mirror of
https://github.com/ValdikSS/GoodbyeDPI.git
synced 2025-12-17 12:54:36 +03:00
Compare commits
77 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
c2784dd79e | ||
|
|
bc95b6f598 | ||
|
|
985a09c73d | ||
|
|
15793fb84f | ||
|
|
f0d42129aa | ||
|
|
83af8cc541 | ||
|
|
62f2953515 | ||
|
|
7b66094f56 | ||
|
|
a6c7169033 | ||
|
|
c8c596f37e | ||
|
|
fb552640b6 | ||
|
|
ed210cdf44 | ||
|
|
dcff8389b3 | ||
|
|
9bb1bc5682 | ||
|
|
16f2a8fb81 | ||
|
|
c517169e94 | ||
|
|
e9ac13bcda | ||
|
|
78ae517871 | ||
|
|
ed45c42c9e | ||
|
|
aab7842a76 | ||
|
|
79bda5c482 | ||
|
|
68bc67685f | ||
|
|
e463f4b4e5 | ||
|
|
1a867ddf9c | ||
|
|
7e43110f74 | ||
|
|
abcca5ea84 | ||
|
|
74822fca16 | ||
|
|
8401dfcc1a | ||
|
|
c4bbd0b8e2 | ||
|
|
6b2f3cfa74 | ||
|
|
d9bf7c3ccd | ||
|
|
ad18fb9854 | ||
|
|
bc82203364 | ||
|
|
9bfce3156e | ||
|
|
f7362094d3 | ||
|
|
f1aece75ae | ||
|
|
60dd3cb004 | ||
|
|
d031ae65bf | ||
|
|
a1fb62ff82 | ||
|
|
46e6c8f2db | ||
|
|
905d3c98a6 | ||
|
|
b08836de50 | ||
|
|
cf1f2a8674 | ||
|
|
16464646a9 | ||
|
|
ba015cf44e | ||
|
|
3837635f2c | ||
|
|
95c5ca81b2 | ||
|
|
bbb7e4cea8 | ||
|
|
15eb10ac68 | ||
|
|
4c846c712d | ||
|
|
4a82fd442d | ||
|
|
b3c9ff8419 | ||
|
|
fc6fd98a62 | ||
|
|
6304328548 | ||
|
|
86867fe678 | ||
|
|
54349a1c31 | ||
|
|
4f18a73239 | ||
|
|
67629fb6ef | ||
|
|
27a6d256f0 | ||
|
|
938dce7333 | ||
|
|
99c403ca62 | ||
|
|
6ee4101f58 | ||
|
|
f94a20d221 | ||
|
|
54f810b6b0 | ||
|
|
55a3a94065 | ||
|
|
8383ecaadf | ||
|
|
8deacbc438 | ||
|
|
1cfd2b1b9f | ||
|
|
766a8ab4ed | ||
|
|
b7190f0e1f | ||
|
|
857aeb2366 | ||
|
|
871670845f | ||
|
|
68a68aede9 | ||
|
|
4a8f7ac4fb | ||
|
|
ee4ce8893c | ||
|
|
406cf2ca68 | ||
|
|
277b1fb4ef |
55
.github/ISSUE_TEMPLATE/bug.yml
vendored
55
.github/ISSUE_TEMPLATE/bug.yml
vendored
@@ -1,19 +1,52 @@
|
||||
name: Bug Report / Сообщение об ошибке
|
||||
description: File a bug report / Сообщить об ошибке в проекте
|
||||
description: File a bug report / Сообщить об ошибке в программе
|
||||
|
||||
body:
|
||||
- type: markdown
|
||||
attributes:
|
||||
value: |
|
||||
Please pay some attention!
|
||||
GoodbyeDPI does not guarantee to work on your ISP on 100% or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it.
|
||||
Please report software bugs, such as: website incompatibility (if the website works without GoodbyeDPI but breaks with GoobyeDPI enabled), antivirus incompatibility, DNS redirection problems, incorrect packet handling, and other software issues.
|
||||
Please make sure to check other opened and closed issues, it could be your question or issue has been already discussed.
|
||||
### USE THIS FORM ONLY FOR BUGS! The webside does not open? That's likely NOT a bug, do NOT report it here!
|
||||
### USE THIS FORM ONLY FOR BUGS! The webside does not open? That's likely NOT a bug, do NOT report it here!
|
||||
### USE THIS FORM ONLY FOR BUGS! The webside does not open? That's likely NOT a bug, do NOT report it here!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда, ВЫ БУДЕТЕ ЗАБАНЕНЫ!
|
||||
|
||||
Пожалуйста, прочтите!
|
||||
GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу вообще. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
|
||||
Сообщайте только об ошибках в программе, таких как: некорректная работа с веб-сайтами (когда веб-сайт работает без GoodbyeDPI, но ломается с GoodbyeDPI), несовместимость с антивирусами, проблемы с перенаправлением DNS, некорректная обработка пакетов, и другие проблемы.
|
||||
Также посмотрите другие открытые и закрытые баги. Возможно, ваш вопрос или проблема уже обсуждались.
|
||||
GoodbyeDPI does not guarantee to work with your ISP for every blocked website or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it here.
|
||||
|
||||
Please only report software bugs, such as:
|
||||
* program crash
|
||||
* incorrect network packet handling
|
||||
* antivirus incompatibility
|
||||
* DNS redirection problems
|
||||
* other software
|
||||
|
||||
Please make sure to check other opened and closed issues, it could be your bug has been reported already.
|
||||
For questions, or if in doubt, [use NTC.party forum](https://ntc.party/c/community-software/goodbyedpi).
|
||||
|
||||
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда!
|
||||
GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу с каждым заблокированным сайтом. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
|
||||
|
||||
Пожалуйста, сообщайте только об ошибках в программе, таких как:
|
||||
* падение программы
|
||||
* некорректная обработка сетевых пакетов
|
||||
* несовместимость с антивирусами
|
||||
* проблемы с перенаправлением DNS
|
||||
* другие ошибки в программе
|
||||
|
||||
Также посмотрите другие открытые и закрытые баги. Возможно, ошибка уже обсуждалась или исправлена.
|
||||
Для вопросов, а также в случае сомнений в определении бага, обращайтесь [на форум NTC.party](https://ntc.party/c/community-software/goodbyedpi).
|
||||
- type: input
|
||||
id: os
|
||||
attributes:
|
||||
@@ -35,8 +68,8 @@ body:
|
||||
- type: textarea
|
||||
id: what-happened
|
||||
attributes:
|
||||
label: Describe the issue / Опишите проблему
|
||||
description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается проблема
|
||||
label: Describe the bug / Опишите ошибку программы
|
||||
description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается ошибка
|
||||
placeholder: Attach the screenshots for clarity / При необходимости приложите скриншоты
|
||||
validations:
|
||||
required: true
|
||||
|
||||
11
.github/ISSUE_TEMPLATE/feature.yml
vendored
11
.github/ISSUE_TEMPLATE/feature.yml
vendored
@@ -5,8 +5,15 @@ body:
|
||||
- type: markdown
|
||||
attributes:
|
||||
value: |
|
||||
If you think of a great function or circumvention method which is missing from the program, go ahead and suggest it here.
|
||||
Если вы придумали новую функцию или метод обхода, которого еще нет в программе, напишите о нем подробнее здесь.
|
||||
If you think of a great function or circumvention method which is missing from the program, go ahead and suggest it here. But first make sure to search exiting tickets.
|
||||
Если вы придумали новую функцию или метод обхода, которого еще нет в программе, напишите о нем подробнее здесь. Но сначала убедитесь с помощью поиска, что такого запроса еще не было.
|
||||
- type: checkboxes
|
||||
id: ensure
|
||||
attributes:
|
||||
label: I've made sure there's no existing feature request / Я убедился, что такой функциональности еще никто не предлагал
|
||||
options:
|
||||
- label: I've made sure there's no existing feature request / Я убедился, что такой функциональности еще никто не предлагал
|
||||
required: true
|
||||
- type: textarea
|
||||
id: description
|
||||
attributes:
|
||||
|
||||
31
.github/workflows/build.yml
vendored
31
.github/workflows/build.yml
vendored
@@ -4,22 +4,27 @@ on:
|
||||
push:
|
||||
paths:
|
||||
- 'src/**'
|
||||
pull_request:
|
||||
paths:
|
||||
- 'src/**'
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
WINDIVERT_URL: https://www.reqrypt.org/download/WinDivert-1.4.3-A.zip
|
||||
WINDIVERT_NAME: WinDivert-1.4.3-A.zip
|
||||
WINDIVERT_SHA256: 4084bc3931f31546d375ed89e3f842776efa46f321ed0adcd32d3972a7d02566
|
||||
WINDIVERT_URL: https://reqrypt.org/download/WinDivert-2.2.0-D.zip
|
||||
WINDIVERT_NAME: WinDivert-2.2.0-D.zip
|
||||
WINDIVERT_BASENAME: WinDivert-2.2.0-D
|
||||
WINDIVERT_SHA256: 1d461cfdfa7ba88ebcfbb3603b71b703e9f72aba8aeff99a75ce293e6f89d2ba
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Declare short commit variable
|
||||
id: vars
|
||||
run: |
|
||||
echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
|
||||
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Install MinGW-w64
|
||||
run: >
|
||||
@@ -29,7 +34,7 @@ jobs:
|
||||
|
||||
- name: Download WinDivert from cache
|
||||
id: windivert-cache
|
||||
uses: actions/cache@v2
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ${{ env. WINDIVERT_NAME }}
|
||||
key: ${{ env. WINDIVERT_SHA256 }}
|
||||
@@ -46,15 +51,15 @@ jobs:
|
||||
- name: Compile x86_64
|
||||
run: >
|
||||
cd src && make clean &&
|
||||
make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=../WinDivert-1.4.3-A/include WINDIVERTLIBS=../WinDivert-1.4.3-A/x86_64 -j4
|
||||
make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=../${{ env.WINDIVERT_BASENAME }}/include WINDIVERTLIBS=../${{ env.WINDIVERT_BASENAME }}/x64 -j4
|
||||
|
||||
- name: Prepare x86_64 directory
|
||||
run: |
|
||||
mkdir goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
|
||||
cp src/goodbyedpi.exe WinDivert-1.4.3-A/x86_64/*.{dll,sys} goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
|
||||
cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x64/*.{dll,sys} goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
|
||||
|
||||
- name: Upload output file x86_64 (64 bit)
|
||||
uses: actions/upload-artifact@v2
|
||||
- name: Upload output file x86_64
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
|
||||
path: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
|
||||
@@ -62,15 +67,15 @@ jobs:
|
||||
- name: Compile i686
|
||||
run: >
|
||||
cd src && make clean &&
|
||||
make CPREFIX=i686-w64-mingw32- WINDIVERTHEADERS=../WinDivert-1.4.3-A/include WINDIVERTLIBS=../WinDivert-1.4.3-A/x86 -j4
|
||||
make CPREFIX=i686-w64-mingw32- WINDIVERTHEADERS=../${{ env.WINDIVERT_BASENAME }}/include WINDIVERTLIBS=../${{ env.WINDIVERT_BASENAME }}/x86 -j4
|
||||
|
||||
- name: Prepare x86 directory
|
||||
run: |
|
||||
mkdir goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
|
||||
cp src/goodbyedpi.exe WinDivert-1.4.3-A/x86/*.{dll,sys} goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
|
||||
cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x86/*.{dll,sys} goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
|
||||
|
||||
- name: Upload output file x86
|
||||
uses: actions/upload-artifact@v2
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
|
||||
path: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
|
||||
|
||||
40
README.md
40
README.md
@@ -22,6 +22,7 @@ Download [latest version from Releases page](https://github.com/ValdikSS/Goodbye
|
||||
```
|
||||
Usage: goodbyedpi.exe [OPTION...]
|
||||
-p block passive DPI
|
||||
-q block QUIC/HTTP3
|
||||
-r replace Host with hoSt
|
||||
-s remove space between host header and its value
|
||||
-m mix Host header case (test.com -> tEsT.cOm)
|
||||
@@ -43,13 +44,15 @@ Usage: goodbyedpi.exe [OPTION...]
|
||||
supplied text file (HTTP Host/TLS SNI).
|
||||
This option can be supplied multiple times.
|
||||
--allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.
|
||||
--frag-by-sni if SNI is detected in TLS packet, fragment the packet right before SNI value.
|
||||
--set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.
|
||||
DANGEROUS! May break websites in unexpected ways. Use with care.
|
||||
DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).
|
||||
--auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease
|
||||
it based on a distance. If the distance is shorter than a2, TTL is decreased
|
||||
by a2. If it's longer, (a1; a2) scale is used with the distance as a weight.
|
||||
If the resulting TTL is more than m(ax), set it to m.
|
||||
Default (if set): --auto-ttl 1-4-10. Also sets --min-ttl 3.
|
||||
DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).
|
||||
--min-ttl <value> minimum TTL distance (128/64 - TTL) for which to send Fake Request
|
||||
in --set-ttl and --auto-ttl modes.
|
||||
--wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.
|
||||
@@ -61,10 +64,18 @@ Usage: goodbyedpi.exe [OPTION...]
|
||||
--reverse-frag fragment (split) the packets just as --native-frag, but send them in the
|
||||
reversed order. Works with the websites which could not handle segmented
|
||||
HTTPS TLS ClientHello (because they receive the TCP flow "combined").
|
||||
--fake-from-hex <value> Load fake packets for Fake Request Mode from HEX values (like 1234abcDEF).
|
||||
This option can be supplied multiple times, in this case each fake packet
|
||||
would be sent on every request in the command line argument order.
|
||||
--fake-gen <value> Generate random-filled fake packets for Fake Request Mode, value of them
|
||||
(up to 30).
|
||||
--fake-resend <value> Send each fake packet value number of times.
|
||||
Default: 1 (send each packet once).
|
||||
--max-payload [value] packets with TCP payload data more than [value] won't be processed.
|
||||
Use this option to reduce CPU usage by skipping huge amount of data
|
||||
(like file transfers) in already established sessions.
|
||||
May skip some huge HTTP requests from being processed.
|
||||
Default (if set): --max-payload 1200.
|
||||
|
||||
|
||||
LEGACY modesets:
|
||||
@@ -74,8 +85,13 @@ LEGACY modesets:
|
||||
-4 -p -r -s (best speed)
|
||||
|
||||
Modern modesets (more stable, more compatible, faster):
|
||||
-5 -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)
|
||||
-6 -f 2 -e 2 --wrong-seq --reverse-frag
|
||||
-5 -f 2 -e 2 --auto-ttl --reverse-frag --max-payload
|
||||
-6 -f 2 -e 2 --wrong-seq --reverse-frag --max-payload
|
||||
-7 -f 2 -e 2 --wrong-chksum --reverse-frag --max-payload
|
||||
-8 -f 2 -e 2 --wrong-seq --wrong-chksum --reverse-frag --max-payload
|
||||
-9 -f 2 -e 2 --wrong-seq --wrong-chksum --reverse-frag --max-payload -q (this is the default)
|
||||
|
||||
Note: combination of --wrong-seq and --wrong-chksum generates two different fake packets.
|
||||
```
|
||||
|
||||
To check if your ISP's DPI could be circumvented, first make sure that your provider does not poison DNS answers by enabling "Secure DNS (DNS over HTTPS)" option in your browser.
|
||||
@@ -85,7 +101,7 @@ To check if your ISP's DPI could be circumvented, first make sure that your prov
|
||||
|
||||
Then run the `goodbyedpi.exe` executable without any options. If it works — congratulations! You can use it as-is or configure further, for example by using `--blacklist` option if the list of blocked websites is known and available for your country.
|
||||
|
||||
If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resover running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications.
|
||||
If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resolver running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications.
|
||||
|
||||
Check the .cmd scripts and modify it according to your preference and network conditions.
|
||||
|
||||
@@ -132,17 +148,23 @@ Modify them according to your own needs.
|
||||
# Known issues
|
||||
|
||||
* Horribly outdated Windows 7 installations are not able to load WinDivert driver due to missing support for SHA256 digital signatures. Install KB3033929 [x86](https://www.microsoft.com/en-us/download/details.aspx?id=46078)/[x64](https://www.microsoft.com/en-us/download/details.aspx?id=46148), or better, update the whole system using Windows Update.
|
||||
* Intel/Qualcomm Killer network cards: `Advanced Stream Detect` in Killer Control Center is incompabitle with GoodbyeDPI, [disable it](https://github.com/ValdikSS/GoodbyeDPI/issues/541#issuecomment-2296038239).
|
||||
* ~~Some SSL/TLS stacks unable to process fragmented ClientHello packets, and HTTPS websites won't open. Bug: [#4](https://github.com/ValdikSS/GoodbyeDPI/issues/4), [#64](https://github.com/ValdikSS/GoodbyeDPI/issues/64).~~ Fragmentation issues are fixed in v0.1.7.
|
||||
* ~~ESET Antivirus is incompatible with WinDivert driver [#91](https://github.com/ValdikSS/GoodbyeDPI/issues/91). This is most probably antivirus bug, not WinDivert.~~
|
||||
|
||||
|
||||
# Similar projects
|
||||
|
||||
- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for Linux).
|
||||
- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows).
|
||||
- **[DPITunnel](https://github.com/zhenyolka/DPITunnel)** by @zhenyolka (for Android).
|
||||
- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux).
|
||||
- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android).
|
||||
- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for MacOS, Linux and Windows)
|
||||
- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows)
|
||||
- **[DPI Tunnel CLI](https://github.com/nomoresat/DPITunnel-cli)** by @zhenyolka (for Linux and routers)
|
||||
- **[DPI Tunnel for Android](https://github.com/nomoresat/DPITunnel-android)** by @zhenyolka (for Android)
|
||||
- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux)
|
||||
- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android)
|
||||
- **[SpoofDPI](https://github.com/xvzc/SpoofDPI)** by @xvzc (for macOS and Linux)
|
||||
- **[GhosTCP](https://github.com/macronut/ghostcp)** by @macronut (for Windows)
|
||||
- **[ByeDPI](https://github.com/hufrea/byedpi)** for Linux/Windows + **[ByeDPIAndroid](https://github.com/dovecoteescapee/ByeDPIAndroid/)** for Android (no root)
|
||||
- **[youtubeUnblock](https://github.com/Waujito/youtubeUnblock/)** by @Waujito (for OpenWRT/Entware routers and Linux)
|
||||
|
||||
# Kudos
|
||||
|
||||
|
||||
@@ -11,7 +11,12 @@ TARGET = goodbyedpi.exe
|
||||
#LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
|
||||
LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32 -l:libssp.a
|
||||
CC = $(CPREFIX)gcc
|
||||
|
||||
CCWINDRES = $(CPREFIX)windres
|
||||
ifeq (, $(shell which $(CPREFIX)windres))
|
||||
CCWINDRES = windres
|
||||
endif
|
||||
|
||||
CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
|
||||
-O2 -D_FORTIFY_SOURCE=2 -fstack-protector \
|
||||
-Wall -Wextra -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 \
|
||||
@@ -22,7 +27,7 @@ CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
|
||||
-Wfloat-equal -Wcast-align -Wsign-conversion \
|
||||
#-fstack-protector-strong
|
||||
LDFLAGS = -fstack-protector -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
|
||||
-Wl,--image-base,0x140000000 -Wl,--disable-auto-image-base
|
||||
-Wl,--disable-auto-image-base
|
||||
|
||||
ifdef BIT64
|
||||
LDFLAGS += -Wl,--high-entropy-va -Wl,--pic-executable,-e,mainCRTStartup
|
||||
|
||||
@@ -70,8 +70,8 @@ int blackwhitelist_load_list(const char *filename) {
|
||||
line);
|
||||
continue;
|
||||
}
|
||||
if (strlen(line) < 3) {
|
||||
printf("WARNING: host %s is less than 3 bytes, skipping\n", line);
|
||||
if (strlen(line) < 2) {
|
||||
printf("WARNING: host %s is less than 2 characters, skipping\n", line);
|
||||
continue;
|
||||
}
|
||||
if (add_hostname(line))
|
||||
@@ -99,8 +99,7 @@ int blackwhitelist_check_hostname(const char *host_addr, size_t host_len) {
|
||||
|
||||
tokenized_host = strchr(current_host, '.');
|
||||
while (tokenized_host != NULL && tokenized_host < (current_host + HOST_MAXLEN)) {
|
||||
/* Search hostname only if there is next token */
|
||||
if (strchr(tokenized_host + 1, '.') && check_get_hostname(tokenized_host + 1))
|
||||
if (check_get_hostname(tokenized_host + 1))
|
||||
return TRUE;
|
||||
tokenized_host = strchr(tokenized_host + 1, '.');
|
||||
}
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
#include <stdio.h>
|
||||
#define _CRT_RAND_S
|
||||
#include <stdlib.h>
|
||||
#include <stdbool.h>
|
||||
#include <ctype.h>
|
||||
#include <unistd.h>
|
||||
#include <in6addr.h>
|
||||
@@ -7,6 +9,15 @@
|
||||
#include "windivert.h"
|
||||
#include "goodbyedpi.h"
|
||||
|
||||
struct fake_t {
|
||||
const unsigned char* data;
|
||||
size_t size;
|
||||
};
|
||||
|
||||
static struct fake_t *fakes[30] = {0};
|
||||
int fakes_count = 0;
|
||||
int fakes_resend = 1;
|
||||
|
||||
static const unsigned char fake_http_request[] = "GET / HTTP/1.1\r\nHost: www.w3.org\r\n"
|
||||
"User-Agent: curl/7.65.3\r\nAccept: */*\r\n"
|
||||
"Accept-Encoding: deflate, gzip, br\r\n\r\n";
|
||||
@@ -54,7 +65,8 @@ static int send_fake_data(const HANDLE w_filter,
|
||||
const BOOL is_https,
|
||||
const BYTE set_ttl,
|
||||
const BYTE set_checksum,
|
||||
const BYTE set_seq
|
||||
const BYTE set_seq,
|
||||
const struct fake_t *fake_data
|
||||
) {
|
||||
char packet_fake[MAX_PACKET_SIZE];
|
||||
WINDIVERT_ADDRESS addr_new;
|
||||
@@ -66,23 +78,29 @@ static int send_fake_data(const HANDLE w_filter,
|
||||
PWINDIVERT_TCPHDR ppTcpHdr;
|
||||
unsigned const char *fake_request_data = is_https ? fake_https_request : fake_http_request;
|
||||
UINT fake_request_size = is_https ? sizeof(fake_https_request) : sizeof(fake_http_request) - 1;
|
||||
if (fake_data) {
|
||||
fake_request_data = fake_data->data;
|
||||
fake_request_size = fake_data->size;
|
||||
}
|
||||
|
||||
memcpy(&addr_new, addr, sizeof(WINDIVERT_ADDRESS));
|
||||
memcpy(packet_fake, pkt, packetLen);
|
||||
|
||||
addr_new.PseudoTCPChecksum = 0;
|
||||
addr_new.PseudoIPChecksum = 0;
|
||||
addr_new.TCPChecksum = 0;
|
||||
addr_new.IPChecksum = 0;
|
||||
|
||||
if (!is_ipv6) {
|
||||
// IPv4 TCP Data packet
|
||||
if (!WinDivertHelperParsePacket(packet_fake, packetLen, &ppIpHdr,
|
||||
NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen))
|
||||
NULL, NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen,
|
||||
NULL, NULL))
|
||||
return 1;
|
||||
}
|
||||
else {
|
||||
// IPv6 TCP Data packet
|
||||
if (!WinDivertHelperParsePacket(packet_fake, packetLen, NULL,
|
||||
&ppIpV6Hdr, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen))
|
||||
&ppIpV6Hdr, NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen,
|
||||
NULL, NULL))
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -126,12 +144,12 @@ static int send_fake_data(const HANDLE w_filter,
|
||||
// ...and damage it
|
||||
ppTcpHdr->Checksum = htons(ntohs(ppTcpHdr->Checksum) - 1);
|
||||
}
|
||||
//printf("Pseudo checksum: %d\n", addr_new.PseudoTCPChecksum);
|
||||
//printf("Pseudo checksum: %d\n", addr_new.TCPChecksum);
|
||||
|
||||
WinDivertSend(
|
||||
w_filter, packet_fake,
|
||||
packetLen_new,
|
||||
&addr_new, NULL
|
||||
NULL, &addr_new
|
||||
);
|
||||
debug("Fake packet: OK");
|
||||
|
||||
@@ -146,22 +164,26 @@ static int send_fake_request(const HANDLE w_filter,
|
||||
const BOOL is_https,
|
||||
const BYTE set_ttl,
|
||||
const BYTE set_checksum,
|
||||
const BYTE set_seq
|
||||
const BYTE set_seq,
|
||||
const struct fake_t *fake_data
|
||||
) {
|
||||
if (set_ttl) {
|
||||
send_fake_data(w_filter, addr, pkt, packetLen,
|
||||
is_ipv6, is_https,
|
||||
set_ttl, FALSE, FALSE);
|
||||
set_ttl, FALSE, FALSE,
|
||||
fake_data);
|
||||
}
|
||||
if (set_checksum) {
|
||||
send_fake_data(w_filter, addr, pkt, packetLen,
|
||||
is_ipv6, is_https,
|
||||
FALSE, set_checksum, FALSE);
|
||||
FALSE, set_checksum, FALSE,
|
||||
fake_data);
|
||||
}
|
||||
if (set_seq) {
|
||||
send_fake_data(w_filter, addr, pkt, packetLen,
|
||||
is_ipv6, is_https,
|
||||
FALSE, FALSE, set_seq);
|
||||
FALSE, FALSE, set_seq,
|
||||
fake_data);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
@@ -175,9 +197,18 @@ int send_fake_http_request(const HANDLE w_filter,
|
||||
const BYTE set_checksum,
|
||||
const BYTE set_seq
|
||||
) {
|
||||
return send_fake_request(w_filter, addr, pkt, packetLen,
|
||||
int ret = 0;
|
||||
for (int i=0; i<fakes_count || i == 0; i++) {
|
||||
for (int j=0; j<fakes_resend; j++)
|
||||
if (send_fake_request(w_filter, addr, pkt, packetLen,
|
||||
is_ipv6, FALSE,
|
||||
set_ttl, set_checksum, set_seq);
|
||||
set_ttl, set_checksum, set_seq,
|
||||
fakes[i]))
|
||||
{
|
||||
ret++;
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
int send_fake_https_request(const HANDLE w_filter,
|
||||
@@ -189,7 +220,94 @@ int send_fake_https_request(const HANDLE w_filter,
|
||||
const BYTE set_checksum,
|
||||
const BYTE set_seq
|
||||
) {
|
||||
return send_fake_request(w_filter, addr, pkt, packetLen,
|
||||
int ret = 0;
|
||||
for (int i=0; i<fakes_count || i == 0; i++) {
|
||||
for (int j=0; j<fakes_resend; j++)
|
||||
if (send_fake_request(w_filter, addr, pkt, packetLen,
|
||||
is_ipv6, TRUE,
|
||||
set_ttl, set_checksum, set_seq);
|
||||
set_ttl, set_checksum, set_seq,
|
||||
fakes[i]))
|
||||
{
|
||||
ret++;
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int fake_add(const unsigned char *data, size_t size) {
|
||||
struct fake_t *fake = malloc(sizeof(struct fake_t));
|
||||
fake->size = size;
|
||||
fake->data = data;
|
||||
|
||||
for (size_t k = 0; k <= sizeof(fakes) / sizeof(*fakes); k++) {
|
||||
if (!fakes[k]) {
|
||||
fakes[k] = fake;
|
||||
fakes_count++;
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return 3;
|
||||
}
|
||||
|
||||
int fake_load_from_hex(const char *data) {
|
||||
size_t len = strlen(data);
|
||||
if (len < 2 || len % 2 || len > 1420)
|
||||
return 1;
|
||||
|
||||
unsigned char *finaldata = calloc((len + 2) / 2, 1);
|
||||
|
||||
for (size_t i = 0; i<len - 1; i+=2) {
|
||||
char num1 = data[i];
|
||||
char num2 = data[i+1];
|
||||
debug("Current num1: %X, num2: %X\n", num1, num2);
|
||||
unsigned char finalchar = 0;
|
||||
char curchar = num1;
|
||||
|
||||
for (int j=0; j<=1; j++) {
|
||||
if (curchar >= '0' && curchar <= '9')
|
||||
curchar -= '0';
|
||||
else if (curchar >= 'a' && curchar <= 'f')
|
||||
curchar -= 'a' - 0xA;
|
||||
else if (curchar >= 'A' && curchar <= 'F')
|
||||
curchar -= 'A' - 0xA;
|
||||
else
|
||||
return 2; // incorrect character, not a hex data
|
||||
|
||||
if (!j) {
|
||||
num1 = curchar;
|
||||
curchar = num2;
|
||||
continue;
|
||||
}
|
||||
num2 = curchar;
|
||||
}
|
||||
debug("Processed num1: %X, num2: %X\n", num1, num2);
|
||||
finalchar = (num1 << 4) | num2;
|
||||
debug("Final char: %X\n", finalchar);
|
||||
finaldata[i/2] = finalchar;
|
||||
}
|
||||
|
||||
return fake_add(finaldata, len / 2);
|
||||
}
|
||||
|
||||
int fake_load_random(unsigned int count, unsigned int maxsize) {
|
||||
if (count < 1 || count > sizeof(fakes) / sizeof(*fakes))
|
||||
return 1;
|
||||
|
||||
unsigned int random = 0;
|
||||
|
||||
for (unsigned int i=0; i<count; i++) {
|
||||
unsigned int len = 0;
|
||||
if (rand_s(&len))
|
||||
return 1;
|
||||
len = 8 + (len % maxsize);
|
||||
|
||||
unsigned char *data = calloc(len, 1);
|
||||
for (unsigned int j=0; j<len; j++) {
|
||||
rand_s(&random);
|
||||
data[j] = random % 0xFF;
|
||||
}
|
||||
if (fake_add(data, len))
|
||||
return 2;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
extern int fakes_count;
|
||||
extern int fakes_resend;
|
||||
int send_fake_http_request(const HANDLE w_filter,
|
||||
const PWINDIVERT_ADDRESS addr,
|
||||
const char *pkt,
|
||||
|
||||
336
src/goodbyedpi.c
336
src/goodbyedpi.c
@@ -4,6 +4,7 @@
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdbool.h>
|
||||
#include <ctype.h>
|
||||
#include <signal.h>
|
||||
#include <unistd.h>
|
||||
@@ -23,7 +24,7 @@
|
||||
// My mingw installation does not load inet_pton definition for some reason
|
||||
WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pAddr);
|
||||
|
||||
#define GOODBYEDPI_VERSION "v0.2.0"
|
||||
#define GOODBYEDPI_VERSION "v0.2.3rc2"
|
||||
|
||||
#define die() do { sleep(20); exit(EXIT_FAILURE); } while (0)
|
||||
|
||||
@@ -78,9 +79,12 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
|
||||
"(tcp.DstPort == 80 or tcp.DstPort == 443) and tcp.Ack and " \
|
||||
"(" DIVERT_NO_LOCALNETSv4_DST " or " DIVERT_NO_LOCALNETSv6_DST "))" \
|
||||
"))"
|
||||
#define FILTER_PASSIVE_BLOCK_QUIC "outbound and !impostor and !loopback and udp " \
|
||||
"and udp.DstPort == 443 and udp.PayloadLength >= 1200 " \
|
||||
"and udp.Payload[0] >= 0xC0 and udp.Payload32[1b] == 0x01"
|
||||
#define FILTER_PASSIVE_STRING_TEMPLATE "inbound and ip and tcp and " \
|
||||
"!impostor and !loopback and " \
|
||||
"((ip.Id <= 0xF and ip.Id >= 0x0) " IPID_TEMPLATE ") and " \
|
||||
"(true " IPID_TEMPLATE ") and " \
|
||||
"(tcp.SrcPort == 443 or tcp.SrcPort == 80) and tcp.Rst and " \
|
||||
DIVERT_NO_LOCALNETSv4_SRC
|
||||
|
||||
@@ -119,8 +123,8 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
|
||||
} \
|
||||
else if (ttl_min_nhops) { \
|
||||
/* If not Auto TTL mode but --min-ttl is set */ \
|
||||
if (tcp_get_auto_ttl(tcp_conn_info.ttl, 0, 0, ttl_min_nhops, 0)) { \
|
||||
/* Send only if nhops > min_ttl */ \
|
||||
if (!tcp_get_auto_ttl(tcp_conn_info.ttl, 0, 0, ttl_min_nhops, 0)) { \
|
||||
/* Send only if nhops >= min_ttl */ \
|
||||
should_send_fake = 0; \
|
||||
} \
|
||||
} \
|
||||
@@ -131,6 +135,18 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
|
||||
ttl_of_fake_packet, do_wrong_chksum, do_wrong_seq); \
|
||||
} while (0)
|
||||
|
||||
enum ERROR_CODE{
|
||||
ERROR_DEFAULT = 1,
|
||||
ERROR_PORT_BOUNDS,
|
||||
ERROR_DNS_V4_ADDR,
|
||||
ERROR_DNS_V6_ADDR,
|
||||
ERROR_DNS_V4_PORT,
|
||||
ERROR_DNS_V6_PORT,
|
||||
ERROR_BLACKLIST_LOAD,
|
||||
ERROR_AUTOTTL,
|
||||
ERROR_ATOUSI,
|
||||
ERROR_AUTOB
|
||||
};
|
||||
|
||||
static int running_from_service = 0;
|
||||
static int exiting = 0;
|
||||
@@ -162,6 +178,7 @@ static struct option long_options[] = {
|
||||
{"dns-verb", no_argument, 0, 'v' },
|
||||
{"blacklist", required_argument, 0, 'b' },
|
||||
{"allow-no-sni",no_argument, 0, ']' },
|
||||
{"frag-by-sni", no_argument, 0, '>' },
|
||||
{"ip-id", required_argument, 0, 'i' },
|
||||
{"set-ttl", required_argument, 0, '$' },
|
||||
{"min-ttl", required_argument, 0, '[' },
|
||||
@@ -171,6 +188,10 @@ static struct option long_options[] = {
|
||||
{"native-frag", no_argument, 0, '*' },
|
||||
{"reverse-frag",no_argument, 0, '(' },
|
||||
{"max-payload", optional_argument, 0, '|' },
|
||||
{"fake-from-hex", required_argument, 0, 'u' },
|
||||
{"fake-gen", required_argument, 0, 'j' },
|
||||
{"fake-resend", required_argument, 0, 't' },
|
||||
{"debug-exit", optional_argument, 0, 'x' },
|
||||
{0, 0, 0, 0 }
|
||||
};
|
||||
|
||||
@@ -216,7 +237,11 @@ static void add_ip_id_str(int id) {
|
||||
|
||||
static void add_maxpayloadsize_str(unsigned short maxpayload) {
|
||||
char *newstr;
|
||||
const char *maxpayloadsize_str = "and (tcp.PayloadLength ? tcp.PayloadLength < %hu : true)";
|
||||
/* 0x47455420 is "GET ", 0x504F5354 is "POST", big endian. */
|
||||
const char *maxpayloadsize_str =
|
||||
"and (tcp.PayloadLength ? tcp.PayloadLength < %hu " \
|
||||
"or tcp.Payload32[0] == 0x47455420 or tcp.Payload32[0] == 0x504F5354 " \
|
||||
"or (tcp.Payload[0] == 0x16 and tcp.Payload[1] == 0x03 and tcp.Payload[2] <= 0x03): true)";
|
||||
char *addfilter = malloc(strlen(maxpayloadsize_str) + 16);
|
||||
|
||||
sprintf(addfilter, maxpayloadsize_str, maxpayload);
|
||||
@@ -262,7 +287,7 @@ unsigned short int atousi(const char *str, const char *msg) {
|
||||
|
||||
if(res > limitValue) {
|
||||
puts(msg);
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_ATOUSI);
|
||||
}
|
||||
return (unsigned short int)res;
|
||||
}
|
||||
@@ -275,7 +300,7 @@ BYTE atoub(const char *str, const char *msg) {
|
||||
|
||||
if(res > limitValue) {
|
||||
puts(msg);
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_AUTOB);
|
||||
}
|
||||
return (BYTE)res;
|
||||
}
|
||||
@@ -292,10 +317,27 @@ static HANDLE init(char *filter, UINT64 flags) {
|
||||
FORMAT_MESSAGE_IGNORE_INSERTS,
|
||||
NULL, errorcode, MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT),
|
||||
(LPTSTR)&errormessage, 0, NULL);
|
||||
printf("Error opening filter: %s", errormessage);
|
||||
printf("Error opening filter: %d %s\n", errorcode, errormessage);
|
||||
LocalFree(errormessage);
|
||||
if (errorcode == 577)
|
||||
printf("Windows Server 2016 systems must have secure boot disabled to be "
|
||||
if (errorcode == 2)
|
||||
printf("The driver files WinDivert32.sys or WinDivert64.sys were not found.\n");
|
||||
else if (errorcode == 654)
|
||||
printf("An incompatible version of the WinDivert driver is currently loaded.\n"
|
||||
"Please unload it with the following commands ran as administrator:\n\n"
|
||||
"sc stop windivert\n"
|
||||
"sc delete windivert\n"
|
||||
"sc stop windivert14"
|
||||
"sc delete windivert14\n");
|
||||
else if (errorcode == 1275)
|
||||
printf("This error occurs for various reasons, including:\n"
|
||||
"the WinDivert driver is blocked by security software; or\n"
|
||||
"you are using a virtualization environment that does not support drivers.\n");
|
||||
else if (errorcode == 1753)
|
||||
printf("This error occurs when the Base Filtering Engine service has been disabled.\n"
|
||||
"Enable Base Filtering Engine service.\n");
|
||||
else if (errorcode == 577)
|
||||
printf("Could not load driver due to invalid digital signature.\n"
|
||||
"Windows Server 2016 systems must have secure boot disabled to be \n"
|
||||
"able to load WinDivert driver.\n"
|
||||
"Windows 7 systems must be up-to-date or at least have KB3033929 installed.\n"
|
||||
"https://www.microsoft.com/en-us/download/details.aspx?id=46078\n\n"
|
||||
@@ -309,6 +351,7 @@ static HANDLE init(char *filter, UINT64 flags) {
|
||||
|
||||
static int deinit(HANDLE handle) {
|
||||
if (handle) {
|
||||
WinDivertShutdown(handle, WINDIVERT_SHUTDOWN_BOTH);
|
||||
WinDivertClose(handle);
|
||||
return TRUE;
|
||||
}
|
||||
@@ -415,9 +458,9 @@ static int extract_sni(const char *pktdata, unsigned int pktlen,
|
||||
}
|
||||
/* Validate that hostname has only ascii lowercase characters */
|
||||
for (int i=0; i<hnlen; i++) {
|
||||
if (!( (hnaddr[i] >= '1' && hnaddr[i] <= '9') ||
|
||||
if (!( (hnaddr[i] >= '0' && hnaddr[i] <= '9') ||
|
||||
(hnaddr[i] >= 'a' && hnaddr[i] <= 'z') ||
|
||||
hnaddr[i] == '.'))
|
||||
hnaddr[i] == '.' || hnaddr[i] == '-'))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
@@ -472,7 +515,7 @@ static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
|
||||
PWINDIVERT_TCPHDR ppTcpHdr,
|
||||
unsigned int fragment_size, int step) {
|
||||
char packet_bak[MAX_PACKET_SIZE];
|
||||
memcpy(&packet_bak, packet, packetLen);
|
||||
memcpy(packet_bak, packet, packetLen);
|
||||
UINT orig_packetLen = packetLen;
|
||||
|
||||
if (fragment_size >= packet_dataLen) {
|
||||
@@ -518,8 +561,8 @@ static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
|
||||
ppTcpHdr->SeqNum = htonl(ntohl(ppTcpHdr->SeqNum) + fragment_size);
|
||||
}
|
||||
|
||||
addr.PseudoIPChecksum = 0;
|
||||
addr.PseudoTCPChecksum = 0;
|
||||
addr.IPChecksum = 0;
|
||||
addr.TCPChecksum = 0;
|
||||
|
||||
WinDivertHelperCalcChecksums(
|
||||
packet, packetLen, &addr, 0
|
||||
@@ -527,9 +570,9 @@ static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
|
||||
WinDivertSend(
|
||||
w_filter, packet,
|
||||
packetLen,
|
||||
&addr, NULL
|
||||
NULL, &addr
|
||||
);
|
||||
memcpy(packet, &packet_bak, orig_packetLen);
|
||||
memcpy(packet, packet_bak, orig_packetLen);
|
||||
//printf("Sent native fragment of %d size (step%d)\n", packetLen, step);
|
||||
}
|
||||
|
||||
@@ -539,6 +582,7 @@ int main(int argc, char *argv[]) {
|
||||
ipv4_tcp, ipv4_tcp_data, ipv4_udp_data,
|
||||
ipv6_tcp, ipv6_tcp_data, ipv6_udp_data
|
||||
} packet_type;
|
||||
bool debug_exit = false;
|
||||
int i, should_reinject, should_recalc_checksum = 0;
|
||||
int sni_ok = 0;
|
||||
int opt;
|
||||
@@ -556,7 +600,8 @@ int main(int argc, char *argv[]) {
|
||||
conntrack_info_t dns_conn_info;
|
||||
tcp_conntrack_info_t tcp_conn_info;
|
||||
|
||||
int do_passivedpi = 0, do_fragment_http = 0,
|
||||
int do_passivedpi = 0, do_block_quic = 0,
|
||||
do_fragment_http = 0,
|
||||
do_fragment_http_persistent = 0,
|
||||
do_fragment_http_persistent_nowait = 0,
|
||||
do_fragment_https = 0, do_host = 0,
|
||||
@@ -566,6 +611,7 @@ int main(int argc, char *argv[]) {
|
||||
do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
|
||||
do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0,
|
||||
do_allow_no_sni = 0,
|
||||
do_fragment_by_sni = 0,
|
||||
do_fake_packet = 0,
|
||||
do_auto_ttl = 0,
|
||||
do_wrong_chksum = 0,
|
||||
@@ -627,17 +673,19 @@ int main(int argc, char *argv[]) {
|
||||
);
|
||||
|
||||
if (argc == 1) {
|
||||
/* enable mode -5 by default */
|
||||
/* enable mode -9 by default */
|
||||
do_fragment_http = do_fragment_https = 1;
|
||||
do_reverse_frag = do_native_frag = 1;
|
||||
http_fragment_size = https_fragment_size = 2;
|
||||
do_fragment_http_persistent = do_fragment_http_persistent_nowait = 1;
|
||||
do_fake_packet = 1;
|
||||
do_auto_ttl = 1;
|
||||
do_wrong_chksum = 1;
|
||||
do_wrong_seq = 1;
|
||||
do_block_quic = 1;
|
||||
max_payload_size = 1200;
|
||||
}
|
||||
|
||||
while ((opt = getopt_long(argc, argv, "123456prsaf:e:mwk:n", long_options, NULL)) != -1) {
|
||||
while ((opt = getopt_long(argc, argv, "123456789pqrsaf:e:mwk:n", long_options, NULL)) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
do_passivedpi = do_host = do_host_removespace \
|
||||
@@ -678,9 +726,27 @@ int main(int argc, char *argv[]) {
|
||||
do_wrong_seq = 1;
|
||||
max_payload_size = 1200;
|
||||
break;
|
||||
case '9': // +7+8
|
||||
do_block_quic = 1;
|
||||
// fall through
|
||||
case '8': // +7
|
||||
do_wrong_seq = 1;
|
||||
// fall through
|
||||
case '7':
|
||||
do_fragment_http = do_fragment_https = 1;
|
||||
do_reverse_frag = do_native_frag = 1;
|
||||
http_fragment_size = https_fragment_size = 2;
|
||||
do_fragment_http_persistent = do_fragment_http_persistent_nowait = 1;
|
||||
do_fake_packet = 1;
|
||||
do_wrong_chksum = 1;
|
||||
max_payload_size = 1200;
|
||||
break;
|
||||
case 'p':
|
||||
do_passivedpi = 1;
|
||||
break;
|
||||
case 'q':
|
||||
do_block_quic = 1;
|
||||
break;
|
||||
case 'r':
|
||||
do_host = 1;
|
||||
break;
|
||||
@@ -720,7 +786,7 @@ int main(int argc, char *argv[]) {
|
||||
i = atoi(optarg);
|
||||
if (i <= 0 || i > 65535) {
|
||||
printf("Port parameter error!\n");
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_PORT_BOUNDS);
|
||||
}
|
||||
if (i != 80 && i != 443)
|
||||
add_filter_str(IPPROTO_TCP, i);
|
||||
@@ -739,14 +805,14 @@ int main(int argc, char *argv[]) {
|
||||
do_dnsv4_redirect = 1;
|
||||
if (inet_pton(AF_INET, optarg, &dnsv4_addr) != 1) {
|
||||
puts("DNS address parameter error!");
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_DNS_V4_ADDR);
|
||||
}
|
||||
add_filter_str(IPPROTO_UDP, 53);
|
||||
flush_dns_cache();
|
||||
break;
|
||||
}
|
||||
puts("DNS address parameter error!");
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_DNS_V4_ADDR);
|
||||
break;
|
||||
case '!': // --dnsv6-addr
|
||||
if ((inet_pton(AF_INET6, optarg, dns_temp_addr.s6_addr) == 1) &&
|
||||
@@ -755,21 +821,21 @@ int main(int argc, char *argv[]) {
|
||||
do_dnsv6_redirect = 1;
|
||||
if (inet_pton(AF_INET6, optarg, dnsv6_addr.s6_addr) != 1) {
|
||||
puts("DNS address parameter error!");
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_DNS_V6_ADDR);
|
||||
}
|
||||
add_filter_str(IPPROTO_UDP, 53);
|
||||
flush_dns_cache();
|
||||
break;
|
||||
}
|
||||
puts("DNS address parameter error!");
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_DNS_V6_ADDR);
|
||||
break;
|
||||
case 'g': // --dns-port
|
||||
if (!do_dnsv4_redirect) {
|
||||
puts("--dns-port should be used with --dns-addr!\n"
|
||||
"Make sure you use --dns-addr and pass it before "
|
||||
"--dns-port");
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_DNS_V4_PORT);
|
||||
}
|
||||
dnsv4_port = atousi(optarg, "DNS port parameter error!");
|
||||
if (dnsv4_port != 53) {
|
||||
@@ -782,7 +848,7 @@ int main(int argc, char *argv[]) {
|
||||
puts("--dnsv6-port should be used with --dnsv6-addr!\n"
|
||||
"Make sure you use --dnsv6-addr and pass it before "
|
||||
"--dnsv6-port");
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_DNS_V6_PORT);
|
||||
}
|
||||
dnsv6_port = atousi(optarg, "DNS port parameter error!");
|
||||
if (dnsv6_port != 53) {
|
||||
@@ -798,13 +864,17 @@ int main(int argc, char *argv[]) {
|
||||
do_blacklist = 1;
|
||||
if (!blackwhitelist_load_list(optarg)) {
|
||||
printf("Can't load blacklist from file!\n");
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_BLACKLIST_LOAD);
|
||||
}
|
||||
break;
|
||||
case ']': // --allow-no-sni
|
||||
do_allow_no_sni = 1;
|
||||
break;
|
||||
case '>': // --frag-by-sni
|
||||
do_fragment_by_sni = 1;
|
||||
break;
|
||||
case '$': // --set-ttl
|
||||
do_auto_ttl = auto_ttl_1 = auto_ttl_2 = auto_ttl_max = 0;
|
||||
do_fake_packet = 1;
|
||||
ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!");
|
||||
break;
|
||||
@@ -828,13 +898,13 @@ int main(int argc, char *argv[]) {
|
||||
autottl_current = strtok(NULL, "-");
|
||||
if (!autottl_current) {
|
||||
puts("Set Auto TTL parameter error!");
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_AUTOTTL);
|
||||
}
|
||||
auto_ttl_2 = atoub(autottl_current, "Set Auto TTL parameter error!");
|
||||
autottl_current = strtok(NULL, "-");
|
||||
if (!autottl_current) {
|
||||
puts("Set Auto TTL parameter error!");
|
||||
exit(EXIT_FAILURE);
|
||||
exit(ERROR_AUTOTTL);
|
||||
}
|
||||
auto_ttl_max = atoub(autottl_current, "Set Auto TTL parameter error!");
|
||||
}
|
||||
@@ -870,12 +940,35 @@ int main(int argc, char *argv[]) {
|
||||
optarg = argv[optind];
|
||||
if (optarg)
|
||||
max_payload_size = atousi(optarg, "Max payload size parameter error!");
|
||||
if (!max_payload_size)
|
||||
else
|
||||
max_payload_size = 1200;
|
||||
break;
|
||||
case 'u': // --fake-from-hex
|
||||
if (fake_load_from_hex(optarg)) {
|
||||
printf("WARNING: bad fake HEX value %s\n", optarg);
|
||||
}
|
||||
break;
|
||||
case 'j': // --fake-gen
|
||||
if (fake_load_random(atoub(optarg, "Fake generator parameter error!"))) {
|
||||
puts("WARNING: fake generator has failed!");
|
||||
}
|
||||
break;
|
||||
case 't': // --fake-resend
|
||||
fakes_resend = atoub(optarg, "Fake resend parameter error!");
|
||||
if (fakes_resend == 1)
|
||||
puts("WARNING: fake-resend is 1, no resending is in place!");
|
||||
else if (!fakes_resend)
|
||||
puts("WARNING: fake-resend is 0, fake packet mode is disabled!");
|
||||
else if (fakes_resend > 100)
|
||||
puts("WARNING: fake-resend value is a little too high, don't you think?");
|
||||
break;
|
||||
case 'x': // --debug-exit
|
||||
debug_exit = true;
|
||||
break;
|
||||
default:
|
||||
puts("Usage: goodbyedpi.exe [OPTION...]\n"
|
||||
" -p block passive DPI\n"
|
||||
" -q block QUIC/HTTP3\n"
|
||||
" -r replace Host with hoSt\n"
|
||||
" -s remove space between host header and its value\n"
|
||||
" -a additional space between Method and Request-URI (enables -s, may break sites)\n"
|
||||
@@ -896,6 +989,7 @@ int main(int argc, char *argv[]) {
|
||||
" supplied text file (HTTP Host/TLS SNI).\n"
|
||||
" This option can be supplied multiple times.\n"
|
||||
" --allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.\n"
|
||||
" --frag-by-sni if SNI is detected in TLS packet, fragment the packet right before SNI value.\n"
|
||||
" --set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.\n"
|
||||
" DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).\n"
|
||||
" --auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease\n"
|
||||
@@ -916,6 +1010,13 @@ int main(int argc, char *argv[]) {
|
||||
" --reverse-frag fragment (split) the packets just as --native-frag, but send them in the\n"
|
||||
" reversed order. Works with the websites which could not handle segmented\n"
|
||||
" HTTPS TLS ClientHello (because they receive the TCP flow \"combined\").\n"
|
||||
" --fake-from-hex <value> Load fake packets for Fake Request Mode from HEX values (like 1234abcDEF).\n"
|
||||
" This option can be supplied multiple times, in this case each fake packet\n"
|
||||
" would be sent on every request in the command line argument order.\n"
|
||||
" --fake-gen <value> Generate random-filled fake packets for Fake Request Mode, value of them\n"
|
||||
" (up to 30).\n"
|
||||
" --fake-resend <value> Send each fake packet value number of times.\n"
|
||||
" Default: 1 (send each packet once).\n"
|
||||
" --max-payload [value] packets with TCP payload data more than [value] won't be processed.\n"
|
||||
" Use this option to reduce CPU usage by skipping huge amount of data\n"
|
||||
" (like file transfers) in already established sessions.\n"
|
||||
@@ -929,9 +1030,14 @@ int main(int argc, char *argv[]) {
|
||||
" -4 -p -r -s (best speed)"
|
||||
"\n"
|
||||
"Modern modesets (more stable, more compatible, faster):\n"
|
||||
" -5 -f 2 -e 2 --auto-ttl --reverse-frag (this is the default)\n"
|
||||
" -6 -f 2 -e 2 --wrong-seq --reverse-frag\n");
|
||||
exit(EXIT_FAILURE);
|
||||
" -5 -f 2 -e 2 --auto-ttl --reverse-frag --max-payload\n"
|
||||
" -6 -f 2 -e 2 --wrong-seq --reverse-frag --max-payload\n"
|
||||
" -7 -f 2 -e 2 --wrong-chksum --reverse-frag --max-payload\n"
|
||||
" -8 -f 2 -e 2 --wrong-seq --wrong-chksum --reverse-frag --max-payload\n"
|
||||
" -9 -f 2 -e 2 --wrong-seq --wrong-chksum --reverse-frag --max-payload -q (this is the default)\n\n"
|
||||
"Note: combination of --wrong-seq and --wrong-chksum generates two different fake packets.\n"
|
||||
);
|
||||
exit(ERROR_DEFAULT);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -951,45 +1057,52 @@ int main(int argc, char *argv[]) {
|
||||
}
|
||||
|
||||
printf("Block passive: %d\n" /* 1 */
|
||||
"Block QUIC/HTTP3: %d\n" /* 1 */
|
||||
"Fragment HTTP: %u\n" /* 2 */
|
||||
"Fragment persistent HTTP: %u\n" /* 3 */
|
||||
"Fragment HTTPS: %u\n" /* 4 */
|
||||
"Native fragmentation (splitting): %d\n" /* 5 */
|
||||
"Fragments sending in reverse: %d\n" /* 6 */
|
||||
"hoSt: %d\n" /* 7 */
|
||||
"Host no space: %d\n" /* 8 */
|
||||
"Additional space: %d\n" /* 9 */
|
||||
"Mix Host: %d\n" /* 10 */
|
||||
"HTTP AllPorts: %d\n" /* 11 */
|
||||
"HTTP Persistent Nowait: %d\n" /* 12 */
|
||||
"DNS redirect: %d\n" /* 13 */
|
||||
"DNSv6 redirect: %d\n" /* 14 */
|
||||
"Allow missing SNI: %d\n" /* 15 */
|
||||
"Fake requests, TTL: %s (fixed: %hu, auto: %hu-%hu-%hu, min distance: %hu)\n" /* 16 */
|
||||
"Fake requests, wrong checksum: %d\n" /* 17 */
|
||||
"Fake requests, wrong SEQ/ACK: %d\n" /* 18 */
|
||||
"Max payload size: %hu\n", /* 19 */
|
||||
do_passivedpi, /* 1 */
|
||||
"Fragment by SNI: %u\n" /* 5 */
|
||||
"Native fragmentation (splitting): %d\n" /* 6 */
|
||||
"Fragments sending in reverse: %d\n" /* 7 */
|
||||
"hoSt: %d\n" /* 8 */
|
||||
"Host no space: %d\n" /* 9 */
|
||||
"Additional space: %d\n" /* 10 */
|
||||
"Mix Host: %d\n" /* 11 */
|
||||
"HTTP AllPorts: %d\n" /* 12 */
|
||||
"HTTP Persistent Nowait: %d\n" /* 13 */
|
||||
"DNS redirect: %d\n" /* 14 */
|
||||
"DNSv6 redirect: %d\n" /* 15 */
|
||||
"Allow missing SNI: %d\n" /* 16 */
|
||||
"Fake requests, TTL: %s (fixed: %hu, auto: %hu-%hu-%hu, min distance: %hu)\n" /* 17 */
|
||||
"Fake requests, wrong checksum: %d\n" /* 18 */
|
||||
"Fake requests, wrong SEQ/ACK: %d\n" /* 19 */
|
||||
"Fake requests, custom payloads: %d\n" /* 20 */
|
||||
"Fake requests, resend: %d\n" /* 21 */
|
||||
"Max payload size: %hu\n", /* 22 */
|
||||
do_passivedpi, do_block_quic, /* 1 */
|
||||
(do_fragment_http ? http_fragment_size : 0), /* 2 */
|
||||
(do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */
|
||||
(do_fragment_https ? https_fragment_size : 0), /* 4 */
|
||||
do_native_frag, /* 5 */
|
||||
do_reverse_frag, /* 6 */
|
||||
do_host, /* 7 */
|
||||
do_host_removespace, /* 8 */
|
||||
do_additional_space, /* 9 */
|
||||
do_host_mixedcase, /* 10 */
|
||||
do_http_allports, /* 11 */
|
||||
do_fragment_http_persistent_nowait, /* 12 */
|
||||
do_dnsv4_redirect, /* 13 */
|
||||
do_dnsv6_redirect, /* 14 */
|
||||
do_allow_no_sni, /* 15 */
|
||||
ttl_of_fake_packet ? "fixed" : (do_auto_ttl ? "auto" : "disabled"), /* 16 */
|
||||
do_fragment_by_sni, /* 5 */
|
||||
do_native_frag, /* 6 */
|
||||
do_reverse_frag, /* 7 */
|
||||
do_host, /* 8 */
|
||||
do_host_removespace, /* 9 */
|
||||
do_additional_space, /* 10 */
|
||||
do_host_mixedcase, /* 11 */
|
||||
do_http_allports, /* 12 */
|
||||
do_fragment_http_persistent_nowait, /* 13 */
|
||||
do_dnsv4_redirect, /* 14 */
|
||||
do_dnsv6_redirect, /* 15 */
|
||||
do_allow_no_sni, /* 16 */
|
||||
do_auto_ttl ? "auto" : (do_fake_packet ? "fixed" : "disabled"), /* 17 */
|
||||
ttl_of_fake_packet, do_auto_ttl ? auto_ttl_1 : 0, do_auto_ttl ? auto_ttl_2 : 0,
|
||||
do_auto_ttl ? auto_ttl_max : 0, ttl_min_nhops,
|
||||
do_wrong_chksum, /* 17 */
|
||||
do_wrong_seq, /* 18 */
|
||||
max_payload_size /* 19 */
|
||||
do_wrong_chksum, /* 18 */
|
||||
do_wrong_seq, /* 19 */
|
||||
fakes_count, /* 20 */
|
||||
fakes_resend, /* 21 */
|
||||
max_payload_size /* 22 */
|
||||
);
|
||||
|
||||
if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) {
|
||||
@@ -1001,7 +1114,7 @@ int main(int argc, char *argv[]) {
|
||||
if (do_native_frag && !(do_fragment_http || do_fragment_https)) {
|
||||
puts("\nERROR: Native fragmentation is enabled but fragment sizes are not set.\n"
|
||||
"Fragmentation has no effect.");
|
||||
exit(EXIT_FAILURE);
|
||||
die();
|
||||
}
|
||||
|
||||
if (max_payload_size)
|
||||
@@ -1020,6 +1133,15 @@ int main(int argc, char *argv[]) {
|
||||
filter_num++;
|
||||
}
|
||||
|
||||
if (do_block_quic) {
|
||||
filters[filter_num] = init(
|
||||
FILTER_PASSIVE_BLOCK_QUIC,
|
||||
WINDIVERT_FLAG_DROP);
|
||||
if (filters[filter_num] == NULL)
|
||||
die();
|
||||
filter_num++;
|
||||
}
|
||||
|
||||
/*
|
||||
* IPv4 & IPv6 filter for inbound HTTP redirection packets and
|
||||
* active DPI circumvention
|
||||
@@ -1033,16 +1155,20 @@ int main(int argc, char *argv[]) {
|
||||
if (filters[i] == NULL)
|
||||
die();
|
||||
}
|
||||
|
||||
if (debug_exit) {
|
||||
printf("Debug Exit\n");
|
||||
exit(EXIT_SUCCESS);
|
||||
}
|
||||
printf("Filter activated, GoodbyeDPI is now running!\n");
|
||||
signal(SIGINT, sigint_handler);
|
||||
|
||||
while (1) {
|
||||
if (WinDivertRecv(w_filter, packet, sizeof(packet), &addr, &packetLen)) {
|
||||
debug("Got %s packet, len=%d!\n", addr.Direction ? "inbound" : "outbound",
|
||||
if (WinDivertRecv(w_filter, packet, sizeof(packet), &packetLen, &addr)) {
|
||||
debug("Got %s packet, len=%d!\n", addr.Outbound ? "outbound" : "inbound",
|
||||
packetLen);
|
||||
should_reinject = 1;
|
||||
should_recalc_checksum = 0;
|
||||
sni_ok = 0;
|
||||
|
||||
ppIpHdr = (PWINDIVERT_IPHDR)NULL;
|
||||
ppIpV6Hdr = (PWINDIVERT_IPV6HDR)NULL;
|
||||
@@ -1052,36 +1178,36 @@ int main(int argc, char *argv[]) {
|
||||
packet_type = unknown;
|
||||
|
||||
// Parse network packet and set it's type
|
||||
if ((packet_v4 = WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
|
||||
NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen)))
|
||||
if (WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
|
||||
&ppIpV6Hdr, NULL, NULL, NULL, &ppTcpHdr, &ppUdpHdr, &packet_data, &packet_dataLen,
|
||||
NULL, NULL))
|
||||
{
|
||||
if (ppIpHdr) {
|
||||
packet_v4 = 1;
|
||||
if (ppTcpHdr) {
|
||||
packet_type = ipv4_tcp;
|
||||
if (packet_data) {
|
||||
packet_type = ipv4_tcp_data;
|
||||
}
|
||||
else if ((packet_v6 = WinDivertHelperParsePacket(packet, packetLen, NULL,
|
||||
&ppIpV6Hdr, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen)))
|
||||
{
|
||||
packet_type = ipv6_tcp_data;
|
||||
}
|
||||
else if ((packet_v4 = WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
|
||||
NULL, NULL, NULL, &ppTcpHdr, NULL, NULL, NULL)))
|
||||
{
|
||||
packet_type = ipv4_tcp;
|
||||
}
|
||||
else if ((packet_v6 = WinDivertHelperParsePacket(packet, packetLen, NULL,
|
||||
&ppIpV6Hdr, NULL, NULL, &ppTcpHdr, NULL, NULL, NULL)))
|
||||
{
|
||||
packet_type = ipv6_tcp;
|
||||
}
|
||||
else if ((packet_v4 = WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
|
||||
NULL, NULL, NULL, NULL, &ppUdpHdr, &packet_data, &packet_dataLen)))
|
||||
{
|
||||
else if (ppUdpHdr && packet_data) {
|
||||
packet_type = ipv4_udp_data;
|
||||
}
|
||||
else if ((packet_v6 = WinDivertHelperParsePacket(packet, packetLen, NULL,
|
||||
&ppIpV6Hdr, NULL, NULL, NULL, &ppUdpHdr, &packet_data, &packet_dataLen)))
|
||||
{
|
||||
}
|
||||
|
||||
else if (ppIpV6Hdr) {
|
||||
packet_v6 = 1;
|
||||
if (ppTcpHdr) {
|
||||
packet_type = ipv6_tcp;
|
||||
if (packet_data) {
|
||||
packet_type = ipv6_tcp_data;
|
||||
}
|
||||
}
|
||||
else if (ppUdpHdr && packet_data) {
|
||||
packet_type = ipv6_udp_data;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
debug("packet_type: %d, packet_v4: %d, packet_v6: %d\n", packet_type, packet_v4, packet_v6);
|
||||
|
||||
@@ -1090,7 +1216,7 @@ int main(int argc, char *argv[]) {
|
||||
/* Got a TCP packet WITH DATA */
|
||||
|
||||
/* Handle INBOUND packet with data and find HTTP REDIRECT in there */
|
||||
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND && packet_dataLen > 16) {
|
||||
if (!addr.Outbound && packet_dataLen > 16) {
|
||||
/* If INBOUND packet with DATA (tcp.Ack) */
|
||||
|
||||
/* Drop packets from filter with HTTP 30x Redirect */
|
||||
@@ -1114,7 +1240,7 @@ int main(int argc, char *argv[]) {
|
||||
/* Handle OUTBOUND packet on port 443, search for something that resembles
|
||||
* TLS handshake, send fake request.
|
||||
*/
|
||||
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
|
||||
else if (addr.Outbound &&
|
||||
((do_fragment_https ? packet_dataLen == https_fragment_size : 0) ||
|
||||
packet_dataLen > 16) &&
|
||||
ppTcpHdr->DstPort != htons(80) &&
|
||||
@@ -1126,9 +1252,9 @@ int main(int argc, char *argv[]) {
|
||||
* But if the packet is more than 2 bytes, check ClientHello byte.
|
||||
*/
|
||||
if ((packet_dataLen == 2 && memcmp(packet_data, "\x16\x03", 2) == 0) ||
|
||||
(packet_dataLen >= 3 && memcmp(packet_data, "\x16\x03\x01", 3) == 0))
|
||||
(packet_dataLen >= 3 && ( memcmp(packet_data, "\x16\x03\x01", 3) == 0 || memcmp(packet_data, "\x16\x03\x03", 3) == 0 )))
|
||||
{
|
||||
if (do_blacklist) {
|
||||
if (do_blacklist || do_fragment_by_sni) {
|
||||
sni_ok = extract_sni(packet_data, packet_dataLen,
|
||||
&host_addr, &host_len);
|
||||
}
|
||||
@@ -1144,7 +1270,7 @@ int main(int argc, char *argv[]) {
|
||||
char lsni[HOST_MAXLEN + 1] = {0};
|
||||
extract_sni(packet_data, packet_dataLen,
|
||||
&host_addr, &host_len);
|
||||
memcpy(&lsni, host_addr, host_len);
|
||||
memcpy(lsni, host_addr, host_len);
|
||||
printf("Blocked HTTPS website SNI: %s\n", lsni);
|
||||
#endif
|
||||
if (do_fake_packet) {
|
||||
@@ -1158,7 +1284,7 @@ int main(int argc, char *argv[]) {
|
||||
}
|
||||
}
|
||||
/* Handle OUTBOUND packet on port 80, search for Host header */
|
||||
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
|
||||
else if (addr.Outbound &&
|
||||
packet_dataLen > 16 &&
|
||||
(do_http_allports ? 1 : (ppTcpHdr->DstPort == htons(80))) &&
|
||||
find_http_method_end(packet_data,
|
||||
@@ -1179,7 +1305,7 @@ int main(int argc, char *argv[]) {
|
||||
host_len = hdr_value_len;
|
||||
#ifdef DEBUG
|
||||
char lhost[HOST_MAXLEN + 1] = {0};
|
||||
memcpy(&lhost, host_addr, host_len);
|
||||
memcpy(lhost, host_addr, host_len);
|
||||
printf("Blocked HTTP website Host: %s\n", lhost);
|
||||
#endif
|
||||
|
||||
@@ -1281,8 +1407,12 @@ int main(int argc, char *argv[]) {
|
||||
current_fragment_size = http_fragment_size;
|
||||
}
|
||||
else if (do_fragment_https && ppTcpHdr->DstPort != htons(80)) {
|
||||
if (do_fragment_by_sni && sni_ok) {
|
||||
current_fragment_size = (void*)host_addr - packet_data;
|
||||
} else {
|
||||
current_fragment_size = https_fragment_size;
|
||||
}
|
||||
}
|
||||
|
||||
if (current_fragment_size) {
|
||||
send_native_fragment(w_filter, addr, packet, packetLen, packet_data,
|
||||
@@ -1302,7 +1432,7 @@ int main(int argc, char *argv[]) {
|
||||
/* Else if we got TCP packet without data */
|
||||
else if (packet_type == ipv4_tcp || packet_type == ipv6_tcp) {
|
||||
/* If we got INBOUND SYN+ACK packet */
|
||||
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND &&
|
||||
if (!addr.Outbound &&
|
||||
ppTcpHdr->Syn == 1 && ppTcpHdr->Ack == 1) {
|
||||
//printf("Changing Window Size!\n");
|
||||
/*
|
||||
@@ -1342,7 +1472,7 @@ int main(int argc, char *argv[]) {
|
||||
else if ((do_dnsv4_redirect && (packet_type == ipv4_udp_data)) ||
|
||||
(do_dnsv6_redirect && (packet_type == ipv6_udp_data)))
|
||||
{
|
||||
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND) {
|
||||
if (!addr.Outbound) {
|
||||
if ((packet_v4 && dns_handle_incoming(&ppIpHdr->DstAddr, ppUdpHdr->DstPort,
|
||||
packet_data, packet_dataLen,
|
||||
&dns_conn_info, 0))
|
||||
@@ -1372,7 +1502,7 @@ int main(int argc, char *argv[]) {
|
||||
}
|
||||
}
|
||||
|
||||
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND) {
|
||||
else if (addr.Outbound) {
|
||||
if ((packet_v4 && dns_handle_outgoing(&ppIpHdr->SrcAddr, ppUdpHdr->SrcPort,
|
||||
&ppIpHdr->DstAddr, ppUdpHdr->DstPort,
|
||||
packet_data, packet_dataLen, 0))
|
||||
@@ -1410,7 +1540,7 @@ int main(int argc, char *argv[]) {
|
||||
if (should_recalc_checksum) {
|
||||
WinDivertHelperCalcChecksums(packet, packetLen, &addr, (UINT64)0LL);
|
||||
}
|
||||
WinDivertSend(w_filter, packet, packetLen, &addr, NULL);
|
||||
WinDivertSend(w_filter, packet, packetLen, NULL, &addr);
|
||||
}
|
||||
}
|
||||
else {
|
||||
|
||||
@@ -30,7 +30,7 @@ int service_register(int argc, char *argv[])
|
||||
*/
|
||||
if (!service_argc && !service_argv) {
|
||||
service_argc = argc;
|
||||
service_argv = malloc(sizeof(void*) * (size_t)argc);
|
||||
service_argv = calloc((size_t)(argc + 1), sizeof(void*));
|
||||
for (i = 0; i < argc; i++) {
|
||||
service_argv[i] = strdup(argv[i]);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user