In Figure 7, it paused on “Tor.exe” calling the API “ws2_32.send()” to send the packet containing the bridge’s IP address and Port, just like the received packet shown in Figure 6.įigure 7 is the “Call stack” window, which shows the return addresses of “libevent.dll”. When tracing the packet with the bridge’s IP address and Port in “Tor.exe”, you can see in the call stack context that many return addresses are in the module “libevent.dll”. Tor places most of its socket tasks (connect(), send(), recv() and so on) on events to be automatically called by libevent. “tor.exe” uses a third-party module named “libevent.dll”, which is from libevent (an event notification library), to drive Tor to perform its tasks. “obfs4proxy.exe” then parses the packet and converts the binary IP and Port to a string, which in this case is “154.35.22.13:16815”. The packet indicates that it asks “obfs4proxy.exe” to make a connection to a bridge with the binary IP address and Port. “05 01 00 01” is a header of its Socks5 protocol, and the rest of the data are the IP address and port in binary. It is a Socks5 packet that is 0xA bytes long. Usually, the third packet from “tor.exe” to “obfs4proxy.exe” contains one built-in obfs4 bridge’s IP address and Port in binary, just like in Figure 6. By tracing and tracking the call stack flow from “MSAFD_ConnectEx()”, I realized that my original thought was wrong because the built-in IP addresses and Ports are not hard-coded in “obfs4proxy.exe”, but taken from the parent process “tor.exe” through a local loopback TCP connection.
Tor expert bundle setup .exe#
By the way, the instruction “call dword ptr ” is used to call almost all the system APIs that “obfs4proxy.exe” needs, which is a way to hide APIs against analysis.įrom my analysis, most of the PE files (exe and dll files, like “obfs4proxy.exe”) used by Tor seem to be compiled by the “GCC MINGW-64w compiler”, which always uses “mov, …” to pass arguments to functions instead of “push …” instructions that create trouble for static analysis.
In the IDA Pro’s analysis of mswsock.dll, we can see that the address 750A7842 is just the API of “MSAFD_ConnectEx()”. As you may have noticed, the debugger OllyDbg could not recognize this API because it is not an export function of “mswsock.dll”.
Later on, it calls the APIs “WSASend” and “WSARecv” to communicate with the “obfs4” bridge. The second argument of this function is a pointer to a structure variable of struct sockaddr_in, which holds the IP address and Port to be connected to. The Tor bridge information is defined in the profile file of Firefox, so you can display it by entering “about:config” in the address bar of Tor Browser, as shown in Figure 1.įigure 5 shows that “obfs4proxy.exe” is about to call the API “mswsock.MSAFD_ConnectEx()” to make a TCP connection to a built-in “obfs4” bridge, whose IP address and port are “192.95.36.142:443”. The normal relay nodes are listed in the main Tor directory, and the connections to them can be easily identified and blocked by censors. The Tor Network consists of two kinds of relay nodes: normal relay nodes and bridge relay nodes. The Tor network is a worldwide overlay network comprising thousands of volunteer-run relays.
Tor expert bundle setup code#
You can download the source code from its official website. Tor Browser is an open source project with a design based on Mozilla Firefox. The Tor project team is aware of this practice because the Tor project blog clearly states that “Tor is misused by criminals.” It’s one of the reasons why ransomware criminals require victims to access the payment page on a. That way, only Tor Browser can access it and nobody knows what its real IP address is. Users can also set up their own website in the Tor network with a domain name ending with “.onion”. When users explore websites using Tor Browser, their real IP address is hidden by the Tor network so that the destination website never knows what the true source IP address is. Tor Browser is a tool that provides anonymous Internet connectivity combined with layers of encryption through the Tor network.
Tor expert bundle setup how to#
In part one of this two-part series, we’ll use reverse engineering to explain how to find built-in Tor bridges and how Tor browser works with Bridge enabled. ” We are now sharing more details of this research, with our analysis being posted in two blogs. At the SecureWV 2019 Cybersecurity Conference, held in Charleston, West Virginia, Peixue and I presented our talk “ Dissecting Tor Bridges and Pluggable Transport.
0 kommentar(er)
