
||||||
|
label: Describe the issue / Опишите проблему
|
||||||
|
description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается проблема
|
||||||
|
placeholder: Attach the screenshots for clarity / При необходимости приложите скриншоты
|
||||||
|
validations:
|
||||||
|
required: true
|
||||||
|
- type: textarea
|
||||||
|
id: additional-info
|
||||||
|
attributes:
|
||||||
|
label: Additional information / Дополнительная информация
|
||||||
|
description: If you have a hints on why this bug happens, you can express it here / Если у вас есть предположения об источнике бага, вы можете изложить их здесь
|
||||||
5
.github/ISSUE_TEMPLATE/config.yml
vendored
Normal file
5
.github/ISSUE_TEMPLATE/config.yml
vendored
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
blank_issues_enabled: false
|
||||||
|
contact_links:
|
||||||
|
- name: Questions about the program / Вопросы по програме
|
||||||
|
url: https://ntc.party/c/community-software/goodbyedpi/8
|
||||||
|
about: Please ask and answer questions on forum / Пожалуйста, задавайте вопросы только на форуме
|
||||||
@@ -1,12 +0,0 @@
|
|||||||
---
|
|
||||||
name: Feature request / предложить новую функциональность
|
|
||||||
about: Suggest an idea or function for this project / предложить новую идею или функциональность
|
|
||||||
title: ''
|
|
||||||
labels: ''
|
|
||||||
assignees: ''
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
**Description / Описание**
|
|
||||||
A clear and concise description of your suggestion.
|
|
||||||
Детальное описание вашего предложения.
|
|
||||||
15
.github/ISSUE_TEMPLATE/feature.yml
vendored
Normal file
15
.github/ISSUE_TEMPLATE/feature.yml
vendored
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
name: Feature request / Предложить новую функциональность
|
||||||
|
description: Suggest an idea or function for this project / Предложить новую идею или функциональность в программе
|
||||||
|
|
||||||
|
body:
|
||||||
|
- type: markdown
|
||||||
|
attributes:
|
||||||
|
value: |
|
||||||
|
If you think of a great function or circumvention method which is missing from the program, go ahead and suggest it here.
|
||||||
|
Если вы придумали новую функцию или метод обхода, которого еще нет в программе, напишите о нем подробнее здесь.
|
||||||
|
- type: textarea
|
||||||
|
id: description
|
||||||
|
attributes:
|
||||||
|
label: Describe your feature / Опишите ваше предложение
|
||||||
|
validations:
|
||||||
|
required: true
|
||||||
75
.github/workflows/build.yml
vendored
Normal file
75
.github/workflows/build.yml
vendored
Normal file
@@ -0,0 +1,75 @@
|
|||||||
|
name: Build GoodbyeDPI
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
paths:
|
||||||
|
- 'src/**'
|
||||||
|
|
||||||
|
env:
|
||||||
|
WINDIVERT_URL: https://www.reqrypt.org/download/WinDivert-1.4.3-A.zip
|
||||||
|
WINDIVERT_NAME: WinDivert-1.4.3-A.zip
|
||||||
|
WINDIVERT_SHA256: 4084bc3931f31546d375ed89e3f842776efa46f321ed0adcd32d3972a7d02566
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v2
|
||||||
|
|
||||||
|
- name: Declare short commit variable
|
||||||
|
id: vars
|
||||||
|
run: |
|
||||||
|
echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
|
||||||
|
|
||||||
|
- name: Install MinGW-w64
|
||||||
|
run: >
|
||||||
|
sudo DEBIAN_FRONTEND=noninteractive XZ_DEFAULTS="-T0" XZ_OPT="-T0" eatmydata
|
||||||
|
apt install -y --no-install-recommends gcc-mingw-w64
|
||||||
|
|
||||||
|
- name: Download WinDivert from cache
|
||||||
|
id: windivert-cache
|
||||||
|
uses: actions/cache@v2
|
||||||
|
with:
|
||||||
|
path: ${{ env. WINDIVERT_NAME }}
|
||||||
|
key: ${{ env. WINDIVERT_SHA256 }}
|
||||||
|
|
||||||
|
- name: Download WinDivert from the website
|
||||||
|
if: steps.windivert-cache.outputs.cache-hit != 'true'
|
||||||
|
run: >
|
||||||
|
wget ${{ env. WINDIVERT_URL }} &&
|
||||||
|
(echo ${{ env. WINDIVERT_SHA256 }} ${{ env. WINDIVERT_NAME }} | sha256sum -c)
|
||||||
|
|
||||||
|
- name: Unpack WinDivert
|
||||||
|
run: unzip ${{ env. WINDIVERT_NAME }}
|
||||||
|
|
||||||
|
- name: Compile x86_64
|
||||||
|
run: >
|
||||||
|
cd src && make clean &&
|
||||||
|
make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=../WinDivert-1.4.3-A/include WINDIVERTLIBS=../WinDivert-1.4.3-A/x86_64 -j4
|
||||||
|
|
||||||
|
- name: Prepare x86_64 directory
|
||||||
|
run: |
|
||||||
|
mkdir goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
|
||||||
|
cp src/goodbyedpi.exe WinDivert-1.4.3-A/x86_64/*.{dll,sys} goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
|
||||||
|
|
||||||
|
- name: Upload output file x86_64 (64 bit)
|
||||||
|
uses: actions/upload-artifact@v2
|
||||||
|
with:
|
||||||
|
name: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
|
||||||
|
path: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
|
||||||
|
|
||||||
|
- name: Compile i686
|
||||||
|
run: >
|
||||||
|
cd src && make clean &&
|
||||||
|
make CPREFIX=i686-w64-mingw32- WINDIVERTHEADERS=../WinDivert-1.4.3-A/include WINDIVERTLIBS=../WinDivert-1.4.3-A/x86 -j4
|
||||||
|
|
||||||
|
- name: Prepare x86 directory
|
||||||
|
run: |
|
||||||
|
mkdir goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
|
||||||
|
cp src/goodbyedpi.exe WinDivert-1.4.3-A/x86/*.{dll,sys} goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
|
||||||
|
|
||||||
|
- name: Upload output file x86
|
||||||
|
uses: actions/upload-artifact@v2
|
||||||
|
with:
|
||||||
|
name: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
|
||||||
|
path: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
|
||||||
52
README.md
52
README.md
@@ -17,26 +17,30 @@ Usage: goodbyedpi.exe [OPTION...]
|
|||||||
-r replace Host with hoSt
|
-r replace Host with hoSt
|
||||||
-s remove space between host header and its value
|
-s remove space between host header and its value
|
||||||
-m mix Host header case (test.com -> tEsT.cOm)
|
-m mix Host header case (test.com -> tEsT.cOm)
|
||||||
-f [value] set HTTP fragmentation to value
|
-f <value> set HTTP fragmentation to value
|
||||||
-k [value] enable HTTP persistent (keep-alive) fragmentation and set it to value
|
-k <value> enable HTTP persistent (keep-alive) fragmentation and set it to value
|
||||||
-n do not wait for first segment ACK when -k is enabled
|
-n do not wait for first segment ACK when -k is enabled
|
||||||
-e [value] set HTTPS fragmentation to value
|
-e <value> set HTTPS fragmentation to value
|
||||||
-a additional space between Method and Request-URI (enables -s, may break sites)
|
-a additional space between Method and Request-URI (enables -s, may break sites)
|
||||||
-w try to find and parse HTTP traffic on all processed ports (not only on port 80)
|
-w try to find and parse HTTP traffic on all processed ports (not only on port 80)
|
||||||
--port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w)
|
--port <value> additional TCP port to perform fragmentation on (and HTTP tricks with -w)
|
||||||
--ip-id [value] handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
|
--ip-id <value> handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
|
||||||
This option can be supplied multiple times.
|
This option can be supplied multiple times.
|
||||||
--dns-addr [value] redirect UDP DNS requests to the supplied IP address (experimental)
|
--dns-addr <value> redirect UDP DNS requests to the supplied IP address (experimental)
|
||||||
--dns-port [value] redirect UDP DNS requests to the supplied port (53 by default)
|
--dns-port <value> redirect UDP DNS requests to the supplied port (53 by default)
|
||||||
--dnsv6-addr [value] redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)
|
--dnsv6-addr <value> redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)
|
||||||
--dnsv6-port [value] redirect UDPv6 DNS requests to the supplied port (53 by default)
|
--dnsv6-port <value> redirect UDPv6 DNS requests to the supplied port (53 by default)
|
||||||
--dns-verb print verbose DNS redirection messages
|
--dns-verb print verbose DNS redirection messages
|
||||||
--blacklist [txtfile] perform HTTP tricks only to host names and subdomains from
|
--blacklist <txtfile> perform circumvention tricks only to host names and subdomains from
|
||||||
supplied text file. This option can be supplied multiple times.
|
supplied text file (HTTP Host/TLS SNI).
|
||||||
--set-ttl [value] activate Fake Request Mode and send it with supplied TTL value.
|
This option can be supplied multiple times.
|
||||||
|
--set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.
|
||||||
DANGEROUS! May break websites in unexpected ways. Use with care.
|
DANGEROUS! May break websites in unexpected ways. Use with care.
|
||||||
|
--auto-ttl [decttl] activate Fake Request Mode, automatically detect TTL and decrease
|
||||||
|
it from standard 64 or 128 by decttl (128/64 - TTL - 4 by default).
|
||||||
--wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.
|
--wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.
|
||||||
May not work in a VM or with some routers, but is safer than set-ttl.
|
May not work in a VM or with some routers, but is safer than set-ttl.
|
||||||
|
--wrong-seq activate Fake Request Mode and send it with TCP SEQ/ACK in the past.
|
||||||
--native-frag fragment (split) the packets by sending them in smaller packets, without
|
--native-frag fragment (split) the packets by sending them in smaller packets, without
|
||||||
shrinking the Window Size. Works faster (does not slow down the connection)
|
shrinking the Window Size. Works faster (does not slow down the connection)
|
||||||
and better.
|
and better.
|
||||||
@@ -44,19 +48,28 @@ Usage: goodbyedpi.exe [OPTION...]
|
|||||||
reversed order. Works with the websites which could not handle segmented
|
reversed order. Works with the websites which could not handle segmented
|
||||||
HTTPS TLS ClientHello (because they receive the TCP flow "combined").
|
HTTPS TLS ClientHello (because they receive the TCP flow "combined").
|
||||||
|
|
||||||
-1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode, default)
|
|
||||||
|
LEGACY modesets:
|
||||||
|
-1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode)
|
||||||
-2 -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)
|
-2 -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)
|
||||||
-3 -p -r -s -e 40 (better speed for HTTP and HTTPS)
|
-3 -p -r -s -e 40 (better speed for HTTP and HTTPS)
|
||||||
-4 -p -r -s (best speed)
|
-4 -p -r -s (best speed)
|
||||||
|
|
||||||
|
Modern modesets (more stable, more compatible, faster):
|
||||||
|
-5 -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)
|
||||||
|
-6 -f 2 -e 2 --wrong-seq --reverse-frag
|
||||||
```
|
```
|
||||||
|
|
||||||
To check if your ISP's DPI could be circumvented, run `3_all_dnsredir_hardcore.cmd` first. This is the most hardcore mode which will show if this program is suitable for your ISP and DPI vendor at all. If you can open blocked websites with this mode, it means your ISP has DPI which can be circumvented. This is the slowest and prone to break websites mode, but suitable for most DPI.
|
To check if your ISP's DPI could be circumvented, first make sure that your provider does not poison DNS answers by enabling "Secure DNS (DNS over HTTPS)" option in your browser.
|
||||||
|
|
||||||
Try `goodbyedpi -1` to see if it works too.
|
* **Chrome**: Settings → [Privacy and security](chrome://settings/security) > Use secure DNS → With: NextDNS
|
||||||
|
* **Firefox**: [Settings](about:preferences) → Network Settings → Enable DNS over HTTPS → Use provider: NextDNS
|
||||||
|
|
||||||
Then try `goodbyedpi.exe -2`. It should be faster for HTTPS sites. Mode `-3` speed ups HTTP websites.
|
Then run the `goodbyedpi.exe` executable without any options. If it works — congratulations! You can use it as-is or configure further, for example by using `--blacklist` option if the list of blocked websites is known and available for your country.
|
||||||
|
|
||||||
Use `goodbyedpi.exe -4` if it works for your ISP's DPI. This is the fastest mode but not compatible with every DPI.
|
If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resover running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications.
|
||||||
|
|
||||||
|
Check the .cmd scripts and modify it according to your preference and network conditions.
|
||||||
|
|
||||||
# How does it work
|
# How does it work
|
||||||
|
|
||||||
@@ -74,7 +87,7 @@ Active DPI is more tricky to fool. Currently the software uses 7 methods to circ
|
|||||||
* Removing space between header name and value in `Host` header
|
* Removing space between header name and value in `Host` header
|
||||||
* Adding additional space between HTTP Method (GET, POST etc) and URI
|
* Adding additional space between HTTP Method (GET, POST etc) and URI
|
||||||
* Mixing case of Host header value
|
* Mixing case of Host header value
|
||||||
* Sending fake HTTP/HTTPS packets with low Time-To-Live value or incorrect checksum to fool DPI and prevent delivering them to the destination
|
* Sending fake HTTP/HTTPS packets with low Time-To-Live value, incorrect checksum or incorrect TCP Sequence/Acknowledgement numbers to fool DPI and prevent delivering them to the destination
|
||||||
|
|
||||||
These methods should not break any website as they're fully compatible with TCP and HTTP standards, yet it's sufficient to prevent DPI data classification and to circumvent censorship. Additional space may break some websites, although it's acceptable by HTTP/1.1 specification (see 19.3 Tolerant Applications).
|
These methods should not break any website as they're fully compatible with TCP and HTTP standards, yet it's sufficient to prevent DPI data classification and to circumvent censorship. Additional space may break some websites, although it's acceptable by HTTP/1.1 specification (see 19.3 Tolerant Applications).
|
||||||
|
|
||||||
@@ -94,7 +107,8 @@ And for x86_64:
|
|||||||
|
|
||||||
# How to install as Windows Service
|
# How to install as Windows Service
|
||||||
|
|
||||||
Use `service_install_russia_blacklist.cmd`, `service_install_russia_blacklist_dnsredir.cmd` and `service_remove.cmd` scripts.
|
Check examples in `service_install_russia_blacklist.cmd`, `service_install_russia_blacklist_dnsredir.cmd` and `service_remove.cmd` scripts.
|
||||||
|
|
||||||
Modify them according to your own needs.
|
Modify them according to your own needs.
|
||||||
|
|
||||||
# Known issues
|
# Known issues
|
||||||
|
|||||||
11
src/Makefile
11
src/Makefile
@@ -9,21 +9,22 @@ MINGWLIB = /usr/x86_64-w64-mingw32/lib/
|
|||||||
TARGET = goodbyedpi.exe
|
TARGET = goodbyedpi.exe
|
||||||
# Linking SSP does not work for some reason, the executable doesn't start.
|
# Linking SSP does not work for some reason, the executable doesn't start.
|
||||||
#LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
|
#LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
|
||||||
LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32
|
LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32 -l:libssp.a
|
||||||
CC = $(CPREFIX)gcc
|
CC = $(CPREFIX)gcc
|
||||||
CCWINDRES = $(CPREFIX)windres
|
CCWINDRES = $(CPREFIX)windres
|
||||||
CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
|
CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
|
||||||
-O2 -D_FORTIFY_SOURCE=2 \
|
-O2 -D_FORTIFY_SOURCE=2 -fstack-protector \
|
||||||
-Wall -Wextra -Wpedantic -Wformat=2 -Wshadow -Wstrict-aliasing=1 -Werror=format-security \
|
-Wall -Wextra -Wpedantic -Wformat=2 -Wno-format-nonliteral -Wshadow -Wstrict-aliasing=1 -Werror=format-security \
|
||||||
-Wfloat-equal -Wcast-align -Wsign-conversion \
|
-Wfloat-equal -Wcast-align -Wsign-conversion \
|
||||||
#-fstack-protector-strong
|
#-fstack-protector-strong
|
||||||
LDFLAGS = -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
|
LDFLAGS = -fstack-protector -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
|
||||||
-Wl,--image-base,0x140000000 -Wl,--disable-auto-image-base
|
-Wl,--image-base,0x140000000 -Wl,--disable-auto-image-base
|
||||||
|
|
||||||
ifdef BIT64
|
ifdef BIT64
|
||||||
LDFLAGS += -Wl,--high-entropy-va -Wl,--pic-executable,-e,mainCRTStartup
|
LDFLAGS += -Wl,--high-entropy-va -Wl,--pic-executable,-e,mainCRTStartup
|
||||||
else
|
else
|
||||||
LDFLAGS += -Wl,--pic-executable,-e,_mainCRTStartup
|
CFLAGS += -m32
|
||||||
|
LDFLAGS += -Wl,--pic-executable,-e,_mainCRTStartup -m32
|
||||||
endif
|
endif
|
||||||
|
|
||||||
.PHONY: default all clean
|
.PHONY: default all clean
|
||||||
|
|||||||
@@ -35,14 +35,11 @@ static int add_hostname(const char *host) {
|
|||||||
if (!host)
|
if (!host)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
int host_len = strlen(host);
|
|
||||||
|
|
||||||
blackwhitelist_record_t *tmp_record = malloc(sizeof(blackwhitelist_record_t));
|
blackwhitelist_record_t *tmp_record = malloc(sizeof(blackwhitelist_record_t));
|
||||||
char *host_c = malloc(host_len + 1);
|
char *host_c = NULL;
|
||||||
|
|
||||||
if (!check_get_hostname(host)) {
|
if (!check_get_hostname(host)) {
|
||||||
strncpy(host_c, host, host_len);
|
host_c = strdup(host);
|
||||||
host_c[host_len] = '\0';
|
|
||||||
tmp_record->host = host_c;
|
tmp_record->host = host_c;
|
||||||
HASH_ADD_KEYPTR(hh, blackwhitelist, tmp_record->host,
|
HASH_ADD_KEYPTR(hh, blackwhitelist, tmp_record->host,
|
||||||
strlen(tmp_record->host), tmp_record);
|
strlen(tmp_record->host), tmp_record);
|
||||||
@@ -51,6 +48,7 @@ static int add_hostname(const char *host) {
|
|||||||
}
|
}
|
||||||
debug("Not added host %s\n", host);
|
debug("Not added host %s\n", host);
|
||||||
free(tmp_record);
|
free(tmp_record);
|
||||||
|
if (host_c)
|
||||||
free(host_c);
|
free(host_c);
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -44,7 +44,7 @@ static time_t last_cleanup = 0;
|
|||||||
static udp_connrecord_t *conntrack = NULL;
|
static udp_connrecord_t *conntrack = NULL;
|
||||||
|
|
||||||
void flush_dns_cache() {
|
void flush_dns_cache() {
|
||||||
BOOL WINAPI (*DnsFlushResolverCache)();
|
long long int WINAPI (*DnsFlushResolverCache)();
|
||||||
|
|
||||||
HMODULE dnsapi = LoadLibrary("dnsapi.dll");
|
HMODULE dnsapi = LoadLibrary("dnsapi.dll");
|
||||||
if (dnsapi == NULL)
|
if (dnsapi == NULL)
|
||||||
@@ -53,7 +53,7 @@ void flush_dns_cache() {
|
|||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
|
||||||
DnsFlushResolverCache = (void*)GetProcAddress(dnsapi, "DnsFlushResolverCache");
|
DnsFlushResolverCache = GetProcAddress(dnsapi, "DnsFlushResolverCache");
|
||||||
if (DnsFlushResolverCache == NULL || !DnsFlushResolverCache())
|
if (DnsFlushResolverCache == NULL || !DnsFlushResolverCache())
|
||||||
printf("Can't flush DNS cache!");
|
printf("Can't flush DNS cache!");
|
||||||
FreeLibrary(dnsapi);
|
FreeLibrary(dnsapi);
|
||||||
|
|||||||
@@ -1,3 +1,5 @@
|
|||||||
|
#ifndef _DNSREDIR_H
|
||||||
|
#define _DNSREDIR_H
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
|
||||||
typedef struct conntrack_info {
|
typedef struct conntrack_info {
|
||||||
@@ -34,3 +36,4 @@ int dns_handle_outgoing(const uint32_t srcip[4], const uint16_t srcport,
|
|||||||
|
|
||||||
void flush_dns_cache();
|
void flush_dns_cache();
|
||||||
int dns_is_dns_packet(const char *packet_data, const UINT packet_dataLen, const int outgoing);
|
int dns_is_dns_packet(const char *packet_data, const UINT packet_dataLen, const int outgoing);
|
||||||
|
#endif
|
||||||
|
|||||||
@@ -7,7 +7,7 @@
|
|||||||
#include "windivert.h"
|
#include "windivert.h"
|
||||||
#include "goodbyedpi.h"
|
#include "goodbyedpi.h"
|
||||||
|
|
||||||
static const char fake_http_request[] = "GET / HTTP/1.1\r\nHost: www.w3.org\r\n"
|
static const unsigned char fake_http_request[] = "GET / HTTP/1.1\r\nHost: www.w3.org\r\n"
|
||||||
"User-Agent: curl/7.65.3\r\nAccept: */*\r\n"
|
"User-Agent: curl/7.65.3\r\nAccept: */*\r\n"
|
||||||
"Accept-Encoding: deflate, gzip, br\r\n\r\n";
|
"Accept-Encoding: deflate, gzip, br\r\n\r\n";
|
||||||
static const unsigned char fake_https_request[] = {
|
static const unsigned char fake_https_request[] = {
|
||||||
@@ -53,7 +53,8 @@ static int send_fake_data(const HANDLE w_filter,
|
|||||||
const BOOL is_ipv6,
|
const BOOL is_ipv6,
|
||||||
const BOOL is_https,
|
const BOOL is_https,
|
||||||
const BYTE set_ttl,
|
const BYTE set_ttl,
|
||||||
const BYTE set_checksum
|
const BYTE set_checksum,
|
||||||
|
const BYTE set_seq
|
||||||
) {
|
) {
|
||||||
char packet_fake[MAX_PACKET_SIZE];
|
char packet_fake[MAX_PACKET_SIZE];
|
||||||
WINDIVERT_ADDRESS addr_new;
|
WINDIVERT_ADDRESS addr_new;
|
||||||
@@ -63,12 +64,15 @@ static int send_fake_data(const HANDLE w_filter,
|
|||||||
PWINDIVERT_IPHDR ppIpHdr;
|
PWINDIVERT_IPHDR ppIpHdr;
|
||||||
PWINDIVERT_IPV6HDR ppIpV6Hdr;
|
PWINDIVERT_IPV6HDR ppIpV6Hdr;
|
||||||
PWINDIVERT_TCPHDR ppTcpHdr;
|
PWINDIVERT_TCPHDR ppTcpHdr;
|
||||||
char *fake_request_data = is_https ? fake_https_request : fake_http_request;
|
unsigned const char *fake_request_data = is_https ? fake_https_request : fake_http_request;
|
||||||
UINT fake_request_size = is_https ? sizeof(fake_https_request) : sizeof(fake_http_request) - 1;
|
UINT fake_request_size = is_https ? sizeof(fake_https_request) : sizeof(fake_http_request) - 1;
|
||||||
|
|
||||||
memcpy(&addr_new, addr, sizeof(WINDIVERT_ADDRESS));
|
memcpy(&addr_new, addr, sizeof(WINDIVERT_ADDRESS));
|
||||||
memcpy(packet_fake, pkt, packetLen);
|
memcpy(packet_fake, pkt, packetLen);
|
||||||
|
|
||||||
|
addr_new.PseudoTCPChecksum = 0;
|
||||||
|
addr_new.PseudoIPChecksum = 0;
|
||||||
|
|
||||||
if (!is_ipv6) {
|
if (!is_ipv6) {
|
||||||
// IPv4 TCP Data packet
|
// IPv4 TCP Data packet
|
||||||
if (!WinDivertHelperParsePacket(packet_fake, packetLen, &ppIpHdr,
|
if (!WinDivertHelperParsePacket(packet_fake, packetLen, &ppIpHdr,
|
||||||
@@ -107,9 +111,16 @@ static int send_fake_data(const HANDLE w_filter,
|
|||||||
ppIpV6Hdr->HopLimit = set_ttl;
|
ppIpV6Hdr->HopLimit = set_ttl;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (set_seq) {
|
||||||
|
// This is the smallest ACK drift Linux can't handle already, since at least v2.6.18.
|
||||||
|
// https://github.com/torvalds/linux/blob/v2.6.18/net/netfilter/nf_conntrack_proto_tcp.c#L395
|
||||||
|
ppTcpHdr->AckNum = htonl(ntohl(ppTcpHdr->AckNum) - 66000);
|
||||||
|
// This is just random, no specifics about this value.
|
||||||
|
ppTcpHdr->SeqNum = htonl(ntohl(ppTcpHdr->SeqNum) - 10000);
|
||||||
|
}
|
||||||
|
|
||||||
// Recalculate the checksum
|
// Recalculate the checksum
|
||||||
addr_new.PseudoTCPChecksum = 0;
|
WinDivertHelperCalcChecksums(packet_fake, packetLen_new, &addr_new, (UINT64)NULL);
|
||||||
WinDivertHelperCalcChecksums(packet_fake, packetLen_new, &addr_new, NULL);
|
|
||||||
|
|
||||||
if (set_checksum) {
|
if (set_checksum) {
|
||||||
// ...and damage it
|
// ...and damage it
|
||||||
@@ -127,23 +138,46 @@ static int send_fake_data(const HANDLE w_filter,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int send_fake_request(const HANDLE w_filter,
|
||||||
|
const PWINDIVERT_ADDRESS addr,
|
||||||
|
const char *pkt,
|
||||||
|
const UINT packetLen,
|
||||||
|
const BOOL is_ipv6,
|
||||||
|
const BOOL is_https,
|
||||||
|
const BYTE set_ttl,
|
||||||
|
const BYTE set_checksum,
|
||||||
|
const BYTE set_seq
|
||||||
|
) {
|
||||||
|
if (set_ttl) {
|
||||||
|
send_fake_data(w_filter, addr, pkt, packetLen,
|
||||||
|
is_ipv6, is_https,
|
||||||
|
set_ttl, FALSE, FALSE);
|
||||||
|
}
|
||||||
|
if (set_checksum) {
|
||||||
|
send_fake_data(w_filter, addr, pkt, packetLen,
|
||||||
|
is_ipv6, is_https,
|
||||||
|
FALSE, set_checksum, FALSE);
|
||||||
|
}
|
||||||
|
if (set_seq) {
|
||||||
|
send_fake_data(w_filter, addr, pkt, packetLen,
|
||||||
|
is_ipv6, is_https,
|
||||||
|
FALSE, FALSE, set_seq);
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
int send_fake_http_request(const HANDLE w_filter,
|
int send_fake_http_request(const HANDLE w_filter,
|
||||||
const PWINDIVERT_ADDRESS addr,
|
const PWINDIVERT_ADDRESS addr,
|
||||||
const char *pkt,
|
const char *pkt,
|
||||||
const UINT packetLen,
|
const UINT packetLen,
|
||||||
const BOOL is_ipv6,
|
const BOOL is_ipv6,
|
||||||
const BYTE set_ttl,
|
const BYTE set_ttl,
|
||||||
const BYTE set_checksum
|
const BYTE set_checksum,
|
||||||
|
const BYTE set_seq
|
||||||
) {
|
) {
|
||||||
return send_fake_data(w_filter,
|
return send_fake_request(w_filter, addr, pkt, packetLen,
|
||||||
addr,
|
is_ipv6, FALSE,
|
||||||
pkt,
|
set_ttl, set_checksum, set_seq);
|
||||||
packetLen,
|
|
||||||
is_ipv6,
|
|
||||||
FALSE,
|
|
||||||
set_ttl,
|
|
||||||
set_checksum
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int send_fake_https_request(const HANDLE w_filter,
|
int send_fake_https_request(const HANDLE w_filter,
|
||||||
@@ -152,15 +186,10 @@ int send_fake_https_request(const HANDLE w_filter,
|
|||||||
const UINT packetLen,
|
const UINT packetLen,
|
||||||
const BOOL is_ipv6,
|
const BOOL is_ipv6,
|
||||||
const BYTE set_ttl,
|
const BYTE set_ttl,
|
||||||
const BYTE set_checksum
|
const BYTE set_checksum,
|
||||||
|
const BYTE set_seq
|
||||||
) {
|
) {
|
||||||
return send_fake_data(w_filter,
|
return send_fake_request(w_filter, addr, pkt, packetLen,
|
||||||
addr,
|
is_ipv6, TRUE,
|
||||||
pkt,
|
set_ttl, set_checksum, set_seq);
|
||||||
packetLen,
|
|
||||||
is_ipv6,
|
|
||||||
TRUE,
|
|
||||||
set_ttl,
|
|
||||||
set_checksum
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -4,7 +4,8 @@ int send_fake_http_request(const HANDLE w_filter,
|
|||||||
const UINT packetLen,
|
const UINT packetLen,
|
||||||
const BOOL is_ipv6,
|
const BOOL is_ipv6,
|
||||||
const BYTE set_ttl,
|
const BYTE set_ttl,
|
||||||
const BYTE set_checksum
|
const BYTE set_checksum,
|
||||||
|
const BYTE set_seq
|
||||||
);
|
);
|
||||||
int send_fake_https_request(const HANDLE w_filter,
|
int send_fake_https_request(const HANDLE w_filter,
|
||||||
const PWINDIVERT_ADDRESS addr,
|
const PWINDIVERT_ADDRESS addr,
|
||||||
@@ -12,5 +13,6 @@ int send_fake_https_request(const HANDLE w_filter,
|
|||||||
const UINT packetLen,
|
const UINT packetLen,
|
||||||
const BOOL is_ipv6,
|
const BOOL is_ipv6,
|
||||||
const BYTE set_ttl,
|
const BYTE set_ttl,
|
||||||
const BYTE set_checksum
|
const BYTE set_checksum,
|
||||||
|
const BYTE set_seq
|
||||||
);
|
);
|
||||||
|
|||||||
252
src/goodbyedpi.c
252
src/goodbyedpi.c
@@ -16,13 +16,14 @@
|
|||||||
#include "utils/repl_str.h"
|
#include "utils/repl_str.h"
|
||||||
#include "service.h"
|
#include "service.h"
|
||||||
#include "dnsredir.h"
|
#include "dnsredir.h"
|
||||||
|
#include "ttltrack.h"
|
||||||
#include "blackwhitelist.h"
|
#include "blackwhitelist.h"
|
||||||
#include "fakepackets.h"
|
#include "fakepackets.h"
|
||||||
|
|
||||||
// My mingw installation does not load inet_pton definition for some reason
|
// My mingw installation does not load inet_pton definition for some reason
|
||||||
WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pAddr);
|
WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pAddr);
|
||||||
|
|
||||||
#define GOODBYEDPI_VERSION "v0.1.7"
|
#define GOODBYEDPI_VERSION "v0.1.8"
|
||||||
|
|
||||||
#define die() do { sleep(20); exit(EXIT_FAILURE); } while (0)
|
#define die() do { sleep(20); exit(EXIT_FAILURE); } while (0)
|
||||||
|
|
||||||
@@ -94,7 +95,24 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
|
|||||||
} \
|
} \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
|
#define TCP_HANDLE_OUTGOING_ADJUST_TTL() do { \
|
||||||
|
if ((packet_v4 && tcp_handle_outgoing(&ppIpHdr->SrcAddr, &ppIpHdr->DstAddr, \
|
||||||
|
ppTcpHdr->SrcPort, ppTcpHdr->DstPort, \
|
||||||
|
&tcp_conn_info, 0)) \
|
||||||
|
|| \
|
||||||
|
(packet_v6 && tcp_handle_outgoing(ppIpV6Hdr->SrcAddr, ppIpV6Hdr->DstAddr, \
|
||||||
|
ppTcpHdr->SrcPort, ppTcpHdr->DstPort, \
|
||||||
|
&tcp_conn_info, 1))) \
|
||||||
|
{ \
|
||||||
|
ttl_of_fake_packet = tcp_get_auto_ttl(tcp_conn_info.ttl, do_auto_ttl); \
|
||||||
|
if (do_tcp_verb) { \
|
||||||
|
printf("Connection TTL = %d, Fake TTL = %d\n", tcp_conn_info.ttl, ttl_of_fake_packet); \
|
||||||
|
} \
|
||||||
|
} \
|
||||||
|
} while (0)
|
||||||
|
|
||||||
static int running_from_service = 0;
|
static int running_from_service = 0;
|
||||||
|
static int exiting = 0;
|
||||||
static HANDLE filters[MAX_FILTERS];
|
static HANDLE filters[MAX_FILTERS];
|
||||||
static int filter_num = 0;
|
static int filter_num = 0;
|
||||||
static const char http10_redirect_302[] = "HTTP/1.0 302 ";
|
static const char http10_redirect_302[] = "HTTP/1.0 302 ";
|
||||||
@@ -124,7 +142,9 @@ static struct option long_options[] = {
|
|||||||
{"blacklist", required_argument, 0, 'b' },
|
{"blacklist", required_argument, 0, 'b' },
|
||||||
{"ip-id", required_argument, 0, 'i' },
|
{"ip-id", required_argument, 0, 'i' },
|
||||||
{"set-ttl", required_argument, 0, '$' },
|
{"set-ttl", required_argument, 0, '$' },
|
||||||
|
{"auto-ttl", optional_argument, 0, '+' },
|
||||||
{"wrong-chksum",no_argument, 0, '%' },
|
{"wrong-chksum",no_argument, 0, '%' },
|
||||||
|
{"wrong-seq", no_argument, 0, ')' },
|
||||||
{"native-frag", no_argument, 0, '*' },
|
{"native-frag", no_argument, 0, '*' },
|
||||||
{"reverse-frag",no_argument, 0, '(' },
|
{"reverse-frag",no_argument, 0, '(' },
|
||||||
{0, 0, 0, 0 }
|
{0, 0, 0, 0 }
|
||||||
@@ -146,9 +166,9 @@ static void add_filter_str(int proto, int port) {
|
|||||||
|
|
||||||
strcpy(new_filter, current_filter);
|
strcpy(new_filter, current_filter);
|
||||||
if (proto == IPPROTO_UDP)
|
if (proto == IPPROTO_UDP)
|
||||||
sprintf(&(new_filter[strlen(new_filter)]), udp, port, port);
|
sprintf(new_filter + strlen(new_filter), udp, port, port);
|
||||||
else
|
else
|
||||||
sprintf(&(new_filter[strlen(new_filter)]), tcp, port, port);
|
sprintf(new_filter + strlen(new_filter), tcp, port, port);
|
||||||
|
|
||||||
filter_string = new_filter;
|
filter_string = new_filter;
|
||||||
free(current_filter);
|
free(current_filter);
|
||||||
@@ -264,6 +284,7 @@ void deinit_all() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void sigint_handler(int sig __attribute__((unused))) {
|
static void sigint_handler(int sig __attribute__((unused))) {
|
||||||
|
exiting = 1;
|
||||||
deinit_all();
|
deinit_all();
|
||||||
exit(EXIT_SUCCESS);
|
exit(EXIT_SUCCESS);
|
||||||
}
|
}
|
||||||
@@ -308,24 +329,70 @@ static int find_header_and_get_info(const char *pktdata, unsigned int pktlen,
|
|||||||
hdr_begin = dumb_memmem(pktdata, pktlen,
|
hdr_begin = dumb_memmem(pktdata, pktlen,
|
||||||
hdrname, strlen(hdrname));
|
hdrname, strlen(hdrname));
|
||||||
if (!hdr_begin) return FALSE;
|
if (!hdr_begin) return FALSE;
|
||||||
if ((PVOID)pktdata > (PVOID)hdr_begin) return FALSE;
|
if (pktdata > hdr_begin) return FALSE;
|
||||||
|
|
||||||
/* Set header address */
|
/* Set header address */
|
||||||
*hdrnameaddr = hdr_begin;
|
*hdrnameaddr = hdr_begin;
|
||||||
*hdrvalueaddr = (PVOID)hdr_begin + strlen(hdrname);
|
*hdrvalueaddr = hdr_begin + strlen(hdrname);
|
||||||
|
|
||||||
/* Search for header end (\r\n) */
|
/* Search for header end (\r\n) */
|
||||||
data_addr_rn = dumb_memmem(*hdrvalueaddr,
|
data_addr_rn = dumb_memmem(*hdrvalueaddr,
|
||||||
pktlen - ((PVOID)*hdrvalueaddr - (PVOID)pktdata),
|
pktlen - (*hdrvalueaddr - pktdata),
|
||||||
"\r\n", 2);
|
"\r\n", 2);
|
||||||
if (data_addr_rn) {
|
if (data_addr_rn) {
|
||||||
*hdrvaluelen = (PVOID)data_addr_rn - (PVOID)*hdrvalueaddr;
|
*hdrvaluelen = data_addr_rn - *hdrvalueaddr;
|
||||||
if (*hdrvaluelen > 0u && *hdrvaluelen <= 512u)
|
if (*hdrvaluelen > 0u && *hdrvaluelen <= 512u)
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Very crude Server Name Indication (TLS ClientHello hostname) extractor.
|
||||||
|
*/
|
||||||
|
static int extract_sni(const char *pktdata, unsigned int pktlen,
|
||||||
|
char **hostnameaddr, unsigned int *hostnamelen) {
|
||||||
|
uint32_t ptr = 0;
|
||||||
|
unsigned char *d = (unsigned char*)pktdata;
|
||||||
|
unsigned char *hnaddr = 0;
|
||||||
|
unsigned int hnlen = 0;
|
||||||
|
|
||||||
|
while (ptr + 8 < pktlen) {
|
||||||
|
/* Search for specific Extensions sequence */
|
||||||
|
if (d[ptr] == '\0' && d[ptr+1] == '\0' && d[ptr+2] == '\0' &&
|
||||||
|
d[ptr+4] == '\0' && d[ptr+6] == '\0' && d[ptr+7] == '\0' &&
|
||||||
|
/* Check Extension length, Server Name list length
|
||||||
|
* and Server Name length relations
|
||||||
|
*/
|
||||||
|
d[ptr+3] - d[ptr+5] == 2 && d[ptr+5] - d[ptr+8] == 3)
|
||||||
|
{
|
||||||
|
if (ptr + 8 + d[ptr+8] > pktlen) {
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
hnaddr = &d[ptr+9];
|
||||||
|
hnlen = d[ptr+8];
|
||||||
|
/* Limit hostname size up to 254 bytes */
|
||||||
|
if (hnlen < 2 || hnlen > 254) {
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
/* Validate that hostname has only ascii lowercase characters */
|
||||||
|
for (unsigned int i=0; i<hnlen; i++) {
|
||||||
|
if (!( (hnaddr[i] >= '1' && hnaddr[i] <= '9') ||
|
||||||
|
(hnaddr[i] >= 'a' && hnaddr[i] <= 'z') ||
|
||||||
|
hnaddr[i] == '.'))
|
||||||
|
{
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
*hostnameaddr = (char*)hnaddr;
|
||||||
|
*hostnamelen = hnlen;
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
ptr++;
|
||||||
|
}
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
static inline void change_window_size(const PWINDIVERT_TCPHDR ppTcpHdr, unsigned int size) {
|
static inline void change_window_size(const PWINDIVERT_TCPHDR ppTcpHdr, unsigned int size) {
|
||||||
if (size >= 1 && size <= 0xFFFFu) {
|
if (size >= 1 && size <= 0xFFFFu) {
|
||||||
ppTcpHdr->Window = htons((u_short)size);
|
ppTcpHdr->Window = htons((u_short)size);
|
||||||
@@ -360,12 +427,12 @@ static PVOID find_http_method_end(const char *pkt, unsigned int http_frag, int *
|
|||||||
* This function cuts off the end of the packet (step=0) or
|
* This function cuts off the end of the packet (step=0) or
|
||||||
* the beginning of the packet (step=1) with fragment_size bytes.
|
* the beginning of the packet (step=1) with fragment_size bytes.
|
||||||
*/
|
*/
|
||||||
static PVOID send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
|
static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
|
||||||
char *packet, UINT packetLen, PVOID packet_data,
|
char *packet, UINT packetLen, PVOID packet_data,
|
||||||
UINT packet_dataLen, int packet_v4, int packet_v6,
|
UINT packet_dataLen, int packet_v4, int packet_v6,
|
||||||
PWINDIVERT_IPHDR ppIpHdr, PWINDIVERT_IPV6HDR ppIpV6Hdr,
|
PWINDIVERT_IPHDR ppIpHdr, PWINDIVERT_IPV6HDR ppIpV6Hdr,
|
||||||
PWINDIVERT_TCPHDR ppTcpHdr,
|
PWINDIVERT_TCPHDR ppTcpHdr,
|
||||||
int fragment_size, int step) {
|
unsigned int fragment_size, int step) {
|
||||||
char packet_bak[MAX_PACKET_SIZE];
|
char packet_bak[MAX_PACKET_SIZE];
|
||||||
memcpy(&packet_bak, packet, packetLen);
|
memcpy(&packet_bak, packet, packetLen);
|
||||||
UINT orig_packetLen = packetLen;
|
UINT orig_packetLen = packetLen;
|
||||||
@@ -399,7 +466,7 @@ static PVOID send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
|
|||||||
//printf("step1 (%d:%d), pp:%d, was:%d, now:%d\n", packet_v4, packet_v6, ntohs(ppIpHdr->Length),
|
//printf("step1 (%d:%d), pp:%d, was:%d, now:%d\n", packet_v4, packet_v6, ntohs(ppIpHdr->Length),
|
||||||
// packetLen, packetLen - fragment_size);
|
// packetLen, packetLen - fragment_size);
|
||||||
memmove(packet_data,
|
memmove(packet_data,
|
||||||
packet_data + fragment_size,
|
(char*)packet_data + fragment_size,
|
||||||
packet_dataLen - fragment_size);
|
packet_dataLen - fragment_size);
|
||||||
packetLen -= fragment_size;
|
packetLen -= fragment_size;
|
||||||
|
|
||||||
@@ -441,6 +508,7 @@ int main(int argc, char *argv[]) {
|
|||||||
PWINDIVERT_TCPHDR ppTcpHdr;
|
PWINDIVERT_TCPHDR ppTcpHdr;
|
||||||
PWINDIVERT_UDPHDR ppUdpHdr;
|
PWINDIVERT_UDPHDR ppUdpHdr;
|
||||||
conntrack_info_t dns_conn_info;
|
conntrack_info_t dns_conn_info;
|
||||||
|
tcp_conntrack_info_t tcp_conn_info;
|
||||||
|
|
||||||
int do_passivedpi = 0, do_fragment_http = 0,
|
int do_passivedpi = 0, do_fragment_http = 0,
|
||||||
do_fragment_http_persistent = 0,
|
do_fragment_http_persistent = 0,
|
||||||
@@ -450,9 +518,11 @@ int main(int argc, char *argv[]) {
|
|||||||
do_http_allports = 0,
|
do_http_allports = 0,
|
||||||
do_host_mixedcase = 0,
|
do_host_mixedcase = 0,
|
||||||
do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
|
do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
|
||||||
do_dns_verb = 0, do_blacklist = 0,
|
do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0,
|
||||||
do_fake_packet = 0,
|
do_fake_packet = 0,
|
||||||
|
do_auto_ttl = 0,
|
||||||
do_wrong_chksum = 0,
|
do_wrong_chksum = 0,
|
||||||
|
do_wrong_seq = 0,
|
||||||
do_native_frag = 0, do_reverse_frag = 0;
|
do_native_frag = 0, do_reverse_frag = 0;
|
||||||
unsigned int http_fragment_size = 0;
|
unsigned int http_fragment_size = 0;
|
||||||
unsigned int https_fragment_size = 0;
|
unsigned int https_fragment_size = 0;
|
||||||
@@ -504,15 +574,16 @@ int main(int argc, char *argv[]) {
|
|||||||
);
|
);
|
||||||
|
|
||||||
if (argc == 1) {
|
if (argc == 1) {
|
||||||
/* enable mode -1 by default */
|
/* enable mode -5 by default */
|
||||||
|
do_fragment_http = do_fragment_https = 1;
|
||||||
|
do_reverse_frag = do_native_frag = 1;
|
||||||
http_fragment_size = https_fragment_size = 2;
|
http_fragment_size = https_fragment_size = 2;
|
||||||
do_passivedpi = do_host = do_host_removespace \
|
do_fragment_http_persistent = do_fragment_http_persistent_nowait = 1;
|
||||||
= do_fragment_http = do_fragment_https \
|
do_fake_packet = 1;
|
||||||
= do_fragment_http_persistent \
|
do_auto_ttl = 4;
|
||||||
= do_fragment_http_persistent_nowait = 1;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
while ((opt = getopt_long(argc, argv, "1234prsaf:e:mwk:n", long_options, NULL)) != -1) {
|
while ((opt = getopt_long(argc, argv, "123456prsaf:e:mwk:n", long_options, NULL)) != -1) {
|
||||||
switch (opt) {
|
switch (opt) {
|
||||||
case '1':
|
case '1':
|
||||||
do_passivedpi = do_host = do_host_removespace \
|
do_passivedpi = do_host = do_host_removespace \
|
||||||
@@ -535,6 +606,22 @@ int main(int argc, char *argv[]) {
|
|||||||
case '4':
|
case '4':
|
||||||
do_passivedpi = do_host = do_host_removespace = 1;
|
do_passivedpi = do_host = do_host_removespace = 1;
|
||||||
break;
|
break;
|
||||||
|
case '5':
|
||||||
|
do_fragment_http = do_fragment_https = 1;
|
||||||
|
do_reverse_frag = do_native_frag = 1;
|
||||||
|
http_fragment_size = https_fragment_size = 2;
|
||||||
|
do_fragment_http_persistent = do_fragment_http_persistent_nowait = 1;
|
||||||
|
do_fake_packet = 1;
|
||||||
|
do_auto_ttl = 4;
|
||||||
|
break;
|
||||||
|
case '6':
|
||||||
|
do_fragment_http = do_fragment_https = 1;
|
||||||
|
do_reverse_frag = do_native_frag = 1;
|
||||||
|
http_fragment_size = https_fragment_size = 2;
|
||||||
|
do_fragment_http_persistent = do_fragment_http_persistent_nowait = 1;
|
||||||
|
do_fake_packet = 1;
|
||||||
|
do_wrong_seq = 1;
|
||||||
|
break;
|
||||||
case 'p':
|
case 'p':
|
||||||
do_passivedpi = 1;
|
do_passivedpi = 1;
|
||||||
break;
|
break;
|
||||||
@@ -649,6 +736,7 @@ int main(int argc, char *argv[]) {
|
|||||||
break;
|
break;
|
||||||
case 'v':
|
case 'v':
|
||||||
do_dns_verb = 1;
|
do_dns_verb = 1;
|
||||||
|
do_tcp_verb = 1;
|
||||||
break;
|
break;
|
||||||
case 'b':
|
case 'b':
|
||||||
do_blacklist = 1;
|
do_blacklist = 1;
|
||||||
@@ -661,10 +749,23 @@ int main(int argc, char *argv[]) {
|
|||||||
do_fake_packet = 1;
|
do_fake_packet = 1;
|
||||||
ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!");
|
ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!");
|
||||||
break;
|
break;
|
||||||
|
case '+':
|
||||||
|
do_fake_packet = 1;
|
||||||
|
do_auto_ttl = 4;
|
||||||
|
if (optarg) {
|
||||||
|
do_auto_ttl = atoub(optarg, "Set Auto TTL parameter error!");
|
||||||
|
} else if (argv[optind] && argv[optind][0] != '-') {
|
||||||
|
do_auto_ttl = atoub(argv[optind], "Set Auto TTL parameter error!");
|
||||||
|
}
|
||||||
|
break;
|
||||||
case '%':
|
case '%':
|
||||||
do_fake_packet = 1;
|
do_fake_packet = 1;
|
||||||
do_wrong_chksum = 1;
|
do_wrong_chksum = 1;
|
||||||
break;
|
break;
|
||||||
|
case ')':
|
||||||
|
do_fake_packet = 1;
|
||||||
|
do_wrong_seq = 1;
|
||||||
|
break;
|
||||||
case '*':
|
case '*':
|
||||||
do_native_frag = 1;
|
do_native_frag = 1;
|
||||||
do_fragment_http_persistent = 1;
|
do_fragment_http_persistent = 1;
|
||||||
@@ -683,26 +784,29 @@ int main(int argc, char *argv[]) {
|
|||||||
" -s remove space between host header and its value\n"
|
" -s remove space between host header and its value\n"
|
||||||
" -a additional space between Method and Request-URI (enables -s, may break sites)\n"
|
" -a additional space between Method and Request-URI (enables -s, may break sites)\n"
|
||||||
" -m mix Host header case (test.com -> tEsT.cOm)\n"
|
" -m mix Host header case (test.com -> tEsT.cOm)\n"
|
||||||
" -f [value] set HTTP fragmentation to value\n"
|
" -f <value> set HTTP fragmentation to value\n"
|
||||||
" -k [value] enable HTTP persistent (keep-alive) fragmentation and set it to value\n"
|
" -k <value> enable HTTP persistent (keep-alive) fragmentation and set it to value\n"
|
||||||
" -n do not wait for first segment ACK when -k is enabled\n"
|
" -n do not wait for first segment ACK when -k is enabled\n"
|
||||||
" -e [value] set HTTPS fragmentation to value\n"
|
" -e <value> set HTTPS fragmentation to value\n"
|
||||||
" -w try to find and parse HTTP traffic on all processed ports (not only on port 80)\n"
|
" -w try to find and parse HTTP traffic on all processed ports (not only on port 80)\n"
|
||||||
" --port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n"
|
" --port <value> additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n"
|
||||||
" --ip-id [value] handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).\n"
|
" --ip-id <value> handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).\n"
|
||||||
" --dns-addr [value] redirect UDPv4 DNS requests to the supplied IPv4 address (experimental)\n"
|
" --dns-addr <value> redirect UDPv4 DNS requests to the supplied IPv4 address (experimental)\n"
|
||||||
" --dns-port [value] redirect UDPv4 DNS requests to the supplied port (53 by default)\n"
|
" --dns-port <value> redirect UDPv4 DNS requests to the supplied port (53 by default)\n"
|
||||||
" --dnsv6-addr [value] redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)\n"
|
" --dnsv6-addr <value> redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)\n"
|
||||||
" --dnsv6-port [value] redirect UDPv6 DNS requests to the supplied port (53 by default)\n"
|
" --dnsv6-port <value> redirect UDPv6 DNS requests to the supplied port (53 by default)\n"
|
||||||
" --dns-verb print verbose DNS redirection messages\n"
|
" --dns-verb print verbose DNS redirection messages\n"
|
||||||
" --blacklist [txtfile] perform HTTP tricks only to host names and subdomains from\n"
|
" --blacklist <txtfile> perform circumvention tricks only to host names and subdomains from\n"
|
||||||
" supplied text file. This option can be supplied multiple times.\n"
|
" supplied text file (HTTP Host/TLS SNI).\n"
|
||||||
" --set-ttl [value] activate Fake Request Mode and send it with supplied TTL value.\n"
|
" This option can be supplied multiple times.\n"
|
||||||
|
" --set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.\n"
|
||||||
" DANGEROUS! May break websites in unexpected ways. Use with care.\n"
|
" DANGEROUS! May break websites in unexpected ways. Use with care.\n"
|
||||||
" Could be combined with --wrong-chksum.\n"
|
" --auto-ttl [decttl] activate Fake Request Mode, automatically detect TTL and decrease\n"
|
||||||
|
" it from standard 64 or 128 by decttl (128/64 - TTL - 4 by default).\n"
|
||||||
" --wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.\n"
|
" --wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.\n"
|
||||||
" May not work in a VM or with some routers, but is safer than set-ttl.\n"
|
" May not work in a VM or with some routers, but is safer than set-ttl.\n"
|
||||||
" Could be combined with --set-ttl\n"
|
" Could be combined with --set-ttl\n"
|
||||||
|
" --wrong-seq activate Fake Request Mode and send it with TCP SEQ/ACK in the past.\n"
|
||||||
" --native-frag fragment (split) the packets by sending them in smaller packets, without\n"
|
" --native-frag fragment (split) the packets by sending them in smaller packets, without\n"
|
||||||
" shrinking the Window Size. Works faster (does not slow down the connection)\n"
|
" shrinking the Window Size. Works faster (does not slow down the connection)\n"
|
||||||
" and better.\n"
|
" and better.\n"
|
||||||
@@ -710,10 +814,16 @@ int main(int argc, char *argv[]) {
|
|||||||
" reversed order. Works with the websites which could not handle segmented\n"
|
" reversed order. Works with the websites which could not handle segmented\n"
|
||||||
" HTTPS TLS ClientHello (because they receive the TCP flow \"combined\").\n"
|
" HTTPS TLS ClientHello (because they receive the TCP flow \"combined\").\n"
|
||||||
"\n"
|
"\n"
|
||||||
" -1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode, default)\n"
|
"\n"
|
||||||
|
"LEGACY modesets:\n"
|
||||||
|
" -1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode)\n"
|
||||||
" -2 -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)\n"
|
" -2 -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)\n"
|
||||||
" -3 -p -r -s -e 40 (better speed for HTTP and HTTPS)\n"
|
" -3 -p -r -s -e 40 (better speed for HTTP and HTTPS)\n"
|
||||||
" -4 -p -r -s (best speed)");
|
" -4 -p -r -s (best speed)"
|
||||||
|
"\n"
|
||||||
|
"Modern modesets (more stable, more compatible, faster):\n"
|
||||||
|
" -5 -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)\n"
|
||||||
|
" -6 -f 2 -e 2 --wrong-seq --reverse-frag\n");
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -729,17 +839,19 @@ int main(int argc, char *argv[]) {
|
|||||||
"hoSt: %d\nHost no space: %d\nAdditional space: %d\n"
|
"hoSt: %d\nHost no space: %d\nAdditional space: %d\n"
|
||||||
"Mix Host: %d\nHTTP AllPorts: %d\nHTTP Persistent Nowait: %d\n"
|
"Mix Host: %d\nHTTP AllPorts: %d\nHTTP Persistent Nowait: %d\n"
|
||||||
"DNS redirect: %d\nDNSv6 redirect: %d\n"
|
"DNS redirect: %d\nDNSv6 redirect: %d\n"
|
||||||
"Fake requests, TTL: %hu\nFake requests, wrong checksum: %d\n",
|
"Fake requests, TTL: %hu (auto: %hu)\nFake requests, wrong checksum: %d\n"
|
||||||
|
"Fake requests, wrong SEQ/ACK: %d\n",
|
||||||
do_passivedpi, (do_fragment_http ? http_fragment_size : 0),
|
do_passivedpi, (do_fragment_http ? http_fragment_size : 0),
|
||||||
(do_fragment_http_persistent ? http_fragment_size : 0),
|
(do_fragment_http_persistent ? http_fragment_size : 0),
|
||||||
(do_fragment_https ? https_fragment_size : 0),
|
(do_fragment_https ? https_fragment_size : 0),
|
||||||
do_native_frag, do_reverse_frag,
|
do_native_frag, do_reverse_frag,
|
||||||
do_host, do_host_removespace, do_additional_space, do_host_mixedcase,
|
do_host, do_host_removespace, do_additional_space, do_host_mixedcase,
|
||||||
do_http_allports, do_fragment_http_persistent_nowait, do_dnsv4_redirect,
|
do_http_allports, do_fragment_http_persistent_nowait, do_dnsv4_redirect,
|
||||||
do_dnsv6_redirect, ttl_of_fake_packet, do_wrong_chksum
|
do_dnsv6_redirect, ttl_of_fake_packet, do_auto_ttl,
|
||||||
|
do_wrong_chksum, do_wrong_seq
|
||||||
);
|
);
|
||||||
|
|
||||||
if (do_fragment_http && http_fragment_size > 2) {
|
if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) {
|
||||||
printf("WARNING: HTTP fragmentation values > 2 are not fully compatible "
|
printf("WARNING: HTTP fragmentation values > 2 are not fully compatible "
|
||||||
"with other options. Please use values <= 2 or disable HTTP fragmentation "
|
"with other options. Please use values <= 2 or disable HTTP fragmentation "
|
||||||
"completely.\n");
|
"completely.\n");
|
||||||
@@ -861,9 +973,25 @@ int main(int argc, char *argv[]) {
|
|||||||
)
|
)
|
||||||
{
|
{
|
||||||
if (packet_dataLen >=2 && memcmp(packet_data, "\x16\x03", 2) == 0) {
|
if (packet_dataLen >=2 && memcmp(packet_data, "\x16\x03", 2) == 0) {
|
||||||
|
if (do_blacklist
|
||||||
|
? (extract_sni(packet_data, packet_dataLen,
|
||||||
|
&host_addr, &host_len) &&
|
||||||
|
blackwhitelist_check_hostname(host_addr, host_len))
|
||||||
|
: 1)
|
||||||
|
{
|
||||||
|
#ifdef DEBUG
|
||||||
|
unsigned char lsni[256] = {0};
|
||||||
|
extract_sni(packet_data, packet_dataLen,
|
||||||
|
&host_addr, &host_len);
|
||||||
|
memcpy(&lsni, host_addr, host_len);
|
||||||
|
printf("Blocked HTTPS website SNI: %s\n", lsni);
|
||||||
|
#endif
|
||||||
if (do_fake_packet) {
|
if (do_fake_packet) {
|
||||||
|
if (do_auto_ttl) {
|
||||||
|
TCP_HANDLE_OUTGOING_ADJUST_TTL();
|
||||||
|
}
|
||||||
send_fake_https_request(w_filter, &addr, packet, packetLen, packet_v6,
|
send_fake_https_request(w_filter, &addr, packet, packetLen, packet_v6,
|
||||||
ttl_of_fake_packet, do_wrong_chksum);
|
ttl_of_fake_packet, do_wrong_chksum, do_wrong_seq);
|
||||||
}
|
}
|
||||||
if (do_native_frag) {
|
if (do_native_frag) {
|
||||||
// Signal for native fragmentation code handler
|
// Signal for native fragmentation code handler
|
||||||
@@ -871,6 +999,7 @@ int main(int argc, char *argv[]) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
/* Handle OUTBOUND packet on port 80, search for Host header */
|
/* Handle OUTBOUND packet on port 80, search for Host header */
|
||||||
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
|
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
|
||||||
packet_dataLen > 16 &&
|
packet_dataLen > 16 &&
|
||||||
@@ -891,15 +1020,24 @@ int main(int argc, char *argv[]) {
|
|||||||
{
|
{
|
||||||
host_addr = hdr_value_addr;
|
host_addr = hdr_value_addr;
|
||||||
host_len = hdr_value_len;
|
host_len = hdr_value_len;
|
||||||
|
#ifdef DEBUG
|
||||||
|
unsigned char lhost[256] = {0};
|
||||||
|
memcpy(&lhost, host_addr, host_len);
|
||||||
|
printf("Blocked HTTP website Host: %s\n", lhost);
|
||||||
|
#endif
|
||||||
|
|
||||||
if (do_native_frag) {
|
if (do_native_frag) {
|
||||||
// Signal for native fragmentation code handler
|
// Signal for native fragmentation code handler
|
||||||
should_recalc_checksum = 1;
|
should_recalc_checksum = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (do_fake_packet)
|
if (do_fake_packet) {
|
||||||
|
if (do_auto_ttl) {
|
||||||
|
TCP_HANDLE_OUTGOING_ADJUST_TTL();
|
||||||
|
}
|
||||||
send_fake_http_request(w_filter, &addr, packet, packetLen, packet_v6,
|
send_fake_http_request(w_filter, &addr, packet, packetLen, packet_v6,
|
||||||
ttl_of_fake_packet, do_wrong_chksum);
|
ttl_of_fake_packet, do_wrong_chksum, do_wrong_seq);
|
||||||
|
}
|
||||||
|
|
||||||
if (do_host_mixedcase) {
|
if (do_host_mixedcase) {
|
||||||
mix_case(host_addr, host_len);
|
mix_case(host_addr, host_len);
|
||||||
@@ -923,7 +1061,7 @@ int main(int argc, char *argv[]) {
|
|||||||
|
|
||||||
if (method_addr) {
|
if (method_addr) {
|
||||||
memmove(method_addr + 1, method_addr,
|
memmove(method_addr + 1, method_addr,
|
||||||
(PVOID)host_addr - (PVOID)method_addr - 1);
|
(size_t)(host_addr - method_addr - 1));
|
||||||
should_recalc_checksum = 1;
|
should_recalc_checksum = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -951,10 +1089,10 @@ int main(int argc, char *argv[]) {
|
|||||||
* to the end of User-Agent
|
* to the end of User-Agent
|
||||||
*/
|
*/
|
||||||
memmove(host_addr - 1, host_addr,
|
memmove(host_addr - 1, host_addr,
|
||||||
(PVOID)useragent_addr + useragent_len - (PVOID)host_addr);
|
(size_t)(useragent_addr + useragent_len - host_addr));
|
||||||
host_addr -= 1;
|
host_addr -= 1;
|
||||||
/* Put space in the end of User-Agent header */
|
/* Put space in the end of User-Agent header */
|
||||||
*(char*)((PVOID)useragent_addr + useragent_len - 1) = ' ';
|
*(char*)((uint8_t*)useragent_addr + useragent_len - 1) = ' ';
|
||||||
should_recalc_checksum = 1;
|
should_recalc_checksum = 1;
|
||||||
//printf("Replaced Host header!\n");
|
//printf("Replaced Host header!\n");
|
||||||
}
|
}
|
||||||
@@ -964,11 +1102,11 @@ int main(int argc, char *argv[]) {
|
|||||||
/* Move one byte to the RIGHT from the end of User-Agent
|
/* Move one byte to the RIGHT from the end of User-Agent
|
||||||
* to the "Host:"
|
* to the "Host:"
|
||||||
*/
|
*/
|
||||||
memmove((PVOID)useragent_addr + useragent_len + 1,
|
memmove(useragent_addr + useragent_len + 1,
|
||||||
(PVOID)useragent_addr + useragent_len,
|
useragent_addr + useragent_len,
|
||||||
(PVOID)host_addr - 1 - ((PVOID)useragent_addr + useragent_len));
|
(size_t)(host_addr - 1 - (useragent_addr + useragent_len)));
|
||||||
/* Put space in the end of User-Agent header */
|
/* Put space in the end of User-Agent header */
|
||||||
*(char*)((PVOID)useragent_addr + useragent_len) = ' ';
|
*(char*)((uint8_t*)useragent_addr + useragent_len) = ' ';
|
||||||
should_recalc_checksum = 1;
|
should_recalc_checksum = 1;
|
||||||
//printf("Replaced Host header!\n");
|
//printf("Replaced Host header!\n");
|
||||||
}
|
}
|
||||||
@@ -1012,13 +1150,29 @@ int main(int argc, char *argv[]) {
|
|||||||
else if (packet_type == ipv4_tcp || packet_type == ipv6_tcp) {
|
else if (packet_type == ipv4_tcp || packet_type == ipv6_tcp) {
|
||||||
/* If we got INBOUND SYN+ACK packet */
|
/* If we got INBOUND SYN+ACK packet */
|
||||||
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND &&
|
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND &&
|
||||||
ppTcpHdr->Syn == 1 && ppTcpHdr->Ack == 1 &&
|
ppTcpHdr->Syn == 1 && ppTcpHdr->Ack == 1) {
|
||||||
!do_native_frag) {
|
|
||||||
//printf("Changing Window Size!\n");
|
//printf("Changing Window Size!\n");
|
||||||
/*
|
/*
|
||||||
* Window Size is changed even if do_fragment_http_persistent
|
* Window Size is changed even if do_fragment_http_persistent
|
||||||
* is enabled as there could be non-HTTP data on port 80
|
* is enabled as there could be non-HTTP data on port 80
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
if (do_fake_packet && do_auto_ttl) {
|
||||||
|
if (!((packet_v4 && tcp_handle_incoming(&ppIpHdr->SrcAddr, &ppIpHdr->DstAddr,
|
||||||
|
ppTcpHdr->SrcPort, ppTcpHdr->DstPort,
|
||||||
|
0, ppIpHdr->TTL))
|
||||||
|
||
|
||||||
|
(packet_v6 && tcp_handle_incoming((uint32_t*)&ppIpV6Hdr->SrcAddr,
|
||||||
|
(uint32_t*)&ppIpV6Hdr->DstAddr,
|
||||||
|
ppTcpHdr->SrcPort, ppTcpHdr->DstPort,
|
||||||
|
1, ppIpV6Hdr->HopLimit))))
|
||||||
|
{
|
||||||
|
if (do_tcp_verb)
|
||||||
|
puts("[TCP WARN] Can't add TCP connection record.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!do_native_frag) {
|
||||||
if (do_fragment_http && ppTcpHdr->SrcPort == htons(80)) {
|
if (do_fragment_http && ppTcpHdr->SrcPort == htons(80)) {
|
||||||
change_window_size(ppTcpHdr, http_fragment_size);
|
change_window_size(ppTcpHdr, http_fragment_size);
|
||||||
should_recalc_checksum = 1;
|
should_recalc_checksum = 1;
|
||||||
@@ -1029,6 +1183,7 @@ int main(int argc, char *argv[]) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* Else if we got UDP packet with data */
|
/* Else if we got UDP packet with data */
|
||||||
else if ((do_dnsv4_redirect && (packet_type == ipv4_udp_data)) ||
|
else if ((do_dnsv4_redirect && (packet_type == ipv4_udp_data)) ||
|
||||||
@@ -1100,13 +1255,14 @@ int main(int argc, char *argv[]) {
|
|||||||
if (should_reinject) {
|
if (should_reinject) {
|
||||||
//printf("Re-injecting!\n");
|
//printf("Re-injecting!\n");
|
||||||
if (should_recalc_checksum) {
|
if (should_recalc_checksum) {
|
||||||
WinDivertHelperCalcChecksums(packet, packetLen, &addr, NULL);
|
WinDivertHelperCalcChecksums(packet, packetLen, &addr, (UINT64)NULL);
|
||||||
}
|
}
|
||||||
WinDivertSend(w_filter, packet, packetLen, &addr, NULL);
|
WinDivertSend(w_filter, packet, packetLen, &addr, NULL);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
// error, ignore
|
// error, ignore
|
||||||
|
if (!exiting)
|
||||||
printf("Error receiving packet!\n");
|
printf("Error receiving packet!\n");
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -30,7 +30,7 @@ int service_register(int argc, char *argv[])
|
|||||||
*/
|
*/
|
||||||
if (!service_argc && !service_argv) {
|
if (!service_argc && !service_argv) {
|
||||||
service_argc = argc;
|
service_argc = argc;
|
||||||
service_argv = malloc(sizeof(void*) * argc);
|
service_argv = malloc(sizeof(void*) * (size_t)argc);
|
||||||
for (i = 0; i < argc; i++) {
|
for (i = 0; i < argc; i++) {
|
||||||
service_argv[i] = strdup(argv[i]);
|
service_argv[i] = strdup(argv[i]);
|
||||||
}
|
}
|
||||||
@@ -71,7 +71,7 @@ void service_main(int argc __attribute__((unused)),
|
|||||||
SetServiceStatus(hStatus, &ServiceStatus);
|
SetServiceStatus(hStatus, &ServiceStatus);
|
||||||
|
|
||||||
// Calling main with saved argc & argv
|
// Calling main with saved argc & argv
|
||||||
ServiceStatus.dwWin32ExitCode = main(service_argc, service_argv);
|
ServiceStatus.dwWin32ExitCode = (DWORD)main(service_argc, service_argv);
|
||||||
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
|
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
|
||||||
SetServiceStatus(hStatus, &ServiceStatus);
|
SetServiceStatus(hStatus, &ServiceStatus);
|
||||||
return;
|
return;
|
||||||
|
|||||||
241
src/ttltrack.c
Normal file
241
src/ttltrack.c
Normal file
@@ -0,0 +1,241 @@
|
|||||||
|
/**
|
||||||
|
* TCP (TTL) Connection Tracker for GoodbyeDPI
|
||||||
|
*
|
||||||
|
* Monitors SYN/ACK only, to extract the TTL value of the remote server.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <windows.h>
|
||||||
|
#include <time.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include "goodbyedpi.h"
|
||||||
|
#include "ttltrack.h"
|
||||||
|
#include "utils/uthash.h"
|
||||||
|
|
||||||
|
|
||||||
|
/* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + dstip[16] + srcport[2] + dstport[2]) */
|
||||||
|
#define TCP_CONNRECORD_KEY_LEN 37
|
||||||
|
|
||||||
|
#define TCP_CLEANUP_INTERVAL_SEC 30
|
||||||
|
|
||||||
|
/* HACK!
|
||||||
|
* uthash uses strlen() for HASH_FIND_STR.
|
||||||
|
* We have null bytes in our key, so we can't use strlen()
|
||||||
|
* And since it's always TCP_CONNRECORD_KEY_LEN bytes long,
|
||||||
|
* we don't need to use any string function to determine length.
|
||||||
|
*/
|
||||||
|
#undef uthash_strlen
|
||||||
|
#define uthash_strlen(s) TCP_CONNRECORD_KEY_LEN
|
||||||
|
|
||||||
|
typedef struct tcp_connrecord {
|
||||||
|
/* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + dstip[16] + srcport[2] + dstport[2]) */
|
||||||
|
char key[TCP_CONNRECORD_KEY_LEN];
|
||||||
|
time_t time; /* time when this record was added */
|
||||||
|
uint16_t ttl;
|
||||||
|
UT_hash_handle hh; /* makes this structure hashable */
|
||||||
|
} tcp_connrecord_t;
|
||||||
|
|
||||||
|
static time_t last_cleanup = 0;
|
||||||
|
static tcp_connrecord_t *conntrack = NULL;
|
||||||
|
|
||||||
|
inline static void fill_key_data(char *key, const uint8_t is_ipv6, const uint32_t srcip[4],
|
||||||
|
const uint32_t dstip[4], const uint16_t srcport, const uint16_t dstport)
|
||||||
|
{
|
||||||
|
unsigned int offset = 0;
|
||||||
|
|
||||||
|
if (is_ipv6) {
|
||||||
|
*(uint8_t*)(key) = '6';
|
||||||
|
offset += sizeof(uint8_t);
|
||||||
|
ipv6_copy_addr((uint32_t*)(key + offset), srcip);
|
||||||
|
offset += sizeof(uint32_t) * 4;
|
||||||
|
ipv6_copy_addr((uint32_t*)(key + offset), dstip);
|
||||||
|
offset += sizeof(uint32_t) * 4;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
*(uint8_t*)(key) = '4';
|
||||||
|
offset += sizeof(uint8_t);
|
||||||
|
ipv4_copy_addr((uint32_t*)(key + offset), srcip);
|
||||||
|
offset += sizeof(uint32_t) * 4;
|
||||||
|
ipv4_copy_addr((uint32_t*)(key + offset), dstip);
|
||||||
|
offset += sizeof(uint32_t) * 4;
|
||||||
|
}
|
||||||
|
|
||||||
|
*(uint16_t*)(key + offset) = srcport;
|
||||||
|
offset += sizeof(srcport);
|
||||||
|
*(uint16_t*)(key + offset) = dstport;
|
||||||
|
offset += sizeof(dstport);
|
||||||
|
}
|
||||||
|
|
||||||
|
inline static void fill_data_from_key(uint8_t *is_ipv6, uint32_t srcip[4], uint32_t dstip[4],
|
||||||
|
uint16_t *srcport, uint16_t *dstport, const char *key)
|
||||||
|
{
|
||||||
|
unsigned int offset = 0;
|
||||||
|
|
||||||
|
if (key[0] == '6') {
|
||||||
|
*is_ipv6 = 1;
|
||||||
|
offset += sizeof(uint8_t);
|
||||||
|
ipv6_copy_addr(srcip, (uint32_t*)(key + offset));
|
||||||
|
offset += sizeof(uint32_t) * 4;
|
||||||
|
ipv6_copy_addr(dstip, (uint32_t*)(key + offset));
|
||||||
|
offset += sizeof(uint32_t) * 4;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
*is_ipv6 = 0;
|
||||||
|
offset += sizeof(uint8_t);
|
||||||
|
ipv4_copy_addr(srcip, (uint32_t*)(key + offset));
|
||||||
|
offset += sizeof(uint32_t) * 4;
|
||||||
|
ipv4_copy_addr(dstip, (uint32_t*)(key + offset));
|
||||||
|
offset += sizeof(uint32_t) * 4;
|
||||||
|
}
|
||||||
|
*srcport = *(uint16_t*)(key + offset);
|
||||||
|
offset += sizeof(*srcport);
|
||||||
|
*dstport = *(uint16_t*)(key + offset);
|
||||||
|
offset += sizeof(*dstport);
|
||||||
|
}
|
||||||
|
|
||||||
|
inline static void construct_key(const uint32_t srcip[4], const uint32_t dstip[4],
|
||||||
|
const uint16_t srcport, const uint16_t dstport,
|
||||||
|
char *key, const uint8_t is_ipv6)
|
||||||
|
{
|
||||||
|
debug("Construct key enter\n");
|
||||||
|
if (key) {
|
||||||
|
debug("Constructing key\n");
|
||||||
|
fill_key_data(key, is_ipv6, srcip, dstip, srcport, dstport);
|
||||||
|
}
|
||||||
|
debug("Construct key end\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
inline static void deconstruct_key(const char *key, const tcp_connrecord_t *connrecord,
|
||||||
|
tcp_conntrack_info_t *conn_info)
|
||||||
|
{
|
||||||
|
debug("Deconstruct key enter\n");
|
||||||
|
if (key && conn_info) {
|
||||||
|
debug("Deconstructing key\n");
|
||||||
|
fill_data_from_key(&conn_info->is_ipv6,
|
||||||
|
conn_info->srcip, conn_info->dstip,
|
||||||
|
&conn_info->srcport, &conn_info->dstport,
|
||||||
|
key);
|
||||||
|
|
||||||
|
conn_info->ttl = connrecord->ttl;
|
||||||
|
}
|
||||||
|
debug("Deconstruct key end\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
static int check_get_tcp_conntrack_key(const char *key, tcp_connrecord_t **connrecord) {
|
||||||
|
tcp_connrecord_t *tmp_connrecord = NULL;
|
||||||
|
if (!conntrack) return FALSE;
|
||||||
|
|
||||||
|
HASH_FIND_STR(conntrack, key, tmp_connrecord);
|
||||||
|
if (tmp_connrecord) {
|
||||||
|
if (connrecord)
|
||||||
|
*connrecord = tmp_connrecord;
|
||||||
|
debug("check_get_tcp_conntrack_key found key\n");
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
debug("check_get_tcp_conntrack_key key not found\n");
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int add_tcp_conntrack(const uint32_t srcip[4], const uint32_t dstip[4],
|
||||||
|
const uint16_t srcport, const uint16_t dstport,
|
||||||
|
const uint8_t is_ipv6, const uint8_t ttl
|
||||||
|
)
|
||||||
|
{
|
||||||
|
if (!(srcip && srcport && dstip && dstport))
|
||||||
|
return FALSE;
|
||||||
|
|
||||||
|
tcp_connrecord_t *tmp_connrecord = malloc(sizeof(tcp_connrecord_t));
|
||||||
|
construct_key(srcip, dstip, srcport, dstport, tmp_connrecord->key, is_ipv6);
|
||||||
|
|
||||||
|
if (!check_get_tcp_conntrack_key(tmp_connrecord->key, NULL)) {
|
||||||
|
tmp_connrecord->time = time(NULL);
|
||||||
|
tmp_connrecord->ttl = ttl;
|
||||||
|
HASH_ADD_STR(conntrack, key, tmp_connrecord);
|
||||||
|
debug("Added TCP conntrack %u:%hu - %u:%hu\n", srcip[0], ntohs(srcport), dstip[0], ntohs(dstport));
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
debug("Not added TCP conntrack %u:%hu - %u:%hu\n", srcip[0], ntohs(srcport), dstip[0], ntohs(dstport));
|
||||||
|
free(tmp_connrecord);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void tcp_cleanup() {
|
||||||
|
tcp_connrecord_t *tmp_connrecord, *tmp_connrecord2 = NULL;
|
||||||
|
|
||||||
|
if (last_cleanup == 0) {
|
||||||
|
last_cleanup = time(NULL);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (difftime(time(NULL), last_cleanup) >= TCP_CLEANUP_INTERVAL_SEC) {
|
||||||
|
last_cleanup = time(NULL);
|
||||||
|
|
||||||
|
HASH_ITER(hh, conntrack, tmp_connrecord, tmp_connrecord2) {
|
||||||
|
if (difftime(last_cleanup, tmp_connrecord->time) >= TCP_CLEANUP_INTERVAL_SEC) {
|
||||||
|
HASH_DEL(conntrack, tmp_connrecord);
|
||||||
|
free(tmp_connrecord);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
int tcp_handle_incoming(uint32_t srcip[4], uint32_t dstip[4],
|
||||||
|
uint16_t srcport, uint16_t dstport,
|
||||||
|
uint8_t is_ipv6, uint8_t ttl)
|
||||||
|
{
|
||||||
|
tcp_cleanup();
|
||||||
|
|
||||||
|
debug("trying to add TCP srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
|
||||||
|
return add_tcp_conntrack(srcip, dstip, srcport, dstport, is_ipv6, ttl);
|
||||||
|
|
||||||
|
debug("____tcp_handle_incoming FALSE: srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
int tcp_handle_outgoing(uint32_t srcip[4], uint32_t dstip[4],
|
||||||
|
uint16_t srcport, uint16_t dstport,
|
||||||
|
tcp_conntrack_info_t *conn_info,
|
||||||
|
uint8_t is_ipv6)
|
||||||
|
{
|
||||||
|
char key[TCP_CONNRECORD_KEY_LEN];
|
||||||
|
tcp_connrecord_t *tmp_connrecord = NULL;
|
||||||
|
|
||||||
|
if (!conn_info)
|
||||||
|
return FALSE;
|
||||||
|
|
||||||
|
tcp_cleanup();
|
||||||
|
construct_key(dstip, srcip, dstport, srcport, key, is_ipv6);
|
||||||
|
if (check_get_tcp_conntrack_key(key, &tmp_connrecord) && tmp_connrecord) {
|
||||||
|
/* Connection exists in conntrack, moving on */
|
||||||
|
deconstruct_key(key, tmp_connrecord, conn_info);
|
||||||
|
HASH_DEL(conntrack, tmp_connrecord);
|
||||||
|
free(tmp_connrecord);
|
||||||
|
debug("____tcp_handle_outgoing TRUE: srcport = %hu\n", ntohs(srcport));
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
debug("____tcp_handle_outgoing FALSE: srcport = %hu\n", ntohs(srcport));
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
int tcp_get_auto_ttl(const uint8_t ttl, const uint8_t decrease_for) {
|
||||||
|
uint8_t ttl_of_fake_packet = 0;
|
||||||
|
|
||||||
|
if (ttl > 98 && ttl < 128) {
|
||||||
|
/* Safekeeping */
|
||||||
|
if (128 - ttl > decrease_for + 1) {
|
||||||
|
ttl_of_fake_packet = 128 - ttl - decrease_for;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if (ttl > 34 && ttl < 64) {
|
||||||
|
/* Safekeeping */
|
||||||
|
if (64 - ttl > decrease_for + 1) {
|
||||||
|
ttl_of_fake_packet = 64 - ttl - decrease_for;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
ttl_of_fake_packet = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
return ttl_of_fake_packet;
|
||||||
|
}
|
||||||
25
src/ttltrack.h
Normal file
25
src/ttltrack.h
Normal file
@@ -0,0 +1,25 @@
|
|||||||
|
#ifndef _TTLTRACK_H
|
||||||
|
#define _TTLTRACK_H
|
||||||
|
#include <stdint.h>
|
||||||
|
#include "dnsredir.h"
|
||||||
|
|
||||||
|
typedef struct tcp_conntrack_info {
|
||||||
|
uint8_t is_ipv6;
|
||||||
|
uint8_t ttl;
|
||||||
|
uint32_t srcip[4];
|
||||||
|
uint16_t srcport;
|
||||||
|
uint32_t dstip[4];
|
||||||
|
uint16_t dstport;
|
||||||
|
} tcp_conntrack_info_t;
|
||||||
|
|
||||||
|
int tcp_handle_incoming(uint32_t srcip[4], uint32_t dstip[4],
|
||||||
|
uint16_t srcport, uint16_t dstport,
|
||||||
|
uint8_t is_ipv6, uint8_t ttl);
|
||||||
|
|
||||||
|
int tcp_handle_outgoing(uint32_t srcip[4], uint32_t dstip[4],
|
||||||
|
uint16_t srcport, uint16_t dstport,
|
||||||
|
tcp_conntrack_info_t *conn_info,
|
||||||
|
uint8_t is_ipv6);
|
||||||
|
|
||||||
|
int tcp_get_auto_ttl(uint8_t ttl, uint8_t decrease_for);
|
||||||
|
#endif
|
||||||
@@ -46,11 +46,11 @@ char *repl_str(const char *str, const char *from, const char *to) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pos_cache[count-1] = pstr2 - str;
|
pos_cache[count-1] = (uintptr_t)(pstr2 - str);
|
||||||
pstr = pstr2 + fromlen;
|
pstr = pstr2 + fromlen;
|
||||||
}
|
}
|
||||||
|
|
||||||
orglen = pstr - str + strlen(pstr);
|
orglen = (size_t)(pstr - str) + strlen(pstr);
|
||||||
|
|
||||||
/* Allocate memory for the post-replacement string. */
|
/* Allocate memory for the post-replacement string. */
|
||||||
if (count > 0) {
|
if (count > 0) {
|
||||||
|
|||||||
Reference in New Issue
Block a user