Version v0.1.6

Add 'GreenTunnel' to 'Similar projects' section.

.editorconfig

@@ -0,0 +1,8 @@
+root = true
+
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 4
+insert_final_newline = true
+end_of_line = lf

.github/ISSUE_TEMPLATE/bug-report----------------------.md

@@ -0,0 +1,45 @@
+---
+name: Bug report / сообщение об ошибке
+about: Report software issue / сообщить об ошибке в программе
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!--
+WARNING! Please pay some attention!
+GoodbyeDPI does not guarantee to work on your ISP on 100% or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it.
+Please report software bugs, such as: website incompatibility (if the website works without GoodbyeDPI but breaks with GoobyeDPI enabled), antivirus incompatibility, DNS redirection problems, incorrect packet handling, and other software issues.
+Please make sure to check other opened and closed issues, it could be your question or issue has been already discussed.
+
+ВНИМАНИЕ! Пожалуйста, прочтите!
+GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу вообще. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
+Сообщайте только об ошибках в программе, таких как: некорректная работа с веб-сайтами (когда веб-сайт работает без GoodbyeDPI, но ломается с GoodbyeDPI), несовместимость с антивирусами, проблемы с перенаправлением DNS, некорректная обработка пакетов, и другие проблемы.
+Также посмотрите другие открытые и закрытые баги. Возможно, ваш вопрос или проблема уже обсуждались.
+-->
+
+**Describe the bug / Опишите проблему**
+A clear and concise description of what the bug is. If the issue about software incompatibility, include your operating system version and software name/version.
+Подробно опишите, в чём заключается проблема. Если проблема касается совместимости с другими программами, укажите версию вашей операционной системы, имя и версию программы.
+
+**To Reproduce / Шаги воспроизведения проблемы**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior / ожидаемое поведение программы**
+A clear and concise description of what you expected to happen.
+Подробно опишите, как вы ожидаете, чтобы программа работала.
+
+**Actual behavior / текущее поведение программы**
+A clear and concise description of what you expected to happen.
+Подробно опишите, что происходит с программой на текущий момент.
+
+**Screenshots / Скриншоты**
+If applicable, add screenshots to help explain your problem.
+Если необходимо, добавьте скриншоты, объясняющие проблему.
+
+**Additional context / дополнительная информация**

.github/ISSUE_TEMPLATE/feature-request------------------------------------.md

@@ -0,0 +1,12 @@
+---
+name: Feature request / предложить новую функциональность
+about: Suggest an idea or function for this project / предложить новую идею или функциональность
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Description / Описание**
+A clear and concise description of your suggestion.
+Детальное описание вашего предложения.

Makefile

@@ -1,37 +0,0 @@
-ifndef MSYSTEM
-	CPREFIX = x86_64-w64-mingw32-
-endif
-
-WINDIVERTHEADERS = ../../include
-WINDIVERTLIBS = ../binary
-
-TARGET = goodbyedpi.exe
-LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32
-CC = $(CPREFIX)gcc
-CCWINDRES = $(CPREFIX)windres
-CFLAGS = -Wall -Wextra -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
-         -O2 -pie -fPIE -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
-LDFLAGS = -Wl,-O1,--sort-common,--as-needed
-
-.PHONY: default all clean
-
-default: manifest $(TARGET)
-all: default
-
-OBJECTS = $(patsubst %.c, %.o, $(wildcard *.c)) goodbyedpi-rc.o
-HEADERS = $(wildcard *.h)
-
-%.o: %.c $(HEADERS)
-	$(CC) $(CFLAGS) -c $< -o $@
-
-manifest:
-	$(CCWINDRES) goodbyedpi-rc.rc goodbyedpi-rc.o
-
-.PRECIOUS: $(TARGET) $(OBJECTS)
-
-$(TARGET): $(OBJECTS)
-	$(CC) $(OBJECTS) -Wall $(LDFLAGS) $(LIBS) -s -o $@
-
-clean:
-	-rm -f *.o
-	-rm -f $(TARGET)

README.md

@@ -23,14 +23,20 @@ Usage: goodbyedpi.exe [OPTION...]
  -e [value]  set HTTPS fragmentation to value
  -a          additional space between Method and Request-URI (enables -s, may break sites)
  -w          try to find and parse HTTP traffic on all processed ports (not only on port 80)
- --port      [value]    additional TCP port to perform fragmentation on (and HTTP tricks with -w)
+ --port        [value]    additional TCP port to perform fragmentation on (and HTTP tricks with -w)
- --ip-id     [value]    handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
+ --ip-id       [value]    handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
-                        This option can be supplied multiple times.
+                          This option can be supplied multiple times.
- --dns-addr  [value]    redirect UDP DNS requests to the supplied IP address (experimental)
+ --dns-addr    [value]    redirect UDP DNS requests to the supplied IP address (experimental)
- --dns-port  [value]    redirect UDP DNS requests to the supplied port (53 by default)
+ --dns-port    [value]    redirect UDP DNS requests to the supplied port (53 by default)
- --dns-verb             print verbose DNS redirection messages
+ --dnsv6-addr  [value]    redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)
- --blacklist [txtfile]  perform HTTP tricks only to host names and subdomains from
+ --dnsv6-port  [value]    redirect UDPv6 DNS requests to the supplied port (53 by default)
-                        supplied text file. This option can be supplied multiple times.
+ --dns-verb               print verbose DNS redirection messages
+ --blacklist   [txtfile]  perform HTTP tricks only to host names and subdomains from
+                          supplied text file. This option can be supplied multiple times.
+ --set-ttl     [value]    activate Fake Request Mode and send it with supplied TTL value.
+                          DANGEROUS! May break websites in unexpected ways. Use with care.
+ --wrong-chksum           activate Fake Request Mode and send it with incorrect TCP checksum.
+                          May not work in a VM or with some routers, but is safer than set-ttl.
 
  -1          -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode, default)
  -2          -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)
@@ -54,7 +60,7 @@ Most Passive DPI send HTTP 302 Redirect if you try to access blocked website ove
 
 ### Active DPI
 
-Active DPI is more tricky to fool. Currently the software uses 6 methods to circumvent Active DPI:
+Active DPI is more tricky to fool. Currently the software uses 7 methods to circumvent Active DPI:
 
 * TCP-level fragmentation for first data packet
 * TCP-level fragmentation for persistent (keep-alive) HTTP sessions
@@ -62,6 +68,7 @@ Active DPI is more tricky to fool. Currently the software uses 6 methods to circ
 * Removing space between header name and value in `Host` header
 * Adding additional space between HTTP Method (GET, POST etc) and URI
 * Mixing case of Host header value
+* Sending fake HTTP/HTTPS packets with low Time-To-Live value or incorrect checksum to fool DPI and prevent delivering them to the destination
 
 These methods should not break any website as they're fully compatible with TCP and HTTP standards, yet it's sufficient to prevent DPI data classification and to circumvent censorship. Additional space may break some websites, although it's acceptable by HTTP/1.1 specification (see 19.3 Tolerant Applications).
 
@@ -77,16 +84,24 @@ To build x86 exe run:
 
 And for x86_64:
 
-`make CPREFIX=x86_64-w64-mingw32- WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/amd64`
+`make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=/path/to/windivert/include WINDIVERTLIBS=/path/to/windivert/amd64`
 
 # How to install as Windows Service
 
 Use `service_install_russia_blacklist.cmd`, `service_install_russia_blacklist_dnsredir.cmd` and `service_remove.cmd` scripts.  
 Modify them according to your own needs.
 
+# Known issues
+
+* Horribly outdated Windows 7 installations are not able to load WinDivert driver due to missing support for SHA256 digital signatures. Install KB3033929 [x86](https://www.microsoft.com/en-us/download/details.aspx?id=46078)/[x64](https://www.microsoft.com/en-us/download/details.aspx?id=46148), or better, update the whole system using Windows Update.
+* Some SSL/TLS stacks unable to process fragmented ClientHello packets, and HTTPS websites won't open. Bug: [#4](https://github.com/ValdikSS/GoodbyeDPI/issues/4), [#64](https://github.com/ValdikSS/GoodbyeDPI/issues/64).
+* ESET Antivirus is incompatible with WinDivert driver [#91](https://github.com/ValdikSS/GoodbyeDPI/issues/91). This is most probably antivirus bug, not WinDivert.
+
+
 # Similar projects
 
-[zapret](https://github.com/bol-van/zapret) by @bol-van (for Linux).
+- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for Linux).
+- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows).
 
 # Kudos
 

blackwhitelist.h

@@ -1,2 +0,0 @@
-int blackwhitelist_load_list(const char *filename);
-int blackwhitelist_check_hostname(const char *host_addr, int host_len);

src/Makefile

@@ -0,0 +1,50 @@
+ifndef MSYSTEM
+	CPREFIX = x86_64-w64-mingw32-
+endif
+
+WINDIVERTHEADERS = ../../../include
+WINDIVERTLIBS = ../../binary
+MINGWLIB = /usr/x86_64-w64-mingw32/lib/
+
+TARGET = goodbyedpi.exe
+# Linking SSP does not work for some reason, the executable doesn't start.
+#LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
+LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32
+CC = $(CPREFIX)gcc
+CCWINDRES = $(CPREFIX)windres
+CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
+         -O2 -D_FORTIFY_SOURCE=2 \
+         -Wall -Wextra -Wpedantic -Wformat=2 -Wshadow -Wstrict-aliasing=1 -Werror=format-security \
+         -Wfloat-equal -Wcast-align -Wsign-conversion \
+         #-fstack-protector-strong
+LDFLAGS = -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
+-Wl,--image-base,0x140000000 -Wl,--disable-auto-image-base
+
+ifdef BIT64
+	LDFLAGS += -Wl,--high-entropy-va -Wl,--pic-executable,-e,mainCRTStartup
+else
+	LDFLAGS += -Wl,--pic-executable,-e,_mainCRTStartup
+endif
+
+.PHONY: default all clean
+
+default: manifest $(TARGET)
+all: default
+
+OBJECTS = $(patsubst %.c, %.o, $(wildcard *.c utils/*.c)) goodbyedpi-rc.o
+HEADERS = $(wildcard *.h utils/*.h)
+
+%.o: %.c $(HEADERS)
+	$(CC) $(CFLAGS) -c $< -o $@
+
+manifest:
+	$(CCWINDRES) goodbyedpi-rc.rc goodbyedpi-rc.o
+
+.PRECIOUS: $(TARGET) $(OBJECTS)
+
+$(TARGET): $(OBJECTS)
+	$(CC) $(OBJECTS) $(LDFLAGS) $(LIBS) -s -o $@
+
+clean:
+	-rm -f *.o utils/*.o
+	-rm -f $(TARGET)

src/blackwhitelist.c

@@ -8,8 +8,8 @@
 #include <windows.h>
 #include <stdio.h>
 #include "goodbyedpi.h"
-#include "uthash.h"
+#include "utils/uthash.h"
-#include "getline.h"
+#include "utils/getline.h"
 
 typedef struct blackwhitelist_record {
     const char *host;
@@ -84,7 +84,7 @@ int blackwhitelist_load_list(const char *filename) {
     return TRUE;
 }
 
-int blackwhitelist_check_hostname(const char *host_addr, int host_len) {
+int blackwhitelist_check_hostname(const char *host_addr, size_t host_len) {
     char current_host[HOST_MAXLEN + 1];
     char *tokenized_host = NULL;
 

src/blackwhitelist.h

@@ -0,0 +1,2 @@
+int blackwhitelist_load_list(const char *filename);
+int blackwhitelist_check_hostname(const char *host_addr, size_t host_len);

src/dnsredir.c

@@ -15,7 +15,7 @@
 #include <stdio.h>
 #include "goodbyedpi.h"
 #include "dnsredir.h"
-#include "uthash.h"
+#include "utils/uthash.h"
 
 /* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + srcport[2]) */
 #define UDP_CONNRECORD_KEY_LEN 19
@@ -89,7 +89,7 @@ inline static void fill_data_from_key(uint8_t *is_ipv6, uint32_t srcip[4], uint1
 }
 
 inline static void construct_key(const uint32_t srcip[4], const uint16_t srcport,
-                                 char *key, int is_ipv6)
+                                 char *key, const uint8_t is_ipv6)
 {
     debug("Construct key enter\n");
     if (key) {
@@ -135,7 +135,7 @@ static int check_get_udp_conntrack_key(const char *key, udp_connrecord_t **connr
 
 static int add_udp_conntrack(const uint32_t srcip[4], const uint16_t srcport,
                              const uint32_t dstip[4], const uint16_t dstport,
-                             const int is_ipv6
+                             const uint8_t is_ipv6
                             )
 {
     if (!(srcip && srcport && dstip && dstport))

src/fakepackets.c

@@ -0,0 +1,166 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <in6addr.h>
+#include <ws2tcpip.h>
+#include "windivert.h"
+#include "goodbyedpi.h"
+
+static const char fake_http_request[] = "GET / HTTP/1.1\r\nHost: www.w3.org\r\n"
+                                        "User-Agent: curl/7.65.3\r\nAccept: */*\r\n"
+                                        "Accept-Encoding: deflate, gzip, br\r\n\r\n";
+static const unsigned char fake_https_request[] = {
+    0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xfc, 0x03, 0x03, 0x9a, 0x8f, 0xa7, 0x6a, 0x5d,
+    0x57, 0xf3, 0x62, 0x19, 0xbe, 0x46, 0x82, 0x45, 0xe2, 0x59, 0x5c, 0xb4, 0x48, 0x31, 0x12, 0x15,
+    0x14, 0x79, 0x2c, 0xaa, 0xcd, 0xea, 0xda, 0xf0, 0xe1, 0xfd, 0xbb, 0x20, 0xf4, 0x83, 0x2a, 0x94,
+    0xf1, 0x48, 0x3b, 0x9d, 0xb6, 0x74, 0xba, 0x3c, 0x81, 0x63, 0xbc, 0x18, 0xcc, 0x14, 0x45, 0x57,
+    0x6c, 0x80, 0xf9, 0x25, 0xcf, 0x9c, 0x86, 0x60, 0x50, 0x31, 0x2e, 0xe9, 0x00, 0x22, 0x13, 0x01,
+    0x13, 0x03, 0x13, 0x02, 0xc0, 0x2b, 0xc0, 0x2f, 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x2c, 0xc0, 0x30,
+    0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f, 0x00, 0x35,
+    0x01, 0x00, 0x01, 0x91, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x0d, 0x00, 0x00, 0x0a, 0x77, 0x77, 0x77,
+    0x2e, 0x77, 0x33, 0x2e, 0x6f, 0x72, 0x67, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00,
+    0x00, 0x0a, 0x00, 0x0e, 0x00, 0x0c, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01, 0x00,
+    0x01, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10, 0x00, 0x0e,
+    0x00, 0x0c, 0x02, 0x68, 0x32, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x00, 0x05,
+    0x00, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00, 0x6b, 0x00, 0x69, 0x00, 0x1d, 0x00,
+    0x20, 0xb0, 0xe4, 0xda, 0x34, 0xb4, 0x29, 0x8d, 0xd3, 0x5c, 0x70, 0xd3, 0xbe, 0xe8, 0xa7, 0x2a,
+    0x6b, 0xe4, 0x11, 0x19, 0x8b, 0x18, 0x9d, 0x83, 0x9a, 0x49, 0x7c, 0x83, 0x7f, 0xa9, 0x03, 0x8c,
+    0x3c, 0x00, 0x17, 0x00, 0x41, 0x04, 0x4c, 0x04, 0xa4, 0x71, 0x4c, 0x49, 0x75, 0x55, 0xd1, 0x18,
+    0x1e, 0x22, 0x62, 0x19, 0x53, 0x00, 0xde, 0x74, 0x2f, 0xb3, 0xde, 0x13, 0x54, 0xe6, 0x78, 0x07,
+    0x94, 0x55, 0x0e, 0xb2, 0x6c, 0xb0, 0x03, 0xee, 0x79, 0xa9, 0x96, 0x1e, 0x0e, 0x98, 0x17, 0x78,
+    0x24, 0x44, 0x0c, 0x88, 0x80, 0x06, 0x8b, 0xd4, 0x80, 0xbf, 0x67, 0x7c, 0x37, 0x6a, 0x5b, 0x46,
+    0x4c, 0xa7, 0x98, 0x6f, 0xb9, 0x22, 0x00, 0x2b, 0x00, 0x09, 0x08, 0x03, 0x04, 0x03, 0x03, 0x03,
+    0x02, 0x03, 0x01, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08,
+    0x04, 0x08, 0x05, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x03, 0x02, 0x01, 0x00,
+    0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1c, 0x00, 0x02, 0x40, 0x01, 0x00, 0x15, 0x00, 0x96, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+static int send_fake_data(const HANDLE w_filter,
+                          const PWINDIVERT_ADDRESS addr,
+                          const char *pkt,
+                          const UINT packetLen,
+                          const BOOL is_ipv6,
+                          const BOOL is_https,
+                          const BYTE set_ttl,
+                          const BYTE set_checksum
+                         ) {
+    char packet_fake[MAX_PACKET_SIZE];
+    WINDIVERT_ADDRESS addr_new;
+    PVOID packet_data;
+    UINT packet_dataLen;
+    UINT packetLen_new;
+    PWINDIVERT_IPHDR ppIpHdr;
+    PWINDIVERT_IPV6HDR ppIpV6Hdr;
+    PWINDIVERT_TCPHDR ppTcpHdr;
+    char *fake_request_data = is_https ? fake_https_request : fake_http_request;
+    UINT fake_request_size = is_https ? sizeof(fake_https_request) : sizeof(fake_http_request) - 1;
+
+    memcpy(&addr_new, addr, sizeof(WINDIVERT_ADDRESS));
+    memcpy(packet_fake, pkt, packetLen);
+
+    if (!is_ipv6) {
+        // IPv4 TCP Data packet
+        if (!WinDivertHelperParsePacket(packet_fake, packetLen, &ppIpHdr,
+            NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen))
+            return 1;
+    }
+    else {
+        // IPv6 TCP Data packet
+        if (!WinDivertHelperParsePacket(packet_fake, packetLen, NULL,
+            &ppIpV6Hdr, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen))
+            return 1;
+    }
+
+    if (packetLen + fake_request_size + 1 > MAX_PACKET_SIZE)
+        return 2;
+
+    memcpy(packet_data, fake_request_data, fake_request_size);
+    packetLen_new = packetLen - packet_dataLen + fake_request_size;
+
+    if (!is_ipv6) {
+        ppIpHdr->Length = htons(
+            ntohs(ppIpHdr->Length) -
+            packet_dataLen + fake_request_size
+        );
+
+        if (set_ttl)
+            ppIpHdr->TTL = set_ttl;
+    }
+    else {
+        ppIpV6Hdr->Length = htons(
+            ntohs(ppIpV6Hdr->Length) -
+            packet_dataLen + fake_request_size
+        );
+
+        if (set_ttl)
+            ppIpV6Hdr->HopLimit = set_ttl;
+    }
+
+    // Recalculate the checksum
+    addr_new.PseudoTCPChecksum = 0;
+    WinDivertHelperCalcChecksums(packet_fake, packetLen_new, &addr_new, NULL);
+
+    if (set_checksum) {
+        // ...and damage it
+        ppTcpHdr->Checksum = htons(ntohs(ppTcpHdr->Checksum) - 1);
+    }
+    //printf("Pseudo checksum: %d\n", addr_new.PseudoTCPChecksum);
+
+    WinDivertSend(
+        w_filter, packet_fake,
+        packetLen_new,
+        &addr_new, NULL
+    );
+    debug("Fake packet: OK");
+
+    return 0;
+}
+
+int send_fake_http_request(const HANDLE w_filter,
+                                  const PWINDIVERT_ADDRESS addr,
+                                  const char *pkt,
+                                  const UINT packetLen,
+                                  const BOOL is_ipv6,
+                                  const BYTE set_ttl,
+                                  const BYTE set_checksum
+                                 ) {
+    return send_fake_data(w_filter,
+                          addr,
+                          pkt,
+                          packetLen,
+                          is_ipv6,
+                          FALSE,
+                          set_ttl,
+                          set_checksum
+           );
+}
+
+int send_fake_https_request(const HANDLE w_filter,
+                                   const PWINDIVERT_ADDRESS addr,
+                                   const char *pkt,
+                                   const UINT packetLen,
+                                   const BOOL is_ipv6,
+                                   const BYTE set_ttl,
+                                   const BYTE set_checksum
+                                 ) {
+    return send_fake_data(w_filter,
+                          addr,
+                          pkt,
+                          packetLen,
+                          is_ipv6,
+                          TRUE,
+                          set_ttl,
+                          set_checksum
+           );
+}

src/fakepackets.h

@@ -0,0 +1,16 @@
+int send_fake_http_request(const HANDLE w_filter,
+                                  const PWINDIVERT_ADDRESS addr,
+                                  const char *pkt,
+                                  const UINT packetLen,
+                                  const BOOL is_ipv6,
+                                  const BYTE set_ttl,
+                                  const BYTE set_checksum
+                                 );
+int send_fake_https_request(const HANDLE w_filter,
+                                   const PWINDIVERT_ADDRESS addr,
+                                   const char *pkt,
+                                   const UINT packetLen,
+                                   const BOOL is_ipv6,
+                                   const BYTE set_ttl,
+                                   const BYTE set_checksum
+                                 );

src/goodbyedpi.c

@@ -13,18 +13,20 @@
 #include <ws2tcpip.h>
 #include "windivert.h"
 #include "goodbyedpi.h"
-#include "repl_str.h"
+#include "utils/repl_str.h"
 #include "service.h"
 #include "dnsredir.h"
 #include "blackwhitelist.h"
+#include "fakepackets.h"
 
 // My mingw installation does not load inet_pton definition for some reason
 WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pAddr);
 
+#define GOODBYEDPI_VERSION "v0.1.6"
+
 #define die() do { sleep(20); exit(EXIT_FAILURE); } while (0)
 
 #define MAX_FILTERS 4
-#define MAX_PACKET_SIZE 9016
 
 #define DIVERT_NO_LOCALNETSv4_DST "(" \
                    "(ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and " \
@@ -59,33 +61,30 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
 /* #IPID# is a template to find&replace */
 #define IPID_TEMPLATE "#IPID#"
 #define FILTER_STRING_TEMPLATE \
-        "(tcp and " \
+        "(tcp and !impostor and !loopback and " \
-        "(inbound and (" \
+        "((inbound and (" \
          "(" \
           "(" \
-           "((ip.Id >= 0x0 and ip.Id <= 0xF) " IPID_TEMPLATE \
+           "(ipv6 or (ip.Id >= 0x0 and ip.Id <= 0xF) " IPID_TEMPLATE \
            ") and " \
            "tcp.SrcPort == 80 and tcp.Ack" \
           ") or " \
           "((tcp.SrcPort == 80 or tcp.SrcPort == 443) and tcp.Ack and tcp.Syn)" \
          ")" \
-         " and (" DIVERT_NO_LOCALNETSv4_SRC " or " DIVERT_NO_LOCALNETSv6_SRC ")) or " \
+         " and (" DIVERT_NO_LOCALNETSv4_SRC " or " DIVERT_NO_LOCALNETSv6_SRC "))) or " \
         "(outbound and " \
          "(tcp.DstPort == 80 or tcp.DstPort == 443) and tcp.Ack and " \
          "(" DIVERT_NO_LOCALNETSv4_DST " or " DIVERT_NO_LOCALNETSv6_DST "))" \
         "))"
 #define FILTER_PASSIVE_STRING_TEMPLATE "inbound and ip and tcp and " \
+        "!impostor and !loopback and " \
         "((ip.Id <= 0xF and ip.Id >= 0x0) " IPID_TEMPLATE ") and " \
         "(tcp.SrcPort == 443 or tcp.SrcPort == 80) and tcp.Rst and " \
         DIVERT_NO_LOCALNETSv4_SRC
 
 #define SET_HTTP_FRAGMENT_SIZE_OPTION(fragment_size) do { \
     if (!http_fragment_size) { \
-        if (fragment_size <= 0 || fragment_size > 65535) { \
+        http_fragment_size = (unsigned int)fragment_size; \
-            puts("Fragment size should be in range [0 - 65535]\n"); \
-            exit(EXIT_FAILURE); \
-        } \
-        http_fragment_size = fragment_size; \
     } \
     else if (http_fragment_size != (unsigned int)fragment_size) { \
         printf( \
@@ -98,13 +97,13 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
 static int running_from_service = 0;
 static HANDLE filters[MAX_FILTERS];
 static int filter_num = 0;
-static const char *http10_redirect_302 = "HTTP/1.0 302 ";
+static const char http10_redirect_302[] = "HTTP/1.0 302 ";
-static const char *http11_redirect_302 = "HTTP/1.1 302 ";
+static const char http11_redirect_302[] = "HTTP/1.1 302 ";
-static const char *http_host_find = "\r\nHost: ";
+static const char http_host_find[] = "\r\nHost: ";
-static const char *http_host_replace = "\r\nhoSt: ";
+static const char http_host_replace[] = "\r\nhoSt: ";
-static const char *http_useragent_find = "\r\nUser-Agent: ";
+static const char http_useragent_find[] = "\r\nUser-Agent: ";
-static const char *location_http = "\r\nLocation: http://";
+static const char location_http[] = "\r\nLocation: http://";
-static const char *connection_close = "\r\nConnection: close";
+static const char connection_close[] = "\r\nConnection: close";
 static const char *http_methods[] = {
     "GET ",
     "HEAD ",
@@ -124,6 +123,8 @@ static struct option long_options[] = {
     {"dns-verb",    no_argument,       0,  'v' },
     {"blacklist",   required_argument, 0,  'b' },
     {"ip-id",       required_argument, 0,  'i' },
+    {"set-ttl",     required_argument, 0,  '$' },
+    {"wrong-chksum",no_argument,       0,  '%' },
     {0,             0,                 0,   0  }
 };
 
@@ -131,11 +132,13 @@ static char *filter_string = NULL;
 static char *filter_passive_string = NULL;
 
 static void add_filter_str(int proto, int port) {
-    const char *udp = " or (udp and (udp.SrcPort == %d or udp.DstPort == %d))";
+    const char *udp = " or (udp and !impostor and !loopback and " \
-    const char *tcp = " or (tcp and (tcp.SrcPort == %d or tcp.DstPort == %d))";
+                      "(udp.SrcPort == %d or udp.DstPort == %d))";
+    const char *tcp = " or (tcp and !impostor and !loopback and " \
+                      "(tcp.SrcPort == %d or tcp.DstPort == %d))";
 
     char *current_filter = filter_string;
-    int new_filter_size = strlen(current_filter) +
+    size_t new_filter_size = strlen(current_filter) +
             (proto == IPPROTO_UDP ? strlen(udp) : strlen(tcp)) + 16;
     char *new_filter = malloc(new_filter_size);
 
@@ -177,10 +180,12 @@ static void finalize_filter_strings() {
     filter_passive_string = newstr;
 }
 
-static char* dumb_memmem(const char* haystack, int hlen, const char* needle, int nlen) {
+static char* dumb_memmem(const char* haystack, unsigned int hlen,
+                         const char* needle, size_t nlen)
+{
     // naive implementation
     if (nlen > hlen) return NULL;
-    int i;
+    size_t i;
     for (i=0; i<hlen-nlen+1; i++) {
         if (memcmp(haystack+i,needle,nlen)==0) {
             return (char*)(haystack+i);
@@ -189,6 +194,33 @@ static char* dumb_memmem(const char* haystack, int hlen, const char* needle, int
     return NULL;
 }
 
+unsigned short int atousi(const char *str, const char *msg) {
+    long unsigned int res = strtoul(str, NULL, 10u);
+    enum {
+        limitValue=0xFFFFu
+    };
+
+    if(res > limitValue) {
+        puts(msg);
+        exit(EXIT_FAILURE);
+    }
+    return (unsigned short int)res;
+}
+
+BYTE atoub(const char *str, const char *msg) {
+    long unsigned int res = strtoul(str, NULL, 10u);
+    enum {
+        limitValue=0xFFu
+    };
+
+    if(res > limitValue) {
+        puts(msg);
+        exit(EXIT_FAILURE);
+    }
+    return (BYTE)res;
+}
+
+
 static HANDLE init(char *filter, UINT64 flags) {
     LPTSTR errormessage = NULL;
     DWORD errorcode = 0;
@@ -234,39 +266,39 @@ static void sigint_handler(int sig __attribute__((unused))) {
     exit(EXIT_SUCCESS);
 }
 
-static void mix_case(char *pktdata, int pktlen) {
+static void mix_case(char *pktdata, unsigned int pktlen) {
-    int i;
+    unsigned int i;
 
     if (pktlen <= 0) return;
     for (i = 0; i < pktlen; i++) {
         if (i % 2) {
-            pktdata[i] = toupper(pktdata[i]);
+            pktdata[i] = (char) toupper(pktdata[i]);
         }
     }
 }
 
-static int is_passivedpi_redirect(const char *pktdata, int pktlen) {
+static int is_passivedpi_redirect(const char *pktdata, unsigned int pktlen) {
     /* First check if this is HTTP 302 redirect */
-    if (memcmp(pktdata, http11_redirect_302, strlen(http11_redirect_302)) == 0 ||
+    if (memcmp(pktdata, http11_redirect_302, sizeof(http11_redirect_302)-1) == 0 ||
-        memcmp(pktdata, http10_redirect_302, strlen(http10_redirect_302)) == 0)
+        memcmp(pktdata, http10_redirect_302, sizeof(http10_redirect_302)-1) == 0)
     {
         /* Then check if this is a redirect to new http site with Connection: close */
-        if (dumb_memmem(pktdata, pktlen, location_http, strlen(location_http)) &&
+        if (dumb_memmem(pktdata, pktlen, location_http, sizeof(location_http)-1) &&
-            dumb_memmem(pktdata, pktlen, connection_close, strlen(connection_close))) {
+            dumb_memmem(pktdata, pktlen, connection_close, sizeof(connection_close)-1)) {
             return TRUE;
         }
     }
     return FALSE;
 }
 
-static int find_header_and_get_info(const char *pktdata, int pktlen,
+static int find_header_and_get_info(const char *pktdata, unsigned int pktlen,
                 const char *hdrname,
                 char **hdrnameaddr,
-                char **hdrvalueaddr, int *hdrvaluelen) {
+                char **hdrvalueaddr, unsigned int *hdrvaluelen) {
     char *data_addr_rn;
     char *hdr_begin;
 
-    *hdrvaluelen = 0;
+    *hdrvaluelen = 0u;
     *hdrnameaddr = NULL;
     *hdrvalueaddr = NULL;
 
@@ -286,20 +318,20 @@ static int find_header_and_get_info(const char *pktdata, int pktlen,
                         "\r\n", 2);
     if (data_addr_rn) {
         *hdrvaluelen = (PVOID)data_addr_rn - (PVOID)*hdrvalueaddr;
-        if (*hdrvaluelen > 0 && *hdrvaluelen <= 512)
+        if (*hdrvaluelen > 0u && *hdrvaluelen <= 512u)
             return TRUE;
     }
     return FALSE;
 }
 
-static inline void change_window_size(const PWINDIVERT_TCPHDR ppTcpHdr, int size) {
+static inline void change_window_size(const PWINDIVERT_TCPHDR ppTcpHdr, unsigned int size) {
-    if (size >= 1 && size <= 65535) {
+    if (size >= 1 && size <= 0xFFFFu) {
-        ppTcpHdr->Window = htons(size);
+        ppTcpHdr->Window = htons((u_short)size);
     }
 }
 
 /* HTTP method end without trailing space */
-static PVOID find_http_method_end(const char *pkt, int http_frag, int *is_fragmented) {
+static PVOID find_http_method_end(const char *pkt, unsigned int http_frag, int *is_fragmented) {
     unsigned int i;
     for (i = 0; i<(sizeof(http_methods) / sizeof(*http_methods)); i++) {
         if (memcmp(pkt, http_methods[i], strlen(http_methods[i])) == 0) {
@@ -350,20 +382,22 @@ int main(int argc, char *argv[]) {
         do_http_allports = 0,
         do_host_mixedcase = 0,
         do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
-        do_dns_verb = 0, do_blacklist = 0;
+        do_dns_verb = 0, do_blacklist = 0,
-    unsigned int http_fragment_size = 2;
+        do_wrong_chksum = 0;
-    unsigned int https_fragment_size = 2;
+    unsigned int http_fragment_size = 0;
+    unsigned int https_fragment_size = 0;
+    BYTE ttl_of_fake_packet = 0;
     uint32_t dnsv4_addr = 0;
     struct in6_addr dnsv6_addr = {0};
     struct in6_addr dns_temp_addr = {0};
     uint16_t dnsv4_port = htons(53);
     uint16_t dnsv6_port = htons(53);
     char *host_addr, *useragent_addr, *method_addr;
-    int host_len, useragent_len;
+    unsigned int host_len, useragent_len;
     int http_req_fragmented;
 
     char *hdr_name_addr = NULL, *hdr_value_addr = NULL;
-    int hdr_value_len;
+    unsigned int hdr_value_len;
 
     // Make sure to search DLLs only in safe path, not in current working dir.
     SetDllDirectory("");
@@ -393,12 +427,14 @@ int main(int argc, char *argv[]) {
         filter_passive_string = strdup(FILTER_PASSIVE_STRING_TEMPLATE);
 
     printf(
-        "GoodbyeDPI: Passive DPI blocker and Active DPI circumvention utility\n"
+        "GoodbyeDPI " GOODBYEDPI_VERSION
+        ": Passive DPI blocker and Active DPI circumvention utility\n"
         "https://github.com/ValdikSS/GoodbyeDPI\n\n"
     );
 
     if (argc == 1) {
         /* enable mode -1 by default */
+        http_fragment_size = https_fragment_size = 2;
         do_passivedpi = do_host = do_host_removespace \
                 = do_fragment_http = do_fragment_https \
                 = do_fragment_http_persistent \
@@ -418,12 +454,12 @@ int main(int argc, char *argv[]) {
                 = do_fragment_http = do_fragment_https \
                 = do_fragment_http_persistent \
                 = do_fragment_http_persistent_nowait = 1;
-                https_fragment_size = 40;
+                https_fragment_size = 40u;
                 break;
             case '3':
                 do_passivedpi = do_host = do_host_removespace \
                 = do_fragment_https = 1;
-                https_fragment_size = 40;
+                https_fragment_size = 40u;
                 break;
             case '4':
                 do_passivedpi = do_host = do_host_removespace = 1;
@@ -446,22 +482,18 @@ int main(int argc, char *argv[]) {
                 break;
             case 'f':
                 do_fragment_http = 1;
-                SET_HTTP_FRAGMENT_SIZE_OPTION(atoi(optarg));
+                SET_HTTP_FRAGMENT_SIZE_OPTION(atousi(optarg, "Fragment size should be in range [0 - 0xFFFF]\n"));
                 break;
             case 'k':
                 do_fragment_http_persistent = 1;
-                SET_HTTP_FRAGMENT_SIZE_OPTION(atoi(optarg));
+                SET_HTTP_FRAGMENT_SIZE_OPTION(atousi(optarg, "Fragment size should be in range [0 - 0xFFFF]\n"));
                 break;
             case 'n':
                 do_fragment_http_persistent_nowait = 1;
                 break;
             case 'e':
                 do_fragment_https = 1;
-                https_fragment_size = atoi(optarg);
+                https_fragment_size = atousi(optarg, "Fragment size should be in range [0 - 65535]\n");
-                if (https_fragment_size <= 0 || https_fragment_size > 65535) {
-                    puts("Fragment size should be in range [0 - 65535]\n");
-                    exit(EXIT_FAILURE);
-                }
                 break;
             case 'w':
                 do_http_allports = 1;
@@ -479,11 +511,7 @@ int main(int argc, char *argv[]) {
                 break;
             case 'i':
                 /* i is used as a temporary variable here */
-                i = atoi(optarg);
+                i = atousi(optarg, "IP ID parameter error!\n");
-                if (i < 0 || i > 65535) {
-                    printf("IP ID parameter error!\n");
-                    exit(EXIT_FAILURE);
-                }
                 add_ip_id_str(i);
                 i = 0;
                 break;
@@ -526,11 +554,7 @@ int main(int argc, char *argv[]) {
                         "--dns-port");
                     exit(EXIT_FAILURE);
                 }
-                dnsv4_port = atoi(optarg);
+                dnsv4_port = atousi(optarg, "DNS port parameter error!");
-                if (atoi(optarg) <= 0 || atoi(optarg) > 65535) {
-                    puts("DNS port parameter error!");
-                    exit(EXIT_FAILURE);
-                }
                 if (dnsv4_port != 53) {
                     add_filter_str(IPPROTO_UDP, dnsv4_port);
                 }
@@ -543,11 +567,7 @@ int main(int argc, char *argv[]) {
                         "--dnsv6-port");
                     exit(EXIT_FAILURE);
                 }
-                dnsv6_port = atoi(optarg);
+                dnsv6_port = atousi(optarg, "DNS port parameter error!");
-                if (atoi(optarg) <= 0 || atoi(optarg) > 65535) {
-                    puts("DNS port parameter error!");
-                    exit(EXIT_FAILURE);
-                }
                 if (dnsv6_port != 53) {
                     add_filter_str(IPPROTO_UDP, dnsv6_port);
                 }
@@ -563,6 +583,12 @@ int main(int argc, char *argv[]) {
                     exit(EXIT_FAILURE);
                 }
                 break;
+            case '$':
+                ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!");
+                break;
+            case '%':
+                do_wrong_chksum = 1;
+                break;
             default:
                 puts("Usage: goodbyedpi.exe [OPTION...]\n"
                 " -p          block passive DPI\n"
@@ -584,6 +610,12 @@ int main(int argc, char *argv[]) {
                 " --dns-verb               print verbose DNS redirection messages\n"
                 " --blacklist   [txtfile]  perform HTTP tricks only to host names and subdomains from\n"
                 "                          supplied text file. This option can be supplied multiple times.\n"
+                " --set-ttl     [value]    activate Fake Request Mode and send it with supplied TTL value.\n"
+                "                          DANGEROUS! May break websites in unexpected ways. Use with care.\n"
+                "                          Could be combined with --wrong-chksum.\n"
+                " --wrong-chksum           activate Fake Request Mode and send it with incorrect TCP checksum.\n"
+                "                          May not work in a VM or with some routers, but is safer than set-ttl.\n"
+                "                          Could be combined with --set-ttl\n."
                 "\n"
                 " -1          -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode, default)\n"
                 " -2          -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)\n"
@@ -593,17 +625,22 @@ int main(int argc, char *argv[]) {
         }
     }
 
-    printf("Block passive: %d, Fragment HTTP: %d, Fragment persistent HTTP: %d, "
+    if (!http_fragment_size)
-           "Fragment HTTPS: %d, "
+        http_fragment_size = 2;
-           "hoSt: %d, Host no space: %d, Additional space: %d, Mix Host: %d, "
+    if (!https_fragment_size)
-           "HTTP AllPorts: %d, HTTP Persistent Nowait: %d, DNS redirect: %d, "
+        https_fragment_size = 2;
-           "DNSv6 redirect: %d\n",
+
+    printf("Block passive: %d\nFragment HTTP: %d\nFragment persistent HTTP: %d\n"
+           "Fragment HTTPS: %d\nhoSt: %d\nHost no space: %d\nAdditional space: %d\n"
+           "Mix Host: %d\nHTTP AllPorts: %d\nHTTP Persistent Nowait: %d\n"
+           "DNS redirect: %d\nDNSv6 redirect: %d\n"
+           "Fake requests, TTL: %hu\nFake requests, wrong checksum: %d\n",
            do_passivedpi, (do_fragment_http ? http_fragment_size : 0),
            (do_fragment_http_persistent ? http_fragment_size : 0),
            (do_fragment_https ? https_fragment_size : 0),
            do_host, do_host_removespace, do_additional_space, do_host_mixedcase,
            do_http_allports, do_fragment_http_persistent_nowait, do_dnsv4_redirect,
-           do_dnsv6_redirect
+           do_dnsv6_redirect, ttl_of_fake_packet, do_wrong_chksum
           );
 
     if (do_fragment_http && http_fragment_size > 2) {
@@ -701,8 +738,35 @@ int main(int argc, char *argv[]) {
 
                     /* Drop packets from filter with HTTP 30x Redirect */
                     if (do_passivedpi && is_passivedpi_redirect(packet_data, packet_dataLen)) {
-                        //printf("Dropping HTTP Redirect packet!\n");
+                        if (packet_v4) {
-                        should_reinject = 0;
+                            //printf("Dropping HTTP Redirect packet!\n");
+                            should_reinject = 0;
+                        }
+                        else if (packet_v6 && WINDIVERT_IPV6HDR_GET_FLOWLABEL(ppIpV6Hdr) == 0x0) {
+                                /* Contrary to IPv4 where we get only packets with IP ID 0x0-0xF,
+                                 * for IPv6 we got all the incoming data packets since we can't
+                                 * filter them in a driver.
+                                 *
+                                 * Handle only IPv6 Flow Label == 0x0 for now
+                                 */
+                                //printf("Dropping HTTP Redirect packet!\n");
+                                should_reinject = 0;
+                        }
+                    }
+                }
+                /* Handle OUTBOUND packet on port 443, search for something that resembles
+                 * TLS handshake, send fake request.
+                 */
+                else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
+                        ((do_fragment_https ? packet_dataLen == https_fragment_size : 0) ||
+                         packet_dataLen > 16) &&
+                         ppTcpHdr->DstPort != htons(80) &&
+                         (ttl_of_fake_packet || do_wrong_chksum)
+                        )
+                {
+                    if (packet_dataLen >=2 && memcmp(packet_data, "\x16\x03", 2) == 0) {
+                        send_fake_https_request(w_filter, &addr, packet, packetLen, packet_v6,
+                                                ttl_of_fake_packet, do_wrong_chksum);
                     }
                 }
                 /* Handle OUTBOUND packet on port 80, search for Host header */
@@ -710,7 +774,7 @@ int main(int argc, char *argv[]) {
                         packet_dataLen > 16 &&
                         (do_http_allports ? 1 : (ppTcpHdr->DstPort == htons(80))) &&
                         find_http_method_end(packet_data,
-                                             (do_fragment_http ? http_fragment_size : 0),
+                                             (do_fragment_http ? http_fragment_size : 0u),
                                              &http_req_fragmented) &&
                         (do_host || do_host_removespace ||
                         do_host_mixedcase || do_fragment_http_persistent))
@@ -725,6 +789,11 @@ int main(int argc, char *argv[]) {
                         host_addr = hdr_value_addr;
                         host_len = hdr_value_len;
 
+                        if (ttl_of_fake_packet || do_wrong_chksum)
+                            send_fake_http_request(w_filter, &addr, packet, packetLen, packet_v6,
+                                                   ttl_of_fake_packet, do_wrong_chksum);
+
+
                         /*
                          * Handle new HTTP request in new
                          * connection (when Window Size modification disabled)
@@ -752,7 +821,7 @@ int main(int argc, char *argv[]) {
                                 );
 
                             WinDivertHelperCalcChecksums(
-                                packet, packetLen - packet_dataLen + http_fragment_size, 0
+                                packet, packetLen - packet_dataLen + http_fragment_size, &addr, 0
                             );
                             WinDivertSend(
                                 w_filter, packet,
@@ -957,11 +1026,7 @@ int main(int argc, char *argv[]) {
             if (should_reinject) {
                 //printf("Re-injecting!\n");
                 if (should_recalc_checksum) {
-                    WinDivertHelperCalcChecksums(packet, packetLen, 0);
+                    WinDivertHelperCalcChecksums(packet, packetLen, &addr, NULL);
-                }
-                else {
-                    WinDivertHelperCalcChecksums(packet, packetLen,
-                                                 WINDIVERT_HELPER_NO_REPLACE);
                 }
                 WinDivertSend(w_filter, packet, packetLen, &addr, NULL);
             }

src/goodbyedpi.exe.manifest

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
-    <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="GoodbyeDPI" type="win32"/> 
+    <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="GoodbyeDPI" type="win32"/>
-    <description>Divert</description> 
+    <description>GoodbyeDPI</description>
     <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
         <security>
             <requestedPrivileges>
@@ -9,4 +9,4 @@
             </requestedPrivileges>
         </security>
     </trustInfo>
-</assembly> 
+</assembly>

src/goodbyedpi.h

@@ -1,4 +1,5 @@
 #define HOST_MAXLEN 253
+#define MAX_PACKET_SIZE 9016
 
 #ifndef DEBUG
 #define debug(...) do {} while (0)