From 35cc8b7cbba6e63c520e921734a92c95f69f36f6 Mon Sep 17 00:00:00 2001
From: Aitor Viana <aitorvs@gmail.com>
Date: Fri, 27 Sep 2024 15:28:22 +0100
Subject: [PATCH] DNS malware (#36)

Task/Issue URL: https://app.asana.com/0/1198194956794324/1208368538104397/f

### Description
Add detection for when the DNS blocks requests to domains that serve malware.

The library also calls back into JVM with the blocked domain, if the JVM callback is present

### Steps to test this PR

_Test_
- [x] checkout this branch and `cd` into the `android` folder
- [x] run `./gradlew assemble publishToMavenLocal`
- [x] go to the Android app repo, `develop` branch and apply the following patch
```diff
commit 40e3568897a31e8c603490f5f49a519773aff8c9
Author: Aitor Viana <aitorvs@gmail.com>
Date:   Sun Jun 4 20:49:52 2023 -0400

    Maven local use

diff --git a/build.gradle b/build.gradle
index de22b7abb..aee98799a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -42,6 +42,7 @@ allprojects {
         google()
         mavenCentral()
         maven { url 'https://jitpack.io' }
+        mavenLocal()
     }
     configurations.all {
         resolutionStrategy.force 'org.objenesis:objenesis:2.6'
diff --git a/versions.properties b/versions.properties
index d092a0163..5f58ba46a 100644
--- a/versions.properties
+++ b/versions.properties
@@ -77,7 +77,7 @@ version.com.airbnb.android..lottie=5.2.0

 version.com.android.installreferrer..installreferrer=2.2

-version.com.duckduckgo.netguard..netguard-android=1.6.12
+version.com.duckduckgo.netguard..netguard-android=1.7.0-SNAPSHOT

 version.com.duckduckgo.synccrypto..sync-crypto-android=0.3.0
```
- [x] build Android app, `./gradlew assembleID`, install and run the app
- [x] enable the VPN
- [x] filter the logcat with `MID_RECORD_MALWARE_BLOCK` and another logcat with `tag:WireGuard/GoBackend/Write`
- [x] with VPN enabled, go to "vpn-malware.goduckgo.com"
- [x] verify `DNS malware was blocked for domain: vpn-malware.goduckgo.com. due to 'blocked:m' TXT record` log appears
- [x] verify `MID_RECORD_MALWARE_BLOCK method not found` error log appears
- [x] smoke test VPN and browsing
---
 src/wireguard/dns-malware.go | 86 ++++++++++++++++++++++++++++++++++++
 src/wireguard/go.mod         | 10 +++--
 src/wireguard/go.sum         | 14 ++++++
 src/wireguard/jni.c          | 27 +++++++++++
 src/wireguard/tun_android.go | 51 +++++++++++++++++++--
 5 files changed, 182 insertions(+), 6 deletions(-)
 create mode 100644 src/wireguard/dns-malware.go

diff --git a/src/wireguard/dns-malware.go b/src/wireguard/dns-malware.go
new file mode 100644
index 0000000..4c82d31
--- /dev/null
+++ b/src/wireguard/dns-malware.go
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2022 DuckDuckGo
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package main
+
+// #include <android/log.h>
+import "C"
+
+import (
+    "fmt"
+    "strings"
+
+    "github.com/miekg/dns"
+)
+
+
+// parseDNSResponse parses the raw DNS response from a byte slice.
+func parseDNSResponse(data []byte) *dns.Msg {
+    tag := cstring("WireGuard/GoBackend/parseDNSResponse")
+    // Create a new DNS message structure
+    dnsMsg := new(dns.Msg)
+
+    // Unpack the DNS message from the raw data
+    err := dnsMsg.Unpack(data)
+    if err != nil {
+        C.__android_log_write(C.ANDROID_LOG_DEBUG, tag, cstring(fmt.Sprintf("Failed to unpack DNS message: %v", err)))
+        return nil
+    }
+
+    // Check if this is a DNS response (QR bit set)
+    if dnsMsg.Response {
+        return dnsMsg
+    }
+
+    // If not a response, return nil
+    return nil
+}
+
+
+/*
+ * WasDNSMalwareBlocked checks if the DNS packet contains a "blocked:m" TXT
+ * record under the "explanation.invalid" domain. If such a record is found,
+ * it returns true along with the domain being blocked.
+ * That record is found when our the DDG (malware) DNS server blocks domains that
+ * serve malware
+ */
+func WasDNSMalwareBlocked(dnsData []byte) (bool, string) {
+    dnsResponse := parseDNSResponse(dnsData)
+    if dnsResponse == nil {
+        return false, ""
+    }
+
+    // Look for "explanation.invalid" in the additional section
+    for _, rr := range dnsResponse.Extra {
+        if txtRecord, ok := rr.(*dns.TXT); ok {
+            if txtRecord.Hdr.Name == "explanation.invalid." {
+                for _, txt := range txtRecord.Txt {
+                    if txt == "blocked:m" {
+                        // If there is a matching TXT record, return the blocked domain
+                        if len(dnsResponse.Question) > 0 {
+                            blockedDomain := dnsResponse.Question[0].Name
+                            // remove the trailing dot (FQDN) if present
+                            blockedDomain = strings.TrimSuffix(blockedDomain, ".")
+                            return true, blockedDomain
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    return false, ""
+}
\ No newline at end of file
diff --git a/src/wireguard/go.mod b/src/wireguard/go.mod
index e9797b0..72c53ac 100644
--- a/src/wireguard/go.mod
+++ b/src/wireguard/go.mod
@@ -3,12 +3,16 @@ module golang.zx2c4.com/wireguard/android
 go 1.18
 
 require (
-	golang.org/x/net v0.10.0
-	golang.org/x/sys v0.8.0
+	golang.org/x/net v0.27.0
+	golang.org/x/sys v0.22.0
 	golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b
 )
 
 require (
-	golang.org/x/crypto v0.9.0 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 )
diff --git a/src/wireguard/go.sum b/src/wireguard/go.sum
index 0b905bf..229c257 100644
--- a/src/wireguard/go.sum
+++ b/src/wireguard/go.sum
@@ -1,11 +1,25 @@
 github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
+github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
+github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
 golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
 golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b h1:J1CaxgLerRR5lgx3wnr6L04cJFbWoceSK9JWBdglINo=
diff --git a/src/wireguard/jni.c b/src/wireguard/jni.c
index c90875b..de74f3e 100644
--- a/src/wireguard/jni.c
+++ b/src/wireguard/jni.c
@@ -18,6 +18,7 @@ extern char *wgVersion();
 static JavaVM *JVM = NULL;
 static jobject GO_BACKEND = NULL;
 static jmethodID MID_SHOULD_ALLOW = NULL;
+static jmethodID MID_RECORD_MALWARE_BLOCK = NULL;
 static jint SDK = 0;
 
 JNIEXPORT jint JNICALL Java_com_wireguard_android_backend_GoBackend_wgTurnOn(JNIEnv *env, jobject  goBackend, jstring ifname,
@@ -39,6 +40,7 @@ JNIEXPORT jint JNICALL Java_com_wireguard_android_backend_GoBackend_wgTurnOn(JNI
     jclass clsGoBackend = (*env)->GetObjectClass(env, goBackend);
     const char *shouldAllowSig = "(ILjava/lang/String;ILjava/lang/String;ILjava/lang/String;I)Z";
     MID_SHOULD_ALLOW = jniGetMethodID(env, clsGoBackend, "shouldAllow", shouldAllowSig);
+    MID_RECORD_MALWARE_BLOCK = jniGetMethodID(env, clsGoBackend, "recordMalwareBlock", "(Ljava/lang/String;)V");
     (*env)->DeleteLocalRef(env, clsGoBackend);
 
     // Call Go method
@@ -137,6 +139,31 @@ int is_pkt_allowed(const uint8_t *buffer, int length) {
     return 1;
 }
 
+int record_malware_block(const char *domain) {
+    if (MID_RECORD_MALWARE_BLOCK == NULL) {
+        log_print(PLATFORM_LOG_PRIORITY_ERROR, "MID_RECORD_MALWARE_BLOCK method not found");
+        return 1;
+    }
+
+    JNIEnv *env;
+    jint rs = (*JVM)->AttachCurrentThread(JVM, &env, NULL);
+    if (rs != JNI_OK) {
+        log_print(PLATFORM_LOG_PRIORITY_ERROR, "Could not attach to JVM thread");
+        return 1;
+    }
+
+    // Prep call to Kotlin
+    jstring jdomain = (*env)->NewStringUTF(env, domain);
+    (*env)->CallVoidMethod(env, GO_BACKEND, MID_RECORD_MALWARE_BLOCK, jdomain);
+    jniCheckException(env);
+
+    // cleanup
+    (*env)->DeleteLocalRef(env, jdomain);
+
+    return 0;
+
+}
+
 JNIEXPORT void JNICALL Java_com_wireguard_android_backend_GoBackend_wgTurnOff(JNIEnv *env, jclass c, jint handle)
 {
     wgTurnOff(handle);
diff --git a/src/wireguard/tun_android.go b/src/wireguard/tun_android.go
index a98805a..b48d7ad 100644
--- a/src/wireguard/tun_android.go
+++ b/src/wireguard/tun_android.go
@@ -22,8 +22,10 @@ Implementation of the TUN device interface for Android (wraps linux one)
 
 
 // #include <android/log.h>
+// #include <stdlib.h>  // For C.free and C string functions
 // extern int is_pkt_allowed(char *buffer, int length);
 // extern int wg_write_pcap(char *buffer, int length);
+// extern int record_malware_block(const char *domain);
 import "C"
 
 import (
@@ -50,10 +52,53 @@ func (tunWrapper *NativeTunWrapper) Name() (string, error) {
     return tunWrapper.nativeTun.Name()
 }
 
-func (tunWrapper *NativeTunWrapper) Write(buf [][]byte, offset int) (int, error) {
-    pktLen, err :=  tunWrapper.nativeTun.Write(buf, offset)
+func (tunWrapper *NativeTunWrapper) Write(bufs [][]byte, offset int) (int, error) {
+    tag := cstring("WireGuard/GoBackend/Write")
 
-//     tag := cstring("WireGuard/GoBackend/Write")
+        for _, buf := range bufs {
+            // Check if it's an IPv4 packet
+            if len(buf) <= offset {
+                C.__android_log_write(C.ANDROID_LOG_DEBUG, tag, cstring("Skipping invalid packet, too short"))
+                continue
+            }
+            switch buf[offset] >> 4 {
+            case ipv4.Version:
+                if len(buf) < ipv4.HeaderLen {
+                    C.__android_log_write(C.ANDROID_LOG_DEBUG, tag, cstring("Skipping bad IPv4 packet"))
+                    continue
+                }
+
+                // Check if it's a UDP packet
+                protocol := buf[offset+9]
+                if protocol == 0x11 { // UDP
+                    // Extract the ports (skip IP and check transport layer headers)
+                    srcPort := (uint16(buf[offset+ipv4.HeaderLen]) << 8) | uint16(buf[offset+ipv4.HeaderLen+1])
+                    dstPort := (uint16(buf[offset+ipv4.HeaderLen+2]) << 8) | uint16(buf[offset+ipv4.HeaderLen+3])
+
+                    if srcPort == 53 || dstPort == 53 {
+                        // Extract the DNS data (skip IP and UDP headers)
+                        dnsData := buf[offset+ipv4.HeaderLen+8:]
+
+                        // Call the helper function to check if the DNS packet should be blocked
+                        shouldBlock, blockedDomain := WasDNSMalwareBlocked(dnsData)
+                        if shouldBlock {
+                            logMessage := "DNS malware was blocked for domain: " + blockedDomain + " due to 'blocked:m' TXT record"
+                            C.__android_log_write(C.ANDROID_LOG_DEBUG, tag, cstring(logMessage))
+
+                            // call back into JVM and let the packet flow normally
+                            cBlockedDomain := C.CString(blockedDomain)
+                            defer C.free(unsafe.Pointer(cBlockedDomain))
+                            C.record_malware_block(cBlockedDomain) // ignore return code
+                        }
+                    }
+                }
+            default:
+                // Not an IPv4 packet
+                C.__android_log_write(C.ANDROID_LOG_DEBUG, tag, cstring("Invalid IP"))
+            }
+        }
+
+    pktLen, err :=  tunWrapper.nativeTun.Write(bufs, offset)
 
     // PCAP recording
 //     pcap_res := int(C.wg_write_pcap((*C.char)(unsafe.Pointer(&buf[offset])), C.int(pktLen+offset)))