windivert filter examples

1 day ago · fc837e14fa
6 changed files with 82 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1,3 +1,4 @@
 * text=auto eol=lf
 *.cmd eol=crlf
 *.bat eol=crlf
 init.d/windivert.filter.examples/** eol=crlf
--- a/init.d/windivert.filter.examples/README.txt
+++ b/init.d/windivert.filter.examples/README.txt
@ -0,0 +1,12 @@
 Цель этих фильтров - отсекать полезную нагрузку в режиме ядра, не насилуя процессор перенаправлением целого потока на winws.
 Задействуются через `winws --wf-raw=@filename`.
 Однако, язык фильтров windivert не содержит операций с битовыми полями, сдвигов и побитовой логики.
 Поэтому фильтры получились более слабыми, способными передавать неправильную нагрузку.
 Дофильтрация производится силами winws.
 Пример инстанса для пробития медиапотоков в discord : `winws --wf-raw=@windivert.discord_media+stun.txt --dpi-desync=fake`
 These filters are invoked using `winws --wf-raw=@filename`.
 Filters are kernel mode and save great amount of CPU.
 However windivert cannot filter by bit fields, lacks shift and bitwise logic operations.
 Filters are relaxed and can pass wrong payloads. Finer filtering is done by winws.
--- a/init.d/windivert.filter.examples/windivert.discord_media+stun.txt
+++ b/init.d/windivert.filter.examples/windivert.discord_media+stun.txt
@ -0,0 +1,28 @@
 !impostor and !loopback and
 (outbound and
  ((udp.DstPort>=50000 and udp.DstPort<=50099 and
    udp.PayloadLength=74 and
    udp.Payload32[0]=0x00010046 and
    udp.Payload32[2]=0 and
    udp.Payload32[3]=0 and
    udp.Payload32[4]=0 and
    udp.Payload32[5]=0 and
    udp.Payload32[6]=0 and
    udp.Payload32[7]=0 and
    udp.Payload32[8]=0 and
    udp.Payload32[9]=0 and
    udp.Payload32[10]=0 and
    udp.Payload32[11]=0 and
    udp.Payload32[12]=0 and
    udp.Payload32[13]=0 and
    udp.Payload32[14]=0 and
    udp.Payload32[15]=0 and
    udp.Payload32[16]=0 and
    udp.Payload32[17]=0)
   or
   (udp.PayloadLength>=20 and
    udp.Payload32[1]=0x2112A442)) and
  ( ((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAddr < 169.254.0.0 or ip.DstAddr > 169.254.255.255)) or
     ((ipv6.DstAddr > ::1) and (ipv6.DstAddr < 2001::0 or ipv6.DstAddr >= 2001:1::0) and (ipv6.DstAddr < fc00::0 or ipv6.DstAddr >= fe00::0) and (ipv6.DstAddr < fe80::0 or ipv6.DstAddr >= fec0::0) and (ipv6.DstAddr < ff00::0 or ipv6.DstAddr >= ffff::0))
    )
 )
--- a/init.d/windivert.filter.examples/windivert.discord_media.txt
+++ b/init.d/windivert.filter.examples/windivert.discord_media.txt
@ -0,0 +1,25 @@
 !impostor and !loopback and
 (outbound and
  udp.DstPort>=50000 and udp.DstPort<=50099 and
  udp.PayloadLength=74 and
  udp.Payload32[0]=0x00010046 and
  udp.Payload32[2]=0 and
  udp.Payload32[3]=0 and
  udp.Payload32[4]=0 and
  udp.Payload32[5]=0 and
  udp.Payload32[6]=0 and
  udp.Payload32[7]=0 and
  udp.Payload32[8]=0 and
  udp.Payload32[9]=0 and
  udp.Payload32[10]=0 and
  udp.Payload32[11]=0 and
  udp.Payload32[12]=0 and
  udp.Payload32[13]=0 and
  udp.Payload32[14]=0 and
  udp.Payload32[15]=0 and
  udp.Payload32[16]=0 and
  udp.Payload32[17]=0 and
  ( ((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAddr < 169.254.0.0 or ip.DstAddr > 169.254.255.255)) or
     ((ipv6.DstAddr > ::1) and (ipv6.DstAddr < 2001::0 or ipv6.DstAddr >= 2001:1::0) and (ipv6.DstAddr < fc00::0 or ipv6.DstAddr >= fe00::0) and (ipv6.DstAddr < fe80::0 or ipv6.DstAddr >= fec0::0) and (ipv6.DstAddr < ff00::0 or ipv6.DstAddr >= ffff::0))
    )
 )
--- a/init.d/windivert.filter.examples/windivert.stun.txt
+++ b/init.d/windivert.filter.examples/windivert.stun.txt
@ -0,0 +1,8 @@
 !impostor and !loopback and
 (outbound and
  udp.PayloadLength>=20 and
  udp.Payload32[1]=0x2112A442 and
  ( ((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAddr < 169.254.0.0 or ip.DstAddr > 169.254.255.255)) or
     ((ipv6.DstAddr > ::1) and (ipv6.DstAddr < 2001::0 or ipv6.DstAddr >= 2001:1::0) and (ipv6.DstAddr < fc00::0 or ipv6.DstAddr >= fe00::0) and (ipv6.DstAddr < fe80::0 or ipv6.DstAddr >= fec0::0) and (ipv6.DstAddr < ff00::0 or ipv6.DstAddr >= ffff::0))
    )
 )
--- a/init.d/windivert.filter.examples/windivert.wireguard.txt
+++ b/init.d/windivert.filter.examples/windivert.wireguard.txt
@ -0,0 +1,8 @@
 !impostor and !loopback and
 (outbound and
  udp.PayloadLength=148 and
  udp.Payload[0]=0x01 and
  ( ((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAddr < 169.254.0.0 or ip.DstAddr > 169.254.255.255)) or
     ((ipv6.DstAddr > ::1) and (ipv6.DstAddr < 2001::0 or ipv6.DstAddr >= 2001:1::0) and (ipv6.DstAddr < fc00::0 or ipv6.DstAddr >= fe00::0) and (ipv6.DstAddr < fe80::0 or ipv6.DstAddr >= fec0::0) and (ipv6.DstAddr < ff00::0 or ipv6.DstAddr >= ffff::0))
    )
 )