[tor-bugs] #10006 [Pluggable transport]: Build an obfs-flash PT bundle

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 25 20:17:32 UTC 2013


#10006: Build an obfs-flash PT bundle
-------------------------------------+-------------------
     Reporter:  dcf                  |      Owner:  dcf
         Type:  task                 |     Status:  new
     Priority:  normal               |  Milestone:
    Component:  Pluggable transport  |    Version:
   Resolution:                       |   Keywords:
Actual Points:                       |  Parent ID:  #7167
       Points:                       |
-------------------------------------+-------------------

Comment (by dcf):

 GITNE on IRC suggested that it might help to set
 [http://msdn.microsoft.com/en-us/library/windows/desktop/ms684863%28v=vs.85%29.aspx#CREATE_NEW_PROCESS_GROUP CREATE_NEW_PROCESS_GROUP]
 in
 [https://gitweb.torproject.org/tor.git/blob/7578606a2265466bc4546f0d08b9dbdf427e7c1c:/src/common/util.c#l3750 Tor's call]
 to [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx CreateProcess].
 I tested this by patching the binary (don't tell). Unfortunately, it didn't
 seem to work.

 Using the test bundle from
 https://people.torproject.org/~dcf/pt-bundle/2.4.17-beta-2-obfs-flash20131025/,
 a partial disassembly of the call to `CreateProcess` is
 {{{
 objdump -d tor.exe
   55a179:       c7 44 24 14 00 00 00    movl   $0x0,0x14(%esp)
   55a180:       00
   55a181:       c7 44 24 10 01 00 00    movl   $0x1,0x10(%esp)
   55a188:       00
   55a189:       c7 44 24 0c 00 00 00    movl   $0x0,0xc(%esp)
   55a190:       00
   55a191:       c7 44 24 08 00 00 00    movl   $0x0,0x8(%esp)
   55a198:       00
   55a199:       8b 45 f0                mov    -0x10(%ebp),%eax
   55a19c:       89 44 24 04             mov    %eax,0x4(%esp)
   55a1a0:       8b 85 74 ff ff ff       mov    -0x8c(%ebp),%eax
   55a1a6:       89 04 24                mov    %eax,(%esp)
   55a1a9:       e8 42 06 05 00          call   5aa7f0 <_CreateProcessA at 40>
 }}}
 The first line sets `dwCreationFlags`. I changed byte 1415039 of the file
 from 00 to 02, so the disassembly becomes
 {{{
 objdump -d tor-hacked.exe
   55a179:       c7 44 24 14 00 02 00    movl   $0x200,0x14(%esp)
   55a180:       00
   55a181:       c7 44 24 10 01 00 00    movl   $0x1,0x10(%esp)
   55a188:       00
   55a189:       c7 44 24 0c 00 00 00    movl   $0x0,0xc(%esp)
   55a190:       00
   55a191:       c7 44 24 08 00 00 00    movl   $0x0,0x8(%esp)
   55a198:       00
   55a199:       8b 45 f0                mov    -0x10(%ebp),%eax
   55a19c:       89 44 24 04             mov    %eax,0x4(%esp)
   55a1a0:       8b 85 74 ff ff ff       mov    -0x8c(%ebp),%eax
   55a1a6:       89 04 24                mov    %eax,(%esp)
   55a1a9:       e8 42 06 05 00          call   5aa7f0 <_CreateProcessA at 40>
 }}}
 The resulting binaries are
 {{{
 sha256sum tor.exe tor-hacked.exe
 30099504de82281adde709a537e7ffe600d8c72021c9af459730f103b1376502  tor.exe
 5aedaba498852ba0728193ee36aca21bcdd3975e71aeaff45362d1766930f0af  tor-hacked.exe
 }}}
 I copied `tor-hacked.exe` over `tor.exe`, ran the bundle, and then exited
 it. flashproxy-client.exe and obfsproxy.exe were still running.

 I also tried `tor-hacked.exe` in combination with ''removing'' the
 `CREATE_NEW_PROCESS_GROUP` flag
 [https://gitweb.torproject.org/pluggable-transports/pyptlib.git/blob/471f02af7bc246d27088d41c90231a166a2b4f60:/pyptlib/util/subproc.py#l32 from subproc],
 supposing that maybe another new process group was insulating the children
 from the parent. That didn't seem to have any effect either.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10006#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
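The comment above patches one byte so that the immediate stored into `dwCreationFlags` becomes `0x200`. The script below is an added example (not part of the ticket and not Tor or pyptlib code) that makes that mapping explicit: it rebuilds the bytes from the `objdump` listing quoted in the comment, decodes the `movl $imm32, disp(%esp)` stores into named `CreateProcessA` parameters using the 32-bit stdcall layout (parameter k at `4*k` from `%esp`), ORs a flag into the `dwCreationFlags` immediate, and reports which bytes changed and how the SHA-256 moves. It only understands the handful of instruction forms present in the quoted snippet and refuses anything else; offsets it reports are relative to the snippet, since turning them into a file offset such as 1415039 would require the PE section headers, which are not on the page. The constants listed in `CREATION_FLAGS` are the Win32 SDK values.

```python
import hashlib
import re
import struct

# CreateProcessA parameters in declaration order; with stdcall on 32-bit
# Windows, parameter k is at esp+4*k when the call instruction executes.
CREATEPROCESS_PARAMS = [
    "lpApplicationName", "lpCommandLine", "lpProcessAttributes",
    "lpThreadAttributes", "bInheritHandles", "dwCreationFlags",
    "lpEnvironment", "lpCurrentDirectory", "lpStartupInfo",
    "lpProcessInformation",
]
# A few dwCreationFlags bits (Win32 SDK values).
CREATION_FLAGS = {0x1: "DEBUG_PROCESS", 0x4: "CREATE_SUSPENDED",
                  0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
                  0x200: "CREATE_NEW_PROCESS_GROUP"}
CREATE_NEW_PROCESS_GROUP = 0x200

# Sample input: the unpatched call site exactly as quoted in the ticket.
OBJDUMP_TEXT = """\
  55a179:       c7 44 24 14 00 00 00    movl   $0x0,0x14(%esp)
  55a180:       00
  55a181:       c7 44 24 10 01 00 00    movl   $0x1,0x10(%esp)
  55a188:       00
  55a189:       c7 44 24 0c 00 00 00    movl   $0x0,0xc(%esp)
  55a190:       00
  55a191:       c7 44 24 08 00 00 00    movl   $0x0,0x8(%esp)
  55a198:       00
  55a199:       8b 45 f0                mov    -0x10(%ebp),%eax
  55a19c:       89 44 24 04             mov    %eax,0x4(%esp)
  55a1a0:       8b 85 74 ff ff ff       mov    -0x8c(%ebp),%eax
  55a1a6:       89 04 24                mov    %eax,(%esp)
  55a1a9:       e8 42 06 05 00          call   5aa7f0 <_CreateProcessA at 40>
"""
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}(?:\s+|$))+)")


def parse_objdump(text):
    """Rebuild (start_address, code_bytes) from an objdump -d listing, refusing gaps."""
    start, code = None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if start is None:
            start = addr
        if addr != start + len(code):
            raise ValueError("non-contiguous listing at %#x" % addr)
        code += bytes.fromhex("".join(m.group(2).split()))
    return start, bytes(code)


def decode_stores(code, base):
    """Linear sweep of the call site. Returns (address, parameter, immediate or
    None for a register store, snippet offset of the imm32 or None) per store."""
    stores, i = [], 0
    while i < len(code):
        b = code[i:]
        if b[:3] == b"\xc7\x44\x24" and len(b) >= 8:   # mov dword [esp+disp8], imm32
            disp, imm = b[3], struct.unpack_from("<I", b, 4)[0]
            stores.append((base + i, CREATEPROCESS_PARAMS[disp // 4], imm, i + 4))
            i += 8
        elif b[:3] == b"\x89\x44\x24" and len(b) >= 4:  # mov [esp+disp8], eax
            stores.append((base + i, CREATEPROCESS_PARAMS[b[3] // 4], None, None))
            i += 4
        elif b[:3] == b"\x89\x04\x24":                  # mov [esp], eax
            stores.append((base + i, CREATEPROCESS_PARAMS[0], None, None))
            i += 3
        elif b[:2] == b"\x8b\x45":                      # mov disp8(%ebp), %eax
            i += 3
        elif b[:2] == b"\x8b\x85":                      # mov disp32(%ebp), %eax
            i += 6
        elif b[:1] == b"\xe8":                          # call rel32: end of call site
            break
        else:
            raise ValueError("unhandled opcode %02x at %#x" % (b[0], base + i))
    return stores


def set_creation_flag(code, base, flag):
    """OR `flag` into the dwCreationFlags immediate; return (patched, changed offsets)."""
    patched = bytearray(code)
    for _addr, name, imm, imm_off in decode_stores(code, base):
        if name == "dwCreationFlags" and imm is not None:
            struct.pack_into("<I", patched, imm_off, imm | flag)
            changed = [k for k in range(len(code)) if patched[k] != code[k]]
            return bytes(patched), changed
    raise LookupError("no immediate store to dwCreationFlags found")


def creation_flags(code, base):
    """The dwCreationFlags immediate at the call site, or None if it is a runtime value."""
    return next((imm for _a, n, imm, _o in decode_stores(code, base)
                 if n == "dwCreationFlags"), None)


def flag_names(value):
    return [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]


def sha256hex(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    base, code = parse_objdump(OBJDUMP_TEXT)
    for addr, name, imm, _ in decode_stores(code, base):
        print("%#x  %-20s %s" % (addr, name, "runtime" if imm is None else hex(imm)))
    patched, changed = set_creation_flag(code, base, CREATE_NEW_PROCESS_GROUP)
    print("changed offsets:", changed, flag_names(creation_flags(patched, base)))
    print(sha256hex(code), sha256hex(patched))
```

Run as-is it reports the six argument stores, then `changed offsets: [5]`, which is the second byte of the imm32 (`00 02 00 00` little-endian, the `0x200` shown in the hacked disassembly), and two different digests, mirroring the `sha256sum` check in the comment.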