From 9d49f353243d93f7136e9caec3981f901433e8d7 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 23 Nov 2025 20:52:33 +0300 Subject: [PATCH] winws2: set low mandatory if possible --- docs/changes.txt | 5 ++++ nfq2/crypto/aes-gcm.c | 2 ++ nfq2/darkmagic.c | 56 ++++++++++++++++++++++++++++++++++++++++--- nfq2/darkmagic.h | 3 +++ nfq2/lua.c | 3 +++ nfq2/nfqws.c | 2 +- nfq2/params.c | 2 -- 7 files changed, 67 insertions(+), 6 deletions(-) diff --git a/docs/changes.txt b/docs/changes.txt index 57b578a..b31a83d 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -12,3 +12,8 @@ v0.1.2 * nfqws2: 'known' protocol and payload filter * nfqws2: 'aes_ctr' luacall * zapret-antidpi: rst +* github actions: remove FFI from luajit + +v0.1.3 + +* winws2: set low mandatory level in process token if possible : no --wlan-filter or --nlm-filter (no windivert reinit required) diff --git a/nfq2/crypto/aes-gcm.c b/nfq2/crypto/aes-gcm.c index 130cd60..7dffa42 100644 --- a/nfq2/crypto/aes-gcm.c +++ b/nfq2/crypto/aes-gcm.c @@ -5,6 +5,8 @@ int aes_gcm_crypt(int mode, uint8_t *output, const uint8_t *input, size_t input_ int ret = 0; gcm_context ctx; + gcm_initialize(); + if (!(ret = gcm_setkey(&ctx, key, (const uint)key_len))) { ret = gcm_crypt_and_tag(&ctx, mode, iv, iv_len, adata, adata_len, input, output, input_length, atag, atag_len); diff --git a/nfq2/darkmagic.c b/nfq2/darkmagic.c index 1672700..36aa88b 100644 --- a/nfq2/darkmagic.c +++ b/nfq2/darkmagic.c @@ -609,7 +609,7 @@ uint8_t ttl46(const struct ip *ip, const struct ip6_hdr *ip6) uint32_t w_win32_error=0; -static BOOL RemoveTokenPrivs() +static BOOL RemoveTokenPrivs(void) { BOOL bRes = FALSE; HANDLE hToken; 
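Review bot: `gcm_initialize()` is now called unconditionally at the top of `aes_gcm_crypt()` and its return value is discarded, so whatever one-time setup it performs (presumably the AES/GCM table build, not visible here) is repeated on every encrypt/decrypt call. A one-time guard keeps the cost to the first call, e.g. `static bool gcm_ready = false;` / `if (!gcm_ready) { gcm_initialize(); gcm_ready = true; }`, or better, run it once at startup alongside the other crypto setup. Separately, `ctx` carries the expanded key schedule on the stack; the tail of the function lies outside this hunk, but if it is not wiped before return, a zeroization (memset through a volatile pointer or the platform's secure memset) is worth adding. aes_gcm_crypt's body continues past the hunk.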
@@ -643,7 +643,32 @@ static BOOL RemoveTokenPrivs() if (!bRes) w_win32_error = GetLastError(); return bRes; } -static BOOL WinSandbox() + +static SID_IDENTIFIER_AUTHORITY label_authority = SECURITY_MANDATORY_LABEL_AUTHORITY; +BOOL LowMandatoryLevel(void) +{ + BOOL bRes = FALSE; + HANDLE hToken; + char buf1[32]; + TOKEN_MANDATORY_LABEL label_low; + + label_low.Label.Sid = (PSID)buf1; + InitializeSid(label_low.Label.Sid, &label_authority, 1); + label_low.Label.Attributes = 0; + *GetSidSubAuthority(label_low.Label.Sid, 0) = SECURITY_MANDATORY_LOW_RID; + + // S-1-16-12288 : Mandatory Label\High Mandatory Level + // S-1-16-8192 : Mandatory Label\Medium Mandatory Level + if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT, &hToken)) + { + bRes = SetTokenInformation(hToken, TokenIntegrityLevel, &label_low, sizeof(label_low)); + CloseHandle(hToken); + } + if (!bRes) w_win32_error = GetLastError(); + return bRes; +} + +static BOOL WinSandbox(void) { // unfortunately there's no way to remove or disable Administrators group in the current process's token // only possible run child process with restricted token @@ -651,7 +676,22 @@ static BOOL WinSandbox() // this is not much but better than nothing return RemoveTokenPrivs(); } - +bool win_irreversible_sandbox(void) +{ + // there's no way to return privs + return LowMandatoryLevel(); +} +static bool b_isandbox_set = false; +bool win_irreversible_sandbox_if_possible(void) +{ + if (!b_isandbox_set) + { + if (!logical_net_filter_present() && !win_irreversible_sandbox()) + return false; + b_isandbox_set = true; + } + return true; +} static HANDLE w_filter = NULL; static OVERLAPPED ovl = { .hEvent = NULL }; 
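Review bot: In `LowMandatoryLevel()` the `InitializeSid()` result is never checked before the SID is written to and handed to SetTokenInformation, and `label_low.Label.Attributes` is left at 0 whereas Microsoft's low-integrity sample sets `SE_GROUP_INTEGRITY` on the TOKEN_MANDATORY_LABEL (0 is commonly reported to work, but matching the documented shape costs nothing). Suggest `if (!InitializeSid(label_low.Label.Sid, &label_authority, 1)) { w_win32_error = GetLastError(); return FALSE; }` and `label_low.Label.Attributes = SE_GROUP_INTEGRITY;`. The comment listing High and Medium SIDs omits the one actually being set; add `// S-1-16-4096 : Mandatory Label\Low Mandatory Level`. A one-line header noting that a token's integrity level can only be lowered, never raised, would document the "irreversible" contract the callers rely on.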
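Review bot: When a wlan/nlm filter is configured, `win_irreversible_sandbox_if_possible()` returns true without touching the token and without any log output, so an operator cannot tell from the output whether the process ended up at Low integrity or is still running with the full admin token. Suggest logging the decision on both branches with whatever logging macro darkmagic.c uses, e.g. `DLOG_CONDUP("integrity level not lowered: --wlan-filter/--nlm-filter needs windivert reinit\n");` in the skip case and a matching line after `b_isandbox_set = true;`. It is also worth a comment on `win_irreversible_sandbox()` that after the drop the process can no longer write to medium-integrity objects, so any file it needs to write later must already be open or live in a Low-IL-writable location; callers cannot infer that from the name.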
@@ -1004,6 +1044,13 @@ bool logical_net_filter_match(void) return wlan_filter_match(wlan_filter_ssid) && nlm_filter_match(nlm_filter_net); } +bool logical_net_filter_present(void) +{ + return (wlan_filter_ssid && !LIST_EMPTY(wlan_filter_ssid)) || (nlm_filter_net && !LIST_EMPTY(nlm_filter_net)); +} + + + static bool logical_net_filter_match_rate_limited(void) { DWORD dwTick = GetTickCount() / 1000; @@ -1093,14 +1140,17 @@ static bool windivert_recv_filter(HANDLE hFilter, uint8_t *packet, size_t *len, return false; } usleep(0); + if (WinDivertRecvEx(hFilter, packet, *len, &recv_len, 0, wa, NULL, &ovl)) { *len = recv_len; return true; } + for(;;) { w_win32_error = GetLastError(); + switch(w_win32_error) { case ERROR_IO_PENDING: diff --git a/nfq2/darkmagic.h b/nfq2/darkmagic.h index 7010a99..569c8cb 100644 --- a/nfq2/darkmagic.h +++ b/nfq2/darkmagic.h @@ -92,8 +92,11 @@ bool ip_has_df(const struct ip *ip); #ifdef __CYGWIN__ extern uint32_t w_win32_error; +bool win_irreversible_sandbox(void); +bool win_irreversible_sandbox_if_possible(void); bool win_dark_init(const struct str_list_head *ssid_filter, const struct str_list_head *nlm_filter); bool win_dark_deinit(void); +bool logical_net_filter_present(void); bool logical_net_filter_match(void); bool nlm_list(bool bAll); bool windivert_init(const char *filter); diff --git a/nfq2/lua.c b/nfq2/lua.c index e9f5325..2a46a2d 100644 --- a/nfq2/lua.c +++ b/nfq2/lua.c @@ -3,6 +3,7 @@ #include "lua.h" #include "params.h" #include "helpers.h" +#include "conntrack.h" #include "crypto/sha.h" #include "crypto/aes-gcm.h" #include "crypto/aes-ctr.h" @@ -2244,6 +2245,8 @@ void lua_shutdown() if (params.L) { DLOG("LUA SHUTDOWN\n"); + // conntrack holds lua state. must clear it before lua shoudown + ConntrackPoolDestroy(¶ms.conntrack); lua_close(params.L); params.L=NULL; } diff --git a/nfq2/nfqws.c b/nfq2/nfqws.c index cd2a126..d122dfc 100644 --- a/nfq2/nfqws.c +++ b/nfq2/nfqws.c 
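Review bot: `logical_net_filter_present()` has no comment saying why the mere presence of a filter matters, although it is the single condition that decides whether the irreversible integrity drop is applied, and three blank lines are added after it where the file otherwise separates functions with one. Suggest a header comment along the lines of `// true when --wlan-filter or --nlm-filter is configured; per the changelog these filters re-open the windivert handle on network change, which a Low-IL token cannot do, so callers skip the irreversible sandbox`, and trimming the trailing blank lines to one.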
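Review bot: `lua_shutdown()` now calls `ConntrackPoolDestroy(&params.conntrack)` before `lua_close()`, but `cleanup_params()` in params.c still calls it on the same pool (visible as context later in this patch), so on a normal exit the pool is destroyed twice; unless ConntrackPoolDestroy leaves the pool in a state where a second call is a no-op (not visible here), one of the two calls should be removed or the second guarded. The added comment also misspells "shoudown"; `// conntrack entries hold references into the lua state, so destroy the pool before lua_close()` reads better. lua_shutdown begins before this hunk.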
@@ -631,7 +631,7 @@ static int win_main() DLOG_CONDUP("logical network now present\n"); } - if (!windivert_init(params.windivert_filter)) + if (!windivert_init(params.windivert_filter) || !win_irreversible_sandbox_if_possible()) { res=w_win32_error; goto ex; } diff --git a/nfq2/params.c b/nfq2/params.c index 055a37b..6bf4c8a 100644 --- a/nfq2/params.c +++ b/nfq2/params.c @@ -381,9 +381,7 @@ void cleanup_params(struct params_s *params) #endif ConntrackPoolDestroy(¶ms->conntrack); - dp_list_destroy(¶ms->desync_profiles); - hostlist_files_destroy(¶ms->hostlists); ipset_files_destroy(¶ms->ipsets); ipcacheDestroy(¶ms->ipcache);
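Review bot: The merged condition `!windivert_init(params.windivert_filter) || !win_irreversible_sandbox_if_possible()` routes both failures through the same silent `res=w_win32_error; goto ex;`, so a failed integrity-level drop is indistinguishable in the output from a WinDivert open failure. Splitting it into a second check with its own message, e.g. `if (!win_irreversible_sandbox_if_possible()) { DLOG_CONDUP("failed to lower integrity level: win32 error %u\n", w_win32_error); res=w_win32_error; goto ex; }`, makes the security-relevant failure visible and keeps the fail-closed behavior. Dropping privileges only after the WinDivert handle is open is the right ordering, since opening the handle presumably needs the elevated token; win_main's body extends beyond this hunk.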