New option: --ip-id. Handles additional IP ID numbers of passive DPI.

This commit is contained in:
ValdikSS 2018-01-21 14:35:30 +03:00
parent 14ae107b53
commit 2e23d93762
4 changed files with 146 additions and 4 deletions

View File

@ -24,6 +24,8 @@ Usage: goodbyedpi.exe [OPTION...]
-a additional space between Method and Request-URI (enables -s, may break sites) -a additional space between Method and Request-URI (enables -s, may break sites)
-w try to find and parse HTTP traffic on all processed ports (not only on port 80) -w try to find and parse HTTP traffic on all processed ports (not only on port 80)
--port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w) --port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w)
--ip-id [value] handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
This option can be supplied multiple times.
--dns-addr [value] redirect UDP DNS requests to the supplied IP address (experimental) --dns-addr [value] redirect UDP DNS requests to the supplied IP address (experimental)
--dns-port [value] redirect UDP DNS requests to the supplied port (53 by default) --dns-port [value] redirect UDP DNS requests to the supplied port (53 by default)
--dns-verb print verbose DNS redirection messages --dns-verb print verbose DNS redirection messages

View File

@ -11,6 +11,7 @@
#include <getopt.h> #include <getopt.h>
#include "windivert.h" #include "windivert.h"
#include "goodbyedpi.h" #include "goodbyedpi.h"
#include "repl_str.h"
#include "service.h" #include "service.h"
#include "dnsredir.h" #include "dnsredir.h"
#include "blackwhitelist.h" #include "blackwhitelist.h"
@ -35,17 +36,20 @@
"(ip.SrcAddr < 169.254.0.0 or ip.SrcAddr > 169.254.255.255)" \ "(ip.SrcAddr < 169.254.0.0 or ip.SrcAddr > 169.254.255.255)" \
")" ")"
/* #IPID# is a template to find&replace */
#define IPID_TEMPLATE "#IPID#"
#define FILTER_STRING_TEMPLATE "(ip and tcp and " \ #define FILTER_STRING_TEMPLATE "(ip and tcp and " \
"(inbound and ((" \ "(inbound and ((" \
"((ip.Id <= 0xF and ip.Id >= 0x0) and tcp.SrcPort == 80 and tcp.Ack) or " \ "(((ip.Id <= 0xF and ip.Id >= 0x0) " IPID_TEMPLATE \
") and tcp.SrcPort == 80 and tcp.Ack) or " \
"((tcp.SrcPort == 80 or tcp.SrcPort == 443) and tcp.Ack and tcp.Syn)" \ "((tcp.SrcPort == 80 or tcp.SrcPort == 443) and tcp.Ack and tcp.Syn)" \
") and " DIVERT_NO_LOCALNETS_SRC ") or " \ ") and " DIVERT_NO_LOCALNETS_SRC ") or " \
"(outbound and " \ "(outbound and " \
"(tcp.DstPort == 80 or tcp.DstPort == 443) and tcp.Ack and " \ "(tcp.DstPort == 80 or tcp.DstPort == 443) and tcp.Ack and " \
DIVERT_NO_LOCALNETS_DST ")" \ DIVERT_NO_LOCALNETS_DST ")" \
"))" "))"
#define FILTER_STRING_PASSIVE "inbound and ip and tcp and " \ #define FILTER_PASSIVE_STRING_TEMPLATE "inbound and ip and tcp and " \
"(ip.Id <= 0xF and ip.Id >= 0x0) and " \ "((ip.Id <= 0xF and ip.Id >= 0x0) " IPID_TEMPLATE ") and " \
"(tcp.SrcPort == 443 or tcp.SrcPort == 80) and tcp.Rst and " \ "(tcp.SrcPort == 443 or tcp.SrcPort == 80) and tcp.Rst and " \
DIVERT_NO_LOCALNETS_SRC DIVERT_NO_LOCALNETS_SRC
@ -91,10 +95,12 @@ static struct option long_options[] = {
{"dns-port", required_argument, 0, 'g' }, {"dns-port", required_argument, 0, 'g' },
{"dns-verb", no_argument, 0, 'v' }, {"dns-verb", no_argument, 0, 'v' },
{"blacklist", required_argument, 0, 'b' }, {"blacklist", required_argument, 0, 'b' },
{"ip-id", required_argument, 0, 'i' },
{0, 0, 0, 0 } {0, 0, 0, 0 }
}; };
static char *filter_string = NULL; static char *filter_string = NULL;
static char *filter_passive_string = NULL;
static void add_filter_str(int proto, int port) { static void add_filter_str(int proto, int port) {
const char *udp = " or (ip and udp and (udp.SrcPort == %d or udp.DstPort == %d))"; const char *udp = " or (ip and udp and (udp.SrcPort == %d or udp.DstPort == %d))";
@ -115,6 +121,34 @@ static void add_filter_str(int proto, int port) {
free(current_filter); free(current_filter);
} }
static void add_ip_id_str(int id) {
char *newstr;
const char *ipid = " or ip.Id == %d";
char *addfilter = malloc(strlen(ipid) + 16);
sprintf(addfilter, ipid, id);
newstr = repl_str(filter_string, IPID_TEMPLATE, addfilter);
free(filter_string);
filter_string = newstr;
newstr = repl_str(filter_passive_string, IPID_TEMPLATE, addfilter);
free(filter_passive_string);
filter_passive_string = newstr;
}
static void finalize_filter_strings() {
char *newstr;
newstr = repl_str(filter_string, IPID_TEMPLATE, "");
free(filter_string);
filter_string = newstr;
newstr = repl_str(filter_passive_string, IPID_TEMPLATE, "");
free(filter_passive_string);
filter_passive_string = newstr;
}
static char* dumb_memmem(const char* haystack, int hlen, const char* needle, int nlen) { static char* dumb_memmem(const char* haystack, int hlen, const char* needle, int nlen) {
// naive implementation // naive implementation
if (nlen > hlen) return NULL; if (nlen > hlen) return NULL;
@ -312,6 +346,8 @@ int main(int argc, char *argv[]) {
if (filter_string == NULL) if (filter_string == NULL)
filter_string = strdup(FILTER_STRING_TEMPLATE); filter_string = strdup(FILTER_STRING_TEMPLATE);
if (filter_passive_string == NULL)
filter_passive_string = strdup(FILTER_PASSIVE_STRING_TEMPLATE);
printf("GoodbyeDPI: Passive DPI blocker and Active DPI circumvention utility\n"); printf("GoodbyeDPI: Passive DPI blocker and Active DPI circumvention utility\n");
@ -395,6 +431,16 @@ int main(int argc, char *argv[]) {
add_filter_str(IPPROTO_TCP, i); add_filter_str(IPPROTO_TCP, i);
i = 0; i = 0;
break; break;
case 'i':
/* i is used as a temporary variable here */
i = atoi(optarg);
if (i < 0 || i > 65535) {
printf("IP ID parameter error!\n");
exit(EXIT_FAILURE);
}
add_ip_id_str(i);
i = 0;
break;
case 'd': case 'd':
if (!do_dns_redirect) { if (!do_dns_redirect) {
do_dns_redirect = 1; do_dns_redirect = 1;
@ -447,6 +493,8 @@ int main(int argc, char *argv[]) {
" -e [value] set HTTPS fragmentation to value\n" " -e [value] set HTTPS fragmentation to value\n"
" -w try to find and parse HTTP traffic on all processed ports (not only on port 80)\n" " -w try to find and parse HTTP traffic on all processed ports (not only on port 80)\n"
" --port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n" " --port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n"
" --ip-id [value] handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).\n"
" This option can be supplied multiple times.\n"
" --dns-addr [value] redirect UDP DNS requests to the supplied IP address (experimental)\n" " --dns-addr [value] redirect UDP DNS requests to the supplied IP address (experimental)\n"
" --dns-port [value] redirect UDP DNS requests to the supplied port (53 by default)\n" " --dns-port [value] redirect UDP DNS requests to the supplied port (53 by default)\n"
" --dns-verb print verbose DNS redirection messages\n" " --dns-verb print verbose DNS redirection messages\n"
@ -479,12 +527,13 @@ int main(int argc, char *argv[]) {
} }
printf("\nOpening filter\n"); printf("\nOpening filter\n");
finalize_filter_strings();
filter_num = 0; filter_num = 0;
if (do_passivedpi) { if (do_passivedpi) {
/* IPv4 filter for inbound RST packets with ID [0x0; 0xF] */ /* IPv4 filter for inbound RST packets with ID [0x0; 0xF] */
filters[filter_num] = init( filters[filter_num] = init(
FILTER_STRING_PASSIVE, filter_passive_string,
WINDIVERT_FLAG_DROP); WINDIVERT_FLAG_DROP);
if (filters[filter_num] == NULL) if (filters[filter_num] == NULL)
die(); die();

90
repl_str.c Normal file
View File

@ -0,0 +1,90 @@
#include <string.h>
#include <stdlib.h>
#include <stddef.h>
#if (__STDC_VERSION__ >= 199901L)
#include <stdint.h>
#endif
char *repl_str(const char *str, const char *from, const char *to) {
/* Adjust each of the below values to suit your needs. */
/* Increment positions cache size initially by this number. */
size_t cache_sz_inc = 16;
/* Thereafter, each time capacity needs to be increased,
* multiply the increment by this factor. */
const size_t cache_sz_inc_factor = 3;
/* But never increment capacity by more than this number. */
const size_t cache_sz_inc_max = 1048576;
char *pret, *ret = NULL;
const char *pstr2, *pstr = str;
size_t i, count = 0;
#if (__STDC_VERSION__ >= 199901L)
uintptr_t *pos_cache_tmp, *pos_cache = NULL;
#else
ptrdiff_t *pos_cache_tmp, *pos_cache = NULL;
#endif
size_t cache_sz = 0;
size_t cpylen, orglen, retlen, tolen, fromlen = strlen(from);
/* Find all matches and cache their positions. */
while ((pstr2 = strstr(pstr, from)) != NULL) {
count++;
/* Increase the cache size when necessary. */
if (cache_sz < count) {
cache_sz += cache_sz_inc;
pos_cache_tmp = realloc(pos_cache, sizeof(*pos_cache) * cache_sz);
if (pos_cache_tmp == NULL) {
goto end_repl_str;
} else pos_cache = pos_cache_tmp;
cache_sz_inc *= cache_sz_inc_factor;
if (cache_sz_inc > cache_sz_inc_max) {
cache_sz_inc = cache_sz_inc_max;
}
}
pos_cache[count-1] = pstr2 - str;
pstr = pstr2 + fromlen;
}
orglen = pstr - str + strlen(pstr);
/* Allocate memory for the post-replacement string. */
if (count > 0) {
tolen = strlen(to);
retlen = orglen + (tolen - fromlen) * count;
} else retlen = orglen;
ret = malloc(retlen + 1);
if (ret == NULL) {
goto end_repl_str;
}
if (count == 0) {
/* If no matches, then just duplicate the string. */
strcpy(ret, str);
} else {
/* Otherwise, duplicate the string whilst performing
* the replacements using the position cache. */
pret = ret;
memcpy(pret, str, pos_cache[0]);
pret += pos_cache[0];
for (i = 0; i < count; i++) {
memcpy(pret, to, tolen);
pret += tolen;
pstr = str + pos_cache[i] + fromlen;
cpylen = (i == count-1 ? orglen : pos_cache[i+1]) - pos_cache[i] - fromlen;
memcpy(pret, pstr, cpylen);
pret += cpylen;
}
ret[retlen] = '\0';
}
end_repl_str:
/* Free the cache and return the post-replacement string,
* which will be NULL in the event of an error. */
free(pos_cache);
return ret;
}

1
repl_str.h Normal file
View File

@ -0,0 +1 @@
char *repl_str(const char *str, const char *from, const char *to);