pie experiment

.github/workflows/build.yml

@@ -104,6 +104,12 @@ jobs:
           fi
           MINSIZE="$OPTIMIZE $MINSIZE"
 
+          if [ "$ARCH" = lexra ] ; then
+            STATIC="-static-pie"
+            LEXRA=1
+          else
+            STATIC="-static"
+          fi
           if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == riscv64 ]] || [[ "$ARCH" == x86 ]] ; then
             # use classic lua
             wget -qO- https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz
@@ -168,9 +174,9 @@ jobs:
 
           # zapret2
           OPTIMIZE=$OPTIMIZE \
-          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include $CFLAGS" \
+          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc $STATIC -I$DEPS_DIR/include $CFLAGS" \
           LDFLAGS="-L$DEPS_DIR/lib $LDFLAGS" \
-          make -C zapret2 LUA_JIT=$LJIT LUA_CFLAGS="$LCFLAGS" LUA_LIB="$LLIB" -j$(nproc)
+          make -C zapret2 ${LEXRA:+CFLAGS_PIC= LDFLAGS_PIE=} LUA_JIT=$LJIT LUA_CFLAGS="$LCFLAGS" LUA_LIB="$LLIB" -j$(nproc)
 
           tar -C zapret2/binaries/my -cJf zapret2-linux-$ARCH.tar.xz .
 
@@ -315,14 +321,14 @@ jobs:
           TARGET: ${{ matrix.target }}
           ARCH: ${{ matrix.arch }}
           CC: ${{ matrix.target }}-freebsd11-clang
-          MINSIZE: -Oz -flto=auto -ffunction-sections -fdata-sections
+          MINSIZE: -Os -flto=auto -ffunction-sections -fdata-sections
           LDMINSIZE: -Wl,--gc-sections -flto=auto
         run: |
 
           wget -qO- https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz | tar -xz
           (
             cd luajit2-*
-            make BUILDMODE=static XCFLAGS=-DLUAJIT_DISABLE_FFI HOST_CC=gcc CC=$CC TARGET_CFLAGS="$MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS"
+            make BUILDMODE=static XCFLAGS="-fPIC -DLUAJIT_DISABLE_FFI" HOST_CC=gcc CC=$CC TARGET_CFLAGS="$MINSIZE $CFLAGS -fPIC" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS"
             make install PREFIX= DESTDIR=$DEPS_DIR
           )
 
@@ -458,6 +464,8 @@ jobs:
           cp -a -t output psmisc/psmisc-*.src/psmisc-*/inst/usr/bin/killall.exe /usr/bin/cygwin1.dll &&
           wget -O WinDivert.zip https://github.com/basil00/WinDivert/releases/download/v2.2.2/WinDivert-2.2.2-A.zip &&
           unzip -j WinDivert.zip "*/${DIR}/WinDivert.dll" "*/${DIR}/WinDivert${BITS}.sys" -d output &&
+          ( [ "$BITS" = 64 ] && rebase -b 0x205c00000 output/WinDivert.dll || true ) &&
+          peflags --dynamicbase=true --high-entropy-va=true output/WinDivert.dll &&
           zip zapret2-win-${{ matrix.arch }}.zip -j output/*
 
       - name: Upload artifacts

docs/changes.txt

@@ -259,3 +259,7 @@ v0.9.4.3
 * nfqws2: fix broken wifi ssid update
 * github: revert to upx 4.2.4 for all archs except riscv64
 * zapret-lib: apply_fooling throws error if tcp_ts,tcp_seq,tcp_ack,ip_ttl,ip6_ttl,ip_autottl,ip6_autottl are empty or invalid
+
+0.9.4.4
+
+* winws2, dvtws2: ASLR

docs/readme.md

@@ -414,8 +414,8 @@ nfqws2 \
 ### Какие есть еще параметры
 
 Как узнать какие есть еще функции и какие у них бывают параметры ? Смотрите `zapret-antidpi.lua`. Перед каждой функцией подробно описано какие параметры она берет.
-Описание стандартных блоков параметров есть в начале. Позже - по мере сил и возможностей - будет писаться талмуд - справочник с руководством по программированию
-*nfqws2* и описание стандартных библиотек.
+Описание стандартных блоков параметров есть в начале. 
+Или сразу читайте [талмуд](manual.md) . Там все документировано.
 
 ### Очень важный совет
 

lua/zapret-antidpi.lua

@@ -125,7 +125,7 @@ function http_domcase(ctx, desync)
 		local host_range = resolve_multi_pos(desync.dis.payload,desync.l7payload,"host,endhost")
 		if #host_range == 2 then
 			local host = string.sub(desync.dis.payload,host_range[1],host_range[2]-1)
-			local newhost="", i
+			local newhost=""
 			for i = 1, #host do
 				newhost=newhost..((i%2)==0 and string.lower(string.sub(host,i,i)) or string.upper(string.sub(host,i,i)))
 			end
@@ -221,7 +221,7 @@ function http_unixeol(ctx, desync)
 				if #http < #desync.dis.payload then
 					hdis.headers[idx_ua].value = hdis.headers[idx_ua].value .. string.rep(" ", #desync.dis.payload - #http)
 				end
-				local http = http_reconstruct_req(hdis, true)
+				http = http_reconstruct_req(hdis, true)
 				if #http==#desync.dis.payload then
 					desync.dis.payload = http
 					DLOG("http_unixeol: applied")
@@ -939,7 +939,7 @@ function fakeddisorder(ctx, desync)
 					if b_debug then DLOG("fakeddisorder: resolved split pos: "..tostring(pos-1)) end
 
 					-- do not apply fooling to original parts except tcp_ts_up but apply ip_id
-					local fake, part, pat
+					local fake, part
 					local opts_orig = {rawsend = rawsend_opts_base(desync), reconstruct = {}, ipfrag = {}, ipid = desync.arg, fooling = {tcp_ts_up = desync.arg.tcp_ts_up}}
 					local opts_fake = {rawsend = rawsend_opts(desync), reconstruct = reconstruct_opts(desync), ipfrag = {}, ipid = desync.arg, fooling = desync.arg}
 

lua/zapret-auto.lua

@@ -313,7 +313,7 @@ function circular(ctx, desync)
 	local function count_strategies(hrec)
 		if not hrec.ctstrategy then
 			local uniq={}
-			local n=0
+			local n
 			for i,instance in pairs(desync.plan) do
 				if instance.arg.strategy then
 					n = tonumber(instance.arg.strategy)

lua/zapret-lib.lua

@@ -98,10 +98,10 @@ function detect_payload_str(ctx, desync)
 	local data = desync.reasm_data or desync.dis.payload
 	local b = data and string.find(data,desync.arg.pattern,1,true)
 	if b then
-		DLOG("detect_payload_str: detected '"..desync.arg.payload.."'")
+		DLOG("detect_payload_str: detected '"..(desync.arg.payload or '?').."'")
 		if desync.arg.payload then desync.l7payload = desync.arg.payload end
 	else
-		DLOG("detect_payload_str: not detected '"..desync.arg.payload.."'")
+		DLOG("detect_payload_str: not detected '"..(desync.arg.payload or '?').."'")
 		if desync.arg.undetected then desync.l7payload = desync.arg.undetected end
 	end
 end
@@ -644,7 +644,7 @@ function parse_tcp_flags(s)
 	local s_upper = string.upper(s)
 	for flag in string.gmatch(s_upper, "[^,]+") do
 		if flags[flag] then
- 			f = bitor(f,flags[flag])
+			f = bitor(f,flags[flag])
 		else
 			error("tcp flag '"..flag.."' is invalid")
 		end
@@ -875,7 +875,7 @@ function apply_fooling(desync, dis, fooling_options)
 				if type(desync.track.lua_state.autottl_cache)~="table" then desync.track.lua_state.autottl_cache={} end
 				if type(desync.track.lua_state.autottl_cache[desync.func_instance])~="table" then desync.track.lua_state.autottl_cache[desync.func_instance]={} end
 				if not desync.track.lua_state.autottl_cache[desync.func_instance].autottl_found then
-					attl = parse_autottl(arg_autottl)
+					local attl = parse_autottl(arg_autottl)
 					if not attl then
 						error("apply_fooling: invalid autottl value '"..arg_autottl.."'")
 					end
@@ -1201,7 +1201,7 @@ function rawsend_dissect_segmented(desync, dis, mss, options)
 					-- stop if failed
 					return false
 				end
-				discopy.tcp.th_seq = discopy.tcp.th_seq + len
+				discopy.tcp.th_seq = u32add(discopy.tcp.th_seq, len)
 				pos = pos + len
 			end
 			return true
@@ -1566,11 +1566,11 @@ function tls_client_hello_mod(tls, options)
 			table.insert(tdis.handshake[TLS_HANDSHAKE_TYPE_CLIENT].dis.ext[idx_sni].dis.list, { name = options.sni_last, type = options.sni_snt_new } )
 		end
 	end
-	local tls = tls_reconstruct(tdis)
-	if not tls then
+	local rtls = tls_reconstruct(tdis)
+	if not rtls then
 		DLOG_ERR("tls_client_hello_mod: reconstruct error")
 	end
-	return tls
+	return rtls
 end
 
 -- checks if filename is gzip compressed
@@ -1659,7 +1659,7 @@ function readfile(filename)
 	if not f then
 		error("readfile: "..err)
 	end
-	local s,err = f:read("*a")
+	local s, err = f:read("*a")
 	f:close()
 	if err then
 		error("readfile: "..err)
@@ -1677,7 +1677,7 @@ function writefile(filename, data)
 	if not f then
 		error("writefile: "..err)
 	end
-	local s,err = f:write(data)
+	local s, err = f:write(data)
 	f:close()
 	if not s then
 		error("writefile: "..err)
@@ -1697,7 +1697,7 @@ function http_dissect_header(header)
 end
 -- make table with structured http header representation
 function http_dissect_headers(http, pos)
-	local eol,pnext,header,value,idx,headers,pos_endheader,pos_startvalue,pos_headers_end
+	local eol,pnext,header,value,headers,pos_endheader,pos_startvalue,pos_headers_end
 	headers={}
 	while pos do
 		eol,pnext = find_next_line(http,pos)
@@ -2261,7 +2261,8 @@ function tls_dissect_ext(ext)
 		return left, off
 	end
 
-	local dis={}, off, len, left
+	local dis={}
+	local off, len, left
 
 	ext.dis = nil
 

lua/zapret-tests.lua

@@ -119,7 +119,7 @@ function test_aes()
 	print("* aes")
 
 	local clear_text="test "..brandom_az09(11)
-	local iv, key, encrypted, decrypted
+	local encrypted, decrypted
 
 	for key_size=16,32,8 do
 		local key = brandom(key_size)
@@ -507,7 +507,7 @@ end
 function test_dissect()
 	print("* dissect")
 
-	local dis, raw1, raw2
+	local raw1, raw2
 
 	for i=1,20 do
 		print("* dissect test "..tostring(i))
@@ -611,7 +611,7 @@ function test_dissect()
 			},
 			payload = brandom(math.random(0, 20))
 		}
-	
+
 		raw1 = reconstruct_dissect(ip6_udp)
 		print("IP6+UDP : "..string2hex(raw1))
 		dis1 = dissect(raw1)
@@ -772,11 +772,6 @@ function test_csum()
 		uh_ulen = UDP_BASE_LEN + #payload
 	}
 
-	ip.ip_p = IPPROTO_UDP
-	ip4b = reconstruct_iphdr(ip)
-	ip6.ip6_plen = packet_len({ip6=ip6,udp=udp,payload=payload}) - IP6_BASE_LEN
-	ip6b = reconstruct_ip6hdr(ip6, {ip6_last_proto=IPPROTO_UDP})
-
 	udpb = reconstruct_udphdr(udp)
 	raw =	bu16(udp.uh_sport) ..
 		bu16(udp.uh_dport) ..
@@ -787,6 +782,7 @@ function test_csum()
 
 	raw = reconstruct_dissect({ip=ip, udp=udp, payload=payload})
 	dis1 = dissect(raw)
+	ip.ip_p = IPPROTO_UDP
 	ip.ip_len = IP_BASE_LEN + #ip.options + #udpb + #payload
 	ip4b = reconstruct_iphdr(ip)
 	udpb = csum_udp_fix(ip4b,udpb,payload)
@@ -794,6 +790,8 @@ function test_csum()
 	print( dis1.udp.uh_sum==dis2.udp.uh_sum and "UDP+IP4 CSUM OK" or "UDP+IP4 CSUM FAILED" )
 	test_assert(dis1.udp.uh_sum==dis2.udp.uh_sum)
 
+	ip6.ip6_plen = packet_len({ip6=ip6,udp=udp,payload=payload}) - IP6_BASE_LEN
+	ip6b = reconstruct_ip6hdr(ip6, {ip6_last_proto=IPPROTO_UDP})
 	raw = reconstruct_dissect({ip6=ip6, udp=udp, payload=payload})
 	dis1 = dissect(raw)
 	udpb = csum_udp_fix(ip6b,udpb,payload)
@@ -949,7 +947,6 @@ function test_rawsend(opts)
 	end
 	local ip, ip6, udp, dis, ddis, raw_ip, raw_udp, raw
 	local payload = brandom(math.random(100,1200))
-	local b
 
 	local target
 	for ifname,ifinfo in pairs(get_ifaddrs()) do
@@ -997,7 +994,6 @@ function test_rawsend(opts)
 	print("send ipv4 udp using pure rawsend without dissect")
 	test_assert(rawsend_print(raw, {repeats=5}))
 
-	local target
 	for ifname,ifinfo in pairs(get_ifaddrs()) do
 		for k,v in pairs(ifinfo.addr) do
 			if #v.addr==16 and (string.sub(v.addr,1,1)=="\xFC" or string.sub(v.addr,1,1)=="\xFD") then
@@ -1083,7 +1079,7 @@ function test_rawsend(opts)
 	print("send ipv6 icmp")
 	test_assert(rawsend_dissect_print(dis, {fwmark = 0x8E10, repeats=3}))
 
-	local ip2 = {
+	ip2 = {
 		ip_tos = 0,
 		ip_id = math.random(0,0xFFFF),
 		ip_off = 0,

nfq2/BSDmakefile

@@ -2,8 +2,8 @@ CC ?= cc
 PKG_CONFIG ?= pkg-config
 OPTIMIZE ?= -Oz
 MINSIZE ?= -flto=auto -ffunction-sections -fdata-sections
-CFLAGS += -std=gnu99 -s $(OPTIMIZE) $(MINSIZE) -Wno-address-of-packed-member
-LDFLAGS += -flto=auto -Wl,--gc-sections
+CFLAGS += -std=gnu99 -s $(OPTIMIZE) $(MINSIZE) -Wno-address-of-packed-member -fPIC
+LDFLAGS += -flto=auto -Wl,--gc-sections -pie
 LIBS = -lz -lm
 SRC_FILES = *.c crypto/*.c
 

nfq2/Makefile

@@ -3,13 +3,16 @@ PKG_CONFIG ?= pkg-config
 OPTIMIZE ?= -Os
 MINSIZE ?= -flto=auto -ffunction-sections -fdata-sections
 CFLAGS += -std=gnu99 $(OPTIMIZE) $(MINSIZE)
-CFLAGS_LINUX = -Wno-alloc-size-larger-than
+CFLAGS_PIC = -fPIC
+CFLAGS_LINUX = -Wno-alloc-size-larger-than $(CFLAGS_PIC)
 CFLAGS_SYSTEMD = -DUSE_SYSTEMD
-CFLAGS_BSD = -Wno-address-of-packed-member
-CFLAGS_CYGWIN = -Wno-address-of-packed-member -static
+CFLAGS_BSD = -Wno-address-of-packed-member $(CFLAGS_PIC)
+CFLAGS_CYGWIN = -Wno-address-of-packed-member -static -Wl,--nxcompat
 CFLAGS_CYGWIN32 =
+CFLAGS_CYGWIN64 = -Wl,--dynamicbase -Wl,--high-entropy-va
 CFLAGS_UBSAN = -fsanitize=undefined,alignment -fno-sanitize-recover=undefined,alignment
-LDFLAGS += -flto=auto -Wl,--gc-sections
+LDFLAGS_PIE = -pie
+LDFLAGS += -flto=auto -Wl,--gc-sections $(LDFLAGS_PIE)
 LDFLAGS_ANDROID = -llog
 LIBS =
 LIBS_LINUX = -lz -lnetfilter_queue -lnfnetlink -lmnl -lm
@@ -153,7 +156,7 @@ bsd: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_BSD) -o dvtws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_BSD) $(LDFLAGS)
 
 cygwin64:
-	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) -o winws2 $(SRC_FILES) $(RES_CYGWIN64) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(LDFLAGS)
+	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) $(CFLAGS_CYGWIN64) -o winws2 $(SRC_FILES) $(RES_CYGWIN64) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(LDFLAGS)
 cygwin32:
 	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) $(CFLAGS_CYGWIN32) -o winws2 $(SRC_FILES) $(RES_CYGWIN32) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(LDFLAGS)
 cygwin: cygwin64

nfq2/darkmagic.c

@@ -803,8 +803,8 @@ static BOOL RemoveTokenPrivs(void)
 							if (memcmp(&privs->Privileges[k].Luid, &luid_SeChangeNotifyPrivilege, sizeof(LUID)))
 								privs->Privileges[k].Attributes = SE_PRIVILEGE_REMOVED;
 						}
+						bRes = AdjustTokenPrivileges(hToken, FALSE, privs, dwSize, NULL, NULL);
 					}
-					bRes = AdjustTokenPrivileges(hToken, FALSE, privs, dwSize, NULL, NULL);
 					free(privs);
 				}
 			}

nfq2/desync.c

@@ -2003,7 +2003,7 @@ static uint8_t dpi_desync_icmp_packet(
 				// invert direction. they are answering to this packet
 				bReverse = !bReverse;
 				DLOG("found conntrack entry. inverted reverse=%u\n",bReverse);
-				if (ctrack->dp_search_complete)
+				if (ctrack->dp_search_complete && ctrack->dp)
 				{
 					// RELATED icmp processed within base connection profile
 					dp = ctrack->dp;

nfq2/lua.c

@@ -1905,11 +1905,24 @@ static bool lua_reconstruct_ip6exthdr(lua_State *L, int idx, struct ip6_hdr *ip6
 				lua_getfield(L,-1, "data");
 				if (lua_type(L,-1)!=LUA_TSTRING) goto err;
 				if (!(p=(uint8_t*)lua_tolstring(L,-1,&l))) l=0;
-				if (l<6 || (l+2)>left || (type==IPPROTO_AH ? (l>=1024 || ((l+2) & 3)) : (l>=2048 || ((l+2) & 7)))) goto err;
-				memcpy(data+2,p,l);
-				l+=2;
+
+				if (l<6 || (l+2)>left) goto err;
+				if (type==IPPROTO_AH)
+				{
+					if (l>=1024 || ((l+2) & 3)) goto err;
+					memcpy(data+2,p,l);
+					l+=2;
+					data[1] = (l>>2)-2;
+				}
+				else
+				{
+					if (l>=2048 || ((l+2) & 7)) goto err;
+					memcpy(data+2,p,l);
+					l+=2;
+					data[1] = (l>>3)-1;
+				}
+
 				data[0] = next; // may be overwritten later
-				data[1] = (type==IPPROTO_AH) ? (l>>2)-2 : (l>>3)-1;
 				if (!preserve_next) *last_proto = type;
 				last_proto = data; // first byte of header holds type
 				left -= l; data += l; filled += l;

nfq2/nfqws.c

@@ -260,8 +260,8 @@ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_da
 	uint32_t mark;
 	struct ifreq ifr_in, ifr_out;
 
-	ph = nfq_get_msg_packet_hdr(nfa);
-	id = ph ? ntohl(ph->packet_id) : 0;
+	if (!(ph = nfq_get_msg_packet_hdr(nfa))) return 0; // should not happen
+	id = ntohl(ph->packet_id);
 
 	mark = nfq_get_nfmark(nfa);
 	ilen = nfq_get_payload(nfa, &data);
@@ -666,6 +666,7 @@ static int dvt_main(void)
 				if (rd < 0)
 				{
 					DLOG_PERROR("recvfrom");
+					if (errno==ENOBUFS) continue;
 					goto exiterr;
 				}
 				else if (rd > 0)

nfq2/protocol.c

@@ -565,7 +565,7 @@ bool TLSFindExtLenOffsetInHandshake(const uint8_t *data, size_t len, size_t *off
 }
 bool TLSFindExtLen(const uint8_t *data, size_t len, size_t *off)
 {
-	if (!TLSFindExtLenOffsetInHandshake(data+5,len-5,off))
+	if (len<5 || !TLSFindExtLenOffsetInHandshake(data+5,len-5,off))
 		return false;
 	*off+=5;
 	return true;